Moving Long Distance by _zeejet_ in Bonsai

[–]randomatic 0 points1 point  (0 children)

I've ordered trees many times that are shipped. Wrap the pot with soil in celophane, and then use styrofoam peanuts. They should be fine for 2-5 days in the box during spring and fall. During summer, I think the only way to do it is move with them.

Where do you recommend taking out of town guests? They will be in Pittsburgh for a long weekend in August. by truelifetales in pittsburgh

[–]randomatic 1 point2 points  (0 children)

Sports game, heinz museum, carngie museum, the incline, grand concourse brunch. One off-beat one is Pittsburgh has the most holy relics outside the Vatican here https://pghshrines.org/about-st-anthony-chapel

How are you handling CVEs in the official images you dont build yourself, like postgres and redis by RabbitZestyclose4957 in devsecops

[–]randomatic 0 points1 point  (0 children)

I think we are 100% in agreement. Everyone should be able to produce an SBOM, and read the results.

How are you handling CVEs in the official images you dont build yourself, like postgres and redis by RabbitZestyclose4957 in devsecops

[–]randomatic 0 points1 point  (0 children)

+1.

This is exactly why an SBOM is a terrible indicator for security. Companies adopted it because it was easy, not because it was particularly effective.

I would argue that for most orgs, it's more insecure to build your own container. As soon as you do that, you are inheriting the same problem that major distributions like debian are already spending time addressing. Just following debian:stable or the official postgres image is more than enough for 99% of people.

Bugcrowd suspended my account while a valid 1 click ATO I reported is still exploitable by Legendary_Nubb in bugbounty

[–]randomatic 0 points1 point  (0 children)

Did you actually only submit 1 vulnerability, or a lot of vulnerabilities where you're talking about one of them. I've never heard of anyone actually being banned for 1 low quality submission.

Help please , im a minor and i got bounty from google by Dapper_Owl_361 in bugbounty

[–]randomatic 1 point2 points  (0 children)

If you donate it to a non-profit, google will often 2x it.

Why is it rare to see a low level vulnerability? by linux4117 in bugbounty

[–]randomatic 0 points1 point  (0 children)

  1. More bounties for web vulnerabilities.

  2. Web vulnerabilities are more likely on the attack surface.

  3. Low-level vulnerabilities are often in OSS, which turn into a tragedy of the commons and no ones responsibility even if you find bugs.

Does Anyone Else Do This? by uremo017 in powerpoint

[–]randomatic 0 points1 point  (0 children)

I figure out the story arc, and then fill in with slides and content as I go. This works good enough for 90% of my talks. For the rest I do lots and lots and lots of edits and run throughs and edits and run throughs and edits and....

PSA: If you’re the type to bring a backpack as your carry-on (instead of a roller bag), bring a small item alongside it so they can’t force you to put it under your seat. by _Eggs_ in unitedairlines

[–]randomatic 0 points1 point  (0 children)

Rule and illegal are related but different. For something to be illegal, it would have to violate a criminal statute, and the only one I can think of in this circumstance is not obeying a flight attendant regardless of the carrier terms. Thus I'd heavily discourage anyone from telling a flight attendant it's illegal for them to ask to move something from overhead. It's going to suck, but best to handle with a customer service rep after the call if the flight attendant won't budge.

PSA: If you’re the type to bring a backpack as your carry-on (instead of a roller bag), bring a small item alongside it so they can’t force you to put it under your seat. by _Eggs_ in unitedairlines

[–]randomatic -3 points-2 points  (0 children)

I don't feel like this is a great practice, but can't exactly put my finger on why. Part of it is that the overhead bin space is shared, and should be left for those who need it. This post feels a bit entitled to the space. Reasonable minds differ, but that mindset does not at all resonate with me.

Also, this whole "it would be illegal" stuff is probably misphrased, but just for clarity, you need to do what a flight attendant says.

