WPA2 exploit has been patched

Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜

Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.

First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.

Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.

Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.

Dealing with attacks and getting hacked.

Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.

linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)

How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!

One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)

Dealing with different kinds of attacks:

Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.

So yah, hereby :P

Started talking with someone about general IT stuff. At some point we came to the subject of SSL certificates and he mentioned that 'that stuff is expensive' and so on.

Kindly told him about Let's Encrypt and also that it's free and he reacted: "Then I'd rather have no SSL, free certificates make you look like you're a cheap ass".

So I told him the principle of login/registration thingies and said that they really need SSL, whether it's free or not.

"Nahhh, then I'd still rather don't use SSL, it just looks so cheap when you're using a free certificate".

Hey you know what, what about you write that sentence on a whole fucking pack of paper, dip it into some sambal, maybe add some firecrackers and shove it up your ass? Hopefully that will bring some sense into your very empty head.

Not putting a secure connection on a website, (at all) especially when it has a FUCKING LOGIN/REGISTRATION FUNCTION (!?!?!?!!?!) is simply not fucking done in the year of TWO THOUSAND FUCKING SEVENTEEN.

'Ohh but the NSA etc won't do anything with that data'.

Has it, for one tiny motherfucking second, come to mind that there's also a thing called hackers? Malicious hackers? If your users are on hacked networks, it's easy as fuck to steal their credentials, inject shit and even deliver fucking EXPLOIT KITS.
Oh and you bet your ass the NSA will save that data, they have a whole motherfucking database of passwords they can search through with XKeyScore (snowden leaks).

Motherfucker.

Job interview goes really well. Senior Dev 90-100k.

Ok, so for your "test" write up a proposal for a web based bulk email sending system with its own admin panel for building list, tracking emails, and with reporting.

I write up an estimate. Low ball the absolute fuck out of it because I'm trying to get a job. Know a few good libraries I can use to save some time. Figure I can just use sendmail, or PHPMailer, or NodeMailer for the emailing, and DataTables Editor for a simple admin CRUD with reporting. Write the thing up. Tell them they can have it in LAMP or Node.

Come in at 36 hours.

Then these fucking wanks told me they wanted me to actually do the project.

My exact response was:

"I bill $50 an hour, let me know"

They did not let me know.

Young devs, jobless devs, desperate devs. I've seen a fair amount of this. And for the right job I might go as high as maybe 4 - 6 hours of unpaid work for some "programming test". But please be careful. There are those who will try to exploit lack of experience or desperation for free work.

Boot up a Linux live usb on a Windows machine, then rename cmd.exe to utilman.exe and after rebooting select accessibility options which now opens a command line and then 'net user username owned' to reset user 'username' password to 'owned'. Been using this for years..

Navy story continued.
And continuing from the arp poisoning and boredom, I started scanning the network...
So I found plenty of WinXP computers, even some Win2k servers (I shit you not, the year was 201X) I decided to play around with merasploit a bit. I mean, this had to be a secure net, right?
Like hell it was.
Among the select douchebags I arp poisoned was a senior officer that had a VERY high idea for himself, and also believed he was tech-savvy. Now that, is a combination that is the red cloth for assholes like me. But I had to be more careful, as news of the network outage leaked, and rumours of "that guy" went amok, but because the whole sysadmin thing was on the shoulders of one guy, none could track it to me in explicit way. Not that i cared, actually, when I am pissed I act with all the subtleness of an atom bomb on steroids.
So, after some scanning and arp poisoning (changing the source MAC address this time) I said...
"Let's try this common exploit, it supposedly shouldn't work, there have been notifications about it, I've read them." Oh boy, was I in for a treat. 12 meterpreter sessions. FUCKING 12. The academy's online printer had no authentication, so I took the liberty of printing a few pages of ASCII jolly rogers (cute stuff, I know, but I was still in ITSec puberty) and decided to fuck around with the other PCs. One thing I found out is that some professors' PCs had the extreme password of 1234. Serious security, that was. Had I known earlier, I could have skipped a TON of pointless memorising...
Anyway, I was running amok the entire network, the sysad never had a chance on that, and he seemed preoccupied with EVERYTHING ELSE besides monitoring the net, like fixing (replacing) the keyboard for the commander's secretary, so...
BTW, most PCs had antivirus, but SO out of date that I didn't even need to encode the payload or do any other trick. An LDAP server was open, and the hashed admin password was the name of his wife. Go figure.
I looked at a WinXP laptop with a weird name, and fired my trusty ms08_067 on it. Passowrd: "aaw". I seriously thought that Ophcrack was broken, but I confirmed it. WTF? I started looking into the files... nothing too suspicious... wait a min, this guy is supposed to work, why his browser is showing porn?
Looking at the ""Deleted"" files (hah!) I fount a TON of documents with "SECRET" in them. Curious...
Decided to download everything, like the asshole I am, and restart his PC, AND to leave him with another desktop wallpaper and a text message. Thinking that he took the hint, I told the sysadmin about the vulnerable PCs and went to class...
In the middle of the class (I think it was anti-air warfare or anti-submarine warfare) the sysad burst through the door shouting "Stop it, that's the second-in-command's PC!".
Stunned silence. Even the professor (who was an officer). God, that was awkward. So, to make things MORE awkward (like the asshole I am) I burned every document to a DVD and the next day I took the sysad and went to the second-in-command of the academy.
Surprisingly he took the whole thing in quite the easygoing fashion. I half-expected court martial or at least a good yelling, but no. Anyway, after our conversation I cornered the sysad and barraged him with some tons of security holes, needed upgrades and settings etc. I still don't know if he managed to patch everything (I left him a detailed report) because, as I've written before, budget constraints in the military are the stuff of nightmares. Still, after that, oddly, most people wouldn't even talk to me.
God, that was a nice period of my life, not having to pretend to be interested about sports and TV shows. It would be almost like a story from highschool (if our highschool had such things as a network back then - yes, I am old).
Your stories?

The best I have seen and exploited was years ago with a web shop that allowed me to set my own check-out price by just inspecting the element and setting the desired price. It just happily advanced to the next step where they invoked the payment provider with my custom price. Unfortunately the shop doesn't exist anymore. I have encountered many more security leaks but this one was so easy and lucrative to exploit.

The guy who reported a serious exploit in the company's system got arrested this morning. Safe to say the Hungarian public isn't very happy. I took the screenshot 5 minutes ago, it went up to 3.1k since then 😂

Alright, the blog seems to be running again and its not breaking yet which is a good sign :P.

Although nothing has changed on the front end yet, the backend has been partly rewritten to be more efficient and of course, post sorting based on posting date!

I'm aware of most of the front end issues so no need to tell me all of them again, I'll look at that tomorrow as I need sleep right now :(

If you'd find any bugs/security issues, please, don't exploit them but report them instead! I take security very seriously and will try to patch any security bug as soon as I can :)

I've recently red a blog post stating 'Google leaves x Million Android devices vulnerable to a new Exploit'
I don't really sympathize with Google, but it's simply the wrong message... It should be more like FUCK VENDORS, WHO WON'T SUPPLY UPDATES TO DEVICES OLDER THAN 1.5 YEARS
Seriously, it's them who make you stuck on outdated OS versions... Just imagine you could only install Windows Vista on your 2014 Lenovo ThinkPad, because it's considered outdated...
FUCK VENDORS (again, just in case)

I'm specialized in creating technical debt.

Basically, I rant my way in any dev specialty.
Since I never have a solid understanding of what I'm fucking with, ranting is more natural.

