Paranoid Developers - It's a long one
Backstory: I was a freelance web developer when I managed to land a place on a cyber security program with who I consider to be the world leaders in the field (details deliberately withheld; who's paranoid now?). Other than the basic security practices of web dev, my experience with Cyber was limited to the OU introduction course, so I was wholly unprepared for the level of, occasionally hysterical, paranoia that my fellow cohort seemed to perpetually live in. The following is a collection of stories from several of these people, because if I only wrote about one they would accuse me of providing too much data allowing an attacker to aggregate and steal their identity. They do use devrant so if you're reading this, know that I love you and that something is wrong with you.

That time when...

He wrote a social media network with end-to-end encryption before it was cool.

He wrote custom 64kb encryption for his academic HDD.

He removed the 3 HDD from his desktop and stored them in a safe, whenever he left the house.

He set up a pfsense virtualbox with a firewall policy to block the port the student monitoring software used (effectively rendering it useless and definitely in breach of the IT policy).

He used only hashes of passwords as passwords (which isn't actually good).

He kept a drill on the desk ready to destroy his HDD at a moments notice.

He started developing a device to drill through his HDD when he pushed a button. May or may not have finished it.

He set up a new email account for each individual online service.

He hosted a website from his own home server so he didn't have to host the files elsewhere (which is just awful for home network security).

He unplugged the home router and began scanning his devices and manually searching through the process list when his music stopped playing on the laptop several times (turns out he had a wobbly spacebar and the shaking washing machine provided enough jittering for a button press).

He brought his own privacy screen to work (remember, this is a security place, with like background checks and all sorts).

He gave his C programming coursework (a simple messaging program) 2048 bit encryption, which was not required.

He wrote a custom encryption for his other C programming coursework as well as writing out the enigma encryption because there was no library, again not required.

He bought a burner phone to visit the capital city.

He bought a burner phone whenever he left his hometown come to think of it.

He bought a smartphone online, wiped it and installed new firmware (it was Chinese; I'm not saying anything about the Chinese, you're the one thinking it).

He bought a smartphone and installed Kali Linux NetHunter so he could test WiFi networks he connected to before using them on his personal device.

(You might be noticing it's all he's. Maybe it is, maybe it isn't).

He ate a sim card.

He brought a balaclava to pentesting training (it was pretty meme).

He printed out his source code as a manual read-only method.

He made a rule on his academic email to block incoming mail from the academic body (to be fair this is a good spam policy).

He withdraws money from a different cashpoint everytime to avoid patterns in his behaviour (the irony).

He reported someone for hacking the centre's network when they built their own website for practice using XAMMP.

I'm going to stop there. I could tell you so many more stories about these guys, some about them being paranoid and some about the stupid antics Cyber Security and Information Assurance students get up to. Well done for making it this far. Hope you enjoyed it.

TLDR: Small family owned finance business woes as the “you-do-everything-now” network/sysadmin intern

Friday my boss, who is currently traveling in Vegas (hmmm), sends me an email asking me to punch a hole in our firewall so he can access our locally hosted Jira server that we use for time logging/task management.

Because of our lack of proper documentation I have to refer to my half completed network map and rely on some acrobatic cable tracing to discover that we use a SonicWall physical firewall. I then realize asking around that I don’t have access to the management interface because no one knows the password.

Using some lucky guesses and documentation I discover on a file share from four years ago, I piece together the username and password to log in only to discover that the enterprise support subscription is two years expired. The pretty and useful interface that I’m expecting has been deactivated and instead of a nice overview of firewall access rules the only thing I can access is an arcane table of network rules using abbreviated notation and five year old custom made objects representing our internal network.

An hour and a half later I have a solid understanding of SonicWallOS, its firewall rules, and our particular configuration and I’m able to direct external traffic from the right port to our internal server running Jira. I even configure a HIDS on the Jira server and throw up an iptables firewall quickly since the machine is now connected to the outside world.

After seeing how many access rules our firewall has, as a precaution I decide to run a quick nmap scan to see what our network looks like to an attacker.

