mircea_popescu: hanbot o shit yeah! you just cracked this nut wide open.
mircea_popescu: anyway, you're on to something here douchebag ; work on it, with serious dedication, by the time you're as old as the rest of these guys you'll prolly be more valuable than them.
hanbot: mircea_popescu : if you'd prefer, there's also a format to encapsulate em as base64: http://wotpaste.cascadianhacker.com/pastes/RlPyK/?raw=true
mircea_popescu: to quote the universal george c. "that's a fun age!"
mircea_popescu: how old are you, if you don't mind teh asking ?
mircea_popescu: i thought the whole "memory security" shit sandwich just got blown to smithereens coupla weeks ago.
douchebag: I plan on learning more about low level memory exploitation in the future, however it's a bit more difficult these days due to stack canaries and other protections to prevent that sort of stuff from happening.
mircea_popescu: but yes, fucking up the empire's "technology" ie, websites, is a perfectly fine entry point towards actual life.
douchebag: Ohh right, I understand. I agree, however to me I treat web application pentesting as almost a sort of game or puzzle, in my opinion it is a rather entertaining challenge to be able to modify a web application's behavior in a way that leads to total compromise.
mircea_popescu: i would definitely put up with this in exchange for all-svg.
mircea_popescu: hanbot http://trilema.com/2018/iti-minca-cinii-din-straita/ << pretty terrible, lost all transparency etc. but WILL WORK.
shinohai: Some of us do like to lul about it when it happens, notwithstanding.
mircea_popescu: sv there stands for silly-cons valey.
mircea_popescu: douchebag you're familiar with how there's a group of idle cocksuckers holding conferences and printing books about "technology!" which immutably consists of pointless websites run as investor swindles ? groupon, facebook, what have you. http://trilema.com/2015/you-know-what-gets-no-airplay-unflattering-truth/ sorta thing.
a111: Logged on 2018-01-07 20:28 mircea_popescu: he also wrote a lisp-is-faster-than-c item back in the days the microsoft hired hands were pissing all over o'reilly&marc "my middle name is cocksucker" andressen's java
douchebag: What do you mean by sv-powered tech?
mircea_popescu: hanbot ima put this in and see. standby
hanbot: re the binary files thing: here's a conversion of the rss feed image on the trilema footer ( http://trilema.com/wp-content/themes/trilema/images/rss.jpg ) : http://wotpaste.cascadianhacker.com/pastes/fLVsf/?raw=true thoughts?
mircea_popescu: notreally ; republic mostly despises the sv-powered "tech" ; you'll find pmarca's notion of "the web" doesn't carry much water, or interest, among actually competent computer folk.
a111: Logged on 2018-01-15 07:15 mircea_popescu: well, lessee, stuff that might be of professional interest to you then. http://trilema.com/how-the-beastforumcom-private-messaging-function-became-a-paid-user-only-item http://trilema.com/internet-census-2016 http://trilema.com/xenforo-no-better-than-vbulletin-certainly-not-all-that-different etc.
douchebag: Is anyone else in this chat into web application pentesting?
douchebag: Last night I found a rather interesting vulnerability in a website for a bug bounty, second time I've been able to leverage SSRF to XXE, very fun stuff.
douchebag: Alright forsure, if I were to find something how would you want me to disclose the information to you in a secure manner?
mircea_popescu: go ahead. which site is that ?
douchebag: mircea_popescu: I'm a little bored at the moment and I'm looking to practice my web application pentesting skills, would you mind if I took a look at your site and try to identify any potential vulnerabilities?
phf: (there's yet another solution is to actually provide a binary patcher, that uses some minimal delta algorithm to patch files, while also providing the patching details in plain text. so you could say that the result is readable in a sense that it takes file FOO and replaces bits #10 #1343 #325435 etc)
mircea_popescu: phf there's no direction re proper cuz of first principle issues, i dun want to make dumb part of the history.
phf: mircea_popescu: it's not clear to me what "properly handle" is, given the many conversations on the subj. there's no reason why it couldn't if there was some direction as far as proper. i'm personally leaning towards the idea that binary blobs shouldn't be in vpatch (as per latest thread on subj), but it's a non-pragmatic take
hanbot: mircea_popescu they're further down in the vpatch. ugh.
