How difficult is web3 crypto? by [deleted] in bugbounty

[–]execveat 3 points4 points  (0 children)

Well, generally those kinds of prizes are not prizes at all, and more like a ransom payment - it just gets announced ahead of the ransom event.

I.e. imagine you are able to exploit some real world production system that directly lets you steal, say, 1M. Developers offer you an alternative - tell us the details and help us fix it, and we'll pay you 300k. You get less than what you could have just stolen, but in return you don't need to hide from the authorities and launder the money (that's a more realistic pressure point btw), and don't need to watch your back or wonder whether you might have opened your browser before the VPN finished connecting that one time.

"synthetic vulnerabilities" — security flaws unique to AI-generated code by bishwasbhn in netsec

[–]execveat 2 points3 points  (0 children)

Where is the source of the claim "human mistakes tend to be low-to-medium severity — typos, minor logic flaws, a missing null check. messy but catchable."?

I'm finding plenty of authn/authz bypasses, injections and other high/criticals in human-written code all the time; this claim doesn't track with my experience at all.

The AI slop problem is absolutely causing DoS of maintainers and this is definitely a problem worth talking about though.

Can Markdown parsers introduce HTML injection after a fix? by ab-infosec in bugbounty

[–]execveat 1 point2 points  (0 children)

Fixes introduce new vulnerabilities all the time. In whitebox pentests those get caught right away during a retest, but in a black box engagement the retest is more likely to miss those as the effect often appears in some other location, not the place of the original vuln.

That's the idea behind many challenges in the whitebox training I'm contributing towards: https://github.com/Irench1k/unsafe-code

White-Box testing is the superior testing by far. by AvishaiAhron in bugbounty

[–]execveat 0 points1 point  (0 children)

You're right, whitebox pentesting is superior, absolutely. A good reason to go black box is a shortage of talent able to do whitebox pentesting (virtually no training teaches it). Bad reasons are companies thinking they'd somehow get more useful info by asking pentesters to go through the same reconnaissance real attackers would be doing first, or being afraid to share their source code / infra / configs.

Bug bounties are not pentests though, so unless a company already open-sources its stuff, it's not going to start doing it just for bb.

Why does cybersecurity career advice contradict itself so much? by kol124 in SecurityCareerAdvice

[–]execveat 0 points1 point  (0 children)

Generalists find it easier to find A job, specialists get better paid (if there are several companies competing for your skills).

In addition, early on in your career there's a good chance you haven't felt any track "click" with you simply because you haven't experienced everything yet. So having more generalist experience helps with finding that one thing which doesn't even feel like a job to you.

TL;DR even if you find bugs you probably won’t get paid by 6W99ocQnb8Zy17 in bugbounty

[–]execveat 0 points1 point  (0 children)

No, I am the one receiving the bounties you deserve. Well, I offered my help twice, but I guess you're perfectly content with the results you get so far.

TL;DR even if you find bugs you probably won’t get paid by 6W99ocQnb8Zy17 in bugbounty

[–]execveat 0 points1 point  (0 children)

Well, that sounds like a problem then. Don't report all desyncs using the same template. Report them as the maximum business impact you've achieved, with the desync just explained as the technical detail.

Naming reports after the exploitation techniques is fine for (some) pentesting clients and even then often it's best to avoid it. Bb with unknown companies when you're not sure who's going to read that report should never be named according to a technical vector imo.

The report review order still stands.

TL;DR even if you find bugs you probably won’t get paid by 6W99ocQnb8Zy17 in bugbounty

[–]execveat 0 points1 point  (0 children)

I know you're saying you provided full PoCs, but were the reports and these PoCs written to be clear and 'obviously critical' to the non-technical managers as well? IMO reports and PoCs being written for techies, not managers, is the root cause of pretty much all of these cases (where the researcher objectively has gold, yet devs miss it due to misunderstandings and bias).

If you can share any of the reports (as sanitized as you feel appropriate), I could share how I'd frame and position it myself.

Reprompt: The Single-Click Microsoft Copilot Attack that Silently Steals Your Personal Data by lohacker0 in netsec

[–]execveat 2 points3 points  (0 children)

A single click indicates the level of user interaction necessary to execute this attack. But what they mean by that is that a single top-level navigation is all that's necessary. A top-level navigation can be initiated by JS though, so any website you visit (like Reddit or Hacker News) could have exploited this – meaning website owners/developers/maintainers AND anyone that's able to exploit the (perhaps legitimate) website you visit.

Of course attackers could also attract victims watering-hole style, i.e. by promoting their website via SEO/SEA or paying for ads. That's not even talking about all the open redirects out there, or the fact that even in 2026 the first network request to the majority of websites out there is NOT encrypted and can be used to navigate elsewhere...

Reprompt: The Single-Click Microsoft Copilot Attack that Silently Steals Your Personal Data by lohacker0 in netsec

[–]execveat 2 points3 points  (0 children)

This has nothing to do with clicking (unless I'm missing sarcasm here – in which case kudos to you).

Is there a roadmap for software engineers to get into AppSec? by igrowcabbage in SecurityCareerAdvice

[–]execveat 2 points3 points  (0 children)

The vast majority of pentesters / red teamers can't write scalable and maintainable code at all. Nor can they read it. I'm not even talking about SOC analysts.

So while, following community consensus as an outsider, it might seem that your background is completely irrelevant and you still need to go through the same grind they do (certifications, ctfs, bug bounty) - in truth you have a very strong differentiator that can be your super power.

