26 (edited by jack 2018-07-08 17:06:17)

Ok, well I can't speak for Ethin, but thank you for clarifying your position on taxes, that does help. Now, it's hard to administrate? Ok, then get more admins, I'm sure there are plenty of folks who wouldn't mind helping. We never asked for content id or anything of that sort, but for your sake and everyone's you just gotta have a terms of service. I've written them before, I'd be more than willing to write one, even a short one, for anyaudio if you need someone to handle that.

I'm the only adventure at c: master hahahaha I have unlocked just about everything!

Thumbs up

27

@Sam_Tupy, ah, don't you love just bringing up the past? Nice way to ruin your own argument. How do I know you're not telling the truth that communications between PayPal and your site are encrypted? Hmmm... perhaps because number one, your site does not support SSL (if you go to https://samtupy.com, you get a browser error; the same applies to anyaudio), and therefore, number two means that a PayPal transaction ID and other such is going from a secure connection to an insecure one. That's bad because an attacker can sniff the transaction ID (and if any sensitive data happens to be transmitted) as soon as the connection leaves the secure gateway. Furthermore, I doubt you use MySQL, especially considering you store information from payments in text files for your games to retrieve. As for the taxes thing, again, I found that doubtful; I doubt you thought of it until I posted that you were probably not paying your taxes. Here's the thing, Sam, and we've all tried telling you this: just because you think that something is hard to administrate does not mean that that's an excuse for you to not have a terms of service. There are many generators out there you can use until you can pay for a professionally written document by a lawyer. You also need a privacy policy -- again something I've tried to tell you and something you've ignored! So, if it's about who's discrediting whom, it would be you, not me, because unlike you, it seems, I've actually researched this thing.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

28 (edited by pauliyobo 2018-07-08 20:01:19)

@post 26:
Even though, there's a difference between wanting to help, and being able to handle an administration.

If you want to get in touch with me you can follow me on Twitter
have a nice day.
Paul

Thumbs up

29

Put the call out there saying you need help, but do it in an application process you design first, or people would be all over it and you'd get all sorts of undesirables. But, to be honest, it doesn't seem like you really care about the site. There are almost no updates, no feature additions even since its inception. A few things that annoy me is the search thing taking focus on page load, that's just uncalled for. If I want to search, I'll get there myself. I've only used the thing maybe 5 times in two years. Also the comments are in the wrong direction, if you want to follow a convo, you need to jump to the edit box and start up arrowing, that's just weird lol. The page thing is cool, that was like a finally moment. Also in comments when writing them, the box is hardly long enough and maybe three or four words fit on a line, so you have to do a say all.

I'm a cat! What's mine is mine, and what's yours is mine to :P XD

Thumbs up

30

And for the next round of coffee spilling Ethonic stupidity...
Again, it lands upon the shoulders of those who possess more advanced technical expertise to make some corrections. I literally see no validity in the above posts.

1. How does bringing up the past invalidate an argument? In fact, it serves to strengthen it. Ever heard the saying history repeats itself? Unless there are drastic changes, your flawed logic and insistence would lead one to believe you're just repeating yourself.
2. I don't see a reason for anyaudio/samtupy.com to use SSL. Sure it could be nice, but I see no legit security implications here. When making a payment, you are automatically redirected to paypal to enter info, which is in fact using HTTPS. Paypal transactions are securely handled serverside anyway, so even if an attacker was able to sniff packets they wouldn't get much. Please describe in detail how an attack could be performed in this manner.
3. Read post 25, according to him payment data is *not* stored in text documents. Proof please?
4. yet, read post 25 again. Sam clearly said he was using mysql. I quite frankly don't care if you believe it or not. Being one who has access to the code of anyaudio I can personally vouch for him. Also, if you do a simple nmap scan on anyaudio.net, mysql shows up as an open port. Of course not definitive proof, but I'd say that, along with the word of two with the code holds more weight than your clearly uneducated doubt, huh?

If this post has taught me anything, it's that your stupidity keeps showing up like a bad penny. I'd kindly suggest the following
1. GTFO
2. Do your homework
3. come back and write an educated technical post backing up your claims

Until you get some proof past what I can only interpret as the remains of a previous grudge, I'm done with this topic

You can follow me on twitter, @cartertemm

Thumbs up 0

31 (edited by Ethin 2018-07-08 23:56:43)

@30, I do know that mysql is an open port. That does not mean you use it. Just because a port is open does not mean it is used. As for reasons why HTTPS is better than HTTP... I should not have to explain why. After all, you, cartertem, the oh-so-knowledgeable security expert of the 21st century, you should already know... right? But, I guess you don't; check out https://www.brightlocal.com/2017/01/06/ … s-website, https://trevellyan.biz/why-your-website … d-of-http, https://www.entrepreneur.com/article/281633, and you can google the rest. I'll agree -- I'm no security expert either, so I'll shut down that little argument of yours before you can even type it. Really, the reasons why SSL should be used should be quite obvious, especially since for his website HTTP tracing is enabled. Of course, his PHP configuration is already available, giving a malicious user plenty of opportunities to do lots of damage. You say you have access to all his source code and can assert that he uses mysql... then mind telling me in vague terms what he uses it for? His website returns valid HTTP responses with junk HTTP methods, which for some browsers, if configured for security over accessibility, could generate false positives. If you go talk to a security expert about why you should use HTTPS vs. HTTP, and you explain your reasons why you feel HTTP is better, they'll shoot you down with a whole list of reasons why HTTPS should be used at all times.
Now, to answer your questions:
1. How does bringing up the past invalidate an argument? In fact, it serves to strengthen it. Ever heard the saying history repeats itself? Unless there are drastic changes, your flawed logic and insistence would lead one to believe you're just repeating yourself.
I personally find bringing up the past to justify your reasons (without, of course, a valid reason) dishonorable debating. If you want to argue about something, you should probably come armed and prepared whenever you post. Also, considering the fact that I haven't taken down his website since, your statement of "history repeats itself" is false, and will remain so.
2. I don't see a reason for anyaudio/samtupy.com to use SSL. Sure it could be nice, but I see no legit security implications here. When making a payment, you are automatically redirected to paypal to enter info, which is in fact using HTTPS. Paypal transactions are securely handled serverside anyway, so even if an attacker was able to sniff packets they wouldn't get much. Please describe in detail how an attack could be performed in this manner.
Again, I already described this in post 28; the main transaction is carried out through PayPal, which is secure, but PDT stuff is sent from a secure connection (i.e. PayPal) to an insecure connection, opening up a potential vulnerability for sniffing once it's left the encrypted connection. For anyaudio, this should be quite obvious: it would be possible to sniff usernames and passwords (even admin ones) since it's all over HTTP.
3. Read post 25, according to him payment data is *not* stored in text documents. Proof please?
Payments aren't stored in text documents? Bullshit. Tell me then how the server and client could exchange purchase IDs?
4. yet, read post 25 again. Sam clearly said he was using mysql. I quite frankly don't care if you believe it or not. Being one who has access to the code of anyaudio I can personally vouch for him. Also, if you do a simple nmap scan on anyaudio.net, mysql shows up as an open port. Of course not definitive proof, but I'd say that, along with the word of two with the code holds more weight than your clearly uneducated doubt, huh?
Again, I've explained my reasons already. Just because a port is open does not mean it's being used. That's like saying that if a mall's door is open that means it's fully manned, staffed, and full of business life and transactions (even though it just might happen to be empty). Since I'm supposedly uneducated in this department (even though I have taken a security class and am going into cybersecurity as a secondary degree in college), tell me, without researching it, do you know what XSS is? How about XST? Let's not forget that he's vulnerable to OSVDB-877, OSVDB-3092, OSVDB-3268, and OSVDB-3233. These vulnerability database IDs are a bit obscure, so I'll indicate them for you: OSVDB-877 indicates that HTTP tracing is enabled; OSVDB-3092 indicates a directory that is available that shouldn't be (though, in this case, it's /dev, so it should be fine), OSVDB-3268 indicates that directory indexing was enabled in a place it should not be, and OSVDB-3233 indicates a file was found that shouldn't be there. In the case of OSVDB-3268, this directory is /icons/, which contains apache's default icons, and for OSVDB-3233 indicates it found /icons/readme, which is a default apache file. And as for your insults, TBH, I really could care less what you think I should do. Your "thoughts" of what I should do (in particular the first one) show just how immature you are. "Ethonic stupidity"? My, my, what an ego you have! If you're going to post insults and bullshit, you might as well not post at all. I've told Sam (as have many others) to do particular things (i.e. get a terms-of-service and learn to actually administrate properly) but he never listens. Say hello to the guy who thinks he knows more than absolutely everyone else, even lawyers. If you look up "should I get a terms of service for my website?" on Google, you'll find plenty of reasons why you should. But Sam thinks he's above all the pros who are (yes) smarter than you, me, Sam, etc.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

32

Ok! Before the gravy train leaves sanity behind entirely, let me just say that I agree with Ethin. Carter, of course being a contributor to this whole thing probably felt the need to defend Sam on this whole thing, and stoop to the low that is personal degradation. Uneducated? Ethonic stupidity? Oh, and if you're gonna be Mister Toughguy, learn how to speel his name properly. Lol. You'd be surprised how many times you could get hacked even if you have your shit together. Punchback got hacked twice on our Debian Vultr server, and Finn Turner advised we go to BSD hence my teamtalk bsd topic from a while back, and thus switched us over. Never got hacked the short time it was up, *spoiler alert: the reason we took ourselves down is nothing to do with potential hacking, just so we're clear and no one tries playing that card.*
But I digress. My point is that if you don't take security seriously it is really gonna bite you in the ass. Getting hacked for us meant that ssh login was disabled as the firewall was put up, a routine deletion of all major packages, and of course our website data was destroyed. Yeah, wouldn't want that happening would you? Even local backups can't always be of much help..

I'm the only adventure at c: master hahahaha I have unlocked just about everything!

Thumbs up

33

@32, exactly my point. Security should always be one of your top concerns when running anything openly online.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

34

What carter is saying, is that there is nothing on my website that is worth encrypting. There is no reason to get an SSL Cert to secure the stw setup file. Not having SSL on this server will not make my website vulnerable, because there is no credit card and/or personal information being sent through. This is why I use paypal, because I don't get access to personal information. If I thought I could benefit the website by getting a cert, I totally would. But in a case where no secure data is being sent, why bother. I use mysql to store records of the audio uploaded to anyaudio. There are no payment details that I need to store in sql, because paypal doesn't really send much. Anyway, unless more false information pops up, I'll let you point out what you feel is wrong with my security if you want and whatevs, but the original point of this topic was because someone wanted to know what was wrong with the website, and then Ethin just popped in and stated that he wishes it to happen again, before starting the jabbing and the misinformation spreading. So anyway, peace

I am a web designer, and a game developer. If you wish see me at http://www.samtupy.com

Thumbs up

35

@34, again, you completely ignore the facts that I've stated earlier (i.e. your website is vulnerable to XSS and XST, and that your PHP configuration file is open to the world). This is not misinformation that I am spreading, Sam; this is practical security advice. I am telling you to do things that any security professional would tell you to do. It matters not that you don't store payment info on file, or what your site is doing; what matters is your users' protection, as well as protection of the data that is stored within. I'm going to be blunt and say that having your PHP.ini file open to the world clearly indicates, to most IT professionals and sysadmins, that you do not know how to configure Apache (or a web server in general). Like I said: I could care less what your site does. But what you should be caring about, no matter what, is the security of your server, its users and its data. Any IT professional, sysadmin, or security expert will tell you these things. If you keep ignoring these things it will come to bite you one of these days. Don't believe me? Just wait and see, then.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

36

It's come to bite me even when we were concerned about it ourselves, knowing that it's almost guaranteed to get you if you're careless with it. Both times we were hacked our server was sodomized. You could lose a lot more than just time, Sam.

I'm the only adventure at c: master hahahaha I have unlocked just about everything!

Thumbs up

37 (edited by Ethin 2018-07-09 06:00:55)

@36, 100 percent agreed. I don't give a shit what your server does. If it's a server that'll be only up for about a minute to allow you to test something, real quick, it's fine -- leave it insecure. But if you are going to deploy it for long-term use (i.e. longer than 5 hours), secure it. No questions. No ifs, buts or whys. Just do it. You'll give a sigh of relief when the brute-force scripts come calling. And believe me, I know what I'm talking about. My own server, which has been up for over 3 months now, has been fail-brute-forced (that is, the forcing has failed spectacularly) a total of 9,015 times as of July 09 0500 hours server time. Those brute-force attacks aren't very intelligent -- I'll give you that -- but if you fail to secure your password, and if an attacker figures out your root password....

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up
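Post 37's tally of failed logins is the raw material for a simple detector. The script below is an added example, not the poster's own tooling: it parses constructed sshd syslog lines (documentation-range IPs; the year is assumed because syslog omits it) and flags any source that fails a configurable number of times inside a sliding window.

```python
"""Flag SSH brute-force bursts from sshd log lines (added example, not from the thread)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in OpenSSH's syslog format; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real attackers.
SAMPLE_AUTH_LOG = """\
Jul  9 04:58:01 srv sshd[2210]: Failed password for root from 203.0.113.5 port 51122 ssh2
Jul  9 04:58:03 srv sshd[2210]: Failed password for root from 203.0.113.5 port 51122 ssh2
Jul  9 04:58:05 srv sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Jul  9 04:58:06 srv sshd[2214]: Failed password for invalid user oracle from 203.0.113.5 port 51131 ssh2
Jul  9 04:58:09 srv sshd[2216]: Failed password for root from 203.0.113.5 port 51140 ssh2
Jul  9 04:59:40 srv sshd[2220]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Jul  9 05:00:12 srv sshd[2222]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=2018):
    """Return [(timestamp, source_ip, username)] for every failed password attempt.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue  # accepted logins and unrelated lines are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Return {ip: (attempts_in_window, sorted usernames tried)} for sources that
    produced at least `threshold` failures inside any `window_seconds` window."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits inside window_seconds
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in attempts[start:end + 1]})
                flagged[ip] = (end - start + 1, users)
    return flagged


def targeted_accounts(events):
    """Which usernames the failures were aimed at (root usually tops the list)."""
    return Counter(user for _, _, user in events)


if __name__ == "__main__":
    failures = parse_failed_logins(SAMPLE_AUTH_LOG)
    print(f"{len(failures)} failed password attempts")
    for ip, (count, users) in brute_force_sources(failures).items():
        print(f"brute force from {ip}: {count} attempts, users {users}")
    print("targeted accounts:", targeted_accounts(failures).most_common(3))
```

The single failure from the key-based user is deliberately below the threshold, so the detector only reports the burst, which is the behaviour you want before wiring it to a blocklist.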

38

And that is why no two characters should ever be the same. I do believe I once tried on a website to put unicode characters/emojis in the password once...yeah, unicode works, but it didn't like me putting emojis in passwords. Come on! Dictionary attack can't possibly run through those at least not until much later.
My point? I'm quite sure for every vulnerability that's in his server, his password is probably typable, and that's a problem. You need to make it long enough that you can't even remember it. Got a problem with that? Get a password manager, there's a free accessible one out here with encryption that's friggin hand-made and proven via a contest which nobody won that it is safe against pretty much anything.

I'm the only adventure at c: master hahahaha I have unlocked just about everything!

Thumbs up

39 (edited by Jason SW 2018-07-09 17:23:40)

If you want the best security with ssh, you should be using public/private key pairs, preferably with the private key encrypted with a passphrase, and completely disallow password logins.
Use ed25519 keys, not RSA or anything else. Use this site to help you configure your servers and clients for best security:
https://stribika.github.io/2015/01/04/s … shell.html
You may also want to consider running your ssh server on a nonstandard port. This will make more work for any attackers. I realize that this is security by obscurity, but (IMO) as long as you have some real security measures to back it up, then extra security by obscurity couldn't hurt.

Thumbs up
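Post 39's advice (key-only logins, ed25519, a non-standard port) can be checked mechanically. The auditor below is an added example, not the poster's or the linked guide's code; it assumes the sshd_config(5) rules that keywords are case-insensitive, the first occurrence of a keyword wins, and directives after a Match line are conditional, and both config samples are constructed.

```python
"""Audit an sshd_config against the hardening post 39 describes (added example)."""
import re

# Constructed sample resembling a stock install.
WEAK_CONFIG = """\
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
PasswordAuthentication yes
# a later duplicate does not override the line above: sshd keeps the first value
PasswordAuthentication no
"""

# Constructed sample applying the post's advice: keys only, ed25519, non-standard port.
HARDENED_CONFIG = """\
Port 2222
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# keyword -> (accepted values, sshd's default when the keyword is absent)
RECOMMENDED = {
    "passwordauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    # PAM keyboard-interactive can still prompt for a password unless this is
    # off too (newer OpenSSH spells it KbdInteractiveAuthentication)
    "challengeresponseauthentication": ({"no"}, "yes"),
    "permitrootlogin": ({"no", "prohibit-password"}, "prohibit-password"),
}


def parse_sshd_config(text):
    """Return ({keyword: first value}, [HostKey paths]) for the global section."""
    values, hostkeys = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # everything after Match is conditional; out of scope here
        if key == "hostkey":
            hostkeys.append(val)
        else:
            values.setdefault(key, val.lower())  # first occurrence wins
    return values, hostkeys


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config matches the advice."""
    values, hostkeys = parse_sshd_config(text)
    findings = []
    for key, (accepted, default) in RECOMMENDED.items():
        actual = values.get(key, default)
        if actual not in accepted:
            origin = "set" if key in values else "default"
            findings.append(f"{key}={actual} ({origin}; want {'/'.join(sorted(accepted))})")
    for path in hostkeys:
        if "ed25519" not in path.lower():
            findings.append(f"non-ed25519 host key offered: {path}")
    if values.get("port", "22") == "22":
        findings.append("port=22 (the post suggests a non-standard port; obscurity only, not a control)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Dropping the RSA host key can lock out older clients that cannot do ed25519, so check your client population before removing it rather than just adding the ed25519 key alongside.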

40

You can never be too careful.

I'm the only adventure at c: master hahahaha I have unlocked just about everything!

Thumbs up

41

@40/39, indeed; my research has showed that ED25519 is the most secure elliptic curve we have, and that ECC is the future. I'll most likely be switching my server over to use elliptic curve cryptography shortly for everything that supports it. (My SSL certificate already uses AES-256-GCM-SHA-384, and so does my IRC network, so...)

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

42

Hi,
I don't know exactly what benefits ssl would provide, however what I can say is that js can be inserted into comments and evaluated. You should probably fix that.

Sincerely,
Lucas.

Thumbs up

43 (edited by defender 2018-07-09 21:50:26)

God it would be hilarious if Ethin made a website so everyone could nitpick each and every stupid little detail about it.
It's seriously a fucking blast watching two bloated egos go at it, especially when Ethin just can't give an inch to save him self and Sam pretends to be a consummate professional. ROFL
At least Sam actually accomplished something tangible though... while Ethin can only nip at his heels out of what I assume is deep-seated jealousy?
Really, when you think about it, they're actually quite alike in a lot of ways, no wonder they can't stand each other!


Claps hands in glee and eggs them on.

This... -- Is CNN'.
Well Ted, it sure looks like there's been uh, quite a bit of violence around here
"aaoh, that violence was terrible'!"
Yeah it was, pretty bad.

Thumbs up +1

44 (edited by Ethin 2018-07-09 22:02:41)

@defender, I don't need to accomplish anything tangible on this particular forum to be successful. I'm jealous? Of Sam? Definitely not. Sam has done nothing unique at all. You know what would be hilarious, Defender? If you yourself could make something tangible.... oh wait, you can't! Sorry, wrong person!
Honestly, man, how immature and stupid can you be? Grow the fuck up.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

45 (edited by defender 2018-07-09 23:11:33)

In the ag.net community he sure has, and in the ag.net community you sure haven't.
And you're right, I really haven't either, that's why I don't sign up for projects any more, but I also don't pretend to know shit I don't, or try to find every tiny little issue with someone else's work I possibly can.
Because I have enough common sense to not shove my foot in my own mouth, or screw over others with bad info/incompetency.

This... -- Is CNN'.
Well Ted, it sure looks like there's been uh, quite a bit of violence around here
"aaoh, that violence was terrible'!"
Yeah it was, pretty bad.

Thumbs up

46

@45, I haven't, perhaps. But you haven't either. So it's quite hypocritical of you, you know, to say that I haven't made something tangible when you yourself haven't. Grow up and actually act mature.. you might actually get somewhere. I try to be civilized but, you know, on this forum sometimes the only way to get through to someone is to be blunt as all hell.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

47

I am not really shocked to see the absurd amount of misinformation flying around here, nor am I shocked to see Ethin and his general attitude.
For those of you hanging on to Ethin's coattails, I'm going to preface this by saying that any google of my name, my github, etc shows work I have done and accomplished in the past. Googling Sam's name shows work that he's done, whether or not you like it. Googling Ethin, well, that just gets you lots of forum posts where he's ranting and screaming while refusing to back up any of the points he makes, lots of copy-pasted code, lots of links and articles he really knows nothing of. Ethin's strongest skill isn't so much in his ability to understand this material, as it is in being able to find long words and terminology, string them together and formulate cogent sentences that, to the outsider look like he has a modicum of knowledge pertaining to what he's talking about. Unfortunately this is not true, so please take a journey with me through this circus of a thread and let's deconstruct some of these claims being made. Before we embark on this voyage, it's pretty clear to anyone who has seen my posts with regard to Sam that I am far from his biggest fan. If there are valid criticisms to fling at him, and there are a boatload, I can assure you, I'm happy to sit back and just read. In this case though, I find it insulting, annoying and outright absurd that someone with a worse reputation can fling the rocks he is. So buckle your seatbelts, and let's go.

@15:
I'm the ghost of christmas past, here to point out all your self-serving arrogant views and why they're wrong, so let's just start from the basics, shall we?
PCI-DSS compliance costs thousands and thousands of dollars, requires pen testing and is usually only useful when you're trying to become a payment gateway. In this case, Sam (at last look) was not attempting to be a payment gateway or a PoS (point of sale), but was using Paypal for that. Records stored in cleartext are scary enough, and Sam has enough faults and the security sense of a rock, let's not complicate matters by flinging standards into the mix of which you know nothing of, shall we? I also find it interesting that you're quoting government law and cherry-picking individual passages to come up with something that fits your narrative. How about you go do something for the community at large, publish something, open source something, create a business using your vast knowledge and skillset. In short, you're all talk and no show, which isn't really surprising to anyone, but I suppose having an absurd number of audiogame posts is great for your resume. Unless you have proof that sam is violating these terms, I would recommend you relax with the accusations.
@21:
Nothing requires he be PCI-dss compliant, so please for the love of god stop throwing that term around like you know what it means. If every company ever that took payments through a payment gateway like Paypal were required to be PCI-dss compliant, companies would not exist. it costs thousands, tens of thousands of dollars to establish.
@27:
If you had any idea how these payments work, you would know that payment details are not communicated. Paypal provides you a form which redirects you to their site. Payment transactions are done through that site. Paypal has various APIs to notify you when payments are complete. All transactions are done within the confines of Paypal itself.
#31:
Nothing says a site has to use https. A user's login information should be protected and if anyaudio doesn't do that it's a problem, but simple browsing does not require it. Secondly, you're conflating two issues: Sam's use (or lack thereof) of HTTPS with how, if and when he uses MySQL, so let's work on that one for a second, shall we?

Mysql is nothing more than a data storage mechanism, just as text files, redis, postgresql, etc are data storage mechanisms. One's use or decision to use either of these does not create higher levels of security and lends itself to various issues. So the tl/dr version is sam's use or lack of use of MYSql means nothing, but thanks for playing.
@35:
Where is your proof that his website is vulnorable to XSS and XST? Can you explain in your own words without a barrage of links and pointing fingers at security experts what this means and how Sam is vulnorable? Can you tell me what attacks can be created via usage of Sam's php.ini file? What data does it disclose that can create an attack vector?
#37:
You're presumably counting the number of failed SSH logins, which has nothing to do with XSS, XST or anything else and is just a bunch of bots scanning ports and trying to connect. Please make a connection.
#44:
Do we really have to resort to cursing? You've spent this entire thread, quite literally making baseless claims. Here's your chance, step up and show your skills. Show why people should listen to you, why what you say matters more than the dog turd I just scraped off my shoe, and more importantly do something besides flood people with lots of fancy looking acronyms you scrape from Google and some links. I can ask you to do all of these things, but you and I know that what this will devolve into is you whining and crying and you'll accomplish none of these.

Thumbs up +4

48

@Ethin Just stop acting like a damn lunatic, all you ever do is scream and shout and throw weighty words around, copy and paste dictionary definitions, copy and paste code, just chill the fuck out. Honest, why you even here, you don't contribute positively ever, all you do is run your mouth all the time. I mean, where is this energy going to, look at that. People don't even listen to you because you've sullied your reputation so badly. Shit I would probably have a better shot at convincing someone even though my only experience in coding is MOO, BGT and enough Python to make me chuck my keyboard across the room. SO really expenditure of energy and all that, you might as well be screaming into a wind tunnel ramped up to full speed.

Seriously, I don't even see you talking about games, except an aside or something in someone else's thread, or GTAV, and certainly the amount of times you scream and shout and act like a baboon far outweighs the times you talk about games. SO what are you doing here, what's your purpose. I mean even if you stopped right now, stopped this god complex shit, stopped going ape at people, stopped acting like the second coming of Christ and his webster dictionary in hand, even if you stopped now, it would take a few years for people to come back around to you, and you'd have to do a complete 180. So yeah. I really can't think of anyone with a lower rep than you, and I'm not sorry to say that because its the absolute truth.

I'm a cat! What's mine is mine, and what's yours is mine to :P XD

Thumbs up +1

49 (edited by Ethin 2018-07-09 23:42:45)

@47, aha. I was wondering when your preferably unwanted presence would show itself. I'm amazed you've never been banned from mailing lists and from other sites when you come in here and act like you know everything just because you've made a few github projects and have contributed to the FreeBSD kernel. I can quite happily assure you that, while I can understand you want to come in here and prove us all how you're more intelligent and knowledgeable than everyone else on this forum and security experts alike, your approach is most likely worse than mine. Now... let me dissolve some of that bullshit you spew:
Googling "sorressean" brings up your twitter profile (https://twitter.com/sorressean), your git hub page (https://github.com/sorressean), Aspen (https://github.com/sorressean/Aspen), Your Drupal user account (https://www.drupal.org/u/sorressean), Your stack overflow profile (https://stackoverflow.com/users/336484/sorressean), Some forum on MUD bytes (http://www.mudbytes.net/forum/18), Your own rant against empiremud (https://forum.audiogames.net/viewtopic.php?id=24056), Nodeka: prospectives from a blind player (http://www.topmudsites.com/forums/showthread.php?t=7647), something which I'm not really sure is actually connected to you (https://www.deezer.com/en/track/438704632), and some images on google images.
Googling me brings up my Facebook profile (https://www.facebook.com/ethin.woolf), My Youtube channel (which I'm inactive on because I don't have a streaming setup that works with youtube) (https://www.youtube.com/channel/UC4S47m … DdEW1xWSOQ), An old linked in profile of mine (https://www.linkedin.com/in/ethin-probst-4a7a20149), My own stack overflow user (https://stackoverflow.com/users/4309245), My sound cloud profile (nothing on there atm) (https://soundcloud.com/ethin-probst), Something else from sound cloud (https://soundcloud.com/ethin-probst/followers), replied tweets from me (https://twitter.com/microsoftaddmin), a message that I submitted to the GCC mailing list at one point (https://gcc.gnu.org/ml/gcc/2016-06/msg00014.html), and that's it, unless you go to page 2. The only "screaming" you ever find is on page 3 and beyond, and most people don't go that deep into google search results.
Finally, googling Sam brings up: his website (http://www.samtupy.com), his games (http://www.samtupy.com/games), His twitter profile (https://twitter.com/samtupy1?lang=en), An ag.net post (on page one of all things) (https://forum.audiogames.net/viewtopic.php?id=23825), something from the blind geek zone (http://www.blind-geek-zone.net/the-sam-tupy-website), A youtube channel (https://www.youtube.com/playlist?list=P … NvMWh2YuJq), and some instragram stuff which I'm not sure if he's associated with. And that's on page one.
So, there goes pretty much all that bullshit in your very first paragraph, mr. I-know-everything-there-is-to-know-about-the-universe.
Now, as for your other paragraphs...
You ask: "Where is your proof that his website is vulnorable to XSS and XST?" Have you ever heard of two very well-known and respected open-source tools called Nikto and OpenVAS? Go ahead and run Nikto on his website; you will find that it indicates he's vulnerable to XSS and XST (cross-site scripting and cross-site tracing).

Second, you ask: "Can you explain in your own words without a barrage of links and pointing fingers at security experts what this means and how Sam is vulnorable?" You know, acting like a know-it-all when you can't even spell "vulnerable" right... hmmm... not good, man. As for the answer: for XSS, if an attacker is able to hijack a user's browser to Sam's website (using something like BeEF), they would be able to inject a malicious payload into the HTTP request. Done properly, the website would then echo back the payload, causing it to be executed. XST, or cross-site tracing, relies on the idea that a hacker can already inject JavaScript into the browser that the user is using, and, since the browser is already hijacked, or XSS has taken place (or, even, the attacker has managed to perform an MITM attack to redirect the user to a different page), the attacker can already inject JavaScript. Therefore, when the browser retrieves the HTML body (which contains the aforementioned malicious JavaScript), the XST attack will cause the web server to reflect (that is, resend) the vulnerability right back at the client, causing the client (the web browser) to execute that malicious JavaScript.

Finally, you ask: "Can you tell me what attacks can be created via usage of Sam's php.ini file? What data does it disclose that can create an attack vector?" The file itself, on its own, would not create an attack vector. The vulnerability comes in the fact that the php.ini file may disclose configuration information to an attacker which could give them information for other attacks like remote code injection. This depends, of course, on whether his installation of PHP has been misconfigured. It's a very common rule, though, that that file should not be public.

Now, you're probably going to come back at me with some more bullshit of yours. That's fine. As for the taxes thing, I'll agree that I should've added somewhere that I think that he wasn't, because it's only a theory; but I think I can appropriately theorize, knowing Sam well enough, that he wouldn't pay taxes unless his parents were doing it for him. He's earning an income, after all. So, now that you've read all of this, I'd only like to ask how you've changed. I do remember a particular forum post you made about a month back where you said that 10 years ago you were like me, acting like me, and that you learned to change. Clearly, post 47 completely negates that post; clearly you haven't changed one inkling at all!

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

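To make the reflected XSS point in the post above concrete, here is an added example (not code from Sam's site, and not posted by anyone in this thread): a tiny PHP search page written first the way the post describes the flaw, with a request parameter echoed straight into the HTML, and then with the fix. The file name, the parameter name `q`, and the sample input are assumptions made for the demo.

```php
<?php
// Added example, not from samtupy.com or this thread. Run a local copy with:
//   php -S 127.0.0.1:8080 search_demo.php        (file name is an assumption)
// and open http://127.0.0.1:8080/?q=test. Run with plain `php search_demo.php`
// to see the CLI self-check instead.

declare(strict_types=1);

// Vulnerable form: the raw query parameter is interpolated into the page, so
// any markup in it (including a <script> element) is sent back to the browser
// and runs in the site's origin. This is what a scanner reports as reflected XSS.
function render_results_unsafe(string $q): string
{
    return "<p>Results for: {$q}</p>";
}

// Hardened form: encode for the HTML context before output. ENT_QUOTES covers
// both quote characters so the same helper is safe inside attribute values too;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function render_results_safe(string $q): string
{
    $encoded = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Results for: {$encoded}</p>";
}

// Defence in depth: a Content-Security-Policy without 'unsafe-inline' stops an
// inline payload from executing even if output encoding is missed somewhere.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    header('X-Content-Type-Options: nosniff');
    header('Content-Type: text/html; charset=UTF-8');
}

if (PHP_SAPI !== 'cli') {
    // Serving a real request: always use the hardened renderer.
    send_security_headers();
    $q = (string) ($_GET['q'] ?? '');
    echo render_results_safe($q);
    exit;
}

// CLI self-check with a constructed input that shows the difference.
$sample = '<script>alert(1)</script>';
echo 'unsafe: ' . render_results_unsafe($sample) . PHP_EOL;
// prints: unsafe: <p>Results for: <script>alert(1)</script></p>
echo 'safe:   ' . render_results_safe($sample) . PHP_EOL;
// prints: safe:   <p>Results for: &lt;script&gt;alert(1)&lt;/script&gt;</p>
```

The XST half of the post is a server setting rather than application code: disabling the HTTP TRACE method on the web server (Apache's `TraceEnable off`) removes the reflection the attack relies on, and marking the session cookie `HttpOnly` limits what a trace reflection or a script injection could read. The php.ini point is handled the same way, by keeping the file outside the document root so the server never serves it.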

50

@48, I am most definitely not the only one who acts the way I do. You've definitely done it, sorressean has done it, everyone has. Saying that I'm acting like I have a god complex just because sorressean posted all that stuff in post 47... makes me think you're the type who will play follow-the-leader.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
