I actually really like Qubes OS. I managed to get it installed on a flash drive (which took two flash drives) and I can just plug it in and run it.

Screenshots are a pain in the ass, though. Had to write (copy) a script for them.

Anyway, I'm backing up my main HDD in case everything explodes on me, but I'm going to try to move my Windows install over from legacy to UEFI to keep up on my PC's security. Wish me luck in.. Like, 10 hours.

At 4/12/16 01:29 PM, Glaiel-Gamer wrote: just saying Bombernauts actually did start off as a networked multiplayer co-op roguelike and I got as far as adding bombs and tiles and was like fuck it this is enough

3 years later and its not done yet

I understand. It's just not very constructive.

The nearest PC repair place is 10 miles from here.
There's an outdoor-mall area with a ton of cheap, unused offices.
It's directly next to a ton of housing and food places/general stores.
I know a thing or two about computers.

Hmmmm....

At 4/19/16 09:26 PM, egg82 wrote: The nearest PC repair place is 10 miles from here.
There's an outdoor-mall area with a ton of cheap, unused offices.
It's directly next to a ton of housing and food places/general stores.
I know a thing or two about computers.

I've worked as a computer tech and tech support for an ISP and they were both pretty shitty jobs that were not at all worth the money. But if you can tolerate dealing with computer-illiterate people who will often blame you for things that aren't your fault, more power to you.

At 4/19/16 09:45 PM, Diki wrote: I've worked as a computer tech and tech support for an ISP and they were both pretty shitty jobs that were not at all worth the money. But if you can tolerate dealing with computer-illiterate people who will often blame you for things that aren't your fault, more power to you.

I wouldn't be able to tolerate the people who torrented a new game or something and get malware from it.

I'd also prolly install EMET on every computer set to opt out/lockdown mode.

At 4/19/16 09:45 PM, Diki wrote: I've worked as a computer tech and tech support for an ISP and they were both pretty shitty jobs that were not at all worth the money. But if you can tolerate dealing with computer-illiterate people who will often blame you for things that aren't your fault, more power to you.

Part of me is a bit iffy on the idea because of that, but I honestly think with MSSE and EMET running silently in the background it should be alright.

Also, I've been in sales/customer service as well as IT myself. Believe me, I know exactly what I'm up against when it comes to both incompetence and getting blamed for random shit.

I know a guy that still blames me for just about everything wrong with his computer now even though he's gone through two new OSes and a new PC.

I also managed to pull a cheez-it out of a disk drive. Dunno why there was a cheez-it in the disk drive, but I don't question much any more.

At 4/19/16 10:14 PM, MSGhero wrote: I'd also prolly install EMET on every computer set to opt out/lockdown mode.

I was thinking I would have problems with setting everything to "Always On" but I set EMET up like this months ago and I haven't seen a single issue since.

At 4/19/16 10:49 PM, egg82 wrote: I was thinking I would have problems with setting everything to "Always On" but I set EMET up like this months ago and I haven't seen a single issue since.

I'm honestly not even sure I have it set up correctly. Nothing is highlighted in the "Running EMET" list, but I have everything but ASLR set to opt out.

I did have an issue with Spotify on like DEP or EAF or something, but it's not even listed in my app mitigation config panel now.

I just kinda installed EMET on the new comp and never looked back

Edit: I'm also on a beta (5.5), so maybe there are issues?

At 4/19/16 11:10 PM, MSGhero wrote: I'm honestly not even sure I have it set up correctly. Nothing is highlighted in the "Running EMET" list, but I have everything but ASLR set to opt out.

Always On is like Opt Out except that no programs can opt out.
I'm also running 5.5 - maybe it's the OS? Win 10 Pro x64

The whole "running EMET" thing is weird because it says nothing's running but when you look closer you can see what's being deployed on each item. Except that I don't have Outlook installed. Weird.

Also, I use the video downloader because YouTube sometimes likes to fuck with me and not load videos and then complain my connection speed sucks. Yeah. Apparently 600 down average isn't enough for it, but then other videos will play just fine at 1080p60 with me choking my connection speed down to 40.
The downloader itself is shareware (nag screen and that's really it) and seems sketch, but looks and works fine. Meh.

On a side-note, you would think hacking into the DoD's websites would be difficult, but they leave one hell of an attack surface wide open. That's only one one their websites.