phf: you're going to run into png's that are admin interface ux elements that you can't just delete
mircea_popescu: let people provide their fucking own avatar favicon etc.
mircea_popescu: hanbot honestly looking at the list, just delete them
phf: third solution, that's latest conversation in logs on subj is that perhaps binary blobs don't really belong in a vdiff which is a human readable code container, and should just be packed separately into e.g. a signed TAR archive and unpacked into place as a second pass
phf: second solution that was entertained by ascii was to base64 encode binaries and have a second pass with something like makefile to pack them back into place
phf: the oldest solution, by i believe mp, is "replace all the mp-wp images with their svg equivalents"
phf: hanbot: there's no policy on this, it's an unsolved problem with lots of different solutions
deedbot: http://trilema.com/2018/iti-minca-cinii-din-straita/ << Trilema - Iti minca cinii din straita
hanbot: i'm trying to make a genesis for mp-wp ; first coupla lines of vdiff's output could be a problem: http://wotpaste.cascadianhacker.com/pastes/irACN/?raw=true . what's the policy on this?
mircea_popescu: meanwhile in "i'm just the doorman", http://78.media.tumblr.com/6c5e2674d445a6547e578c7061b531e2/tumblr_inline_o2qnfetugT1thjhje_1280.jpg
mircea_popescu: BingoBoingo how the hell can that thing contain NO numeric characters ?! do it properly, x - y - z - k = q.
phf: did you get the source directly from mp, or did i republish it? i remember being asked for the source and putting it up at some point, but i don't remember by whom and too lazy to log in this case
mircea_popescu: don't do that.
shinohai: Hmmm ... I may have put it in there to test or something.
a111: Logged on 2018-01-21 19:23 hanbot: hey shinohai, what is wp-patch2.diff in the mp-wp hosted @ http://btcinfo.sdf.org/uploads/wp-mp.tar.gz ? i see no sig, no...from where/whom is it?
phf: http://btcbase.org/log/2018-01-21#1773562 << pretty sure that's one of mine, it's either comments.diff or it could be a diff against the baseline wp of that vintage (i wanted to see what kind of modifications exactly mp version introduced)
mircea_popescu: it all comes back down to "byte is machine word but idiots wanna do dumb shit", im pretty sure
mircea_popescu: basically, 32 bit had an int type that became incompatible with 64 bit for ~no reason
mircea_popescu: trinque i can tell you it was a multi-week pain in the ass to clear the shit out of eulora codebase.
trinque: and has the type
trinque: my current wager is folks that had it were using a gcc5, which is defaulted to a later standard for C
trinque: anyhow if anyone recalls specifically why int64_t was present on some systems and not others, I'd be interested for the HISTORY file.
jhvh1: BingoBoingo: The operation succeeded.
BingoBoingo: !~later tell mircea_popescu http://wotpaste.cascadianhacker.com/pastes/DZ3Mc/?raw=true
shinohai: Boffing purple drank is best way to kill ALL retardation.
mod6 is having some fun stepping through some ffa procedures
a111: Logged on 2018-01-20 15:43 mircea_popescu: spyked re pingback thing, doesn't even have to be that hand-generated ; just walk the db, extract all links, construct the calls as shown and make curl calls. can be a bash script.
mircea_popescu: sometimes (often) wordpress manages to lose a pingback ; that thing will walk your db, spit out properly formatted xml payloads for all links in all your (published) posts. the result can be run as a bash script to catch up on any missed pingbacks.
hanbot: mircea_popescu, what is this pingback-updater.php item?
trinque: http://btcbase.org/log/2016-07-03#1496554 << iirc it was this
shinohai: It all appears to be code related to comments.
mircea_popescu: hm, i don't recall that diff file hanbot
shinohai: I like that `bbisp`
BingoBoingo: <mircea_popescu> BingoBoingo do a few trades with the locals to get a feeling of the place an' report ; also gpgram me the story of bbisp fiat holdings ab origine. << Will do
shinohai: Worth looking into tho, I should grep and see if this patch was applied at some point in there. Thanks for notifying!
shinohai: The only garbage I remember in the one on my site was I changed icons in the images/ directory, otherwise I believe as I received.