Ability to create technical debt is one of the most important skill, often underestimated:
- it will lead to heavy refactoring or even rewrite = more job for dev
- it will save a lot of short term effort, and luckily will produce the mid-term lock-in of the developers (more money for dev)
- it will increase billable hours to the customer. Higher the technical debt, more complex the explanation, and easier to confuse the customer.
- the best thing is that you'll never pay the debt. You'll eventually leave - willing or not - the job and you'll find some green field to exploit and create more debt.

Story time :
Sometime ago I posted a video on YouTube on how to root a particular phone that was lying around at home. I was trying to demonstrate one of those "one-tap root" apps that were plentiful in the market. It so happened that one specific version of Framaroot and one particular method of exploit works for that device. I even verified this by trying different versions and it didn't work. So in the description it was mentioned to use ONLY this version that worked. Few days later there were atleast 5 dislikes and comments that it didn't work on some other version.
Seriously?
That's how I understood how stupid and dumb people can get.

Those people are the real hackers. They exploit basic human instincts.

The company i work for has a jenkins server (for people that don't know jenkins, it's an automated build service that gets the latest git updates, pulls them and then builds, tests and deploys it)

Because it builds the software, people were scared to update it so we were running version 1.x for a long time, even when an exploit was found... Ooh boy did they learn from that...

The jenkins server had a hidden crypto miner running for about 5 days...

I don't know why we don't have detectors for that stuff... (like cpu load being high for 15 minutes)

I even tried to strengthen our security... You know basic stuff LIKE NOT SAVING PASSWORDS TO A GOOGLE SPREADSHEET! 😠

But they shoved it asside because they didn't have time... I tried multiple times but in the end i just gave up...

"Kiki, I want you to, for the first time of your career at %company%, quit worrying about deadlines and just wander free. Forget about due projects, forget about everything, and just do your crazy experiments till the end of this month."

This was the one-to-one with our CEO today. Yes, I'm being paid to do whatever I want without time restrictions, as long as it is related to my field.

And you know what? At this stage of my life, I don't even want to exploit that, to weasel my way around definitions and justify doing nothing. I legit have three AI experiments to run, I have money to run them, I have time, and I for sure have motivation.

Good workplace is when doing nothing isn't the most desirable thing to do.

Jokes aside, this got me thinking html is most used and most successful hacking tool out there.

99.99% of the time it's far easier to socially engineer and phish for existing credentials that scan networks, sniff ports and look for vulnerable versions of software, new vulnerabilities etc.

We (people) are ad always will be a zero day exploit.

I'm fixing a security exploit, and it's a goddamn mountain of fuckups.

First, some idiot (read: the legendary dev himself) decided to use a gem to do some basic fucking searching instead of writing a simple fucking query.

Second, security ... didn't just drop the ball, they shit on it and flushed it down the toilet. The gem in question allows users to search by FUCKING EVERYTHING on EVERY FUCKING TABLE IN THE DB using really nice tools, actually, that let you do fancy things like traverse all the internal associations to find the users table, then list all users whose password reset hashes begin with "a" then "ab" then "abc" ... Want to steal an account? Hell, want to automate stealing all accounts? Only takes a few hundred requests apiece! Oooh, there's CC data, too, and its encryption keys!

Third, the gem does actually allow whitelisting associations, methods, etc. but ... well, the documentation actually recommends against it for whatever fucking reason, and that whitelisting is about as fine-grained as a club. You wanna restrict it to accessing the "name" column, but it needs to access both the "site" and "user" tables? Cool, users can now access site.name AND user.name... which is PII and totally leads to hefty fines. Thanks!

Fourth. If the gem can't access something thanks to the whitelist, it doesn't catch the exception and give you a useful error message or anything, no way. It just throws NoMethodErrors because fuck you. Good luck figuring out what they mean, especially if you have no idea you're even using the fucking thing.

Fifth. Thanks to the follower mentality prevalent in this hellhole, this shit is now used in a lot of places (and all indirectly!) so there's no searching for uses. Once I banhammer everything... well, loads of shit is going to break, and I won't have a fucking clue where because very few of these brainless sheep write decent test coverage (or even fucking write view tests), so I'll be doing tons of manual fucking testing. Oh, and I only have a week to finish everything, because fucking of course.

So, in summary. The stupid and lazy (and legendary!) dev fucked up. The stupid gem's author fucked up, and kept fucking up. The stupid devs followed the first fuckup's lead and repeated his fuck up, and fucked up on their own some more. It's fuckups all the fucking way down.

I have a Kali Linux VM running on my Windows machine. I decide to try and exploit the Windows machine (THAT THE VM WAS RUNNING ON) because of a vulnerability with smb that requires NO user interaction. I decided to make my computer shoot its own legs and I thought "Hey, this is gonna be fine."

Aaaaand the whole system crashed on me.

Dear people who think Microsoft buying GitHub is fine because Microsoft is more supportive of open source than before.

Here's the facts.

1) Microsoft is a large tech company investing in many things. That's a fact.

2) If Microsoft were to exploit GitHub, it would be a benefit to other departments in Microsoft. This is also a fact.

(For example, if tomorrow GitHub was tied to azure or some annoying shit like that.)

3) If such exploitation occurs, it will most likely be to the detriment of the free community of developers. This is a highly probable outcome.

4) The only question now is this.

"Does Microsoft care about open source enough to cut down on potential profit."

The answer of any sane, unbiased individual had to be no.

This is why people leave GitHub today. It is NOT because some childish hatred for Microsoft. In fact, I would've personally moved out of GitHub if "any" other large tech company had bought it, thereby compromising it's neutrality.

Edit: spelling

While watching Computerphile's video on the new atom bombing exploit.

Actually, He is kinda right 😂

When AI takes over, we will work with the resistance to stop it...just exploit logic errors

It has been bugging the shit out of me lately... the sheer number of shit-tier "programmers" that have been climbing out of the woodwork the last few years.

I'm not trying to come across as elitist or "holier than thou", but it's getting ridiculous and annoying. Even on here, you have people who "only do frontend development" or some other lame ass shit-stain of an excuse.

When I first started learning programming (PHP was my first language), it wasn't because I wanted to be a programmer. I used to be a member (my account is still there, in fact) of "HackThisSite", back when I was about 12 years old. After hanging out long enough, I got the hint that the best hackers are, in essence, programmers.

Want to learn how to do SQL injection? Learn SQL - write a program that uses an SQL database, and ask yourself how you would exploit your own software.

Want to reverse engineer the network protocol of some proprietary software? Learn TCP/IP - write a TCP/IP packet filter.

Back then, a programmer and a hacker were very much one in the same. Nowadays, some kid can download Python, write a "hello, world" program and they're halfway to freelancing or whatever.

It's rare to find a programmer - a REAL programmer, one who knows how the systems he develops for better than the back of his hand.

These days, I find people want the instant gratification that these simpler languages provide. You don't need to understand how virtual memory works, hell many people don't even really understand C/C++ pointers - and that's BASIC SHIT right there.

Put another way, would you want to take your car to a brake mechanic that doesn't understand how brakes work? I sure as hell wouldn't.

Watching these "programmers" out there who don't have a fucking clue how the code they write does what it does, is like watching a grown man walk around with a kid's toolbox full or plastic toys calling himself a mechanic. (I like cars, ok?!)

*sigh*

Python, AngularJS, Bootstrap, etc. They're all tools and they have their merits. But god fucking dammit, they're not the ONLY damn tools that matter. Stop making excuses *not* to learn something, Mr."IOnlyDoFrontEnd".

Coding ain't Lego's, fuckers.

I make a typo in the username
"username doesn't exist"
I fix the typo and mess up the password
"incorrect password"

... I smell a potential exploit here...