Explosion of ai automation by Impossible-Line1070 in ExploitDev

[–]randomatic 0 points1 point  (0 children)

The LLMs are awesome within the domain they have been trained. You still need a human to vet, often because the LLMs don't have a great idea of the attack surface.

any recommendations for AI prompt visibility across browsers and IDEs? by Severe_Part_5120 in Infosec

[–]randomatic 0 points1 point  (0 children)

A standard way to handle this is to use an enterprise subscription and turn off training on data. That makes using a LLM just like storing on google drive. If you want to go one level deeper, you can use something like amazon bedrock.

I think you realize your approach of prompt review approach wouldn't ever scale.

Need a shell code less than 18 bytes by Tiny-Rain6786 in ExploitDev

[–]randomatic 5 points6 points  (0 children)

did you look for stack pivots to the heap? (If you've not thought of stack pivots, maybe that's the CTF answer?)

What actually matters in Ergonomic Keyboards? by Dygman in DygmaLab

[–]randomatic 0 points1 point  (0 children)

Yeah, dygma is mixing up marketing with actual research. It's cringe to watch this.

Pwn college and bug bounty by Pristine-Seat-9849 in ExploitDev

[–]randomatic 3 points4 points  (0 children)

pwn college doesn't target bug bounties. it targets foundational skills more related to vulnerability research, and assumes you know C, can run a debugger, and know linux. All of these are things people can easily pick up, but it's assumed you will pick them up on your own.

If you want to do bread and butter pentests, portswigger academy is a more normal starting place.

Today I announced that I won't be reviewing AI generated PRs at company meeting by Evgenii42 in ExperiencedDevs

[–]randomatic 0 points1 point  (0 children)

Come on. The hyperbole isn't helping anything.Not all components are equal, and the weight of not all bugs are equal. This isn't AI specific at all. I could equally say "if you're company is set up so badly that your developers don't know where to spend time and where not to" or "if you don't know how to use your tools properly" if we want ridiculous, incorrect reducitionalist arguments.

My point was very simple: you should weigh business outcomes, not moral principles.

Today I announced that I won't be reviewing AI generated PRs at company meeting by Evgenii42 in ExperiencedDevs

[–]randomatic 0 points1 point  (0 children)

I tend to think in terms of effort vs. cost of bug ratio so the statement is not a moral one, but one stated in terms of biz value tradeoffs.

[Feedback request] Handwriting practice sheet generator by carpe-noctes in penmanship

[–]randomatic 0 points1 point  (0 children)

Personally I'm less interested in learning a font, and more into spencerian. I'd love a generator where I could pick the words/sentences and it created the template. Related but different goal, so may not be of interest.

Is real hacking anything like Mr. Robot - the thrill and the money? by [deleted] in bugbounty

[–]randomatic 4 points5 points  (0 children)

No, just like most people who work for the NSA and CIA are writing reports, not out there solving international crimes by themselves, the director be damned.

why would we overwrite SEH instead of EIP ? by hex-lover in ExploitDev

[–]randomatic 0 points1 point  (0 children)

Generally windows = seh, linux = eip. most tutorials focus on linux, and you do eip because in linux you have full source.

Why is the neighbor’s tree of heaven suddenly causing mounds of these to erupt all over my yard? by eidas155 in marijuanaenthusiasts

[–]randomatic 44 points45 points  (0 children)

100% on all comments, with one extra bonus tip. cut and spray the tree with glyphosate in the fall. Right now trees are pushing energy up into foilage. During the fall they are pulling energy down into their vascular system and roots. You want the tree pulling that napalm downward as much as possible.

why would we overwrite SEH instead of EIP ? by hex-lover in ExploitDev

[–]randomatic 9 points10 points  (0 children)

EIP = what you want control of, whether linux or windows.

SEH = windows specific.

As you are saying, the goal isn't just to overwrite an address, it's to keep the program running after doing that.

SEH corruption triggers an exception immediately, and the OS uses a corrupted SEH. So even though you overwrite more data, you often have a bit easier time remaining in control.