Episode 35: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Douglas Day, a bug bounty hunter known for his unique methodologies and collaborative spirit. We talk about his approach to finding new endpoints in applications, his ingenious technique of exploiting Intercom widgets, and collaboration preferences and tips at LHEs. We also touch on the struggle of justifying hobbies that don't generate income and the importance of finding enjoyment in the process. We hope you enjoy this episode as much as we did!
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Today’s Guest:
https://twitter.com/ArchAngelDDay
https://hackerone.com/the_arch_angel
https://bugcrowd.com/arch_angel
100 Short Bug Bounty Rules
https://twitter.com/ArchAngelDDay/status/1661924038875435008
Blog about Intercom
https://dday.us/2021/11/03/h1vendorATO.html
Blog about Mapping Hacking
http://dday.us/2021/10/09/Mapyourhacking.html
Timestamps:
(00:00:00) Introduction
(00:03:01) Douglas Day’s infosec and LHE intro
(00:10:42) Evolution and philosophy of collaboration
(00:23:08) Balancing Collaboration and Money
(00:29:43) Recap of 100 Short Bug Bounty Rules
(00:37:15) Bug-hunting Methodology
(00:45:45) Using match and replace to find new endpoints in bug hunting
(00:49:07) Exploiting Intercom widgets
(00:52:35) Facing Failure and enjoying the journey
(00:57:00) Managing work-life balance
(01:05:55) Auth-Z testing and documentation
(01:12:25) Vulnerabilities in applications
(01:17:05) Mapping Hacking Sessions
Joel Margolis (teknogeek)
Alrighty.
Justin Gardner (@rhynorater)
Boom, we're rolling. Douglas, welcome to the pod, man.
D Day
Thanks, good to be here.
Justin Gardner (@rhynorater)
Um, so I guess we'll start out today. We've got to, got to warm up, got to warm up our, our podcasting voices, our podcasting element. Um, tell me. Yeah. Hey, this guy's got it already. Let's, uh, let's, let's start off. Why don't you tell us a little bit about how you got into InfoSec and how you eventually got into bug bounties. Cause right now you're, you're on the program side as well as on the hacker side. Right.
D Day
I'll work on my radio voice.
D Day
More or less, yeah. I spend less time on the program side these days. However, I am associated with the Elastic Program. So, although I'm less and less active as the days go on.
Justin Gardner (@rhynorater)
Mm.
Justin Gardner (@rhynorater)
Nice.
Justin Gardner (@rhynorater)
Is your role just shifting with that or is it?
D Day
Yeah, yeah, I do a lot more infrastructure side security. So working on Terraform, Kubernetes, sort of running our InfoSec infrastructure and I passed on the bug bounty to our product security team. But we can get into that a bit later.
Justin Gardner (@rhynorater)
Yeah. So, so tell me about how you landed this, uh, this position at Elastic and kind of work back in your InfoSec history.
D Day
Sure. Yeah, I'll work backwards because it's probably a good way to go. So back in 2020, I was the number one hacker on the Elastic Bug Bounty program. It was a very small program then. I think we were offering like 1K crits. And for a very complicated tech stack like Elastic, that's pretty suboptimal. But I was the number one hacker nonetheless. And then around the turn of the...
Justin Gardner (@rhynorater)
Hmm.
D Day
turn of the new year they're looking for someone to run the Bug Bounty program and they thought why not take our number one hacker and have him build up the program. So I applied, threw my hat into the application process and landed the job and then built out the Bug Bounty program over Elastic. It launched about two years later and I think we had the sixth most active Bug Bounty launch on the HackerOne platform. So yeah, we saw a...
Justin Gardner (@rhynorater)
Oh nice.
D Day
We had a very, very wide scope to start, so we saw a lot of submissions. But yeah, it was a pretty successful launch. But then moving backwards, this was, goodness, this was 2020, like the dawn of 2020, and I started my Bug Bounty career in... Yeah, yeah.
Justin Gardner (@rhynorater)
Hmm. The year of darkness, the year that everything changed.
D Day
Right, I know, right? But I started bug bounty, see, about two years before that, in October of, or I guess about a year and a half before that, in October of 2018, I'd gone to, I'd gone to BSides Portland in which Ben Sadeghipour, NahamSec, was running a, what do you call it, a presentation at BSides and I was like, oh hey, that looks pretty fun. I started my...
Justin Gardner (@rhynorater)
Nice.
D Day
HackerOne account that evening and then got my first bounty about two months later. Yeah.
Justin Gardner (@rhynorater)
Wow, dude, so Ben is a part of your origin story, huh? You met him right off the bat at that conference and that's how you weaseled your way into Bug Bounty?
D Day
Yeah, yeah, he is.
D Day
Yeah, yeah, and so it was kind of a, it was pretty slow at the start. I didn't expect to be part of the community like I am today. I didn't expect to ever be participating in live events. But about a year after I started, I created my account. I remember getting my very first live hacking event invite. I was at the gym, I was about to start a workout in the morning over at 24 hour fitness. And I get an email that's like, and this is like, shoot, this is mid July. And so the...
Joel Margolis (teknogeek)
Hehehe
D Day (03:41.365)
I was definitely a last minute addition. Like I didn't try to get an invite or anything. I think somebody dropped. And so I got a 702 invite for 2019, for the 2019 Vegas. And I was like, oh, what is this? What is the live hacking event? What is a dupe window? I don't know. So I showed up and I remember, I think I was talking to, I show up and not knowing what to expect. Very first live event. I think I-
Justin Gardner (@rhynorater)
Mm-hmm.
Justin Gardner (@rhynorater)
Nice dude.
D Day
I mistakenly didn't realize the value of the dupe window and so I spent maybe like two hours in the dupe window hacking and then thought I would do all my hacking at the event itself.
Justin Gardner (@rhynorater)
Oh no.
Joel Margolis (teknogeek)
Oh no.
Justin Gardner (@rhynorater)
Okay, okay, so for those of you that aren't familiar with live hacking event structure, so typically how it works, there's a, before the live hacking event, there is a window, you know, normally something like a week and a half, two weeks maybe sometimes, of period where you can, where everyone's hacking on the target, everyone knows the scope, everyone knows the policy, everything like that. But during that period, if you find any bugs that anyone else has found, and you submit them, then those dupes get split.
