40900+ entries in 0.254s
shinohai: I'm genuinely curious to see gpg operations performed in
a web app.
ben_vulpes: douchebag: surely you're not thinking of something that would eat
a mess of patches and sigs and vomit forth
a press, are you?
douchebag: I'll write something up and let one of you take
a look at it when I'm finished.
douchebag: I would like to clarify with someone that I properly understand everything required to create
a V implementation.
☟︎ douchebag: Well, I'm just trying to figure out where my skillset could be best put to use, I would be more than capable of writing
a V implementation or setting up an IRC bot. I'm trying to leave it to you guys to tell me where my skillset could best be put to use
☟︎ douchebag: Eh, perhaps. It's mainly just
a hobby of mine, and I'm constantly learning from it and it pays the bills for now.
shinohai snickers
a bit @ 'responsible disclosure'
douchebag: Everyone else I know is working some shitty job, not getting
a decent amount of experience, and they're just kind of stuck in the same place. Meanwhile, I'm just entertaining myself with the challenge of hacking these companies
douchebag: Not really, I know that by responsibly disclosing vulnerabilites to companies I am building
a pretty awesome resume which will benefit me later in life
douchebag: Not really too much, I've held onto coin and made
a bit here and there. Typically I end up selling it right away so that I can get my cash in hand and not have to worry about waiting for the price to fluctuate. I know I should have held onto it
BingoBoingo: douchebag: Have you tried flipping
a coin? Or failing that tire flipping
a bit?
phf: i've seen the machinery work many times, though for some reason it reminded me of the case where it misfired, in
a famous bit by feynman where he was cracking safes at los alamos, security resolution and the unexpected punchline is "don't let feynman near your safes"
mircea_popescu: phf the actual trick i use to force
a "no, go down obv branch" is by prepending
a "you know" or whatever. but, sure.
a111: Logged on 2018-01-25 23:37 NoSatoshisHear: centralized system, so one server counts the ticks, it would simply be
a demo of reddit "the button" style idiocy combined with gambling. Sounds viral, like the 1918 flu.
phf: but, the intent wasn't actually "of course x is bad", we've had conversation about that elsewhere, this was
a pure cause/purpose "you're fat" situation: that's literally how security theater propagates!
mircea_popescu: the problem is that illegitimacy crosses
a definition boundry (it doesn't mean the same thing in boston wharf side and in african village) and so leaves us stranded.
phf: mircea_popescu: i'm perhaps failing to find
a point at which your analogy connects with the situation. i read it as "don't know on things that seem trivial"
mircea_popescu: !~google he's here, he's here, he's here have no fear, stay by his side an' he'll take you for
a ride...
mircea_popescu: and so :
a homebreaker is
a female that delivers on the "easy" part which "anyone could do" (sex) and not on the hard part -- and there's no quotes there because how about YOU try polishing an oaken table the size of
a current usian garage each morning, plus rub the iron pots.
phf: wake me when there's
a "too easy" on btcbase
mircea_popescu: it's "unfair" (in the exact sense of childhood playground) and therefore "forbidden". because... obviously you can find
a MALE partner to work with ; the question is to get one of the speaking cows to do it.
mircea_popescu: phf is this repackageable into
a puritan argument against sluts ? if not, why not ?
a111: Logged on 2018-01-26 16:15 mircea_popescu: in fairness, kid's got me meditating about the nature of things ever since last night. see, the trouble is : in his syustem, he has actually found
a vulnerability, as
a factual matter. in my system this is entirely meaningless. why the difference ?
BingoBoingo: Eh, not such
a big deal. First weeks the bites itch and then your immune system stops caring and you cease to get quite the histamine reaction to the bites.
BingoBoingo: In other exploits, tonight I will be sleeping in
a different bed because axe time gas time has some for the chinches de cama!
a111: Logged on 2018-01-26 18:02 asciilifeform: mircea_popescu for instance prolly knew that one could paste
a js into his php thing. but had no particular reason to give
a damn
BingoBoingo: <asciilifeform>
http://btcbase.org/log/2018-01-26#1777052 << i'd like to make such
a challenge. but turns out that we do not even yet have
a usable formula for what exactly even is an exploit. << Dude finds way through pehbot commands to replace host machine BIOS with "Hypercard" binary that shipped with OS7
☝︎ ben_vulpes: douchebag: so someone sends someone else
a link with ?q=<script="diddledepageforme">, and unsuspecting b copies, pastes, reads everything but the url bar?
douchebag: Able to inject Javascript, such javascript could be used to create
a link that leads to logs that appear real, however they're completely fake
mircea_popescu: well, no, i mean something like "just because it has cogs in it doesn't mean it's
a clock, could be
a car transmission"
mircea_popescu: because usually cults are build around
a paranoid not
a narcisiac
mircea_popescu: in vaguely related lulz : there existed
a cult which had the girls prostitute themselves for membership. (apparently it was tried with boys too, but it didn't pay.) eventually they just listed them as proper whores with "escort agencies". apparently
a total of >quarter million men were made to feel religious however briefly during
a decade.
ben_vulpes: douchebag: how does this allow
a user to create fake logs?
