[00:54:55] Costco fucking doubled down on DEI while Walmart folded
[00:54:56] Fuck yes
[01:16:18] hell yeah :3
[01:28:32] They're good folks, I worked for them once ages back. A problem here or there like any corp, but they do genuinely try to do well by their employees.
[01:29:21] [1/2] https://www.instagram.com/p/C_AxIfSNzgc/
[01:29:21] [2/2] I just had to share this 😂
[01:30:27] Huh
[01:43:26] Cool little video, well worth the 2 minute watch https://youtu.be/Y6AyfYp56_k?
[01:51:30] wtf the WMF runs irl ads?
[01:55:01] https://cdn.discordapp.com/attachments/615786602454581249/1332529128682815571/image0.jpg?ex=679595f5&is=67944475&hm=4048748b8b24920e1a1b03c0277ccfe6008a74cd185613e2f66a85ef4d883140&
[01:55:13] holy shit miraheze button on bootleg phone
[01:59:50] https://www.youtube.com/watch?v=qNLjPdIZF-o
[01:59:58] no way :OO
[02:03:41] Costco
[02:06:08] Where's our royalties
[02:32:28] They did have a wiki truck in NYC
[02:32:34] huuuuh!
[02:32:37] til!
[02:33:03] The people featured in the beginning are my fellow WMNYC members
[02:33:09] all very cool
[02:33:23] Jim Richard and Epicgenius
[02:57:40] Meta is now forcibly and nonconsensually following accounts to JD Vance’s Instagram account (and possibly POTUS and FLOTUS)….
[02:58:47] lmao what
[02:58:49] really?
[02:58:57] (also, what's FLOTUS?)
[03:19:49] If you follow the POTUS/VP accounts they are controlled by the office so who runs them changes every 4/8 years.
[03:20:23] Lots of folks don’t realize they aren’t following the specific person as a result so when it changes there’s “oh I’ve been forced to follow someone new” when it’s more “oh this account changed ownership”
[03:20:37] FLOTUS is First Lady of the United States
[03:41:35] First Lady of the United States
[03:42:34] hm
[03:42:39] Could be tbf
[03:46:30] [1/2] My SO got got by this confusion as well.
[03:46:30] [2/2] https://www.snopes.com/fact-check/trump-vance-facebook-meta/
[03:46:58] Definitely account transfers
[03:47:53] Not to say meta isn't doing different shady shit
[03:50:28] For sure 🙂
[04:09:45] big thanks for this
[04:10:02] forwarded to my mom to pass on to the people she told haha
[04:10:21] This is how mis(and dis) information spreads so easily..
[04:10:22] Nooo worries. It's a weird one, and not outside the pale of possibility in these weirdo times
[04:11:50] zero judgement on going on this one, reputable folks were putting it forward as fact, only reason I thought to dig is I got burnt hard on the '16 transition of accounts
[04:11:56] Is anything?
[04:12:16] Hm?
[04:12:52] Absolutely no, got stories right out of 1984 coming from my former colleagues that work for cloud.gov
[04:12:53] I should have figured actually since my mother only was following JD and she had said she was only following Kamala
[04:13:12] cloud.gov is a new one for me
[04:13:21] Oh, basically this same thing happened in 2016 for the transition
[04:14:10] I think its original name was the 'digital transformation initiative', I don't remember precisely.
[04:14:30] But core conceit is - hire folks from tech to help the govt do things better, faster.
[04:14:32] You worked for the Gov?
[04:14:44] Not me personally, but folks I've worked with went on to join
[04:15:06] Ah
[04:15:23] cloud provider by and for the US government is interesting
[04:15:44] I did mull on working for the state gov after I got laid off in Feb after a decade at the same company, but it took them three months to get back to me. 😄
[04:15:44] And as a hacker minded person, an incredibly tempting target for cyber attacks
[04:15:59] hope they use MFA
[04:16:04] LMAO
[04:16:13] Oh that sounds so satisfying
[04:17:31] ...yeah, not something I'd suggest trying. Security and countermeasures are a big part of their interview process.
[04:20:12] YEAH. Like hell I’m trying to hack the government.
I like my house, and the FBI is very rude at times 😂
[04:20:43] I did try to recruit one of those folks to volunteer at MH, but turns out their day job took just a bit more time than expected during the time I was trying.
[04:21:28] I would absolutely read a blog post on it if someone did find a vuln on that though
[04:21:52] I was reading a post today about a fun vuln someone found on Github.com/GHES
[04:25:31] All you needed was to have owner access to any organization, and you could dump all of the Environmental variables that Ruby on Rails was running with 😂
[04:25:59] cloud.gov: WMCS, but the US
[04:26:43] Github Enterprise Service had a few more that allowed it to become a full RCE, but the one on Github prod alone had enough production access keys you could cause havoc with anyways
[04:26:51] Basically but also no
[04:26:56] oh?
