mike_c: hm, i suppose the average teenager is.. 16?
Darkstone1: perhaps opinions of the masses differ.. but there is no way i'm going to insert my API keys in an online platform.
mircea_popescu: <mike_c> 20 year old bug, good luck figuring out author. <<< right, because nothing ever can be documented past the lifespan of the average teenager.
Darkstone1: I think there are too many -bad- platforms where people can put in their own strategy already.
mircea_popescu: * asciilifeform is just unendingly entertained that вредители are allowed to not only keep living, but contributing code to whatever. <<< not quite whatever. currently the fashionable idiocies du jour still hold currency with the crowd, that "not the man, but what he's saying" and "we're all equal" and similar socialisms. they won't last the evening.
BingoBoingo: <Darkstone1> can i ask you guys a question? I have a relatively successful trading bot (multi-digit bitcoin gain since the beginning of this year) but i am starting to lose interest in further development. << Sounds like keeping it in your pocket until it interests you again may be the best option
mike_c: sell to suckers, profit.
mike_c: the only thing worthwhile is the automation. make it easy for non-programmers to put in their own methodologies.
punkman: Darkstone1, that's where the WoT helps
Darkstone1: it will just end up somewhere in the internet next week.
Darkstone1: but my partner thinks that selling the thing with source code is useless.
Darkstone1: that you shouldn't buy anything that you can't inspect the source for i can certainly agree with.
punkman: maybe to some noobs with bitcents running Windows
rithm: the source and the math of the engine is what is worth buying
diametric: and i'd never run a trade bot i couldn't inspect the source for.
diametric: public trade bots are worthless.
rithm: Darkstone1, write the whole thing yourself in PHP and release it to the world in production!
Darkstone1: it's not an exchange, it's a trading bot.
Darkstone1: One of the questions i've been unable to answer is whether i should sell the source code or only the product.
rithm: Darkstone1 find VC's to fund your new bitcoin trading exchange
Darkstone1: it certainly works, but as i said, i'm starting to lose interest in further development. And i have a full-time job to attend to.
Darkstone1: I'm struggling in what the best way to 'commercialize' this thing is.
Darkstone1: can i ask you guys a question? I have a relatively successful trading bot (multi-digit bitcoin gain since the beginning of this year) but i am starting to lose interest in further development.
thestringpuller: not equating the two, just saying similar tone.
thestringpuller: mircea_popescu: the most there is is me going on the record that .6.* is probably okay. << This sounded like a cartoon. Like the Family Guy cut away where the dude throws him a parachute with an anvil in it and says, "That one is probably okay"
asciilifeform: easier, in some cases, than modern piles of shit with 1000 authors
mike_c: oh. (smacks face) I was talking about author of exploit before, not bug. sorry for misinformation.
asciilifeform: and not by a pair of hands attached to a sniveling shill
asciilifeform: and still it was paraded as 'bug' - disembodied 'bug', that was placed there by the hand of god, or whatever
asciilifeform: i vaguely recall that mr. heartbleed was a pedigreed вредитель though.
asciilifeform is just unendingly entertained that вредители are allowed to not only keep living, but contributing code to whatever.
asciilifeform: so when do we get to see a public and fleshy punishment of author ?
atcbot: >> No data returned from CoinMiner.net << [PityThePool Hashrate]: 102.62 GH/s [iSpace Pool Hashrate]: 1.51 TH/s [P2P Hashrate]: 1.70 TH/s
mircea_popescu: Transcript for 24-09-2014, 1337 lines <<< we've done it, everyone. i hereby call the end of the #b-a party. thanks for all the lines, it's been a hoot etc!
mircea_popescu: The20YearIRCloud: the joys of people making money off of memes << nah, the hodl stuff is sa folk getting bitter butthurt at bitcoin's continued existence.
mircea_popescu: lobbes: and the paper wasn't even peer reviewed << in that guy's case, peers can be a misnomer :p
mircea_popescu: certainly right there.
mike_c: if you start with security in mind, then audits can be useful process during development.
mike_c: my point is you can't take existing turd and audit it to security.
mircea_popescu: in a security environment, security is auditable provided the commitment to security is not compromised in order to listen to some ziggler impersonator.
mircea_popescu: it is impossible if one allows runaway complexity for "ux" and other idiotic reasons. but then again so is any scenario of chasing two rabbits.
rithm: fuzz the captcha!
asciilifeform: to test against.
asciilifeform: for human body, death is the unambiguous spec
asciilifeform was never obsessed with 'spec' - but does think that one must arrive at what question is being answered before attempt is meaningful
mircea_popescu: doctors have been doing ok auditing the human body w/o any spec for a while now.
mircea_popescu: ThickAsThieves: is there a trustworthy wot-signed document of an auditor saying any version of bitcoin is safe? << the most there is is me going on the record that .6.* is probably okay.
mircea_popescu: which has like a picture on it and that's that.
mircea_popescu: their card has nothing but their name on it, which is kinda generic. nothing else. the boxes have NOTHING. no phone. no address. no website. nothing whatsoever.
mircea_popescu: so i just got totally outcarded. i find this nice chocolatier, buy three pounds of mixed chocolates in three boxes, ask for their card, and leave.
rithm: seeing something like that is bueno
mircea_popescu: mike_c it's a very large hole. odds of no pencildick managing to find it, ever... hm
mike_c: of course. so you have vulnerable bash. doesn't mean someone can hit it through your web server. i guess i gotta construct applicable http request.