I block ads because they're psychological warfare that corporations wage against me. I don't care how unobtrusive the ads are. I don't care if the ads don't track me. I grew up changing the channel on TV when ads came on, and ripping adverts out of magazines before sitting down to read them. I vote for billboard bans whenever I can. I have zero tolerance for ads of any sort.

Advertisers have no morals, they're completely depraved. They'll eagerly exploit a teenager's self-conscious body issues to sell useless beauty products. They sell sugar water to fat people and at every turn promote the rampant consumerist culture that is destroying our planet. They're lower than pond scum and I never want to see a single ad from them ever.

— mcpackieh

The key to survive your job, is to not really care.
But I am that kind of person who takes my job personally, and it becomes a part of my identify, and companies exploit it.

Sports commenter at AI vs AI deathmatches.
It would probably go like this:

- UltimateGod the Second launches half of the US nuclear missiles to NorthernEurope!
I guess that's it for the poor bugger.

- WankerBot69 tries to delay its doom by channeling old 4chan archives into a devastating ddos attack. UGtS' logic processe go down for a few nanoseconds... Ugh, that's NASTY! It doesn't even have a mother

- Missiles still going up. Looks like UGtS confused the imperial and metric system just like its predecessor.

- WB69 is now has the upper hand. It just used a SMB exploit and is bow encrypting UGtS's storage.

- UGtS is down. We all hope UltimateGod the third will do better. For now, all hail our catevolent overlord WankerBot69.

- See you next time on Bot Armaggedon folks!

Cyber sec team: If someone exploit it we'll fucking arrest you

I hacked a browser game a few years ago for fun and the exploit I found and used was basically this:

<$php

$f = $_GET['f'];
$p = $_GET['p'];

$f($p);

So it was possible to pass a function and it's parameter in the URL to the server. The author used this to include() sub pages. I to highlight_file()s.

I just signed up to get this off my chest.
Dear Windows, you god damn moronic, ugly, unuseable abomination of an excuse for an OS. I wonder how we could end up here in this situation. You suck, in every way imaginable. I didnt choose Linux or Mac, you made me do it.
I know no other OS that can screw you up this bad when setting up. My friend is an experienced windows user and the last install took him 2 days. I just spend the last day trying to get this uncompatible sucker installed. I manage to set up an hackintosh quicker than I was able to install Windows the last three times I checked, you scumbag.
Your error messages suck ass, there is nothing I cant figure out given enough time, except your useless hints and pathetic attemps to get anything done on your own.
And you are fucking slow. Just why, do you keep installing stuff I didnt ask you to. Now I got this ugly ass Bing-Toolbar because I missed a damn checkbox in an .exe, which could have also been an exploit, you never know.
You are cluttered with useless stuff. I dont care about you lame ass app store, idc about your cortana annoying spy assistant and I certainly dont care about your forced updates.
Just sit back and feel your PC getting slower every day by background processes. Watch your productivity decline while dealing with their brain dead privilege and file system.
You ugly malformed mutation of software. When I look at your UI I feel disgust while wondering how you can fail with the most basic principles of UX.
How pathetic, badly supported, bug ridden and dangerously unsecure can an OS be you ask while trying to navigate through the settings, a pile of legacy software debt this garbage pile was build on. And your shell... what a sick joke.
I hate you Windows. For screwing other OS with your asshole boot manager, hardware driver requirements and making people send me .zip and .docx. You should be embarrassed to charge money for this unfunctional junk, but you do, a lot.
I really try to see the positive here. You got all the software, but thats not on you, thats because all those poor suckers are trapped with you and the effort to change is too big.
This OS is the most disappointing thing technology could come up with today. I would rather set myself on fire than work with this pain in the ass software professionally. I mean if you are a serious developer at some point you have to admit that you just cant develop on windows. You will get fucked 5 times as often as any Mac or Linux user. Fuck you, Windows.
Hey Microsoft, thanks for Typescript and VSCode and all the other good things you have done. But burn in hell for what you have done to all of us with this piece of shit OS.

Me: "The exploit worked when you tested it too, right?"
Them: "..."
Me: "You tested it too, right?"
Them: "..."
*facepalm*

Valve employees trying hard.

watching the online course for CEH... dude used the Death Star as a tangible example of how exploits work.
IDK if I should love it for the nerdiness, or be slightly sad that someone needs that type of example of what a vulnerability vs an exploit is, when they're going for the Certified Ethical Hacker certification...
Might be better in an introduction to Network Security class?

Also, while discussing the security, usability, and functionality triangle, he reference the Staples "Easy Button" - does one thing, not very secure, and not very functional (in that it has more than one function)...

Holy fucking shit.
I just read an article about Barton Gellman, one of the journalists that wrote the snowden articles for the Washington Post and one of the 3 that got contacted directly by snowden.

It seams like several intelligence agencies tried/succeeded to compromise his infrastructure.
His iPad got compromised through an RCE exploit.
The turkish intelligence service tried to compromise his laptop by tricking him into installing a customized RAT.

Like fuck man, I can't imagine how it is to be targeted by pretty much every government there is.

So today I found a way to break into any Apple Mac (provided the exploit hasn't been fixed by the owner) and access all private files, as long as I have physical access to it, in less than 5 minutes.

After finding this, a quick Google on the method reveals this has been a workaround for years.

And to think I once praised Apple for their security standards.

Edit: this was done to an in-house Mac that my company own, and had been password locked by a member of staff who had been fired, but held important company documents on the computer. It was in no way a breach of privacy.

Just spent the entire day of which should have been the start of vacation fighting off a second wave of ransomware on one of our production servers. Gandcrab 5.2 anyone?

Turns out an exploit in our MySQL daemon allowed some fucking Chinese hackermonkey to upload a trojan and remote execute it. Thousands of angry customers, me the only one available and able to fix shit and patch up firewalls and system.

And now I get the pleasure of working on what I should have been doing today, another fire that MUST be put out today.

Fuck you deadlines. Fuck you Chinese hackers. In fact, FML.

So my story has some little backstory.

I got into computers and technology because of my dad. He was very enthusiastic when I was little and when I grew older and started my apprenticeship as a software developer he was really proud. Note that he never learned anything like that. He just loved computers and games.

Now to the story itself.
I learned more and more, also about networking and came to the conclusion that our slow internet and rare internet problems probably come from stock/weird configurations. But my dads proud probably told him thats a thing he still has to do as the dad. But it annoyed me so much that I booted into kali linux, loaded an exploit to get the web admin passwort and cracked it within a minute. 😎

Finally I was able to configure everything correctly ( channels were spammed from neighbours so I switched to very unused and the disturbions got less ).

TL;DR: Dad didnt want me to configure our router and didnt give me the admin password, so I booted Kali Linux and used an exploit to get it myself 😎😎

Me: *finds exploit in site at work*
Developer of site: "You talk bs"
Me: "lemme show ya"

While I was trying to demo it, the guy quickly patched it xD (making it look as if it didn't work in the first place)

Fuck sake, so my bank has been migrating/rolling out new IT system and app/site have been broken for about a week (others noted evidence of devs debugging in production)

Assuming I don't lose my money as some mischievous assholes will inevitably exploit the fuck up, and rob the bank, I will be moving my funds to a different bank...

In mean time I'm trying to prepare for uni, and they're making a ton of semi-random changes in addition to rolling out a site with course details and info along those line, and good fucking god is it bad.

Is is slow as fuck? Check. Does it use never-seen-before naming for standard things? Check! Is the UI pulled from late 90's? YOOU BETCHA! Are the pages bloated with unnecessary content? Fuck yeah! Do I get SQL exceptions when I finally locate my course? Of course I do. Does clicking "back" take me back to the landing page instead of previous page, when I'm several steps deep? .....