So what Douglas is saying here is that he didn't hack at all during this period where he was supposed to be hacking and prepping. And because of that, he probably lost himself the opportunity to get in on a bunch of bugs that he would have otherwise found and split those, you know, some of those low hanging fruits that other hackers will find, split the bounties on those. Is that, did I summarize that well enough?
D Day
Yeah, yeah, that's pretty accurate. So I came into the dupe window with like one event and I remember showing up to the welcome party, I think it was at Topgolf that year. And I was like.
Justin Gardner (@rhynorater)
Hmm. Dude, no, that was I missed. I wanted to go to that so bad. I so I was flying in and I was on the plane and then like a sandstorm hit and it had to defer to a different airport and I missed your first live hacking event. You know, so sad, dude.
D Day
Oh, yeah, that's too bad.
Joel Margolis (teknogeek)
Wow. A sandstorm. That's crazy.
D Day (05:35.661)
Yeah, yeah. But so I'm there and I'm like talking with other people. I have no idea who these people are by their face. But I think like, I think like Pier Luke, you know, Ramsexy came up to me and he's like, so who are you? And I told him who I was and he like looked at my profile and he even asked, he's like, so how did you get invited to this? Because I, not that he was being mean or anything, but like I had no connect, I wasn't the plus one. I didn't know anybody else. And I was kind of like a
Justin Gardner (@rhynorater) (05:39.728)
jealous. Mm.
Justin Gardner (@rhynorater) (05:45.85)
Mm-hmm.
Justin Gardner (@rhynorater) (05:49.18)
Hahaha!
Joel Margolis (teknogeek) (05:50.094)
Hehehehe
Justin Gardner (@rhynorater) (05:55.326)
No! What the heck?
Joel Margolis (teknogeek) (05:55.724)
Yeah
Wow.
Justin Gardner (@rhynorater) (06:00.329)
No. Mm-hmm.
D Day (06:05.453)
a nobody hacker. I have no idea how I got invited. I was just like a random last-minute addition. So I knew no one. But I had a great time at the event, learned, okay, you actually use the dupe window to hack. But most importantly, I made a couple of good connections who then plus-oned me to the Los Angeles event a couple months later. And then after that, I've sort of been on the live event train for the last four years.
Justin Gardner (@rhynorater) (06:11.861)
Mm-hmm.
D Day (06:34.166)
or three years, four years, yeah.
Justin Gardner (@rhynorater) (06:34.412)
Nice, yeah man, it's a ride, man, it really is. So, I mean, you went to that Los Angeles live hacking event and is that when the sort of collaboration train started? You know, from those connections you made and then you started collaborating every single event? Because that's, I mean, that's your go-to MO now, right?
Joel Margolis (teknogeek) (06:36.376)
Wild.
D Day (06:48.71)
Yes.
D Day (06:53.741)
Yep. Yeah, yeah, exactly. So I was a plus one. And given this was my second, so the LA event was my very second event. I still wasn't exactly sure how they were supposed to work. And so I was a Hogarth 45 plus one to that event. And I was like, hey, since I'm a plus one, I assumed that since I was this plus one, we'd have to team up. And so, and he was chill with it. And then I don't remember why, but we wanted to have like a.
Justin Gardner (@rhynorater) (07:08.444)
Mmm, yeah.
D Day (07:19.745)
a more bigger team. And so I think we grabbed we grabbed Remsexy and we grabbed Mr. Tux Racer for our for our team. Yeah, yeah, yeah. And so we just kind of went ham. I think it was Air Force that time. It was Air Force and Verizon Media and we just went ham on them. And we were we were a bit salty because this was before the Best Collaboration Award was a thing. I think they started it the like the following event or the event after. And so we like obliterated as a team.
Justin Gardner (@rhynorater) (07:25.698)
Mmm, great hackers.
Justin Gardner (@rhynorater) (07:32.442)
Mm.
Justin Gardner (@rhynorater) (07:43.909)
Mmm.
Joel Margolis (teknogeek) (07:47.319)
Yeah.
D Day (07:50.509)
and would have gotten the best team award, had that award existed at the time. But no, it was a great event. We did really well, and then subsequent events, I've just kind of gotten invited over and over again, fortunately. And yeah, I had such a fun time just kind of collabing during the dupe window this time, hopping on video calls.
sharing ideas, just kind of hanging out, talking about life or whatever with the guys and I just kind of haven't gone back. That's kind of how I've done most subsequent events. I have a number of events, like one or two, where I wasn't really... I think some of the virtual ones where I didn't collab as much. But for every event that I've been to in person, I've for sure tried to team up with one to...
Four other hackers, I suppose.
Joel Margolis (teknogeek) (08:48.854)
Yeah, I think it's really interesting to see how collabing has changed over the years in live hacking events. I think in the beginning, there was very little collaboration that was done and it was very like, only like tightly knit groups of people or people who were used to hacking with each other and now I feel like everybody collabs with everybody. There's a lot more knowledge sharing and a lot more open collaboration and that kind of stuff nowadays. But yeah, so when you're collaborating, would you say it's...
D Day (09:12.824)
There is, yeah.
Joel Margolis (teknogeek) (09:17.13)
mostly like the same people or do you split it up or?
D Day (09:22.113)
I think more or less the same people. I guess I just like collabing with people that I know and that I'm already friends with. Every once in a while, I'll want to collab with someone, but they'll also want to collab with someone else and so we'll bring them in and then that person becomes a friend of mine. But I've got a number of regulars, like all the French Canadians, almost all the French Canadians I've collabed with. Like I've collabed with DC, I've collabed with Pierluque, I've collabed with Sebastian, I've collabed with...
Justin Gardner (@rhynorater) (09:34.106)
Mm-hmm.
Justin Gardner (@rhynorater) (09:49.113)
Hmm.
D Day (09:50.497)
Jrock17 now. So a bunch of French Canadians. I've collabed with Alex Chapman a lot. I've collabed with RezZero a lot. Space Raccoon. Corvax even. So there's been a number of hackers that I've kind of worked with. Oh, Today Is New has been a common thread. Hussein. I mean I could go on and on the more I think about it.
Justin Gardner (@rhynorater) (09:52.141)
Mm.
Justin Gardner (@rhynorater) (10:14.448)
Yeah. Well, at the most recent live hacking events, I've kind of seen you with the group of Rezo and Alex Chapman.