[04:28:58] I think ™️
[04:29:35] Also blog/forum post on AI - from 2009 https://web.archive.org/web/20240707230035/https://cubist.cs.washington.edu/Security/2009/03/13/security-reviews-ai/
[04:29:39] interesting!
[04:37:56] a:oneko_zzz:
[04:57:00] blahaj is soft,,,
[05:29:43] https://samcurry.net/hacking-subaru
[05:29:46] the fucking implications oh my god
[05:31:19] A prime example of why we badly need privacy laws to prevent this from happening
[05:33:16] yes
[05:33:19] but like
[05:33:23] why do we have remote unlock
[05:33:37] why does an employee have access to arbitrarily set owners without permission
[05:44:52] This looks like a sysadmin panel, which, largely, the permissions make sense for, though reassignment of owner is more sensitive by far
[05:45:46] Yay for quick patching though, good job subaru team
[06:57:00] i love lazy programmers
[06:57:03] > The user/s cannot be emailed.
[06:57:14] this codebase is already plagued to be stuck with english
[06:57:40] so could've done `The user${users.length !== 1 ? "s" : ""} cannot be emailed.`
[07:00:54] i feel like y'all would have a little chuckle when you know where this site is hosted: https://policies.compass.education/
[07:08:04] Claire no you can’t do that
[07:08:12] [1/2] you can only link to their home page
[07:08:12] [2/2] https://cdn.discordapp.com/attachments/615786602454581249/1332607941618040923/image0.jpg?ex=6795df5b&is=67948ddb&hm=039ceae3223084d59b1aad90974a1350312ef48077f61c9567ce3c6e9316d7d2&
[07:11:07] SHIT-
[07:11:29] okay, so the goal is to find an open redirect on their home page
[07:26:44] also what is a “legal” hyperlink
[07:26:57] does it have to conform to the standards set by the w3c
[07:27:42] “we reserve the right to withdraw linking permission”
[07:28:04] you never gave anyone permission in the first place it is a hyperlink on the World Wide Web
[07:28:54] first you go to their home page
[07:29:25] then you enter into the address bar `javascript:window.location('https://policies.compass.education/');`
[07:29:38] if you can’t find a redirect
[07:29:40] make one
[07:31:01] it doesn’t matter that I forgot the `.assign` bit and that’s not syntactically valid JavaScript as a result
[07:31:13] wait is that an illegal hyperlink?
[07:32:20] i mean
[07:32:25] not really an open redirect tbh
[07:32:31] and it is syntactically correct
[07:32:40] just that you can't do a fn call on location :p
[07:43:23] oh you’ll be happy to know
[07:43:45] ?
[07:43:47] http://mgdl.mobi/e/index.html has a working form doodad now
[07:43:56] it’s done in the worst way possible
[07:43:59] but it works
[07:45:54] oh my god lol
[07:46:28] ^ the dreaded moment of realization
[07:47:18] it’s actually easier for me because 1: free error handling and 2: I don’t have to have a massive switch in the PHP file or make it read from a database or something
[07:48:17] yay \o/
[07:48:58] you can probably do it all in nginx though
[07:49:31] https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite
[07:50:47] yeah there’s a long comment explaining why I chose to do it how I did
[07:50:51] https://cdn.discordapp.com/attachments/615786602454581249/1332618675898810439/IMG_6510.png?ex=6795e95b&is=679497db&hm=fa71e796c5c57e62aac831cd65414e6330826e22783ac25f7618534fb8f2f81a&
[07:51:38] hmm oki
[07:52:19] the browser gives up loading content on one page once it begins loading another, so the one second delay ensures the page and gif are loaded fully so they can appear to the end user
[07:53:44] https://youtu.be/CSO1KWLGd50?si=oyM2uH89UCyOYAwM at about 21:06 in this video, ashens fails to notice the browser is loading content for instance
[07:54:54] none of the pages on my site are super content heavy mind you
[07:55:11] but most of these function solely over 2G so there is going to be a speed cap
[07:55:19] god, i'm immobilised by blahaj
[13:18:28] Jesus
[13:18:29] Also
[13:18:32] > A little over a year ago, I bought my mom a 2023 Subaru Impreza with the promise that she would let me borrow it to try and hack it. I’d spent the last few years hunting for vulnerabilities in other automakers, but didn’t yet have the chance to look at Subaru
[13:18:48] heh ^^;
[13:19:14] I LOVE these blogs
[13:19:20] Need to finish reading later
[13:19:21] me tooooo
[13:19:26] If you have more send them over!