Naphex: mike_c: check is simple cause bash shouldn't run anything in the env
mike_c: yes, that checks if bash is vuln.
mircea_popescu: i also quoted a test for 6271 yest.
mircea_popescu: this is the 7169 one, where it fucks up the exporting circumventing the fix
mike_c: any good way to check if you're actually vulnerable?
kuzetsa: mircea_popescu: I was just thinking the same thing
mircea_popescu: Naphex no that's the 6271 one
asciilifeform: mircea_popescu: recall how self-proclaimed (or accused...) alchemists were treated. do you mean to say that, if they were put through the right punishments, they would have discovered neutron bombardment synthesis of Au at economical price?
assbot: This is being actively exploited. We (CloudFlare) put in place WAF rules to bloc... | Hacker News
mircea_popescu: export badvar='() { (a)=>\';bash -c "hackerfile echo vulnerable";grep vulnerable hackerfile||echo safe << if anyone wants to test it
nubbins`: debian = ubuntu in the sense that england = usa
kuzetsa: ubuntu dragged their backside too
gribble: CVE-2014-7169: Bash Fix Incomplete, Still Exploitable | Hacker News: <https://news.ycombinator.com/item?id=8365158>; What is the CVE-2014-6271 bash vulnerability, and how do I fix it?: <http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it>; (CVE-2014-6271) bug introduced, and what is the patch that fully: (1 more message)
xmj: kuzetsa: freebsd patched 6271 yesterday 17:04 UTC and 7169 today 15:38 UTC
kuzetsa: the initial "fix" was for a parsing flaw described in CVE-2014-6271 (shellshock) which a lot of distros patched but then didn't get CVE-2014-7169 as well (a different type of issue with bash)
mircea_popescu: rather than dedicating yourself to being friends with idiots, dedicate yourself to being enemitous to idiots.
mircea_popescu: bounce: plenty money hiring people to do the reading and lots of lawyers to paper over the obvious problems with threats of large fines << alternatively skip the lawyers thing and hurt people that fuck up.
mircea_popescu: that is the thing. they only seem complex to the lazy and to the stupidly vain. but otherwise, the mechanisms are damned simple.
kuzetsa: mircea_popescu: there's 2 different patches
asciilifeform: this is the fundamental reason why 'software sucks'
asciilifeform: unless you can actually build 'borg' that share a mind, rather than just army or clan, the organization cannot understand mechanisms too large for the cleverest member to understand. for any useful value of 'understand.'
mircea_popescu: Naphex wasn't the patch bad ?
mircea_popescu: ThickAsThieves: i often think about that, how the hell can someone who cannot/willnot read code, ever be the steward of a software project safely? <<< you know i don't actually read all that much code at all. i guess i could, more or less, but i wouldn't trust myself to understand it. by which i don't mean "what it does", but i do mean "what we can absolutely say about this program"
kuzetsa: Naphex: yeah, I decided to compile a new kernel anyway so I rebooted after making sure bash was patched :)
asciilifeform: but the analogy falls apart here. what we have, in organization, is cray's 1024 chickens.
mike_c: kuzetsa: ok, thanks
Naphex: rithm: even if your spam filter is roll your own, if SUBJECT gets passed in Env along the pipeline, and if on the pipeline something hits /bin/sh / /bin/bash it will run
asciilifeform: well sure - ultimately all organization is based on this
kuzetsa: mike_c: I'm certain that the public-internet-facing daemons on the system in question don't pass stuff around using environment variables
mircea_popescu: how is it done ? why, by not acting towards a goal, but from a cause.
asciilifeform: one can chop heads if job is not done, but if it isn't doable given the available constraints - you just end with a tall pile of heads
mircea_popescu: asciilifeform this is where you're wrong. because consider, what is your definition of "human mind" ? could you in fact have two human minds that are identically the same one mind for this purpose ? turns out you can, it's the most important field of research of the vory.
Naphex: mike_c: no, you can change env regardless, it's just that if bash interprets the env it runs
rithm: my testing aligns with what Naphex just said about authentication
mike_c: yes, but i thought shocky thingy required cgi/bash to change env
Naphex: and pass it around, if corrupted env hits bash it runs and the end
asciilifeform: until the entire machine stack (chemical, electronic, os, etc) fits in a human mind - doesn't have to be that of alcoholic bum off the street, could be six people alive - then you have a system a reasonable man will sign his life under.
Naphex: mircea_popescu: yeah but that doesn't hit sh until successful login
kuzetsa: Naphex: I don't have any mail daemon on that particular system either
Naphex: kuzetsa: mail servers will pass through env as well, on the pipeline while filtering them mails
mircea_popescu: asciilifeform point is not to fix anything.
Naphex: and if that env hits bash it runs
asciilifeform: also it is possible that i used a bad example. man has indeed invented hydrogen bomb. but securing 50 years of turdolade by 'fixing mistakes' is more akin to jumping 1km. no athlete has jumped 1km, and beatings will not create one.
mircea_popescu: if the process of figuring out what is safe worked, we wouldn't have the bug in the first place.
Naphex: but it should be no problem unless that env hits apache
Naphex: apache still passes stuff through env by default
mircea_popescu: mike_c notice how little beating is actually needed, among civilised adults that interiorise the wot model.