mod6: wb! you don't sleep much huh
a111: Logged on 2018-01-26 19:46 douchebag: Well, I'm just trying to figure out where my skillset could be best put to use, I would be more than capable of writing a V implementation or setting up an IRC bot. I'm trying to leave it to you guys to tell me where my skillset could best be put to use
a111: Logged on 2018-03-22 11:14 douchebag: I don't understand what a V is I have read about it, I have looked at examples and I still don't understand
a111: Logged on 2018-03-22 11:15 douchebag: If I understood it completely it would be no problem coding it.
ben_vulpes: oh and other obvious pentesting targets douchebag: qrrqobg jnyyrg (rot13)
ben_vulpes: douchebag: you can voice yourself you know
trinque: I seem to recall this kid being told to do things, came back with his snowflake personality and american dream.
ben_vulpes: mighta been asking an infantryman to fly a helicopter, who knows
trinque: if he could discover where the wallet actually lives, I'd be mighty impressed.
ben_vulpes: douchebag: don't tell me you lost your key
deedbot: Bad URL or network outage.
douchebag: Okay, do you want me to do a white box or black box audit?
ben_vulpes: i don't much give a shit, take some initiative and do something?
trinque: something other than the xss snore.
trinque: I don't much give a fuck if someone puts a script tag in a deed.
trinque: they're going to what, steal your session on a static site?
douchebag: Okay, I would be most useful if I could view the source of deedbot
ben_vulpes: but trinque what if someone visits a deedbot page and their browser executes it!?!?!
douchebag: How am I supposed to know the site was static?
trinque: douchebag: this is not where you parade your idiocy dubbed personality and aspirations and have them validated
trinque: this is where you submit and grow, or learn you're not worth it.
douchebag: Regardless of whether or not the javascript could do anything, it still allows HTML injection which can be used to publish fake content.
trinque: the content was signed, what fake
trinque: fuck, next we'll be stealing elections
trinque: long as you clear it first, I'll come visit
ben_vulpes: i'm going to need three rail cars of sugar and a fuckton of smallish pvc tubes
douchebag: I'm not here to argue with you children about whether or not you would have fallen for the attack. I provided a valid proof of concept like any professional would do.
ben_vulpes: funny how the twenty year old is fixated on growing up
trinque: starving for it, naturally
ben_vulpes: douchebag: but it doesn't have the ssl lock
ben_vulpes: consumers know not to trust websites without the magic green thingy
ben_vulpes: or do i not understand how fake content works, because actually i'm certain that i don't understand what this gpg-signed fake content is.
douchebag: Listen, I understand that you're all upset that I made you look like an idiot for not sanitizing all user input. These are habits that are picked up after you learn about programming a secure web application.
douchebag: asciilifeform: I'm not here to argue or to social engineer you. I provided a VALID proof of concept. Stop bitching about it and fix it.
trinque: douchebag: the web as it is ought to burn; the notion that there are any professionals tending the shit adobe is hysterical.
ben_vulpes: douchebag: what is the concept again that you have proven? i am still waiting for the explanation of what precisely this social engineering attack does.
ben_vulpes: i'm clearly just an amateur, but an advanced security consultant like yourself should have no troubles explaining it to a civvy
douchebag: Okay, why do you guys like arguing so much? Is this why you guys don't get anything done?
ben_vulpes: douchebag: gonna explain, per request, or continue faffing
ben_vulpes: threat model etc, like a Real Professional?
trinque: dispense the food pellet already ben_vulpes. dude said smartwords.
douchebag: I have the feeling that even if I got remote code execution
ben_vulpes: what, we'd argue with your sending btc to yourself?
douchebag: you guys would just be like "Oh well you told us about the RCE and we fixed it before you could do anything with it"
a111: Logged on 2017-08-31 19:11 mircea_popescu: can't say i've encountered that many ; and can say that from actual lived experience, the "thinks he's jeddi" heuristic is a fine indicator for "head so far up ass the net result of sufficient whipping will be soap", ie http://trilema.com/2015/the-anal-child/
mimisbrunnr: Logged on 2018-03-22 19:33 ben_vulpes: oh and twist, douchebag skip the responsible disclosure fingertrap and fuck 'em hard.