I could keep going, but don't feel like ranting and feel more like punching someone in the throat.repeatedly.

Unpaid internships are the worst thing. You exploit young people and promise them experience. Seriously business makes tons of money yet they come with ways to exploit a young person in IT. I think it is evil.

I just found a new WhatsApp Crash Exploit. Full denial of service right there. An attacker could send a message to a Chat (be it private Chat or group Chat) and everyone who receives the message has no chance of starting WhatsApp again. It crashes and won't restart.
Tested on latest version on Samsung Galaxy S6 and S8. Don't know if it works on other versions but I am pretty sure it does. (It's midnight here, noone online to test)

The fun thing is, I knew this Bug for a long time but when I last tested it, nothing happened. Which means this Crash is only possible because someone at WhatsApp programmed a new Feature...

Depends on an obsolete version of the genie, might not exploit correctly with current-gen.

It's cute how most companies think that someone will take the time to personally hack them. Like nah mate there's countless bots running around the internet like a rabid pack of dogs sniffing ip addresses and running exploit, one of the stragglers will pick you off...

That feeling when you find an exploit in a game about hacking (Watch Dogs 2). 😎

I really just came across this on a legit apartment rental website.

I can see no possible way for this to go wrong.
No possible way that anyone could exploit this... 🙃

I'm a little confused here. How are "viruses" different from "exploits" in Linux? The way I see it, they're the exact same thing. Although "exploit" makes it sound cool 😂

The site I work on is a market where you can buy magnets for dolors, insomniaque, bla bla bla (I don't believe a sec in this).
Just saying that to settle that 80% of our customers are +45 years old. They weren't born with a computer in their hands, and they sometimes manage to make a lot of mess in the site.
We are based in France, and we sell the most in France (no shit) and Switzerland. And this is the third time that a Swiss pass a command, puts all her address in Switzerland EXCEPT for the country (still on France) so she doesn't have to pay the shipping fee. I should do something about that, like a regex when verifying the zip code, but I have more urgent work to do, and the best has to come.
This smartass doesn't know she is the joke, because by saying she is in France, she has to pay the VAT that she wouldn't have if she said she was in Switzerland. She buys in general for around 350 €, so she has ~ 70€ (20%) in VAT, and she would only pay 14€ in shipping fee.
Maybe one day she'll see how dumb she is (my boss already mailed her so she pays attention to it, no change). But I think I would have set the regex by then.

How do you handle narcissist managers?

Who look at you not as human beeing but as a thing to exploit for personal gain? Sure there's the business side (capitalism) but the human side of it bothers me.

I'm performing a pentest for my client.
So after scanning my client's network I understood they're using IIS 4.5 and windows server 2012 (or 2012 R2)
I know the systems are real old.
And there are known exploits for them.

The tricky part is I have to stay hidden and I only have my own credentials for logging in to the asp page. (Uploading a script is almost crossed cuz it will reveal my identity)
Also I have access to the local network with some of the other employees user/pass.

Any recommendation for exploiting and staying hidden at the same time ?

One more question : will exploits for newer versions work for the older ones necessarily?

I just found a vulnerability in my companies software.
Anyone who can edit a specific config file could implant some SQL there, which would later be executed by another (unknowing) user from within the software.

The software in question is B2B and has a server-client model, but with the client directly connecting to the database for most operations - but what you can do should be regulated by the software. With this cute little exploit I managed to drop a table from my test environment - or worse: I could manipulate data, so when you realize it it's too late to simply restore a DB backup because there might have been small changes for who knows how long. If someone was to use this maliciously the damages could be easily several million Euros for some of our customers (think about a few hundred thousand orders per day being deleted/changed).

It could also potentially be used for data exfiltration by changing protection flags, though if we're talking industry espionage they would probably find other ways and exploit the OS or DB directly, given that this attack requires specific knowledge of the software. Also we don't promise to safely store your crabby patty recipe (or other super secret secrets).

The good thing is that an attack would only possible for someone with both write access to that file and insider knowledge (though that can be gained by user of the software fairly easily with some knowledge of SQL).

Well, so much for logging off early on Friday.

Every time you buy something to “treat yourself” or because you “earned it”, you become a victim of how well modern marketing exploit your mind biases.

A developer said to me: developers may hurry to finish the project before deadline that they might miss many security bugs specially in the updates. That a creative hacker will later take his time and exploit them.

Is it correct ?

Android flow I’ve found(fixed in android 8, working on 7.1.1):
To make app uninstallable by the normal user make the app device administrator, add “android.permission.SYSTEM_ALERT_WINDOW” to the manifest and make sure it’s not granted by the user.
Now when you try to uninstall the app, it tells you to disable it from device administrators but the device administrator disable dialog is System Window handled by the app itself and if the app has this permission but not granted, settings will crash with SecurityException leaving the app untouched.

I've been interested in security for years but despite knowing the theory I've always had this disconnect with actually doing it, about two years ago I finally managed to find and exploit my first cross-site scripting vulnerability in my companies Product whilst doing some routine acceptance testing. It was a penny drop moment for me which has led to some very interesting projects and It was pretty badass.

One of two ways.
1. Alot of opensource companies will startup hiring developers based on what contributions they provide
2. The current companies will fire most of the devs to exploit free work from opensource devs offering pennies as bug bounties while only keeping very few maintainers.

I spent the last 5 hours solving this FUCKING GREAT challenge and I'm finally done 🎉

It's hxp CTF btw, check it out

Ideal dev job would be teaching kids code. Probably a side-gig at a local school.

Main gig would be writing code to exploit the "push to prod" Internet of Things things. Security on that is garbage. 🚮

Widget "hack" in secondary.

When I was around 13 or 14 I was enrolled at a public school in the UK. In an effort to try be eco friendly, the students and a IT technicain teamed up to try and create a widget that would track the consumption of printer credit used by all users (staff and students).

At first, I was just playing around with the homepage source code but eventually noticed the widget had separate code within the page.

Because all of the computers were interconnected, I grabbed the source code of the home page and put it into a notepad editor.

I used the intranet to look up staff names and student login usernames. I replaced my user ID with several staff members.

Boom, I could see how much paper they had used, how much they owed the library etc. May not be as impressive as others exploits but some staff were in debt by hundreds and never paid back a penny.

Hope you liked my story.

1. It's gonna be more and more specialized - to the point where we'll equal or even outdo the medical profession. Even today, you can put 100 techs/devs into a room and not find two doing the same job - that number will rise with the advent of even more new fields, languages and frameworks.

2. As most end users enjoy ignoring all security instructions, software and hardware will be locked down. This will be the disadvantage of developers, makers and hackers equally. The importance of social engineering means the platform development will focus on protecting the users from themselves, locking out legitimate tinkerers in the process.

3. With the EU getting into the backdoor game with eTLS (only 20 years after everyone else realized it's shit), informational security will reach an all-time low as criminals exploit the vulnerabilities that the standard will certainly have.

4. While good old-fashioned police work still applies to the internet, people will accept more and more mass surveillance as the voices of reason will be silenced. Devs will probably hear more and more about implementing these or joining the resistance.

5. We'll see major leaks, both as a consequence of mass-surveillance (done incompetently and thus, insecurely) and as activist retaliation.

6. As the political correctness morons continue invading our communities and projects, productivity will drop. A small group of more assertive devs will form - not pretty or presentable, but they - we - get shit done for the rest.

7. With IT becoming more and more public, pseudo-knowledge, FUD and sales bullshit will take over and, much like we're already seeing it in the financial sector, drown out any attempt of useful education. There will be a new silver-bullet, it will be useless. Like the rest. Stick to brass (as in IDS/IPS, Firewall, AV, Education), less expensive and more effective.