[13:19:43] Oh I found one yesterday for a vuln in GitHub prod and GHES
[13:20:09] GHES led to RCE, GH.com just lots of prod access keys
[13:54:59] ah great xD
[14:00:58] [1/2] Costco showed up on my YouTube ha
[14:00:58] [2/2] https://youtube.com/shorts/f8z_wfoMAL0
[14:18:35] I love Subaru
[14:18:38] That was such a good read
[14:19:12] But notwithstanding -- surely taking over an employee's account like that is illegal? Even if reporting it afterwards?
[14:20:42] i suppose it can be?
[14:21:00] going after security researchers is a good way to make sure that they don't report vulns to you though
[14:21:06] Kudos to Subaru for patching it so quickly
[14:21:08] Yeah i guess
[14:21:28] (But also, shame on Subaru for having those kinds of vulnerabilities anyway)
[14:21:40] yeah, that's how i feel ^^;
[14:24:44] It'd be against the law ye
[14:25:11] And most vulnerability disclosure policies that exist generally would be restrictive about going that far
[14:25:47] I mean the law is pretty wide in scope
[14:26:02] It's 100% illegal
[14:26:35] Most companies won't prosecute though because generally they'd rather know
[14:26:41] Yeah true
[14:26:50] They don't want white hat people worried to report for fear of prosecution
[14:27:12] BlankEclair: what time is it?
[14:27:17] uh damn
[14:27:20] 1:27 am
[14:27:29] BlankEclair: and what am I going to say?
[14:27:35] GO THE FUCK TO SLEEP ^^;
[14:27:52] BlankEclair: yes, now do it please
[14:27:58] okay, okay
[14:30:10] @originalauthority https://www.legislation.gov.uk/ukpga/1990/18/section/1 would be the relevant offence in the UK
[14:30:40] Interesting
[14:30:50] Also i wish they'd update that website it fuckin sucks ass
[14:31:12] If you intend to actually take a car without consent, that'd be an offence under Section 2 too
[14:31:27] If you could take control of a car, you'd manage section 3ZA too
[14:31:55] Good evening, guys
[14:31:59] Which could bring a life sentence at the top end of the scale
[14:32:14] @rhinosf1 can you get ops on IRC to k line Claire please
[14:32:25] We need to tempkick her out to go to sleep
[14:32:30] Hello
[14:32:30] @pixldev she quit
[14:32:31] Woah
[14:32:50] Yay
[14:32:51] Haven't changed my server nickname for a long time
[14:32:59] God, I miss CGW
[14:33:27] You should tell them using mailto:legislation@nationalarchives.gov.uk?subject=Legislation%20enquiry
[14:33:47] I promise you people actually read feedback
[14:34:22] She actually listens for some reason when I tell her to sleep
[14:34:25] It surprises me
[14:35:30] It's open source too https://github.com/legislation/website-frontend
[14:35:34] @originalauthority
[14:36:04] No commits in 3 years 😭😭😭
[14:36:08] Standard uk gov
[14:36:58] I see some of their repos do get updated
[14:37:05] So it probably just hasn't been touched in 3 years
[14:37:23] I think the US gov has some public repos if you wanna shit on my government too
[14:38:21] Always
[14:38:26] The repo looks to be mirrored from an internal bitbucket / kits
[14:38:44] All UK government public facing services should be open source
[14:38:48] By default
[14:39:06] WHAT
[14:39:19] The UK government has a GitHub account?
[14:39:50] https://www.gov.uk/service-manual/service-standard/point-12-make-new-source-code-open
[14:39:54] @katsumikougen.vn multiple
[14:41:09] I think there's literally 0 reasons a repo shouldn't be open source. If it's fully secure -- which it should be -- there's no reason a code base that doesn't directly include any data should be private
[14:41:10] https://gov.uk/alphagov is the main one for GDS things
[14:41:38] https://github.com/alphagov is the main one for GDS things
[14:41:52] For services, pretty much ye
[14:42:14] There are things that do need to remain private for good reason
[14:42:20] Well yeah, I wouldn't expect them to make the trident source code stuff etc public but
[14:42:33] But front end services there is very little reason
[14:43:33] I mean if you can't find it, you should be able to FOI it and FOI the reason for non-compliance with the service standard
[14:43:46] If it's under gov.uk and public, it should have had a service assessment
[14:44:40] Well even private should
[14:48:17] That's probably not written by anyone in government tbh
[14:51:00] Really any gov. If it’s public facing and no good reason to keep it closed, things paid for by the people should be given to the people
[14:51:10] Trident?
