tptacek
Joined 414,856 karma
Having said thus much by way of introduction, I commit the following to the candour of the Publick.

Helu! I'm Thomas.

thomas@sockpuppet.org

thomas@fly.io

(Don't apologize for contacting me! I'm happy to meet you.)

Daily follow list: 'jcranmer, 'pvg, 'rgovostes, 'lisper, 'kentonv, 'DannyBee, 'JumpCrisscross, 'kasey_junk, 'tzs, 'dctoedt, 'idlewords, 'carbocation (many others who don't post often enough to call out like this).

All comments Copyright © 2010, 2011, 2012, 2013, 2015, 2018, 2023, 2031 Thomas H. Ptacek, All Rights Reserved.


  1. For modern scientific rebuttals to race science, I'd start with Sasha Gusev and Eric Turkheimer. You'll read about things like missing heritability and the methodological problems of twin studies (which are grave). I'd also read Cosma Shalizi's "g, a statistical myth", which is also fun just from a sort of mid-level math/stat perspective. A classic in the field that still holds up is Ned Block's "Race, Genes, and IQ", written as a response to The Bell Curve.

    I don't have offhand good links to critiques of Gould that are on any site I would recommend you read.

  2. So it's a serverside bug that basically creates a more-severe stored DOM corruption vulnerability? Yeah, that's not worth anything to any buyer of vulnerabilities that I know exists. Maybe you know ones that I don't know.
  3. Are these things you think it stands to reason the IC must be doing, or things you know for a fact that they are doing? It stands to reason for a lot of people that the IC must stockpile vulnerabilities, but they don't (they keep just a couple working ones) --- just as an example of counterintuitive things about how CNE works.
  4. It's pronounced "aggie".
  5. An RCE in what? Nobody's buying your Discord RCE.
  6. Every pentest misses stuff. That's kind of the point I'm making. But yeah: as someone with a software security background, when you contract a test, you want them to find stuff!
  7. Do you know this or do you just think it should be true?
  8. His LLM tool rules. I cite it too. Used it a bunch earlier this year for the municipal data work I was doing. Why wouldn't he cite it? Avoiding these kinds of mean-spirited criticisms would require him to twist himself into a pretzel. I'd rather we just all agree not to say shit like this.
  9. Also because nobody actively exploited them! You're using the word "detected" to mean "discovered", which nobody working in the field would ever do.
  10. I don't know why he would bother submitting any of his own pieces --- they're all going to get submitted anyways.
  11. Really? Tell me a story about someone selling an XSS vulnerability on Telegram.

    ("The CVSS chart"?)

    Moments later

    Why do people keep bringing up "Zerodium" as if it's a thing?

  12. Ehhhhhh careful, Mismeasure hasn't held up well, and there are better arguments.
  13. This is identical to a comment you wrote on the other story about these vulnerabilities that's higher up on the front page, which isn't great.
  14. Nobody is disputing that a wide variety of vulnerabilities are "useful", only that there's no market for most of them. I'd still urgently fix an XSS.
  15. Where by "self promotion" you mean "sharing his thoughts"?
  16. Again, here you have not so much sold a vulnerability as you have planned a heist. I agree, preemptively: you can get a lot of money from a well-executed heist!
  17. Maybe? I don't know enough about the vulnerability. Is it serverside? Then it isn't worth very much.
  18. Have you used it? How does it work? How do you drive it? We tried a lot of different things. Is it not paravirtualized, the way vGPUs are?
  19. The premise that "fucking companies are misers" operate on that I don't share is that vulnerabilities are finite and that, in the general case, there's an existential cost to not identifying and fixing them. From decades of vulnerability research work, including (over the past 5 years) as a buyer rather than a seller of that work: put 2 different teams on a project, get 2 different sets of vulnerabilities, with maybe 30-50% overlap. Keep doing that; you'll keep finding stuff.

    Seen through that light, bug bounty programs are engineering services, not a security control. A thing generalist developers definitely don't get about high-end bug bounty programs is that they are more about focusing internal resources than they are about generating any particular set of bugs. They're a way of prioritizing triage and hardening work, driven by external incentives.

    The idea that Discord is, like, eliminating their XSS risk by bidding for XSS vulnerabilities from bounty hunters; I mean, just, obviously no, right?

  20. I directionally agree with you but we could go another 20 comments deep on exactly what the purpose of an external pentest or red-team exercise is and how it might not match up perfectly with what an amateur web hacker is currently doing. But like: yeah, they could get into that business, at least until AI eats it.

This user hasn’t submitted anything.