D Day (10:23.726)
Mm-hmm.
Justin Gardner (@rhynorater) (10:23.76)
And that seems to be a pretty functional group that you guys have held across a couple live hacking events. And I noticed one of the main problems that I have with collaboration, because both Joel and I were a part of Disturbance, which was a giant hacking team that we had going on for a little while. But the way that we saw that, or the way that it worked.
worked out was there was so much variation in how everyone would perform at the live hacking events. So if you performed well, then you were losing money a lot of the time. But if you performed poorly, you were feeling like you were dragging your friends down. So those are both negative outcomes for me. This is why I rarely collab at live hacking events anymore beyond, or at least not full split collabs.
D Day (11:14.67)
Mm-hmm.
Justin Gardner (@rhynorater) (11:20.132)
And in the only scenario when it really works out well, for me is when we both add equal value and it just kind of edges out and we both have fun with it, right? And Joel and I were able to pull that off at a live hacking event earlier this year, and that was great. But so my question to you is like, how do you deal with that up and down of collaboration and how do you communicate with your long-term collaboration partners?
D Day (11:30.982)
Uh huh.
Justin Gardner (@rhynorater) (11:49.156)
to make that work.
D Day (11:50.701)
Yeah, so I should preface this by saying I've been to a lot of events. I think that if a live event was something that I knew was only going to happen once, then I'd have a lot more to lose. But, goodness, after 15 live events, I've been the under-contributor on some, I've been the over-contributor on some, and there have been some where it's been kind of in the middle. And I think that the sting of under-contributing and the sting of...
Justin Gardner (@rhynorater) (12:12.665)
Mm.
D Day (12:19.749)
losing money because you are an over contributor, they both sting less than the sting of showing up to an event by yourself empty handed. And so I think collabing and guaranteeing decent success because you've got a solid team, even if you might under contribute and feel like a bozo or you over contribute and feel like you lost some money, in the end it's basically guaranteeing, it's I guess hedging your risk.
Justin Gardner (@rhynorater) (12:28.24)
Mmm.
Joel Margolis (teknogeek) (12:29.303)
Yeah.
Justin Gardner (@rhynorater) (12:36.785)
Hmm.
Justin Gardner (@rhynorater) (12:40.401)
Mm-hmm.
Justin Gardner (@rhynorater) (12:49.502)
Mmm.
D Day (12:51.102)
diversifying your bug bounty portfolio in a way. So over the course of many events, I think it averages out. If you have somebody who's consistently underachieving, whether because they maybe aren't up to skill with live hacking events or are just not trying, then you can start to see those out over the course of time. But I don't know. The amount of fun I have with
with Bug Bounty events and the value I get just being a part of the community is worth the couple of live events where maybe I lose a few thousand dollars due to just over contributing. I think another part of it is it's really, really hard to quantify the value.
Justin Gardner (@rhynorater) (13:36.422)
Lay it on us, man.
Joel Margolis (teknogeek) (13:38.062)
Hehehe
D Day (13:41.837)
It's really hard to quantify the value that collaboration brings. There's been a number of times where I've been collaborating with someone who didn't submit, who themselves didn't submit a lot of bugs. But I, all of my bugs were because of a something that they, that they sent in Discord or Slack or whatever. You know, maybe they were like looking, maybe they were looking at some domain that I didn't realize was in scope. And then because they were looking at that domain, I found a link to another domain, which was super vulnerable. And I submitted tons of bugs on that. And it's like...
Justin Gardner (@rhynorater) (13:59.705)
Right, right.
Joel Margolis (teknogeek) (14:00.267)
Yeah.
Justin Gardner (@rhynorater) (14:08.524)
Mm-hmm.
D Day (14:10.401)
Okay, I'm the one that found all these bugs, but would I have found it? I don't know. And so it's real hard to quantify how much just being a part of the collaboration process adds to the team. And so maybe I'll figure out a way to add a dollar value to it, but I haven't reached that point yet.
Joel Margolis (teknogeek) (14:16.194)
Yeah.
Joel Margolis (teknogeek) (14:27.06)
Yeah.
Joel Margolis (teknogeek) (14:32.394)
Yeah, I've really noticed that a lot with like, so when, when events first went virtual, um, after in person, it was very difficult, I feel like, at least for me to like try and get that sense of like collaboration that you get at events. And I think a lot of it boils down to what you were talking about there, where it's not so much like that person submitted so many bugs or whatever. It's that the combined brain power of the people in the room.
is working towards like a singular goal. And so if you have five people looking at the same thing, there's so many more minds and threads thinking about that bug and how to be creative with it at the same time that make it so much easier to find impactful vulnerabilities when you're working as a group. And there's not an easy way to like measure that, right? Like you said, like just because they didn't submit a vulnerability doesn't mean that they didn't contribute significantly to that vulnerability. Just if you know,
Justin Gardner (@rhynorater) (15:05.754)
Mm-hmm.
D Day (15:11.577)
Yep. Absolutely.
Justin Gardner (@rhynorater) (15:22.727)
Mm-hmm. Yeah.
Joel Margolis (teknogeek) (15:23.886)
they're a collaborator on or whatever, that doesn't really get accounted for super well. And so I think like that whole aspect of it is very interesting. I'm curious, especially it seems like a lot of the people you work with are not people who are local to you. So are there certain things that you do when you're collaborating to help aid with that collaboration? I know for Justin and I it was very helpful for us to basically just be in a call all day, like all day, every day while we were hacking together. And that, yeah.
Justin Gardner (@rhynorater) (15:52.263)
12 hour Discord call.
Joel Margolis (teknogeek) (15:54.826)
Yeah, and that basically created sort of that same environment where you're next to each other, kind of. You're both looking at the same thing. You're both... Your minds are working on the same thing together. That type of stuff. Do you have any tricks that you use?
Justin Gardner (@rhynorater) (15:59.911)
Mmm.
D Day (16:07.781)
Yeah, so I also do video calls, video calls or audio calls. And it's so nice just to set one up, even if you're not talking that whole time, just to be like, oh, wait, I think I found something. And then the other person can kind of sidetrack what they're working on and help you just decide whether or not it's like a true positive or a false positive. And sometimes it's not, and you just go back to working. But just having that sort of desk buddy just on the other side of the screen is super, super helpful. And that's been where we've found some of our.
Justin Gardner (@rhynorater) (16:34.596)
Mm.
