asciilifeform: after the tax people get done with you, you'll ~owe~
mircea_popescu: well maybe not to him.
asciilifeform: or to you.
asciilifeform: understand ? microshit's '250k for exploit for win10' is SAME THING AS BOX OF CHOCOLATE to , e.g., asciilifeform .
asciilifeform: douchebag: i hold that it is impossible to sell exploits, and that NO ONE does it. what they do instead, is accept gifts of chocolate and flowers (aka 100s of k usd ) from usg agents, in exchange for keeping nsa vulns off the public forum for a few extra bonus months.
douchebag: asciilifeform: Well, if you're a vulnerability broker you're purchasing and selling exploits that have extremely high potential impact. I think it's safe to assume there's a high level of risk associated with holding
mircea_popescu: as it happens, mostly as a function of personal bias, ~everyone here with the exception of me assigns value to engineering and no value to whoring. i tend to assign a value of about to cents to either, allowing for roundings.
mircea_popescu: neither this decision, nor the definitions of the terms involved, work as a matter of future projection. it's all in the past, the singer processes past experience one way, the engineer another way. that's all there is to it.
asciilifeform: douchebag: what makes you think you know what 'vulnerability broker' looks like ? or even that such a thing is even possible ?
mircea_popescu: douchebag, look, sooner or later you'll have to decide if you wish to be an engineer or a singer. it's one or the other, however you call them, the carpenter-or-whore dilemma.
douchebag: Now with that said, I think it would be a very interesting career being a vulnerability broker - however there are a lot more risks in terms of nation-state attacks for that sort of stuff.
asciilifeform: nao either ~could~ , in deep theory, show up here , and ask nicely.
mircea_popescu: they lack the initiative to do anything about it and the means to do anything without the initiative and so on. chain of foibles.
mircea_popescu: asciilifeform, ceausescu is on the record with "they sell us today's tech at tomorrow's prices, but what can you do". persians bought what could be bought. not like anyone sells them useful stuff.
douchebag: asciilifeform: Well I get what you're saying, breaking a prng is an incredibly effective attack vector. However, I feel that most companies are more at risk of actually being hacked via less-elegant means
mircea_popescu: danielpbarron, the anon-e-mouse thing is a reference to a cartoon series by alan moore.
asciilifeform: douchebag: perhaps poor example, because the poor idjit persians signed up for it, by buying siemens and running winblowz. but it is illustration of the point of MINIMAL bar for 'matters'
mircea_popescu: ^ you know what we mean by that ?
mircea_popescu: douchebag, it's not easy to construct a meaningful base for this comparison. how do you propose to count ?
asciilifeform: douchebag: what to you means 'owned' ? script kiddie on forum defaces crapple.com ? because this simply isn't interesting, to anyone here. the ONLY type of 'owned' worth caring about, is , e.g., natanz uranium centrifuge, destroyed by usg without firing a shot.
douchebag: mircea_popescu: Can you provide some references about companies being pwned via broken prng, and we can compare those that were pwned via SQLi, RCE, XXE, and IDOR?
mircea_popescu: i suppose "mine owne eyes" is a tough nut to crack.
douchebag: mircea_popescu: I've seen very few cases of a company being pwned by a prng being broken, I see companies getting pwned via SQLi, RCE, XXE, IDOR all the time
mircea_popescu: douchebag, 99% of criminals hacking companies are working for a criminal organisation calling itself "the united states government", and 99% of the time their hacks include some rng-breaking component.
deedbot: http://danielpbarron.com/2018/i-would-certainly-not-like-to-be-a-bit-of-your-plankton/ << Daniel P. Barron - I would certainly not like to be a bit of your plankton.
douchebag: mircea_popescu: It's not a commonly used attack by criminals working to hack companies to steal information. It's not difficult for nation-state actors, however a criminal is not going to work breaking a prng when they can just use default credentials to pwn their network
mircea_popescu: hey, his link was knee deep in "ethical considerations" and other pompous wank, dun talk to me, talk to the mentally splitten zeks, who steal from criminals but bend over for bureaucrats, discuss ethical minutia of imaginary situations and then work with doubletap usg, etc.
asciilifeform: chikatillo is every bit the godfearing loyal soldier of regime, as a street mugger is.
mircea_popescu: rare, in what terms. etc.
mircea_popescu: diana_coman, in either case the determination is rather premature. what's the rush. if he's a boy he has time by definition.
douchebag: asciilifeform: Well, when you take risk appetite into consideration - attacks involving breaking prng's are rather rare and difficult to achieve
asciilifeform: mircea_popescu: 'serial killer' is a saint, to the police state, supplies neverending flow of serfs eager to bend over and get arse searched, 'for security'
asciilifeform: douchebag: if they 'cared about security', they'd have , for instance, FUCKGOATS ( whether purchased from snsa, or built 'independently', take your pick. ) do they ??