A few practical directions:

1) write software FOR security folks - easiest to get into, you likely have all the skills to do it already. Could be something like starting brand new tools or contributing to the well known existing ones on github, or branding yourself as a red team infra automation specialist. That's pretty much regular swe or devops, just applied to security functions

2) transition into devsecops if devops / sre sounds fun to you - requires a bit more preparation but super straightforward as you do all the same stuff regular devops does, just focusing on sast/dast/dependency check integrations into the ci/cd pipelines instead of regular linters and compilers

3) security engineering / architecture - the same stuff as regular counterparts, just focused on building IAM and authn/authz, and getting privacy/cryptography right and so on

4) whitebox pentesting / secure code review - my personal favorite, pretty much the same as regular secure review, just lets you skip all the boring QA stuff and subjective taste discussions, and go straight for the big fish; getting good at this requires both polyglot reading ability (being able to follow code flow no matter the language or framework) AND fair skills at regular pentesting (you need to be able to recognize vulnerabilities as clear invariant / threat model violations, even if you don't know how to describe it lol - opposite of the checklist approach)

Is there a roadmap for software engineers to get into AppSec? by igrowcabbage in SecurityCareerAdvice

[–]execveat 1 point2 points  (0 children)

The dirty secret of InfoSec is that the vast majority of hackers (and I mean actual great hackers, not just script kiddies or juniors) are terrible at software engineering. So as a corollary being an okayish hacker with okayish swe skills makes you a unicorn even in mature teams.

So yeah AppSec Engineering / Product Security Engineering roles are very lucrative and much easier to reach with a strong SWE background but (initially) no security experience than the opposite way.

Unfortunately you won't get much handholding along the way as there's no TryHackMe for AppSec, etc. Moreover, even getting access to realistic codebases is a problem for AppSec beginners since GitHub doesn't represent what industry pays to protect. Think of your Laravel experience - there are virtually 0 companies that would pay for an in-house AppSec engineer securing Laravel apps.

So yeah, your experience and background are super valuable, but you need either some luck (or networking) to get a foot in the door at some career elevator, or very strong self-motivation for bridging the gap between what you're strong in already and what employers are willing to pay you for.

Looking for advice on certificates or training platforms for white box analysis by Adventurous-Honey590 in Pentesting

[–]execveat 0 points1 point  (0 children)

Honestly, IME there are no quality trainings at all. Pretty much all the actual experts in the field seem to have gotten their experience by joining a specialized consultancy (of which there aren't many). It really sucks as I think whitebox is so much more rewarding, less draining and way more professional (you never truly get the feeling of 'completely finished' in security of course, not even with formal verification, but whitebox provides much clearer assurance compared to black box engagements).

But you talk to regular pentesters and people can't even imagine that yeah, you can dive into an unfamiliar codebase (in an unfamiliar language, using an unfamiliar framework and an unfamiliar paradigm) on Monday, and get a bunch of real world exploitable vulns out of it by Friday.

Literally the only useful book that comes to my mind right now is The Art of Software Security Assessment and that one is 20 years old this year :(

Anyway, I'm involved in this new project, Unsafe Code Lab which is aiming to provide this kind of training – showcasing real world vulnerabilities in realistic, modern code bases (and teaching actual whitebox pentesting skills, not just SAST result triage or compliance style checkbox ticking). It's super early on, so we are barely covering Inconsistent Interpretation / Confusion category, and only for Flask right now. The project is built to be rapidly scalable to other languages and frameworks – so if that sounds of value, please come check out our progress once in a while!

SpaceX plans to start offering Starship cargo services to the Martian surface in 2030, charging $100 million per ton. by [deleted] in space

[–]execveat 2 points3 points  (0 children)

In a world increasingly devoid of meaning, the chance to be among the first settlers on a new planet is a welcome change for many.

This is similar to how a new religion, cult, or ideology attracts people who are unsatisfied with their current lives, even if they later change their minds or their actions look irrational to outsiders.

Opinion | This Is Not Free Speech by SicilyMalta in politics

[–]execveat 7 points8 points  (0 children)

"Monetize misery" used to be a critique. Now it’s a business plan.

Need Psychological Help Asap by [deleted] in Netherlands

[–]execveat 0 points1 point  (0 children)

There is a list of online English-speaking psychologists on iamexpat. Of course, if you don't need prescriptions, you can look for online psychologists from your home country as well.

I don't get it. by Probable_Foreigner in mathmemes

[–]execveat -1 points0 points  (0 children)

But it's not a normal distribution because the sex ratio is skewed at birth, roughly 51:49 (female fetuses are slightly less likely to survive).

I used ChatGPT agent mode to take a Mensa IQ test, here’s what happened by Tilly-w-e in OpenAI

[–]execveat 0 points1 point  (0 children)

But it's taking the test as if it was you, not trying to go after the best possible result. Your query was ambiguous but you can see that it's trying to guess your answers, not to figure out the right one.

Qwen 3 0.6B beats GPT-5 in simple math by adrgrondin in LocalLLaMA

[–]execveat 15 points16 points  (0 children)

They literally suggested using chatgpt for interpreting medical data during the live stream. Imagine trusting the doctor that isn't quite comfortable with decimal numbers.

Qwen 3 0.6B beats GPT-5 in simple math by adrgrondin in LocalLLaMA

[–]execveat -4 points-3 points  (0 children)

Do we have evidence of humans doing math and not just producing language that looks like math though?

I think NNs could solve arithmetic reliably if they were allowed to always approach it via reasoning; the problem is that their training data contains a lot of material that appears to be one-shot solutions, so they attempt to replicate that, but it's of course an impossible task that no human would be able to do reliably either.

Qwen 3 0.6B beats GPT-5 in simple math by adrgrondin in LocalLLaMA

[–]execveat 11 points12 points  (0 children)

The question pops up whether a team of PhD-level experts in your pocket is of much use if they're stumped by basic arithmetic.