The output doesn’t stop scrolling for a minute. Final count we have 38 ports wide open with a GOLDMINE of information from every web, DNS, and public server flooding my terminal. Our local domain controller has ports directly connected to the Internet. Several un-updated Windows Server 2008 machines with confidential business information have IIS 7.0 running connected directly to the internet (versions with confirmed remote code execution vulnerabilities). I’ve got my work cut out for me.

It looks like someone’s idea of allowing remote access to the office at some point was “port forward everything” instead of setting up a VPN. I learn the owners close personal friend did all their IT until 4 years ago, when the professional documentation stops. He retired and they’ve only invested in low cost students (like me!) to fill the gap. Some kid who port forwarded his home router for League at some point was like “let’s do that with production servers!”

At this point my boss emails me to see what I’ve done. I spit him back a link to use our Jira server. He sends me a reply “You haven’t logged any work in Jira, what have you been doing?”

Facepalm.

So I have that custom-made wifi router I've built. And it uses a USB wifi adapter with AC (wifi5) capability - the fastest one I could find in AliExpress.

I set it up a while ago - the internet access works fine, although speeds are somewhat sluggish. But hey, what to expect from a cheapo on Ali! Not to mention it's USB, not a PCIe...

A few days ago I ran a few speedtest.net tests with my actual AC router and the one I've built. Results were so different I wanted to cry :( some pathetic 23Mbps with my custom router :(

This evening I had some time on my hands and finally decided to have an umpteenth look.

nmcli d wifi
this is what caught my eye first. The RATE column listed my custom router as 54Mbps, whereas the actual router had 195Mbps.

I have reviewed the hostapd configuration sooo many times - this time nothing caught my eye as well.

Googling did not give anything obvious as well.

What do we do next? Yes, that's right - enable debug and read the logs.

> VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities

This is one of the lines at the top of the log. Waaaaiiitttt.. VHT is something I definitely want with ac -- why does it disable that??? Sounds like a configuration fuckup rather than the HW limitation! And config fuckups CAN be fixed!

Turns out, an innocently looking
`wpa_pairwise=TKIP`
change into
`wpa_pairwise=TKIP CCMP`

made a world of a difference!

:wq
!hostapd
connect to the hostapd hotspot and run that iperf3 test again, and... Oh my. Oh boi! My pants fell off -- the speed increased >3x times!

A quick speedtest.net test deems my custom router's download speeds hardly any worse than the speeds obtained using my LInksys!!

The moral of the story: no matter how innocent some configurations look, they might make a huge difference. And RTFL [read the fucking logs]

In the pic -- left - my actual router, right - my custom-built router with a USB wifi adapter. Not too shabby!

Building my own router was a great idea. It solved almost all of my problems.

Almost.

Just recently have I started to build a GL CI pipeline for my project. >100 jobs for each commit - quite a bundle. Naturally, I have used up all my free runners' time after a few commits, so I had to build myself a runner. "My old i7 should do well" - I thought to myself and deployed the GL runner on my local k8s cluster.

And my router is my k8s master.

And this is the ping to my router (via wifi) every time after I push to GL :)

DAMN IT!

P.S. at least I have Noctua all over that PC - I can't hear a sound out of it while all the CPUs are at 100%

## Building my own router

IT HAS ALREADY PAID OFF!!!!!

So I (with my fam) have evacuated from the capital of Lithuania into a distant place - much smaller, where average age is prolly >30 or even >40 years. I live in a village now. In a house with very good neighbours. In fact these neighbours own that house :D

Back to the point.

So these neighbours used to share their wifi (w/ internet) between the two houses. They have the line, the mian router has quite a strong antenna and that other house has 2 repeaters: 1 on the outside wall and another one -- indoors. Sepeaters are connected sequentially, i.e. the indoors one is repeating the outdoors one. ikr....?

The first day was alright. We settled in, got everything set up wifi-wise. Peachy.