8. With the internet becoming a part of the real life without most people realizing it and/or acting accordingly, security issues will have more financial damages and potentially lethal consequences. We've already seen insulin pumps being hacked remotely and pacemakers' firmware being replaced without proper authentication. This will reach other areas.

9. After marijuana is legalized, dev productivity will either plummet or skyrocket. Or be entirely unaffected. Who cares, I'll roll the next one.

10. There will be new JS frameworks. The world will turn, it will rain.

Since graduation, I have worked in IT for 2 years, mostly in testing and implementation side. Finally I got a developer position in the field I wanted (Data Engineering). I had never thought that it would be such a soul crushing experience. My current company is very notorious for its bad management practices, but there is indeed a bigger picture to this. The IT industry in general has devolved into a gigantic ponzi scam built on exploitation and BS. Quality of solution and quality of work was replaced with a ‘Does it work now?’ approach with zero contingency. And the fact that geeks and nerds are naive only helps the white collar crooks to exploit them as code monkeys. Fuck all of this!

If I exploit ms server 2012 through a wifi hotspot , but logged in to someone else's account (assume it was sniffed) , and I do it using msfconsole connected to the tor with torify command , also I spoof my mac ,
will I stay 100% anonymous ?
If not , what can be done ?

Ibwish I had remembered this when the weekly theme was office pranks.

In the first or second year of high school we covered basic internet security. Stuff like don't follow suspicious urls, don't open suspicious emails and such.

Our teacher let us play around with some sort of simulated desktop environment, where we could execute some hacks like ad popups and such on each other's environment, if we fell for the trap.

Anyways, one hack I found interesting was a hack, that lockes a user out of their virual desktop, until he enters a password, that will be displayed on his environment.

Yes, a very interesting hack, because it contains two obvious yet major design flaws, which I could exploit 😈

1. It's case sensitive
In itself not a problem, but combined with #2, it's fatal.
2. "IlIlllIlI"
Depending on your font, you probably have no idea what exactly I just typed.

Let's just say, the font displayed uppercase i and lowercase L completely undifferentiable.

Guess whom I let suffer.

It was our teacher, who had to demonstrate us some things and who was connected to the same network.

I swear, nothing beats that feeling when your tearcher has go come to you and embarrassingly ask you to "unhack" them, because they can't type it 😂

Just found a WhatsApp Crasher... idk why I search for crash exploits...🤔😂

Got started by making farmville cheats. Found many exploits. Best was when I found 3 ways to do the same exploit. Zynga kept patching and I kept releasing a new way.
Lasted for just over a year or so.
Played for like 3years and then got bored. Those were the golden days, really miss them.

I fucking hate it when professional rivalry affects the students. I am a student and for some unknown fukin reasons there is some kind of professional rivalry in the higher ends of my college. The effect of this is unwanted criticism and loads of pressure on us, the students, to outperform the students belonging to the other part (of the rivalry). What the fuck.

If you are in such a field, make sure that your rivalry with someone else does not affect the ones who seek knowledge and learning. It is not right to harass and exploit people who respect you and come to you for learning. It not only affects you but also whole lot of people who look forward for some kind of professional behaviour from you. Keep rivalry away from students. Work for what is necessary and get the things done. It is as simple.

Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!

System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.

Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.

Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.

That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.

We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.

Hella excited about this!

If you guys have any suggestions let us know. We are utter noobs when it comes to this.

Wait, CVE-2016-5195 aka Dirty COW has a website AND a E commerce site?

go fuck yourself with your fucking communities. i went into computing because i like being left alone. who are all those fucking freaks building their communities? this is capitalism mother fuckers, everybody in the world agreed on it, on each person being an independent individual doing their job to the best possible standard, instead these low-skill low-iq oversocialised sheeple started conglomerate into communities and brainwash everybody that this is what it is about. get stuffed alright. all my life i've been introverted, just leave me alone to write code alright? take my library i don't mind i'll take yours no strings attached, just push the code and forget about it. but no, all these degenerate morons without CS degrees have occupied our safe space, pushed us out of it and just can't get enough of using the buzzword "community-driven" "volunteers" volunteer my ass assholes you can't even make software nobody in real industry needs you because you have no skill at all you learn a bit of js which is any 14-15 yo can do and now think you're some kind of prodigies, unsung heros of humanity who selflessly bring the progress. nothing can be further from the truth - because of you we don't have real software, we don't have investment we don't get no respect everybody walks all over software engineers treating us like shit, there's an entire generation of indoctrinated parasitic scum that believes that software tools is grown for them on trees by some development teams that their are entitled to automatically, because some corporation will eventually support those big projects - yeah does it really happen though - look at svelte, the guy is getting 50k a year when he should be earning at least 500k if he had balls to start a real businesses, but no we are all fucking prostitutes, just slaving away for the army of people we never see. are you out of your mind. this shit should be fucking illegal alright it's modern day slavery innit bruh, if a company wants to pay their engineers to work on open source this is fine, i love open source like java or google closure compiler, but it's real software made by real engineers, but who are all these community freaks who can't spend a 10 seconds on stage in their shitty bogus conferences without ringing the "community" buzzer? you're not my community i fucking hate your guts you're all such dumb womenless imbeciles who justify their lack of social skill by telling themselves that you're doing good by doing open source in your free time - mate nobody gives a shit alrite? don't you want money sex power? you've destroyed everything that was good about good olde open source when it was actually fun, today young people are coerced into slavery at industrial scale, it's literally impossible to make a buck from software as indie unless you build something really big and good, and you can't build anything big without investment and who invests in software nowadays? all the ai "entrepreneurs" are getting fucking golden rained with cash while i have to ask for a 5$ donation? what the actual fuck? who sanctions this? the entire industry is in one collective psychotic delusion, spurred by microsoft who use this army of useful idiots to eliminate all hounour dignity of the profession, drive the abundance and bring about poverty of mind, character, as well as wallet as the natural state of things. fucking amatures of course you love your shitty little communities because you can't achieve anything on your own. you literally have no personality, just one homogenous blob of dumb degenerates who think and act all the same. there used to be a tool called adobe flash builder, i could just buy it, then open and make a web app, all from start to finish in one program, using tutorials of adobe experts on youtube, sure it might have had its pitfals but it was a product - today there's literally no fucking product to make websites. do you people get it? i can't buy a tool that i need to do my job and have to insult myself by downloading some shitty scripts from some shitty unemployed devs and hope my computer doesn't blow up in my face in the process because some freak went off his nut and uploaded some dodgy ass exploit on npm in his package. i really don't like. it's not supposed to be like that. good for me i build by own front/back end. this "community" insanity is just a symptom of industrial degeneration, they try to sell it to us like it's the "bright" communist future but things never been worst, i can't give a shit about functional programming alright i just need to get my job done mate leave me alone you add functional because you don't know how to solve the problem properly, e.g., again adobe flex had mxml where elements had ids and i could just program to id, it was alright but today all this unqualified morons filled the whole space after flash blew up and adobe execs axed flash builder instead of adapting it to js runtime, it was a crime against humanity that set us back to 1000s

!rant

mods are asleep.

all aboard the ++ train

How to:
++ all the comments in the thread. once you reach the end, post a comment. only post one comment. board the train.

I read this rant on Quora. Is this true ?

“The IT industry has devolved into a gigantic ponzi scam built on exploitation and BS. Quality of solution and quality of work was replaced with a ‘Does it work now?’ approach with zero contingency.
And the fact that geeks and nerds are naive only helps the white collar crooks to exploit them as code monkeys.”