This is where I realize they've deployed ModSecurity and I'm all sorts of fucked.

Also, they're hiding their IP address. I may have to try to get that from them if I can and see about performing a more standard pentest since I'm not fantastic at web-based application attacks.

At 4/19/16 11:56 PM, egg82 wrote: On a side-note, you would think hacking into the DoD's websites would be difficult, but they leave one hell of an attack surface wide open.

So wait, are you just pentesting random sites, or are you getting permission from them first? If you're not I'm pretty sure this is all sorts of illegal.

At 4/20/16 02:00 PM, PrettyMuchBryce wrote: So wait, are you just pentesting random sites, or are you getting permission from them first? If you're not I'm pretty sure this is all sorts of illegal.

https://hackerone.com/hackthepentagon
Hack the Pentagon ;)

They have a scope which I'm following strictly, but I'm having issues on gathering even basic information. Makes it incredibly difficult to pentest since for now I'm just operating on blind guesses.

At 4/20/16 02:47 PM, egg82 wrote: They have a scope which I'm following strictly, but I'm having issues on gathering even basic information. Makes it incredibly difficult to pentest since for now I'm just operating on blind guesses.

Ah ok. That's awesome. Have you ever claimed any bounties before ?

At 4/20/16 03:26 PM, PrettyMuchBryce wrote: Ah ok. That's awesome. Have you ever claimed any bounties before ?

Sadly no. All the pentests I've done have either been free for small businesses (resume building) or simply because I needed to borrow some random person's WiFi while I was in the area.

I've been thinking about doing something like that, but honestly I'd be competing with people who do this kind of thing 24/7 and I simply don't have the time. I'm also not THAT skilled. A lot of these are web apps and, again, I'm really not that good at attacking web apps. I do better in networks or attacking IPs directly. ModSecurity doesn't exactly improve the odds, either.

I was gonna say, I thought off-the-shelf pentesting software was usually pretty outdated and bad. It's my thinking that a lot of these people who are able to claim bounties from tech companies are privy to some vulnerability in a piece of technology that these companies might use (Rails, node.js, nginx, openssl) first, and then proceed to sniff around public APIs for a way to exploit this vulnerability.

I've always wanted to claim a bounty. I mean, you have to think that some of these APIs are enormous like Open Graph. There is probably something there to find, but like you say there are lots of professionals working 24/7 to find them which know 100x more about this stuff than I do. So probably won't happen.

I did make the Twitter API 500 once while sniffing around. That's about it.

At 4/20/16 04:56 PM, PrettyMuchBryce wrote: I was gonna say, I thought off-the-shelf pentesting software was usually pretty outdated and bad.

Depends. Most stuff that comes with Kali is good, and most of the time it only helps with information gathering anyway so the pentester has to be on top of vulns. Since I don't keep on web-based vulns (because I'd go insane if I did) I'm not huge into web pentests.

It's my thinking that a lot of these people who are able to claim bounties from tech companies are privy to some vulnerability in a piece of technology that these companies might use (Rails, node.js, nginx, openssl) first, and then proceed to sniff around public APIs for a way to exploit this vulnerability.

It's possible, but most of the time it's people sniffing around with specialized tools on a single target. WPScan is a good example of a higher-level, specialized web analysis program.

I did make the Twitter API 500 once while sniffing around. That's about it.

500 could potentially be a start. It's worth checking out, as are 403s. Not a guarantee of anything, though. In fact, 403s are indicative of ModSecurity more than anything else these days. I remember when the web was simpler and a 403 actually meant someone was hiding something :(

Another fake tech support scam, but this time they actually speak English.
During the entire call I was worried the company was actually legit. I did some searching after and figured out it was a scam, though.

At 4/23/16 05:22 AM, egg82 wrote: Another fake tech support scam, but this time they actually speak English.
During the entire call I was worried the company was actually legit. I did some searching after and figured out it was a scam, though.

Nice. These people are scumbags. Not sure they're doing anything illegal, but I'd agree that charging naive people to install garbage software is a pretty shitty thing to do.

I managed to kill a Wal-Mart monitor today by plugging it into the wrong port. Whoops!
Eh, at least they're still paying me.

I should be linking to this whenever I talk about multiplayer security.