The second day repeaters refused to issue a DHCP IP. That's something, right? Alright, nvm - I don't mind setting up static IPs. In fact I prefer them over the DHCP magic!

And by the noon both repeaters were connectable but neither of them could provide internet connection... We that sucks! I restarted both of them a few times, neighbours restarted their main router -- still no luck.

Here comes my router [God am I happy with this purchase and the whole idea of a customized router!!! Thanks @hakx20!].

I brought it outside, plugged it in. Connected to it through it's hotspot, used nmcli to connect to neighbours' main router with an internal wifi card (that shitty mPCIe operating in USB mode. yes, the same one, manufactured in 2003. Yes, in g mode.). A couple of iptables rules for traffic forwarding et voila! I have built my own repeater! And tomorrow I can WFH w/o any issues.

Yes, hardware routers are faster and easier to maintain. Yes, hardware routers are cheaper and usually have nicer bells and whistles. But when hardware fails you and the last thing you want is going to the public (shop), soldering rod won't help you. A software solution becomes the easiest to set up, considering you know how to.

Boi am I so happy about my purchase! CentOS router FTW!

P.S. even though we've fled the city we are responsible citizens and we've self-quarantined ourselves for the 14 days period. No local person any closer than 10 meters for the whole period until we're cleared. Being away from the city gives us sooo much freedom! Especialy now, when cities are shitting bricks in fear.

Last week I wired up my home network (including custom modem and routers) myself, because the stuff my ISP wanted me to use was garbage.
Luckily Germany has "router-freedom" so ISPs are not allowed to force us to use their device to dial into the network.
I did everything myself, because the 'technicians' they kept sending me were just idiots who didn't know anything, considering the highly paid job they are doing. Usually they told me, to get the device from my ISP, because my "Router" (actually a business grade, standalone Modem by Cisco, to feed my Router) didn't even have WiFi ( lol ). Also all Technicians didn't arrive at the agreed date but at some other time. I wasn't able to wait any longer.
So I did it myself.

Consider me something more like a student of theoretical computer science. Not actually supposed to be experienced with hardware stuff.

The ISP is serving me with a DOCSIS 3.0 Network based on the television cable network in my city. For some reason they are providing the internet-access to only one socket in the apartment, which has a rather uncommon "WICLIC" connector. After having trouble getting an adapter for WICLIC to common coaxial F-Connectors (used by every DOCSIS-Modem), I made one myself.

After setting up everything (not that hard, once the connectors fit) my modem told me, that, while I'm perfectly connected to the ISPs internal Network, I still can't access the internet.

So I called the ISP...
After getting ranted at, about that what I'm doing is illegal and only certified employees are allowed to do this and I will break more, than actually do good and that I can't just connect my own "Router" (again I needed to correct her: Modem) I hang up the phone.
Also she accused me of hacking their devices because I'm not supposed to see my IP address... (My Modem told me on its web interface. I didn't even need telnet for that.)
I went to the ISPs head office, told the first desk as many technical terms as I could remember and got forwarded to something like the main technician.

He was a really nice guy. The only sane and qualified person I dealt with at this company. He asked me for my Address and Device Model, I told him my MAC and last internal IP, I had seen and he activated my internet access within a minute.
We talked a while about the stupid connector that ISP is using in the homes and he gifted me some nicer adapters to connect my modem to the wall.

Why do ISPs hate their customers that much?

Years ago was the first time I put custom firmware on our wndr3700 router, it hasn't crashed since.

I bought a wndr4700, faster, 5ghz, possibility for a hard drive.
It's been 3 years and still no custom firmware.

Custom router profile which allows only SO, documentations and similar sites.

After waiting 3+ years, I finally found custom firmware for my netgear wndr4700.
LEDE project(based on openwrt), you are amazing.

Now just to figure out the 10000 options i have now.

Anyone that can help me?
Per example, my router should be capable of 300 mbit theory and 200 mbit practical.
But the custom firmware says max 150mbit.

what the f....