D Day (16:37.653)
some of our coolest bugs when we were just working together on a Zoom call and then someone found something that was interesting and then we all just kind of dog piled on it and then boom.
Justin Gardner (@rhynorater) (16:47.656)
So I think I may sound a little bit like a negative Nancy with collaboration. I love collaboration, I really do. But here's the other thing with that, right? And I don't always mean to be bringing up the cons, but I gotta do it. So in those situations, Joel and I, we were pair hacking, pretty much, during this live hacking event, by the nature of what the target was and the way we were doing it. So it wasn't the two of us going down and looking at...
Joel Margolis (teknogeek) (16:52.194)
Hehehehe
D Day (17:05.264)
Mm-hmm.
Justin Gardner (@rhynorater) (17:14.424)
you know, different routes and that sort of thing. And then comparing notes, it was both of us looking at one screen saying, okay, what if we did this? What if we did that? You know, that sort of thing. And it worked out great. But in the past, I've done the route that you guys sort of just described of like both being on a video call, working on your own things, and then pulling people in when you need them. And it really, I guess it just depends on the person, right? But like sometimes you get that person that's like, hey, look at this, every like five minutes, right? And it's like...
D Day (17:42.616)
Oh yeah.
Justin Gardner (@rhynorater) (17:43.552)
Like, I can't think because as soon as I get in my flow state, you know, it's, I can't, you know, I get pulled out and pulled into something else. So I feel like I'm more becoming like a support hacker rather than, you know, somebody who's trying to find his own bugs. So I mean, I guess, I don't know if I want to put you on the spot and say like, have you ever experienced that with, you know, the people you've collaborated with, but what's your thoughts on the way we could deal with that collaboration little?
Miss out.
D Day (18:14.489)
Yeah, so I mean that does happen to me. I think I don't think either way is wrong or right. I think that I've been in, there have been times where I've been like in a flow state and like maybe like res0 has been just kind of like taking a more like wide scope and be like oh this thing's interesting and you know just slaps in like a fuzz or a ffuf result into Discord you know something that's not even an application but might look interesting and I'll be like okay I'll
Justin Gardner (@rhynorater) (18:16.901)
Mm-hmm.
Justin Gardner (@rhynorater) (18:27.202)
Mm-hmm.
Mm-hmm.
Justin Gardner (@rhynorater) (18:35.593)
Mm-hmm.
Yeah.
Mm-hmm.
D Day (18:43.605)
I'll just have to be like, okay, I'm gonna, you know, mute, I wanna hop off the call for 20 minutes, 30 minutes, whatever, while I dig into this. Or, and he, I guess we've worked together enough that he can kind of know when I'm in a, like I'm focused on a bug and maybe it's just kind of having that relationship where he doesn't take offense if I'm like, okay, I need to focus on this. And then he'll usually be like, yeah, you focus on that, I'll dig deeper.
Justin Gardner (@rhynorater) (18:49.024)
Mm, mm.
Justin Gardner (@rhynorater) (18:54.489)
Mmm.
Justin Gardner (@rhynorater) (19:00.25)
Mm.
Mm.
D Day (19:12.301)
And, uh, no, it hasn't. I could see it. I could see it becoming like a problem if I was working with someone I hadn't worked with before and I didn't have that rapport and respect to be able to kindly, but, uh, reasonably be like, I need to, I need to focus for, for a few minutes.
Justin Gardner (@rhynorater) (19:12.474)
Yeah.
Justin Gardner (@rhynorater) (19:20.213)
Mm.
Justin Gardner (@rhynorater) (19:29.429)
Yeah, it sounds like good boundaries in hacking, right? You're saying, okay, you know what, at the end of the day.
I think this is counterproductive right now. So I'm going to say, Hey, I'm going to mute this channel for five minutes, you know, while everyone's doing the recon dump or, or I'm going to hop off this call and just like put on some, you know, whatever alpha neural beats or whatever those are that like makes your brain go into focus mode and that sort of thing. And then, you know, you can, you can make it happen as long as you're communicating well with your, with your collaborators. So I don't know, man, maybe I just wasn't, maybe I just wasn't, you know, my communication game wasn't on fleek in the past.
Joel Margolis (teknogeek) (19:36.538)
Thank you.
D Day (20:06.249)
Well, again, I don't think there's a right or wrong way to do it. I'm actually entertaining the idea of trying the next several events, just solo, to see what I can do. Because I think there's several ways to do collab. There's the collab that I do, that I usually do, which is just full-on team collab, split everything, which is going to act as a unit. But then there's people like, I think the way you sort of do collab and the way like
Joel Margolis (teknogeek) (20:06.489)
Bye.
Justin Gardner (@rhynorater) (20:15.556)
Hmm.
Justin Gardner (@rhynorater) (20:24.274)
Mmm.
Justin Gardner (@rhynorater) (20:34.309)
Mm-hmm.
D Day (20:35.085)
you know, go solo and then if you need help on a specific thing, pull in somebody. And that's potentially a way to go. There's also hackers like I can't think of anybody in particular that are just radio silent and no one knows what they're hacking on and then they come to the event with you know, 40 criticals and you're like where were you hacking this whole event? So maybe that's a fun way to try out. I don't know. I'm not, I know I've kind of got this
Joel Margolis (teknogeek) (20:49.74)
Yeah.
Justin Gardner (@rhynorater) (20:54.521)
Yeah.
D Day (21:04.733)
this reputation of being a full team collaborator, but I'm open to trying other things and I might do something new this year, or this upcoming year. So we'll see.
Justin Gardner (@rhynorater) (21:11.811)
Mm.
Joel Margolis (teknogeek) (21:18.438)
Yeah, I mean, it's really interesting to hear both sides, but I think for Justin, especially, it's a little bit different because you do this full-time for your main income. This is your full-time living. So the whole money-splitting aspect is a little bit different. And I think what I've found over the years of doing collaboration is one of the best ways you can do collaborations is just be explicit about whether or not you're working together on something. It's fine to work in the same space and bounce ideas off each other or throw interesting things in the chat.
Justin Gardner (@rhynorater) (21:29.176)
Mm-hmm. Right.
Justin Gardner (@rhynorater) (21:44.316)
Mm.