mircea_popescu: asciilifeform i got
a hardbound copy. shall i have it transcribed ?
mircea_popescu: in entirely unrelated lulz : i recommend to the expert entomologist item #341 of the assembly of the state of new york, entered into record april 12, 1838 (
a message from W L Marcy, the governor).
a111: Logged on 2018-01-25 16:29 mircea_popescu: wait wait, i might have
a pill
a111: Logged on 2016-08-01 20:03 phf: mircea_popescu:
a lot of xss detection "solutions" rely on grepping for known bad input, like "script" or whatever. and there are ways to sidestep that, like '<scr' + 'ipt>' or
a='ipt>';'<scr'+
a. in this case whoever is fucking with detection by using this truly wtf feature i've never heard of, <meta charset="
a">b</meta> that apparently parses b according to charset
a rules
mircea_popescu: hey, i was looking for
a pretext to get
a test, so bbs.
mircea_popescu: this is EXACTLY how it goes, and perhaps why there has not yet existed such
a thing as
a fully implemented specification or
a fully specified implementation in empire lands.
a111: Logged on 2018-01-25 16:42 asciilifeform: i dun actually disagree with mircea_popescu : i never liked bigendianism . but it did come from
a particular cost analysis , ftr.
mircea_popescu: imo
a fabulous textbook example of how the imperial vulnerability cycle goes. 1. make
a bad spec,
a la SMGL ; 2. implement some portions of it only, because
http://btcbase.org/log/2018-01-25#1776189 ; 3. discover the bad spec is vulnerable, issue "best practices" for people to "santize". obviously this will not be made by 1 if 2 wasn't, so... 4) implement slightly more of the spec, throw security in disarray.
☝︎ mircea_popescu: (because they didn't parse svg tags prior, not because "it doesn't work", he could have made it to work with plain script, so it's
a separate issue, but quite germane)
mircea_popescu: there's
a pile of browser captures linked in there yest.
mircea_popescu: this triad : links, pingbacks, selection reference make up
a whole NEW hypertext. just as far from the old as that was from text.
mircea_popescu: without the ability to link INSIDE my output $value would decrease sensibly. not
a little.
a lot.
mircea_popescu: if i'm responsible for the above why am i not responsible for sending emmylark nude on
a harley to luser's house to tear out intel ME out of his chip ?
a111: Logged on 2018-01-16 17:08 mircea_popescu: (also, let it be pointed out for the benefit of the future noob : the use of xargs with shit from curl is dancing with the wolves. finest way to lose
a box.)
mircea_popescu: asciilifeform there's two fundamental items i can readily identify, maybe more. 1. i actually did plop an echo $_GET in there. is this just bad coding ? is it
a legitimate assumption ? 2. he has
a point, as long as it's on trilema.com,
a script has powers OUTSIDE of its implicit scope, "steal cookies" whatever. is this ~actually~ bad systems design ?
a111: Logged on 2015-08-13 19:00 phf: mats: well, i actually meant the opposite. classes of attacks can be eliminated by not using c. i think that majority of the attacks come from leaky abstractions. there's no <string> in c, but there's
a null terminated memory region. there's no <sql> in perl, but there's
a character array with sql text in it. one of the solutions is to plug abstraction holes on
a level of the language, in such
a way that you can't not use improved abstractions
mircea_popescu: in fairness, kid's got me meditating about the nature of things ever since last night. see, the trouble is : in his syustem, he has actually found
a vulnerability, as
a factual matter. in my system this is entirely meaningless. why the difference ?
☟︎ lobbes: Most of the 'dynamic' bits of the www are php+sqlite3. lobbesbot is limnoria (fork of supybot,
a common python bot api), also atop sqlite3
a111: Logged on 2018-01-26 07:09 douchebag: Are there any sites any of you guys would like me to check out? I'm
a bit bored right now and I am always up for
a challenge :-)
lobbes:
http://btcbase.org/log/2018-01-26#1776736 << you really should do the homework trinque pointed you to, but if you are done with that and bored again, plox to look at logs.minigame.bz, lobbesblog.com and lobbesbot? I'm
a meganoob so you may find something. I've no shame, so disclose whatever you can find here. I'll toss
a handful of satoshis your way if you do (and
a wot rating)
☝︎ a111: Logged on 2018-01-26 08:59 douchebag: Well, since RSS is in XML format I was testing
a popular vulnerability that occurs in XML parsers which uses external entities, allowing an attacker to exfiltrate data
mircea_popescu: but i thought they already had
a perfect medium of exchange called the unified standard dosidoe!
mircea_popescu: i rated you, so now the bot will allow you to voice yourself. say /query deedbot and then !!up ; it will give you
a thing to decrypt, give the result back to it as !!v <string>
emmylark: I'm talking to you through the Freenode server in my IRC client. It made me register
a name and email.
mircea_popescu: say /msg nickserv register your_password your_email_address ; use
a good password and an email you actually can read, they'll send you
a verification thing. this way someone else can't steal your name.
deedbot: Provide
a paste URL to the ascii-armored GPG public key or the full 40 character key fingerprint without spaces or dashes.
mircea_popescu: now put your public key in
a paste and say !!register url