My Case Study

The way I look at it there are two types of noes...the vague one and the affirmative one. Common sense needs to come into play of course with how you distinguish the two. Maybe this has been covered already, but I thought to share a recent experience I had with it (both in the verbal sense as well as action sense). Most people won't come across my type of situation but the concept remains the same and if I was able to do it given the hostile environment I was in then anybody should be able to turn some of those noes into yeses in your future endeavors. It's a bit of a story since it's a case study so if you don't want to read it...don't read it. As always, if you like my share feel free to hit the Thanks button.

My expertise: Exploits
My targets: Casinos
My offer: Consulting

Two months ago I offered consulting to a company after exploiting their system...they took me up on it. The deal was $3,000 per exploit I found. First one they paid me, second one they paid me. A week or so later they relaunch the game and ask me if I can find anything new with it...I did within the hour. I contact them back informing them of this and stated I could get a video made showing it shortly. He says he'll inform his partners and get back to me after the weekend so no need to do it yet.

Monday comes and I notice the game is back online and the vulnerability is no longer there. I emailed him stating my frustration as it appeared I was now used as a guinea pig to answer the question of whether it's secured or not...but not to show them where it was and how to fix it. That's where the "cheap labor" would come in to keep pentesting the site. This is not the deal we had. Is it good business policy to get cheap labor? Sure. But as the old saying goes...you pay for what you get.
When I received a response I was informed that I would be paid a fraction of what the Agreement was since it only took a very short time to find and that my services will now be only used for Yes or No responses pertaining to if their games are secure and I would now be paid at their discretion. The balls on these guys. I knew which side of the fence I had to stand on now. I could have fucked them over for more than 3k on numerous occasions but I was trying to build something of a relationship with them via consulting.

After the game was "fixed" and back online, I dropped what I was doing and dedicated the rest of my day to it. I didn't take NO for an answer with whether I could break the game again. The game was offline for several days to put in the patches so clearly if it was relaunched then everything had to be secure, right? Well, I wasn't going to accept that contention. This wasn't about money anymore. It's one thing to not afford the original Agreement and to work something out with me. It's another thing to railroad me because you got cheaper labor somewhere else and think some guy off of Odesk charging $15 an hour is somehow comparable to me.

Later that day I had the game cracked again. I wasn't paid my "Yes or No" fee yet so I waited for them to send it. That night the exploit was deployed and I got paid...on my terms. Fuck them! My loyalties were misguided based on me trying to go somewhat legit. I knew what had to be done. The next morning, their BTC wallet was empty and the game was pulled offline again...I didn't say a word to them. I could have waited until the weekend when I knew they would put more in for the heavier action but I wanted to leave a message...if you cross me during the day you'll be sorry by the time night hits.

I then focused my attention to their blackjack game which I wasn't able to crack in the whole 2 months of me "working" with them. I had a shit load of motivation and money was only 1% of it.
They probably weren't worried about blackjack since I wasn't able to do anything with it before. But I was up for the challenge. I spent around $400 testing the game out. A lot of my procedures come from aborting and/or malfunctioning the game so I knew heavy testing would come at a larger price. I refused to accept their blackjack game being non-breakable and I was just wasting money. There had to be something...and there was. This vulnerability didn't come up every time but when it did it paid off huge. I launched the exploit at night and once again by the time morning hit their wallet was empty and the game was offline. Over the next few days they kept their wallet super thin.

I sent the owner a skype message to see if they wanted the fix. I knew what I was getting into but business is business and I'm not afraid to propose an offer to a company I exploited. So, I'll leave out most of the shit talking and insults they threw at me and skip to where my offers come in, the rejections that follow and how I turned that NO into a YES! This was a skype conversation but I'll take out the misc skype details and just leave the text.

ME: Blackjack down?

THEM: you tell me you want 1,000,000,000 to find the defect? good hit on the video poker too the other day? can't say your not good so what's up.. you got an itch to steal more, or what?

ME: (1st offer) just wanted to know why what's up with blackjack. why, did someone crack it? thought you had video poker are secured too? you pay for what you get I suppose. you want the fix for blackjack? there's a reason why I did it during the day...to get your attention don't need to hide behind doing it during the wee hours while you're sleeping well, if you're interested, feel free to present an offer. otherwise have your crackerjack team spend days on it.

THEM: (1st rejection) i'm not interested in dealing with people I can't trust, and you sir have clearly proven (on 3 occasions now) i can't trust you i will have the crackerjack guys attempt to put some bandaids on it

ME: (2nd offer) i get the job done, i could care less what you think of me. you want a feel good employee, lol I'm a businessman...I don't take your shit talking personally. If you wish to present an offer to me tomorrow or whenever, feel free to do so.

THEM: i'm letting the owners know, we gotta shut down you're right, i'm wrong - i'm an idiot Praise be unto Him

ME: My offer still stands though. Otherwise, drink some redbull and keep that wallet thiiinnnnn

THEM: (2nd rejection) Cool story bro

ME: (3rd offer) (here I was looking for an affirmative NO and I would be on my way) so I know for future reference and to avoid unnecessary conversations with you, is it a moot point trying to offer the fix for what I will continue to find on your site? if so, that's cool, we don't need to communicate any further. I don't reach out to you to just talk. If working with me is off the table going forward then it doesn't make much sense talking any further. So if it is, say so now.

THEM: so we saw that you could double after you received blackjack. If you have other exploits on blackjack - we haven't found them yet

ME: yeah, there's more. doesn't do me any good either since my response will only induce you to hire cheaper labor to look for it and patch it, just like you did before

THEM: How much do you personally think you could "get" from it? In reality - you did a good job last week.

ME: (4th offer) if you want to make a deal for the rest of the exploit we can

THEM: shoot - give me the offer, knowing you could probably get away with it later tonight at 2 AM when I'm asleep

Trust me, the conversation was a lot more contentious than what was included but you can see here that even in situations like this you can sometimes turn that NO into a YES and make money from it. Don't always take what someone says or what a situation brings at face value. There's oftentimes more to the story...or exploit in my case.