hexadec's comments

I am not seeing the long term: what is the value of this over a Shodan API key? They both crawl public IPs and explore subdomains for exposed resources.

Short term, if you have limited the view to companies only with bug bounty programs, it seems useful if you want to complete a bug bounty but don't know where to start. But the mapping of public resources has already been done.

I think showing URLs with sensitive params exposed, services using default creds, or some extra value add over a commodity scanner would be valuable. But then you would just be running a bug bounty/pentesting AI service for bigger enterprises.


Great feedback! I have some of these questions myself, which makes me think about where I'd like to take neobotnet. The URL data needs to be more refined and provide actionable insights to security teams and devs so they can take appropriate actions with the data. There's more to explore within this data, such as JS and API reconnaissance, as well as possible client-side issues. I'm looking to gather user feedback to polish the tool. Thanks for the comment.

https://archive.ph/hL6cX - Paywall Bypass Link


You can set this with Windows' default firewall. Setting to strict mode with no whitelist causes a UAC alert every time a process attempts communication.


You most certainly have; most TV shows have product placement, and while it used to be incredibly awkward, it is still going on today.

Examples: https://www.youtube.com/watch?v=AVcRMh3T_rE https://www.youtube.com/watch?v=CjcDJmioWng


I know about product placement and certainly don't care for it. It isn't intrusive to me as I can just ignore it while getting the information I want. Additionally, it is clearly not the same.

I cannot ignore an individual talking about NordVPN for 3 minutes.


Those examples blend in a lot better than most YouTube sponsors. I don't mind subtle product placement. Those didn't even name the product out loud, they just showed it off a bit.


It is a deliberate oversight: the author picked metrics and tests based on the result, not the other way around. Even the first test (# of jobs per location) should be adjusted to jobs per population or something else, since most people value diversity in their social circles.


This is the inverse of accurate, uBlock Origin already has a MV3 extension in progress (beta at https://ublockorigin.com/ top middle of the page). As others have noted, uBO is not even named in the Google releases, this applies to all MV2 extensions.

Annoyed they are barrelling ahead with this still, but not an attack on uBO or ad-blockers directly. Seems like they even made some changes to service workers to enable ad-blockers as well.

Perhaps gorhill will weigh in with more comments if he sees this. Curious if any of their changes to MV3 actually moved the needle on the issues previously identified.


I am not sure of the ideal solution here. I do not like data caps in theory or practice, but I can see the CSPs' thinking here: get paid for network usage somehow.

It just seems absurd since they are monetizing every part they can (insert capitalism is to drive revenue to shareholders rant here) that is wholly owned by each customer. VMs, IPs, disks, and databases are easy enough to say who owns what. But after that, the networking should be a shared service that is amortized by other product billables.

There is no real incremental cost to sending data in/out of CSPs, so this feels like pure profiteering. They need networking for stuff to work, the fiber is already there, and they are billing for network resources. It is getting blood from a stone and reducing the ability to flee, errrrm, migrate.

Maybe we return to the old days of mobile service and texting schemes. Free data ingress/egress on nights and weekends (or whenever traffic is less).


Perhaps it's less about billing and more about disincentivizing excessive use? Even if the service is free, it's not infinite and is ultimately a shared resource that should not be monopolized.


This looks incredible with the local search and context awareness. Curious if there is a comparison to other tools like photoprism about the advantages of Immich.


As an internal security person (now a consultant for third parties): your approach is interesting, but it still fails where all security tools do: who is going to install the agent on every box? The reason why every asset tracking solution is incomplete is because they are trying to correlate agent data and platform data. This is exacerbated by cloud computing, since resources are much more transient and new servers lack gating by a governance org.

Complex AV tools are cool, but they are so far down the chain of actually exploited vulns that they are not super useful most of the time. Usually the vulns used are old and just unpatched (check the latest DBIR data to see the average age of exploited vulns). So a lot of time and effort goes into cajoling teams to update packages and having them say "we don't even call the vulnerable function."

My biggest issues:

- Asset inventory (SANS Top 20 #1)

- Software inventory (SANS Top 20 #2)

- Tagging of ownership (what does this box do and who do I call if it goes bump in the night)

To answer your other questions:

- Yes, but that is because we created it

- Yes, but only because we have tooling to do it across cloud envs

- No, we only look at deployed bins

- Signature based

- Getting useful code deployed to a box is hard enough; unless there is an RCE, this is so far down the list of threats on our threat model

- No idea, I assume pretty good since we use MITRE references, but making sure those are accurate to what we find is tough

- Yes, all of them (Fedora, Ubuntu, Arch, Alpine)


>The only possible purpose of making laws like this is so that the state can try to enforce some remedy whereby we're told how much we have to or are allowed to pay someone. Who in their right mind wants to sign up for that kind of risk?

How is this the logical conclusion you arrive at? Do you as a company not have a salary range for headcount? Do you not expect prices to be posted by your vendors, leading to a lack of informational symmetry and haggling during every routine interaction?

Imagine if your landlord could arbitrarily raise your rent an untold amount with no notice. You of course have options, move or negotiate. But the informational asymmetry means it is harder for you to know if you are getting a good deal if every other landlord is listing their rent as $1-100000 per month or not telling you until after you spent the time checking out the property only to find it is way outside your budget.

The time cost of candidates finding your job, doing some basic research, prepping for X rounds of interviews, possible homework, and dealing with hiring managers/recruiters is insane once you figure folks usually apply to multiple jobs. Why not just tell them the salary up front like you do for role expectations and company culture drivel? Posting honest salary bands is fine to me, say seniors will get $100-150k or whatever, but the article shows clear malice towards any legitimate transparency up front.


> You of course have options

But in pretty much all cases, the renter incurs possibly substantial costs in time, money, and general well-being. So the mere act imposes a cost on the renter, even if the renter never pays the landlord an extra cent. Landlords know this, and if they can estimate those costs, they are able to increase rent freely as long as the present value of the rent increase is still less than the cost of moving and/or getting a lawyer. Employers have the same power, especially in tight labor markets.


Whether or not posting salary bands for a given position is a good idea or not a good idea, it rubs me the wrong way that a state government somehow imagines it has the authority to mandate this. And for what purpose? Why does a state make a law if not to enforce some as yet undefined remedy? What will this remedy be? I don't think we know yet, but I for one do not want to find out. I have enough other problems to be concerned with.

There are 2 boxes in front of you each containing a tasty red apple. One of those boxes is filled with barbed wire, razor blades and broken glass with an apple in the middle. The other is just an empty box with an apple in it, and it happens to be priced lower.

Which apple do you choose?


The reason for the regulation is the same reason that a lot of regulations are made: companies refuse to do something that’s one of good/common sense/not evil unless they’re absolutely forced to.

The unwillingness of some to comply with the spirit (posting absurd ranges) of the law shows how there is no chance the information asymmetry between worker and the potential employer would be fixed by letting the companies do as they will.


What possible hazards do you honestly feel the WA law is leading to?

I’m all for it. Less for tech workers and more for blue collar workers who don’t have nearly as much career mobility. Having them able to understand the current wider market when looking will only help them get better and more livable work.

