Weird and Cringe things you've seen while working in IT - Since everyone is too lazy to make such a thread where IT bros can vent

Additional contribution:

At some point I determined that passwords stored on the server for all user accounts were duplicated and locally stored on client devices that had the company software, and hashed with SHA-256 (I think, IDR, but it was common), and all easily viewed in the local SQL database for the software. All the passwords were just sitting there, which seems like kind of a big flaw to me, but I'm just a know-nothing nerd under 50. Response to this was basically "Well, does anybody other than you know how to do that? No? Non-issue." Maybe I am full of shit, but I'm pretty sure it's a bad idea. Just off the top of my head, from my education, I thought you were supposed to hash a password the user entered, send it to the server, and compare it to the hash stored on the server for that user.
Thank god I wasn't in an actual cybersecurity role, I'd probably have lost my mind.
I can hear the boss music from those hackers salivating at such an opportunity.
I legitimately hope that something has been done about that; even script kiddies know NOT to have sensitive info on the end clients.
Because that is how data breaches start.
 
You typically hash on the server, and importantly with a different salt for each user. The idea behind password hashing is that if an attacker ever gets the database, he will have to brute-force the actual login password with no way to share work between different users, which hopefully buys your users enough time to change passwords. For this reason you should also choose a slow hash function, so not SHA-256.

Hashing on the client only makes it so that the server host can't see your password choice; from the server's point of view (which is what matters for an attacker), a client-side hashed password is just a randomly chosen password. It's hard to tell from your description which variant this software did, but obviously handing out the password database to every user is retarded.
 
Well, it's possible they weren't hashed at all. It's been a while. They might have just been in base64, which would make some more sense to me in retrospect, given that passwords of other users were visible as clear text in the browser console if you logged into the web admin portals and inspected certain pages. I'm not a developer, so I don't know how you even fuck that up. Small to medium-sized business in operation for 30+ years btw.
But yeah giving the password database out was completely retarded. The client database was massively bloated in general, too, with info not used by the current version of the software. Lots of PII too. Trust no company or government org to properly guard PII.
 
Years and years ago, between actual IT jobs I worked for a computer repair outfit once. Seen some shit.

Most of the boxes that came in were your regular weed/cig smoke cleanup, run a few tools to clean up their shit and send them on their way. I'd run into some degen shit, but hey, people are gonna coom, even if they are more boom than zoom, if you get what I mean. Usually it was fairly innocuous.

There were two exceptions.

The first was the actual on-the-sex-offender-registry customer laptop that I ended up having to call into the police. (Fucker had a folder called "Pizza" full of actual full-blown CP right there on his fucking desktop when I booted up the machine.) Didn't know that the owner was on the registry before, but I found out in a fucking hurry, when I called my boss with a "WTF". Apparently we actually had some deal with the local cops to keep an eye on his machine if it ever hit the shop. No idea what happened to him. I hope that it can be described with the phrase "good fucking riddance".

The second came with a note from the boss that greeted me one morning, stuck to a new laptop in the pile. Nothing unusual about that itself, but for the contents of the note.

"The box of latex gloves is under the desk. Otherwise, the usual."

Boss wasn't kidding, the latex gloves were required. The machine oozed some sort of liquid that I deduced to be some sort of body secretions. After doing a cold teardown & scrub in the ultrasonic of what I could, and with copious amounts of rubbing alcohol for everything, and getting it more-or-less into a touchable state, still refusing to touch it sans the protective veneer of latex, I booted it up and kicked off the malware and virus scans.

One of the scans had a window with a scrolling list of files. I noticed some, uh, suspect things, and clicked around the filesystem a bit, to find absolute gigabytes of explicit Yaoi and Straight Shota. This was back in the days when most people had 120-ish GB hard drives in their laptops at most; this was about 80% full. Of Yaoi and SS. Whoever owned this thing had particular tastes. And smells.

Cleaned it up, and was (un)lucky enough to be in the store turning over the machine to its owner, who ended up being a true and honest female, not even all that fat, but holy shit the stereotype of a greasy fujo if I ever saw one. I say unlucky because she walked in to the shop to a buddy of mine and me shooting the shit about whatever animes we were watching that season. So of course she decided to show up a month later to re-enact an anime-perfect weebster "ask out the protagonist" scene. Turning her down was easy -- I was banging an eastern european exchange student at the time -- so "sorry, taken" was the easy route out. I was too chickenshit to say "bitch you nasty". But hindsight is 20/20.

With my luck she browses the farms. Sorry, still not sorry
 
You can also add a second salt, called pepper, to the first salt. Since it is common for all records, you keep it in a separate place like a key vault.
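The two points made above (a fresh salt per user fed into a deliberately slow hash, and a pepper held in a key vault rather than in the user table) are easy to see in code. The block below is an added example written for this page, not code from any poster or from the software being discussed. It uses the standard-library `hashlib.pbkdf2_hmac` as the slow KDF (scrypt or Argon2 would be the better choice where available) and mixes the pepper in as an HMAC key rather than appending it to the salt, which is one common way to do it. The pepper value, usernames, passwords and wordlist are all constructed for the demo. The second half counts the work an attacker holding the stolen table has to do against an unsalted SHA-256 table versus the salted one, which is the "no way to share work between users" argument made concrete.

```python
"""Per-user salt + slow KDF + vault-held pepper, and why the salt matters.

Added example for this thread (not the software described in it).
"""
import hashlib
import hmac
import secrets

# Stand-in for the secret kept in a key vault, separate from the database.
# Constructed value for the example only; a real one is never stored next to the hashes.
VAULT_PEPPER = bytes.fromhex("6f2c9a1be4d7f380a5c1d2e3f4051627")

# KDF work factor. Kept low so the example runs fast; in production tune it so
# a single derivation costs on the order of 100 ms.
ITERATIONS = 2_000


def derive(password: str, salt: bytes, iterations: int, pepper: bytes) -> bytes:
    # Pepper goes in as an HMAC key over the password, so a stolen record is
    # useless without the vault secret; the per-user salt then feeds the slow KDF.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)


def hash_password(password: str, pepper: bytes = VAULT_PEPPER) -> dict:
    """Build the record the server stores: salt, cost and digest, never the password."""
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = derive(password, salt, ITERATIONS, pepper)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, candidate: str, pepper: bytes = VAULT_PEPPER) -> bool:
    digest = derive(candidate, bytes.fromhex(record["salt"]), record["iterations"], pepper)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))  # constant time


# --- What an attacker holding the stolen table has to do -------------------

def crack_unsalted_sha256(table: dict, wordlist) -> tuple:
    """table: {user: sha256(password) hex}. One hash per word is checked against
    every user at once, so work is len(wordlist) regardless of user count."""
    rainbow = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    found = {u: rainbow[h] for u, h in table.items() if h in rainbow}
    return found, len(rainbow)


def crack_salted(table: dict, wordlist, pepper: bytes) -> tuple:
    """table: {user: record from hash_password()}. The salt forces a fresh KDF run
    per (user, word) pair, so work is len(users) * len(wordlist); with the wrong
    pepper nothing matches no matter how much work is spent."""
    found, work = {}, 0
    for user, rec in table.items():
        for w in wordlist:  # full scan per user so the work count is deterministic
            work += 1
            if verify_password(rec, w, pepper):
                found[user] = w
    return found, work


def demo() -> dict:
    # Constructed accounts and wordlist; two users share a password on purpose.
    users = {"alice": "hunter2", "bob": "password", "carol": "hunter2"}
    wordlist = ["123456", "password", "qwerty", "hunter2", "letmein"]

    unsalted = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}

    # Unsalted table leaks the shared password immediately; salted one does not.
    assert unsalted["alice"] == unsalted["carol"]
    assert salted["alice"]["hash"] != salted["carol"]["hash"]

    return {
        "unsalted": crack_unsalted_sha256(unsalted, wordlist),
        "salted_with_pepper": crack_salted(salted, wordlist, VAULT_PEPPER),
        "salted_without_pepper": crack_salted(salted, wordlist, b"attacker-guess"),
    }


if __name__ == "__main__":
    for name, (found, work) in demo().items():
        print(f"{name}: cracked {sorted(found)} in {work} hash operations")
```

Run as a script it prints the cracked users and the operation count for each table. The unsalted SHA-256 table falls to five hashes total; the salted one costs five slow derivations per user, and with the pepper missing the attacker gets nothing even after paying that cost. Hashing on the client before sending does not change this picture: whatever the client sends is what the server must salt and slow-hash, and it is what the attacker must brute-force.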
 
I'm noticing a large increase in poojeet contractors who clearly lied on their CVs.

One dude's title was "Senior Infosec Engineer" and he had no idea what Active Directory or OIG were.

Fuckers probably making more than me too.
Pajeets literally throw randomized combinations of tech buzzwords in their fabricated resumes, and most recruiters rubber stamp them for the interview committee.
 
From what I understand (and what was told to me at unemployment once), HR does everything automated, including hiring, so their programs search for keywords/terms that relate to what they are looking for. Apparently long resumes that list what you've done in the past are bad now, and turning your resume into a buzzword salad is what's "in" and "acceptable" now.

On the downside, temp agencies will take one look at that buzzword resume and think you're fucking mental and re-type a new resume on your behalf, so at this point, I just think it boils down to "nobody fucking knows anything and just talk out of their ass"
 
Leave it to pajeets to exploitmaxx any algorithm.

Yes, HR is completely automated, and yes, stalker child, it does prioritize CVs with as many keywords as possible. And yes again, stalker child, the HR clerks are incompetent people who have no clue what fucking tech is.

Combine 100 tags and unrelated skills thrown into a job application with a CV that has 100 pointless and irrelevant keywords, and the machine will go BEEP BOOP BEEP BOOP THIS PAJEET HAS 5 YEARS OF RUST AND 15 YEARS OF PYTHON BEEP BOOP BEEP BOOP HE ASKS FOR $1000 MONTHLY BEEP BOOP BEEP BOOP PREMIUM CANDIDATE. To which the HR clerks will toss some basic questions to them, the Pajeets will read a script, and get a stamp and move forward. When the CEO gets to them (if that ever happens) they will be greeted by 10 retarded pajeets with no basic understanding of english, let alone advanced IT concepts, and will think that literally anyone else is below that skill level and will have to train them (read, fire them in 2 months). Your 3 years of experience mean NOTHING when you're paired against 1000 pajeets who all have worked 5 years at GoogIe (with capital i, not L) as Lead Backend Programming Engineer and Fullstack Frontend Developer!
 
Not only that, but a great deal of job postings these days are fake. They exist to collect data on wages, skills, and other things candidates might have so they can get a rough idea of how little they can pay their next victim.
 
Reading this thread once again affirmed to me that computers and IT as a whole should've stayed a niche for the technologically competent or would at least demand the user to have a certified license of sorts as proof of competency to be serviced if needed. All it led to is interfaces getting constantly dumbed down to the lowest common denominator (the denominator getting further proportionally dumber in the process) and thus hindering the power users where programs become glorified pictogram guessing games unless you force yourself to approach them from the perspective of a double digit IQ consumer. IMO this is a worldwide societal problem - more people than not in this world are not mentally capable and should NOT be allowed to use any kind of technology more complex than an early 00s feature phone.

Most valuable IT-related lesson my friend taught me when dealing with relatives and computers is to feign ignorance by replying to any problem they have with their machines that you yourself don't know the answer to it. Last straw was having to help out an aunt that couldn't get her wireless mouse working because she was holding it backwards.

IMO the paradox of software and hardware is that while they're both getting dumbed down to be retard-proof and appeal to double digit IQ simpletons, the trend chasing with constantly changing designs in both areas became so stylized that it negates the retard-proofing that's been done, making it even less intuitive and comprehensible than the hardware and software philosophies of the 90s and early 00s.

Yes, I am very MATI about this.
 
Yeah, it feels like as soon as you start helping people they somehow become even more retarded.
Like their brain goes "Oh, I can just stop trying to think? Well, don't mind if I don't!" and just goes into power-saving mode as soon as they know that you know how to work on computer shit.
I want to be nice to people (and used to be when I was younger), but I have adopted a hard "next of kin or I am just as retarded as you" tactic and tell my next of kin to not tell anyone what I know. If some NPC person I don't even know that well wants to have a tech babysitter because they are too lazy to plug in a monitor or google their extremely basic problem and read for 5 minutes, then they can pay the companies that offer such services commercially.

And surprise, magically their brains start working again when faced with coughing up 150 bucks for their laziness, and they do manage to fix their retarded problem on their own.
Almost like they didn't really need actual help to begin with and just view you as some convenient and free "make problem go away with minimal effort" option.
Only exception is elderly family members, since those are the only people who I can actually believe when they say they don't know how to google a problem.
Those also tend to not produce a new retarded and ungodly boring Windows-related problem every time we meet.
 
Watching a country-scale delivery company publicly expose their FortiManager VM and block the two addresses their SASE uses when steering corporate traffic to it. Or TLDR, they blocked the two things they had to whitelist on the server, and allow everything else.

They tried to pin it on the SASE not working right, we spent multiple days trying stuff out and communicating with higher-level support, until I just broke and complained to my colleagues that the URL works normally when I access it through fucking public mobile networks, our own office network, our own SASE IP, everything. They chose to bypass it in the end, as if we were the ones lacking sense and they were biting the bullet.
 
Tech interviews are such BS.

Nobody values your skills and experience, instead they expect you to memorize and recite a middle school programming book.
I don't know how it is in other areas, but in Android and iOS development, nearly every fortune 500 company gets their interview questions from the same list of ~100 possible questions, which may still be available online with some searching. If 100 is too much to memorize, focusing on the details of design patterns like MVC and MVVM will make up for anything you don't answer correctly. I got some pretty good companies on my resume using this strategy. I was never asked about my history, how I work with others, even the lame "what is your greatest weakness" question every HR bitch is so fond of, just the head Pajeet robotically asking technical questions and me giving the memorized answers.
I wouldn't recommend staying in long, you will burn out pretty fast. I think they only hire locals when the Pajeets have screwed up in some way, usually they made the code impossible to maintain since most of my work was refactoring their nightmare-inducing code, and once things work right, they break their promises to keep you on as a full-time hire.
At nearly all of these jobs, I'd open the IDE for the first time to find over 1,000 warnings and several errors (miraculously it still compiled, since the errors were in some dependency like a Maven or CocoaPods dependency). At one where we worked on the app of a major pharmacy/retail chain, they claimed they simply did not want to use Google or Apple Pay. Google and Apple have (or had, this was a few years ago) some minimum standards for those services to be available in your app which ours could not meet, which tells me you don't want to be putting your payment information in the app's native payment system anyway.
 
A few years ago, I had to explain to a recruiter that CISSP superseded Sec+.
On a related note, certifications are a major contributing factor to the buzzword resume nonsense because they are quantifiable. The "intent" of a certification isn't the piece of paper but the skills allegedly learned, but braindumps and the like are rampant. OSCP was pretty notorious for pajeets being able to pay someone to cheat before they revamped it. (And that was a practical exam.)

Really, it was God damn DoD 8570 that propelled certs to their position in the industry. CEH (Certified Ethical Hacker) is a pet peeve of mine because of how overvalued it is due to early adoption by 8570. I'm convinced someone in the DoD received a massive kickback since there's no other valid explanation.
 
The worst part is when these retards take a degree that is not related to computers at all and decide to lecture you about the new tech buzzwords just because they took a 10 dollar Udemy course on Python (they did not even finish chapter 1).
 
I hate contract agencies with a passion. They're predatory, purposely underpay, offer no benefits and use loopholes to fuck you over.

I had a friend that accepted a year long contract via an agency. He dislocated his shoulder in a freak accident while on the clock. Not only did those gutless Street shitters make him pay out of pocket, but they expected him to continue working.
 
I’m going to be that nightmare engineer who turns up with a personal laptop to enroll today.

Because two applications I (seldom) need to use are only available for windows, naturally I’m only allowed a windows laptop. I can’t stand the thing no matter how much I try to CBT hypnotise myself into thinking it’s not so bad. So I bought a MacBook Air I’m going to use for practically all my work, and then RDP into the garbage windows laptop the one time a week I need to use the software exclusive to that OS.
 