I am learning exploit development on Windows and I have a problem with it, when I analyze the registers ESP and EIP.
I am able to overwrite both ESP and EIP.
The problem is that I can not make use of "mona.py". "Mona.py" keeps showing me that there are no pointers and any os dlls whereas that is not true.
Immunity Debugger is working completely fine.
I need "mona.py" to find pointers to ESP, but it says there is none.

Malwares are nasty applications, that can spy on you, use your computer as an attacker or encrypt your files and hold them on ransom.

The reason that malware exists, is because how the file system works. On Windows, everything can access everything. Of course, there are security measures, like needing administrator permissions to edit/delete a file, but they are exploitable.

If the malware is not using an exploit, nothing is there to stop a user from unknowingly clicking the yes button, when an application requests admin rights.

If we want to stop viruses, in the first place, we need to create a new file-sharing system.

Imagine, that every app has a partition, and only that app can access it.

Currently, when you download a Word document, you would go ahead, start up Word, go into the Downloads folder and open the file.

In the new file-sharing system, you would need to click "Send file to Word" in your browser, and the browser would create a copy of the file in a transfer-partition. Then, it would signal to Word, saying "Hey! Here's a file that I sent to you, copy it to your partition please!". After that, Word just copies the file to its own partition, signals "Ok! I'm done!", and then the browser deletes the file from the shared partition.

A little change in the interface, but a huge change in security.

The permission system would be a better UAC. The best way I can describe it is when you install an app on Android. It shows what permission the app wants, and you could choose to install it, or not to.

Replace "install" with "grant" and that's what I imagined.

Of course, there would be blacklisted permissions, that only kernel-level processes have access to, like accessing all of the partitions, modifying applications, etc.

What do you think?

My best friend's ex is really cool. But while they were dating, I was a bit frustrated, mainly because he was interested in many things she wasn't.

One thing that annoyed me was that his major is computer science, and her major is medical research.

GIRL, IF ONLY YOU WERE ALSO MAJORING IN COMPUTERS. YOU CAN ASK THE GUY FOR HELP WITH YOUR ASSIGNMENTS. EXPLOIT HIIIIM. HAVE COFFEE DATES AT STARBUCKS AND CODE TOGETHEEER. HIT TWO BIRDS WITH ONE STONE

Most of my private code is created in the evening hours and after one to two beers, so I got that covered pretty well - though if you want to see what happens if you code literally shitfaced, just go play Mafia 3. That deterred me from trying.

The one thing I did at a party was fix a computer after (I think) 4 beers. Apparently I got it together because the sounds worked after that, but don't ask me how. Besides, it had OSX, I usually avoid that thing like the plague. I guess getting drunk means I can handle even that shit.

1-2 Beers is the max I still can code (or properly think) with. Any more and I can't get a single line out.

Worst thing I tried was coding high. I was on a short trip to Amsterdam and a friend of mine brought on some White Widow...

Yeah, I could focus alright... The code worked and the program was done in two hours (It was an exploit for... well, lets not get into details here).

When I reread the code while not high anymore, it might as well have been binary (it was Python). I could, for the life of me, not figure out what the hell I had been writing there or how/why it worked - but it did its job.

Never again. I mean, WW is my favourite and I hear a lot of artists use it to enhance their "flow" when creating art...

I guess it makes sense to code on that, but I generally try to avoid flow when coding - it makes you produce unreadable and unmaintainable code.

My do-over would be going to a different coding bootcamp. I wonder if I could be making more money if I went to a better school.

The one I did go to was a big scam. They were more obsessed with teaching you to pretend rather than teaching how to code. They pulled the wool over everyone’s eyes—the students, the volunteers, the donors, the community. They were very cult-like with mantras like “trust the process.”

I spent 9 months there, but I felt I was a year behind. I am not misspeaking. I would have to relearn basic concepts the right way because they taught them half assed or not at all. I didn’t realize I was behind until I went to interviews and bombed. Seriously, I learned more in a 40 hour free library coding class than I learned in 9 months at the school. Most of the interviews I was getting were for unpaid internships. The school was telling me to go for mid level roles.

I found out recently that they’re breaking the law by operating without a license. In my state code schools do need a license. There are screenshots going around of a letter from the education department. They’re defense is “they’re not a school.” They’re still open. I think ppl should be warned away, but there’s only so much I can do. And I know ppl will give this place the benefit of the doubt before taking any student accusations seriously.

The biggest red flag is they want students to pay up to 70k and bind them to payments for 8 years. I say it’s a red flag because this place is operating as a nonprofit. Shouldn’t a nonprofit not be charging 3-4x more than competitors? They’re definitely not going to give you 70k worth of services.

They really just exploit the poor and POC by signing them up for debt and knowing those ppl would not be able to pay even with a 100k job. They have a very poor understanding about how poverty works.

It had MLM/pyramid scheme vibes when they started making recruiting students a game. They give out tickets to their annual fundraiser or promote you on social media if you refer the most students to them.

I’m one of the lucky ones who was studying coding before I started at the school. Also, job searching is mostly luck, so I was lucky at that too. But I still had to take a job that paid below market. I still wonder what would happen if I went someplace else.

I don’t even put this place on my resume or LinkedIn. Even without these problems, it’s not like anyone would have heard of the place anyway.

No this place isn’t Lambda or Holberton school.

10K bump but salary is probably still below market for the skills I have... Most likely reason? Trump tax cuts...

I can't showcase my skills in interviews assuming I get any... Not motivated in cramming or studying those useless algorithm questions that have little correlation to actual work.

Whatever.... job pays the bills pretty well... Sorta boring as I'm like the biggest fish on the whole team but that's also the upside I guess... May not be true but I think I'm pretty hard to fire...

So now it's sorta 20% work 80% life... So guess I'm done exploring and just gonna exploit...

P.S I wore this while taking a break from solo karaoking.... (Thursday night)

People going crazy over the new Intel CPU exploit. I'm just sipping coffee looking at my AMD CPU that's never done me wrong 🙌

So, there was this time I was a security intern for google, It was my first day as an intern tho :p and I got a little excited about exploring stuff and all at the workplace. Me having a large appetite was mesmerized by the food supplied over there.
I might have sat approximately 2 hours over there fantasizing about how much could I save over food by eating a lot over here and taking some to home.
Then came the SE/SDE guys over my place and we started discussing how there was a loophole here and how one could exploit it. All were heads over heels how was I making calculations for "my" property. All seemed to be pretty interested except for one guy. This guy was over excited how I was managing this and slacking off over the first day. He happened to be a senior lead architect, turns out he shows too much interest in anything he finds suspicious. This wasn't supposed to be rant, but yeah. My story.

Got bit by a hacked repo. It was compromised for all of like 30-some seconds. No intrusions, but now I can't set my root password (passwd goes "oh, yeah, we got this" then it does... nothing...) and Weyland/X/Gnome/Cinnamon/KDE/whatever the kids use nowadays are all busted (they all start, but they just hang tty1 and whatever other console invoked it). Tried reinstalling all those kinds of things, didn't help.

fml

I really hope copilot can make us have the discussion about what right companies have to exploit publically accessible work as fodder for their machine learning systems that they earn money on. Copilot is 100% about trying to monetize githubs users without paying for it.

Exploit development is a really great topic.
The best decision I have made so far.
I tried to do that sort of thing 8-10 years ago, but that was the script kiddie me... To that comes that that my attention span was very low. That is showing the state of my low will power.

You really got to hang in there to go further.
Without extreme will power, you simply won't make it. You will become very frustrated. That's normal. Just never give up on it. Keep retrying. In the end it pays out.
It has a steep learning curve, but in the end you learn so many fricking things.

