> "Technical Note: This file, pocorgtfo15.pdf, is valid as PDF document and as a ZIP file of the relevant source code. Those of you who have laser projection equipment supporting the ILDA standard will find that this issue can be handily projected by your laser beams."
So this file is a PDF that's also a ZIP, and the archive contains - among other things - a song in MP3, and another PDF that's also a Git repo. Oh, and the whole bundle is supposedly laser-projector-compatible (that fact I can't verify - I have no access to such equipment).
> The polyglot file pocorgtfo10.pdf is valid as a PDF, as a ZIP file, and as an LSMV recording of a Tool Assisted Speedrun (TAS) that exploits Pokémon Red in a Super GameBoy on a Super NES. The result of the exploit is a chat room that plays the text of PoC‖GTFO 10:3. Run it in LSNES with the Gambatte plugin, the Japanese version of the Super Game Boy ROM and the USA/Europe version of Pokémon Red.
Has anyone ever been able to make a polyglot executable file that runs on Windows, Linux, and macOS? (Without cheating by adding a PE loader to Linux or anything like that)
All of those file types use header magic (if for macOS you mean Mach-O), so you can't combine them. For macOS containers (app bundle, DMG), though, you might be able to, depending on how strict the OS is about having random data prepended to the container. But that still won't let you combine PE and ELF.
True, but Linux executes some things that aren't ELF and Windows executes tons of things that aren't PE. I wish someone would come up with something, because how awesome would it be to be able to distribute a single executable for all desktop platforms?
If the goal is any execution, you can do it on older (but still used in some places) Windows versions with COM, or if a) it's possible to construct a minimal executable without non-text characters, or b) there's a scripting engine that accepts non-text characters (raw, not just encoded), you could do it with a script. Off the top of my head I can't think of what else you might run in Windows, but I'm much less familiar with Linux.
I wrote an ILDA parser in Rust [1], and I also have a virtual EtherDream laser projection DAC (also in Rust [2]) that you can play this against if you're interested.
I'll try to fire this up tonight and see what renders.
If the 0day in your familiar pastures dwindles, despair not! Rather, bestir yourself to where programmers are led astray from the sacred Assembly, neither understanding what their programming languages compile to, nor asking to see how their data is stored or transmitted in the true bits of the wire. For those who follow their computation through the layers shall gain 0day and pwn, and those who say “we trust in our APIs, in our proofs, and in our memory models and need not burden ourselves with confusing engineering detail that has no scientific value anyhow” shall surely provide an abundance of 0day and pwnage sufficient for all of us.
Consistent with the journal's quirky, biblical style, this book comes with all the trimmings: a leatherette cover, ribbon bookmark, bible paper, and gilt-edged pages. The book features more than 80 technical essays from numerous famous hackers.
It seems like a beautiful edition, I'd like to buy it. However, shipping to Europe costs almost as much as the actual book ($25). Are there other sites that sell it? My local Amazon usually has most No Starch books in stock, but I can't find this one.
FWIW, anyone shipping single books from the US to Europe will have roughly the same shipping price; for sure you won't find any under $20, unless some European web store has ordered a few hundred copies for redistribution.
Both the linked PDF and the archive.org PDF were downloading quite slowly for me -- I've uploaded a copy here which (for the time being) should be reasonably quick: http://lithium.redfern.me/pocorgtfo15.pdf
What a wonderful publication. Reminds me of the Internet pre-2000. Fun times, and kudos to you if you are a PoC || GTFO contributor/publisher and reading this.
Not the main PDF. If you unzip (!) the main PDF, you get the copy of the "Git as PDF" article in its own separate file (PDFGitPolyglot.pdf), and that latter file you can use as a git repo.
This is all impressive, but the PDF format is what makes all the magic possible. Among its features that make such a thing easily achievable:
- The relevant table of contents of its data is located at the end, unlike most other file formats. (You can put it near the beginning too, known as "optimized PDF", to make displaying the first page faster when downloading sequentially.)
- The PDF format is, surprisingly, text with embedded byte streams which can contain any data.
- It does require a %PDF marker near the beginning, but it doesn't need to be first.
- It natively supports ZIP compression, so embedding a ZIP inside is easy.
- ZIP allows "cheating" by not really compressing data, thus allowing data verbatim and allowing large chunks of arbitrary data, as long as you can control the first few bytes.
With these technical freedoms, building a PDF that looks like multiple file formats is more accessible.
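The two end-of-file properties mentioned above (a PDF reader finds its cross-reference table through the `startxref` pointer near the end and ignores bytes it is never pointed at; a ZIP reader finds its end-of-central-directory record by scanning backwards from the end and tolerates data before the archive) are enough to build a working PDF/ZIP polyglot. The following is an added example written for this thread, not code from PoC||GTFO or from the commenter: it places the PDF's xref and trailer inside the ZIP archive comment (up to 65535 bytes), so both parsers find their own structure at the tail of the same file, and it then identifies the result as both formats rather than stopping at the first magic. It assumes the commonly implemented tolerance of the `%PDF-` header appearing within the first 1024 bytes; the member files are constructed sample data.

```python
"""Build a PDF/ZIP polyglot with the standard library, then identify it as both.

Layout of the output:  [PDF header + objects][ZIP local headers + central dir +
EOCD][ZIP comment = PDF xref + trailer + startxref + %%EOF]
"""
import io
import re
import struct
import zipfile

ZIP_EOCD_SIG = b"PK\x05\x06"


def build_polyglot(zip_members: dict, page_text: bytes = b"Hello, polyglot") -> bytes:
    # 1. A minimal one-page PDF. Objects go first; the xref/trailer come later.
    content = b"BT /F1 24 Tf 72 700 Td (" + page_text + b") Tj ET"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >>",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    ]
    head = bytearray(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")  # binary-marker comment line
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(head))
        head += b"%d 0 obj\n" % num + body + b"\nendobj\n"

    # 2. The ZIP archive, stored (no compression) so member bytes stay verbatim.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, data in zip_members.items():
            zf.writestr(name, data)
    archive = bytearray(buf.getvalue())
    # zipfile wrote an EOCD with an empty comment: signature at -22, length 0 at -2.
    assert archive[-22:-18] == ZIP_EOCD_SIG and archive[-2:] == b"\x00\x00"

    # 3. The PDF xref table and trailer, which become the ZIP archive comment.
    xref_pos = len(head) + len(archive)  # the comment starts right after the EOCD
    xref = b"xref\n0 %d\n" % (len(objects) + 1) + b"0000000000 65535 f \n"
    for off in offsets:
        xref += b"%010d 00000 n \n" % off  # each xref entry is exactly 20 bytes
    trailer = b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    comment = xref + trailer
    if len(comment) > 0xFFFF:
        raise ValueError("PDF trailer does not fit in a ZIP comment")
    archive[-2:] = struct.pack("<H", len(comment))  # patch the EOCD comment length
    return bytes(head) + bytes(archive) + comment


def identify(data: bytes) -> set:
    """Return every format the blob is a valid instance of, not just the first magic."""
    kinds = set()
    # PDF: header within the first 1024 bytes (assumed reader tolerance) and a
    # startxref pointer near the end that really lands on an xref table.
    header = re.search(rb"%PDF-\d\.\d", data[:1024])
    sx = re.search(rb"startxref\s+(\d+)\s+%%EOF", data[-2048:])
    if header and sx and data[int(sx.group(1)):].startswith(b"xref"):
        kinds.add("pdf")
    # ZIP: EOCD found in the tail, central directory parses, and every member's
    # CRC checks out (prepended data is tolerated, as in self-extracting archives).
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if zf.testzip() is None:
                    kinds.add("zip")
        except zipfile.BadZipFile:
            pass
    return kinds


def extract_members(data: bytes) -> dict:
    """Read the ZIP side of the polyglot back out, name -> bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


if __name__ == "__main__":
    # Constructed sample members, standing in for the source code PoC||GTFO ships.
    poly = build_polyglot({"hello.c": b"int main(void){return 0;}\n",
                           "notes.txt": b"sample payload\n"})
    print(sorted(identify(poly)), sorted(extract_members(poly)))
```

The point for anyone writing a scanner or upload filter: `identify` deliberately checks both ends of the file, because a classifier that trusts the leading magic alone will call this a PDF and never look at the archive members, while one that only consults `zipfile.is_zipfile` will miss that it also renders as a document.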
I think each issue does include the relevant source code. So if you have the PDF file and are reading about the code, you already have the code available and you don't need GitHub.
We number with BCD in honor of the HP48 calculator's floating point implementation, which matches decimal rounding errors. 0x0A, &c., are reserved for special issues in the future ;-)
They're not necessarily unbiased or even anonymous (in a meaningful way). The problem which is set might somehow favour applicants from certain backgrounds. The language used might be unnecessarily complex or use local idioms. The comments and variable names might betray the candidate as a non-native (but perfectly proficient) English speaker. If the candidate uses company hardware, the keyboard may be set to a different layout to what the candidate is used to.
There are lots of ways any test which (ostensibly) aims to test raw ability can be very biased indeed. A lecturer of mine once told a story about a horrible experience he had during an exam trying to whisper an explanation of the rules of Checkers to a student who was from a country where the game was rarely played - the possibility hadn't even crossed his mind.
Declaring the interview style you use as "unbiased" from the start seems like a great way to get complacent and have large amounts of bias creep in unnoticed.
Be intimately familiar with, and fully accepting of and comfortable with, every culture that applicants may potentially come from.
Or, explicitly require / assume that all applicants be fully familiar with your culture.
Or, define an industry standard artificial culture - whether implicit or explicit - and require everyone on both sides to be familiar with it. This could include things like suits and golf for execs, hoodies and beer for techies, social justice activism for webdevs, etc...
I'm hardly an expert, though I'd probably suggest focusing on avoiding the four pitfalls I mentioned. Like any hard process, it involves working hard to achieve gradual improvement, learning from others where appropriate.
However, I can guarantee that resting on your laurels and calling your process "unbiased" from the start won't work.
Under US labour law, any test where minority candidates don't pass at four-fifths the rate of others is presumed to be racially biased unless proven otherwise in court.
Judges don't have to study stats and end up writing most of these laws.
Your test may work perfectly and prove that the only people who can "do the work" within your company's structure are a narrow demographic of $current_majority.
If your company structure/culture is broken your "unbiased" test probably will be too.
> a ton of unpaid work for companies they're applying to
Okay, that's a logistical objection to work-sample tests, which is easily rebutted with, "Simply don't assign _a ton_ of unpaid work" to your candidates.
The process we use for hiring software developers at my current employer:
1. Clone this git repository.
2. Build a trivial feature (e.g. adding a search feature to an existing blog platform).
3. Send a patch or pull request.
Everyone who's being considered gets the same task, and we base our decision off of several factors: Did they implement a working solution? How much new code did they need to create (knowing that the framework does 99% of this already, and is documented)? If so, did they write unit-testable code? Did they write unit tests? Did they find any of the intentional vulnerabilities?
It should, realistically, take most people 2-3 hours at most to complete this task successfully. If they're familiar with PHP development, probably 15-20 minutes. Furthermore, it can be completed at their leisure.
If that seems unreasonable, contrast it with the cost of taking a day off work to get dressed up and perform an in-person interview during business hours with complete strangers who are scrutinizing you for fitness, with a very high chance of not getting accepted.
The burden of work-sample tests shouldn't be on candidates; the burden should lie with the company to ensure they're collecting objective facts about candidates rather than making subjective decisions.
In situations where a subthread is already off-topic and destined for the bottom, I try to make a substantive contribution. It's possible to pull out some interesting conversation even from the dregs.
It's true that it grows the subthread, but the [-] button exists now.
Hah, I suppose it is! But sadly, it's the only effective solution I've found for dealing with e.g. actual Nazis that tried to encroach on my social circle.
I'm not quite sure how you get from "this can be misread" to "break their stubbornness or isolate them". Are people who might be put off by the title "stubborn"?
I see, I had only thought of it in terms of people who might be put off. Those who actually open the book would soon realise that it's not that meaning.
Fortunately, there are no intentional racists in that title.
While I presume you mean to say that you think that people who go around calling others morons are the real morons, you've written it in a way that suggests you think such a thing is linked to clinical mental retardation.
I've seen it frequently used on American websites, and on numerous articles submitted to HN (social issues in the US being a frequent topic of inquiry)
I don't think it's surprising that people would read it that way.
Naked PoCs mean that if there was a particular price in a stock/future/whatever that had more volume done at it than any other price for the day... it's "naked" the next day until the price returns to it.
E.g. if today APPL traded at $105 for more shares than any other price, and tomorrow the price is $106, we would say the naked PoC is $105 until it was revisited.
I love this <3.