Joel Margolis (teknogeek) (21:47.402)
But if somebody like dives into a hole, like, you know, unless they're, yeah, unless they're asking for help, like, yeah, you can maybe insert yourself in there. But unless they're like kind of like it's open ended, like, you know, that's kind of their bug. Right. And then on the other side of it, it's like you can ask me like, hey, do you want to dive in on this together? Like, this is pretty interesting. Come take a look at this. And like then you know, I think that's fair game for you guys to like count that as like working together on something. But otherwise, I think there is still like that.
Justin Gardner (@rhynorater) (21:51.873)
As I do. Ha ha ha.
Justin Gardner (@rhynorater) (22:01.53)
Mm-hmm.
Justin Gardner (@rhynorater) (22:06.376)
Mm-hmm.
Joel Margolis (teknogeek) (22:17.138)
sense of like working together. There's like a whole concept of this for ADHD, where I think it's, I forget what it's called specifically, but it's like buddy, like working with a buddy. And just like simply the presence of someone else doing work at the same time as you are helps you be more productive, because you feel like you're like doing stuff together and like there's more judgment if you're like not on task and all that kind of stuff. And so that aspect of literally just like being in a video call, even if you're not working together, I think adds a lot.
Justin Gardner (@rhynorater) (22:31.043)
Mmm.
Yeah.
Joel Margolis (teknogeek) (22:45.314)
to the productivity and the ability to work together and have those collaboration moments, even if you're not explicitly working together all the time on everything.
Justin Gardner (@rhynorater) (22:53.64)
Mm.
D Day (22:54.833)
Yeah, I can totally see that. And I do want to sort of plus one what you said about, I think it depends on your stage of life and how you treat Bug Bounty. For me, as somebody with a full-time job, Bug Bounty money is kind of like monopoly money at this point, it just feels like prizes and it's cool. Whereas if it was what I was buying my groceries with or buying my podcasting equipment with, then it would feel...
Justin Gardner (@rhynorater) (23:14.544)
Mm-hmm.
Justin Gardner (@rhynorater) (23:22.882)
Hahaha
Joel Margolis (teknogeek) (23:23.662)
Hehehe
D Day (23:24.481)
it would feel I would probably be much more conscientious of how it was how it was split and spent.
Justin Gardner (@rhynorater) (23:32.652)
Yeah, yeah. And because of that, you know, when I've done collabs in the past, I've been like, Hey, especially with hackers, I respect like Joel, I've been like, Hey, you know, I'd like to collab. I'd even potentially be down to do a full split collab. But we have to be putting in similar time investments because if I'm putting in 50, 60 hours a week and you know, you're putting in 15 to 20, because you've got a full-time job.
and I'm not gonna blame you for not putting in 50, 60 hours a week when you got a full-time job, then that's not gonna even out very well. And so I've always just kind of been explicit with people. And I do like the approach as well of having, here I am again, bringing the negative Nancy shit up, but the chat where you throw interesting stuff in and stuff like that, but here's the problem with that for me, right, is that
Let's say I find an endpoint and I fully exploit that endpoint. Right? And I had like maybe dropped it in the chat, but no one's around and then they hadn't seen it. And then I go back and I was like, oh, I fully exploited it, right? But then that time somebody else on the team had seen it. And now I'm sort of, you know, they say, okay, how's that going? And it's like, oh, I popped it, I'm good. You know, right? Now I've sort of robbed them of the opportunity.
to exploit that endpoint had they found it themselves. So this information trading thing is really, really tricky. And like you said, you don't have to be, when you're doing this for fun, which some of us are, even though it's big dollars, it's not as intense. But when you're doing this professionally and you're a professional live hacking event competitor, then these things get a little bit dicier.
Joel Margolis (teknogeek) (25:03.458)
Yeah.
Justin Gardner (@rhynorater) (25:25.133)
So, I mean, what do you guys think about that? Do you think I'm being a little too uptight about that or what?
D Day (25:30.403)
No.
Joel Margolis (teknogeek) (25:30.67)
I mean, it's really case by case, right? Like, there are so many edge cases that are really difficult, and I think just having good communication in those moments and just being... The conversation's not gonna be necessarily fun because it's kind of about money and it's a little bit sensitive and all that kind of stuff, but I think just being upfront and honest and trying to meet in the middle somewhere, like wherever it makes sense, not necessarily in the middle, but wherever it makes sense, then I think that that's...
Justin Gardner (@rhynorater) (25:45.008)
Mm-hmm.
Justin Gardner (@rhynorater) (25:48.197)
Mm-hmm.
Justin Gardner (@rhynorater) (25:57.561)
Mm-hmm.
Joel Margolis (teknogeek) (26:00.086)
You know, just go in with best intent and... Yeah.
Justin Gardner (@rhynorater) (26:03.064)
Yeah, what do you think Douglas?
D Day (26:05.241)
So a bit tangential, but one thing that I found that works outside of the context of live events is doing scope splitting. So to give you an example, a couple of months back I was in a private HackerOne challenge for the Department of Defense with Res0.
And I had been going really, really hard. I got invited a couple days before he did, and I had been going really hard on one particular application out of the entire scope. And he joins and we want to collab together. And I'm like, look, man, I already tore asset A up entirely. I'm happy to collab with you. You've already started working on asset B. I'm happy to collaborate with you. How about we just, you stay off of asset A, I'll stay off of asset B, because you're already starting to go down that drain. And then everything else, we split.
And it ended up working pretty well. I felt like I was able to tear up my scope item that I had already gone very deep on and I got to know. And then he was able to do the same with some of his scope, although he got a bit of a later start than I did. And then we split everything else and it was very lucrative for both of us.
Justin Gardner (@rhynorater) (27:00.154)
Mmm.
Justin Gardner (@rhynorater) (27:20.999)
Mm.
Justin Gardner (@rhynorater) (27:26.048)
Yeah, and that saves him time too, because he's not going and duping at you on asset A. When we're not in the live hacking event scene, the collaboration thing is very different, because at the end of the day, whoever submits the report gets the bounty. And so in those sort of situations, it's a little bit easier. But the split scope thing, I think that's a good shot, and I think it can definitely work in some scenarios.
D Day (27:29.285)
Yes, yes, yep.
Joel Margolis (teknogeek) (27:52.75)
Cool. Okay. That's collabing. I feel like we've covered that. So I did want... Hold on.
Justin Gardner (@rhynorater) (27:56.86)
No, no, no
D Day (27:58.01)
Yeah.