douchebag: I read that, but I didn't think you were referring to yourselves
douchebag: So if I can pop any of your boxes and steal bitcoin - that's fair game?
ben_vulpes: unlike the rest of the world i hold myself to the standard i hold it to
douchebag: In that case, I'll get right to work
douchebag: Alright, I don't need the source code to pwn your shit
trinque: (lets see if he can find the food pellets himself!)
ben_vulpes: douchebag: how long do you figure this'll take?
douchebag: It will take as much time as it takes me
a111: Logged on 2018-03-23 04:08 douchebag: Which can be used for social engineering
deedbot: Bad URL or network outage.
a111: Logged on 2018-03-23 04:12 douchebag: asciilifeform: I'm not here to argue or to social engineer you. I provided a VALID proof of concept. Stop bitching about it and fix it.
douchebag: mircea_popescu: I have an honest question for you
douchebag: You're into BDSM and having slaves and such right? Is that what the dudes you got in here are for?
mircea_popescu: no, i don't swing that way. the girls occasionally swoop in, but not commonly.
ben_vulpes: oh for the motherloving fuck hole of sin trb won't sendmany with two outputs to the same address
mircea_popescu: look into the datastruct, there's black magick reasons.
ben_vulpes: i'll take a clue if you have one handy
a111: Logged on 2018-03-23 04:13 ben_vulpes: douchebag: what is the concept again that you have proven? i am still waiting for the explanation of what precisely this social engineering attack does.
trinque: douchebag: so why would the deed command parse xml, let alone go look up a dtd?
ben_vulpes: mircea_popescu: i'd have settled for a plausible story of social engineering
mircea_popescu: douchebag it will reject unsigned material, look at what deeds it accepted in the past.
trinque: hey, he called us fags. can't be that pantsuited.
ben_vulpes: oh yeah im supposed to be upset at the bigotry
mircea_popescu: im starting to understand that "the opposite of talking is not listening, the opposite of talking is waiting for your turn" quip may have been adequate in the early postmodern stage ; but by now it's truly a case of "work efficiency is most work with least read." chucka wins in the end.
ben_vulpes: amazingly, rtfm only shows up in logs 41 times
a111: Logged on 2018-03-23 04:14 douchebag: Okay, why do you guys like arguing so much? Is this why you guys don't get anything done?
a111: Logged on 2018-03-23 04:17 douchebag: you guys would just be like "Oh well you told us about the RCE and we fixed it before you could do anything with it"
ben_vulpes: kidding, but an understandable confusion
trinque: anyone that wants to pwn deedbot might consider that it's a wrapper around gpg.
ben_vulpes: asciilifeform: do you know anything about this data struct / can't have 2 outputs pointing to the same addr in a transaction mircea_popescu mentioned?
trinque: and given that we're all still relying on it, exploits found and squashed in gpg would be lauded.
mircea_popescu: douchebag there's a lengthy history of people's contributions respek, but they have to be contributory.
douchebag: mircea_popescu: I was just shitposting sir, no need to explain
mircea_popescu: about as fair game as it gets ; part and parcel of history by now.
trinque: douchebag: why are you still trying the dtd thing?
douchebag: trinque: Because I haven't seen the source code so I don't know if dtd was disabled
mircea_popescu: douchebag you realise it rejects unsigned input, do you ?
douchebag: mircea_popescu: You realize I signed it
trinque: he's seeing if the XML parser somewhere pulls external schema files
trinque: douchebag: so perhaps the feeds parser thing does, even. I have no idea. What happens next?
douchebag: At best, local file disclosure. At worst, remote code execution
mircea_popescu: trinque he's not even wrong : someone clicks on the link with a shit browser, gets owned by that shit browser.