diana_coman: douchebag, from here it really looks like your end goal is really "that the world finally finds my hobby extremely useful and terribly important to the point that it ALSO becomes very meaningful"
mircea_popescu: point in case, there are OVER A DOZEN serial killers active in california right now ; and nobody can be arsed to even know this.
douchebag: Well actually, I've found there are a lot of companies who actually do care about security. Primarily because they run bug bounty programs instead of suing the fuck about anyone who points out their security flaws.
asciilifeform: well guess what, asciilifeform & friends had 'crystal ball' that actually ~did~ something . guess how much diff it made in 'marketplace'.
mircea_popescu: n the 60s small cities stopped prosecuting petty theft. by now -- everything but murder is entirely opaque, and even murder is not actually researched in any seriousness.
mircea_popescu: w enforcement is ever more a vacuous activity, consisting of a narrow few items. "found drugs in house / car" "found '''child pornography''' on computer / guy was holding a gun in the bank" etc. all that's still ongoing are the "taskforces", driven by specific special interest groups, the "drugs", the "sex trafficking", the "money laundering" etc. in the 70s large cities stopped prosecuting breaking and entering, much like i
a111: Logged on 2018-05-22 22:24 ben_vulpes: unrelated, "She had initially hesitated to work on criminal cases because she was unsure of legal and ethical issues, especially if people uploading their DNA to GEDmatch were unaware police were trawling through the database." https://archive.is/6zrLD#selection-1651.70-1651.284
mircea_popescu: http://btcbase.org/log/2018-05-22#1816908 << i'll point something out, in the vein of the previous "tripartite idiocy" discussion : law enforcement consists of very minimal work, and even less useful work these days. you know those century-old complicated "murder investigations", with barry fitzgerald going "tis a heavy case" and so on ? NONE of that still exist ; the line-ups to pick up suspects are mostly gone, etcetera. la
a111: Logged on 2018-01-23 06:31 mircea_popescu: aite, here : "does ubervu have a chance of ever being profitable ? absolutely never. there's complicated considerations involved, but principally determinant two : first, and absolutely unsurmountable, is that such products do not add any value, but are merely used in the way witches use crystal balls. exactly in the way. therefore, the more popular witches decide the brand of "best" crystal balls
asciilifeform: look back to the http://btcbase.org/log/2018-01-23#1774662 thread.
asciilifeform: douchebag: absolutely NO usd-paying customers of the 'security industry' give HALF A SHIT about actual results. if you do not get this through your thick skull now, you can learn it on own skin later, it doesn't make much diff to asciilifeform , which one you choose.
asciilifeform: ( it isn't any seekrit that asciilifeform is , among other things, a burned-out veteran of 'b' , yrs past )
douchebag: I would be doing a more comprehensive audit, as well as telling them exactly what they need to do to actually secure their company - even though my service would require more work for them it would be a better end result for them
asciilifeform: mircea_popescu: so far it doesn't look to me like he's at risk of http://qntra.net/2018/05/us-kangaroo-court-issues-conviction-for-kidnapped-antivirus-operator/ , instead he's at risk of a) running 'the next mandiant' , and making 'million dollars', and thinking as result that he has something to do with 'security' or that the million is 'actual money' or, far more likely, b ) ending in sad , tall pile of hollywood-waitress-style bo
douchebag: Well, most security firms just run a scanner and tell companies to "update x install y to pass compliance"
mircea_popescu: http://btcbase.org/log/2018-05-22#1816901 << understand, most of the "tasks" you'll get here, and for a long while, are principally useful to you, in that they get you to fix things about yourself, such as the foregoing.
diana_coman: heh, weren't you just "I wanna pass compliance tests" one sec ago?
mircea_popescu: douchebag, it doesn't pay for companies to actually care about their security, because of the principal-agent problem and the easy exit "nobody could have predicted" offers.
douchebag: Primarily because they would know upfront, this isn't just an audit to help them pass compliance tests
asciilifeform: ( i'll immediately admit that i am not familiar with the story )
mircea_popescu: % of the gross or no deal. hollywood is notorious for cooking books.
mircea_popescu: every fucking noob knows this. KNOW THIS.
douchebag: diana_coman: I'd imagine that only companies who actually care about their security would purchase my services
mircea_popescu: OF THE GROSS.
