Quote from: pine on September 06, 2012, 03:30 amQuote from: Sands on September 05, 2012, 06:23 pmThink what you will, but you can always use his software on a machine thats not connected to the net.Of course. All vendors use physical Air Gaps by burning information from the Internet on read only CD/DVDs, decrypt on the isolated machine, and then in order to communicate back across the Air Gap they use either the keyboard to transfer information across to the networked machine using their eyeballs, or else they utilize something like a checksum to ensure the information coming back on a read only CD/DVD is precisely what was intended to come back across. This will mean manually adding up and knowing the exact data.Because that's pretty much the only way what you said would work, could work. Otherwise it just doesn't. So what you said is essentially for practical purposes complete bullshit.Given all the software does, you can do that.Quote from: pine on September 06, 2012, 03:30 amQuote from: sickgirl on September 05, 2012, 08:07 pmAm I missing something here? This piece of software is released under the GPL, which means that the source code is readily accessible, Cannot be licensed under GPL otherwise.Yes. Because it's totally irrelevant so long as the code is not explicitly posted whereby it can be audited. For several reasons, four of which are:A: What you get today, may not be what you get tomorrow. A bait and switch is as simple as it gets with exploits.Easily proven wrong with SHA256 checksums. Actually, there's a point, better go and add that for the individual files.Quote from: pine on September 06, 2012, 03:30 amB: The exploit may not be in the actual software, ever. The malware could be in the related pieces of software you need to acquire to make it 'work'. e.g. HTMLDOCs. This was a exploit achieved by the Vietnamese Secret Service against Tor users a few years ago. People downloaded Tor and it was fine. But they needed to download a language set for Vietnamese for the windows operating system. Turned out the backdoor was in that language set they downloaded, and everybody who was reading Vietnamese on windows had become part of the Vietnamese Secret Service's botnet.That's also how Anonymous got the kiddie fiddlers, by getting them to use an infected version of Tor Button.As for HTMLDOC, you can examine its code. Alternatively you can skip it and just opt for printing plain text or even the HTML. I only included the HTML to PDF function because the vendor who originally contacted me wanted to print to envelopes and HTMLDOC allowed easy generation of a PDF which matched the layout of the template the vendor provided to me.Quote from: pine on September 06, 2012, 03:30 amC: The vast majority of vendors will not be computer programmers and will have to rely on trust in somebody else's judgement. This is very bad. If you have a flock of apparent experts telling you it's legitimate, you let down your guard and then you get fucked.The code isn't that complex, I can step them through the essentials of what it does and then they can ask someone not connected to all of this whether I'm full of shit or not.Quote from: pine on September 06, 2012, 03:30 amD: There are extremely clever ways of putting exploits into code, even when it's capable of being monitored, it can be hard to tell. It's not like reading a book, even experienced programers could be caught out if they are not trained to analyze potentially malicious code. Code analyis for finding memory leaks and other bugs is one thing, hunting down a backdoor is something else completely.Don't expect an exploit to be straight forward. They are deliberately engineered to obfuscate the origin of the exploit. That is kind of the entire point of an exploit.Yes there are, but if LE were really trying to do what you say they'd just use a JPG with a malicious exploit in it to fire up whenever the image is loaded.