chasemiller's comments

chasemiller | 4 years ago | on: Ask HN: Is domain squatting still profitable? Is there a solution?

I think it's important to differentiate between domain name squatters and domain name investors. Squatters are typically registering trademarked names with the hopes of flipping them to the trademark holder, or registering accidentally expired domain names with the hopes of selling them back to the previous registrant (as in OP's case). This is wrong.

Legitimate domain name investors are typically investing in generic words, brandables, or exact search term match domains.

I used to get mad about domain investors having every name I wanted to use for a project, until someone analogized it to real estate investing. Everybody would open their store on Fifth Ave. in New York City if they could afford it. Unfortunately, storefronts there are very limited. This is basically what generic, one-word .com domains are (frequent sales of $1M+). Domain names are just digital real estate.

chasemiller | 5 years ago | on: US Treasury to Allow Blockchains, Stablecoins for Bank Payments

This explains the 30% 24hr growth of Stellar. Stellar has been working in this area for years and is built to facilitate exactly these types of transactions. I think they are probably the best positioned to take this on.

Also, Stellar USDC support was already slated for February.

chasemiller | 6 years ago | on: Cybersecurity Pros Name Their Price as Hacker Attacks Swell

Bug bounties are a great way to get your feet wet. I've seen many devs (especially web devs) have a lot of success hacking on websites that are built with frameworks they are familiar with. I would recommend checking out Bugcrowd or HackerOne to get started.

Besides that, there are a ton of great online courses such as PWK/OSCP, and labs (Hack The Box).

chasemiller | 9 years ago | on: Changes to Evernote’s Pricing Plans

An OK product/service that I have stuck with for too long out of stubbornness/laziness. I would understand these changes if it seemed like there was actually active development happening on the product.

I'd say "any suggested alternatives" as well, but I think I can just read the other comments. :)

chasemiller | 10 years ago | on: Show HN: Building a Market for Penetration Testing

Hey @kenbaylor! I think that this is an awesome approach to addressing the issue of the infosec employee shortage. I've actually been kicking around the idea of building something similar for a while now, so it's exciting to see someone making progress in the area!

I saw the StealthWorker table at Shmoocon and wanted to swing by and ask some questions, but I got distracted by some of the other goings-on. Anyways, I finally got around to signing up a few days ago.

One issue that I have from the pentester's point of view is the lack of transparency after sign up. I haven't seen any confirmation that my application was received and is under review. However, I understand that StealthWorker is still in its infancy so this is understandable.

Excited to see what the future of StealthWorker holds!

chasemiller | 10 years ago | on: Ask HN: How do startups value security?

The equity question was mostly theoretical to get a better idea of how startups value security among their early employees. I completely agree that the business model would likely be unsustainable.

chasemiller | 10 years ago | on: Ask HN: How do startups value security?

Hey dsacco, thanks for the great reply! I am a security guy on the outside of the startup world looking in and I was just trying to get a better feel for what the security landscape looks like.

> You'll find that startups between seed funding and Series A are most likely to care about security. They have the funding to pay external firms for audits but they won't want to invest in a full-time security team just yet. After that, if they eventually get to "enterprise" level they'll care more about security and have both an in-house team and external reviews.

I figured this was the case. Pre-seed startups are too concerned with getting something to market and most who raise (and have something worth owning equity in) would have the funds to outsource to you.

> As for your proposal of equity, I would never do this. Frankly, security services are closer to insurance than they are to building positive value. I have interacted with many startup founders, and most would not take an equity proposal like that for this reason. There are several obstacles.

The equity for security question was mostly hypothetical to get a better understanding for how security is valued among early employees. When I read the title of Jason's article, "It’s Time For You To Make Security a Core Feature — Not a Tax" all I could think of is what a hard sell that would be to both founders and customers, and you confirmed my assumptions. I completely agree that the business model is not sustainable.

Thanks again!