shinohai: I was unsure hanbot, I don't recall if I ever asked mp about it, or why it was included in the copy I got originally.
hanbot: hey shinohai, what is wp-patch2.diff in the mp-wp hosted @ http://btcinfo.sdf.org/uploads/wp-mp.tar.gz ? i see no sig, no...from where/whom is it?
mircea_popescu: meanwhile in "this is what YOU MUST DO! TODAY!!! so your shithole country/town/life/whatever picks up", http://78.media.tumblr.com/c04a49b94572fe2aaeb4208cc78b4a6e/tumblr_od98qpXtJo1uu92gho1_1280.png
asciilifeform: it was hilarious, i went into a couplea pharmacies, saw ~nuffin that was recognizable as actual pharma, mostly various gerovitals, groundhog fats, snake oils (literally)
mircea_popescu: asciilifeform thatactuallyworked.!!!
asciilifeform in 'museum of komunnist konsoomer' leafed through ancient ro mags, and ran into the 'gerovital' lulgem
mircea_popescu: adaptive text!
asciilifeform: ( hey recall those old ru forums with integrals ! )
mircea_popescu: t well because you only have to pay for the number of days and weeks that the equipment would be used.The back office library is like a gold mine of thousand dollar methods used by the leading earners in the business.
mircea_popescu: Obedience training should be calm, firm, [url=<snip>wholesalenfljerseyscheap.cc/]Cheap NFL Jerseys Wholesale[/url], quiet,[url=<snip>wholesalenfljerseyscheap.cc/]Cheap Jerseys Online[/url], and persuasive, rather then demanding or sharp. This is why; getting all the information about most suitable nuts and bolts detroit company is important.Another benefit of renting construction equipment is that you get to manage your budge
mircea_popescu: ahaha check this shit out!
asciilifeform: i've been tempted to replace the idjit captcha with... pehcode riddle
mircea_popescu: yeah, in order to show up i have to approve it, so it's no accident.
asciilifeform: sometimes i see obvious spamola on trilema. but always assume that mircea_popescu let it through for lulz/collectiblevalue
mircea_popescu: that's the past 5, covering a coupla days. so i guess it's more than 1/day
asciilifeform: i'm satisfied that hanbot showed mp-wp to be usable on nfs
asciilifeform: hanbot: if you post one, i'd like to try it.
asciilifeform: hanbot: i'd luvv a working-with-nfs patchset on mp's wp. unfortunately my own wwwism proved insufficient to make it go.
hanbot: 10k marked spam comments means spammy ips are stored and attempted comments from same don't show up in admin, subjectively over time it's seemed i need to spend less time mopping shitcomments. and i didn't post proper patches, but will.
asciilifeform: other thing, does it require a php that has write permission to the disk ?
mircea_popescu: it has a queue of items to be reviewed (by default everything with a link goes in there). so in this sense it takes some training.
mircea_popescu: asciilifeform i dun expect it is possible for it to not work if wp otherwise does work.
mircea_popescu: one thing it does is <input type="text" name="author18c6e55" with that hash changing daily (or how often you please) ; another thing it does is a "refuse from ips in spam list" ; there's more i might not recall right off.
mircea_popescu: there's a number of parts to it! but it makes no foreign calls / doesn't rely on the akismet bs, if you can run php you definitely should be able to run it
asciilifeform: mircea_popescu didja ever describe how your spamfilter worked, in the logz ?
mircea_popescu: it's the expectation here.
asciilifeform: i'd luvv to find that i botched it with idjit mistake and in fact it worx
mircea_popescu: my own notes say "he for some reason confused the ip of the people leaving comments with his own, went off tangent ; to be rediscussed later".
asciilifeform: lulzily enuff, still there, http://asciilifeform.com , sitting sadly
mircea_popescu: i think so, yes.
mircea_popescu: i have the feeling we discuss this periodically. what's dynamic ip to do with it ?
mircea_popescu: use mp-wp, dun have the problem.
asciilifeform: and i dun have a dedicated slave to delete'em.
mircea_popescu: asciilifeform he has an excellent point though. it's fucking unseemly, EVERYONe must report to google they're reading loper ? come the fuck on.
mircea_popescu: yet to date we've always evaluated.