So I'm making some changes to my setup. I'm relieving my current router from its duties and retiring it as a mini PC for my desktop setup. And I got my hands on a Dell Optiplex that will become my new router.

Now, firstly, the Optiplex came w/o a wifi antenna. I booted it up into a LinuxMint install USB for the first time and didn't expect much from it, but to my surprise, I got a popup: "There are wifi networks available". At that spot there was also my Fenvi PCI wifi card's antenna of my current (soon-to-be-previous) PC and it was barely seeing any wifi, and there came Optiplex with NO antenna attached to it and it managed to maintain stronger and more stable signal. wtf....

Alright, it's Fenvi, it's chinese -- there's probably not much I should expect from it.

Then I hooked it up right next to my current router with an external USB wifi adapter having 4x6dBi antennas on it, serving as my current wifi AP. Trying out hostapd configs, searching for the right channels,... should I test it? Naah, it still doesn't have an antenna - it won't reach my laptop. Meeh, for shits and giggles! `hostapd -d /etc/hostapd/hostapd_custom.conf`, on my lappy `nmcli d wifi rescan; sleep 5; nmcli d wifi` and... wtf... To my surprise, the AP was there! A thick wall away, no antenna whatsoever, and I still could connect to that Optiplex AP and post this rant!

What magic is this??? I'm now a bit concerned about ordering an antenna for it - I'm worried it could either worsen the signal or make it so strong that it'll fry my brains overnight.

A year ago I built my first todo, not from a tutorial, but using basic libraries and nw.js, and doing basic dom manipulations.

It had drag n drop, icons, and basic saving and loading. And I was satisfied.

Since then I've been working odd jobs.

And today I've decided to stretch out a bit, and build a basic airtable clone, because I think I can.
And also because I hate anything without an offline option.

First thing I realized was I wasn't about to duplicate all the features of a spreadsheet from scratch. I'd need a base to work from.

I spent about an hour looking.
Core features needed would be trivial serialization or saving/loading.

Proper event support for when a cell, row, or column changed, or was selected. Necessary for triggering validation and serialization/saving.

Custom column types.

Embedding html in cells.

Reorderable columns

Optional but nice to have:

Changeable column width and row height.

Drag and drop on rows and columns.

Right click menu support out of the box.

After that hour I had a few I wanted to test.

And started looking at frameworks to support the SPA aspects.

Both mithril and riot have minimal router support. But theres also a ton of other leightweight frameworks and libraries worthy of prototyping in, solid, marko, svelte, etc.
I didn't want to futz with lots of overhead, babeling/gulping/grunting/webpacking or any complex configuration-over-convention.

Didn't care for dom vs shadow dom. Its a prototype not a startup.

And I didn't care to do it the "right way". Learning curve here was antithesis to experimenting. I was trying to get away from plugin, configuration-over-convention, astronaut architecture, monolithic frameworks, the works.

Could I import the library without five dozen dependancies and learning four different tools before getting to hello world?
"But if you know IJK then its quick to get started!", except I don't, so it won't. I didn't want that.

Could I get cheap component-oriented designs?

Was I managing complex state embedded in a monolith that took over the entire layout and conventions of my code, like the world balanced on the back of a turtle?

Did it obscure the dom and state, and the standard way of doing things or *compliment* those?

As for validation, theres a number of vanilla libraries, one of which treats validation similar to unit testing, which seems kinda novel.

For presentation and backend I could do NW.JS, which would remove some of the complications, by putting everything in one script. Or if I wanted to make it a web backend, and avoid writing it in something that ran like a potato strapped to a nuclear rocket (visual studio), I could skip TS and go with python and quart, an async variation of flask.
This has the advantage that using something thats *not* JS, namely python, for interacting with a proper database, and would allow self-hosting or putting it online so people can share data and access in real time with others.

And because I'm horrible, and do things the wrong way for convenience, I could use tailwind.
Because it pisses people off.

How easy (or hard) would it be to recreate a basic functional clone of the core of airtable?

I don't know, but I have feeling I'm going to find out!