At 4/27/16 01:13 PM, egg82 wrote: I should be linking to this whenever I talk about multiplayer security.

That is.. very surprising. For my current game I am making everything 100% server authoritative, but I will say that I can understand why some games would not be interested in this. Whether it is for performance reasons, or time reasons I think there are valid exceptions to the rule. You can definitely build a successful and fun game without doing this the "right" way.

For a AAA game, however; I'm not sure there is a good excuse.

I remember a long while back, we had just discovered that in AS3, if a FileReference object lost scope, your download or upload would cancel. I don't remember who specifically was part of this, but I remember it being a massive shock and only one sentence in the API docs.

Well, I'm saving and loading with OpenFL, which just uses flash's native methods on flash export. It turns out, if you try to browse/load a file, you need to be listening for both a PROGRESS event and a SELECTED event. If you're only listening to one, neither will dispatch. I distinctly remember from years ago thinking loading local files (which load ~instantly) was impossible and giving up on trying to load something.

Fuck.

At 4/27/16 08:03 PM, MSGhero wrote: Fuck.

Speaking of dumb shit that makes no sense: I was making a site for a client who wanted mobile support, and the site required a lot of JS stuff for it to function more intuitively. I found out that on iOS (and probably OSX) that elements will not trigger a click event if they're not an anchor element or if they do not have a pointer cursor style set in the CSS. (Regardless of which web browser is being used; happened in both Safari and Chrome.)

That was a fun glitch to debug.

Like, I've never had much respect for Apple or their products, but Christ. This is beyond retarded. Why the fuck would CSS styles change functionality in JavaScript? This is why I never support Apple products if given the choice.

At 4/27/16 08:03 PM, MSGhero wrote: Stuff

Speaking of Haxe I was bored last night and decided to try out OpenFL again. Last time I used it I was pretty disappointed with how frequent the cross-platform inconsistencies came up for me.

Unfortunately due to a Haxe bug I couldn't even run the setup script for OpenFL:
https://github.com/HaxeFoundation/haxe/issues/5155

Welp.

At 4/28/16 02:35 PM, PrettyMuchBryce wrote:

Speaking of Haxe I was bored last night and decided to try out OpenFL again. Last time I used it I was pretty disappointed with how frequent the cross-platform inconsistencies came up for me.

Unfortunately due to a Haxe bug I couldn't even run the setup script for OpenFL:
https://github.com/HaxeFoundation/haxe/issues/5155

Welp.

??????

Haxe 3.2.1? haxelib install openfl? haxelib run openfl setup?

And what does that issue you linked have to do with it?

At 4/28/16 05:05 PM, MSGhero wrote: And what does that issue you linked have to do with it?

I get an error "Invalid field access : split", when trying to run the setup script.

Looks like it has something to do with the way that the toString() method is defined in Haxe.

https://github.com/openfl/openfl/issues/1058

At 4/28/16 06:28 PM, PrettyMuchBryce wrote: I get an error "Invalid field access : split", when trying to run the setup script.

Looks like it has something to do with the way that the toString() method is defined in Haxe.

https://github.com/openfl/openfl/issues/1058

You can add me on skype (MSGhero16) if you want help because I did not encounter that issue when setting up openfl on my new comp. Furthermore, the haxe issue was milestoned to 3.4, and 3.3 is the next release. And you aren't the first person to install OpenFL in the months since haxe-master was updated to 3.2.1.

Making a new program that I've been needing for a while.
Uses Tor and Privoxy to create a proxy server that round-robins requests through random Tor nodes.

I'll be using it to bypass IP blocking when brute-forcing passwords, but I can see a lot of other use for it.

Obviously not done and still buggy, but the PoC is there. I'll upload to Github when I'm done.

(I'm aware that what I'm creating already exists here, but it isn't cross-platform)

I didn't check the video I posted and apparently it got cut off at the end. Weird.
Repost.

Edit: Holy christ what is with my recording software right now?

There!
Done. Jeez. Didn't think it'd be that hard to record a quick video :/

Just got a scam call @egg82. I'm not comfortable enough to troll him, but he knew my number and what model computer I have. Looked up the number, and people have had their product numbers read out to them and stuff. Like where does this person get that info?

Unless I have actually been downloading malicious files every day, i.e. lecture notes for school.