Information Technology (IT)

From some stuff I hear, they take advantage of the hype by overworking ppl and not giving them work life balance

I kinda wanna try out a company like Caterpillar, John Deere, or an infrastructure company
 
Do you guys have any advice on whether or how to bring up discovering and reporting exploits? I've heard very opposite answers from employers.
I once discovered and reported a 0day exploit on Twitch that allowed me to log in on almost any account, including Twitch staff, without having to know their email or password but my communications with Twitch about it were essentially a non-prosecution agreement.
 
Most companies will have a vulnerability disclosure program (VDP) or responsible disclosure program. Looks like they have one as well: ``--twitch.tv/p/en/security/`` (form is at the bottom), and it looks like they are using Bugcrowd. Looks like it's a points-based program only, so you won't get financially compensated.

Some companies actually have a bug bounty program where they will pay you for the report, based on the severity.

However, always read these /security programs first before you just start trying to find exploits on entities, that is not legal, and I would also recommend evaluating if they have safe harbor in place.
 
Anyone here “finesse” their way into QA?

If you know what I mean by finesse then yeah, that way lol
 
I definitely didn't go about it in the best way :lol: I logged in on the account of the staff member I reported it to, a person who has since been fired in a sexual harassment scandal
The agreement was basically that I would get unbanned on Twitch and get to keep an account of my choosing in exchange for not mentioning the exploit to anyone as it was during their Amazon deal

Edit: In case anyone’s curious, here’s how it worked.
Before/during the Amazon deal, Twitch had a predecessor called ********* (JTV).
For well over a year, mostly while the Amazon deal was being worked out, both Twitch and JTV co-existed. Their login systems were connected but the JTV website, which started in 2007 or something, had different security systems.

What could go wrong?
One thing I started noticing was that an email verification link, when received through JTV, didn’t seem so random. In fact it seemed like the exact same link no matter how many different emails I tried to verify. So I set out on decrypting the encrypted email verification and eventually found that it was just SHA-2. The email verification link basically just consisted of a SHA-2 encryption of your username and user ID. That’s all there was to it, and like many email verification links, these also logged you in automatically.

It didn’t work on every account, probably about 70% and all Twitch admins I tried, but the shorter the username, the higher the odds of getting logged in seemed to be
The only prerequisite was that the self-made email verification link had to be done on JTV
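
The token pattern described in the post above, next to a hardened design, as an added example that is not part of the original post and is not Twitch or JTV code. SHA-256, the ":" separator and every name below are assumptions, and the sample emails are constructed.

```python
import hashlib
import secrets
import time

SAMPLE_EMAILS = ["a@example.test", "b@example.test", "c@example.test"]  # constructed

def weak_token(username: str, user_id: int, email: str) -> str:
    # Pattern from the post: an unkeyed SHA-2 digest of username and user ID.
    # Assumed details: SHA-256 and the ":" separator. The email is never used,
    # so the link is identical for every address and holds no secret.
    return hashlib.sha256(f"{username}:{user_id}".encode()).hexdigest()

class VerificationTokens:
    """Random, single-use, expiring tokens bound to one email address."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (user_id, email, expires_at)

    def issue(self, username: str, user_id: int, email: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the digest is stored, so a leaked table yields no usable links.
        self._pending[digest] = (user_id, email, now + self.ttl)
        return token

    def redeem(self, token: str, now=None):
        """Return (user_id, email) to mark as verified, or None.
        Redeeming confirms the address only; it never creates a session."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._pending.pop(digest, None)  # pop makes it single use
        if record is None or now > record[2]:
            return None
        return record[0], record[1]

def tokens_repeat(issue, emails) -> bool:
    """Regression check for the symptom in the post: True if one account
    gets the same token for different email addresses."""
    seen = {issue("constructed_user", 1001, email) for email in emails}
    return len(seen) < len(emails)
```

Running `tokens_repeat` against a token issuer in a test suite catches the "exact same link" behaviour before it ships.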
 
nah

buncha yuppies for the most part
I would agree, but where else will you pull in $225k + stock and not be a C suite employee?

It’s a diff vibe for sure but on the positive side imo. Once you get away from customer support roles, it straight “get your sh** done”.

No one is clock watching you, making sure you get your hours in etc.

There may be some Pocket watching lol
“How was their bonus bigger than mine” 😅

But where don’t they pocket watch
 
Did they pay you a bug bounty? If you look on hackerone[.]com you can see what companies participate. If you’re a decent pen tester, it’s an easy way to make some extra cash.

I picked this book up about a year ago. It’s pretty good fwiw.
 
This is solid work. They def shoulda paid you a bounty lol
 
Normally they at least put you on a "security hall of fame" but I was seen as a sort of notorious figure amongst Twitch's security team so I was kept off of it.
I mainly just wanted my permanent ip ban to be wiped so I wouldn't have to keep using a VPN and a new account every other day. As you can probably guess, I initially got a permanent ip ban for account theft.

In a way they did pay me. Aside from getting my suspensions wiped, I was also allowed to keep an inactive stolen account of my choosing. Because it's effectively the 'rarest' username on the platform, in the past year or so I've gotten legitimate offers for it ranging from $6k to $10k.

 
Anybody got a home lab setup?

Just set up a little active directory Lab and gonna use that to experiment. Trying to figure out where to start.
 
I used to have a rack, routers and switch. But I generally just use VMware Workstation…

Cisco has dCloud. You can get a free Azure account. VMware Player is free. Microsoft gives evaluation copies of their software. Kali Linux is free. Most Linuxes are too (not named Red Hat which is really for the support but you can also get that for free). Cisco Packet Tracer is free if you get a Netacad account. GNS3 and EVE-NG are free. Developer libraries are free.
 
I remember you educating the forum on how lucrative selling rare account handles could be in a random thread way back when but had no idea you were bandito’n them thangs. :lol: :pimp:
 
Used to have switches and a bunch of diff devices but essentially they took up too much room for something I could do virtually or cloud based. Still got my cheese grater Mac Pro though, probably get rid of it unless I figure out a project to do with it.
 
damn thats fire bruh! congrats to you

idk where else, thats what im tryna figure out :lol:
 
Devs are making $225k at FAANG? :nerd:
 
What kinda non management titles are hitting that 225k at FAANG?
SWEs
Network engineers
PMs
Security analysts

Folk really should check levels.fyi

Those TCs are real lol

Now that 225 isn’t all cash, but cash + RSU + cash bonus will come up to that.



