turtles's comments

ah, cheers.

I assume the reason for doing this is to confirm the symmetric key now in use is known between both parties?

In the TLS handshake: "The server generates its own hash, and then decrypts the client-sent hash to verify that it matches"

The server decrypts a hash? But thats not how hashes work.

“30 seconds”. You should have told him 6 hours. If he needs it done quicker hire someone else. Enjoy your day.

Yeah. I'm also like wtf. The website looks about 10 years old.

I assume the owners have good communication, and persuasion skills. Which is admirable, since I lack them.

Hi, this is a bit of a random one, but I have product that relies on GPS accuracy, and would love to hear if you guys have any ideas on how I can improve this, as well as my current implementation. Mind if I drop you an email? Cheers.

Had been thinking of moving to CA, but might as well stay in Sydney by the sounds of it.

Is there a possibly for the Senior Security Engineer role to be remote?

This is not the type of Uber driver I want. I don't want someone complaining about their life choices when I'm paying for an agreed service from A to B.

This is a big problem with taxi drivers is australia. At 2am you'll be lucky to get a taxi home, because they change over at 3, so they don't like to go 10 minutes in the opposite direction.

I'm glad there is the Uber alternative!

ah. Thanks!

A junior pentester as remote, thats risky.

Can someone please ELI5 why this is good, and what they can be used for? I'm assuming machine learning...

Son, you've got the wrong attitude.

Using IQ as an indicator for a good candidate is flawed, and just plain stupid. That would not be a company I'd have any interest in working for.

Some honest feedback. I can see you put a fair bit of effort into making this. However, I don't fully understand the idea and this is a big problem.

From what I do understand is I can create passwords using this, and write anonymous messages. 1, why wouldn't I use a simpler password generator in a password storing app. 2, why wouldnt I just post on a forum with an anonymous account.

In addition to this, the gui is not obvious and does not flow well.

I'd suggest personally investigating these points further, for learning purposes. Then each time you come up with a new idea, Google the crap out of it and see if anyone else has made anything similar, or if you could do it better. Both of these points could have essays around them! This will drastically help you assess your market before putting in a lot of time to build something.

I've been in your position a number of times.

Yes, sorry, my statement was lacking context. I was referring to someone selling to a criminal organisation.

Can be lucrative, but time consuming. When I got home from work, I'd be straight on my computer looking for 0days. I'd basically do this most nights and weekends. While I was at work, I'd also be checking my fuzzers, seeing if I had any new exceptions. I'd even take holidays if I was working on something I was really interested in, or had found a bug and was trying to exploit it.

I had quite a lot of fun for years doing it, though it was draining and I grew tired of it. When I'd see an exception I'd get so excited - it was like a constant rollercoaster of highs then it would flatten out to a middle area, eventually hitting low when your fuzzer was finding less bugs. I find the VR cycle goes like this, at least for me:

* research your target - obtain a whole bunch of background knowledge, e.g. protocols or file specs. Hopefully you can find out what you want on-the-line, otherwise you have to try your best at reverse engineering (RE) your target.

* depending on how you're hunting for vulns, you'll be doing either fuzzing or binary analysis (RE). So if you're fuzzing, you need to write your fuzzer. The offset on time regarding fuzzing vs binary analysis (a topic of its own!) I usually find comes out relatively evenly (target dependant however).

* running your fuzzer (obviously not required if you're doing binary analysis)

* going through your exceptions, narrowing them down based on exploitability from the little crash dump info you have. Then figuring out what caused the crash. This can be quite difficult and time consuming depending on your target, for example, analysing a crash in a compressed stream in an adobe reader document. Again, as an example, if you have 10 unique crashes this can take a while.

* now that you understand what went wrong and you believe it is exploitable, you need to figure out how to do just that. I like to think exploitation is a field of its own. Some of the best exploit writers dont do so well finding 0days, but exploiting them is another story!

* then the easy part, mail your people and wait to see an offer.

You need to be able to motivate yourself to do well in VR. As I mentioned at the top of this post, seeing an exception would be a pretty big high for me, chasing this is what I think enabled me to do it for so long. All this takes so much time, from a couple of hours to days to months. While I'm on it, I often hear people say you need to be smart to do this type of stuff. Not true. Persistence is what is required. Being smart only takes you so far.

In the end, there's easier ways to make money, though I wouldn't be where I am now if I never did vuln research (VR). Still got friends that do it now, they never seem to tire from it!

I would highly recommend anyone getting into security to do VR for a period of time. Release a bunch of bugs responsibly to the public for free - it gets your name out there (can be worth more than the bug itself in the end). Only after you've released a few publicly should you look at selling the next. You learn lots of different skills you'll use throughout your security career and it will put you into that top tier of security professionals.

I still do a bit here and there. Its not as stimulating as it used to be for me anymore. :(

Overall, its a pretty awesome life.

* Apologies if there are typos above, didnt have time to review it.

Its straight up illegal.

What OP doesn't mention is that there are legitimate brokers. You dont have to use those shitty hackerone services.

If you have something now and you want to immediately get rid of it, the best place to go is somewhere like ZDI. Eventually you'll make contacts with legitimate companies though. I've met contacts through conferences or people I know. Most people I know, wont buy from just anyone - since its risky for them also.

Source: I did this for many years. Works out to be an awesome bonus on your current day job!