Details
-
About: Will always be a beginner. If you use WordPress, just Shut the fuck up.
-
Skills: Swift, PHP, HTML, Python, Django, (C#), (SAML)
-
Location: Belgium
-
Joined devRant on 10/17/2017
-
My entire bachelor's degree studies.
I did two senior projects solo because I couldn't tolerate the absolute mediocrity of my peers to be satisfied with a C+ or B "good enough!"
-
Other team lead: Hi DevOps Team, We need you to deploy this app to production. Its maintainers gave up on it in 2019, but we looked at it and it feels right.
Me: Uhm. That's not going to work. It'll fail the security scan before you can even finish the build in CI.
Other team lead: Yeah, this app is the right thing to do, and we needed it last week, but since that won't work, we'll just use this other very very infant technology that was just born yesterday. It's not stable in production, or on MySQL, or in AWS at all, but it's the other direction we can go.
Me: What problem are you trying to solve in the first place?
Other team lead: Oh, we need access to the read from the production database.
-
I almost got caught by this during an interview:
const foo = ['a', 'b'];
const bar = foo.findIndex(x => x === 'a'); // 0
if (bar) { // I'm an idiot
console.log('Do something');
}
🤦‍♂️
-
I didn’t. I went for an interview and quizzed this multi-million £ business about their architecture: it sounded awful.
I made some diagrams on how I would’ve done it, how it would scale etc and why. They were blown away and wanted me to implement this structure including the job they wanted to hire me for.
They sent a contract over: had the wrong name on it
They corrected the name but I noticed the salary was incorrect
They sent a third and by this time I was offered an interview elsewhere so I went
The hirer then called me to say he was frustrated I hadn’t signed a contract yet, making it sound like it was my fault for not wanting to sign an illegitimate contract. He then went on to say that the salary had been reduced. I asked why and they said they felt I wasn’t a senior developer.
So I took the other job and they kept their shitty architecture 💁🏼‍♀️
-
Man do I love receiving bug reports and comments in Turkish, Russian, Portuguese or Iranian. I should really just start replying to those in Polish.
I added a humorous pinned post saying “By the way, I can only reply to you either in English, Polish or Dutch :)” to the program where I receive such reports.
I am aware it won’t do jackshit, because people can’t read.
Kurwa.
-
"Hey can you add (feature) on this backend"
> Looks at backend
> api.py
> 4K+ Lines
uhhh... is it me or our entire production is held by this single Python backend....?
This thing is running our hypervisor platform... Our IaaS platform... and it's one file....
WHAT THE FUCK
-
Family reaction story to me being a dev?
- My dad still refers to my profession as 'something in computers'.
- My older sister goes to her weirdo friends for technical advice because she thinks all I do is fill paper in printers (that's a long TL;DR story about a phone upgrade)
- My brother, a car mechanical genius thinks what I do is near God-like. He also races cars and can blabber on about the physics, aero-dynamics, weight ratios, etc and says "Oh, no way. I'm too stupid to do what you do." Then I'm like, "Dude, shut up, I can barely change my oil and you could replace an engine blindfolded", then he just laughs "Yea, probably."
- Baby sister just wants me to fix her phone. "Can you make <insert some random app> do <insert a random behavior the app was never designed to do>?". I'm like "Uh no, I didn't write Instagram", then she's like "I thought you went to school for computers?".
- My mom passed away (long battle with cancer). I'm sure she'd be proud, but still asking me how to switch the channel so she could watch a movie on the VCR.
I can clearly see having this conversation with my mom.
Me: "Mom, why are you still using a VCR? I bought you a subscription to Netflix"
Mom: "Net what? Do I turn the dial to channel 2 or 3?"
Me: "No, it's the Netflix button on the remote."
Mom: "Can't you come over and do this? I just want to watch my shows. Didn't you go to school to learn these things?"
Me: "No mom, that's not...um...never mind. I'll be right over."
-
Type letter "w" in wife's browser
"What is the ratio of open to closed doors in the world right now?"
"Why doesn't my baby molt her skin all at once while she grows?"
"Will Python help me to make a robot friend for my toddler daughter"
"Where do I buy tensors for building robot brains"
"Why don't we solve aging population and climate change by not vaccinating boomers"
Me: ... "Seriously, why can't you just watch hardcore porn, like a normal person"
-
If anyone feels down, depressed or lonely. Please let me know we can have a google meet call and talk about whatever. You are important and you shouldn't feel alone this season or any other day.
Have a taco
-
I didn't manage to win a Hacktoberfest 2020 shirt because I don't use GitHub anymore (and they require that apparently) - but I figured I might as well have a go at it.
echo "- an amazing project" >> README.md
git add devduck.png
git commit -m "update docs"
git push devrant feed
Pls like, comment, share, and subscrieb to CodeWithCondor for moar laif hakz :3
-
I'm so motivated after joining this community and I want to start learning again and keep this up.
I started to read Eloquent JS and watch the CS50 course, and meanwhile I'm working on my forum.
I love to hear your advice for a beginner, including opinion, book, etc.
Share with me your experience, thanks a lot ;D
-
I absolutely love the email protocols.
IMAP:
x1 LOGIN user@domain password
x2 LIST "" "*"
x3 SELECT Inbox
x4 LOGOUT
Because a state machine is clearly too hard to implement in server software, clients must instead do the state machine thing and therefore it must be in the IMAP protocol.
SMTP:
I should be careful with this one since there's already more than enough spam on the interwebs, and it's a good thing that the "developers" of these email bombers don't know jack shit about the protocol. But suffice it to say that much like on a real letter, you have an envelope and a letter inside. You know these envelopes with a transparent window so you can print the address information on the letter? Or the "regular" envelopes where you write it on the envelope itself?
Yeah not with SMTP. Both your envelope and your letter have them, and they can be different. That's why you can have an email in your inbox that seemingly came from yourself. The mail server only checks for the envelope headers, and as long as everything checks out domain-wise and such, it will be accepted. Then the mail client checks the headers in the letter itself, the data field as far as the mail server is concerned (and it doesn't look at it). Can be something else, can be nothing at all. Emails can even be sent in the future or the past.
Postfix' main.cf:
You have this property "mynetworks" in /etc/postfix/main.cf where you'd imagine you put your own networks in, right? I dunno, to let Postfix discover what your networks are.. like it says on the tin? Haha, nope. This is a property that defines which networks are allowed no authentication at all to the mail server, and that is exactly what makes an open relay an open relay. If any one of the addresses in your networks (such as a gateway, every network has one) is also where your SMTP traffic flows into the mail server from, congrats the whole internet can now send through your mail server without authentication. And all because it was part of "your networks".
Yeah when it comes to naming things, the protocol designers sure have room for improvement... And fuck email.
Oh, bonus one - STARTTLS:
So SMTP has this thing called STARTTLS where you can.. unlike mynetworks, actually starts a TLS connection like it says on the tin. The problem is that almost every mail server uses self-signed certificates so they're basically meaningless. You don't have a chain of trust. Also not everyone supports it *cough* government *cough*, so if you want to send email to those servers, your TLS policy must be opportunistic, not enforced. And as an icing on the cake, if anything is wrong with the TLS connection (such as an MITM attack), the protocol will actively downgrade to plain. I dunno.. isn't that exactly what the MITM attacker wants? Yeah, great design right there. Are the designers of the email protocols fucking retarded?
-
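An added example, not part of the original post: a small audit of the mynetworks behaviour described above, checking whether the addresses your inbound SMTP traffic arrives from fall inside a trusted network. The sample main.cf, the gateway address and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config; 192.168.10.1 stands for a gateway that NATs inbound SMTP.
SAMPLE_MAIN_CF = """
# constructed sample
myhostname = mail.example.org
mynetworks = 127.0.0.0/8, [::1]/128,
    192.168.10.0/24
"""

def mynetworks_entries(main_cf):
    """Return the entries of the last `mynetworks =` setting in main.cf text."""
    logical = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # continuation of the previous line
        else:
            logical.append(line.strip())
    value = ""
    for entry in logical:
        name, sep, rest = entry.partition("=")
        if sep and name.strip() == "mynetworks":
            value = rest  # a later definition overrides an earlier one
    return [e for e in re.split(r"[,\s]+", value.strip()) if e]

def trusted_sources(main_cf, smtp_sources):
    """Map each source address to the mynetworks entries that would trust it."""
    nets = []
    for entry in mynetworks_entries(main_cf):
        try:
            # main.cf writes IPv6 networks as [addr]/len; strip the brackets to parse.
            cidr = entry.replace("[", "").replace("]", "")
            nets.append((entry, ipaddress.ip_network(cidr, strict=False)))
        except ValueError:
            continue  # table lookups, file names and "!" exclusions are not evaluated
    return {src: [e for e, net in nets if ipaddress.ip_address(src) in net]
            for src in smtp_sources}

if __name__ == "__main__":
    for src, hits in trusted_sources(SAMPLE_MAIN_CF, ["192.168.10.1", "203.0.113.25"]).items():
        print(src, "trusted via", hits if hits else "nothing (must authenticate)")
```

Any source address that comes back with a non-empty list is one from which mail is accepted as coming from "your networks", which is the situation the post warns about when that address is a gateway.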
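An added example, not part of the original post: the envelope-versus-letter mismatch described above, checked on a delivered message by comparing the Return-Path header (where the receiving server records the envelope sender) with the From header the mail client displays. The sample messages and function names are constructed, and the domain comparison is a rough stand-in for real alignment checks.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message that appears to come from its own recipient.
SELF_LOOKING = """\
Return-Path: <bounce@bulk.example.net>
From: Alice <alice@example.org>
To: alice@example.org
Subject: constructed sample

body
"""
# Constructed sample: same letter, but the envelope sender is in the same domain family.
ALIGNED = SELF_LOOKING.replace("bounce@bulk.example.net", "alice@mail.example.org")

def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def related(a, b):
    """Same domain or parent/subdomain. Rough: real alignment checks use the
    Public Suffix List to find the organisational domain."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def compare_senders(raw):
    """Report the envelope sender, the displayed sender, and whether they agree."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header = parseaddr(msg.get("From", ""))[1]
    recipient = parseaddr(msg.get("To", ""))[1]
    return {
        "envelope_from": envelope,
        "header_from": header,
        "aligned": related(domain_of(envelope), domain_of(header)),
        "claims_to_be_recipient": bool(header) and header.lower() == recipient.lower(),
    }

if __name__ == "__main__":
    for name, raw in (("self-looking", SELF_LOOKING), ("aligned", ALIGNED)):
        print(name, compare_senders(raw))
```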
Just spent 30 minutes trying to work out why my page will not load a JavaScript file even though I could manually browse to the file:
<link rel="stylesheet" type="text/js" href="js/home.js" />
I then proceeded to take a 5 minute walk around the office and rethink my life decisions...
-
6 hours into a 124gb upload and then the internet goes out due to a malfunctioning modem.
Just. Fucking. Great.
-
I'm getting ridiculously pissed off at Intel's Management Engine (etc.), yet again. I'm learning new terrifying things it does, and about more exploits. Anything this nefarious and overreaching and untouchable is evil by its very nature.
(tl;dr at the bottom.)
I also learned that -- as I suspected -- AMD has their own version of the bloody thing. Apparently theirs is a bit less scary than Intel's since you can ostensibly disable it, but I don't believe that because spy agencies exist and people are power-hungry and corrupt as hell when they get it.
For those who don't know what the IME is, it's hardware godmode. It's a black box running obfuscated code on a coprocessor that's built into Intel cpus (all Intel cpus from 2008 on). It runs code continuously, even when the system is in S3 mode or powered off. As long as the psu is supplying current, it's running. It has its own mac and IP address, transmits out-of-band (so the OS can't see its traffic), some chips can even communicate via 3g, and it can accept remote commands, too. It has complete and unfettered access to everything, completely invisible to the OS. It can turn your computer on or off, use all hardware, access and change all data in ram and storage, etc. And all of this is completely transparent: when the IME interrupts, the cpu stores its state, pauses, runs the SMM (system management mode) code, restores the state, and resumes normal operation. Its memory always returns 0xff when read by the os, and all writes fail. So everything about it is completely hidden from the OS, though the OS can trigger the IME/SMM to run various functions through interrupts, too. But this system is also required for the CPU to even function, so killing it bricks your CPU. Which, ofc, you can do via exploits. Or install ring-2 keyloggers. Or do fucking anything else you want to.
tl;dr IME is a hardware godmode, and if someone compromises this (and there have been many exploits), their code runs at ring-2 permissions (above kernel (0), above hypervisor (-1)). They can do anything and everything on/to your system, completely invisibly, and can even install persistent malware that lives inside your bloody cpu. And guess who has keys for this? Go on, guess. you're probably right. Are they completely trustworthy? No? You're probably right again.
There is absolutely no reason for this sort of thing to exist, and its existence can only make things worse. It enables spying of literally all kinds, it enables cpu-resident malware, bricking your physical cpu, reading/modifying anything anywhere, taking control of your hardware, etc. Literal godmode. And some of it cannot be patched, meaning more than a few exploits require replacing your cpu to protect against.
And why does this exist?
Ostensibly to allow sysadmins to remote-manage fleets of computers, which it does. But it allows fucking everything else, too. And keys to it exist. And people are absolutely not trustworthy. Especially those in power -- who are most likely to have access to said keys.
The only reason this exists is because fucking power-hungry doucherockets exist.
-
Cheers to all Javascript programmers 🥂
Suggesting a book called *You Don't Know JS* which aims to teach JavaScript right from the very basics to most advanced concepts, hence is helpful for both beginners & maestros.
The book is available for free on Github
https://github.com/getify/...
-
Peer review is a life saver!!! My colleague just saved me my job as I almost published this fucking block to production.
-
Do you people prefer a central tool to manage multiple servers? If so, what are some good opensource ones you'd recommend? Is Kibana a thing? I'm a CLI purist, and I'm a little concerned about a large attack surface on something so centralized.
Thanks!
-
Hey everyone,
Merry Christmas to everyone who celebrates, happy holidays to everyone, and happy almost-new-year!
We had a bit of a slow year in terms of devRant updates, but we gained some momentum towards the end of the year and we're looking forward to carrying it into 2020. Recently, we launched what I think are our coolest new avatar items yet (https://devrant.com/rants/2322869/...) and behind the scenes we got our iOS/Android apps on the latest version of the frameworks we use, which will help us continue to improve stability. Still, we definitely would have liked to do more, but we're optimistic the coming year will bring great things for devRant.
One thing we are very proud of is this year we had our best year ever in terms of platform stability and uptime. Despite the platform growing and our userbase growing, we had almost no complete app downtime even though our infrastructure is minimal. A large part of this is thanks to devRant++ supporters, who allow us to maintain a small but effective tier of infrastructure and redundancy.
In the coming year, we're going to launch one of our most ambitious initiatives yet, and we're also going to continue to improve the devRant experience itself. We want to try to gather more user feedback, so we'll be working on a way to do that too. Stay tuned, more on this stuff coming soon.
As always, thank you everyone, and thanks for your amazing contributions to the devRant community! And thank you to our awesome devRant++ supporters for continuing to be the main drivers to keeping devRant up and running.
Looking forward to 2020,
- David and Tim
-
So I just realized why servers are called "servers"
because they SERVE CLIENTS!
I've only been a web dev for 7 years...*facepalm for life*