Joel Margolis (teknogeek) (28:04.534)
I know, I know, but if I let you keep going, we're gonna spend an hour talking about collabing. So we do wanna talk to Douglas about a couple other things. And one of those things is this tweet thread that you did. I think this is just March or May, May of this year? Yeah, so you had this, yeah, it was called 100 very short bug bounty rules. And it's basically just a thread. I don't know if this was a brain dump or if you had pre-planned this. Maybe you could tell us a little bit about how you came up with this,
Justin Gardner (@rhynorater) (28:09.692)
Thanks for watching!
Okay, alright.
Justin Gardner (@rhynorater) (28:18.076)
Mmm. Yeah, this is great.
D Day (28:20.604)
Yeah, I think a few months ago.
Joel Margolis (teknogeek) (28:33.322)
I think it's a great concept and it was basically just like a list of a hundred things that you should sort of probably be doing when you're doing bug bounty. And these are, these range from little tidbits of you should use Burp Suite Pro to really in-depth stuff. Like, so why don't you walk us through a little bit about what sort of spurred you to do this and what the process was like and all that.
Justin Gardner (@rhynorater) (28:51.356)
It's gold.
D Day (28:58.295)
Yeah. So, kind of a funny story there. So I'm a fan of this stoic author, Ryan Holiday. I've been reading his stuff for a few years, and he had put out this like hundred very short stoic rules for life, and it was a great thread. I think I liked it, and we tweeted it, whatever. And then RezZeroJoseph decided, like I guess he follows him as well, and then made some like...
like a mirror tweet and it was like 10 very short bug bounty rules. And I was so like frustrated that yeah, that he only did 10. And I'm like, come on, if you're going to copy something like as beautiful as this, it, it needs to be done like the right way. And so like out of spite, I was just like, no, I'm going to do a hundred just to show you that it can be done. And so I think I spent like, I didn't use like ChatGPT or anything. I just spent probably like 90 minutes, um, in the like late afternoon, just like.
Justin Gardner (@rhynorater) (29:29.968)
What a scrub.
Joel Margolis (teknogeek) (29:32.078)
10, only 10.
Justin Gardner (@rhynorater) (29:41.404)
Ha ha ha ha.
Joel Margolis (teknogeek) (29:43.158)
Haha
Justin Gardner (@rhynorater) (29:51.201)
Oh, oof.
D Day (29:53.785)
typing them up as fast as I could. And I tried to have a mix of more philosophical, behavioral tips as well as technical tips because not everyone wants just to have your, don't stop trying or if you're having a hard time, just take a break. That kind of gets tried and exhausting. But also coming up with 100 technical bug bounty tips would be extremely difficult.
Justin Gardner (@rhynorater) (29:54.924)
Mm-hmm.
D Day (30:21.273)
Also, my AirPods are going to die the same time I switch to my MacBook speakers or MacBook Mac.
Justin Gardner (@rhynorater) (30:25.172)
You're good. If that's the, if that's the case, we can, we can cut the audio and reset it back up. But I really enjoyed this, this whole long tweet. And I appreciate also that you did a hundred of them because like, I don't know.
D Day (30:36.049)
Mm-hmm.
Justin Gardner (@rhynorater) (30:38.048)
I haven't done much content creating before I started this podcast. And then I've started doing some content stuff since then. It's freaking hard, my dude. It is very challenging to come up with all the content and stuff like that you need to run a successful, to do a good tweet that gets good takeoff with the community and stuff like that. So I definitely appreciate this. But I had a couple of questions about some of these that I wanted to kind of dive into. So
D Day (31:03.429)
Sure, yep. Yep, let's do it.
Justin Gardner (@rhynorater) (31:07.364)
All right, so number one, starting off right at the very beginning, it's a very good place to start. You say spend at least 30 minutes on a new target, okay? And then you say later on, give yourself a no-bug time limit. This is on item number 15. Give yourself a no-bug time limit.
I do three hours. So for me, I'm one of those people that it takes me a little bit more time to start finding bugs on an application normally. So I'm wondering how you reconcile these two and what that first 30 minutes looks like versus the first three hours.
D Day (31:34.449)
Mm-hmm.
D Day (31:40.933)
Yep, yeah, so the first 30 minutes, I kind of go into this on my home sec talk, but I basically go, assuming it's a SaaS application, which is where I spend most of my time, I go straight to user management and I look, okay, how many different types of users are there? Is there like just like two? If that's the case, then there's probably not going to be as many bugs that sort of fit my flavor. Or are there custom roles where you can make a, have like an entire like matrix of, okay, this user.
Justin Gardner (@rhynorater) (31:57.242)
Mm-hmm.
D Day (32:07.653)
You can give them this permission but not this permission. And then you can have an admin role that has every single permission except for this permission. And then just like the more complicated the role structure, the more confident I'm going to be that there's going to be bugs. So first 30 minutes goes straight to user management and especially like the user invite flow because that's where I find most of my criticals and higher severity bugs. Like if I can invite myself to someone else's organization.
Justin Gardner (@rhynorater) (32:14.021)
Mm-hmm.
D Day (32:35.65)
It's been critical. If I can invite myself as another user, but who has higher permissions, it's like, okay, that's at least a high.
Justin Gardner (@rhynorater) (32:36.752)
Mm-hmm.
Justin Gardner (@rhynorater) (32:46.071)
So a lot of your methodology, and I believe I even saw it in that tweet, but a lot of your methodology is built around.
uh, this whole piece of user auth matrices and like, you know, or organization and stuff like that. And I think that's really good. And I think that's awesome to have a bread and butter like that. And certainly I think in the last live hacking, I guess, the last one that I really participated in, um, in London, you know, I saw your, some of your brilliance with that, right? With your, the way you get the apps fully configured and the way you kind of come up with these really crazy attack scenarios. And I really appreciated that.
but I'm wondering how you approach applications that don't have this. So in that first 30 minutes, would you say, if you came to an application that doesn't have user roles and stuff like that, are you moving along to and checking all the other targets before you come back?
D Day (33:41.317)
Probably. I think it also depends on how complex the application is. I think my other sort of type of bug is business logic errors. And so maybe it's an application where there's going to be lots of bugs having to do with just bypassing logic that's very unique to that application. Maybe it's a...