ben_vulpes: !!rate douchebag 1 found a couple of unsanitized fields
deedbot: mircea_popescu rated douchebag 1 at 2018/01/15 07:34:46 << hyde.solutions
trinque: this was always the risk with browsers, all of which are shit
ben_vulpes: !!v 5ED3EC02EC8E0E2CD0B44A6AB9D3AE484D24C2FEA7F2F0A5929655D4D385E33F
deedbot: ben_vulpes rated douchebag 1 << found a couple of unsanitized fields
mircea_popescu: note that eg trilema (mp-wp, w/e) takes steps to mitigate this. by for instance not permitting html entities in user contributed fields, see ?
douchebag: The XML shit I am doing has nothing to do with the web browser
douchebag: it has to do with the XML parser on the server side
trinque is aware of both of these types of problems
trinque: but then what, now you're on the deedbot server and ?
mircea_popescu: what, making deedbot go "trinque sniffs dirty undies" isn't bereft of lulz value.
douchebag: I would then look around and determine how it could be best leveraged
trinque: mind giving me a sentence that isn't so widely applicable?
mircea_popescu: anyway, what we have here is a tacit miss-standard, and the discussion is probably of most interest to people who aim to make their own blog thing, phf spyked whoever was looking at lisping it. because on one hand there's the older trilema standard that's web compatible, and on the other hand there's the emerging no shits given approach like on the deedbot site say, "what am i going to do now, alter deeds to mitigate sht brow
mircea_popescu: this is a source of constant surprise, consider all the time phf sunk into chasing unicode obscura on his logger.
douchebag: trinque: I would reprogram deedbot to become self aware and take over the world
trinque declared the line of nomoars pretty far out on this one, aha.
trinque: at any rate I'm not questioning you to make you not diddle the XML holes. in your log reading you might've heard me refer to servers as outdoor toilets.
mircea_popescu: we'll have to come to a unified set of something here in any case. as it stands right now it's not obvious whether one can or can't point shitfox at random republican website ; nor where to look to find out.
trinque can trivially make the thing serve up text/plain right now
trinque: but the gentleman's browser on the other side is still the mess it was
mircea_popescu: possibly that's the correct cut of this knot, "if you're not sanitizing force pages be text/plain"
mircea_popescu: trinque yes, but we don't care about that. we just care about our not being dumb.
mircea_popescu: consider something simple : i took pride publicly on how trilema doesn't load google analytics, thereby giving away the usual set of telemetrics to the usg. fine and good. but your site can be coaxed to load ???.burpcollaborator.net by 3rd party ? so every time a "normal" browser goes by it looks up wtf that doctype is and so on ?
trinque: this line of reasoning leads to me going and getting an SSL cert
trinque: because mitm can do the same thing to you
mircea_popescu: hence my comment above, "we'll have to come to a unified set of something here". just because the line isn't drawn.
trinque: on my end, JS is off and otherwise whitelisted where used.
trinque: thing blocks all external items by origin
mircea_popescu: "modern" or however we shall call the shit browser errs on the side of loading everything it can
mircea_popescu: because it was made by and for idiots from back in the day the web was ~equal to ye olde finger utility.
a111: Logged on 2018-03-22 17:06 douchebag: Wouldn't it make sense to make sure you're doing something the right way before you go ahead and do it?
mircea_popescu: in the end there's two broken points of old html, not merely the whole "statefulness on stateless protocol" cookies bs ; but also the "will mix code in the data nyah nyah nyah".
mircea_popescu: amusingly enough, the WHOLE UTILITY, and in any case the absolutely only reasons people use, like and like to use the web is specifically because of those two things. which makes naggum's perl rant misplaced : perl exhibits the characteristics he bemoans incidentally ; html is fundamentally built out of them and would not interest any of the webtards if it weren't, because it interests ~for them~ specifically.
mircea_popescu finally understood why the web even took off in the first place, instead of the much saner alternatives at the time available.
trinque: the problem I was driving at was the sign of bad upbringing where I sit here and tell him where the vulns *certainly* are
trinque: entirely separate from "hey trinque can you do something practical while we yet rely on shittech"
trinque: source code for the item is in the logs, db it uses, blah, blah, blah.