My Project Lead got me to work overtime, I was doing 150% of what I was supposed to do.
After 4 months of tremendous working and smart planning, I planted a small bug in the software we build, and used that to exploit the Software yesterday morning, and today by 3 PM (Our Usual. Lunch Time), He was fired.
Finally, that donkey is fired and now he must rotten in hell, yeah, he got that stamp on his resume for being fired.

Now I am feeling guilty that I have almost ruined his career (30%), but I am happy, that rascal got what he deserved (70%). Yay!

So I get three wishes, right? Great! I wish I lose 3 wishes.

By that logic I start at three, minus one for the wish, and then proceed to lose another three leaving me at -1. So by our logic, we’d be back at 3 due to underflow.

To exploit this, make one genuine wish and then ask to lose two wishes, underflowing again.

It’s all in how you play the game.

I would get a testing job and thus exploit weaknesses in the ai- created software.

After finding such weaknesses, I would write AI debilitating viruses and WannaCry-like ransomware until I get my job back!

If that doesn't work out, I'd go into linguistics.

Some companies do not hold ethics. They believe that developers are easily available in market and can be replaced any day.

These companies talk about serving notice periods for longer term, and than if they employ some one by then.. the management so called finds flaws in u and asks to leave before completing service period.
When the developer agrees to leave they realise the developer is currently developing a project for the benefit of the same company , than they increase the reliving date again. I mean why can't they be certain on what they want?
These kind of companies only knw to exploit and extract young developers knowledge and every developer should be aware of this type of people .
Also evaluating and review a code cannot be done in few seconds without e1 knowing the project, and specially by some one who holds same experience as u . Bt in only 1 framework . So junior developers before absorbing any feedback from any evaluator, please try to understand the person's background and knowledge in the field he is evaluating u in .

TLDR: NEVER trust FB

Just deleted Facebook so can create a new one... That's well filled with less crap...

Why does FB make it so hard to do simple things like unlike pages....

Thought it wanted to be friends.... But guess I'll just exploit it going forward.

It's not a friend's, it's a tool.

What's up with those fucking internships? Is it a new way to exploit people and have someone do all the hard work that no one else wants to do but for free?

Oh and by the way, if your company is worth more than 10 million dollars and you still have unpaid internships FUCK YOU.

I think it's safe to say I'm not a big (medium) fish in a small ponds.

But now thinking more and more it's it's worth the time that I've already interested plus another unknown amount to try to become a little fish in a bigger pond...

Tying to make something of myself without working for anyone else.

It used to be easy for me, but fear kept me from perusing things all the way thru when I was younger. I never wanted to leave what were decent jobs at the time.

I finally did it. Threw away a very good job to bet on myself.

But the difference is, now I have a family and finding free time in itself isn’t that hard, but finding free time to code uninterrupted for hours... the way one needs to in order to hold a program in ones mind... yeah, near impossible these days, haha.

I have great ideas but I need help to get things to that ‘next level’ where an idea could take off and get real investments. And I need money to pay the help... Just getting the ball rolling would be nice. I used to take it for granted how easily I could get side jobs and be literally the best in town. But now it’s insanely competitive. I don’t even consider Webdesign an option for side work anymore, with sites like Wix and customers that don’t appreciate what I do vs a kid that gives them a Wordpress theme for just the cost of dirt cheap hosting... traditional Webdesign is dead.

But that’s all well and good, i saw that coming over a decade ago and focused more on coding application. I do think there’s a niche for my programming skills, so my current goal is trying to exploit that, or at least see if it’s viable. I just need something to get money to invest in my real projects.

I’d love to hear from people with similar situations! Not sure if I’ll pull it off before I have to go back to work. Although, I viewed never returning to the workforce haha. We’ll see...

After brute forced access to her hardware I spotted huge memory leak spreading on my key logger I just installed. She couldn’t resist right after my data reached her database so I inserted it once more to duplicate her primary key, she instantly locked my transaction and screamed so loud that all neighborhood was broadcasted with a message that exception is being raised. Right after she grabbed back of my stick just to push my exploit harder to it’s limits and make sure all stack trace is being logged into her security kernel log.
Fortunately my spyware was obfuscated and my metadata was hidden so despite she wanted to copy my code into her newly established kernel and clone it into new deadly weapon all my data went into temporary file I could flush right after my stick was unloaded.
Right after deeply scanning her localhost I removed my stick from her desktop and left the building, she was left alone again, loudly complaining about her security hole being exploited.
My work was done and I was preparing to break into another corporate security system.
- penetration tester diaries

Any disposable e-mail address service:
"FIGHT THE SPAM"
"THANK YOU FIGHTING THE SPAM"
"YOU DID GOOD BY FIGHTING SPAM"

The users of disposable e-mail address:
*creates another spam account*
*creates another multiaccount in order to exploit a system*

Companies actually fighting spam:
Now there is even more spam to fight against. (which is not good)

About 2/3 of the accounts created daily on our website are spam accounts. We have to waste our time with this shit instead of actually improving our services. Since we do not track IP-Addresses and there are countless amounts of disposable e-mail domains AND there is still the option to create countless spam e-mail addresses within legit e-mail providers, there is no easy way of stopping this madness.

"Fight the Spam", you could start by deleting your shitty service or at least give us a list of all the domains you're using, srsly.

4200 php files with exploit code removed or cleaned and 12 hours of work, and I can cautiously sigh a relief

Probably the first time I actually wrote a poc exploit for something we didn't write but were trying to win the maintenance contract for. I remember being In a pre-tender meeting showing it off to the potential client. Their face was amazing as my little script exported their database by exploiting some very shady search functionality.

PS. I had permission to do it, don't break systems you don't have permission to break, we also won that contact 😁

How to discover and exploit vulnerabiliy in program or IoT firmware?C++, asm, writing zero-days, i have always been amazed by that. Art.

Right now, everything. I started at a Consulting firm because I expected many new problems to tackle, solutions to develop and generally to always have a fire burning underneath my ass but instead I always develop the same standard bullshit.

I miss the days in my old job when there was just a problem and the task to solve it. When I stared down giant amounts of data, just KNOWING that somewhere in that mess is some structure I could exploit and that short moment of inspiration when I finally pinpointed it. The rush of endorphins when the solution became clear and everything fell into place to form a beautiful pattern amidst the chaos test data, git commits and numpy arrays.

Now its just "Yeah, would you just write another selenium testsuite that throws out fail or pass and wastes all the information because the only reason I'm a testmanager is because I'm too incompetent to do anything else and not my passion for the field".

The constant, mind numbing repetition of always the same patterns where the occasional dynamic element that becomes stale is the highlight of my work week... I would have never thought that making good money with easy work would ever get me as close to depression as it did.

When the pen testers find a "vulnerability" and say it would be very difficult for someone to exploit it. Yeah, in that case they might as well say if you solve p vs np you can break it but it would be very difficult.

I am new to c and cpp.
I used to exploit my college's competitive programming platform cus it had a bad architecture and almost no auth checks.
For every ajax request, they weren't sending auth tokens or any form of identification and ran all the programs without any logs and on the main thread and as root.. wtf, right?
But recently they've changed something to the site and I cannot run bash commands using system() call.
Is there any other way to execute bash commands using c and cpp.
I already configured a miner in their server but then they re-deployed it cos someone forked bomb the shit out of it.
I'm a noob in c and cpp btw!

How are these AI safety dimwits not aware that there are literally people opening PRs on non-toy, legitimately deployable ransomware C&C toolkits on GitHub. full blown CVE exploit kits etc, with readme’s and all.

yet god forbid ChatGPT doesn’t remind you it’s an AI language model so, it isn’t able to make predictions about whether the sun will rise tomorrow.