diana_coman: asciilifeform, for all the world if the above doesn't scream "boy" at you (instead of dwarf, I don't know what else can)
mircea_popescu: douchebag, the risk is, of course, that you end up the next http://qntra.net/2018/05/us-kangaroo-court-issues-conviction-for-kidnapped-antivirus-operator/
mircea_popescu: asciilifeform, let me give you a little puzzler here. so, stanley wojtowicz, the guy that robbed a brooklyn bank to pay for lizzie eden's sex change operation but failed to produce any money this way, nevertheless got paid when sidney lumet made his film. he was paid, 1% of the net. what's wrong with this ?
asciilifeform: douchebag: 'security business' in the form in which it exists today, is strictly religious/ritual arm of usg church; legitimate security business consists solely and strictly in the systematic disassembly of usg; and once disassembled properly, it will exist no longer.
diana_coman: douchebag, does it matter in your books who are the customers?
douchebag: Installing security software that intercepts all traffic (even ssl traffic) on a windows server 2003 install made me cringe
douchebag: I want to work a fulfilling job where I know that I am actually providing a good service and giving customers a high quality security audit as well as high quality security products
asciilifeform: prolly because ibm and oracle won't dispense fresh, thick greens of printolade for uttering heresies ?
mircea_popescu: sounds like a terribly crummy job.
mircea_popescu: strategic advice reserved for more senior roles, or do they simply not like any permanent fixes ?
douchebag: Because that wouldn't be good for business, all they let me do is install security software and configure it for customers
douchebag: asciilifeform: Well, the security firm I currently work for doesn't allow me to give customers actual advice on security. eg. "Hey maybe running windows server 2003 isn't a good idea for your company"
a111: Logged on 2018-05-22 22:19 asciilifeform: but imho it does not indicate that douchebag has learned anything in his time here.
mircea_popescu: http://btcbase.org/log/2018-05-22#1816892 << dood, what are you talking about.
asciilifeform: douchebag: do you understand the difference ?
asciilifeform: douchebag: the world's first ACTUAL security firm ?
douchebag: Well I can, but I'd like to have a job doing it. Perhaps start a security firm someday
diana_coman goes to offer commercial penetration testing, sampling and peppering services
diana_coman: well, you can offer them already, what sort of goal is this
asciilifeform: douchebag: and the 'fool's gold', usd, will buy only miami, for so long as there's any miami left, and there's long queue of people ahead of you.
douchebag: diana_coman: I'd like to offer commercial penetration testing services
asciilifeform: douchebag: for so long as you understand that you become a usg electro-echafaudage expert, and your fortune will rise and fall with usg's -- like patent lawyer's -- then why not, do it
douchebag: regardless, I'd like to learn more about it over time
douchebag: I think reverse engineering is cool as fuck, however it's not going to be very helpful to achieve my end goal
douchebag: also asciilifeform, for the type of job I would like to have web application exploitation, network attacks, and social engineering attacks are the main things I need to focus on
asciilifeform: plankton moves with the current, what.
ben_vulpes: "But the positive feedback since the Golden State Killer case convinced her to make the plunge."
ben_vulpes: yes but the "unsure if i should do this until people cheered for me" bit was lulzy
ben_vulpes: unrelated, "She had initially hesitated to work on criminal cases because she was unsure of legal and ethical issues, especially if people uploading their DNA to GEDmatch were unaware police were trawling through the database." https://archive.is/6zrLD#selection-1651.70-1651.284
douchebag: asciilifeform: When it comes to web application exploitation - I'm a pro and it's rather profitable
asciilifeform: so far, shows dangerous symptoms of the latter
asciilifeform: diana_coman: i'd like to determine if 'short because boy' or 'short because dwarf'
asciilifeform: but douchebag if you want to 'security expert', web liquishit won't cut it here.
asciilifeform: nobody was born knowing these. or carpentry. or anything else but sucking tit
asciilifeform: douchebag: you did ~only~ the minimal interpretation of what was asked. like a schoolboy. instead of, e.g., annotating this list with 'is this an actual vuln in actual physical trb'
mimisbrunnr: Logged on 2018-05-09 23:29 ben_vulpes: ACTION curious to see if the guy leaves off at 'osint' copypasta
asciilifeform: douchebag: that's precisely the problem !
douchebag: asciilifeform: Keep in mind, this is not the type of auditing I usually do.
asciilifeform: but imho it does not indicate that douchebag has learned anything in his time here.
asciilifeform: nao granted this might technically satisfy in re what douchebag promised to trinque ( lessee if the latter -- agrees )
asciilifeform: douchebag: understand that this behaviour 1) has a name 2) might work LITERALLY EVERYWHERE ELSE on planet, but won't work here.
a111: 12 results for "exam taking", http://btcbase.org/log-search?q=exam%20taking
asciilifeform: !#s exam taking