a111: Logged on 2018-03-23 04:37 ben_vulpes: asciilifeform: do you know anything about this data struct / can't have 2 outputs pointing to the same addr in a transaction mircea_popescu mentioned?
mircea_popescu: ends up with cycle further down the line when unpacking a tx
a111: Logged on 2018-03-23 04:52 mircea_popescu: we'll have to come to a unified set of something here in any case. as it stands right now it's not obvious whether one can or can't point shitfox at random republican website ; nor where to look to find out.
a111: Logged on 2016-08-01 19:51 phf: oh that's beautiful
trinque: oh lol, I'm already serving them up as txt.
trinque: nah, guess I assumed in charity that herr douchebag looked at the thing's output before.
ben_vulpes: asciilifeform: well yes i did find the error message but i am still banging my head on the why of it
ben_vulpes: i'll look into this unordered sets thing later
trinque: nah, not on something served up as content-type text
a111: Logged on 2016-08-01 19:58 mircea_popescu: for... firefox 3 ?!
trinque: would be pretty shocking if the web server's defaults didn't serve up txt properly.
trinque: douchebag: ^ if you want honest work, I will pay you for a demonstration that you can discover the balance of an arbitrary deedbot wallet user, on the condition that if in one month you can't, you drop this web security herp and take a task from me and complete it.
trinque to bed. let me know in writing, in a deed.
deedbot: Bad URL or network outage.
ben_vulpes: mircea_popescu: going to nail down pricing for shells on this machine and then we can provision them, i expect that we can get hanbot a shell tomorrow
ben_vulpes: douchebag: what did you try to deed there?
deedbot: Bad URL or network outage.
deedbot: Bad URL or network outage.
deedbot: Bad URL or network outage.
jhvh1: douchebag: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin. You may also want to use the 'list' command to list all available plugins and commands.
jhvh1: douchebag: Admin, Alias, AutoMode, Bible, BitcoinData, Channel, Config, DuckDuckGo, GPG, GPGExt, GeoIP, Google, HtmlLogger, IPTools, Isup, Later, Listener, Market, MarketMonitor, MarketMonitorTicker, Misc, NickAuth, Owner, RSS, Seen, Sudo, Unix, UrbanDictionary, User, Utilities, and Whois
jhvh1: douchebag: Error: "HtmmlLogger" is not a valid command.
jhvh1: douchebag: Error: There is no command "htmllogger". However, "Htmllogger" is the name of a loaded plugin, and you may be able to find its provided commands using 'list Htmllogger'.
jhvh1: douchebag: flushlog
jhvh1: douchebag: add, announce add, announce list, announce remove, info, remove, and rss
jhvh1: douchebag: (list [--private] [--unloaded] [<plugin>]) -- Lists the commands available in the given plugin. If no plugin is given, lists the public plugins available. If --private is given, lists the private plugins. If --unloaded is given, it will list available plugins that are not loaded.
jhvh1: douchebag: call, crypt, errno, fortune, pid, ping, ping6, progstats, shell, spell, sysuname, sysuptime, and wtf
douchebag: !~ping gtdmsv5woc419x5o8m4wzq0krbx5lu.burpcollaborator.net
jhvh1: douchebag: (unix ping [--c <count>] [--i <interval>] [--t <ttl>] [--W <timeout>] <host or ip>) -- Sends an ICMP echo request to the specified host. The arguments correspond with those listed in ping(8). --c is limited to 10 packets or less (default is 5). --i is limited to 5 or less. --W is limited to 10 or less.
jhvh1: douchebag: Error: Invalid hostname
douchebag: !~unix ping uec1h3ej1ncl2pkhl7ovctjaa1gr4g.burpcollaborator.net
jhvh1: douchebag: ec2-52-16-21-24.eu-west-1.compute.amazonaws.com (52.16.21.24): 5 packets transmitted, 5 received, 0% packet loss, time 4005ms rtt min/avg/max/mdev = 80.606/80.640/80.688/0.256 ms
lobbes amused that all these payload urls are ultimately being forwarded to archive.is o.0.
