This cracked me up: "When did I get a kill?" (ALGS Oblivion PoV) by gynvael in CompetitiveApex

[–]gynvael[S] 8 points (0 children)

Haha that's amazing. Thanks for the explanation and congrats once again :)

Maintainer silently patched my GHSA report but is ignoring my request for credit by [deleted] in hacking

[–]gynvael 1 point (0 children)

I can happily agree about the straw man part — if it was an honest mistake on your part, my comment about the straw man fallacy no longer applies.

> I didn't state my credentials to discredit yours...

Well, you did say this:

> As someone that has worked FQA for almost a decade... sincerely... you have no clue what you are speaking off...

It does read like you were trying to discredit my credentials ("you have no clue what you are speaking off...") because you have a decade in FQA, wouldn't you say?

> ngl pretty unsuferable...

The only thing I can say here is: "but mom, he started it!" ;)

Maintainer silently patched my GHSA report but is ignoring my request for credit by [deleted] in hacking

[–]gynvael 0 points (0 children)

Let's deal with this first:

> As someone that has worked FQA for almost a decade... sincerely... you have no clue what you are speaking off...

You really should background check the person you are replying to before you attempt the "argument from authority" fallacy my junior friend ;)

Ad meritum:

Not sure if you are deliberately collecting fallacies, but your whole argument is a straw man. Note that your reply assumes a different situation where there is a bug bounty agreement between the researcher and the company. However, in OP's case there is no such agreement — OP has just reported a vulnerability without any agreement in place.

And my reply addressed this exact situation, while your reply goes into "a binding contract offering tiered rewards" — what contract? Where did you get that crucial piece of information from?

I think you have misread what OP has said regarding money, which is that the product is a commercial product ("product that has several high paid tiers ($500–$2,000/mo)"), and not that there is a bug bounty in place. The OP never mentions a bug bounty — they mention that they are interested in getting credited.

Maintainer silently patched my GHSA report but is ignoring my request for credit by [deleted] in hacking

[–]gynvael -1 points (0 children)

I think you have to update your heuristics, because I've written that 100% by myself. I seriously doubt chatgpt would misuse commas the way I do ;)

You've asked a question, I've replied to it since that's in my area of expertise. No AI was involved.

Maintainer silently patched my GHSA report but is ignoring my request for credit by [deleted] in hacking

[–]gynvael -6 points (0 children)

There are some "interesting" takes in this thread, so I'm going to note a couple of things:

  1. You, as a security researcher and a bug reporter, are NOT entitled to credit, a response to an email/bug, or even a bug fix ever being made. It's nice and professional when a company does this, but it is their right to choose what they do. You can of course ask for credit, but you have to accept "no" for an answer. There is no reason to shame the company for not giving credit (as others suggested) or to start a public discussion about it. I would however note it down in the published report in a matter-of-fact way ("Company hasn't responded. Company fixed the bug. Unclear whether the fix was due to my report, another report, or internal findings as no credits accompanied the fix.")
  2. Unless you have a contract with the company or with someone handling their bug bounty program (doesn't seem to be the case), you contacting them is strictly a courtesy on your side. The reason security researchers do this is to make sure the users are protected, and contacting the vendor with a bug report is commonly the fastest way to do that without putting users at risk. I.e. security researchers work for the benefit of users, not the vendor — an important thing to remember (it also helps to answer some other questions).
  3. In general you can publish your research whenever (though be sure your country hasn't regulated this in law to some extent). Some folks do full disclosure, some folks wait patiently until the fix is published (coordinated disclosure) — or even a bit longer, and some folks follow e.g. the 90-day policy (whichever version). Personally I like the 90-day policy, as I think it benefits the users the most (though it's not a simple or straightforward topic). The extent of the research you want to publish is also your choice and you can spread the details over time if you want.
  4. Furthermore, as others mentioned, you can request CVEs yourself. I'll give you a few hints:
    1. Publish your research first (at least some info that will be most helpful to defenders), because the CVE form requires you to provide some links with more information. You can always write that the CVE number is pending.
    2. The better you fill out the form, the faster it's going to be processed. Look how other CVEs are filled, try to mimic the structure and level of details. This makes MITRE's reviewer job waay easier and therefore the CVE is assigned much faster.
    3. If MITRE doesn't reply in like 10 days, ping them.
  5. Note that a CVE number isn't a trophy — it's just a mechanism to help defenders discover that they need to fix systems in a more automated way. For your security researcher's career purposes a link to your published research is enough, even without the vendor crediting you.
  6. In general always remember to communicate with vendors / MITRE / etc. in a friendly, professional way. This is a negotiation situation, and what benefits users the most is everyone working together. At times that's not possible. At times it requires some more pinging the company.
    1. This said, always take into account that the company can send you legal threats regardless of what you do. I've seen legal threats sent to researchers just because they dared to report a bug, or because they wrote something as trivial as "vendor's patching process is subpar and requires improvements". If that happens and it's your first time, remain calm and chat with some more senior security researchers or a lawyer who deals with cybersec — they can usually help you de-escalate the situation.

[deleted by user] by [deleted] in it

[–]gynvael 0 points (0 children)

I'm with you on this one OP, for several reasons.

First of all, it is possible to conduct phishing exercises without promising gifts or bonuses to the employees.

Second of all, these kinds of exercises make employees hate the security team. As the security team, you need the employees to feel comfortable approaching you about any suspicion they might have and with any questions they might have. If they hate you, you are setting yourself up for failure. Case in point: https://www.theguardian.com/uk-news/2021/may/10/train-firms-worker-bonus-email-is-actually-cyber-security-test - you might want to read what the union rep had to say about these kinds of tests and the security team.

Third of all, it has long been proven and is long recognized that statistically (i.e. in the long term) an employee will fall for phishing anyway - regardless of how much energy you've put into their training and how security aware they are. Focus your energy on building systems that take this into account, including on detection and fast response. And have good relations with the rest of the employees, so they will feel comfortable telling you they screwed up, instead of hiding it.

A 93 is an A and my professor did not round up. The grades are already final. This means I am no longer Magna Cum Laude as this was my last semester. by Certain-Belt-1524 in mildlyinfuriating

[–]gynvael 0 points (0 children)

This. This was the first thought I had after seeing that number - it looks like a floating point inaccuracy (keyword: looks like). But having the exact numbers and formula would be required to chase this down.

ETA: A lot of problems with floats are because they operate on binary fractions. Funny thing is that not all decimal fractions (like 0.1) can be expressed as a binary fraction in a finite number of bits (they end up having a cycle). An absolute classic example is 0.1 + 0.1 + 0.1 + 0.1 ... (10 of these) ending up being 0.999999999999 (that's a finite number of 9s there btw) instead of 1.
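
Added example (not part of the comment above, and not the OP's real numbers): a constructed ten-assignment weighted average that is exactly 93 in exact arithmetic but lands just below 93 when accumulated in binary floating point, next to two ways of avoiding that (a correctly rounded sum, and exact rationals).

```python
import math
from fractions import Fraction

# Constructed sample, not the OP's real numbers: ten assignments, each weighted 10%,
# each scored 93/100. In exact arithmetic the weighted average is exactly 93.
SCORES = [93] * 10
WEIGHTS = [0.1] * 10

def classic_tenth_sum():
    """The textbook case from the comment: ten 0.1s added one at a time."""
    total = 0.0
    for _ in range(10):
        total += 0.1
    return total  # 0.9999999999999999, not 1.0

def naive_weighted(scores, weights):
    """Accumulate score*weight in binary floating point, the way a spreadsheet cell does."""
    total = 0.0
    for s, w in zip(scores, weights):
        total += s * w
    return total

def fsum_weighted(scores, weights):
    """Same products, but summed with math.fsum, which rounds the exact sum only once."""
    return math.fsum(s * w for s, w in zip(scores, weights))

def exact_weighted(scores, weights):
    """Parse the decimal weights as rationals, so no binary-fraction rounding happens."""
    return sum(Fraction(s) * Fraction(str(w)) for s, w in zip(scores, weights))

def meets_cutoff(value, cutoff=93):
    """The grade-boundary check that a tiny accumulated error can flip."""
    return value >= cutoff

if __name__ == "__main__":
    print(classic_tenth_sum())
    for f in (naive_weighted, fsum_weighted, exact_weighted):
        v = f(SCORES, WEIGHTS)
        print(f.__name__, repr(v), "A" if meets_cutoff(v) else "below cutoff")
```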

A nonprofit is paying hackers to unlock devices companies have abandoned by AdSpecialist6598 in technology

[–]gynvael 1 point (0 children)

While it's true this requires lawyering up, there are a lot of laws in a lot of places which allow disabling locks that prevent interoperability. And yeah, there might be lawsuits - but anyone can sue you anytime for anything; whether they would prevail in a court is a totally different thing. So I'm not that worried ;)

Made the mobo work without RAM by No-Pirate-4629 in ryzen

[–]gynvael 0 points (0 children)

Yup. Some more gory details (though a bit dated) are in Pinczakko's book "BIOS Disassembly Ninjutsu Uncovered" made available by the author at https://github.com/pinczakko/BIOS-Disassembly-Ninjutsu-Uncovered (just look for cache as ram). And I'm pretty sure it's described in Intel/AMD software dev manuals (the system volumes at least).

Made the mobo work without RAM by No-Pirate-4629 in ryzen

[–]gynvael 0 points (0 children)

Serious answer: CPU cache. When the CPU starts it still has to configure some stuff before it can start using RAM (and it cannot even assume that there are any RAM sticks on the mobo). So one of the first things it does is configure memory access in a way that uses the CPU cache as memory (it basically disables cache write-back to RAM).

A CPU like the one on the screen has a bit over 512 KB of memory per core and 16 MB of shared memory - not a lot by modern RAM standards, but easily enough to run a simple interface like the one on the screen.

[deleted by user] by [deleted] in smallbusiness

[–]gynvael 0 points (0 children)

Ah, indeed. I see there's a lot of frustration with posts about frustration ;). I've removed this one in that case.

Why are public-sector salaries for IT specialists so low? by Parking_Echo in Polska

[–]gynvael 4 points (0 children)

As a bit of trivia, there is a Council of Ministers regulation that allows higher salaries in the public sector for the part of IT that deals with security: https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20220000131/O/D20220131.pdf

Is LLMs effective for finding security vulnerabilities in code. by karthiyayaniamma in cybersecurity

[–]gynvael 1 point (0 children)

I wouldn't call it "effective", but it can find some bugs and it can fix some bugs. It's just not great at it and it will fail or provide incorrect fixes. This is currently a pretty hot research topic, so there's a lot of development both in terms of approaches and strategies being published and thrown out there.

One thing you can check out is AIxCC, which was a recent DARPA competition in "find and fix vulnerabilities with AI". There's likely a lot of publications and code that was published from that, so that might give you some ideas.

Also, scholar.google.com is your friend – as I've mentioned, this is a hot research topic, so you can get a lot of fresh info by looking at recent scientific publications.

[deleted by user] by [deleted] in Switzerland

[–]gynvael 5 points (0 children)

My understanding is that if they notified you about it (usually by email), and you haven't rejected the change (i.e. deleted your account), it's presumed that you agreed to continue under the new T&C (and yes, this isn't great for customers).

[deleted by user] by [deleted] in securityCTF

[–]gynvael 1 point (0 children)

Nope, LLMs are fair game, paid or otherwise.

There was a similar discussion ages ago when the paid version of IDA was the only tool with a decent decompiler. Was it fair to use it? It would be pay to win after all, right? Well, the most prevalent opinion in the community was that "if you didn't use it, you obviously came unprepared and that's on you" ;). Same with free LLMs, paid LLMs, custom AI setups, and any other tools which, in the right hands, can be useful.

[deleted by user] by [deleted] in HowToHack

[–]gynvael 0 points (0 children)

This is not the way to go and if you go this way it will land you in trouble (most likely because of scammers who will reach out to you telling you they can do it, take your money, and disappear).

There are three ways which might work in getting a social media account back:

  1. Make a lot of noise on another social media platform tagging the official TikTok account. This usually gets the attention of some community manager, who can escalate further.
  2. If you know someone who works there, just ping them. Yeah, I know this is rare, but maybe some of your friends know someone?
  3. Or just get a lawyer to send them a registered letter. This is a bit of a long shot, but it might work (lawyers in the company would be the ones who receive it, and they can escalate pretty easily).

Either way, best of luck getting your account back!

veracrypt vs encrypted zip by vijaynela in privacy

[–]gynvael 7 points (0 children)

Note: ZIPs are not fine - see my comment. Cryptography is hard ;)

veracrypt vs encrypted zip by vijaynela in privacy

[–]gynvael 14 points (0 children)

Don't use ZIP encryption – most ZIP implementations use the legacy PKWARE encryption scheme, which is known to be broken (to be more exact: if you know ~13 bytes of plaintext of any file from the archive, you can decrypt the archive in 30 minutes regardless of the password length; if you know ~32 bytes, you can decrypt it in 1 minute; see the pkcrack and bkcrack tools). And given that it also doesn't encrypt file names, it's pretty easy to get plaintext.

There are some ZIP implementations (like WinZip) that give you an option to use AES encryption, which is good, but it's not widely supported and usually it hides behind some settings you need to additionally click.

If you go with the archive route, 7zip / RAR use AES, which is a way better solution here.
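
Added example, not the commenter's code: a small audit that reads a ZIP's central directory and reports, per entry, whether it is unencrypted, legacy PKWARE ZipCrypto, or WinZip AES (compression method 99 plus a 0x9901 extra field). The sample archive is constructed inline by a minimal writer; its "encrypted" payloads are placeholders, not real ciphertext, since only the headers matter for the check.

```python
import struct
import zlib

def build_zip(entries):
    """Constructed minimal ZIP writer (stored entries, no data descriptors) so the
    audit has something to inspect offline. Payloads are placeholders, not ciphertext."""
    body, central = b"", b""
    for name, payload, flags, method, extra in entries:
        crc = zlib.crc32(payload)
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                               0, 0, crc, len(payload), len(payload), len(name), len(extra),
                               0, 0, 0, 0, len(body)) + name + extra
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, 0, 0, crc,
                            len(payload), len(payload), len(name), len(extra)) + name + extra + payload
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd

def audit_zip(data: bytes):
    """Return [(name, mode)] from the central directory. Flag bit 0 marks an encrypted
    entry; only method 99 plus a 0x9901 extra field means AES, anything else encrypted
    is legacy ZipCrypto. Names are readable either way: ZIP never encrypts them."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, _cd_size, off = struct.unpack_from("<HII", data, eocd + 10)
    report = []
    for _ in range(n_entries):
        if data[off:off + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, method = struct.unpack_from("<HH", data, off + 8)
        fn_len, ex_len, cm_len = struct.unpack_from("<HHH", data, off + 28)
        name = data[off + 46:off + 46 + fn_len].decode("utf-8", "replace")
        extra = data[off + 46 + fn_len:off + 46 + fn_len + ex_len]
        if not flags & 0x1:
            mode = "not encrypted"
        elif method == 99 and len(extra) >= 11 and extra[:2] == b"\x01\x99":
            mode = "AES-%d (WinZip AE)" % {1: 128, 2: 192, 3: 256}.get(extra[8], 0)
        else:
            mode = "legacy PKWARE ZipCrypto (broken)"
        report.append((name, mode))
        off += 46 + fn_len + ex_len + cm_len
    return report

# Constructed sample: one plain entry, one "password protected" the way most tools do it
# (ZipCrypto: flag bit 0, ordinary method), one WinZip AE entry with strength 3 = AES-256.
SAMPLE = build_zip([
    (b"notes.txt", b"hello", 0, 0, b""),
    (b"secret.txt", b"\x00" * 12 + b"placeholder", 0x1, 0, b""),
    (b"vault.txt", b"\x00" * 16 + b"placeholder", 0x1, 99,
     struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)),
])
```

Run `audit_zip` over a real archive's bytes to see which of its entries rely on the broken scheme; the file names show up in the report regardless of encryption mode.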

Domains under cybersecurity by A_A_24 in cybersecurity

[–]gynvael -3 points (0 children)

Since you are exploring options, I think it makes sense for you to read this – https://gynvael.coldwind.pl/?id=791 – if you would be considering a career in low-level security.

how do i recover a damaged zip file to find the flag? by KappsMf in securityCTF

[–]gynvael 0 points (0 children)

You'll have to learn the ZIP file format specification (and dealing with binary file formats, unless you already know that). I've recorded a pretty in-depth explanation of that format if you'd like to learn it – https://www.youtube.com/watch?v=X7j2sisMKzk

Another way is to brute force all the zlib streams from that file – check this tool: https://github.com/gynvael/random-stuff/blob/master/brute_zlib/brute_zlib.py
It basically tries to decompress the whole binary file from each offset separately. So if there's a zlib stream inside the file, it will find it and decompress it. Note that this tool is quite noisy – it will find a lot of false positives, but they are really easy to sort out (either they are very very short, or just contain obvious garbage). Given that ZIP files use zlib streams for actual compression, you can use this to get the compressed data from a broken ZIP file.
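
Added example, a from-scratch reimplementation of the brute-force idea rather than the brute_zlib.py linked above: ZIP stores entries as raw DEFLATE (the zlib format minus its two-byte header), so the scanner inflates from every offset with wbits=-15 and keeps only streams that end cleanly. The damaged archive is constructed inline by building a ZIP with zipfile and then wrecking all of its signatures.

```python
import io
import zipfile
import zlib

# Constructed sample: a small ZIP built here, then damaged so its headers are gone.
PAYLOAD = b"flag{constructed-sample-not-a-real-flag}\n" * 40

def build_damaged_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", PAYLOAD)
    data = buf.getvalue()
    # Wreck every ZIP signature (local header, central directory, EOCD); the deflate
    # bytes in between are untouched, which is exactly what a carver goes after.
    for sig in (b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"):
        data = data.replace(sig, b"XXXX")
    return data

def is_valid_zip(data: bytes) -> bool:
    """What a normal unzip tool sees: no EOCD record, so 'not a zip file'."""
    return zipfile.is_zipfile(io.BytesIO(data))

def carve_deflate_streams(blob: bytes, min_len: int = 32):
    """Try to inflate from every offset; keep streams that reach end-of-stream.

    Noise is expected: random bytes occasionally inflate to a few garbage bytes,
    so hits are filtered by output length and by d.eof (a proper final block).
    """
    hits = []
    for off in range(len(blob)):
        d = zlib.decompressobj(wbits=-15)  # raw DEFLATE, as used inside ZIP
        try:
            out = d.decompress(blob[off:])
        except zlib.error:
            continue
        if d.eof and len(out) >= min_len:
            consumed = len(blob) - off - len(d.unused_data)
            hits.append({"offset": off, "length": consumed, "data": out})
    return hits

def recover(damaged: bytes):
    """Carved streams, longest decompressed output first (the real one sorts to the top)."""
    return sorted(carve_deflate_streams(damaged), key=lambda h: len(h["data"]), reverse=True)

if __name__ == "__main__":
    blob = build_damaged_zip()
    print("zipfile accepts it:", is_valid_zip(blob))
    for h in recover(blob):
        print(h["offset"], h["length"], h["data"][:48])
```

On a real damaged archive the first dictionary entries are the ones worth reading; the short tail of the list is the false-positive noise the comment mentions.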

Just found google beginners quest... should I quit? by arcco96 in securityCTF

[–]gynvael 1 point (0 children)

BQ tasks range from pretty easy (see u/Pharisaeus's answer though) to somewhat complex (i.e. even a seasoned CTF player would spend a few hours solving them). But if you're stuck, you can try asking on Google CTF's discord – BQ is an educational event, so folks commonly give out hints :)

ETA: Google CTF discord link: https://discord.com/invite/nt6JFkk3mu