I just got done moving some SQL databases to a new server and needed an account with which to test their associated program. The one we had on file was out of date, so I decided "This program looks sufficiently horribly written, I'll just null out a user's password field in the user table."
One SELECT TOP 20 FROM USERS later and I'm staring at a list containing 20 users with their plaintext, unsalted, unhashed passwords. These were all decently complex, and, knowing they're average end users, I'm sure they're tied to bank accounts and social media the world over. I fucking hate programmers.
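What that table should have held instead, as an added example (not code from the post or from the program in question): each password stored as a salted PBKDF2 hash, verified with a constant-time comparison, and a reset routine that lets an admin overwrite a user's credential for testing without ever needing to read it. The function names, the in-memory USERS stand-in and the iteration count are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for this example: PBKDF2-HMAC-SHA256 with a
# 16-byte random salt per user and a high iteration count.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh salt is generated on every call, so two users with the same
    password (or the same user twice) never share a stored value.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed stand-in for the USERS table: username -> stored credential.
USERS: dict = {}


def set_password(username: str, new_password: str) -> None:
    """Admin reset: overwrite the stored hash without knowing the old password.

    This is the operation the post's author actually wanted ("null out a
    user's password field"); with hashing in place it is the only way to
    get a working test account, since the old value cannot be read back.
    """
    USERS[username] = hash_password(new_password)


def looks_like_plaintext(stored: str) -> bool:
    """Audit check for a SELECT over the users table: anything that does not
    follow the hash format is suspicious and worth a closer look."""
    parts = stored.split("$")
    return not (len(parts) == 4 and parts[0] == ALGO)


if __name__ == "__main__":
    set_password("test_user", "correct horse battery staple")
    print(USERS["test_user"])
    print(verify_password("correct horse battery staple", USERS["test_user"]))
```

Running the block prints one stored record and True; the point of the audit helper is that a quick scan of the password column can flag rows that are still plaintext before anyone has to stare at twenty real passwords.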
I also fucking hate "web designers" whose skillset stops at "i can install a wordpress plugin!"
If I get one more of those fuckers asking me "yeah just change this MX record so we can email from our website's form submission" I'm jumping through the internet at them. I had one who got pissy that I wouldn't give him rights to a corporate DNS account, stating it was causing his SSL renewals to fail. I tried to talk him through HTTP verification for renewal, but got nowhere. I, by the grace of god, somehow got flung to the top of the ladder straight to their CEO (it's a relatively small, local business), who agreed immediately to give me root access to their web server. I'm on there and find not one, but TWO fucking instances of LetsEncrypt certification software: the standard CertBot, and LEGo (Let's Encrypt for Go, because every aspiring web dev uses Go and calls it a momentous feat.) After digging a little further, it turns out that cert was renewing perfectly fine, but the fucker had been renewing from LEGo while still having certbot's renewal in cron. Digging even further, I found out his configured certificate location was not only actual copied files instead of a symlink, but he had copied the incorrect, miles out of date CertBot certificate and chain.
I had another web vendor who a client went with because they were "much cheaper than everyone else," which meant "we host it on a shared environment." When their new site went live, their corporate email went down for anyone out-of-office. Turns out their "much cheaper" hosting software forces its own HTTPS root autodiscover for its own shitty IMAP, which takes precedence over our CNAME autodiscover.[domain] configuration. Not wanting to dedicate the rest of my natural life to constantly adding "ExcludeHTTPSRoot" to registries for every user on every computer, I contacted their hosting provider. Their response? "We can't turn this off for your domain, it's a shared resource for everyone in our shared hosting environments."
There's also the fucking print vendors, whose economic lot in life is to either shrivel up and die, as no one needs them to change fucking toner in 2019, or branch out to being a full MSP, which they're not even remotely knowledgeable or qualified for. We had one of those who branched out to web design (their customer website portfolio is all 404's and geocities vomit catastrophes) and VoIP. I had to deal with their VoIP not working at a client site, and, surprise surprise, they blamed our firewall. What followed was me showing them SIP exchange after SIP exchange where they're authenticating to the phones as 192.168.1.10 (falsified) with the packets originating from the entirely different LAN 10.1.2.3 (likewise.) I even showed them packet captures I took straight from our edge device with the RTP chain in its entirety, exported as a wav, showing that the voices that don't make it to the other end CLEARLY LEAVE OUR FIREWALL STILL INTACT; they still refused to acknowledge it's a problem on their end.
When I inquired as to what PBX solution they were using, they gave me "Oh it's a [their company name] phone system!" Yeah, okay. I also have one of those, and it runs on a specific Asterisk frontend. It might be a [my company] Phone System(tm) but I sure as fuck didn't program it. Regardless, we placated them by swapping their edge firewall from one vendor to another just to prove that it wasn't that. Phones still don't work. They still say it's the firewall.
Granted, they were accurate to a degree; when you have a hundred STUN provisioned phones using the same 20 RTP ports behind a single NAT device I guess you could consider it "a firewall issue."
I've got more bullshit for another time, for those so inclined.