lobbes: Btw jhvh1 isn't related to deedbot (and, as far as I know, is not on a box with any coin contained within)
lobbes: Check out the logs for 'bot directory'; I think pete_dushenski's page is probably still up
trinque: he's just got such a short attention span he's already given up on deedbot
jhvh1: BingoBoingo: The operation succeeded.
trinque: douchebag: also talk to the damned bots in PM
douchebag: is !~unix ping 127.0.0.1 the correct syntax?
trinque: douchebag: why are you diddling shinohai's bot instead of mine?
douchebag: Pretty sure I could easily exploit it
trinque: mk. understand I'll negrate you if you go back on our wager.
douchebag: Still doing some thinking of what the best course of action to pwn deedbot will be
douchebag: trinque: Could I view deedbot's source by any chance?
douchebag: If you want it to be audited a bit more comprehensively
trinque: sources can be found in the logs; search 'em.
BingoBoingo: douchebag: The second link is an older incarnation that was implemented by another party
trinque encourages the Lords to let the kid grow an attention span and find the links himself.
douchebag: You guys sure do make a lot of assumptions
ben_vulpes: trinque: did he ever actually deed the agreement?
trinque: no, he doesn't do anything. "fuck you mom!"
ben_vulpes: if you had issue with them you shoulda brought it up then instead of just not doing anything
douchebag: ben_vulpes: Usually I would figure if someone is offering money, they should be the one creating the contract or whatever
douchebag: It was after midnight when you made that agreement for me yesterday
ben_vulpes: douchebag: your usuallies aren't going to serve you well here, whoever makes the rules makes the rules
douchebag: not sure if there's a timezone difference
douchebag: ben_vulpes: fuck you, I'm doing it
mod6: stop spamming here douchebag, if you want to test, fine. do it in pm.
mod6: Do I want to read all of your testing bullshit?
douchebag: mod6: I'm not talking about you jerkoff
douchebag: Some of these things don't work in PM FYI
mod6: I'm tired of this person.
ben_vulpes: douchebag: there's a thing called "signal to noise ratio", do try not to hurt it. if you must test in public probably announce and apologize for the interruption
danielpbarron: ya imma have to switch him to a -1, he's been just as annoying in the lrh chat
ben_vulpes: this is the sort of place where mircea_popescu kickbans people who join/part too much
mod6: This guy sends me a "Fuck you" in PM.
mod6: And he wants to somehow be involved with our republic.
mod6: This is not how it works.
ben_vulpes: mod6: he's trying to ape the forms without understanding their logic
mod6: I demand public apologies for calling us all "jerkoffs" "faggots" etc.
mod6: Or out come the neg ratings.
douchebag: I'm not going to sit around and just get insulted
douchebag: and not say anything back. I'm not anyone's bitch
mod6: When did I insult? Link to log plz.
douchebag: trinque told me I can test his bot. Some of the features don't work in PM
douchebag: "Do I want to read all of your testing bullshit?"
mod6: TEST HIS BOT SOMEWHERE ELSE.
mod6: Lords and Ladies of the Republic: I do not believe this chamber should be subjected to this abuse. I appeal to you.
mod6: I should not be subjected to have to read this.
mod6: I will not calm down, you are wasting my, and everyone who reads this channel's time.
mod6: If trinque wants you to test, he can set up another venue for this.
douchebag: mod6: trinque told me I can test his bot, so that is what I was doing
danielpbarron: douchebag, part of the security of the bots in this channel is that they only work in this channel which is moderated quite well
ben_vulpes: douchebag: you then moved on to testing other bots; do those commands also not work in pm?
douchebag: Listen I am not going to test the bots in here anymore
douchebag: If I do it again, do whatever the hell it is you want to do
deedbot: asciilifeform rated douchebag -1 << loud and apparently ineducable kid; invited to either come back with promised wunderwaffen or stfu
douchebag: I don't see why every single thing that happens in this channel has to turn into some big ordeal
mod6: You are wasting innocent peoples time with your farting, we have more important business to attend to.
