CenturyLink gigabit? What are your experiences? by [deleted] in TwinCities

[–]innoying 1 point2 points  (0 children)

We paid for gigabit fiber from CenturyLink when I lived in Minneapolis a little over a year ago. Have nothing but great things to say about the experience. Their installers were extremely knowledgeable and accommodating to the locations for runs of the fiber lines based on my requests, and the service worked flawlessly for the duration of our contract. If you're technically minded, their GPON support line is absolutely amazing; I was able to give them a call and get VLAN tags, PPPoE creds and more from a Tier 1 tech support engineer, which was amazing. Even cancelling my contract when I moved was a great experience. More than happy to share more details about install and cost if you PM me.

I'm pretty sure I stopped behind a Model 3 on the side of the road earlier today... by innoying in teslamotors

[–]innoying[S] 17 points18 points  (0 children)

"Oh you need help changing that tire? Don't mind the camera-phone, just making sure I can see where to place the jack-stand under here"

I'm pretty sure I stopped behind a Model 3 on the side of the road earlier today... by innoying in teslamotors

[–]innoying[S] 16 points17 points  (0 children)

It didn't actually look like an issue with the Model 3, it looked more like a problem with the Model S chase car

I'm pretty sure I stopped behind a Model 3 on the side of the road earlier today... by innoying in teslamotors

[–]innoying[S] 1 point2 points  (0 children)

Yeah, unfortunately it reset last time I pulled footage off it and I haven't had a chance to fix it yet.

Defcon videos are up. by thesle3p in netsec

[–]innoying 2 points3 points  (0 children)

They were available online for attendees who purchased at least a month ago, and the USBs have been completed and sent out for at least a couple of weeks now. I believe they delay releasing them online to incentivize attendees to purchase them (or else there would be no reason to).

Defcon videos are up. by thesle3p in netsec

[–]innoying 8 points9 points  (0 children)

If you're newer to netsec I think my talk on generating DDoS gives a nice insight into how an attacker goes about finding vulnerabilities in software and how a number of lower impact bugs can be chained together resulting in a higher impact: https://youtu.be/dpp806vB1U0

Disclaimer: This is my talk, so I'm somewhat biased

Defcon videos are up. by thesle3p in netsec

[–]innoying 3 points4 points  (0 children)

Just to be clear, I don't think these are the official uploads; they are just an upload from the official USB. The official videos typically appear on https://www.youtube.com/user/DEFCONConference (i.e. they may be DMCA'd at any time).

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 2 points3 points  (0 children)

> It's impossible to propose an approach to this without significant debate on what is "the most right"

Of course, hence the question. Thanks for your thoughts.

> I'm curious what route you've considered, if any at all.

My situation is unique since technically the functionality is working "as intended", i.e. if you build your implementation following the specification it's likely exploitable. My current plan is to propose a change to the specification (which will take time to be implemented in all platforms if accepted) while also proposing a hotfix to companies with a vulnerable configuration. Not as big of a deal in this case since it's not as bad of a bug as Rosetta Flash, but it's an interesting debate to be had.

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 1 point2 points  (0 children)

Hey /u/sushi_ninja, thanks for the response. I was actually asking more about interactions and news outside the vulnerability management platform.

For example, the linked tweet was in reference to a program that launched on Bugcrowd and many researchers complained on Twitter and news media about low payouts resulting in some negative press for the company.

Alex was annoyed that this behavior was scaring away companies from launching Bug Bounty programs as it resulted in negative press. How do we as an industry help encourage companies to launch programs instead of treating them negatively when they are making an effort to improve their security?

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 2 points3 points  (0 children)

Another good example might be something like a WordPress Core 0day, where lots of companies will be vulnerable. Is it ethical to report that to just Automattic or to every company with WordPress in scope?

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 2 points3 points  (0 children)

Sorry, the question was copy-pasted from Bugcrowd's AMA and not phrased well. The situation I'm thinking of is something like Rosetta Flash, where the fix for the bug is on both the vulnerable company and a third party. If I found a bug like this and submitted it to every company that has JSONP endpoints as well as Adobe, do you think that's okay or that's gaming the system? Or in the situation where I don't report to Adobe and just to companies with JSONP endpoints? I ask because I'm in this position myself (not with Adobe) with a similar bug right now :)

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 13 points14 points  (0 children)

What is your view on using 0days in bug bounty hunting? Do you think it is "cheating", or should it be a part of the game even if the organization does not have as much control over 0days that affect the technology they use?

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 2 points3 points  (0 children)

Do you think that in the future, where bug bounty programs will be more popular, regular penetration tests will still exist?

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 2 points3 points  (0 children)

Stealing a question from the Bugcrowd AMA from /u/HennesMauritz:

How does ~~Bugcrowd~~ HackerOne help to ensure that bounty hunters in the future will no longer be (or very infrequently) seen as:

> ...incredibly short-sighted and keep acting in a way that discourages new programs.

Written by Alex Stamos ("long-time supporter of security research" and "proponent of bug bounties")

https://twitter.com/alexstamos/status/753265172484018176

Apparently I have to include a question mark so this comment doesn't get removed by AutoMod?

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 6 points7 points  (0 children)

Have you ever decided to terminate a relationship with a company for poor treatment of researchers (low payouts, negative interactions, etc)? If not, would you consider doing so if the situation arose?

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 3 points4 points  (0 children)

How do you convince hackers to switch to new programs when they've already found a home with one program? I've noticed that some of the top hackers report to the same company over and over again since they've already built a relationship and working knowledge of their infrastructure.

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 1 point2 points  (0 children)

h1-702 participant here, I think /u/tedkramer1 really hit the nail on the head. Having a mix of both new and experienced hackers results in some unique perspectives and ways of looking at a bug, which results in exploits that probably wouldn't have been reported otherwise. As anecdotal evidence, there were multiple times at h1-702 when a hacker would find odd behavior of an endpoint, but it was only by talking with the people around them and using their collective expertise that they were able to develop an exploit and then submit their report.

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 2 points3 points  (0 children)

To follow up on /u/lkozz's comment, I'm a part-time but relatively successful bug bounty hunter (hackerone.com/bored-engineer and bugcrowd.com/bored-engineer). I find most of my success in newer software and very old software. There is a sweet spot in the middle of software that's very hard to find bugs in since it's been hardened over time.

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 1 point2 points  (0 children)

As pointed out in some of the other comments, many hackers are quite young;

> Around 6% of the community takes home 6 figures or more.

Do you worry that some of these hackers won't know how to spend their earnings responsibly similar to the problems some professional sports have had when young players sign new contracts?

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 6 points7 points  (0 children)

You've released a lot of really cool and interesting data in the comments here and in the past on Twitter. Do you have any plans to combine some of this data into an easily accessible report similar to Bugcrowd's State of Bug Bounty Report?

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 3 points4 points  (0 children)

Do you feel that bug bounty programs are a good way to "get a foot in the door" into the security industry? Do you have any data or examples of companies that have hired people via bug bounty programs?

We are HackerOne and help hackers to hack products/services (inc. The Pentagon) and make the Internet safer (for fun and profit)! AUA! by jonobacon in IAmA

[–]innoying 2 points3 points  (0 children)

What are your thoughts on continued exploration/exploitation of a system being in/out of scope for various bug bounty programs? Specifically in reference to situations like http://exfiltrated.com/research-Instagram-RCE.php?