[14:51:47] Nuclear deterrent
[14:52:21] Hmmmmm
[14:52:25] Other governments should do too ye
[14:52:26] I can’t see the logic
[14:52:37] But I can't really comment on the actions of other governments
[14:52:38] Can*
[15:06:59] @originalauthority should love closed source, rip off contracts given they fund his salary though
[15:08:23] Yes, I wholeheartedly agree that they are a rip off
[15:09:10] You are
[15:09:11] 100%
[15:10:21] For the contracts I'm working on at the minute for planning we charge on an application fee basis and we take 95% of the fee
[15:10:41] I.e. if the application cost £100 we take £95 and the council gets the other £5 lol
[15:10:54] and how much benefit does the taxpayer gain
[15:10:56] Zilch
[15:11:01] Well kinda
[15:11:14] They get a far faster service than they would've got from the council initially
[15:11:20] But i agree with your point
[15:11:33] At about a hundred times the price
[15:11:47] We need much stricter accountability for the likes of your work
[15:11:49] That be the nature of capitalism
[15:11:56] Government can't do it all
[15:12:05] But it will never come i dont think
[15:12:06] But it needs to hold its partners to account
[15:12:21] And actually challenge you when you deliver shit performance
[15:12:32] And ensure it has stronger rights
[15:12:50] There is a fine balance for some stuff where industry has and always will have better expertise
[15:12:51] For example last year the government announced the PSDF which was circa £30million to help councils get their planning services back on track
[15:13:05] We took quite a handful of that money from councils in exchange for assisting with their services
[15:13:27] (Versus the alternate solution which is that they would've been fined by PINS and put into special measures)
[15:13:31] Between respecting things like IP rights and ensuring that government doesn't get trapped in exploitable contracts where performance is poor
[15:13:33] So its all a trade off i guess
[15:13:42] But i do agree with all of your points
[15:14:03] One strategic partner has taken over a year to mount a fucking TV on the wall
[15:14:12] But I have to use them cause they have exclusive rights
[15:14:41] And they'll still add 10% to the bill for the inconvenience of them providing us a crap service
[15:15:46] I have big issues with the lack of accountability and the control some partners have
[15:16:03] Which allows them to charge extortionate amounts for a poor service
[15:16:44] There's a definite trade off but it's very far leaning towards the private sector at the moment
[15:17:10] lol wtf
[15:17:18] surely there's someone in government who can mount a fuckin tv?
[15:17:33] don't they have internal maintenance people? or do government contract that out too?
[15:18:07] We contract that out @originalauthority
[15:18:08] Sometimes bureaucracy really does seem very silly and makes something that seems so easy really complicated
[15:18:19] kinda embarrassing that tbf
[15:18:22] savings could be had
[15:18:26] oh yes
[15:18:29] Billions
[15:18:40] So all maintenance is contracted out?
[15:18:47] Depends on department
[15:18:51] But for us ye
[15:19:05] And we get a crap service for an expensive price
[15:19:19] I don't know much about this but wouldn't it make more sense if the government just had its own maintenance service for all departments?
[15:19:38] There's a balance
[15:19:51] But we certainly should have more control
[15:19:56] I'm off for my afternoon walk
[15:20:07] It does feel like a waste to contract out someone for installing a TV...
[15:20:22] I mean they manage the entire building
[15:20:28] They don't just install a TV
[15:20:35] But it's their responsibility
[15:20:43] And they are shit at managing the estate
[15:21:01] Isn't there an oversight body or someone to check their performance?
[15:21:05] No
[15:21:09] That's the issue
[15:21:23] They mostly deliver a poor service at expensive prices with little oversight
[15:21:38] Cause if we refused to pay them and they left, we'd be fucked over
[15:21:41] Cause we're trapped
[15:21:52] With a lot in government
[15:21:57] I guess the tender process for contractors is pretty bad then
[15:22:16] If there's no serious competition on good prices and a good service
[15:34:57] Definitely
[15:59:06] is it just me or are logo kids taking over skyscraper articles
[15:59:14] (wikipedia btw)
[15:59:25] How so
[16:00:11] on like the world trade center articles they have a whole section going into the logos of the complex
[16:00:31] [[w:World Trade Center (1973-2001)]]
[16:00:31] https://en.wikipedia.org/wiki/World_Trade_Center_(1973-2001)
[16:01:00] [[w:World Trade Center (2001-present)]]
[16:01:00] https://en.wikipedia.org/wiki/World_Trade_Center_(2001-present)
[16:03:01] I can bring it up in conversation today
[16:03:09] About to go to Wikipedia day in NYC lol
[16:05:49] fun
[16:06:21] i just feel imo logos having a whole section is kind of redundant and not of value to the articles
[20:52:57] you mean took template and stuff from mh wiki?
[20:53:02] no
[20:53:08] we didn't add the navboxes here
[20:53:22] if i dare revert it the contributors for thfw would jump on me
[20:53:45] I don't understand
[20:53:56] self-explanatory
[20:54:14] I've added a guideline to the mos that requires images to use prefixes (thanks ptw)