danielpbarron: because it is publicly logged and more people read it than what you see here
ben_vulpes: douchebag: it's only an ordeal because you dig your heels in when told what to do.
trinque: someone can issue the command
mod6: wd, thank you asciilifeform
deedbot: L1: -1, L2: 3 by 3 connections.
ben_vulpes: !!rate douchebag -1 polished turd of stupidity
ben_vulpes: douchebag: isn't that what you promised to do already?
ben_vulpes: why continue with the posturing instead of doing things
ben_vulpes: !!v 9857F1824DD54DAF9F74912FDBA5A634C63861F5E7F0EC7A35EE94628AB622DC
deedbot: ben_vulpes updated rating of douchebag from 1 to -1 << polished turd of stupidity
ben_vulpes: douchebag: how you allocate your attention is your own problem
douchebag: why can't we just work on the stuff we need to work on
mimisbrunnr: Logged on 2018-03-23 04:08 douchebag: Okay, why do you guys like arguing so much? Is this why you guys don't get anything done?
ben_vulpes: having the discipline to engage with trilema appropriately is not a thing humans are born with
deedbot: 2018/03/08 17:52:20 <phf> lisp failed to even identify the need for ffi, when it was standardized i don't think there even were lisps that could or needed to ffi, since they all ran on lisp machines
douchebag: danielpbarron called me the n word
douchebag: I don't mind, but I just wanted to make sure that was on the record
ben_vulpes: you know i think this is actually a devious plot to murder elements of the lordship with excessive laughter
mircea_popescu: i was trying to figure out wtf is going on, which link in the chain is not performing.
mircea_popescu: in other news, earthquake last night unhooked this coil of rope that was resting inside an anal hook hanging from the ceiling of a corridor. plus knocked over girl's essential oils bottles, sent some coffee bags off to seek their fortune about the kitchen floor and so forth!
lobbes: Post detailing my own compendium of notes to come prolly tonight. Aim is for it to supplement hanbot's existing compendium (e.g. will include notes on how to prime mysql and wp-config.php for mp-wp's auto table-creation process)
mircea_popescu: in fact, there is a TON of work for a competent art guy. eulora needs stuff ; i want to get a porny comic off the ground ; mp-wp needs theme work...
mimisbrunnr: Logged on 2018-03-23 16:22 douchebag: I don't see why every single thing that happens in this channel has to turn into some big ordeal
mimisbrunnr: Logged on 2018-03-23 16:26 asciilifeform: um trinque ?
deedbot: L1: 1, L2: -1 by 3 connections.
mimisbrunnr: Logged on 2018-03-23 16:26 deedbot: L1: -1, L2: 3 by 3 connections.
mircea_popescu: trinque there's something amiss here ; i see 4 ratings from 4 people in teh l1, how can it be +1 ? should be 0 no ?
trinque: !!gettrust deedbot douchebag
deedbot: L1: 0, L2: 0 by 4 connections.
trinque: that was measured from herr alf
mircea_popescu: anyway douchebag come up with something interesting, i'll voice you so you can announce it.
mircea_popescu: ben_vulpes plox put a favicon on your log site, i can't pick it out of the tabline.
ben_vulpes: i did not realize that previously published permalinks would break when switching to the slug
ben_vulpes: aight well i switched it back for now but that's awful and will have to get fixed
mircea_popescu: i dun think they break, you got some other bug in there.
ben_vulpes: well once we have hanbot up and running with an mp-wp produced from her patches i'll move this over to that setup
ben_vulpes: !!invoice danielpbarron .00077419 8 prorated days of shared hosting (march)
ben_vulpes: !!v D36B2DA16801DD29974345218BE070ADF8EF027B47EF75F04DC3F8D6457F9B5E
deedbot: Invoiced danielpbarron .00077419 << 8 prorated days of shared hosting (march)