Justin Gardner (@rhynorater) (33:42.888)
Mm, okay.
Justin Gardner (@rhynorater) (33:52.279)
Mm-hmm.
Justin Gardner (@rhynorater) (34:02.066)
Mm.
D Day (34:03.449)
For example, I think you tweeted about this not too long ago, but maybe it's an application that has lots of levels of subscriptions. And so that's lots of opportunities for paywall bypasses. Like if you can make a business-level subscription, which gives you access to features ABC, but then also an enterprise-level application, which gives you access to features XYZ, then I try to, as a free trial, can I get...
Justin Gardner (@rhynorater) (34:09.753)
Mm-hmm.
Yeah.
D Day (34:29.185)
access to business level. As a business level, can I get access to enterprise level features? And then oftentimes, if the program is very good, every single feature that I can get access to is a separate bug, especially if I can find one where the paywall is actually enforced, because then I have evidence that it wouldn't be a single fix. Like, for example, if I can...
Justin Gardner (@rhynorater) (34:42.224)
Hmm.
D Day (34:54.465)
If as a business level user, I can't get access to Enterprise Feature X, but I can get access to Enterprise Features Y and Z, it's like, okay, Y and Z are going to be separate bugs because if they're the same bug, then I wouldn't be able to, then I should also be able to get access to X, but I can't. Yeah. So, Business Logic and, or yeah, Business Logic bugs are kind of my second go-to after user authorization bugs.
Justin Gardner (@rhynorater) (35:01.573)
Mm-hmm.
Justin Gardner (@rhynorater) (35:05.968)
share.
Justin Gardner (@rhynorater) (35:10.156)
access X. Nice.
Joel Margolis (teknogeek) (35:22.798)
Nice. That's really cool. So we, I mean, I don't want to go through like all of these, so maybe this is a good time to talk a little bit about methodology since we're kind of already on that on that route. So can you walk us through sort of how you approach a new target? Because you're always hacking and like I think it's really impressive to see how quickly you hop onto a program or are able to just like find bugs and navigate it and get it mapped out super quickly. So how what's sort of what's your.
Justin Gardner (@rhynorater) (35:39.462)
Mm.
Justin Gardner (@rhynorater) (35:47.437)
Yeah.
D Day (35:49.105)
Thank you.
Joel Margolis (teknogeek) (35:51.946)
approach, like what's your general approach look like?
D Day (35:54.989)
Yeah, so one of my secrets is that I actually spend a lot of time on very small programs. I think it's kind of, there's a lot of hackers that go after those really, really big ones like Shopify or I'm trying to think of public programs that I can talk about, PayPal, GitHub, you know, these large programs that pay very large, large criticals and large mediums and large highs. But I'd say...
Justin Gardner (@rhynorater) (36:05.526)
Mm-hmm.
D Day (36:20.857)
maybe like over 50% of my bugs are on programs that offer like $500 mediums and $1,000 highs. And I just find a lot of them and I kind of churn through smaller programs. And every once in a while I find a really good program that's very high paying and I'll spend a long time there and kind of become an anchor hacker there. But I've got a, I think if you look, I think HackerOne has the ability to show you your average bounty.
Justin Gardner (@rhynorater) (36:27.364)
Wow.
Justin Gardner (@rhynorater) (36:47.964)
Mm.
D Day (36:48.037)
And my average bounty is only like $700. And so I submit a lot of $500 mediums and a lot of $1,000 highs. And those are over a huge spread of programs. You know, I'm not, I think I was talking to some hackers a while back and they're like, yeah, I've probably submitted bugs to 30 or so different programs. I think I'm close to like two or 300 different programs that I've.
Justin Gardner (@rhynorater) (36:51.377)
Mm.
Justin Gardner (@rhynorater) (36:56.644)
Mm.
D Day (37:17.465)
I've submitted bugs to. Yeah, just because I just spent time on the small ones, and I just kind of churned through the files, submit one or two, and move on. So maybe I'm taking the quick and easy route, but it's been working well.
Justin Gardner (@rhynorater) (37:18.256)
Wow, that's nuts.
Justin Gardner (@rhynorater) (37:34.64)
Wow, that's really cool. So I guess that, you know, with moving so quickly, you know, you've got this three hour time limit, you get to the end of that three hours. Let's say you haven't found anything. Is that a hard stop for you normally or?
Joel Margolis (teknogeek) (37:35.062)
super interesting.
D Day (37:50.921)
Usually, and I say three hours, and in my tweet I said three hours, if it's a smaller program and a smaller scope, it's not going to be three hours. You know, if it's a WordPress site, I'm not going to spend three hours trying to break a WordPress site. But like, on the most complicated application, yeah, if I get to three hours, I should backtrack and say outside of the context of a live event where I am being paid and asked to spend time on one particular program. It's like, okay.
Justin Gardner (@rhynorater) (37:53.008)
Wow, that's crazy.
Justin Gardner (@rhynorater) (38:03.053)
Right, of course, yeah.
Justin Gardner (@rhynorater) (38:16.092)
Mm-hmm. Right. Mm.
D Day (38:21.041)
If I get to three hours and I haven't found anything, I'm usually not going to find something unless I put in another ten. At that point I finally might be able to start finding things. But like I said, I go through a lot of small programs and so if I haven't found anything after three hours, I'd rather move on to a smaller program where I can find something in an hour. It just keeps me motivated.
Justin Gardner (@rhynorater) (38:45.028)
Wow. That's absolutely crazy to me, Leanne. I spend so much more time on an actual target before I move along. I probably will spend 20 hours, maybe three, four hacking sessions on a target without finding a bug if I think this is a high-value target. But I guess I will say, I do typically go for the programs with the higher payouts, though. So that's really impressive to me that you're able to find.
D Day (39:08.465)
Yep.
Justin Gardner (@rhynorater) (39:11.568)
bugs that, you know, in that three hours. And Joel, I mean, do you, I mean, where do you lie in that? In that, I'm curious.
Joel Margolis (teknogeek) (39:18.99)
Well, I was gonna ask two questions about that. So for me, I'm like kind of in the middle on that where I'll spend a decent amount of time hacking and I try to identify attack surface and decide sort of as I'm going whether or not this attack surface is something that I wanna spend a ton of time on because if it's something that seems small, like, I don't know. If I'm hacking on something and it's just one GraphQL API endpoint and it's not a particularly large GraphQL and
Justin Gardner (@rhynorater) (39:22.076)
Uh-huh.