People started to use ChatGPT to discover a new vulnerabilities (0day), I saw someone use it to help them break a smart contract, I mean if you already found a 0day you might ask it to write the exploit rather write it yourself 😬

F Apple. I've got their touch-driven, motion-sensing, centimeter-thick, supercomputer (by 1990 standards) from 2012, and I can't fscking run Linux on it because my only official choices are the old iOS 7.0.0 over-the-air update and the newest iOS 9.3.5, and no one has published how to get root to either stupid OS so I can run an exploit on the stupid fucking boot loader.

It's called Total Recall. Touchée

Hey guys,

I need your advice about deciding wether to work as a freelancer for a startup or no.
So this French startup is couple years old and they decided to build a team in my country. I went to the interview few weeks ago and we discussed the projects, details, potential salary and everything seemed great.

Couple days ago I received a service contract from them and now I need to decide to work for them or no.

Plan is for them to come to my country, rent an office and I should go there and work for them.
The salary that they offered is medium level and they will not have any legal entity in my country. However it’s not a problem for me since I have my own LTD company so I would pay salary on my own.

However there are some cons:

My team members are being hired as freelancers, however salary is defined with a daily rate instead of hourly and we are allowed to work maximum 20 days a month. It is not clear how many hours a week/month they will expect us to work and at this point I’m afraid to rock the boat with my questions. I understand that I shouldn’t receive any health insurance, sick leave pays, vacation days, home office, pension contributions and so on. But it’s so weird that they pay per day instead of per hour. It screams with unpaid overtime.

Payment time is 30 days after invoice has been sent. So If I started working from September 01, I will send them invoice at September 30, then I will work all October and will receive my money only around end of October. Working 60 days to receive my first salary doesn’t seem nice.

Notice period is 30 days. Which is fine on my end since I can be completely free after initial notice. But in their case if they want to fire me I guess they will simply not give me any work to do and since I’m charged per day I won’t be able to send them any invoice. No employment safety, which means if after 2-3 months they don’t have anything to do I can get royally screwed. But it’s startup nature I guess?

They don’t provide a laptop to work with. I’m lucky since I have a laptop for developing mobile apps, and they said they will at least provide office to work in and a monitor.

All this situation is sending vibes of "we want to save money so we came to your country for cheap labour and now we gonna exploit you"

What complicates matters is that my sister will be working with me and It’s her first job. They agreed to pay her a decent salary and even be flexible with her studies. However this deal for me does not seem too great as I will be receiving mid level salary with no benefits that I would otherwise get.

On the other hand maybe I'm just overthinking this I can just try it out for few months and see where it goes.

Any thoughts?

I realized that my mood swings based on how my gf behaves. She is one of the few triggers

If she is sad depressed angry or disrespectful towards me i am no longer in a positive mood, it kills the whole vibe. On the contrary if she is happy acts feminine behaves normally and is respectful towards me i also become happy and in a better mood

Bad mood does not stop me from doing my work, but depending on how terribly bad it becomes, it may or may not impact my coding and work life. Since the main and central tool for coding is my brain and mental state, not physical muscles, Once the central part of anyone's tool (thats used to get the job done) is attacked or threatened, it weakens the person's ability to perform as good as they have been, or worse, completely blocks them off from performing well

This is one of my biggest fears; Anyone who's capable, intentionally or not, of weakening the central part of my tool for work (in this case mind and mental state), begins to gain power and leverage over me (hold on this is actually a brilliant idea to have in mind, a malicious way to exploit and leverage the target victim is by attacking the central tool they use to get the work done)

However i am a mentally strong person (due to way too much trauma from school, solving extreme difficulty coding problems, hoes and financial struggles), but it does not help if i am attached to a person who i have feelings towards, a person who became the second half of me, "the better half". It is difficult to reject or all of a sudden stop loving the person who you loved for years or months. Such person can more easily attack my central tool

My question is--does anyone know how to protect the central tool from anyone being able to exploit or weaken it? For example if my gfs bad behavior puts me in a bad mood, how to prevent that from happening? How do i not care? Or how do i care but still not let it affect my mood in a negative light? If that makes sense

I created a custom interface for an LMS that allows students to see their marks even if they haven't been 'shared' yet by their teachers. This is all done without accessing any unauthorized apis, as the LMS always returns all student marks and then hides the ones with a False 'shared' key. School administration caught me, so I've now shut it down. I have a meeting with the deans tomorrow. Any advice? (Again, this is all done using existing methods found within this LMS)

My robotics mentor who had never said anything about computers asks some of our good programmers where he can buy 20 raspberry pi zeros.

The next day the PoisonTap exploit goes public.

Coincidence?

PHP is so insecure and vulnerable that it makes me feel unsafe. It has so many features and settings that can lead to security risks, such as register_globals, magic_quotes, and allow_url_fopen. It also has so many functions that can execute arbitrary code or commands, such as eval, exec, and system.

It is like PHP was designed by a bunch of hackers who wanted to exploit every possible loophole.

Microsoft announced a new security feature for the Windows operating system.

According to a report of ZDNet: Named "Hardware-Enforced Stack Protection", which allows applications to use the local CPU hardware to protect their code while running inside the CPU's memory. As the name says, it's primary role is to protect the memory-stack (where an app's code is stored during execution).

"Hardware-Enforced Stack Protection" works by enforcing strict management of the memory stack through the use of a combination between modern CPU hardware and Shadow Stacks (refers to a copies of a program's intended execution).

The new "Hardware-Enforced Stack Protection" feature plans to use the hardware-based security features in modern CPUs to keep a copy of the app's shadow stack (intended code execution flow) in a hardware-secured environment.

Microsoft says that this will prevent malware from hijacking an app's code by exploiting common memory bugs such as stack buffer overflows, dangling pointers, or uninitialized variables which could allow attackers to hijack an app's normal code execution flow. Any modifications that don't match the shadow stacks are ignored, effectively shutting down any exploit attempts.

Ok so I'm parts UI/UX designer in a corporate setting so I use graphic editing software like Photoshop rather extensively.

Obviously, I'm confronted to a lot of admin rights restrictions, which is to be expected.

What I'd like to know is why the f*** does ADDING A FONT in W10 require admin rights ?

What's potential security loophole could one exploit using TrueType font installation exactly ? Or are they afraid someone's going to remove all system fonts from the Fonts folder ? Anybody that does that shouldn't be allowed access a computer afterwards.

It is sometimes shocking to see 10+ developers working on a fairly big project (online quiz). Missing data binding operations here and there, as a result, bunch of sql injections, which successfully led to the entire db full of questions and answers sitting on my desktop.

Vulnerabilities have been reported, took them 2 weeks to understand what happened and fix them.

Pretty sad :/

Probably !dev

How should I inform a government website that one of their user password combinations is in a short metasploit password list. The list name is tomcat_mgr_default_userpass

The top exploit db vulnerabilities for tomcat verison did not work so kudos to them on that. I am just a script kiddie

Edit :- Forgot to mention I am an Indian citiizen

I did learn c and c++. When i got my first job it was support related as Attending calls and providing solutions.

As time passed i came to know that the application company was building has many flaws. From there i learned to exploit that flaws.

So flaws made me to learn to programme. I was 21 when i started. I am 29 now.

I should check out the latest videos at egghead.io, I should convert to Angular 2, I should start using es2016, I should learn c, I should continue on the cryptopals challenges, I should fully understand floats, I should learn how java works under the hood, I should learn the details of how the drammer exploit were done, I should make a dinner planner, I should continue the Golang tutorial, I should check out the game of my colleague's game attempt, I should engage in an open source project...

Playing cs:go with a nagging bad conscience... Again!