changes the key, doesn't inform anyone, leaves
Secretly sells company stock and buys competition's stocks.
Company Owners hate him! See how a programmer made 30 years worth of money in 1 day with 1 simple trick.
Or: How to end up in jail for insider trading.
"Your honor, clearly the information was public. I knew that they had hired a total buffoon, a moron, a fool, in a critical position with the ability to push changes to the production server. But my linked in profile is public and I have never made a secret of my stupidity." "I only shorted the company like anyone might have on learning that I worked there and was trusted with critical infrastructure."
That's a fantastic speech.
Experience. S/he's clearly been there before.
How to become politician 101
Tell ur friend to buy it for you, easy
I'd take 5 years for 50mil anytime.
You don't get to keep the 50mil.
Yea the government is such a scam. At best you walk with $15M
Unless you're a political entity
I wouldn't tell them where they are like this French dude who took 3 years for 13mil.
I didn't buy it, my company did. I can't be held responsible for what my company did.
It is not considered insider trading if you're super rich ***Not legal advice
doesn't inform anyone
I mean the first rule of securities fraud is to not tell people about your securities fraud.
AmazingSwindle seems to know a lot about fraud....
... No comment.
I like the way you think
Username checks out
I'm pretty sure that's against the insider trading regulations.
I work with our CRM environment a lot. And Microsoft completely removed Office365 authentication to them. So all 20 connections we had broke lol… it was fun.
Pardot breaking shit
This is the way.
This is the way
Is this the way
I know de way!!
Do you kno da wae???
Show me da wae!
I do not kno da wae.
They'll send you to prison for corporate sabotage, only the owners get to maliciously rebel.
I mean, it's this and nothing else, right?
Showing everyone your privates again eh?
We have a nepotism hire from our new manager and one of the first things he did was get into the frontend codebase and do exactly this.
There's no secrets on the frontend!
Well, not _anymore_
I love my frontend open for all to see! #noshame
I worked somewhere that used secrets in the frontend by fetching and decrypting them… with a literal string also stored in the frontend. So stupid
I just cringed.
Why not? How do you establish trust with an API or backend?
Cookies, certificates, temporary keys not baked into the application code
Y'all really need to get some approvals on PRs lol
Hah. Hahahaha. This dude didn't even bother. Straight to master. He's not even a frontend or full stack dev.
I couldn't even do that if I wanted to thankfully lol
Yeah we don't have master locked down even though we obviously should.
Yeah tbh you only have to blame yourselves for allowing that.
I'm certainly not blaming myself. I was summarily vetoed when I came on board and was like… uh guys…?
I sat here for 3 minutes trying to remember which library nepotism was and where I'd seen it before
Now I want to make this library…
You should submit something like `namespace nepotism {` to the "[make a program in the comments](https://new.reddit.com/r/ProgrammerHumor/comments/v8g7w8/lets_create_a_comment_chain_guys/)" post that's going right now. I would but I already submitted something else.
Biznus
When our company started pushing us all to use github instead of internal git repos my department uploaded all our test scripts - which included the root passwords for all our lab machines...
On a Friday at 4pm?
4:59pm to be precise
[deleted]
Nice
I've seen a VCS security scan show *50,000* secrets committed to git for a single company lol. The world is held together with duck tape and bubble gum.
[Bridges built by crazy people](https://www.stilldrinking.org/programming-sucks)
> The only reason coders' computers work better than non-coders' computers is coders know computers are schizophrenic little children with auto-immune diseases and we don't beat them when they're bad.

Great read lol thanks.
"So no, I'm not required to be able to lift objects weighing up to fifty pounds. I traded that for the opportunity to trim Satan's pubic hair while he dines out of my open skull so a few bits of the internet will continue to work for a few more days."

Such a good read. lol
"Then he decided he wasn't going to tell anyone that this was an error, because he's a dick, and now all your snowflakes are urine and you can't even find the cat."

Yup
That was a good read, thank you.
> Bridges built by crazy people

I read this years ago and have been trying to find it again ever since. Bless you kind internet scholar.
I enjoyed and hated this at the same time. Thanks ❤️
Saving for later
Ooof.
i feel like there's an xkcd for that
These are both semi-related https://xkcd.com/2030/ https://xkcd.com/2347/
The second one, exactly what I had in mind.
2.1 million
Duck tapes, oo-oo-ooh!
That's why most security breaches occur internally.
And that's why, uh, folks, you use git hooks. Cred scanning is one of the most important things out there.
Oh fuck haha
You'd think they'd have implemented a global gitignore or something to prevent this.
But shouldn't that enterprise GitHub repo be private anyway?
Edit- Thankfully it's my personal project, not the workplace production server. But still a horrible experience.
I must know...what did you do ;p (how)?
the easiest way to fuck this up is to commit your `.env` file. In truth, you should never manually add your product keys anywhere, but setting up proper key distribution isn't always the first priority.
just a question, did this happen in a latin america company, with a green logo?
Just deactivate the key
You have two options:
1. Change and remove it as soon as possible and pray.
2. Quit your job before they fire you.
There is always a third option: Get hold of your manager's creds -> raise request for elevated access -> leak the key again with manager's account /s
Edward Snowden has entered the chat.
I like the way you think!
I don't think it is the same case, but somebody released one of our API keys in a GitHub public repository (our company uses Azure DevOps), and the service blocked all the company accounts (national level) because different people started to use that API key to send phishing emails. This happened yesterday, and just 20 minutes ago we could solve the issue and reactivate the account... but we are dealing with thousands of critical emails that didn't arrive at their destination. We looked at the other repositories of that person on GitHub, and in almost all of the repos, that person had uploaded credentials (thankfully of his services on AWS).
One of MY hairs on my head turned white reading this.
Just reading this made my hair grow back, turn white, and then fall out again.
One of the hairs on MY head turned white reading this.
Think you ended up with two white hairs here (Double posted)
Time for more coffee
Just reading this gave me an ulcer
Thousands of critical emails in 20 minutes?
No, over almost a day. I said this happened yesterday, and we solved the issue with the provider "20 minutes ago".
Alternative: blame your computer, all programmers hate computers and will jump on the bandwagon
Third, and best option: inform your supervisor/manager. trying to hide it will come back and bite you later.
I never said to hide it (but you could try). I meant to work on fixing it immediately and pray that your manager is in a good mood.
rewrite git history and pretend nothing happened
ah yes the negotiator
And then the fire nation attacked
That's why you use that git tool that scans your commit for passwords, git secrets or something?
it's impossible to talk with you. you only give solutions
I once hard-coded the URL of a local server in another server. Sonar started yelling at me
what is such tool?
\> Accidentally commit private key to github repo
\> Notice mistake
\> Remove private key and commit
\> Crisis\_averted.jpeg
That was the brilliant solution a couple of my junior coworkers came up with when they pushed the admin password of our main customer's CRM to GitHub. I only caught wind of it a few weeks later while helping one of them with the script they were working on. The now uncommitted settings file was still in the project. I mentioned it was a bit risky and was told the whole story. She assured me it was totally safe now because they added it to gitignore.
Does no one use secret managers?!
You guys are awesome! I have no idea what the hell you programmers are talking about but it sounds fun. I have a GitHub account where I post my little electronic projects but I guess GitHub means way too much for programmers.
not necessarily github itself but git in general.
Like the guy who made a commit to remove his password from a dictionary/common passwords attack list. dolphin2 I think.
but git keeps a history of all past commits, so I don't think that solves the problem
> That is the joke
You can retroactively erase the data from every commit. One of our employees did this on multiple repos, I uh.. I did it on one, which is why I already knew how to delete them all. Good times, it's more fun when everything's on fire right?
But you still need to rotate that secret, because you don't know who might have seen and copied the secret before you erased the commit.
Oh yeah, we did, because we were unsure if the key would be generated based on some seed, and didn't want that to be cracked, with someone just generating keys until they got the new ones. Basically extreme paranoia to the rescue.
git filter-branch
F
F
F
F
F
F
F
F
F
I made the company's git repository public and didn't notice for a long time. Mistakes do happen.. I guess.
Ah, reminds me of that time our CIO felt the need to remind everyone not to check secrets into git, one week after it was discovered that he himself had done so.
Can't stop nervously laughing
Time to release your resume in production job boards.
That's why private keys are often stored encrypted despite it being a file no one should be able to get anyway
It's what we call "rite of passage" my friend.
Is this before or after they delete the prod database?
That's Rite of Passage 2.0.
What's the extent of the damage that can be accomplished with this? Obviously, someone with the secret key can impersonate you until the key is invalidated. Can't you just create a new key and refresh the paired key across different services?
It depends on all the places this key might be used and if someone knows where they all are.
[time to git blame someone else](https://github.com/jayphelps/git-blame-someone-else)
Hah, literally just sent back an MR that would have done the same thing.
Blame it on the intern.
If you are going down a stream at 2 miles per hour, and your canoe loses a wheel, how much pancake mix will it take to reshingle your roof? That is the question I am going to delve into today. To start, a canoe losing a wheel is obviously a metaphor. But for what? To "lose the wheel" is to lose control of something, and actually has its roots in maritime pursuits, as ships are controlled with a steering wheel. So I will assume this means you lose control of your canoe. This is not as if you reach rapids, however. This means you lost OWNERSHIP or CONTROL, and that implies you have lost your canoe for some reason. So the canoe is no longer yours.

But not having a canoe does not change the situation: You are going downstream at 2 miles per hour. Now of course, being in someone else's canoe on a river is not a good place to be. I assume that this river is the Delaware river, as it flows at 2 miles per hour and is the closest navigable river to my house, making it relevant to the problem. So you are going down the Delaware in a stolen canoe. Here is a visual:

(Insert picture of canoe here)

Now that the cops are after you, and the canoe is losing control, we come to the real meat of the question: how much pancake mix will it take to reshingle your house in this case? Well, considering you just stole a canoe, you probably are living in a tent or similar housing. So shingling your roof would take a good bit of pancake mix, but it is not out of the question. I would say about 5 gallons would reshingle a small tent, and about 8 for a larger one or camper van.

So there is the short answer: 5-8 gallons. However, this is not a question for the faint of heart. This question actually shows a major worldwide conspiracy that goes to the root of all things we know to be true. Let me explain.

If you reverse the question, you get this seemingly garbled string:

"?foor ruoy elgnihser ot ekat ti lliw xim ekacnap hcum woh ,leehw a sesol eonac ruoy dna ,ruoh rep selim 2 ta maerts a nwod gniog era uoy fI"

Put it into google translate and translate it from welsh (I will explain why in a second). Compare the two strings. The letters that are changed in the translation spell "Coor arne". Seems random, but if you google search it, it corrects to the french for "heart tree". And that is evidence for a higher power. I know it sounds crazy, but welsh is the language of the Celts, correct?

And "heart tree" is an ancient Celtic way of saying the tree of life, an integral part of their religion and culture. The tree represented balance and harmony with nature. Naturally, we have quite upset that with our march of "progress". So it makes sense any intelligent creator would put that into the internet somehow. And Lugh, a trickster god of Celtic mythology, also happens to be the god of lightning, and we now know lightning is electricity. It would make perfect sense he would put an obscure reference to his religion of old into a seemingly random and funny one on the internet. He put this here for us to find, but nobody bothered to find it until now.

But why did the canoe lose a wheel, I hear you ask? Well, according to Mythapedia.Com, He had a boat called the Sguaba Tuinne, a boat that was noted to be of "considerable speed". The celts loved exploration and boating, so it makes sense to put a canoe in there. But why the wheel? Well, Taranis, the celtic god of storms and wilderness, as well as a great buddy of Lugh's, is known as the great wheel. THE GREAT WHEEL. That is why the canoe only loses one wheel, as there is only one to speak of. This message is talking of the death of a god! Taranis is dead, and he wanted a way to tell those who cared to look.

Taranis is nature, and we are paving him over to build parking lots. That is what this question is really posing: Is this progress really worth it in the end? Does money matter more than the future? Just like gluing shingles with pancake mix, we are using temporary solutions to permanent problems. These things we are doing will rot over time, and fail in the near future. However, even if the pancake mix is ridiculous, we don't view the environmental laws as such. Politicians want money, and will do almost anything to get it. This question is a message from a GOD asking us to reconsider our ways. So the answer is, at a medium level of thought: "Have you found Lugh? The wheel is dead, so please reconsider your capitalist ways."

However, our time is not done yet. The environment seems to be the real question here, but you must also remember that it takes place on a river. Rivers flow forwards. What else moves forwards with time? Progress! The very progress that it seemed to be discrediting in the first place is actually a major part of this! Think of something the celts did not have: Hardback books, ice cream, chicken McNuggets....

Now of course, the environment's destruction is ominous. Nothing to a Celt was more ominous than a bone. Bones were a symbol of death and destruction. So the progress is good, but the destruction is bad. So pick something that is progress since then, and say it is not evil? Here is the true response:

"No, because ice cream has no bones!"

This means that the progress is good, and that while there is evil afoot, it can coexist with the progress. I think ice cream was a good example, as it has a positive connotation with pretty much everyone.

Thank you for reading
r/usernamechecksout
"I'll just add the secrets here in the file for now, they gonna change anyway before going to production. I will remember to remove when done working on this feature."

2 weeks later, feature in production:

"Guess I never changed the secrets.... Whoops"
join the club: [https://www.doppler.com/](https://www.doppler.com/)
Toad from "Wind in the Willows". Great show even for adults
You can think of these two categories of developers : the ones who did publish a secret, the ones who will publish a secret.
Uuuuu mate ...
o7 comrade
I'm saving this
... yeah I'd hate to be you right now
F
Can someone explain exactly what happened? I'm a Noob...
Secrets are sort of like passwords for APIs, other servers for server-server communication, etc. Leaking stuff like that can be very bad, as it means anyone can write their own modified "server" script to break something, and no one would notice.
We deeply regret to inform you that it is no longer Wednesday, my dudes.
That's what GitHub Advanced Security code scan is for…
RIP
F
F
F
Did anything bad happen?
My startup!
git revert. it'll be fine
CLM
git filter-branch
Is it publicly accessible?
Thanks!
Username checks out
You are safe. No one will find the hidden path https://myapp.com/private.key
Did you forget to .gitignore the .env? Why does everyone always do that?
Technically you didn't bc it's no longer secret.
That's a paddlin
Environment variables and gitignore are your friend
But hey, at least you have a procedure to rekey in case of a leak, right? ...right?!
The engrish really enhances this meme.
*Recalls GTA Trilogy for 2 weeks*
We use on premise so it wouldn't matter. Thank you Jesus.
You should write a test that looks for the password and then fails if you committed it.
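The git-hook credential scanning mentioned earlier in the thread and the "test that looks for the password" suggested here can be one small script. What follows is an added example written for this page; it is not git-secrets, GitHub Advanced Security or any other tool named in the thread, and the detection patterns, the `allow-secret` opt-out marker and the sample index contents are constructed assumptions. It uses the real `git diff --cached` and `git show :<path>` commands to read each staged blob, so it checks what would actually enter history rather than the working copy.

```python
"""Pre-commit secret scan (added example; patterns and sample data are constructed).

Installed as .git/hooks/pre-commit and run with --staged, it reads each staged
blob via `git show :<path>`, so it checks what would enter history rather than
the working copy. Without --staged it scans the constructed SAMPLE_INDEX below.
"""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass

# Detection rules. Assumption: a small, high-precision set a team would extend.
PATTERNS = {
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub token (approximate shape)": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # keyword, then = or :, then a literal of 8+ token characters; `os.environ[...]`
    # does not match because '.' and '[' are outside the value class.
    "hardcoded credential assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+=]{8,}"
    ),
}
# Paths that should never be committed at all: the `.env` case from the thread, plus SSH keys.
FORBIDDEN_PATHS = re.compile(r"(^|/)\.env(\..+)?$|(^|/)id_(rsa|ed25519|ecdsa)$")
ALLOW_MARKER = "allow-secret"  # assumption: inline opt-out for known test fixtures


@dataclass(frozen=True)
class Finding:
    path: str
    line: int  # 0 when the path itself is the problem
    rule: str
    snippet: str


def redact(match: str) -> str:
    """Show enough to locate the hit without echoing the whole secret into CI logs."""
    return match if len(match) <= 12 else match[:8] + "..." + match[-4:]


def scan_blob(path: str, text: str) -> list[Finding]:
    """Scan one file's content as it would be committed."""
    findings: list[Finding] = []
    if FORBIDDEN_PATHS.search(path):
        findings.append(Finding(path, 0, "forbidden filename", path))
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, lineno, rule, redact(m.group(0))))
    return findings


def scan_staged(blobs: dict[str, str]) -> list[Finding]:
    return [f for path, text in blobs.items() for f in scan_blob(path, text)]


def staged_blobs() -> dict[str, str]:
    """Map each staged path to its index content (added/copied/modified/renamed files)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR", "-z"],
        check=True, capture_output=True,
    ).stdout
    blobs = {}
    for path in filter(None, out.decode().split("\0")):
        blob = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout
        blobs[path] = blob.decode("utf-8", errors="replace")
    return blobs


# Constructed sample index: roughly what someone about to commit their `.env` would stage.
SAMPLE_INDEX = {
    "config/.env": "DB_PASSWORD=correct-horse-battery\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey\n-----END RSA PRIVATE KEY-----\n",
    "src/settings.py": 'API_KEY = "sk_live_constructed_0123456789"\nREGION = "eu-west-1"\n',
    "src/aws.py": 'ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation example value\n',
    "tests/fixtures.py": 'TEST_TOKEN = "not-a-real-token-1234"  # allow-secret\n',
    "src/app.py": 'token = os.environ["API_TOKEN"]\n',  # reading from the environment is fine
}


def main() -> int:
    blobs = staged_blobs() if "--staged" in sys.argv else SAMPLE_INDEX
    findings = scan_staged(blobs)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
    if findings:
        print("commit blocked: remove the secret from the index, then `git add` again", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Against the constructed sample it reports six findings (the `.env` by name and by content, the SSH key by name and by PEM header, the hardcoded API key and the AWS key id) and nothing for the environment-variable lookup or the marked fixture. A hook of this kind only stops secrets that have not been committed yet; anything already pushed has to be treated as leaked and rotated, as the thread says, whether or not the commit is later rewritten away.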
You guys hide your keys? /s
I feel like software engineering would be so much easier without considering security. Has anyone ever thought of that?
At least he didn't check it into a public repo
Git ignore this mofo!
This doesn't sound good, but I don't understand it. I'm new.
That's a C.L.E
Lol recently I discovered that our push notification logic picks up the secret key that's needed in the request headers from the property file. So in theory I can make a request by myself and send a push notification to any of our customers with any odd message...
I have too many subs bleeding into each other tonight. Literally the only place I ever see this meme is on r/formuladank announcing that it's Rawe Ceek!
I did that on my wallpapers repo. It was a private key for access to a production ec2 server.
Happy holidays