Justin Gardner (@rhynorater) (39:33.096)
Mm.
Mm-hmm.
Joel Margolis (teknogeek) (39:48.626)
I start poking at it and I don't see any real red flags. Yeah, I'm sure there's probably some bugs hidden in there, but I'm not sure how much more time I'm gonna go spend on that program if I see that they have systemic security measures that aren't like, yeah, they, I'm sure there are, again, areas where it's not, you know, perfectly airtight, but that is not necessary. Like if I wanna make a, you know, farmer program or something like, and I see something that's secured, I'm not gonna spend a bunch more time on that because I wanna make some money. I wanna optimize my time there.
Justin Gardner (@rhynorater) (39:56.997)
Mm.
Joel Margolis (teknogeek) (40:18.866)
I was curious, if you spend whatever your time limit on a program and then you find nothing and you hit your no bug limit, what comes next? Say you've been hacking for, you just started, you spent three hours, you've been going for three hours, you found nothing, you just hit your no bug limit. What do you do for the rest of the day? Do you just stop hacking or what? Do you have a backup plan?
D Day (40:41.061)
I mean, if it's in one day, I usually will all stop. I rear, outside of the context of a live event where I'm basically treating Bug Bounty as a full-time job, I'll stop for the day. I can't hack for more than three hours in one day, unless I happen to start in the morning and then I have some time seven hours later in the evening. I'm not gonna...
Justin Gardner (@rhynorater) (41:04.122)
Mm-mm.
Joel Margolis (teknogeek) (41:04.31)
Justin's making a face like, I can't hack for less than three hours.
Justin Gardner (@rhynorater) (41:07.537)
Are you freaking kidding me right now, dude? Like, are you telling me that you never, you very rarely hack for longer than three hour contiguous periods? Oh my God, how do you even, oh my gosh.
D Day (41:09.689)
Yeah.
D Day (41:17.689)
Yeah, that's pretty... I get so tired.
My eyes hurt, man.
Joel Margolis (teknogeek) (41:24.6)
I
Justin Gardner (@rhynorater) (41:26.224)
Dude, this guy's a beast. This guy is an absolute beast. I could never, I would never find anything.
Joel Margolis (teknogeek) (41:28.27)
That's crazy.
D Day (41:30.013)
I feel like...
Oh, okay, well.
Joel Margolis (teknogeek) (41:33.378)
So the other thing I wanted to ask was, like you mentioned that, except for like, for live hacking events, like you'd normally have like a no bug limit and then you stop hacking or move on or whatever. What does that look like for a live hacking event in terms of success rate? Do you find that it's better to spend the time and just keep pushing on that target, even if you pass your no bug limit? Or do you find better success?
D Day (42:00.653)
So I, yes, in a live hacking event. I think that the targets are much deeper and the payouts are much higher than my typical 3k crit programs and so yeah, I'll spend, I'll spend a lot more time. Like for example if it's, you know, like there was an event in Austin last year and it was, it was on, it was GitHub, you know, and it took me like three hours just to get GitHub Enterprise Server set up.
Justin Gardner (@rhynorater) (42:22.672)
Mm-hmm.
D Day (42:29.853)
It's like, okay, so... And so I'm going to spend more time in the context of a live hacking event where there's much higher payouts and much deeper complex applications. But live hacking events are only a small portion of the year. And so the rest of the year, I'm just trying to maximize my time, like you were talking about Joel, and just kind of churn through programs and find the best...
Justin Gardner (@rhynorater) (42:29.956)
Yeah. Hahaha. Yup. Hahaha.
Joel Margolis (teknogeek) (42:31.746)
Yeah, yeah easily
D Day (42:59.889)
time for money balance.
Justin Gardner (@rhynorater) (43:03.28)
Wow, that's really cool. I definitely have not done very much program churning, and I've got 500 freaking invites sitting there that I've never even looked at. So I feel like maybe I should go through and just hit them real fast, maybe even bring it down to like, well actually, you said 30 minutes, even for the first initial assessment, so maybe I'll hit them 30 minutes, 30 minutes, 30 minutes, 30 minutes, and see if they've got some interesting features, and especially when you've got those programs
D Day (43:10.958)
EEE
Justin Gardner (@rhynorater) (43:33.188)
5K crits, or 6K or 7K, those are not your big 40K crits or whatever from some of these other programs, but they still are pretty good. And so I think there's definitely some really good monetary opportunity for those programs, especially for someone like me who's a full-time hunter. Okay, so let's go back to the tweet. Next one that I wanted to talk about, and this kind of ties in.
D Day (43:56.741)
Right.
Justin Gardner (@rhynorater) (44:01.644)
was the match and replace rules. You say quote 13, use match and replace rules to find new endpoints. Now, I use match and replace rules for lots of things. I think a lot of the top hackers do. And I'm wondering how, I'm interested by the fact that you said to find new endpoints. So could you tell me exactly how that works for you?
D Day (44:22.373)
Yep, are you still able to hear me? Cause I think my AirPods died.
Justin Gardner (@rhynorater) (44:27.028)
Uh, yeah, let's see here. We are able to hear you, but it is different. So I'm going to see.
Joel Margolis (teknogeek) (44:32.726)
Yeah. Let's mark the time and then we'll do a cut here.
Justin Gardner (@rhynorater) (44:36.58)
Yeah. Do you have other AirPods? Like does your wife have AirPods? Cause they were substantially better than this mic.
D Day (44:45.557)
Uh, no.
Justin Gardner (@rhynorater) (44:46.84)
Okay. That's okay. It's
Joel Margolis (teknogeek) (44:49.526)
Which mic is it using right now? Is it using like webcam mic or something?
Justin Gardner (@rhynorater) (44:57.093)
We can't hear you.
Joel Margolis (teknogeek) (44:57.238)
You just totally cut out.
D Day (45:00.483)
I'm using my earbuds but it is it's I had to switch which audio device was coming through.
Justin Gardner (@rhynorater) (45:11.524)
Alright, I'm gonna go ahead and cut it, and then I think we'll try to figure something out.
Joel Margolis (teknogeek) (45:15.414)
Yeah, we can do this.
Justin Gardner (@rhynorater) (45:17.092)
Okay.
Hacker, Puzzler, Philosopher