Search - "login without login"
-
So, since I hear from a lot of people (on here and irl) that Linux has a 'very high learning curve', let me share my experiences with the first time my dad touched Linux (Elementary OS) without me interfering at all! (keep in mind that he is very a-technical)
*le me boots the system* (I already did setup a user account for him and gave him the password).
Dad: *enters password and presses enter*
Me: "Hmm that went faster than expected."
Dad: "Uhm I know how to log in, son, it's not that hard and pretty obvious".
Me: "Alright, why don't you try to open up the default word documents editor on here! I'll be right back!"
Me: *Goes away and returns after a minute*.
Dad: *already a few test sentences typed in LibreOffice writer* it's going pretty well :)!
Me: "Oo how did you find that?!"
Dad: "Well, there's a thingy that says 'applications' so I clicked in and found it in the "Office" section, do you think I am blind or something?!"
Me: 😐. uhm no but I just didn't think you'd find it that quickly. Now try to install Chromium browser! *thinking: he'll fail this one for sure* I'll be right back :).
Me: *returns again after a minute or so*
Dad: *already searching for stuff through Chromium*
Me: "wait, how the hell did you do that so quickly, it's not the easiest thingy for most people".
Dad: "Jesus, it's not that hard! I went to the application browsing thingy, typed 'software' and then a sorta software store icon showed up so I clicked it and it opened a window with a search bar saying something like 'search for applications/software'. Clicked in it, typed 'chromium', saw it coming up, there was a very clear 'install' button, it asked for my password, I put it in and after a little it gave a notification that it was installed. Then I went to that application browsing thingy again and typed Chromium. Then I hit enter because it selected an icon called chromium...."
Me: O.o. Okay this is going very well, now open an email client and log in to your email address!
Dad: *goes to application browsing thingy, types 'email', evolution icon shows up, dad clicks it, email address setup steps show up and dad follows them quickly. After about a minute, everything is set up.*
I expected this to be a hard process for someone who dealt with Windows his entire life but damn, I underestimated it.
Asked him if he found it easy/what he liked about it:
"Well, it's very clear where I can find everything, default browser/email/word document editor programs are easy to find and that's about all I need so yeah, great system!"
I am proud of you, dad!
-
When someone changes the API at 5pm without notice and you get a call at midnight that no one can log in.
-
So I got the job. Here's a story, never let anyone stop you from accomplishing your dreams!
It all started in 2010. Windows just crashed unrecoverably for the 3rd time in two years. Back then I wasn't good with computers yet so we got our tech guy to look at it and he said: "either pay for a windows license again (we nearly spent 1K on licenses already) or try another operating system which is free: Ubuntu. If you don't like it anyways, we can always switch back to Windows!"
Oh well, fair enough, not much to lose, right! So we went with Ubuntu. Within about 2 hours I could find everything. From the software installer to OpenOffice, browsers, email things and so on. Also I already got the basics of the Linux terminal (bash in this case) like ls, cd, mkdir and a few more.
My parents found it very easy to work with as well so we decided to stick with it.
I already started to experiment with some html/css code because the thought of being able to write my own websites was awesome! Within about a week or so I figured out a simple html site.
Then I started to experiment more and more.
After about a year of trial and error (repeat about 1000+ times) I finally got my first Apache server setup on a VirtualBox running Ubuntu server. Damn, it felt awesome to see my own shit working!
From that moment on I continued to try everything I could with Linux because I found the principle that I basically could do everything I wanted (possible with software solutions) without any limitations (like with Windows/Mac) very fucking awesome. I owned the fucking system.
Then, after some years, I got my first shared hosting plan! It was awesome to see my own (with subdomain) website online, functioning very well!
I started to learn stuff like FTP, SSH and so on.
Went on with trial and error for a while and then the thought occurred to me: what if I'd have a little server ONLINE which I could use myself to experiment around?
First rented VPS was there! Couldn't get enough of it and kept experimenting with server thingies, linux in general aaand so on.
Started learning about rsa key based login, firewalls (iptables), brute force prevention (fail2ban), vhosts (apache2 still), SSL (damn this was an interesting one, how the fuck do you do this yourself?!), PHP and many other things.
Then, after a while, the thought came to mind: what if I'd have a dedicated server!?!?!?!
I ordered my first fucking dedicated server. Damn, this was awesome! Already knew some stuff about defending myself from brute force bots and so on so it went pretty well.
Finally made the jump to NginX and CentOS!
Made multiple VPS's for shitloads of purposes and just to learn. Started working with reverse proxies (nginx), proxy servers, SSL for everything (because fuck basic http WITHOUT SSL), vhosts and so on.
Started with a simple, one-screen Linux setup with Ubuntu 10.04.
Running a five monitor setup now with many distros, running about 20 servers with proxies/nginx/apache2/multiple db engines, as much security as I can integrate and this fucking passion just got me my first Linux job!
It's not just an operating system for me, it's a way of life. And with that I don't just mean the operating system, but also the idea behind it :).
-
Rant
Why do shithead clients think they can walk away without paying us once we deliver the project!!!
So, here goes nothing..
Got an online gig to create a dashboard.
Since I had to deal with a lot of shitheads in the past, I told them my rules were simple: 20% advance, 40% on 50% completion and 40% after I complete and send them proof of completion. Once I receive the payment in full, only then will I hand over the code.
They said it was fine and paid 20%.
I got the next 40% also without any effort but they said they also needed me to deploy the code on their AWS account, and they were ready to pay extra for it, so I agreed.
I completed the whole project and sent them the screenshots, asking for the remaining 40% payment. They rejected the request saying my work was not complete as I had not deployed on AWS yet. After a couple more such exchanges, I agreed to set up their account before the payment. But I could sense something fishy, so I did everything on their AWS account, except I registered the domain from my account and set up everything. Once I informed them that it's done, I asked for the remaining payment.
The reply I got was LOL.
I tried to login to the AWS account, only to find password had been changed.
Database access revoked.
Even my admin account on the app had been removed. Thinking that they had been successful, they even published ads about their NEW dashboard to their customers.
I sent them a final mail with warning ending with a middle finger emoji. 24 hours later,
I created a GitHub page with the text "This website has been seized by the government as the owner is found accused of fraud" and redirected the domain to it. Got an apology mail from them 2 hours later begging me to restore the website. I asked for an extra 10% penalty apart from the remaining payment. After I got paid, set an auto-reply of LOL to their emails and chilled for a week before restoring the domain back to normal.
Dev : 1
Shithead Client: 0
-
Boss: "Here's our new intern! He's a bloody genius doing apps! Perfect for that important project that shouldn't be trusted to an intern!!"
*takes intern 9 weeks to do a login view without any real backend*
Turns out the guy couldn't do shit but steal others code and change background color.
Boss: "He wasn't very good..."
Me: "You interview him. How about you bring a developer to the interview next time..."
Boss: "Doesn't matter. The app needs to be done the day after tomorrow, good luck"
Me: "............"
*puts on coffee, cries, programs the app in miserable silence*
-
It's that time of the morning again where I get nothing done and moan about the past ... that's right, it's practiseSafeHex's most incompetent co-worker!!!
Today I'd like to tell you the story of "I". Interesting about "I" is that he was actually a colleague of yesterday's nominee "G" (and was present at the "java interface" video call, and agreed with G!): https://devrant.com/rants/1152317/...
"I" was the spearhead of a project to end all projects in that company. It was supposed to be a cross-platform thing but ended up only working for iOS. It was actually quite similar to this: https://jasonette.com/ (so similar I'm convinced G / I were part of this but I can't find their github IDs in it).
To briefly explain the above + what they built ... this is the worst piece of shit you can imagine ... and that's a pretty strong statement looking back at the rest of this series so far!
"I" thought this would solve all of our problems of having to build similar-ish apps for multiple customers by letting us re-use more code / UI across apps. His main solution was every developer's favourite part of writing code. I mean how often do you sit back and say:
"God damn I wish more of this development revolved around passing strings back and forth. Screw autocomplete, enums and typed classes / variables, I want more code / variables inside strings in this library!"
Yes that's right, the main part of this bullshittery was putting your entire app, into JSON, into a string and downloading it over http ... what could possibly go wrong!
Some of my issues were:
- Everything was a string, meaning we had no autocomplete. Every type and property had to be remembered and spelled perfectly.
- Everything was a string so we had no way to cmd + click / ctrl + click something to see something's definition.
- Everything was a string so any business logic methods had to be remembered, all possible overloaded versions, no hints at param types no nothing.
- There was no specific tooling for any of this, it was literally open up xcode, create a json file and start writing strings.
- We couldn't use any of the native UI builders ... cause strings!
- We couldn't use any of the native UI layout constructs and we had to use these god awful custom layout managers, with a weird CSS feel to them.
What angered me a lot was their insistence that "You can download a new app over http and it will update instantly" ... except you can't because you can't download new business logic only UI. So it's a new app, but must do 100% exactly the same thing as before.
His other achievements include:
- Deciding he didn't like Apple's viewController and navigationBar classes and built his own, which was great when iOS 7 was released (changed the UI to allow drawing under the status bar) and we had no access to any of Apple's new code or methods, meaning everything had to be re-built from scratch.
- On my first week, my manager noticed he fucked up the login error handling on the app I was taking over. He noticed this as I was about to leave for the evening. I stayed so we could call him (he was in an earlier timezone). Rather than deal with his fuck-up, he convinced the manager it would be a "great learning experience" for me to do it ... and stay in late ... while he goes home early.
- He once argued with me in front of the CEO that his frankenstein cross-platform stuff was the right choice and that my way of using Apple's storyboards (and well thought out code) wasn't appropriate. So I challenged him to prove it: we got 2 clients who needed similar apps, we each did it our own way. He went 8 man-weeks over, I came in 2 days under and his got slated in the app store for poor performance / issues. #result.
But rather than let it die he practically sucked off the CEO to let him improve the cross platform tooling instead.
... in that office you couldn't swing a cat without hitting a retard.
Having had to spend a lot more time working with him and more closely than most of the other nominees, at a minimum "I" is on the top of my list for needing a good punch in the face. Not for being an idiot (which he is), not for ruining so much (which he did), but for just being such an arrogant bastard about it all, despite constant failure.
Will "I" make it to most incompetent? There's some pretty stiff competition so far.
Tune in later for more practiceSafeHex's most incompetent co-worker!!!
-
One week, and it turned out to be worse than that.
I was put on a project for a COVID-19 program in America (The CARES Act). The financial team came to us on Monday morning and said they need to give away a couple thousand dollars.
No big deal. All they wanted was a single form that people could submit with some critical info. Didn't need a login/ registration flow or anything. You could have basically used Google Forms for this project.
The project landed in my lap just before lunch on Monday morning. I was a junior in a team with a senior and another junior on standby. It was going to go live the next Monday.
The scope of the project made it seem like the one week deadline wasn't too awful. We just had to send some high priority emails to get some prod servers and app keys and we were fine.
Now is the time where I pause the rant to express to you just how fine we were decidedly **not**: we were not fine.
Tuesday rolls around and what a bad Tuesday it was. It was the first of many requirement changes. There was going to need to be a review process. Instead of the team just reading submissions from the site, they needed accept and reject buttons. They needed a way to deny people for specific reasons. Meaning the employee dashboard just got a little more complicated.
Wednesday came around and yeah, we need a registration and login flow. Yikes.
Thursday came and the couple-thousand dollars turned into a tens of millions. The amount of users we expected just blew up.
Friday, and they needed a way for users to edit their submissions and re-submit if they were rejected. And we needed to send out emails for the status of their applications.
Every day, a new meeting. Every meeting, new requirements that were devastating given our timeframe.
We put in overtime. Came in on the weekend. And by Monday, we had a form that users could submit and a registration/ login flow. No reviewer dashboard. We figured we could take in user input on time and then finish the dashboard later.
Well, financial team has some qualms. They wanted a more complicated review process. They wanted roles; managers assign to assistants. Assistants review assigned items.
The deadline that we worked so hard on whizzed by without so much as a thought, much less the funeral it deserved.
Then, they wanted multiple people to review an application before it was final. Then, they needed different landing pages for a few more departments to be able to review different steps of the applications.
Ended up going live on Friday, close to a month after that fateful Monday which disrupted everything else I was working on, effective immediately.
I don't know why, but we always go live on a Friday for some reason. It must be some sort of conspiracy to force overtime out of our managers. I'm baffled.
But I worked support after the launch.
And there's a funny story about support too: we were asked to create a "submit an issue" form. Me and the other junior worked on it on a Wednesday three weeks into the project. Finished it. And the next day it was scrapped and moved to another service we already had running. Poor management like that plagued the project and worked in tandem with the dynamic and ridiculous requirements to make this project hell.
Back to support.
Phone calls give me bad anxiety. But Friday, just before lunch, I was put on the support team. Sure, we have a department that makes calls and deal with users. But they can't be trained on this program: it didn't exist just a month ago, and three days ago it worked differently (the slippery requirements never stopped).
So all of Friday and then all of Saturday and all of Monday (...) I had extended panic attacks calling hundreds of people. And the team that was calling people was only two people. We had over 400 tickets in the first two days.
And fuck me, stupid me, for doing a good job. Because I was put on the call team for **another** COVID project afterwards. I knew nothing about this project. I have hated my job recently. But I'm a junior. What am I gonna say, no?
-
Was at my sister's place a little while ago and somehow we came on the subject of her laptop.
For everyone who thinks I'm posting this solely to hate on windows, I'm not. This really happened and if you don't believe it, well, so be it, I guess.
Also keep in mind that she's using a stock version without anything except for Word and iTunes installed.
She got it a couple of years ago and I dual booted it for her (windows + ubuntu). I fully expected her to use windows because of office and outlook etc.
Asked her anyways:
Me: So, you've got dual boot, although I think I already know the answer, what system do you use mostly? (I didn't even consider that there was a possibility that the answer would be ubuntu or linux)
Sister: Ubuntu!
Me:
Me:
Me:
Me:
Me:
Me:
Me:
Me: 😵
Me: Sorry, what? You're not using windows as primary system?!
Sister: No. It at first takes that motherfucking system about 5 minutes to reach the FUCKING LOGIN SCREEN.
Me: Ow, that's bad :/
Me: *turns laptop on and indeed, it takes a fuckton of time*
Me: Is the password still the same as when I set it up for you?
Sister: Yesss.
Me: *types the password, it's working, loading screen appears*
Sister: Would you like a coffee?
Me: Uhm.... sure? But that would take you about 10-15 minutes to make.......?
Sister: Yes. And that's exactly how long it takes before that fucking piece of shit called windows has finally loaded the FUCKING DESKTOP.
Me: 😅
Me: Okay but it can't be that bad, right? I mean, I hate windows but you mostly need it for studies and such and as you know I'm not judging you for tha......
Sister: YES IT IS THAT FUCKING BAD. WHEN I'M IN CLASS, IT TAKES HALF THE FUCKING CLASS TO LOAD BEFORE I CAN OPEN WORD OR WHAT-THE-FUCK EVER.
THAT'S WHY I USE UBUNTU PRIMARILY, BECAUSE, ALTHOUGH IT'S NOT MY FAVOURITE SYSTEM, IT. JUST. FUCKING. WORKS.
Well, I did definitely NOT see that one coming!
There is some bloatware on there but definitely not as bad as what would cause this. Virus scan turned up empty. No. Fucking. Clue.
It's not a gaming laptop or anything but come on, it should run either windows or linux very well.
-
Motherfucker. It's two thousand fucking seventeen. You can get a free ssl certificate for any website.
Then WHY are there still some fucking websites which contain login portals, sensitive information or anything that SHOULD be protected in transit WITHOUT FUCKING SSL?!
I hope that the people who manage those sites and are AWARE that they can get a free cert but don't do that die in agonising pain.
This really fucking pisses me off.
On another note, EVERY site should have SSL, it's free anyways and protects your visitors from a range of threats.
-
So Nvidia doesn't let you use their GeForce Experience app anymore without logging in.
*Uninstalled*
Fuck that, I don't want to log in so I can see an FPS counter in my games or record them to my local disk or something like that... Fuck you Nvidia and fuck whoever decided that would be a good idea.
-
The Orange Juice Saga ....
I've just come off one of the stupidest calls ever.
Firstly, I am not in tech support, I'm a software developer - read the below with this in mind.
My client called up to say the system I created has been compromised. When he attempts to log in, he is logged off his Windows machine.
He'd also apparently taken his PC to ***insert large UK computer superstore here***, who took £100 plus to look at the machine and conclude his needs to buy a new PC.
I remoted into his computer to see WTF was going on.
As he described, visiting my login form did log you out. In fact, whenever you pressed the "L" key you were logged out. Press the "M" key, all windows were minimized. Basically, all Windows hotkeys appeared to be active, without the need to press the Windows key.
Whilst connected to his PC I spent a good 30 minutes checking keyboard settings and came up short.
After asking all the normal questions (has anything changed on your PC, have you installed stuff lately etc.) without any useful answers I got nothing.
I then came across an article stating several presses of the Windows key in quick succession will solve the issue.
I got the client to try this, pressed the "L" key (which would have logged me off previously) and the issue was resolved.
Basically, the Windows key was "stuck", which oddly makes your PC kind of useless.
I asked the client if they'd spilt anything on the keyboard whilst working. His exact words were, simply, lol:
"Oh yer, yesterday, I was trying to drink a glass of orange quickly and spilt some in the corner of the keyboard. I did clean it up quickly though".
Yep, the issue was due to the client spilling orange juice on their keyboard, which in turn made the Windows key stick.
Disaster averted.
A call that started with the client stating I made a system that was easily compromised (i.e. my fault), morphed into a sorry saga of cold drinks.
The client did ask why the ***superstore name*** charged him money for that and recommended a new machine. That is a good question and demonstrates some of the questionable tech support practices we see nowadays, even at very large stores.
To be fair to the client, he told me to bill him for half a days work as it was his own fault.
When I'm able to stop myself involuntarily face palming, I'm off for a swim to unwind :)
-
Ex-boss (who boasted 20 years of programming exp.) would not let us work on a web project saying we didn't have enough experience and said he'd do it alone... Fast forward to 3 days before presenting to the client, we get to check the login interface and immediately find that there's no actual security, no validation... Just 2 text boxes with hard-coded users and no way to add more without creating them in the db... And if you knew the next page's URL you could actually skip the login... Needless to say he was removed from the project that instant and we (interns at the time) had to do everything from scratch. A 3 months project done in 2 days. Never been more stressed in my life :'(
-
There was a time in Windows 95 where, during login, you could just press cancel and you were logged in without the need of a password.
-
Rant! I found a bug in a payment provider's API. The bug involves sending an invalid (!) Stripe ID to that API (which I send on purpose btw), which causes a complete white page when you log in to their systems and view the details of that customer. Btw the API will accept that invalid Stripe ID without questioning and returns a 200 status code back.
So I send a mail to their support saying "look I found this bug by accident, this is how you can reproduce it"
And the support team send me a message back saying "then don't send an invalid Stripe ID"...
You don't freaking say... *sigh*
-
Fuck the incompetent and "pretentious pseudo devs"!!
I have been developing a web portal for a student club for this really big company (as an intern) and then they assign this fuckin group of 4 stupid intern devs to work with me!
They fuckin tweaked my code and redirected the CONTACT FORM to the fuckin LOGIN CONTROLLER!!
Then these sons of Einstein inserted dummy users without a username and password into the fuckin production site!!
Now each fuckin time someone submits the contact form they are redirected into some random user account!!
Who the fuck needs hackers when we have these legendary coders -_-
-
Designer: Need to file a bug, I'm not getting an option to login with FaceID
Me: Oh weird bug. Is it setup on the phone you are testing with?
Designer: yes, use it in all other apps
Me: Did you get an error during onboarding on the FaceID screen?
Designer: nope no error
Me: ..... hhhmm, can you show me your settings?
Me: ... eh, says you have FaceID disabled for this app ... did you click "No" to FaceID during onboarding?
Designer: Yes, to test edge cases
Me: ................ ok ........ if you setup the app and told it to not allow FaceID to login ......... you won't get the ability to use FaceID to login .......... like .... by design .... on purpose ...... cause .... you told it to do that
Designer: No no, it needs to have a setting on the login screen to allow me to turn that back on incase I forget my passcode
Me: the fuck it does. Yeah we can't have anything on the login page that says, without authorization, change my settings
*Deep breath*
Me: Remember we had this conversation previously, where you didn't want the user to create a passcode during onboarding as it was too much friction, and wanted to do FaceID only. With your backup plan being to allow the user to create a NEW passcode on the login screen if FaceID failed .... remember that discussion we had about security? ... and how it's important? ... and that we like having any? Ok so it's the same reason as that, just with a different setting this time
Designer: ... hhmm i'm not sure I like this
Me: ... tough luck then, not happening
Me: oh and btw, remember we had that other talk about reproduction steps for bugs? Like when the app crashed and you told me it was because it's in light mode, and nothing else at all? So disabling FaceID is very relevant info to the problem of "I can't login with FaceID", please tell me these things first
-
I still miss my college days. Our crappy IT Dept restricted internet usage on campus. Each student used to get 10 GB of internet data and they used Cyberoam for login (without HTTPS). 10 GB was so less (at least for me).
Now, thanks to CS50, I learned that HTTP was not secure and somehow you can access login credentials. I spent a night figuring things out and then bam!! Wireshark!!!!
I went to the Central Library and connected using Wireshark. Within a matter of minutes, I got more than 30 user ids and passwords. One of them belonged to a Professor. And guess what, it had unlimited data usage with multiple logins. I felt like I was a millionaire. On my farewell, I calculated how much data I used. It was in TBs.
Lesson: Always secure your URLs.
-
Email. Fuck everything about it.
It's an obnoxious queue of messages I somehow must handle. And everyone in society expects you to have email. You can cancel your phone number, maybe even live without a house... but every hobo still must check their email.
It is an endless shitstream of things I don't want. Like a garden with some nice tomato plants, but then a really smelly weed starts invading and no matter what you do it keeps coming back.
I don't want to login to unsubscribe. I don't care about your "notifications center", or "managing the offers you receive from us".
And then your boss asks you to design an email campaign... I don't want to receive that shit, why would our customers? And even if I agreed with using email as a communication channel... YOU THOUGHT CSS IN INTERNET EXPLORER WAS A BITCH?
No really. Fuck email. Fuck everything about it.
-
3 rants for the price of 1, isn't that a great deal!
1. HP, you braindead fucking morons!!!
So recently I disassembled this HP laptop of mine to unfuck it at the hardware level. Some issues with the hinge that I had to solve. So I had to disassemble not only the bottom of the laptop but also the display panel itself. Turns out that HP - being the certified enganeers they are - made the following fuckups, with probably many more that I didn't even notice yet.
- They used fucking glue to ensure that the bottom of the display frame stays connected to the panel. Cheap solution to what should've been "MAKE A FUCKING DECENT FRAME?!" but a royal pain in the ass to disassemble. Luckily I was careful and didn't damage the panel, but the chance of that happening was most certainly nonzero.
- They connected the ribbon cables for the keyboard in such a way that you have to reach all the way into the spacing between the keyboard and the motherboard to connect the bloody things. And some extra spacing on the ribbon cables to enable servicing with some room for actually connecting the bloody things easily.. as Carlos Mantos would say it - M-m-M, nonoNO!!!
- Oh and let's not forget an old flaw that I noticed ages ago in this turd. The CPU goes straight to 70°C during boot-up but turning on the fan.. again, M-m-M, nonoNO!!! Let's just get the bloody thing to overheat, freeze completely and force the user to power cycle the machine, right? That's gonna be a great way to make them satisfied, RIGHT?! NO MOTHERFUCKERS, AND I WILL DISCONNECT THE DATA LINES OF THIS FUCKING THING TO MAKE IT SPIN ALL THE TIME, AS IT SHOULD!!! Certified fucking braindead abominations of engineers!!!
Oh and not only that, this laptop is outperformed by a Raspberry Pi 3B in performance, thermals, price and product quality.. A FUCKING SINGLE BOARD COMPUTER!!! Isn't that a great joke. Someone here mentioned earlier that HP and Acer seem to have been competing for a long time to make the shittiest products possible, and boy they fucking do. If there's anything that makes both of those shitcompanies remarkable, that'd be it.
2. If I want to conduct a pentest, I don't want to have to relearn the bloody tool!
Recently I did a Burp Suite test to see how the devRant web app logs in, but due to my Burp Suite being the community edition, I couldn't save it. Fucking amazing, thanks PortSwigger! And I couldn't recreate the results anymore due to what I think is a change in the web app. But I'll get back to that later.
So I fired up bettercap (which works at lower network layers and can conduct ARP poisoning and DNS cache poisoning) with the intent to ARP poison my phone and get the results straight from the devRant Android app. I haven't used this tool since around 2017 due to the fact that I kinda lost interest in offensive security. When I fired it up again a few days ago in my PTbox (which is a VM somewhere else on the network) and today again in my newly recovered HP laptop, I noticed that both hosts now have an updated version of bettercap, in which the options completely changed. It's now got different command-line switches and some interactive mode. Needless to say, I have no idea how to use this bloody thing anymore and don't feel like learning it all over again for a single test. Maybe this is why users often dislike changes to the UI, and why some sysadmins refrain from updating their servers? When you have users of any kind, you should at all times honor their installations, give them time to change their individual configurations - tell them that they should! - in other words give them a grace time, and allow for backwards compatibility for as long as feasible.
3. devRant web app!!
As mentioned earlier I tried to scrape the web app's login flow with Burp Suite but every time that I try to log in with its proxy enabled, it doesn't open the login form but instead just makes a GET request to /feed/top/month?login=1 without ever allowing me to actually log in. This happens in both Chromium and Firefox, in Windows and Arch Linux. Clearly this is a change to the web app, and a very undesirable one. Especially considering that the login flow for the API isn't documented anywhere as far as I know.
So, can this update to the web app be rolled back, merged back to an older version of that login flow or can I at least know how I'm supposed to log in to this API in order to be able to start developing my own client?
TLDR: In defense of Powershell - the rant:
I don’t get the Powershell hate.
You don’t hate a screwdriver for not being able to turn a nut, you just *don’t use a screwdriver to turn a nut*
Once you recognize what the tool is good for and you don’t try to use it like Bash, it’s wildly powerful, and satisfying to use in a way Cmd.exe never was.
Cygwin or a Linux Subsystem can only go so far on a Windows computer. You’re dealing with two fundamentally different OS architectures. It makes sense you’d need different tools.
And like it or not, Microsoft owns the non-tech-user desktop, corners the non-tech server business market, and Active Directory is THE tool for managing Windows desktops on a large scale - So Wanblows is not going away anytime soon.
Automation without some weird ass sysVol batch login script is finally possible. Anyone who knows .Net classes can leverage their methods from directly within Powershell. Remote management of headless Windows servers is now a reality. If you have an Office 365 Exchange server you can literally Powershell remote to it for management, just like your favorite cloud hosted Linux distribution.
No one said Windows is a better OS, but an object based shell on an object based OS *makes sense*. It’s useful for its environment. Let it be.
Just wow. I am amazed by what just happened.
A year ago my parents decided to switch from desktop to laptop for convenience. Knowing their needs, I bought them one without an OS and installed Ubuntu 16.04 on it. The thing is that if you do a regular maintenance of the laptop once a year at their partner company, you get an additional 4 years of warranty (this offer is amazing).
So today was the day I brought the laptop for this maintenance for the first time. They make you a profile on their support website where you can track shit regarding your device, super convenient. First thing I notice is that the login page was not https. Awkward, but there is no sensitive data here so I let it pass. Naturally I forgot my password, so I requested a new one and guess what? I received it in plaintext via mail. A tech repair oriented company does this, my god.
I went there, gave them the laptop in question and got a piece of paper, where they wrote that the laptop is in their hands now, and the current physical state of the laptop, and blabla.
I got home and I read what the guy wrote among other things: THE OPERATING SYSTEM IS NOT LEGAL.
How the fuck is Ubuntu not legal??? What the fuck is this shit? I sure as hell didn't torrent it or buy a bootlegged copy on the streets.
Background: I'm not drunk yet, BUT I'M WORKING ON IT.
okay.
I just finished a second sprint on my React app. The first was to build a merchant onboarding flow. The second was to do substantial cleanup as I learned more about react/redux, and to create a "supply order" flow -- basically purchasing marketing materials and services. I finished that in a week, and I'm pretty proud. api-guy wanted it done in a day. I laughed. He probably could have, but it would have been a copy of the code in a new repo with some lines changed.
ANYWAY. it's all done and It's super pretty and works amazingly well. It has both the onboarding flow and the ordering flow, with a nice pop-out sidebar for navigation, namespaced actions, etc. Everything is pretty clean. I even added a cart to the ordering (despite everyone telling me not to) because wtf, what if someone wants to order TWO items? dumbasses. So I made that. it's sexy.
Anyway, it's all done and shiny and fancy and wonderful and I'd *love* to share screenshots if only it didn't give away where I worked. :<
... but the point of the rant!
After the first sprint, I made a copy of the repo so I could rework it and add more functionality without touching the original. (Hey! That's what a branch is for, right? Why didn't I branch it up?
well, read on)
I knew we were going to have multiple separate flows for this app: onboard, ordering, merchant tools, admin tools, support, etc. So, I wrote its server portion (the webpack builder + http server) so it would serve the same app at whatever url the user hit, and set a cookie containing that host+url. This allows the app to serve different content (basically showing/hiding content) based on the URL and future login roles. If someone hits /order, it would hide everything but the order flow. If they're a merchant, it would show all the merchant views plus ordering, etc.
tl;dr This way I can use the same codebase for multiple sites, drastically simplifying development, branding, and what have you. This new app could obv also be a drop-in replacement for the original onboarding project because of the above.
HOWEVER. this apparently isn't good enough for api-guy. He's terrified that adding/updating future components will affect all the existing content somehow.
so.
now we have three repos for basically the same codebase. 1) onboard aka "surfboard", 2) ordering, 3) merchant tools, aka "ferrari" (the "future" app).
Except.
1) "surfboard" is a very old version of the code. 3) "ferrari" is also old, since 2) "ordering" has newer content in it now.
... and somehow this is better?
fuck if I can figure out how.
His reasoning is "well, you won't be touching surfboard or ordering for 6 months, so now you don't have to worry about it." Sure, except, you know, it'll be a pain in the ass in 6 months now when I have a crapton of code and branding to redo. ffs.
Oh. We also have three Heroku pipelines for these three repos. for the same codebase.
and now you know why I'm drinking.
idiocy fucking hell fuck this noise api guy i'm just gonna replace everything later this codebase is as dry as the friggin ocean
Devrant client update:
- load indicator on ajax execs
- changed the design yet again, hopefully final this time lol
- implemented ajax content loading so the menubar doesn't flash
- block users/keywords plugins done, only left to find a clean way to integrate it with the upcoming notifications, so no notifications are fired for blocked users or posts with blocked keywords (similar to twitter mute keywords)
- usernames linkifier plugin
- links get unshortened on feed too (via plugin), without losing the ability to press on a post
next is (just to name a few, the trello list is far bigger by now)
- login
- local notifications, should be firing without GCM/FCM too hopefully, which would be great for people on here that de-googled entirely and don't want microG
- port some of my userscript plugins I haven't yet
- theme system
- global and plugin settings
- plugin update system
- plugin import checks for obfuscated code, one line etc. and warns the user
- client update system
It was around 1997~1998, I was in middle school. It was a technical course, so we had programming language classes, IT etc.
The IT guy of our computer lab had been replaced and the new one had completely blocked access on the computers. We had to do everything on floppy disks, because he didn't trust us to use the local hard disk. Our class asked him to remove some of the restrictions, but he just ignored us. Nobody liked that guy. Not us, not the teachers, not the trainees at the lab.
One day a friend and I arrived a little bit early at the school. We went to the lab and another friend who was a trainee at the lab (and who is registered here, on DevRant) let us in. We had already memorized all the commands. We crawled through the dark lab to the server. We put in an MS-DOS 5.3 boot disk with a program to open NTFS partitions and, without turning on the computer monitor, we booted the server.
At that time, Windows stored all passwords in an encrypted file. We knew the exact path and copied the file into the floppy disk.
To avoid any problems with the floppy disk, we asked the director of the school to let us out just to get homework we had theoretically forgotten at our friend's house, which was on the same block as the school. We were not lying at all. He really lived there and he had the best computer of all of us.
The decrypt program kept running for one week until it found the password we wanted: the root.
We came back to the lab during class. Logged in with the root account. We just created another account with a generic name but the same privileges as root. First, we looked for any hidden backup on the network and deleted it. Second, we were lucky: all the computers of the school were on the same network. If you were the admin, you could connect anywhere. So we connected to a "finance" computer that really was the finances and we could get lists of all the students with debts, who had any discount etc. We copied it in case we were discovered and had to use something to bargain with.
Now the fun part: we removed the privileges of all accounts that were higher than the trainee accounts. They had no access to hard disks anymore. They had just the students privileges now.
After that, we changed the root password. Not even we knew it. And last, but not least, we changed the students' login, giving them trainee privileges.
We just deleted our account with root powers, logged in as student and pretended everything was normal.
End of class, we went home. Next day, the lab was closed. The entire school (that was school, mid school and college at the same place) was frozen. Classes were normal, but nothing more worked. Library, finances, labs, nothing. They had no access anymore.
We celebrated it as if it were New Year's Eve. One of our teachers came to us saying congratulations, as he knew it had been us. We answered with an "I don't know what you are talking about". He laughed and went to his class.
We really had fun remembering this "adventure". :)
PS: the admin formatted all the servers to fix the mess. They had plenty of servers.
Root has a deadline
I've been working on this CCPA ticket for a while. Admittedly too long, but I'm new to the codebase and it's fucking sprawling. There has also been a lot of back-and-forth on the ticket.
Anyway, I've had a few blockers, such as how mailers work, the legal copy, where to put an admin-facing link to the dashboard, how to build the jira integration (and its creds), etc.
Quite a while ago I asked Mr. Product, "Where should I put the ccpa dashboard link?" To which he responds: "I'll get you the answer today!" Awesome. Except he didn't. That day came and went without a peep. So, the next day I ask again: "Where should I put the ccpa dashboard link?" To which he responds: "I'll get you the answer today!" And that day comes and goes, too. I ask again, and you guessed it: "I'll get you the answer today." Repeat ad nauseam.
I also asked about the Jira integration and credentials. I got about the same treatment as above, but with a twist: they tell me to talk to / continue to bug Mr. H instead. Except Mr. H had been on PTO for weeks. Every time I ask, they keep referring me to him. A little over two weeks later (yesterday), I finally got a response from him. Yay! I was preoccupied with finishing the dashboard (which wasn't in the original ticket for some reason) so I didn't get a chance to look into it yet. After asking his boss three times, Mr. Product also finally (!!!) gave me a response on the link placement today, too! Though not directly: he discussed it with said boss in a group chat that I'm a part of, but never tagged me or told me directly. So, now I know where to put it (I think), but I have no idea how that area of the site is built (it's dynamic based on domain, login, and roles), so adding it will still be difficult.
The best part:
Today during standup, some lady I've only rarely seen before attends the meeting, doesn't say anything until the very end, and then announces that everything must be code-complete by tomorrow for release, and then promptly signs off.
For fuck's sake. I've had blockers on this for weeks, and now I need to finish it by fucking tonight?
I still don't know how to build the mailers (because translations and formats), nor how to actually send emails using them. I don't know how to modify the footer (dynamic, complex), how to add the admin-facing link (dynamic, complex), nor how to build a Jira integration (haven't even looked yet). I just got unblocked on two of these fucking today. and it needs to be done and code reviewed by tomorrow?
No bloody way.
Maybe I should go back to my previous job. 😡
rant root has a deadline traded my days for a pocketful of mumbles blockers deadlines nobody cares the boxer
The tech stack at my current gig is the worst shit I’ve ever dealt with...
I can’t fucking stand programs, especially browser based programs, to open new windows. New tab, okay sure, ideally I just want the current tab I’m on to update when I click on a link.
Ticketing system: Autotask
Fucking opens up with a crappy piss poor sorting method and no proper filtering for ticket views. Nope you have to go create a fucking dashboard to parse/filter the shit you want to see. So I either have to go create a metric-arse tonne of custom ticket views and switch between them or just use the default turdburger view. Add to that that when I click on a ticket, it opens another fucking window with the ticket information. If I want to do time entry, it just feels some primal need to open another fucking window!!! Then even if I mark the ticket complete it just minimizes the goddamn second ticket window. So my jankbox-supreme PC that my company provided gets to strugglepuff along trying to keep 10 million chrome windows open. Yeah, sure 6GB of ram is great for IT work, especially when using hot steaming piles of trashjuice software!
I have to manually close these windows regularly throughout the day or the system just shits the bed and halts.
RMM tool: Continuum
This fucker takes the goddamn soggy waffle award for being utterly fucking useless. Same problem with the windows as autotask except this special snowflake likes to open a login prompt as a full-fuck-mothering-new window when we need to open a LMI rescue session!!! I need to enter a username and a password. That’s it! I don’t need a full screen window to enter credentials! FUCK!!! Btw the LMI tools only work like 70% of the time and drag ass compared to literally every other remote support tool I’ve ever used. I’ve found that it’s sometimes just faster to walk someone through enabling RDP on their system then remoting in from another system where LMI didn’t decide to be fully suicidal and just kill itself.
Our fucking chief asshat and sergeant fucknuts mcdoogal can’t fucking setup anything so the antivirus software is pushed to all client systems but everything is just set to the default site settings. Absolutely zero care or thought or effort was put forth and these gorilla spunk drinking, rimjob jockey motherfuckers sell this as a managed AntiVirus.
We use a shitty password manager that no one besides me uses because there is a fully unencrypted oneNote notebook that everyone uses because fuck security right? “Sometimes it’s just faster to have the passwords at the ready without having to log into the password manager.” Chief Asshat in my first week on the job.
Not to mention that windows server is unlicensed in almost every client environment, the domain admin password is same across multiple client sites, is the same password to log into firewalls, and office 365 environments!!!
I’ve brought up tons of ways to fix these problems, but they have their heads so far up their own asses getting high on undeserved smugness since “they have been in business for almost ten years”. Like, Whoop Dee MotherFucking Doo! You have only been lucky to skate by with this dumpster fire you call a software stack, you could probably fill 10 olympic sized swimming pools to the brim with the logarrhea that flows from your gullets not only to us but also to your customers, and you won’t implement anything that is good for you, your company, or your poor clients because you take ten minutes to try and understand something new.
I’m fucking livid because I’m stuck in a position where I can’t just quit and work on my business full time. I’m married and have a 6m old baby. Between both my wife and I working we barely make ends meet and there’s absolutely zero reason that I couldn’t be providing better service to customers without having to lie through my teeth to them and I could easily support my family and be about 264826290461% happier!
But because we make so little, I can’t scrap together enough money to get Terranimbus (my startup) bootstrapped. We have zero expendable/savable income each month and it’s killing my soul. It’s so fucking frustrating knowing that a little time and some capital is all that stands between a better life for my family and I and being able to provide a better overall service out there over these kinds of shady as fuck knob gobblers.
I absolutely love the email protocols.
IMAP:
x1 LOGIN user@domain password
x2 LIST "" "*"
x3 SELECT Inbox
x4 LOGOUT
Because a state machine is clearly too hard to implement in server software, clients must instead do the state machine thing and therefore it must be in the IMAP protocol.
SMTP:
I should be careful with this one since there's already more than enough spam on the interwebs, and it's a good thing that the "developers" of these email bombers don't know jack shit about the protocol. But suffice it to say that much like on a real letter, you have an envelope and a letter inside. You know these envelopes with a transparent window so you can print the address information on the letter? Or the "regular" envelopes where you write it on the envelope itself?
Yeah not with SMTP. Both your envelope and your letter have them, and they can be different. That's why you can have an email in your inbox that seemingly came from yourself. The mail server only checks for the envelope headers, and as long as everything checks out domain-wise and such, it will be accepted. Then the mail client checks the headers in the letter itself, the data field as far as the mail server is concerned (and it doesn't look at it). Can be something else, can be nothing at all. Emails can even be sent in the future or the past.
Postfix' main.cf:
You have this property "mynetworks" in /etc/postfix/main.cf where you'd imagine you put your own networks in, right? I dunno, to let Postfix discover what your networks are.. like it says on the tin? Haha, nope. This is a property that defines which networks are allowed no authentication at all to the mail server, and that is exactly what makes an open relay an open relay. If any one of the addresses in your networks (such as a gateway, every network has one) is also where your SMTP traffic flows into the mail server from, congrats the whole internet can now send through your mail server without authentication. And all because it was part of "your networks".
Yeah when it comes to naming things, the protocol designers sure have room for improvement... And fuck email.
Oh, bonus one - STARTTLS:
So SMTP has this thing called STARTTLS where you can.. unlike mynetworks, actually starts a TLS connection like it says on the tin. The problem is that almost every mail server uses self-signed certificates so they're basically meaningless. You don't have a chain of trust. Also not everyone supports it *cough* government *cough*, so if you want to send email to those servers, your TLS policy must be opportunistic, not enforced. And as an icing on the cake, if anything is wrong with the TLS connection (such as an MITM attack), the protocol will actively downgrade to plain. I dunno.. isn't that exactly what the MITM attacker wants? Yeah, great design right there. Are the designers of the email protocols fucking retarded?
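The envelope-versus-letter point above is exactly what a receiving MTA has to deal with: the envelope sender (SMTP MAIL FROM, recorded as Return-Path) and the From: header inside DATA are independent values. The following is an added example, not code from the rant or from any mail server, of the kind of check a defender runs on an inbound message: compare the two sender domains and sanity-check the Date: header, since the rant also notes that mail can claim to be sent in the future or the past. The envelope address, the raw message and the clock value are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy
from email.utils import parseaddr, parsedate_to_datetime
from typing import List, Optional

# Constructed sample of what an MTA sees for one delivery:
# the envelope sender comes from the SMTP MAIL FROM command ...
ENVELOPE_SENDER = "bulk@example.net"

# ... while the message itself (the DATA part) carries its own From: header.
# Here the header claims the mail is from the recipient herself.
RAW_MESSAGE = b"""\
From: alice@example.org
To: alice@example.org
Subject: hello from yourself
Date: Tue, 01 Jan 2030 00:00:00 +0000
Message-ID: <constructed-1@example.org>

This is a constructed test message.
"""


def check_message(envelope_sender: str, raw: bytes,
                  now: Optional[datetime] = None,
                  skew: timedelta = timedelta(hours=24)) -> List[str]:
    """Return a list of findings for a message received over SMTP.

    An empty list means the envelope and the letter agree and the Date:
    header is plausible. Findings are strings so they can go straight
    into a log line or a spam-scoring rule.
    """
    findings: List[str] = []
    msg = message_from_bytes(raw, policy=policy.default)
    now = now or datetime.now(timezone.utc)

    # 1. Envelope sender domain vs. header From: domain.
    env_domain = envelope_sender.rpartition("@")[2].lower()
    _, header_from = parseaddr(msg.get("From", ""))
    hdr_domain = header_from.rpartition("@")[2].lower()
    if not header_from:
        findings.append("missing or unparsable From: header")
    elif hdr_domain != env_domain:
        findings.append(
            f"envelope sender domain {env_domain!r} != header From domain {hdr_domain!r}")

    # 2. Date: header must exist, parse, and sit near the receiving clock.
    date_hdr = msg.get("Date")
    if date_hdr is None:
        findings.append("missing Date: header")
    else:
        try:
            sent = parsedate_to_datetime(date_hdr)
        except (TypeError, ValueError):
            findings.append(f"unparsable Date: header {date_hdr!r}")
        else:
            if sent.tzinfo is None:          # naive -> treat as UTC
                sent = sent.replace(tzinfo=timezone.utc)
            if sent - now > skew:
                findings.append("Date: header is in the future")
            elif now - sent > skew * 30:
                findings.append("Date: header is far in the past")
    return findings


if __name__ == "__main__":
    clock = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed receive time
    for finding in check_message(ENVELOPE_SENDER, RAW_MESSAGE, now=clock):
        print("finding:", finding)
```

In a real deployment the envelope sender would come from the MTA (Postfix passes it to a content filter, and it is also what ends up in Return-Path), and a domain mismatch on its own is not proof of abuse: mailing lists and forwarders produce it legitimately, which is why this belongs in a scoring pipeline next to SPF and DKIM results rather than as a hard reject.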
Something I probably shouldn't talk about:
One of the projects at work has a specific path you can visit. The """security""" is that nobody should know the path. But I can guaran-fucking-tee you it's not difficult to guess.
On this page, ***without a login***, you can view some user information. Well, you can view all of it, but only certain fields.
And if you perform a specific action on this page, you can get their password, plaintext.
This project is not mine. But learning all of this made me super uneasy. I had to share it.
Warning: long read....
I got a call this morning from a client who was panicking about not being able to login to his web panel.
So I went to the web panel and tried to login and was just redirected back to the login page. No errors or anything (at least visible on the page). Went looking for an error_log file and found it.
It turns out there was an error was showing: Disk quota exceeded.
So I went into the cPanel and checked, he used about 16GB out of 100GB and that got me confused. So I looked around and found out he was using about 510000/500000 inodes.
Went looking through FTP to see where he has so many files and try and remove some.
Well it turns out that there were about 7 injected websites (warez, online casino, affiliate one etc) and a full hacking web panel on his FTP. After detailed analysis, someone who actually built the site (I just maintain some parts) had made an upload form available to the public without any checks on it. Meaning anyone could upload whatever they wanted and the form would allow it.
The worst part is that the client is not allowing us to secure the form with some sort of login or remove it completely (the best option) as it is not really needed but he uses it to upload some pdf catalogs or something.
TL; DR;
Old programmer created an upload form that was accessible to anyone on the web without adding any security or check as to what kind of files were getting uploaded. Which led to having the maximum number of inodes used on the server and the client being unable to login.
Side note:
And ofc I had to go and fix the mess behind him again, even though he stopped working a long time ago and I started just recently and have been having nightmares of this project.
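The form in the rant above needed exactly three things it lacked: a login, a check on what is being uploaded, and a cap so one user cannot eat the account's inode quota. Below is an added example of that validation logic, not the original site's code and not tied to any framework; the allow-list is limited to PDF because that is what the client uses the form for. The function returns a verdict rather than writing to disk so the policy can be unit-tested on its own; the sample file bytes in the test are constructed.

```python
import os
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# Policy for this form: the client uploads PDF catalogs, nothing else.
# Each allowed extension maps to the leading bytes a genuine file must carry.
ALLOWED: Dict[str, bytes] = {
    ".pdf": b"%PDF-",
}
MAX_BYTES = 20 * 1024 * 1024        # 20 MiB per file (assumed limit)
MAX_FILES_PER_USER = 200            # inode budget per account (assumed limit)
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""           # name to use on disk when accepted


def validate_upload(original_name: str, data: bytes,
                    authenticated: bool, existing_count: int) -> Verdict:
    """Decide whether an upload may be stored and under which name.

    Order matters: the cheapest checks (login, quota, size) run before
    anything touches the file name or content.
    """
    if not authenticated:
        return Verdict(False, "login required")
    if existing_count >= MAX_FILES_PER_USER:
        return Verdict(False, "per-user file quota exhausted")
    if len(data) == 0 or len(data) > MAX_BYTES:
        return Verdict(False, "empty or oversize file")

    # Keep only the final path component; directory parts the client sent
    # (../, C:\, ...) are ignored, and the rest must be plain ASCII.
    base = os.path.basename(original_name.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        return Verdict(False, "unsafe file name")

    # Extension allow-list: the *last* extension decides, so a double
    # extension like catalog.pdf.php is rejected as .php.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return Verdict(False, f"extension {ext!r} not allowed")

    # The content must match the extension; renaming a script to .pdf fails here.
    if not data.startswith(ALLOWED[ext]):
        return Verdict(False, "content does not match extension")

    # Never reuse the client's name on disk: random name, fixed extension.
    return Verdict(True, "ok", secrets.token_hex(16) + ext)


def _demo() -> Tuple[Verdict, Verdict]:
    """Two constructed uploads: a real-looking PDF and a renamed script."""
    good = validate_upload("catalog.pdf", b"%PDF-1.4\n% constructed\n", True, 3)
    bad = validate_upload("catalog.pdf", b"<?php echo 'constructed'; ?>", True, 3)
    return good, bad


if __name__ == "__main__":
    for verdict in _demo():
        print(verdict)
```

The stored file should also live in a directory the web server serves only as static content with script execution disabled, because even a genuine PDF can carry a second payload after the header; the magic-byte check raises the bar but is not a parser.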
A few weeks ago I stepped onto the grounds of lovely Canada. Back then - coming from Europe - I was surprised. Free WiFi everywhere without all the bells and whistles of creating an account and such.
Well ... at least I thought so ...
Today I went to a location where they actually charge you for their wireless services - fair enough the coverage area is pretty huge - and provide you with an access coupon. All good my optimistic me told me but once the login page loaded...
There are a lot of things about UX I could rant about but let's put that aside. The coupon came from the office where they KNEW all your contact details but it required you to create an account with all of them again to redeem the coupon.
Not only that but it asked for things like the phone number - obviously asking for a Canadian landline number since hell who uses mobiles anyway with numbers longer than ten characters?! - and even though it had a nice country selection it kept the states field there even when selecting a country that doesn't have states ...
Oh, and on a regular phone screen (which would be the target user for WiFi on a campground I suppose) the input fields for state and zip were occluded by the margins of the input rendering the content invisible.
And if that weren't enough after creating your account they made you watch an ad as if the personal data and the 4$ you paid them wasn't enough for the lousy 400 KB/s you get for 24h ...
Gets better though! After creating the account they display your password to make sure you remembered it ... over a non-secured WiFi network ... and send you an email afterward ... password via unencrypted mail via an unencrypted WIRELESS connection ... not that it protects anything that would matter anyways you can just snoop the MAC of your neighbor and get in that way or for that sake get their password but oh well ...
Gosh, sometimes I just feel the urgent need to find the ones responsible and tell them to GTFO of the IT world ...
Is it just me feeling like this about crappy UI/UX design? Always wondering...
Sometimes I wonder how compromised my parents online security would be without my intervention.
My mom logged into her gmail and there was a red bar on top informing about Google preventing an attempted login from an unknown device.
Like typical parents / old people, that red bar didn't catch her attention but I noticed it immediately. I took over and looked into it. It showed an IP address and a location that was quite odd.
I went ahead with the Account security review and I was shocked to find that she had set her work email address as the recovery email!!
I explained her that work email accounts cannot be trusted and IT department of the workplace can easily snoop emails and other info on that email address and should not be related to personal accounts.
After fixing that issue, me being a typical skeptic and curious guy, I decided to find more info about that IP address.
I looked up the IP address on a lookup website and it showed an ISP that was related to the corporate office of her workplace. I noticed the location Google reported also matched with the corporate office location of her work.
Prior to this event, few days ago, I had made her change her gmail account password to a more secure one. ( Her previous password was her name followed by birth date!! ). This must have sent a notification to the recovery mail address.
All these events are connected. It is very obvious that someone at corporate office goes through employees email addresses and maybe even abuse those information.
My initial skepticism of someone snooping through work email addresses was right.
You're welcome mom!
Tech support for Friend...
Again...
Ok...
A friend ran down the hallway to my apartment, I opened the door for him and asked him "What The Fuck... Is wrong with you?!" He was just coughing like...
My... Laptop.... Is... Slow...
When he then eventually came to the point where he could breathe normally again I asked him to login into his by then super with shitty software bloated PC... It was a mess... A Desktop full of Shit... only Shit... I
then opened Chrome and Task Manager...
and holy shit... EVERYTHING! Literally ANYTHING was under 100% Load... Yet his shitty Fans weren't spinning up... Shutdown the Laptop and opened it... not to my surprise it was full of Dust... I cleaned it and booted it again... still 100% Load... I couldn't do shit without being bombarded with porn and Hentai Ads... So... I asked him "Did you make any backups to this machine?" He was like.. "*Really long explanation* No *Really long explanation*"
Great... I thought to myself... Then I said to him his PC was so trash that I only could Reset it to 0... He was like DO ANYTHING YOU CAN LITERALLY ANYTHING!
I then explained him, Resetting this PC Means literally 0 A Fresh start, nothing of your data will be there literally nothing...
He again Was like DO IT!
So I did... When it was done i showed him the result... He FREAKED OUT LIKE THE WORLD WAS GOING TO FUCKING END, HE SCREAMED AT ME WHAT THE HELL HAVE YOU DONE? REVERSE IT! REVERSE IT NOW!
I Then said to him, I reset it to 0, I said this would happen...
He then took his now perfectly running Laptop and Ran away...
tl;dr
Tech support for friend, Reset PC to 0, Freaked out AF...
Best part about the covid19 manufactured crisis?
Liquor stores deliver. Worst part about liquor stores delivering? Needing to use their shoddy websites.
I've been using a particular store (Total Wines) since they're cheaper than the rest and have better selection; it's quite literally a large warehouse made to look like a store.
Their website tries really hard to look professional, too, but it's just not. It took me two days to order, and not just from lack of time -- though from working 14 hour days, that's a factor.
Signing up was difficult. Your username is an email address, but you can't use comments because the server 500s, making the ajax call produce a wonderfully ambiguous error message. It also fades the page out like it's waiting on something, but that fade is on top of the error modal too. Similar error with the password field, though I don't remember how I triggered it.
Signing up also requires agreeing to subscribe to their newsletter. It's technically an opt-in, but not opting-in doesn't allow you to proceed. Same with opting-in to receiving a text notification when your order is ready for pickup -- you also opt-in to receiving SMS spam.
Another issue: After signing up, you start to navigate through the paginated product list. Every page change scrolls you to the exact middle of the next page. Not deliberately; the UI loads first, and the browser gets as close as it can to your previous position -- which was below that as the pagination is at the bottom -- and then the products populate after. But regardless of why, there is no worse place to start because now you must scroll in both directions to view the products. If it stayed at the very bottom, it would at least mean you only need to scroll upwards to look at everything on the page. Minor, but increasingly irritating.
Also, they have like 198 pages of spirits alone because each size is unique entry. A 50ml, 350ml, 500ml, 750ml, 1000ml, and 1750ml bottle of e.g. Tito's vodka isn't one product, it's six. and they're sorted seemingly randomly. I think it's by available stock, looking back.
If you fancy a product, you can click on it for a detail page. Said detail page lists the various sizes in a dropdown, but they're not sorted correctly either, and changing sizes triggers a page reload, which leads to another problem:
if you navigate to more than a few pages within a 10 or so second window, the site accuses you of using browser automation. No captcha here, just a "click me for five seconds" button. However, it (usually) also triggers the check on every other tab you have open after its next navigation.
That product page also randomly doesn't work. I haven't narrowed it down, but it will randomly decide to start failing, and won't stop failing for hours. It renders the page just fine, then immediately replaces it with a blank page. When it's failing, the only way to interact with the page is a perfectly-timed [esc], which can (and usually does) break all other page functionality, too. Absolutely great when you need to re-add everything from a stale copy of your signed-out cart living in another tab. More on that later. And don't forget to slow down to bypass the "browser automation" check, too!
Oh, and if you're using container tabs, make sure to open new tabs in the SAME container, as any request from the same IP without the login cookie will usually trigger that "browser automation" response, too.
The site also randomly signs you out, but allows you to continue amassing your cart. You'd think this is a good thing until you choose to sign in again... which empties your cart. It's like they don't want to make a sale at all.
The site also randomly forgets your name, replacing it with "null." My screen currently says "Hello, null". Hello, cruft!
It took me two days to order.
Mostly from lack of time, as i've been pulling 14 hour shifts lately trying to get everything done. but the sheer number of bugs certainly wasted most of what little time i had left. Now I definitely need a drink.
But maybe putting up with all of this is worthwhile because of their loyalty program? Apparently if you spend $500, you can take $5 off your next purchase! Yay! 1%! And your points expire! There are three levels; maybe it gets better. Level zero is for everyone; $0 requirement. There are also levels at $500 and $2500. That last one is seriously 5x more than the first paid level. and what does it earn you? A 'free' magazine subscription, 'free' classes (they're usually like $20-$50 iirc), and a 'free' grab bag (a $2.99 value!) twice per month. All for spending $2500. What a steal. It reminds me of Candy Crush's 3-star system where the first two stars are trivial, and the third is usually a difficult stretch goal. But here it's just thinly-veiled manipulation with no benefit.
I can tell they're employing some "smarketing" people with big ideas (read: stolen mistakes), but it's just such a fail.
The whole thing is a fail.
-
The gym I go to has an app for users to scan a QR code when they arrive and it has multiple HUGE issues.
This app shows the credit card info used for the direct debit without anything being redacted.
When the gym is signing up someone they give them a password so they can login, not too bad except the password is always the person's first name with the first letter capitalised.
This gets worse when you figure out that there is no way to change the password given to you AT ALL.
And just to top it all off, when you click the "Forgot Password" link on the login screen, the app just sends you an email with your password (your first name) in plain text.
The app also doesn't log you out or notify you if your login is used on a different device.
So I have tested this with 2 of my friends that go to the same gym and, with only knowing their email and first name (which I could have gotten from their email if I didn't know them), I can get into their app and see their credit card info without them being any the wiser.
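An added example (mine, not the gym app's code) of what "Forgot Password" should do instead of mailing the password back: the server stores only a PBKDF2 hash, so it could not mail the password even if it wanted to, and the reset email carries a random, hashed, short-lived, single-use token. The user store is an in-memory dict, `SENT_MAIL` is a stub outbox, and the `https://example.invalid/...` link is made up so the whole thing runs offline.

```python
"""Password-reset flow: a short-lived, single-use token instead of the password.

Added example, not the gym app's code. 'users' is an in-memory dict standing in
for the members table; SENT_MAIL is a stub outbox so nothing is actually sent.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

RESET_TTL_SECONDS = 15 * 60          # reset links die after 15 minutes
SENT_MAIL = []                       # stub outbox: (recipient, body)


def _hash_token(token: str) -> str:
    # Only the hash is stored: a leaked table row must not be enough to reset an account.
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # PBKDF2 means the server never holds a recoverable password, which is the
    # only reason "we emailed you your password" was possible in the first place.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def request_reset(users: dict, email: str, now: Optional[float] = None) -> None:
    """Behaves the same whether or not the address exists, so the form cannot be
    used to find out who is a member."""
    now = now if now is not None else time.time()
    user = users.get(email)
    if user is None:
        return
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": _hash_token(token), "expires": now + RESET_TTL_SECONDS}
    SENT_MAIL.append((email, f"Reset link: https://example.invalid/reset?token={token}"))


def complete_reset(users: dict, email: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Returns True and sets the new password only for a fresh, unexpired, matching token."""
    now = now if now is not None else time.time()
    user = users.get(email)
    pending = user.get("reset") if user else None
    if not pending or now > pending["expires"]:
        return False
    if not hmac.compare_digest(pending["hash"], _hash_token(token)):
        return False
    user["password"] = hash_password(new_password)
    user["reset"] = None            # single use
    user["sessions"].clear()        # kick every other device, which the gym app never does
    return True
```

Redeeming a token also clears every other session, which covers the other complaint above (a login used elsewhere keeps working silently). Because `request_reset` does the same thing for unknown addresses, the form cannot be used to enumerate members either.
-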
Ticket: “feature [x] doesn’t work”
Me: “I’ll need more details: how do I reach feature [x]? In which of the three projects you assigned me is that?”
Manager: “the design is in the ticket”
Me, in my head: “can you effin listen to what I told you before giving air to your mouth?”
Me, in person: “yeah I just need to know which project this refers to and how to reach it”
Manager: “but you have to open the ticket as a separate page!”
Me: “sure!” *waits 15 min, opens a ticket for more details, assigns it to manager, flags as blocking, flags the other one as blocked*
5 mins later: details are given and I can proudly fix it by reminding the manager they have to login in order to see feature [x]
Later in the workweek:
Manager at 8:00 URGENT FEATURE! MUST BE DELIVERED BY EOD
Me, 10:00 "can jump on it, need authorisation for [a procedure]"
Me, 11,12,13,15,16,17:30: pings for an answer
Manager, 17:58 “ah sorry didn’t see, we can do it tomorrow”
Is this the Matrix? Am I being stopped from developing because I am randomly accessing the Matrix's code without knowing it? Is this the Truman Show? And most importantly: can I please take part in a manager hiring session? I am curious to see how tf you hire such peculiar people.
-
My university has impeccable data management. I needed to ssh into their Linux server for an assignment but it refused to accept my login. Which was weird because I could login to the same account on one of our websites just fine. I typed my password into a text file and then copy and pasted it into both logins. The Linux one failed but the website succeeded. After some experimentation it turns out that the Linux server only recognized my username if I typed it in all lowercase, even though when I created the account it had uppercase characters as well.
So let me walk you through the sloppiness that had to have occurred for this to happen. When I first created the account it must have ignored what I entered and just saved the username in all lowercase without communicating that to me. Then the websites that use this account must either ignore case for usernames or lowercase the user input before querying the database. Finally, the Linux server, despite knowing that all the usernames are lowercase, is case sensitive and won't recognize the username as I originally typed it in.
Can you guess what department manages the account, website and Linux server? The Department of Computer and Information Science. Incredible.
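The mismatch described above comes from three systems each normalising the username differently (one lowercases silently, one ignores case, one matches bytes). As an added illustration, not the university's code: one canonical form, applied at registration and at every lookup, with the registration call returning the stored form so the user is told what was actually saved. `Directory` is a stand-in for the shared account database and `lookup_exact` reproduces the SSH server's byte-for-byte behaviour from the post.

```python
"""One canonical username form, applied at registration and at every lookup.

Added example, not the university's code. 'Directory' stands in for the shared
account database that the website and the Linux server both read.
"""
import unicodedata


def canonical_username(raw: str) -> str:
    """The single normalisation every consumer must apply.

    NFKC folds compatibility forms (full-width letters, ligatures) into their
    plain equivalents; casefold() is stricter than lower() (German sharp s -> "ss").
    """
    return unicodedata.normalize("NFKC", raw.strip()).casefold()


class Directory:
    def __init__(self):
        self._accounts = {}          # canonical username -> record

    def register(self, requested: str, display_name: str) -> str:
        """Stores the canonical name and RETURNS it, so the signup page can show
        the user what was saved instead of silently lowercasing it."""
        canon = canonical_username(requested)
        if canon in self._accounts:
            # "JSmith" and "jsmith" must not become two accounts
            raise ValueError(f"username {canon!r} already taken")
        self._accounts[canon] = {"username": canon, "display_name": display_name}
        return canon

    def lookup(self, raw: str):
        """What the web login and the SSH login should both call."""
        return self._accounts.get(canonical_username(raw))

    def lookup_exact(self, raw: str):
        """The Linux server's behaviour in the post: byte-for-byte match only,
        so the name the user originally typed is not found."""
        return self._accounts.get(raw)
```

The important property is that there is exactly one `canonical_username` and it is called on both sides of the boundary; the duplicate check at registration is what stops two visually identical names from becoming two accounts.
-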
Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)
So, I got bored, and irritated, so I decided to see just how secure the classroom really was.
It wasn't.
So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)
1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:
2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.
3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:
4. don't give admin privileges to an account without a password.
seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST privileges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?
anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.
I mean you no malice. just trying to help.
For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.
-- a guy who isn't very good at this and didn't have to be
have a nice day <3
oh, and I fixed the clock. you're welcome.
-
Well... I had in over 15 years of programming a lot of PHP / HTML projects where I asked myself: What psychopath could have written this?
(PHP haters: Just go trolling somewhere else...)
In my current project I've "inherited" a project which was running around ~ 15 years. Code Base looked solid to me... (Article system for ERP, huge company / branches system, lot of other modules for internal use... All in all: Not small.)
The original goal was to port to PHP 7 and to give it a fresh layout. Seemed doable...
The first days passed by - porting to an asset system, cleaning up the base system (login / logout / session & cookies... you know the drill).
And that was where it all went haywire.
I really have no clue how someone could have been so ignorant to not even think twice before setting cookies or doing other "header related" stuff without at least checking the result codes...
Basically the authentication / permission system was fully fucked up. It relied on redirecting the user via header modification to the login page with an error set in a GET variable...
Uh boy. That ain't funny.
Ported to session flash messages, checked if headers were sent, hard exit otherwise - redirect.
But then I got to the first layers of the whole "OOP class" related shit...
It's basically "whack a mole".
Whoever wrote this, was as dumb and as ignorant to build up a daisy chain of commands for fixing corner cases of corner cases of the regular command... If you don't understand what I mean, take the following example:
Permissions are based on group (accumulation of single permissions) and single permissions - to get all permissions from a user, you need to fetch both and build a unique array.
Well... The "names" for permissions are not unique. I'd never expected someone to be so stupid. Yes. You could have two permissions named "article_search" - while relying on uniqueness.
All in all all permissions are fetched once for lifetime of script and stored to a cache...
To fix this corner case… There is another function that fetches the results from the cache and returns simply "one" of the rights (getting permission array).
In case you need to get the ID of the other (yes... two identifiers used in the project for permissions - name and ID (auto increment key))...
Let's write another function on top of the function on top of the function.
My brain is seriously in deep fried mode.
Untangling this mess is basically like getting pumped up with pain killers and trying to solve logic riddles - it just doesn't work....
So... From redesigning and porting from PHP 7 I'm basically rewriting the whole base system to MVC, porting and touching every script, untangling this dumb shit of "functions" / "OOP" [or whatever you call this garbage] and then hoping everything works...
A huge thanks to AURA. http://auraphp.com/
It's incredibily useful in this case, as it has no dependencies and makes it very easy to get a solid ground without writing a whole framework by myself.
Amen.
-
My new team more or less forced me to change from a Windows machine to a Mac (Mac book pro, I think?) due to "compatibility issues", so I thought I might as well see what all the Mac fuzz is about. Here is a list of my observations so far:
- If you try powering on the mac book with more than one DisplayPort cable plugged in, the screen will go black until you plug all DP cables out
- If you unplug your DisplayPort cables to go to a meeting you can expect one of the monitors getting frozen on the blurry login screen (without any login prompt) when you get back (while the main monitor shows your desktop without the taskbar)
- If you get out of range from your wireless peripherals (keyboard in this case) while going to a meeting your keyboard layouts are most likely deleted and reset to U.S qwerty when you get back to your desk
- When pressing quit on any application you can't expect it to close and clear up memory, it will remain in the background until you force kill it.
- There is a 50/50 chance that your Mac book never wakes up from sleep
Best thing is that I found out today that the software we use is completely compatible with any RedHat/Solaris distro.
Rant over.
-
They added a JavaScript that checks the login info. Worst part: an if statement was the only thing keeping you from logging in without the correct password
-
TLDR: crappy api + idiot ex client combo rant // letting off steam
I saw a lot of people bitching about APIs that don't return proper response codes and other stuff..
Well let me tell you a story. I used to work on a project where we had to do something like booking, but better..crossbreed with the Off&Away bidding site (which btw we had to rip off the .js stuff and reverse engineer the whole timer thingy), using free versions of everything..even though money wasn't an issue (what our client said). Same client decided to go with transhotel because it was sooooo gooood... OK? Why had no one heard of them then?
Anyhow, the api was xml based.. we had to send some xml that was validated against a schema, we received another that was supposed to be validated againts another schema.. and so on and so on..
...
...
supposed..
The API docs were nonexistent.. What was there, was broken English or Spanish.. Even had some comments like Add This & that to chapter xy.. Of course that chapter didn't even exist yet. :( And the last documentation they had, was really really old..more than a year, with visible gaps, we got the validation schemas not even listed in the docs, let alone described properly.
Yaaay! And that was not everything.. besides wrong and missing data, the API itself caused the 500 server error whenever you were no longer authenticated.
Of course it didn't tell you that your session was dead.. Just pooof! Unhandled crap everywhere!
And the best part?! We handled that login after inspecting what the hell happened, but sent the notification to the company anyways.. We had a conf call, and sent numerous emails explaining to them what a 'try catch' is and how they should handle the not authenticated error <= BTW they should have had a handled xml response for that, we got the schema for it! But they didn't. Anyhow, after two agonizing days talking back and forth they at least set up the server to be available again after the horrified 500 error. Before, it even stopped responding until reset (don't ask me how they managed to do that).
Oh yeah, did I mention this was a worldwide renowned company?! Where everybody spoke/wrote English?! Yup, they have more than 700 people there, of course they speak English! <= another one of my ex client's fabulous statements... making me wanna strangle him with his tie.. I told him I am not talking to them because no-one there understood/spoke English and it would be a waste of my time.. Guess who spent almost 3 hours to talk to someone who sounded like a stereotypical Indian support tech guy with a flu speaking Italian?! // no offence please for the referenced parties!!
So yeah, sadly I don't have SS of the fucked up documentation..and I cannot post more details (not sure if the NDA still holds even though they canceled the project).. Not that I care really.. not after I saw how the client would treat his customers..
Anywayz I found on the interwebz some proof that this shitty api existed..
picture + link: https://programmableweb.com/api/...
SubRant: the client was an idiot! Probably still is, but no longer my client..
Wanted to store the credit card info + cvc and owner info etc.. in our database.. for easier second payment, like on paypal (which he wanted me to totally customize the payment page of paypal, and if that wasn't possible to collect user data on our personalized payment page and then just send it over to paypal api, if possible in plaintext, he just didn't care as long as he got his personalized payment page) or sth.... I told the company owner that they are fucking retards if they think they can pull this off & that they will lose all their (potential) clients if they figure that out.. or god forbid someone hacked us and stole the data.. I think this shit is also against the law..
I think it goes without saying what happened next.. called him ignorant stupid fucktard to his face and told him I ain't doing that since our company didn't even have a certificate to store the last 4 numbers.. They heard my voice over the whole firm.. we had fish-tank like offices, so they could all see me yelling at the director..
Guess who got laid off due to not being needed anymore the next day?! It was the best day of my life..so far!! Never have I been happier to lose my job!!
P.S. all that crap + test + the whole backand for analysis, the whole crm + campaign emails etc.. the client wanted done in 6 months.. O.o
P.P.S. almost shat my pants when devRant notified me I cannot post and wanted to copy the message and then everything disappeared.. thank god I have written this in n++ xD
-
Always back up your data.
I came to my computer earlier today to find it on my Linux login screen. This could only mean one thing: something went horribly wrong.
Let me explain.
I have my BIOS set up to boot into Windows automatically. The exception is a reboot or something horrible happens and the computer crashes. Then, it boots me into Linux. Due to a hardware issue I never looked into, I have to be present to push F1 to allow the computer to start. The fact that it rebooted successfully, without me present, into *Linux*, could only mean one thing:
My primary hard drive died and was no longer bootable.
The warning was the BIOS telling me the drive was likely to fail ("Device Error" doesn't really tell me anything to be fair).
The massive wave of panic hit me.
I rebooted in hopes of reviving the drive. No dice.
I rebooted again. The drive appeared.
Let's see how much data I can recover from it before I can no longer mount it. Hopefully, I can come out of this relatively unscathed.
The drive in question is a 10 year old 1.5 TB Seagate drive that came with the computer. It served me well.
Press F to pay respects I guess.
On the bright side, I'll be getting an SSD as a replacement (probably a Samsung EVO).
-
The Hungarian public transport company launched an online shop (created by T-Systems), which was clearly rushed. Within the first days people found out that you could modify the headers and buy tickets for whatever price you set, and you could login as anyone else without knowing their password. And they sent out password reminders in plain text in non-encrypted emails. People reported these to the company which claims to have fixed the problems.
Instead of being ashamed of themselves now they're suing those who pointed out the flaws. Fucking dicks, if anyone they should be sued for treating confidential user data (such as national ID numbers) like idiots.
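On the ticket-price bug: the post doesn't say which field carried the price, so this added example (mine, not the shop's or T-Systems' code) assumes it was a `total` field in the order the browser sent. The vulnerable handler charges that figure; the hardened one recomputes the total from a server-side catalogue and treats any mismatch as tampering rather than honouring it. `CATALOGUE` and the request dicts are constructed sample data, not real fares.

```python
"""Server-side price computation for a checkout.

Added example, not the shop's code. CATALOGUE and the request dicts are constructed;
the assumption is that the tampered value arrived in a client-controlled 'total' field.
"""
from decimal import Decimal

CATALOGUE = {                               # constructed: product id -> authoritative price
    "single-ticket": Decimal("350"),
    "monthly-pass":  Decimal("9500"),
}


class TamperedRequest(Exception):
    """Raised for anything the client should not have been able to send."""


def checkout_vulnerable(request: dict) -> Decimal:
    """What the post describes: the client says what the order costs, and that is charged."""
    return Decimal(request["total"])


def server_total(items: list) -> Decimal:
    """Price the order from the catalogue only; ids and quantities are the sole client input."""
    total = Decimal("0")
    for item in items:
        if item["id"] not in CATALOGUE:
            raise TamperedRequest(f"unknown item {item['id']!r}")
        qty = int(item["qty"])
        if qty <= 0:
            raise TamperedRequest("quantity must be positive")   # negative qty = free money otherwise
        total += CATALOGUE[item["id"]] * qty
    return total


def checkout_hardened(request: dict) -> Decimal:
    """Recompute the total; a client-supplied figure is only ever compared, never used."""
    expected = server_total(request["items"])
    if "total" in request and Decimal(request["total"]) != expected:
        # log this: it is evidence of tampering, not a rounding problem
        raise TamperedRequest(f"client total {request['total']} != server total {expected}")
    return expected
```

The rule generalises beyond prices: anything that decides what the server does (price, discount, role, owner) is looked up or recomputed on the server, and the copy the client sends is at most a consistency check.
-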
So... did I mention I sometimes hate banks?
But I'll start at the beginning.
In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...
Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.
So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).
The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF 8 standard and so on).
The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?
Calling support, they claimed that it is a "technical necessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.
However, after three login attempts, the account is blocked, so a brute force attack turns into a DOS attack.
And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.
So, after getting nowhere with the support - After suggesting to change my username to something cryptic and insisting that their homegrown 2FA would prevent attacks. Unless someone would log in (which worked without 2FA because 2FA is only used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.
So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.
Contract void. Sometimes, I love dealing with idiots.
And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?
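The bank's three-strikes hard lock is what turns a weak password policy into a denial-of-service tool: anyone who knows (or guesses) an account identifier can lock its owner out and send them to a branch. This added example (mine, not the bank's system) shows a throttle that slows guessing without letting a stranger lock someone else out: back-off is keyed on (account, source), so an attacker's failures cost only the attacker delay, and a per-account counter only triggers a step-up check (second factor) instead of a lock. The `now` parameter exists so the tests can drive it with a fake clock.

```python
"""Login throttling that slows guessing without a stranger-triggerable hard lock.

Added example, not the bank's code. Policy: back-off per (account, source) so one
party's failures do not block another; per-account failures only add a step-up check.
"""
import time
from collections import defaultdict


class LoginThrottle:
    def __init__(self, window=900.0, per_source_free=3, per_account_stepup=20, now=time.monotonic):
        self.window = window                        # seconds a failure stays relevant
        self.per_source_free = per_source_free      # failures from one source before delays start
        self.per_account_stepup = per_account_stepup
        self._now = now                             # injectable clock
        self._fails = defaultdict(list)             # (account, source) -> failure timestamps
        self._account_fails = defaultdict(list)     # account -> failure timestamps, any source

    def _recent(self, stamps):
        cutoff = self._now() - self.window
        stamps[:] = [t for t in stamps if t > cutoff]   # old failures expire on their own
        return len(stamps)

    def required_delay(self, account, source) -> float:
        """Seconds this (account, source) pair must wait before trying again; 0.0 = go ahead."""
        n = self._recent(self._fails[(account, source)])
        if n < self.per_source_free:
            return 0.0
        return min(2.0 ** (n - self.per_source_free + 1), 60.0)   # 2, 4, 8 ... capped, never infinite

    def needs_step_up(self, account) -> bool:
        """Many failures against this account from anywhere: demand a second factor
        for the next login, but keep the door open for the real owner."""
        return self._recent(self._account_fails[account]) >= self.per_account_stepup

    def record_failure(self, account, source):
        t = self._now()
        self._fails[(account, source)].append(t)
        self._account_fails[account].append(t)

    def record_success(self, account, source):
        self._fails.pop((account, source), None)
```

With a 5-character password the keyspace is small enough that throttling alone does not save the bank; the point of the example is only that "lock after 3" is the wrong shape of control, because it hands the lock-out to whoever fails first.
-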
tl;dr:
The Debian 10 live disc and installer say: Heavens me, just look at the time! I’m late for my <segmentation fault
—————
tl:
The Debian 10 live cd and its new “calamares” installer are both complete crap. I’ve never had any issues with installing Debian prior to this, save with getting WiFi to work (as expected). But this version? Ugh. Here are the things I’ve run into:
Unknown root password; easy enough to get around as there is no user password; still annoying after the 10th time.
Also, the login screen doesn’t work off-disc because it won’t accept a blank password, so don’t idle or you’ll get locked out.
The lock screen is overzealous and hard-locks the computer after a while; not even the magic kernel keys work!
The live disc doesn’t have many standard utilities, or a graphical partition editor. Thankfully I’m comfortable with fdisk.
The graphical installer (calamares) randomly segfaults, even from innocuous things like clicking [change partition] when you don’t have a partition selected. Derp.
It also randomly segfaults while writing partitions to disk — usually on the second partition.
It strangely seems less likely to segfault if the partitions are already there, even if it needs to “reformat” (recreate) them.
It also defaults to using MBR instead of GPT for the partition table, despite the tooltip telling you that MBR is deprecated and limited, and that GPT is recommended for new systems. You cannot change this without doing the partitions manually.
If you do the partitions manually and it can’t figure out where to install things, it just crashes. This is great because you can’t tell it where to install things, and specifying mount points like /boot, /, and /home don’t seem to be enough.
It also tries installing 32bit grub instead of 64bit, causing the grub installer to fail.
If you tell it to install grub on /boot, it complains when that partition isn’t encrypted — fair — but if you tell it to encrypt /boot like it wants you to, it then tries installing grub on the encrypted partition it just created, apparently without decrypting it, so that obviously fails — specific error: cannot read file system.
On the rare chance that everything else goes correctly, the install process can still segfault.
The log does include entries for errors, but doesn’t include an error message. Literally: “ERROR: Installation failed:” and the log ends. Helpful!
If the installer doesn’t segfault and the install process manages to complete, the resulting install might not even boot, even when installed without any drive encryption. Why? My guess is it never bothered to install Grub, or put it in the wrong place, or didn’t mark it as bootable, or who knows what.
Even when using the live disc that includes non-free firmware (including Ath9k) it still cannot detect my wlan card (that uses Ath9k).
I’ve attempted to install thirty plus times now, and only managed to get a working install once — where I neglected to include the Ath9k firmware.
I’m now trying the cli-only installer option instead of the live session; it seems to behave at least. I’m just terrified that the resulting install will be just as unstable as the live session.
All of this to copy the contents of my encrypted disks over so I can use them on a different system. =/
I haven’t decided which I’m going with next, but likely Arch, Void, or Gentoo. I’d go with Qubes if I had more time to experiment.
But in all seriousness, the Debian devs need some serious help. I would be embarrassed if I released this quality of hot garbage.
(This same system ran both Debian 8 and 9 flawlessly for years)
-
Only touching the topic slightly:
In my school time we had a Windows domain where everyone would log in to on every computer. You also had a small private storage accessible as a network share that would be mapped to a drive letter so everyone could find it. The whole folder containing the private subfolders of everyone was shared so you could see all names but they were only accessible to the owner.
At some point, though, I tried opening them again but this time I could see the contents. That was quite unexpected so I tried reading some generic file which also worked without problems. Even the write command went through successfully. Beginning to grasp the severity of the misconfiguration I verified with other user folders and even borrowed the account of someone else.
Skipping the "report a problem" form, which would have been read at least within the next couple of hours but I figured this was too serious, I went straight to the admin and told him what I found. You can't believe how quickly he ran off to the admin room to have a look/fix the permissions.
Skipping the "report a problem" form, which would have been read at at least in the next couple hours but I figured this was too serious, I went straight to the admin and told him what I found. You can't believe how quickly he ran off to the admin room to have a look/fix the permissions. -
1. our public transport added a free wifi to busses, some years ago already. it's got a "login" page, connect to wifi, get a phone notification, tap it, opens page with an ad and 10 second timer on a "click to continue to internet" button.
... okay.
recently, the geniuses decided to harvest mail addresses, which... *gritting teeth* if you must...
BUT... "please input your mail address". i input and submit.
"we have sent a mail with confirmation link to that address, please click the link to confirm to get access".
FUCKING BRAINZOMBIES, HOW DO YOU EXPECT ME TO ACCESS MY MAILBOX TO ACCESS INTERNET WITHOUT THE ACCESS TO INTERNET?
2. i had a second unrelated minirant, but i forgot what it was, so another one instead:
a long time ago, in a country where i live, the transaction slip the ATM gives you after withdrawing money used to contain info about remaining funds after withdrawal.
then, the info was removed from the slip, and a "feature" was added to ATMs where you "can" check the money on the account.
doing so costs you 0.50€
greedy asshole fuckers.
-
MySQL databases beginning with "test" in the name give even people without login full access to their tables.
Somebody deleted all tables so we had to get a backup from out hoster.
Thanks MySQL.
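Background to the rant above, for anyone inheriting an old MySQL or MariaDB install: `mysql.db` used to ship with rows whose `User` is empty (which matches any user, including the anonymous account) granting privileges on `test` and `test\_%`, which is what `mysql_secure_installation` offers to remove. This added example (mine, not part of the post) takes rows shaped like `SELECT Host, Db, User, ... FROM mysql.db`, constructed inline here, works out which of them expose a given database name, and emits the cleanup statements.

```python
"""Finding the default grants that make `test` and `test\\_%` databases open to everyone.

Added example, not part of the post. SAMPLE_DB_ROWS is constructed to look like the
output of: SELECT Host, Db, User, Select_priv, Insert_priv, Drop_priv FROM mysql.db
"""
import re

SAMPLE_DB_ROWS = [                 # constructed sample; first two rows are the old defaults
    {"Host": "%", "Db": "test",     "User": "",    "Select_priv": "Y", "Insert_priv": "Y", "Drop_priv": "Y"},
    {"Host": "%", "Db": "test\\_%", "User": "",    "Select_priv": "Y", "Insert_priv": "Y", "Drop_priv": "Y"},
    {"Host": "localhost", "Db": "shop", "User": "app", "Select_priv": "Y", "Insert_priv": "Y", "Drop_priv": "N"},
]


def _like_to_regex(pattern: str) -> str:
    """mysql.db.Db is matched as a LIKE pattern: % -> .*, _ -> ., backslash escapes."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if c == "%" else "." if c == "_" else re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def db_matches(db_pattern: str, database: str) -> bool:
    # case-insensitive on purpose: conservative, since how the server compares
    # depends on lower_case_table_names
    return re.match(_like_to_regex(db_pattern), database, re.IGNORECASE) is not None


def anonymous_grants(rows, database: str):
    """Rows that let a connection with *no* named user (User = '') touch `database`."""
    return [r for r in rows if r["User"] == "" and db_matches(r["Db"], database)]


def cleanup_sql(rows) -> list:
    """DELETEs for every empty-User row, plus the FLUSH that makes them take effect."""
    stmts = [
        "DELETE FROM mysql.db WHERE Host='{}' AND Db='{}' AND User='';".format(
            r["Host"], r["Db"].replace("\\", "\\\\"))   # keep the literal backslash in test\_%
        for r in rows if r["User"] == ""
    ]
    return stmts + ["FLUSH PRIVILEGES;"] if stmts else []
```

Run the real query against your server, feed the rows to `anonymous_grants` for each database you care about, and review `cleanup_sql` before executing it. Dropping the anonymous `''@'localhost'` user from `mysql.user` is the other half of the fix; the `test` prefix is only dangerous because that user exists.
-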
Client wants a webapp where every label on all form inputs is configurable, even the fucking login form ("Login" and "Password" text)
They also want it to send emails where the message is configurable too (they can insert your own HTML)
So basically they want the entire fucking webapp to be configurable, all without requiring any code change.
I could use a "configurable" torture device right now.
-
A few days ago Aruba Cloud terminated my VPS's without notice (shortly after my previous rant about email spam). The reason behind it is rather mundane - while slightly tipsy I wanted to send some traffic back to those Chinese smtp-shop assholes.
Around half an hour later I found that e1.nixmagic.com had lost its network link. I logged into the admin panel at Aruba and connected to the recovery console. In the kernel log there was a mention of the main network link being unresponsive. Apparently Aruba Cloud's automated systems had cut it off.
Shortly afterwards I got an email about the suspension, requested that I get back to them within 72 hours.. despite the email being from a noreply address. Big brain right there.
Now one server wasn't yet a reason to consider this a major outage. I did have 3 edge nodes, all of which had equal duties and importance in the network. However an hour later I found that Aruba had also shut down the other 2 instances, despite those doing nothing wrong. Another hour later I found my account limited, unable to login to the admin panel. Oh and did I mention that for anything in that admin panel, you have to login to the customer area first? And that the account ID used to login there is more secure than the password? Yeah their password security is that good. Normally my passwords would be 64 random characters.. not there.
So with all my servers now gone, I immediately considered it an emergency. Aruba's employees had already left the office, and wouldn't get back to me until the next day (on-call be damned I guess?). So I had to immediately pull an all-nighter and deploy new servers elsewhere and move my DNS records to those ASAP. For that I chose Hetzner.
Now at Hetzner I was actually very pleasantly surprised at just how clean the interface was, how it puts the project front and center in everything, and just tells you "this is what this is and what it does", nothing else. Despite being a sysadmin myself, I find the hosting part of it insignificant. The project - the application that is to be hosted - that's what's important. Administration of a datacenter on the other hand is background stuff. Aruba's interface is very cluttered, on Hetzner it's super clean. Night and day difference.
Oh and the specs are better for the same price, the password security is actually decent, and the servers are already up despite me not having paid for anything yet. That's incredible if you ask me.. they actually trust a new customer to pay the bills afterwards. How about you Aruba Cloud? Oh yeah.. too much to ask for right. Even the network isn't something you can trust a long-time customer of yours with.
So everything has been set up again now, and there are some things I would like to stress about hosting providers.
You don't own the hardware. While you do have root access, you don't have hardware access at all. Remember that therefore you can't store anything on it that you can't afford to lose, have stolen, or otherwise compromised. This is something I kept in mind when I made my servers. The edge nodes do nothing but reverse proxying the services from my LXC containers at home. Therefore the edge nodes could go down, while the worker nodes still kept running. All that was necessary was a new set of reverse proxies. On the other hand, if e.g. my Gitea server were to be hosted directly on those VPS's, losing that would've been devastating. All my configs, projects, mirrors and shit are hosted there.
Also remember that your hosting provider can terminate you at any time, for any reason. Server redundancy is not enough. If you can afford multiple redundant servers, get them at different hosting providers. I've looked at Aruba Cloud's Terms of Use and this is indeed something they were legally allowed to do. Any reason, any time, no notice. They covered all their bases. Make sure you do too, and hope that you'll never need it.
Oh, right - this is a rant - Aruba Cloud you are a bunch of assholes. Kindly take a 1Gbps DDoS attack up your ass in exchange for that termination without notice, will you?
-
TL;DR: Google asked me to PROVIDE a phone number to verify connection from a new device, on the said device.
Yesterday, to log into my work Google account from my personal laptop to check emails, calendar updates and so on, I opened up a private navigation window, went to the Google sign-in page, entered my credentials, all is well.
Google then decided to "verify it's me" and prompted me to PROVIDE a phone number (work account without work phone means no phone number set up) so that they can send a verification code to the number I just provided to make sure the connection is legit.
Didn't want to do that, clicked "use another method" and got asked to fill the last password I remember, which would be my current password thanks to my trusty password manager. After submitting, I'm prompted with an error saying I have to contact my admin to reset my password because they can't log me in with my CURRENT password.
I ain't gonna do that, so went back to login page, provided my phone number, got the code, filled in the code, next thing I know I'm browsing through my emails.
What the duck? Could have been anybody giving any phone number. So much for extra security.
Also don't care that they have my phone number, the issue is more about the way used to obtain it: locking me out of my account and having no other way of logging in.
-
I just got an email that a client changed their DNS zone files to point at a new server. Turns out that they haven't set the server up yet. Client is wondering why that domain's emails aren't working, and why their site is down. They didn't want to give me the Domain's portal login credentials until now, because they "could do it without [me]." Tomorrow morning should be fun.
-
A while ago I stumbled upon this cheap VPS provider called dedistation (lowest was $15/year), so I ended up buying a one year subscription and transferred all of my personal sites to it. Fast forward six months later, Uptime Robot notified me that my VPS was down. No problem, I'll just submit a ticket. A few days go by and I have yet to receive a response. Not a problem, I'll just try and login via the serial interface and get my shit, no luck there either.
Seems like these motherfuckers just packed up and went offline without a shit given.
No response, no notification until today! How much more of a twat could a company be?
Lessons learned the hard way
- always backup regularly
- check and transfer nameserver or no emails for days.
- you get what u pay for (haven't learned this fully yet. Went again with a cheap legit-ish provider (arubacloud)7 -
Social Captain (a service to increase a user's Instagram followers) has exposed thousands of Instagram account passwords. The company says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started.
According to TechCrunch: Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain text, as they had connected their account to the platform. A website bug allowed anyone access to any Social Captain user's profile without having to log in; simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information easily. The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch. -
TL;DR: my first VPS got hacked; the attacker flooded my server log when I discovered and removed him, so I couldn't use my server anymore because the log was taking up all the space on the server.
The first Linux VPS I ever had (when I was a noob and had just started with vServers and Linux in general, obviously) got hacked within 2 months of getting it.
As I didn't know much about securing a Linux server, I made all these "rookie" mistakes: having SSH on port 22, allowing root access via SSH, no key auth...
So, the server got hacked without me even noticing. Some time later, I received a mail from my hoster who said "hello, someone (probably you) is running portscans from your server", of which I had no idea... So I looked in the logs, and BAM, "successful root login" from an IP address which wasn't me.
After I found out the server got hacked, I reinstalled the whole server, changed the port, activated key auth and installed fail2ban.
Some days later, when I finally had everything configured the way I wanted, I observed I couldn't do anything with that server anymore. Found out there was absolutely no space on the server. Ran a scan to find files to delete and found a logfile. The SSH logfile. It took up a freaking 95 GB of space (of a total of 100 GB on the server). Turned out the guy who broke into my server got upset I discovered him and bruteforced the shit out of my server, flooding the logs with failed login attempts...
I guess I learnt how to properly secure a server from this attack 💪 -
Starting to feel like shit about my new job. Every task my boss gives me I return with a "sorry, it can't be done" for one reason or another. At first it was because user interface testing is a nightmare, then it was because the API Postman tests he wanted are for endpoints we haven't exposed, so it can't be done, and the automated login on Postman and retrieval of cookie information can't be done through Postman because it requires rendering the site in a browser. I feel worthless to the company, but I also feel he keeps making up tasks for me without checking if they're actually useful to us or even possible first, rather than let me touch any of the real code.. I don't know if I should just quit tbh.
-
How bad is it for a Fortune 500 company to open port 22 over the internet for all its Linux servers?? Today, I reported this to my boss and he said "it won't be a problem, no one can login without a password".
-
I'm in a situation here. I had an idea for an app and I started coding it. Since I'm a front end developer I find it not amusing to do the backend part. I then started to share the idea and such with a good classmate (not a coder). I then made him join me on this adventure. After a lot of coding he said he wanted to contribute with something since I'm coding all day and he's not. Then we agreed on freelancing the back end part.
Some time later we got a pretty good deal on some Indians doing the whole app. I thought to myself "this feels kinda good!" so we went on with the freelancer.
Days went to months and we finally got the app back. I made the mistake of paying him all the milestones without testing the app in its wholeness, later finding out that one part of the login system didn't work. That led to a deeper debug to find out that the core function of the app was commented out.. I then wrote the freelancer back, with minimal and slow response.
Now the deadline of the app is like in 2 months. If not, we miss a whole year.
My classmate knows about this and he's the one who paid for the freelancing. Now we have talked about me doing the whole backend myself.
The only issue I have now is that I feel like he's just sitting home doing nothing other than flashing money around and me busting my ass off writing code that I really am not good at (basically learning more than coding).
But he paid a lot of money for this.. So I feel kinda bad for him.
Rip life. -
I'm currently planning to set myself up with some VPS/dedicated servers for a project. What I plan to do to secure these servers is:
* Use CentOS 7
* Set up WireGuard and join all of the servers + 1 client (my PC) to that network
* Disable SSH access from outside that VPN
* Only allow RSA key login to the servers
* Install Cockpit for monitoring
* Install Docker/Kubernetes for the applications I plan to run
What do you guys think of that as a baseline? I'm not sure if my lower powered VPS (VPS M SSD from Contabo) will work as Kubernetes nodes, does anyone have experience with that?
In general these servers will be used for my projects and other fooling around.
If you guys have other suggestions for securing/monitoring or other software I could put on to have more control without eating up too much of the servers' power, let me know :D -
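A way to check a box against that baseline (and against the "rookie mistakes" listed in the hacked-VPS rant above), as an added example that is not the poster's own setup: the script audits an sshd_config for key-only login, no root password login, and listening only on the WireGuard address. The address 10.8.0.1 and the two sample config files are constructed for the example.

```shell
#!/bin/sh
# Added example, not the poster's own config: audit an sshd_config against
# the baseline in the post (SSH only on the WireGuard address, key login
# only, no root password login). sshd honours the FIRST occurrence of a
# keyword, and anything after a "Match" block is conditional, so the
# checks below read only the global section.
# Assumptions (constructed): WireGuard server address 10.8.0.1, two sample
# config files written to a temp dir.

# effective_value FILE KEYWORD -> prints the value of the first
# non-comment, global occurrence of KEYWORD (empty if unset)
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# listen_only_on FILE ADDR -> 0 if at least one ListenAddress is set and
# every one is ADDR; with no ListenAddress at all sshd listens everywhere
listen_only_on() {
    awk -v want="$2" '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == "listenaddress" {
            n++
            split($2, host, ":")      # ListenAddress may carry a :port suffix
            if (host[1] != want) bad++
        }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }
    ' "$1"
}

# audit_sshd FILE WG_ADDR -> prints one FAIL line per missed check,
# returns 0 only when the config matches the baseline
audit_sshd() {
    fails=0
    v=$(effective_value "$1" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] ||
        { echo "FAIL PasswordAuthentication=${v:-yes (default)}"; fails=$((fails + 1)); }
    v=$(effective_value "$1" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] ||
        { echo "FAIL PubkeyAuthentication=$v"; fails=$((fails + 1)); }
    v=$(effective_value "$1" PermitRootLogin)
    case "${v:-yes}" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin=${v:-yes (default)}"; fails=$((fails + 1)) ;;
    esac
    # keyboard-interactive is a second password path that PAM can still
    # serve even with PasswordAuthentication off (CentOS 7 era keyword)
    v=$(effective_value "$1" ChallengeResponseAuthentication)
    [ "${v:-yes}" = "no" ] ||
        { echo "FAIL ChallengeResponseAuthentication=${v:-yes (default)}"; fails=$((fails + 1)); }
    listen_only_on "$1" "$2" ||
        { echo "FAIL ListenAddress is not restricted to $2"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# --- constructed sample configs ---
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
# stock-style config: password login on, root login on, listens everywhere
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$tmp/hardened.conf" <<'EOF'
# the baseline from the post, expressed as sshd directives
ListenAddress 10.8.0.1
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF

for f in default hardened; do
    if audit_sshd "$tmp/$f.conf" 10.8.0.1; then
        echo "$f.conf: OK"
    else
        echo "$f.conf: needs work"
    fi
done
```

Run it against /etc/ssh/sshd_config and the WireGuard address of the box; `sshd -T` prints the effective values if a directive is hidden behind an Include or Match block the script does not follow.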
I swear I get multiple emails every week from a person who's forgotten their password but instead insists our software is broken. "Account Broken, Can't Login!"
I've started just replying to these emails without even checking their accounts anymore -- or even opening up the system.
I'll say, "I'm sorry to hear that! I've looked into your account and it should work now."
I always get a reply back "THANKS! It works great now!"
Then I facepalm. -
Why does Google FRP even exist?!
For everyone who doesn't know what FRP is: FRP (Factory Reset Protection) is a partition on an Android device that stores data about the last used Google account on the device. It "protects" the device from being used by a second person (or a thief) even AFTER a factory reset when executed via the bootloader.
Last week I bought an HTC One A9 second-hand w/o any documents. I ensured it had been reset, so I took it home... I then wanted to set it up, as the following message appeared on the screen: "This device has been reset. Please login using a Google account that has been synced with this device before."
I checked the IMEI for being blacklisted, but it wasn't. Unlocking the bootloader and erasing the frp partition is not an option, because on HTC devices you have to enable OEM unlocking in the settings first. Someone stated on a forum that you can bypass the bootloader lock with a "RUU Image" (I'm not familiar with this so pls don't blame me for that statement). But since the phone has a branding from Vodafone Germany, I can't find a RUU Image that would flash the device without a CID mismatch...
Why the f*** does Google have to implement a feature that prevents using the phone when bought from another person that you don't know? -
The company I used to work for, despite me not working there, contacts me to get a verification code because the crappy developer they hired can't change a couple of settings on the Apple website and add themselves as a developer.
At the start of all this, a couple of months back, I gave them the code out of courtesy, but at this point, as I'm heavily invested in the development stage of my actual job as a VR developer, I won't take time out of my day to even answer the phone for them.
But what really pisses me off is the person who contacts me, presumably my best friend, who during the last 12 months has only called me for these codes, or work related shit or just personal shit and never to hang out or play games or generally what we used to do as friends before he got a job at that stupid company, doesn't have the balls to tell his boss that I'm busy with my job, that maybe if payment was offered as an incentive then I would be happy to be contacted.
When I left that company I didn't set up anything to make it so they would have to contact me, all I did was add myself as a developer of their app. I also heavily documented everything I did, all the issues I faced and the workarounds I found, and everything including all login information needed to get things working. I went above just "developing" the app: I added in all the credits to all work used in the app, partly to make sure we don't get sued for stealing someone's work without the right credit.
I hate the fact that I worked for minimum wage and did all of this shit, but I never complained at all about things like the 1 1/2 hour travel time (one way I might add) to my boss, the amount of money I spent on public transportation, the little money left over that I didn't even spend and instead gave to my parents.
They know nothing about how hard that year was for me, and if they want to get this code, my so called friend can come chat in person, in his off time and when I'm done working on my own shit, and we can discuss terms, because this shit is just not fair at all. -
TLDR;
I reminisce about Yahoo site builder and talk about finding the record of the Google search that changed my life a long time ago, and I think it's fucking great.
Earlier I re-installed Google Chrome but unlike every other time, this time I forgot to turn off the auto-sync feature. I only realized this when I opened Gmail and it pre-populated my login info with the info of my very first, long forgotten Gmail account.
So naturally I went exploring... after going through the mails I decided to check out the actual Google account to see if there was anything of interest there and lo and behold I found around 7 years of browsing history that I had no idea Google stored at the time.
As scary as it was to see I'm kinda glad about it now because aside from finding out that I was going through an Asian porn phase in 2008 I also found the one Google search record that changed my life.
It was a search to download Yahoo site builder followed by a bunch more on how to use it.
I had stumbled across a random article about it and it caught my eye because I needed a website for the grocery store I was a manager of back then.
Thankfully it was a fucking horrible WYSIWYG editor. I recall it acting almost identically to Word at the time - I would save and back up my site constantly because moving something 1px would fuck the layout up and burn everything to the ground, Ctrl+Z would try and do something, reversing only my last action while leaving the rest of the site in tatters, and I didn't have the skills to understand or fix it...
Ultimately my frustration led me to learn a bit of HTML & CSS and a week or so later it became apparent it would be easier to code the damn thing from scratch, so I uninstalled Yahoo site builder and started all over again.
Learning & building that site in Notepad ignited my passion for coding and less than a year later I left my shitty dead end job to join a brand new tech company created with the help of a like minded investor, officially employed as a developer. Let me help you understand just how big this achievement was for me - I had been trying to find a job, ANY job in IT, even at a call center level, without success for 6 years because I dropped out of school.
In 6 years as an active job seeker I only received one phone call about a job opportunity which ended very quickly once they realised they had misread my CV. In all those years I never even got a single job interview.
After that I spent the next 3 years rolling out and improving the cloud based loyalty card system I had written for my store out on a national scale and the rest is history. Since then I have never been judged by a crappy piece of paper, hated my job or struggled to find a new one.
What a beautiful search result that was to find.
I dedicate this rant to Yahoo, with my sincere gratitude for making a shitty WYSIWYG editor that was so bad it pissed me off enough to make me actually learn something. -
Your three-second password retry delay is far more likely to annoy users than to prevent a brute-force attack.
If you insist on a retry delay, let the user enter a password five times without any delay. This would make no difference in the grand scheme of the trillions of retries needed for a brute-force attack, and guessing a password takes longer than three seconds of thinking anyway.
Another alternative is a tenth of the password retry delay but one added character. One added character slows down a brute-force attack by at least sixty-two (62) times, so one more character but a tenth of the password retry delay would still mean more than six (6) times the protection against brute-forcing.
On Linux, the password retry delay can thankfully be reduced by changing a value inside /etc/pam.d/common-auth or /etc/pam.d/login (out of scope for this post, you can search online for more details). -
The global joke of Information Security
So I broke my iPhone because the nuclear adhesive turned my display into a shopping bag.
This started the ride for my character arc in this boring dystopia novel:
Amazon is preventing me from accessing my account because they want my password, email AND mobile phone number in their TWO-STEP Verification.
Just because one too many scammers managed to woo one too many 90+y/o's into bailing their long lost WW2 comrades from a Nigerian jail with Amazon gift cards and Amazon doesn't know what to do about it anymore,
DHL is keeping my new phone in a "highly secure" vault 200m away from my place, waiting for a letter to register some device with a camera because you need to verify your identity with an app,
all the while my former car insurance is making regress claims of about 7k€ against me for a minor car accident (no-one hurt fortunately, but was my fault).
Every rep from each of the above had the same stupid bitchass scapegoat to create high-tech supra chargers to the account deletion request:
- Amazon: We need to verify your password, whether the email was yours and whether the phone number is yours.
They call it 2-step-verification.
Guess what Amazon requests to verify you before contacting customer support since you don't have access to your number? Your passwoooooord. While you're at it, click on that button we sent you, will ya? ...
I call this design pattern the "dement Tupi-Guarani"
- DHL: We need an ID to verify your identity for the request for changing the delivery address you just made. Oh you wanted to give us ANOTHER address than the one written on your ID? Too bad bro, we can't help, GDPR
- Car Insurance: We are making regress claims against you, which might throw you back to mom's basement, oh and also we compensated the injured party for something else, it doesn't matter what it is but it's definitely something, so our claims against you just rose by 1.2k. Wait, you want proof we compensated anything to the injured at all? Nah mate we can't do that, GDPR. But trust me, those numbers are legit, my quant forecasted the cost of children's Christmas wishes. You have 14 days or we'll see you in court haha
I am also their customer in a pension scheme. Something special to Germany, where you save some taxes but have to pay them back once you get the fund paid out. I have sent them a letter to terminate the contract.
Funniest thing is, the whole rant is my second take. Because when I hit the post button, devRant made me verify my e-mail. The text was gone afterwards. If someone from devRant reads this, you are free to quote this in the ticket description.
Fuck losing your virginity, or filing your first tax return, or by God get your first car, living through this sad Truman dystopia without going batshit insane is what becoming a true adult is.
I am grateful for all this though:
Amazon's safety measures prevented me from spending the money I can use to conclude the insurance odyssey, and DHLs "giving a fuck about customers" prevention policies made me support local businesses. And having ranted all this here does feel healthy too. So there's that.
Oh, cherry on top. I can't check my balance, because I can only verify my login requests to my banking account wiiiiiiith...? -
I have an issue with my Laravel routing. Can you help me out, @bittersweet?
I have a custom "/home" route called "/admin" and I set the protected property in the LoginController:
$redirectTo = "/admin";
And it works fine, if I log in from guest. But when I navigate to "/login" as auth-user it still redirects me to "/home".
What the fuck is this? What do I have to change to make this work? Who has to be fucked? Is it possible to solve this without sacrificing a virgin at bloodmoon? And why are platypuses so fucking ugly? -
//rant
So I ordered myself a web server and am trying to get access to phpMyAdmin.
I got a generated username and password for the phpMyAdmin login.
So I created MySQL databases and database users outside the interface, but that's fucking it, I need to create tables as well, can't do that without the interface, cuz NO ACCESS!
Fucking piece of shit service provider, they had one thing to do and they can't even fucking do it right. How dare they call themselves web hosts at all...
It's probably a badly configured config file but I can't access the file myself to start sorting this shit out, so I've got to wait at least 12 hours till work hours to be able to contact them and sort this shit out. -
At first glance, this week's group rant seems perfect for me since I have drunk coded at least 2 to 3 times per month (my TGIFs are usually followed by Saturday morning demo meetings).
However I cannot say I have had any particular "worst" code that I have done so far.
Yea I once formatted and installed some linux distro while drunk and couldn't remember the login info the next morning.
Yea I once exported, imported between dbs from prod and local while drunk and lost this and that data.
Yes I once decided to organize my repositories and somehow deleted some repos without any backup while I was drunk.
I was fine. I somehow solved my way out by either bullshitting or being quiet or fixing without any sleep. Most of the time nobody really comprehended the extent of my actions. So I was fine. Hence I really don't have any particular worst drunk coding experience yet.
Best drunk coding experience?
Well I do not agree that coding while drunk is a pleasurable or fun thing to do. So I don't really have that either.
This week's topic is actually a very tough one although it might seem easy. -
Yet another day at my company. I'm rewriting some old code for a client (rewriting an old PHP 4 system for vindication management) and you know the moment when you are focused and someone comes to you to absolutely ruin your focus. Fine, whatever. Oh, for fuck's sake. Again a dev is doing support because one moron together with a second one can't log in to the Zimbra admin panel and add a fucking mailbox. I show them exactly how they log in, remind them they are admins too, slowly show them: so you click "manage", then you click that gear icon and then you click "new", fill in the email address and password. As simple as 1-2-3. Okay, fuck it, time to go for a cig. I just finish up a few lines and stand, grab my vape and start walking towards the door. In the door I find my buddy with 2 random people. He told me that they are interns and that I should show them some basics and stuff around that. Oh god, fuck my life. If anything, I'm definitely a very bad teacher, mainly because I often have problems with saying what I mean in a way that somebody actually understands and knows what I am trying to say. Whatever. Fuck it all. I grab two of our old laptops that nobody used in like a year or so, and the first thing I quickly figure out is that one day, for some what-the-fuck reason I don't even bother to remember, I installed Arch on both, while I don't usually use Arch. I just needed it for some specific reason. Whatever. So I guess I will need to upgrade the fucking system. Our network isn't really great so that was like... an hour or so. In the meantime I figured out what they know about coding in general etc, and holy shit. One of them (there was a boy and a girl), the girl, apparently never ever in her life even touched code. Well... fuck. Why am I wasting my time? Because there was some programme or some shit like that... Someone could have told me before so I could mentally prepare.. fuck it. whatever.
So while the laptops are doing their pacman thing, I sit with them and slowly start to explain, based on my machine, some really basic concepts. The second guy actually had some experience, he knew how to make some really really basic logic and stuff, so he had another world of problems, because it was PHP and, as we all know, everyone hates PHP, and... yeah.. You can probably imagine his approach. Yes, you get user input in a super global array. I really wanted to say "Now shut the fuck up and write that fucking $_POST".
An hour or so passed, I was close to giving up so as not to let my anger rise (I'm not really a good teacher... I mentioned it. I suck at teaching others) but luckily the machines upgraded. He wanted to use Visual Studio Code, she didn't care too much, so I installed PhpStorm in trial mode. Whatever. Since that's Linux and they were not comfortable with that, I walked them through installing a LAMP stack, and when it finally started to look like a LAMP stack, I requested them to google how to install Xdebug, because Xdebug is very useful and googling skill is your best weapon in that field. I go for a cig, come back and what I see boiled me a little bit. The girl was stuck looking at the GitHub page, randomly looking through Xdebug source code and idk... hoping for a miracle (she admitted she thought there would be instructions somewhere) and the guy was in a good place, Xdebug has a place to paste your phpinfo() for custom instructions. But it didn't work for him, he claims that the wizard told him it can't help him.. hmm, interesting, are you sure you pasted in phpinfo? Yes, he is sure. Okay, show me.
Again mindblown how someone can have problems with reading.
So his phpinfo() looked like that:
```php
<?php
phpinfo();
```
I highlighted on the page the words "output of phpinfo". He somehow didn't see it or something. He didn't know, he thought that he needs to put in phpinfo so he did. OMG.
Finally, I figured out I could work around my intern problem, and I just briefly showed them php.net, how the documentation looks, said to always google in English, if you use a tutorial to read the whole fucking thing, not just some parts of it, and left them with a simple task, that took them the whole day and at which they ultimately failed.
To make 3 buttons labeled "1", "2", "3" and if someone presses one of them, remember in the session that they pressed it and disallow pressing the other ones.
Never fucking again interns. Especially those who randomly, without apparent reason, almost literally just spawn in front of you and here, it's your fucking problem now.
Fuck it, I have some time to get back to my stuff. Time is running so let's not waste it.
After around 15 minutes one of my superiors comes in and asks me if I can go to a meeting with him and another superior. My buddy goes with us, and for the next 3 hours I was basically explaining that you cannot do some things (i.e. know XYZ happened without any source of information) in code, and I can't listen for callbacks from ABC because it won't send any, cuz in their fucking brilliant idea ABC can't even know that this script would even exist, not to mention it wants callbacks.
Sometimes I hate my job. -
Last year, one of our government organizations' website's edit page was editable without login credentials... People could easily modify or even delete a company. They had login functionality for employees and it was pretty much useless.
-
trying to login fb
username : ...........
pass : ...................
without thinking just type that pass
error changed pass 2 year back
again try to remember same password
:(
unable to remember -
starting new job on monday, already received a new laptop... with windows 10... Asked if i can install Linux - absolutely not. Without exceptions.
*very long and slow sigh*
started it up, started customizing. Tried to remove a shortcut from desktop - a popup to login as admin...
*even longer and slower sigh, even though the previous one was near my limit*
can't wait to get started.
P.S. pros still outweigh the cons. But this is gonna be exhausting... -
So, it's been a while since I've been working on my current project and I've never had the "luck" to touch the legacy project written in PHP, until this week when I got my first issue.
And damn, this goddamn issue. It was a bug, a very strange bug, that only happens in production and that nobody had any idea what was happening with, so yeah, I didn't have anyone to ask and I got less time than usual (because Thanksgiving).
And thus, I have no starting point, no previous knowledge of PHP and less time! I expected a very fun week 😀 and it was beyond my expectations.
First I tried to understand what might be causing the issue, but there wasn't any real clue to start with, so no choice, time to read the flow of the code and see what they're doing and using (1k line files, yay, legacy). Luckily I got some clues: we're using a cookie and a PHP session variable for the session, ok, let's start with the session variable. Where is it being initialized? Well, spoiler alert, I shouldn't have started with that, because my search ended up in the login method of the API that sets that variable, and for some reason in the front end app it was always false, and that led me to think that some of the new backend functions were failing, but after checking the logs I got no luck.
Ok, maybe the cookie is the issue, I should try opening the previous website in the brow...redirect to new project login, What? Why? I ask around and it's a new feature pushed on Monday, ok I got Chrome Dev tools, I can see which value of the cookie has been set and THERE IT WAS, it has a wrong domain! After 2 days (I summarise a lot of my pain) I got what I've been looking for, so now I should be able to fix the bug. Then where is the cookie initialized? In the first file the server hits whenever you try to enter any page of the app, ok, I found the method, but it's using a function that processes the domain and sets it correctly? wtf? Then how in heaven do I get the incorrect domain? Hello? Ok, relax, you still have one more day to fix this, let's take it easy.
Then, at the end of Wednesday, nope, I still have no clue how this is happening. I talked with the DevOps guy and he explained to me how this redirection happens and what it depends on, I followed the PHP code through and nothing, everything should work fine, sigh. Ok, I still have 2 days, because I'm not from the US and I'm not in the US, so I still have time, but the Sprint is messed up already, so whatever, I'm gonna have this bug done anyhow.
Thursday! I got sick, yay, what else could happen this week. Somehow I managed to work a little and start thinking about what external issue could affect the processing, maybe the redirection was bringing a wrong direction, let's talk with the DevOps guy again, and he answered me that the redirection was being made by PHP code, IN A FILE THAT DOESN'T EXIST IN THE REPOSITORY, amazing, it's just amazing. Then he explained to me why this file might be missing and how the deployment of this app works (btw the DevOps guy is really cool and I will buy him a beer). After that I checked the file and I saw a random session_start in the first line of the code, without any configuration, eureka! There was the cause and I only needed to ask someone if that line is still necessary, but oh, they're on holiday, damn, well I'll wait till Monday to ask them. But once and for all that bug was done for! 🎉
What did I learn? PHP, and that I don't want any more tickets about PHP 😆. -
This morning, I was logging in on the site I was working on without problem.
After lunch, I couldn't log in. No reason why.
Then I found out why. Someone modified the login in the database, and warned everyone.
Everyone except the ones that are working on the website (me and my team). -
Trying to authenticate a JWT token from an Azure service, which apparently needs to use Azure AD Identity services (Microsoft Entra ID, Azure AD B2C, pick your poison). I sent a request to our Azure admin. Two days later, I follow up, "Sorry, I forgot...here you go..."
Sends me a (small) screenshot of some of the properties+GUIDs I need, hoping I don't mess up, still missing a few values.
Me: "I need the instance url, domain, and client secret."
<hour later>
T: "Sorry, I don't understand what those are."
Me: "The login URL. I assume it's the default, but I can't see what you see. Any shot you can give me at least read permissions so I can see the various properties without having to bother you?"
T: "I don't see any URLs, I'll send you the config json, the values you need should be in there."
<10 minutes later, I get a json file, nothing I needed>
<find screenshots of what I'm looking for, send em to T>
Me: "The Endpoints, what URLs do you see when you click Endpoints?"
<20 minutes later, sends me the list of endpoints, exactly what I'm looking for, but still not authenticating the JWT>
Me: "Still not working. Not getting an error, just that the authentication is failing. Don't know if it's the JWT, am I missing a slash, or what. Any way I can get at least read permissions so I don't have to keep bugging you to see certain values?"
T: "What do you need, exactly?"
Me: "I don't know. I don't know if I'm using the right secret key, I can't verify if I'm using the right client id. I feel like I'm guessing trying to make this work."
T: "What exactly are you trying to get working?"
<explain, again, what I'm trying to do>
T: "That's probably not going to work. We don't allow AD authentication from the outside world."
Me: "Yes we do. Microsoft Teams, Outlook, the remote access services. I can log into those services from home using my AD credentials."
T: "Oh yea, I guess we do. I meant what you are trying to do. Azure doesn't allow outside services to authenticate using a JWT. Sorry."
FRACK FRACK FRACK!!
Whew! Putting the flamethrower away.
Thanks devRant for letting me rant. -
Been a mobile developer since April, liking the experience and the amount of projects that I've been a part of.
And one of the things that I've learned about this is that sometimes the client doesn't even know what he really wants. I mean for fuck's sake, we implement everything, and new functionalities, and there's always something that works on every other app (and is basically a standard) and he thinks it's not supposed to be like that...
And another thing. Fuck Apple Store. At the company we've developed an app that practically shows information that only users should see (in our logic it is sensitive information from our clients) and they DECLINED THE APP 4 FUCKING TIMES. Reason? Since the app's purpose "isn't correlated" with the basic information we show, the user can navigate through the app without going through login.
We basically added an "explore option" that shows basically nothing and they accepted. FUCK APPLE FOR WASTING OUR TIME AND THE CLIENT'S TIME -
4 months ago, my team had the task of redesigning the login page of our main app. Really nice design. Since it was fairly simple, it was given to one of our summer camp guys to do something useful. After he finished, it was stuck in a merge request and no one bothered to check it; as it was not important for our POs, it simply got forgotten...
Last week, since I was bored and remembered about it, I decided to check it and fix the small issues it had, without telling anything to our PO, just did it, asked for code review and added it to our latest release.
Today I overheard 2 guys from analytics team:
"Hey, have you seen our new login page?"
"There is a new WordPress developer so he just does his job well"
Our application is not in WordPress, only our company's website is!
Our application is in Angular!
There is no new WordPress developer! We only have an offer looking for one!
WTF
-
Just moved flats with a last minute confirmation; sadly the flat in question is not eligible for fibre broadband (high-rise) so I had to settle for good old ADSL.
Find a good deal (as all providers are offering the same speeds/technology; all ADSL broadband in the UK is provided through BT landlines) to discover there is a mandatory 2 week waiting period to switch over ownership...
Fine, will wait 10 days for internet (torture, except for devRant on mobile internet, thanks for being text only); box arrives 3 days ago stating not to plug it in until the activation date...
Fine, I shall wait. Today I get impatient and set up the router without connecting it to the landline so I can use the WiFi to connect to my NAS etc. Log in to WiFi, navigate to NAS IP .... Automatic reroute to "login" page: "We have detected your router is not connected to the landline, ensure your router is properly connected". Try logging into the management site, works, change admin password etc. No setting to disable the "self heal" functionality. No setting to set up static routes for my lab router. No setting to switch to modem-only mode for when I inevitably buy a new wireless router for when this piece of crap can't handle the internal network traffic...
All this for a pitiful 10/? Mbps average. I want my fibre connection back :'(
-
Facepalm Monday...
My colleague refuses to provide the breaking changes in our login API in a separate version to the other teams depending on it.
What is the reason for his stubborn rejection?
It's scrum. We haven't planned the effort for realising a versioning concept for our API.
Let's build it in the next sprint as a part of the live deployment strategy.
The point he misses is that the Product Owner wants his API change deployed during the next sprint.
Additionally, it is best practice to have a compatible, deployable product after each sprint, without any risks.
Furthermore, another best practice when providing your API is one URI without a version part that holds the current development of the API, and URIs with a version part in them to keep a specific request/response structure and behaviour.
What really grinds my gears are sayings like 'if the other teams had programmed their software well, modifying our API wouldn't have any effect on them'.
C'mon dude. That's far from reality, as anybody knows.
I can't accept that we provide unprofessional API builds, as he is going to do.
So, I have to spend my time and energy to change his mind, together with other software architects, planning the big thing API Gateway *sigh*
-
Dear Microsoft,
I really like SQL Server, but my dbms (ssms) is like 2 years old, I installed it from a predownloaded exe we had.
Can you please let me download the update without asking me to register?
Every day for the last few years I have had to see the update notification and resist the urge to click it and be prompted with a login page.
Dearly, a Linux user who develops in .NET, sometimes
-
No devRant, I do not want to install your app. Let me use your website on my mobile browser without desktop mode and without the need to log in.
-
Who actually started the reign of mixed-character passwords? Because seriously, it sucks to have an unnecessarily complex password! Like websites and apps requesting passwords to contain upper/lower case letters, numeric characters and symbols without considering the average user with a low memory threshold (i.e. me).
Let's push the complaint aside and return to the actual reason a complex password is required.
As we already know, passwords are made complex so they can't be easily guessed by the password crackers used by hackers, and the primary reason behind adding symbols and numbers to a password is simply to stretch the range of possible guesses.
Now let's take a look at the logic behind a password cracker.
To hack a password,
1) The password cracker will usually look up a dictionary of passwords (this step is necessary for any possible outcome).
2) It attempts to log in multiple times with the list of passwords found (in most cases successful entries are found for passwords shorter than 8 chars).
3) If none was successful by the end of the dictionary, the cracker reformulates each password in the dictionary to match the popular standards of most websites (i.e. first letter uppercase, a number at the end followed by a symbol. Thanks to those websites!).
4) If any password was successful, the cracker adds it to a new dictionary called a "pattern builder list" (this gives the cracker an upper edge on that specific platform because most websites force a specific password pattern anyway).
In comparison:
>> Mygirlfriend98##
would be cracked faster compared to
>> iloveburberryihatepeanuts
Why?
Because the former is short and follows a popular pattern.
In reality, password crackers don't specifically care about the upper-lowercase-number-symbol bullshit! They care more about the length of the password, the pattern of the password and previously used entries (either from keyloggers or from previously hacked passwords).
So the need for requesting a humanly complex password is totally unnecessary, because it's a bot that is being dealt with, not another human.
My devRant password is a short story of *how I met my first girlfriend*. Good luck to a password cracker!
-
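As an added example (not part of the rant above or of devRant), here is a toy offline dictionary-plus-rules cracker in Python that does what steps 1 to 4 describe: it takes a wordlist, mangles each entry the way complexity rules push users to (capitalise, append a number, append a symbol), and checks every guess against a hash. The wordlist, the rules, the two sample passwords and the salt are all constructed for the demo, and plain salted SHA-256 stands in for the slow KDF (Argon2, bcrypt) a real system should use.

```python
"""Rule-based dictionary cracking demo (constructed data, not real hashes)."""
import hashlib
import itertools
import os

# Constructed wordlist; a real one (e.g. rockyou.txt) has millions of entries.
WORDLIST = ["password", "girlfriend", "mygirlfriend", "summer", "burberry",
            "peanuts", "iloveyou", "ilove", "hate", "love"]

# Mangling rules that mirror the "pattern builder": a 2-digit year fragment
# appended to the word, then a symbol group, with and without capitalising.
YEARS = ["", "98", "99", "00", "01"]
SYMBOLS = ["", "!", "##", "!!", "#"]


def candidates(words):
    """Yield every wordlist entry mutated by the rules above.
    The number of guesses grows with wordlist x rules, not with the
    exponential keyspace a truly random password would force."""
    for word, year, sym in itertools.product(words, YEARS, SYMBOLS):
        yield word + year + sym
        yield word.capitalize() + year + sym


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, standing in for the stored hash of a leaked database."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(target_hash: str, salt: bytes, words=WORDLIST):
    """Return (guess, attempts) if the hash falls to dictionary+rules,
    otherwise (None, attempts) after the whole candidate set is exhausted."""
    attempts = 0
    for guess in candidates(words):
        attempts += 1
        if hash_password(guess, salt) == target_hash:
            return guess, attempts
    return None, attempts


def search_space(alphabet_size: int, length: int) -> int:
    """Brute-force space left once dictionary+rules fail: alphabet^length."""
    return alphabet_size ** length


if __name__ == "__main__":
    salt = os.urandom(16)
    for pw in ("Mygirlfriend98##", "iloveburberryihatepeanuts"):
        found, n = crack(hash_password(pw, salt), salt)
        print(f"{pw!r}: {'cracked' if found else 'survived'} after {n} guesses")
    # 16 chars over 95 printable symbols vs 25 lowercase letters
    print(search_space(95, 16) < search_space(26, 25))
```

Running it, the "complex" password falls on the 116th guess because it is a dictionary word plus a rule, while the 25-letter lowercase passphrase survives all 500 candidates and leaves the attacker with a brute-force space (26^25) that is larger than the full 95-symbol space of a 16-character password (95^16).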
My workplace is still using XML-based configuration, and non-Spring Boot projects.
So every spring boot tutorial I find feels like "Look at how easy you can get this running" and then it's just actually a toy you can't get into production.
Also it kind of bugs me that you need to be online to actually be able to initialize/create a spring boot project and every single tutorial says so.
You can make a local network m2 repository, but can one make a Spring Initializr service?
Either way, migrating every single project to Spring boot is a no-no,
And I'm stuck with like 5 prototypes of SSO integration from which only 2 work, and the other 3 have their own problems.
One does redirect to the login and all, but the SAML endpoint gets 404 on response when you log in.
One is on OpenID Connect, but I would need to update the project from Spring 3 to Spring 5 to get it working, which upon attempting to do seems to break everything else.
One has an external library handling the security context just the way we are accustomed to, but it only does a 401 forbidden when you go without logging in and I'm starting to think it is actually one of those that require you to extract the token or something manual like that, which wouldn't work for us
The other two are spring boot tutorials that worked out of the box, both SAML and OpenID, still can't use those for the main projects.
I'm tired of dealing with this configuration hell, been two months at this, I want to get features done as usual, not be stuck configuring stuff that might or might not work.
Rant aside, I think I figured I need to use a different Security adapter, but I needed to vent.
-
!rant
So, when I was young, I wanted to be a freelancing nomad. You know, live the life, work remote and travel.
But I didn't have the bones to pursue that. After 10 years of struggling as a normal "programmer", I did a little of everything. I did normal boring "ERP maintenance" in C#, Oracle and some legacy stuff called Visual WEB GUI, which was fun, but required a full 9.5-hour work day, 8:00 am to 6:30 pm, and the bosses were squares, and I was young and wanted to try something out of the corporate world.
Then I did some work for a newly funded consulting company that used Python, Django, and PostgreSQL, but the bosses promised a lot and delivered nothing (I was supposed to work backend and have frontend support, which I did not have, and that hurt my productivity; and the bosses, instead of looking at what they promised but did not deliver, just discounted my salary 3 months in a row, so bye-bye MFs!!)
Then I did some remote work for some guys, that, I managed to sustain for a whole year, the pay was good, the stack was simple, just node.js and pug templates, that gig was good, but communication with the bosses was hard, and eventually things started to get hard for them and me, and we had to say farewell to each other, I miss those guys. This is the only time I remember having fun working, I could work whenever I wanted, I only had to reach the weekly goals, and then my time was mine, I could work from home in the odd hours, or rent a chair in a co working space if I wanted to socialize.
Then fate got me one big gig with a multinational company, and I could hire some people, but I delegated too much and was asking too little of myself, and that project eventually died because I did not know how to negotiate.
So, I quit the whole entrepreneur idea, and got a public job at my University, I was a public employee with all the perks, but none of the fun, I just had to clock-in, work, and clock-out. That experience led me to discover a lot of myself, I worked as a public employee for a year and a half, and in that time, I discovered more about myself than what I learnt in 27 years of previous life experience.
Then, I grew bored of that life and wanted some action, and I found more than enough fun in a VC-funded startup run by young narcissists who did not have a clue what they were doing. I helped them organize themselves into "closing stuff", you know, finishing the things you say you have finished. Just to give you an idea of what it was like before I got there: they had already been working for 3 months on this project and had, on paper, 50% of the system done and working, yet when I tried to use the app, I couldn't even sign up without hacking some database commands (this was supposedly done). So I spent a month there teaching these guys how to finish stuff; they got sign-up (their sign-up was a mess, it is one of those KYC-rich things that financial apps have), login, and some core functionality working in a month, while in the previous 4 months they had only done parallel work, writing endpoints that were never tried, and an app that did not communicate with the backend. But the bosses weren't happy with me, because I told them time and time again that we were not going to reach the goal they needed to reach to keep receiving funds from the investors, and I had to quit before it became a mayhem of toxic employer/employee relationship.
So now I decided to re-engage with life, I have funds to survive about a month and half, I have a good line of credit in case I need some more funds, and the time of the world.
So wish me luck!!! And I'll be posting often, because I would like opinions, hear from people with similar life experiences and share anecdotes.
Next post, it's going to be about how I discovered taskwarrior, and how implemented my first weekend following some of the aspects of GTD to do all my housekeeping chores, because, I think that organizing myself will be key to survive as a freelancer nomad. -
So I'm a developer trainee. My development machine? - was given a MacBook Pro that was used by the previous developer. The home screen is filled with random project files and documents.
Try to click on the pad, doesn't work, realized you have to press it real hard on the side to click, wth, crappy touchpad. Back to setup.
I guess create a new account. Need to make an Apple ID, heck no, create account without it, log on and just realized, shit, all the tools need to be installed..
Go to App Store, need an Apple ID, heck.., create an ID, log in, realize most of the tools aren't in the App Store...
Log back in to crazy's account, power up the Windows virtual machine..
Desktop filled with a shyteload of files.. try to personalize Windows, Windows isn't activated.. the heck.
Give up, just install vscode on the corporation desktop machine for now, while the MacBook is a paperweight, and my shield in case of a gun situation
Better I see the crazy dev who worked on this machine, and hit 'em in the head with this paperweight.
-
I was trying to explain my vision of a client's site to him without using any technical terms, so the most used term was "thingy": "there's gonna be a lil thingy here, a thing for login and stuff there, yea all that, got it, the theme gon be blue [...]".
-
A normal day on my CMS as a Service...
URL: https://go to CMS
> Login screen: enter credentials, check checkbox "remember me" (which doesn't remember you)
> redirected to SSO (single sign-on welcome page)
> Re-enter URL to go to CMS
> Fires up second browser on second screen, do the exact same things as above
--- Code editing
As it's a very modern CMS, you have to edit the code via the CMS using a bulky and honestly shitty editor (or rather: they didn't spend time configuring it to be at least semi-decent).
Plus default white horrible theme.
> Go to "/themes"
> Scroll all the way down the page
> Enter filename in search box
> Click the "Edit" button, which is a small button located right next to a much bigger red "DELETE" button. When you middle click (as I always open files in new tabs) on the DELETE button, it DELETES without confirmation. In such cases, you lose up to three days of work asking the providers to set it back up for you via their backup - and charge you for that. So sorry for deleting an *important* file
> Edit the file.
> Save the file - it takes 3 seconds. Upon saving, rescroll again to where you were in the code.
> On the other screen, refresh dev view of current template
> Wait 5 seconds
> If there are any special blocks, they all load via a semi-synchronous AJAX request (it's async, but they load one by one), the same time you waited to refresh your page.
> Notice you forgot adding some markup
> Re-edit the file, save...
> OH NO - I'VE BEEN BACKGROUNDEDLY DISCONNECTED. Back to Login page.
> Enter credentials.
> Am not on the CMS, but on the SSO
> Navigate back to file
> Re-write new changes
--- Manager comes in:
I need you to edit XXX objects in DB Manager (a big PHPMyAdmin if you will)
> New tab, go to https://DB
> Although still connected on CMS, I have to re-enter credentials
> Am redirected to SSO
> Re-enter https://DB
> Find the object (20 seconds of loading)
> Find the appropriate field
> Find out the field is in fact another object located elsewhere
> Uff, thank goodness, there's a shortcut button to directly edit said elsewhere object
> Operates on elsewhere object + save
> Re-edits original object + save
> ERROR 500, APPLICATION UNEXPECTEDLY CRASHED
:') painful much?
(for those who ask: yes, I've got plenty of mind-reflexes in order to minimise losses)
-
Is there a Linux distribution without a lot of problems with Nvidia drivers? I'm currently using elementary OS, because I like the look of it, but I'm getting a lot of graphical glitches and black screens all the time and I was wondering if changing to another distro would help. Is elementary known for graphical glitches, or is it just the Nvidia drivers? I've also turned my display manager into a mess while trying to customise my login screen, so it might be a good time to change to another distribution. Any recommendations? And one more thing, just out of curiosity, can you install multiple distributions and use the same home directory if home is mounted on a separate partition?
-
I am using a Dell Inspiron 7567.
I have dual booted my rig with Ubuntu 18.04 and Windows 10.
Right from the start itself I couldn't get to the screen of trying or installing with default settings. I had to use 'nomodeset' with 'quiet splash'.
Even after installing I had problems. After some hours of searching I found out that installing the Nvidia 390 driver would remove the bug. It did. But my rig heats like shit. And throttles very much. Whereas I am not using anything other than
1.chrome
2.vscode
3.terminal
Which i think is very normal?
And a lot of battery drain.
I used to get around 3-5 hrs of battery life in Ubuntu Gnome 16.04 but now its like max 2 hrs.
Which is bad I guess.
I switched back to the "X.Org X server" driver with "nomodeset" (without nomodeset it will load up to the login page. Once I hit enter it gets stuck); it boots up but I can't change the level of brightness or do anything related to display settings. Temperature has reduced, but at the cost of display settings.
Is there any way to remove this bug?
And additional infos
Graphics in About shows something like "llvmpipe (LLVM 6.0, 256 bits)"
Guys do respond please?
-
I am just a student looking for a job, and got this pre-interview test:
Develop an Android or iOS app with login and password input fields, a download button, and a place for an image we provided.
... reading further:
What we are looking for in the code ?
internal quality:
-consistent formatting of the source code
-clean, robust code without smells
-consistent abstractions and logical overall structure
-no cyclic dependencies
-code organized in meaningful layers
-low coupling and high cohesion
-descriptive and intention-revealing names of packages, classes, methods etc.
-single small functions that do one thing
-truly object-oriented design with proper encapsulation, sticking to DRY and SOLID principles, without procedural anti-patterns
-lots of bonus points for advanced techniques like design patterns, dependency injection, design by contract and especially unit (or even functional or integration) tests
external quality:
-the app should be fully functional, with every state, user input, boundary condition etc. taken care of (although this app is indeed very small, treat it as a part of big production-ready project)
-the app should correctly handle screen orientation changes, device resources and permissions, incoming calls, network connection issues, being pushed to the background, signing deal with the devil :D and other platform intricacies and should recover from these events gracefully
-lowest API level is not defined - use what you think is reasonable in these days
-bonus points if the app interacts with the user in an informative and helpful way
-bonus points for nice looks - use a clean, simple yet effective layout and design
... I mean really? And they give me like 2 days?
-
Fuck Facebook!
Disabling apps without warnings or anything, which means no customer login. This is a huge pain since the solution doesn't have any way to log in to the same account with another credential.
"Oh did you use that? Now you can't. And the only way to do anything is to submit a form to 'appeal' the case which we'll just reject without any notifications or emails"
Normally I won't rant like this or use that much swearing.. but in this case:
Fuck you, Facebook. Fuck. You.
-
Why does the fucking NuGet need a Microsoft/whatever account and ask for it every 3 seconds? FUCK YOU, you can just install dependencies manually without any fucking account, why do you fucking bug people perpetually with login screens
-
I just started a new job last week. Old-school sysadmin role for a pretty old-school company, but the pay is nice and the kids've gotta eat.
They gave me a windows laptop. I haven't used windows for work or as a daily driver since 2016, and now, a week into trying to make this machine work for me, I have the following observations to report.
WSL is nice. It's nice to have it installed(though actually installing it was an adventure unto itself), and to set alacritty to open my default user prompt straight into that is very nice. As terminal emulators are by far my most used piece of software, that's nice to have.
Command-line software management through powershell, winget, and chocolatey are also very nice.
I like the accessibility offered by autohotkey, though there is something of a learning curve on it. Once I get better with it, I suspect that what follows will be largely mitigated.
The Bad:
In general, Windows is janky. It feels like it's all kinda taped together without any particular cohesion in mind. As a desktop, it feels decidedly amateur, compared to the feature-mountain polish of MacOS, and especially compared to the flexibility and infinite possibilities of Linux.
Lots of screen real estate is wasted, with window decorations, and fonts that look terrible at smaller sizes, because the antialiasing of fonts is just terrible. Almost all the features I depend on in other desktops, ad-hoc searches and launches (alfred, rofi), are, again, janky. They work, but they typically require more typing than alfred or rofi. I admit I haven't spent weeks on this problem yet, but I haven't found a workable solution yet with wox, hain, and keypirinha. Quick searches like what you get with alfred, alfred workflows, and the swiss army knife that is rofi just aren't possible or reliable with the tools I've used so far, and most require some kind of indexing agent to fully function.
It beggars imagination that a desktop in which users are subjected to "default apps" that is purported to be acceptable for enterprise, professional use, does not have a default entry for text editor. I installed nvim-qt, and I want to use it to edit anything and everything I ever edit with text, but all too often, apps have hard-coded instructions to open text files with notepad.
I want to open certain URLs with firefox, certain ones with firefox developer edition, and others with vivaldi, and yet there is not an app available that I have seen yet in my searches that allows me to set this kind of configuration. I found one that's supposed to, but it just ignores everything I put into its config, and just opens MS Edge for everything. Jank.
Simple things take too long. Like the delay between when I laboriously hit ctrl-alt-del to bring up the login and when the actual text field appears, and the delay between that and when I want to start using the computer.
Changing some settings requires a reboot. Updating some software requires a reboot. Updating permissions on something sometimes requires a reboot. And those are all on top of the frequent requests to reboot for updates.
I would have thought Windows would have overcome most of the issues that create these problems, but it's just, as I said, amateur.
-
iPhone alarm clock suddenly stopped playing sounds this week (again), fortunately my wake up time is not critical.
After every major OS X upgrade I feel that I need to restart the MacBook more and more often because the system suddenly hangs.
Yesterday I spotted that after each restart there is information that if the system hangs on the login screen for a while I should restart the computer again (well, thanks for the advice that I don't have to wait till I die).
Cursor randomly disappears after I connected a Microsoft USB mouse (Microsoft mouse eating cursor from Apple windows).
Why do I use a Microsoft mouse, you ask? That's the best thing Microsoft made, it's literally indestructible. I dropped and kicked that mouse a hundred times, still works perfectly fine.
I think also somehow OS X forced a minor bug fix upgrade once without my permission, so they're slowly going the forgotten Microsoft path of always forcing updates you don't want to install at this particular moment.
Because their engineers know better when and why I want to update.
Looks like Apple engineering is slowly degrading, or QA cares less about older hardware users.
I am not used to buying new shit when the old works just fine; those shiny little things are my work tools, not something I show around to impress people with how cool I am.
That's all disappointing but still better than the Windows experience, because I haven't reinstalled OS X from scratch in almost 5 years and it's working at the same speed as when it was new (not impressive to Linux users here, but from my previous experience with the Windows "registry" that means something, and this hardware has already paid for itself).
-
I am working on a freelance project for a software dev startup. The API service endpoints given to me are so full of errors that you can boldly say it's zero percent tested and you'll be correct. The project was meant to last for a week but now it's going to a month due to the errors I have encountered while working with the given API service, so more like a back-and-forth wait-for-an-update kind of thing. I am close to done building the client but yes, they cannot test my last update because someone updated the login endpoint, which now returns 500 Internal Server Error. I really want to vent out my frustration to this company without losing them to the project but honestly I don't know how to do it.
Edit: Just as a side note about the relationship, this client is my former company.
-
First time linux user feedback
Linux lovers are probably gonna eat me alive but I don't give a flying fuck
Maybe it's a little lengthy or boring, tell me what you think
Backstory:
I work for a game extension company. We work with WinAPI and such. I've been using Windows since forever and I'm happy with it. But I thought to myself "hey, if I wanna be a good dev, I should give Linux and OS X a try, too"
I downloaded Linux Mint couple of months ago to start with. I was unable to boot it from live CD no matter what I tried, even in recovery mode. Apparently, Mint 18.3 was based on Ubuntu 16.04 which doesnt support UEFI
Wait, what the fuck, all modern PCs have UEFI so what, do all Mint users have 10 y/o laptops and PCs???
Anyway, when I heard about Mint 19 being released I thought to give it another try and I did. What a surprise, it booted successfully from Live CD. I saw the Linux desktop for the first time in my life, yay! I then installed it, GRUB appeared, my Windows was still there and wasn't broken so I was happy SOMETHING was working. I configured timeshift and applied dvorak layout system-wide. Realised dvorak layout is fucked up big time and applied normal layout for just desktop environment. Everything was really nice until couple reboots later Cinnamon stopped launching (kept returning to login screen). Okay, lets use timeshift
First big what-the-fuck was when I found out system restore can only be done using GUI??? This is absolutely retarded and I couldn't believe it is true. Login screen has a reachable console but I can't login there since I can't type the password. Fuck, fuck, fucking drovak layout was there.
Recovery mode - I've spent 20 minutes trying to type "timeshift --restore" having to press all keyboard buttons just to progress with one button. I've had another what-the-fuck when I saw "error: can't restore timeshift - partition already mounted"
Okay, this is too much. Why the fuck would you bundle a recovery mode if you can't restore a snapshot from there.
I have spent 3 hours now googling and trying to remove this fucking keyboard layout. No dice. I am making another copy of the live CD now. I'm gonna reinstall the whole shit now. I have the desire to create a custom Mint version without this abomination of a keyboard layout.
It's okay. Windows has taught me to be patient.
Fuck Dvorak, I don't know who the guy is but his keyboard layout can eat my dick
-
I hate Mondays...
So, Yours truly, the multilingual flightless bird leaves his apartment... Locks door... Fucking key gets stuck in lock (had some attempted home invasion attempt last year, left a few things bent).
The last thing I can use today, important project to work on with a deadline close enough to worry about.
I would say that's a classic Error 500 on login kinda situation.
The irony? I fancy myself a pretty good lock picker (a must-have for an aspiring pentester).
Luckily, a quick squirt of gun oil resolved that one... Seriously, how do people manage without a supply of tools and stuff?
-
Interview questions I had:
- how does JWT work under the hood, where is it stored, what 3 parts is it made of, who creates the JWT, how does the server know what information the JWT token has (how can it say "oh you're Joe, you can log in now")
- what is the difference between an observable and a promise in TypeScript, how does an observable work, what is a stream, what is the difference between fetching data through an observable and fetching data with a promise and when should we use one over the other, what does the .next() function do in an observable under the hood
Answer me these questions without googling
-
The sad moment when you realise that you're locked out of your VPS without your PC, because you forgot to add your phone's SSH key to the list and password login is disabled :(
Hope everything keeps working until I get back 😱
-
Can I say Ubuntu installation has really gone messy lately(at least the last time when I installed back in 2009). Especially the part of disk partition and selection. You get only three options - Install alongside Windows(without additional customisation), Install on the whole disk, and then Custom.
Most times these days people will select Custom and configure the partitions. And then the crucial part is the selection of the boot loader. But it's not given much focus, which is imperative because otherwise, even if your installation is successful, without the correct bootloader config you will continue to boot into Windows, and then debugging and fixing gets really tricky. Especially for somebody who wants to try it out.
And then you will be cursing yourself to have bought a laptop with Nvidia graphics card because the drivers are proprietary and sometimes they have you stuck in Blank Screens prior to login. Ubuntu is not at fault here, but then it makes the life of people trying out things so much more difficult that will force people to just give it up.
I had moved to CentOS (because of GNOME) back in 2015 after really squeezing everything out of Ubuntu 9.04 on my Intel Core 2 Quad. And today, I installed Ubuntu 20.04 after almost 11+ years and it was really not a good experience.
-
Released the product to customers without realising someone had pre-filled a production test account's login on the login screen. Obviously it was used for testing purposes and the dev forgot to remove it before committing.
I loled when I found out about it, and some customers started to login and made transactions.
When I checked the commit history... it was under my name :/
-
Motherfucking peace of shit....
Dont know to whom I should direct this to .
Was creating a new login page for web app using Quasar(vue.js). Since my application have 2 different types of user, which also have different UI, and functionality.
One is written in vanilla ( and is quiet heavy) and the other one in vuejs ( though earlier it was written in vanilla too ). Login page too was written in vanilla which was working fine.
Now just yesterday I finished a prototype for the third type of user, which is also written in vuejs. Now I decided to re create login page using vuejs. Quiet small and easy to do. Finished it yesterday itself. Now since today's morning I am trying to configure it so that it this piece of shit just let me log in. It was authentication and verifying but not letting me log in.
( On server after authentication, I set cookies/token on clients browser and auto reload the page, so during next request to server/ or during reload, server will read the cookie/token and send the specific admin panel to user)
Prick. Dick.
It was setting cookie, but not at the '/' path. Mother fucker.
It was setting the cookie to the path I was sending login credentials to (which was different from '/', i.e. /login/verify=password)
So it was setting cookie/token at '/login/verify=password'.
Even tried setting the path for the cookie at the server. Read everything on the internet. MF nothing worked. All I came across was, 'this is CORS' .... 'this is CORS'. Assholes, if it were CORS, how then am I able to make requests to the server and get responses without error?
Only an hour ago, when I made a get request to '/login/verify=password', I figured out the cookie is being sent to the server for this path only. Then did some changes at the server, so as to send login credentials to '/'. Now that shit is working
Fucking waste of time. Wasted more than 6 hours. Asshole.
Btw, if you can suggest a better way to login, then please. -
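The behaviour in the rant above is cookie path scoping, not CORS: a Set-Cookie without an explicit Path gets a default path derived from the request URL, so a cookie set from /login/verify=password is only sent back on /login/... requests. This added example (my code, not the ranter's) models the RFC 6265 default-path and path-match rules and builds a properly scoped session cookie; the cookie name and helper names are assumptions.

```javascript
// RFC 6265 section 5.1.4 default-path: everything up to, but not including,
// the last "/" of the request path; "/login/verify=password" -> "/login".
function defaultCookiePath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4 path-match: does a cookie with cookiePath get
// attached to a request for requestPath?
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

// Build a Set-Cookie header value. Path is explicit so the cookie is scoped
// to the whole app rather than to the login endpoint; HttpOnly, SameSite and
// Secure limit script access, cross-site sending and plaintext transport.
function buildSessionCookie(token, { path = "/", secure = true } = {}) {
  const parts = [
    `session=${encodeURIComponent(token)}`, // "session" is an assumed name
    `Path=${path}`,
    "HttpOnly",
    "SameSite=Lax",
  ];
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Simulate the bug: a cookie set in the response to loginPath, either with an
// explicit Path (explicitPath) or with none (undefined -> default-path), and
// ask whether the browser would send it on a later request to laterPath.
function cookieSentOn(loginPath, explicitPath, laterPath) {
  const cookiePath = explicitPath ?? defaultCookiePath(loginPath);
  return pathMatches(cookiePath, laterPath);
}
```

With no Path attribute the cookie from /login/verify=password is silent on "/"; with Path=/ it is sent everywhere under the origin.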
The magic Apple Support:
A few days ago, I suddenly couldn't login to iCloud on my mac. I thought it was something that would be gone if I would try turning it back off and on again. Didn't work. Used the mac without bothering about it. I was too lazy to call the Apple Support and it didn't annoy me that much.
A day later, suddenly Spark (my email client) didn't work either, it asked me all the time to re-login into one of the accounts but "an authentication error occurred". At that point I thought it was a problem with the keychain. Because I don't use email that often and the last time I should pay 30€ if I wanted to call Support (out of warranty), I just started using email on my phone.
Yesterday, MS Office (yes I use it and I like this Microsoft Product and I'm an Apple fanboy) wouldn't login either. I didn't call them.
Today, I finally had time to call them. They didn't want to charge me since I selected an Apple-Id Problem (and I think the Support Hotlines are free to call idk). The call from Ireland came 2 times and the connection didn't work (thanks iPhone). The third time, the moment the Support guy said Hello, iCloud worked. A few seconds later Office and Spark worked again too. I don't know how these coincidences happen. Anyway, I am just happy my stuff works again and I don't have to use Google Docs and write my mails on my phone. -
Me : sending screenshots of login screen, API design ,etc. to the client
Client : ohhh that's nice to see..Being a business analyst, I'm just curious on one thing here, does our app work without internet.
Me : Wrong decision in the first place that I chose you to be my client. Fuck you !!! I need to talk to the company that hired you as a business analyst first !!! *Hangs the call* *Facepalm* -
This is the story of me discovering devRant by accident.
---
I have never meddled with php before and I never intended to do so. For some reason, I accepted this consulting and chose Ci4 as the framework. All hell broke loose on my life. I could be a fucking idiot or the framework is a real ass wipe.
The setup took me hours and when I tried adding myth/auth, the real shit hit the giant fucking fan. WHAT THE FUCK PHP AND CI4? I tried all the weird fucking suggestions from the internet and you still fucked me in the ass with a bigger stick EVERY FUCKING TIME. I spent a whole night figuring you out and now I have my real job to login to with NO FUCKING SLEEP. You royally fucked my night and also my day without an ounce of A FUCKING CLOSURE.
Once I figure this out, Imma fuck the fucking project dealer and throw the weird ass shit on his ugly ass face and yell "FUCK YOU".
I am so depressed that this made me find an app to rant about it like a maniac.
-BrainlessIdiot -
!long rant
Trying to work from home is always a pain, since we need to use company laptops (no ifs, ands or buts about it).
Yesterday I took the laptop in to check for updates that just wouldn't run while at home (my first mistake), and I couldn't get past the "Press Ctrl+Alt+Delete to login" screen, laptop keyboard didn't seem to be registering clicks, and an external keyboard wasn't either (and I forgot about the on-screen keyboard). A couple of restarts later with no further changes to the situation, the laptop then didn't get past the BIOS screen.
So I called support (my second mistake) and logged an incident.
Couple of hours later someone comes to my desk and asks about the issue, so I describe it, show them (by now the laptop was once again getting past BIOS screen), and leave them to it. Since these laptops are just used as preconfigured VPN and RDP gateways, I said it would be okay if he just wanted to reinstall the OS (my third mistake).
Several hours later, after staying late last night waiting for it to finish, I loaded my profile, installed updates, shut down, grabbed my stuff and left, without checking VPN or RDP over WiFi (my fourth mistake).
Turns out that some of the buttons on the keyboard just no longer work, but now USB keyboards do work, and I can just use OSK to login while out. I figured this would be my only issue with things, and that it was acceptable.
This morning I attempt to use the laptop, and forgot about OSK and the faulty delete button, so spent a few minutes on that. Try to connect to WiFi and find it can't connect, because of course, it doesn't remember the WiFi password, so I root around for the code in some drawer, enter it, and it works. VPN tries to connect and... get told to insert my smart card, which is already inserted, because the driver is wrong!
So I'm sitting here writing a post, not quite believing that I'm considering cancelling my plans for the day to go into the office because of a bloody driver issue now... -
Company just gave me a laptop running windows 10 that doesn't get to the login screen because of a bad AVG upgrade - of course it's urgent hence they can't give it to the guy whose fucking job it is because he will take a week.
Firstly just found out you can't access safe mode without a disk if you can't hit the login screen - Windows you're fucking kidding me right?
Now I've been watching a spinning fucking circle for an hour while it's "attempting repairs" without even saying what it's trying, oh ya and of course formatting this piece of shit is out of the question. -
Auto Login feature enables itself when a certain config flag is present - the app will login as an admin without requiring username or password.
I pray to the Continuous Deployment monsters that the config setting never gets copied to production by mistake. -
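A fail-closed startup guard is the usual answer to the worry in the rant above: refuse to boot if a development-only auto-login flag shows up outside development, instead of hoping nobody copies the config. This is an added example, not the ranter's code; the config shape, the environment variable and the loopback requirement are assumptions, and it additionally refuses to auto-login as an admin identity.

```javascript
// Hosts on which a dev-only auto-login may be reachable at all (assumption).
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);

// Decide whether the assumed config.autoLogin flag may take effect.
// Returns { allowed, reason } rather than throwing so callers can log why.
function evaluateAutoLogin(config, env) {
  const flag = config.autoLogin;
  if (!flag || flag.enabled !== true) {
    return { allowed: false, reason: "auto-login not enabled" };
  }
  if (env.NODE_ENV !== "development") {
    return { allowed: false, reason: `auto-login set but NODE_ENV=${env.NODE_ENV}` };
  }
  if (!LOOPBACK_HOSTS.has(config.bindHost)) {
    return { allowed: false, reason: `auto-login requires a loopback bind, got ${config.bindHost}` };
  }
  const roles = Array.isArray(flag.roles) ? flag.roles : [];
  if (flag.user === "admin" || roles.includes("admin")) {
    return { allowed: false, reason: "auto-login may not target an admin identity" };
  }
  return { allowed: true, reason: `development-only auto-login as ${flag.user}` };
}

// Startup check: the flag being present at all outside development is treated
// as a deployment error, so the process refuses to start rather than silently
// ignoring it. Returns the verdict when startup is acceptable.
function assertSafeStartup(config, env) {
  const verdict = evaluateAutoLogin(config, env);
  if (config.autoLogin !== undefined && env.NODE_ENV !== "development") {
    throw new Error(`refusing to start: ${verdict.reason}`);
  }
  return verdict;
}
```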
Postman freaking sucks now. It's bloated and can't easily do what it's supposed to do without hassle. You have to login first, then it will inexplicably lose all your previous API requests.
I guess the company has forgotten who their base customers are. -
Somebody: (whiny) we need something to log into nonprivileged technical accounts without our root ssh proxy. We want this pam module pam_X.so
me: this stuff is old (-2013) and i can't find any source for it. How about using SSSD with libsss_sudo? It's a modern solution which would allow this with the advantage of using the existing infrastructure.
somebody: NO I WANT THIS MODULE.
me: ok i have it packaged under this name. Could you please test it by manipulating the pam config?
Somebody: WHAT WHY DO I NEED TO MANIPULATE THE PAMCONFIG?
me: because another package on our servers already manipulates the config and i don't want to create trouble by manipulate it.
Somebody: why are we discussing this. I said clearly what we need and we need it NOW.
we have a package that changes the pam config to our needs, we are starting to roll out the config via ansible, but we still use configuration packages on many servers
For authentication as root we use cyberark for logging the ssh sessions.
The older solution additionally allowed the login into non-root accounts, but it is being shut down in the next few weeks after over half a year of both systems active and over half a year with the information that the login into non-privileged accounts will be no more. -
I don't know why but the default settings in Ubuntu have changed quite a lot. There was once a glorious time when if your Ubuntu got stuck, you could press Ctrl + Alt + F2-F6, login to a console, run the top command to see which process was taking too much time and kill it, and you could go back and start the process again.
I remember days(~15-20 days) between restarts of my laptop, because I could do that. But now, my Ubuntu gets stuck, and continues to get stuck for about 5-10 mins, and then just restarts.
I have run the disk checks to see if my hard disk is creating issues, but no issues there. Maybe, there are times when the processes execute some buggy code and cannot get out. One fine moment, one of the processes (probably a browser or Eclipse) starts using too much memory or cpu, and the whole world seems to be crashing down.
But, my control to kill it promptly without crashing my other applications was so good to have. And now, every time this happens, I feel 2016-17 and earlier days were so much better. -
I ranted about my new laptop and linux mint on it https://devrant.com/rants/1919501 and I said there will be a rant about the OSs I tried
So my new laptop is the Xiaomi notebook pro, with the highest config: i7/16g/256g/mx150 gpu/alu body/10h battery/perfect keyboard/great screen. It's Chinese, but Xiaomi... you kinda expect flaws, problems, but I watched all the reviews and knew about all the things, and the price was 35% down (836 + taxes = 997EUR) for a macbook pro clone? it's a no-brainer.. but I had a rattling vent (fixed with shoe glue lol) now it's just loud in windows but not in linux, strange
I changed the Chinese windows on it to EN... worked perfect... but... It has 2 slots for NVMe ssd so i bought a 500gb one for the second slot, I put windows on that (because games, occasional insta story video edit, big files, anyway...) and put Ubuntu on the 256gb original ssd.. (to develop on that) and it was slow as fuck, I got errors all over the places, problems I never had before with ubuntu.. and mind you Windows had over 3000 MB/s for read and almost 2000 MB/s for write speeds on that disk... I was disappointed af. MIND YOU all my life I had Ubuntu on secondary old/slow laptops/pcs working JUST FINE... I still don't know what the fuck happened.. the ui was choppy to say the least and I just was not ready to accept that on this HW while windows worked like a charm (yuck)
Then I went with Manjaro (based on arch, here on devrant people like that stuff, must be great)... well after I installed it, it booted up to the login page and black screen... something with the MX150 GPU according to the interwebs... by this time I was so frustrated and in time stress because of my flight home for xmas that I decided not to fix Manjaro but to go with another flavour
Linux Mint it is... everything kinda works out of the box, like they say... it has dark mode everywhere in the settings without downloading some bloated theme or plugin like on other flavours. So I stuck with Linux Mint. I'm not saying it's perfect, but I have had it for like a month now and all its flaws are these small irrelevant settings not working, utilities like the battery showing funny numbers in the post I linked in the beginning.
Other than this I want to ask you guys. In all 3 distros I tried, they all had text scaling issues everywhere (os, apps, web). I think I have a regular fullHD display, it's sharp, but I mean... I never expected resolution or scaling issues or things like that. On Windows I never had those scaling issues... other than the famous win10 "blurry apps" -
I hate my internet provider.
I configured everything to work remotely and when I tried to login to it I got "Http Status 502".
I thought I misconfigured something and rechecked everything and still got "Http Status 502".
When I use the internet connection provided by a different provider, it works!
Everything is hard to debug without you messing it up, internet provider. It's like trying to debug the code and finding out the problem is in the compiler. -
I am currently playing dumb with a potential hire and it's just so much fun I don't know if I should stop.
We gave the dev a little coding challenge to code a small expense tracking app. Nothing fancy, just to see how well he could do on his own. We told him to take as much time as he requires.
He submitted it and I tried to run it. It worked alright but I could not register or login.
I debugged the issue with him for a while and told him I would look at it later since I am tied up with other tasks.
We are communicating via an IM.
Him: Or how did you run the project. I wish I was there to run it for you. Lol
Me: dotnet run. start without debugging
Him: From the cmd?
At this point I was about to get pissed. Where else would I run 'dotnet run' from??
Me: I would hope so
Him: I always run it from the cmd. With administrative privileges
Me: Really?? Where can I find cmd?
Him: Yes. Do you use a Mac?
Me: nope. I am using windows -
I just realized what a horrible fate I escaped several years ago.
I was just finishing my bachelor's degree, when I was offered to write my diploma under a teacher who works in Bitrix.
I was given first tasks on how to make a web site on my own, I liked it pretty much in the beginning, I installed an sql database, made a simple registration, login. And then I was offered to try the CMS bitrix (which is essentially a proprietary local version of Wordpress). With words, that I will see how much easier it is to work in this way.
I found myself not trusting it, something was fishy. I could not understand why, as a beginning dev in it, I could not use it for free? Why could I not be deving in it without paying a big sum per month (it was big for student-me at least).
I went to work with computer graphics during diploma then, and made minecraft analog in c# (at that time I played minecraft too much)
Now I am working with modern open source world wide supported frameworks. And recently saw a web site made by bitrix devs... They went into production without... https. And I think they are the same ones. -
Tries to automate login with vb using I.E...
Gets stuck because login page is a hive of nested iframes with deep nested tags without defined names
FML -
I want to start learning to write a simple game server emulator in C#. The game works over LAN but the LAN gets disconnected when the internet drops, so some sort of keepalive is implemented. I can copy the files to another device and it works online without a login etc, so there is no online authentication, but as soon as the internet drops the LAN game goes down too, so I need to emulate the online update server or something like that to prevent that from happening. (spotted with Wireshark etc)
I don't have much experience, just created a simple tcp client/server console app but in this case I of course will only need a server one in combination with custom dns. Any tips on where to start? Does someone have an example game server emulator? or update server emulator? -
Hey ranters, I want to setup a centralised auth backend that assigns multiple logins/API keys to a single user account which is managed through a Frontend application.
Background is we use multiple services each with their own login system and not all support a unified login/auth method for their API.
My approach is to setup a simple API/Auth backend that stores the user's credentials plus multiple API-Keys of other services or their logins. When auth is successful the Frontend app may receive the associated credentials for the other backends to call their respective API. So the user can login once but the Frontend may access all backend services without the user noticing that there are other auths.
This should be a really general problem today. I'm really just diving into the topic of auth and Frontend, so I hope to get some guidance/overview from you. My questions are:
- Is my approach totally stupid?
- Are there good frameworks you'd recommend for such a setup?
- Is there a best practice which I've overseen so far?
- Resources you think are a must-read?
- Any other recommendations regarding security here?
So, what do you ranters think? -
What's the point of the Gmail API if you can do all of its functions with IMAP or POP3 and not have to have user login oauth, just account and password?
I wanted to read a company email account for certain emails related to our tickets. No one actually accesses this account, and the tool is without a GUI. As such, I can't use the Gmail API. I just remembered there must be a more ordinary way to do this because how does Outlook and other email software work? So python import imaplib and I was done in a few minutes. -
Fellow devranters, I need your help for a... NodeJS question... (and I won't bother asking the question on SO, because all the questions/answers I found won't work)
You see, this client we have says they want their app to be login-less; once the app starts, it automatically knows who is the ldap user that 'logged' in the app.
I've been struggling with it for weeks, trying to use npm modules, retrieving info from process.env, and I'm sure it is completely impossible without at least providing a username.
So here I am, asking anyone out here who can answer me this question: is it possible to login without providing anything? -
Vivaldi browser seemed a good idea to escape Google's misfeatures without swapping it for Microsoft extensions (Edge) or Firefox / Gecko idiosyncrasies (size / magnification issues on Ubuntu, slow Android version, clunky UI). But there are some ongoing issues that I never experienced in any other user agent (maybe I will when switching to Chromium), like URL completion (port URLs without a protocol aren't prepended with https but trigger a xdg-open dialog, autocomplete prefers obscure deep links with long paths instead of the base URL, the browser seems to forget login passwords by default, etc.) - so Chromium seems like the obvious choice. But there seem to be no more Chromium builds for Android? Anyone else disappointed by Vivaldi has a preferred solution?
-
Php framework which provides nothing more than user management and separate admin and user login? Without a shitload of external dependencies and packages? I want to give the mysql location and be done, I don't want to learn some shitty js frontend you're forcing on me because you think it's fancy... Is there something with a kind of pull -> works way? I develop javascript stuff, and I'm really tired of installing a bunch of garbage that I don't even use. They're all pushing some extra js frameworks too, I need user management and that's it. Even Laravel started to be disgusting..
-
I really want to divide this frontend into two parts, one that faces the users and the other for administrators, so I can release changes on both without work on one part blocking the other, but, I have many questions, like, how do I manage authentication in two different React projects from one login page?
Maybe there are more problems than benefits, what do you think?