Joined devRant on 1/17/2017
I'm fixing a security exploit, and it's a goddamn mountain of fuckups.
First, some idiot (read: the legendary dev himself) decided to use a gem to do some basic fucking searching instead of writing a simple fucking query.
Second, security ... didn't just drop the ball, they shit on it and flushed it down the toilet. The gem in question allows users to search by FUCKING EVERYTHING on EVERY FUCKING TABLE IN THE DB using really nice tools, actually, that let you do fancy things like traverse all the internal associations to find the users table, then list all users whose password reset hashes begin with "a" then "ab" then "abc" ... Want to steal an account? Hell, want to automate stealing all accounts? Only takes a few hundred requests apiece! Oooh, there's CC data, too, and its encryption keys!
Third, the gem does actually allow whitelisting associations, methods, etc. but ... well, the documentation actually recommends against it for whatever fucking reason, and that whitelisting is about as fine-grained as a club. You wanna restrict it to accessing the "name" column, but it needs to access both the "site" and "user" tables? Cool, users can now access site.name AND user.name... which is PII and totally leads to hefty fines. Thanks!
Fourth. If the gem can't access something thanks to the whitelist, it doesn't catch the exception and give you a useful error message or anything, no way. It just throws NoMethodErrors because fuck you. Good luck figuring out what they mean, especially if you have no idea you're even using the fucking thing.
Fifth. Thanks to the follower mentality prevalent in this hellhole, this shit is now used in a lot of places (and all indirectly!) so there's no searching for uses. Once I banhammer everything... well, loads of shit is going to break, and I won't have a fucking clue where because very few of these brainless sheep write decent test coverage (or even fucking write view tests), so I'll be doing tons of manual fucking testing. Oh, and I only have a week to finish everything, because fucking of course.
So, in summary. The stupid and lazy (and legendary!) dev fucked up. The stupid gem's author fucked up, and kept fucking up. The stupid devs followed the first fuckup's lead and repeated his fuck up, and fucked up on their own some more. It's fuckups all the fucking way down.

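An added example, written for this page rather than taken from the rant or from the gem it complains about: a plain-Ruby allowlist for search parameters that fixes the two design problems the rant names, a whitelist that is per-table rather than one coarse list for every table, and a readable error instead of a bare NoMethodError. The key grammar ("site.user.name_start": association path, column, predicate suffix) and the sample policy are assumptions for the demo.

```ruby
require 'set'
# Added example, not code from the rant or the gem it describes. The search-key
# grammar ("site.user.name_start": association path, column, predicate suffix)
# is assumed; the point is the per-table allowlist and the readable error.
class ForbiddenSearch < StandardError; end
class SearchAllowlist
  # Prefix predicates (start/cont) are what make byte-at-a-time guessing of a
  # secret possible, so any column they can reach must hold public data only.
  PREDICATES = %w[eq in start cont].freeze

  # columns: { "site" => ["name"] } per table; associations: { "site" => ["user"] }
  def initialize(columns:, associations: {})
    @columns = columns.transform_values(&:to_set)
    @associations = associations.transform_values(&:to_set)
  end

  # Returns [table, column, predicate] or raises ForbiddenSearch naming the
  # offending association hop or column.
  def check!(base_table, key)
    path, predicate = split_predicate(key)
    *hops, column = path.split('.')
    table = base_table
    hops.each do |assoc|
      unless @associations.fetch(table, Set.new).include?(assoc)
        raise ForbiddenSearch, "#{table} may not search through #{assoc}"
      end
      table = assoc
    end
    unless @columns.fetch(table, Set.new).include?(column)
      raise ForbiddenSearch, "#{table}.#{column} is not a searchable column"
    end
    [table, column, predicate]
  end

  def allowed?(base_table, key)
    !check!(base_table, key).nil?
  rescue ForbiddenSearch
    false
  end

  def split_predicate(key)
    PREDICATES.each { |p| return [key.delete_suffix("_#{p}"), p] if key.end_with?("_#{p}") }
    raise ForbiddenSearch, "#{key} does not end in a known predicate"
  end
end
# Constructed policy: users may be found by name through a site, nothing else.
POLICY = SearchAllowlist.new(columns: { 'site' => %w[name url], 'user' => %w[name] }, associations: { 'site' => %w[user] })
```

With this policy a request for `user.reset_password_hash_start` is rejected by name, and `user` may not be used as a base table to walk back to `site` at all.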
When the pandemic hit in 2020 I found myself out of work. Until then I used to have a Java-based pirate gameserver of an MMORPG as a hobby.
When the pandemic hit I noticed that the online player count increased from like 70 to 200 without much advertising, purely because of people being stuck at home. So I decided to scale and spent 2 years with that. What a wild ride it was.
So I invested a bit in ads, managed to reach around 500 online players, opened my own company and launched a couple of other successful spinoffs of that gameserver.
The first year it was a goldmine, but I was doing 10-14 hour days because I had to take care of everything (web, advertising, payment integrations, player support and also developing the server itself, DDoS protections, etc.). I made quite a bit of money, saved for a down payment on a mortgage and got an apartment.
The second year I noticed that there was a lot of competition and the online player count dropped, but I doubled down on this and invested a lot into the product itself and spent most of the time developing a perfect gameserver that would be the big bang, while also maintaining the existing ones. Classic overengineering mistake. As you can guess, I crashed and burned on all levels, and never even managed to launch my final project because the scope was simply too big and I had trouble finding decent devs to outsource it to, since it was a very niche gameserver.
In the end I learned a lot, especially about my own limits and ownership. Now I'm back to being a dev, but working as a contractor.
I believe having actual business owner experience allows me to have a different perspective, and I can bring more to the table rather than focusing on crunching tasks.

So there's this annoying colleague who loves to call me (my work phone) at 3 am, so I decided to adjust some settings to forward the calls to the CEO.
Aha!! In the meeting the CEO pointed it out, and yes, finally the company set a rule that there are no work calls after working hours....

PhD applications in computer science are so fucking frustrating. I have responded to so many invasive questions so far. The only private information universities haven't asked for yet is my bra size. The only contact they haven't asked for yet is my kindergarten teacher (and her bra size, coincidentally). The only document about a potential project I haven't given them yet is my freaking dissertation. None of these have anything to do with my research potential, btw. There's nothing asked of me about my research aspirations and how I actually undertake a research project.
And then suddenly it occurred to me: people in academic administration are not smart. I'm actually explaining my potential to a pretty dumb bunch (excluding those in research, none of whom will bother with these stupid documents).
... The world seems to revolve around stupid people. Fuck.

YAML configuration is more difficult to do than the actual programming itself.
JSON and ini files are way better.