CTF style challenges like Praetorian's are the standard for offensive security roles. They are a fun time and really let the teams understand how you approach things.
Only bad experience with that was Patreon's CTF, the containers didn't work so I spent the hour interview trying to get it to run. Horrible experience.
Yeah, I like the CTF style questions a lot, and would love to see something similar for the more "creative/production" based jobs.
Don't think it would be very appropriate to give someone whose job it is to develop novel/new stuff a challenge like that, but at the same time there are parallels.
Often development jobs require you to read unfamiliar code that can be poorly documented and then either fix or integrate something new into a system. Would love to see something to assess a candidate's ability there.
Corellium was a big commercial player and made headlines. Anyone using this privately (and especially non-commercially) probably isn't at risk of action from Apple, although I wouldn't be surprised if Apple eventually tries to go after publicly hosted images.
I really doubt "literally" every software you used or worked for has multiple competitors doing the "exact" same thing. VC money can temporarily prop up multiple competitors doing the same thing, but over time, winners definitely spring up.
A lot of software that on the surface does the "exact same thing" often has different nuances, either to the business or the product that makes them appeal to different niches in the market.
Understanding the nuances and exploiting the market niche is your only goal when starting a business. It's not something you ever do or think about when working on software, but people who strike it out on their own quickly realize that simply building is not enough, you MUST give people a good reason to use your software. Just because you don't see or understand the nuances, does not mean they are not there.
I can't think of a single software that does not have fierce competition. Just today: YouTube, Slack, Chrome, Claude, Burp Suite, iTerm, Obsidian, Nest, Outlook, Zillow, AWS, Cloudflare, GitHub, Roborock, JetBrains.
They could all be replaced and do 90% of the job immediately and a week later figure out the last 10%.
As for work, Coinbase is not the only exchange, Square is one of many, Meta is another social media site.
1. Business gets a sale they might not have received otherwise.
2. Business receives funds in their preferred currency.
3. Customer gets what they want.
Not much different than me going to Vietnam with USD and then trying to buy a Nước mía (sugar cane juice) from a local vendor that can't legally accept USD.
My only alternative is to rely on a third party to convert my USD to VND. Which begs the question, why isn't this digital and why do we need the middlemen taking their cut of the transaction? Expand that out into larger purchases, which then imply you're a criminal unless you provide full KYC.
> Expand that out into larger purchases, which then imply you're a criminal unless you provide full KYC.
Well yeah, that's the whole point isn't it? Like, the business doesn't want to be getting paid out of ransomware ransoms, they want money in a clean currency, and so at some point someone has to exchange clean money for ransom tokens, and if you offer to do that without verification then you're essentially part of the ransomware industry and people will treat you accordingly.
* business doesn't want to be getting paid out of ransomware ransoms
Exactly why I said my point 2 above.
* at some point someone has to exchange clean money for ransom tokens
There is no such thing as "clean money" or "clean currency". There is fiat (aka: government money), which definitely isn't something I'd describe as "clean". It is usually backed by a bunch of people who tend to kill others (aka: US military) and that tends to be rather... dirty.
What is really going on is that they are referring to the crypto industry as some sort of "ransomware ransoms" and if you combine those two nonsense arguments (ransomware+clean), with the HN crypto hater bias, I didn't see it worth the effort to continue on, regardless of the downvotes I received.
He initially refused to retract the initial posts he had made.
He made a later post that said the hacker was a former employee being indicted and that he (the hacker) had contacted the media and leaked fake info about the hack.
Problem is that Brian never made it clear that the hacker was his own source for all the previous posts.
It sounds like the journalist(?) was in a tough spot, because it sounds like he either had to out his source, which journalists don't seem to be keen on doing, or leave it up.
How many future potential sources are going to go to him or avoid him now?
Yep, but I think there is the side of journalist responsibility to the truth to consider as well.
The moment he was aware his source likely provided him with incorrect information he should have, at minimum, retracted his previous posts.
He did not necessarily have to share who the source was, but he could inform that new information came to light that made it so he could not trust the information he based his posts on, so he was retracting it.
I'm not a crypto hater (I used to work security at Coinbase) but I think that while a Chrome or iPhone zero-day might be worth less in bug bounty, it's worth more for a security engineer's career long term.
Having the iPhone bug and the accompanying conference talk and blog post will allow you to get hired by nearly any good security or tech company. No one cares about blockchain bugs except other crypto companies. When I and a bunch of other Coinbase engineers were looking for jobs we were looked down at for even working in crypto. And we weren't even on the blockchain team! Just regular engineers.
I myself have dedicated a couple of months to testing Gnosis and Curve, which each have $2 million bounties, but turned up short. Last year I switched to ML-based fuzzing research and was able to speak at DEF CON and got crazy offers after publication.
Serious Chrome and iPhone bug chains can be worth this much on the market, but the amount of engineering effort that goes into supporting that kind of pricing (across all the buyers, aggregated) is extreme. The subthread that unfolds from this comment is about fuzzing, but finding a vulnerability is a small part of actually selling it on the market.
Vendor bounties for these kinds of vulnerabilities are going to tend to be sharply lower than this crypto bounty, which was for a directly monetizable vulnerability. But there's a lot going into that vendor bounty price point.
Can you share more about ML-based fuzzing? I do pretty basic fuzzing and that's been pretty useful at work for testing, and am keen to learn about better, more modern approaches than mine!
Fuzzing is a massive field now. I don't know what you are doing specifically but this is a collection of good related papers: https://github.com/wcventure/FuzzingPaper.
I would find what is most like your problem domain and dig in :).
Very unlikely. There is a massive payday for the first person to find a major bug. Even if that bug does not result in extra crypto in your pocket, it doesn't matter. It's trivial to make money on downward crypto price swings as well. Find bug, take short position, release bug, collect payday.
Probably not in scope for Project Zero? Or they find other stuff more interesting.
Security researchers don't work for free. I did some light searching and I couldn't find any sanctioned audits against Bitcoin Core. The Bitcoin team should hire someone like Trail of Bits to do a multiple-month audit.
But the "security researchers" wouldn't be working for free. Bitcoin has had an enormous bounty on its head for at least 10 years: "hack me and get paid millions/billions". It would be naïve to think there aren't highly skilled people continuously trying to do that.