> Quote from: pine on September 09, 2012, 09:42 am
>
> > Quote from: LouisCyphre on September 06, 2012, 09:39 am
> >
> > > Quote from: pine on September 06, 2012, 03:30 am
> > >
> > > To avoid sneaky tricks, the rule is simple and highly efficient. Don't trust software from anonymous sources with extreme prejudice with the exception of the specific situation kmfkewm has mentioned. And even then you have to watch it. The forum could be populated by 1001 people and 1000 of them could be sock puppets. LE have used such software on carding forums and the like with great effect before now.
> >
> > Then don't buy it. I'm not forcing anyone to, it's their choice.
>
> This is about security, not some kind of "quality control" issue. As many people can buy your software as they like, but they should be informed of how hazardous that proposition could be, hence this thread.

This thread isn't about investigating whether or not SROPPy is secure, that's merely a part of it. It's also about tarring and feathering me. If you'd just wanted answers you could have at least started with a PM, but you didn't, instead you went to DPR to get me shut down and when that didn't work you went for a public attack and smear campaign. Don't believe your own hype.

> Quote from: pine on September 09, 2012, 09:42 am
>
> > Quote from: LouisCyphre on September 06, 2012, 09:39 am
> >
> > There are far better vectors for attack on this site than a handful of scripts that can be read before they're run or run on a disconnected system. Seriously, if I wanted to do that I'd be planting malicious code in a compressed file that was automatically loaded, like a JPG for example. Put it in an avatar and then make a post attacking a particular vendor to lure that vendor into an argument and force them to load it.
>
> This is nowhere near as simple as you're claiming. Image based exploits exist. But if it was as trivial as you're implying, it would have already been done a long time ago indeed.

I never said it was trivial. I said the strategy behind that kind of attack makes more sense for the cops to employ than what you're asserting I've done by offering some code for sale.

> Quote from: pine on September 09, 2012, 09:42 am
>
> > Quote from: LouisCyphre on September 06, 2012, 09:39 am
> >
> > Yes, there is, but I'm not forcing anyone to buy or use this. I am providing a product which some vendors may elect to purchase and use and others may choose not to. It's a free market.
>
> This is... beside the point. Forcing people to do things isn't even a possibility on here. This is a strawman argument, you're pretending my arguments are something other than what they are.

While you're pretending that I am someone I'm not and that my code is something it's not just because I don't do what you tell me to do.

> Quote from: pine on September 09, 2012, 09:42 am
>
> > Quote from: LouisCyphre on September 06, 2012, 09:39 am
> >
> > > Quote from: pine on September 06, 2012, 03:30 am
> > >
> > > I have already described at least 3 different attacks in this one post alone that you cannot possibly address in your description of what you say is happening because the code is not capable of being properly audited. Any programs from anonymous sources need to be visible on the forum, period.
> >
> > One of which requires network access, which is not required by the program. One involves a false assumption about the use of cryptography in the script (it calls GPG *once* with a decryption command). The last requires planting a backdoor in any of the following: Python (probably already on your system, if it's compromised you're already fucked), Bash (same as Python), GPG (extensively audited already) or HTMLDOC (if you're worried, skip that part).
>
> Once more, you are not even implying it here, you are saying it outright, that we should trust you. This is your original sin.

Original sin?! Oh please ... no one has to even trust me. All they have to do is hook up an old PC with no network connectivity and a printer if that's still a concern after buying it.

> Quote from: pine on September 09, 2012, 09:42 am
>
> I seem to remember that your advertisement had *no* caveats about getting somebody else to verify the code against your claims. I seem to remember your advertisement had *no* caveats about using a checksum to make sure you didn't do a bait 'n switch with your program.

If I'd made a dodgy version of the code then all I'd have to do is post the hashes of the dodgy version which would, of course, then match when a user checked them. So that means sod all.

> Quote from: pine on September 09, 2012, 09:42 am
>
> *Everything* you said about that only came after this thread. So we have no evidence you had any plans at all to perform any double checking of any kind whatsoever. Whether they would actually work isn't even the question, it's that you apparently thought vendors would merrily download your software without checking it was without exploitation. The vendor that acquired the code from you, if this vendor is actually indeed real and not just a sock puppet, if they did not carefully audit the code, then the vendor is either naive or an idiot.

Definitely not a sock puppet, they've been here for a lot longer than I have.

The only proof I can provide, though, is the payment I received for the proof-of-concept shell script which was posted earlier. That payment is here:

http://blockchain.info/tx/8adb275fdb11f82349e98adfcb34a17caea53091e48afbc46f3c0b9d9d4f0a43

> Quote from: pine on September 09, 2012, 09:42 am
>
> This is the entire point of this thread. Depending on trust in a single anonymous person's judgement is a recipe for a complete catastrophe for your operational security, i.e. Do not pass Go, go to Jail.

It doesn't even need trust, see above.

> Quote from: pine on September 09, 2012, 09:42 am
>
> I can't be 100% certain, but reading material on image exploitation, you quickly come to the understanding that doing one would likely have to involve the use of a zero day exploit. Even if it were not at that level of difficulty, it's definitely somewhere in that ballpark. How do I know? Because I'm typing this right now and am not in police custody. If it were easy to do, LE would have already done it to everybody on SR.

Once again, I never said it would be easy. I said that the strategy behind such an attack makes more sense than what you're claiming I'm doing.

> Quote from: pine on September 09, 2012, 09:42 am
>
> > Quote from: LouisCyphre on September 06, 2012, 09:39 am
> >
> > > Quote from: pine on September 06, 2012, 03:30 am
> > >
> > > > Quote from: LouisCyphre on September 06, 2012, 12:06 am
> > > >
> > > > The LE accusation only holds true if the code can somehow report on users, which it doesn't.
> > >
> > > We really have no way to know that without the code being placed on this forum. Your attitude is from the get-go that we should take your word for it.
> >
> > And your attitude from the get-go has been completely paranoid, accusatory and frankly offensive. I'm also now convinced that even if and/or when the code is posted to the forums (which frankly I wouldn't trust for a real security audit, with one or two very rare exceptions) that you'd still come up with some reason to stick to your attack.
>
> Yes, you're correct. My attitude is paranoid because you have to be to survive here. I am accusing you of very suspect LE-like behaviour and it's completely irrelevant to the discussion whether me accusing you of being a LE agent hurts your feelings.

My feelings? No. But you're attacking my reputation and even though this is a pseudonym I feel it is worth defending.

You may notice that I haven't, for example, given either you or Kmf any negative karma for what's happened in this thread.

> Quote from: pine on September 09, 2012, 09:42 am
>
> If the drug war ends, and it turns out that you were not a LE agent after all, but a python programmer with a lack of introspection who intended to do the right thing, then I will personally give you five hundred US dollars to recompense you for lost custom and aggravation, along of course with a sincere apology. Unfortunately this is unlikely for reasons beyond our control.

It is unfortunate, you'd be down $500, but I'd want that apology in writing and signed.

> Quote from: pine on September 09, 2012, 09:42 am
>
> Today's situation is that you look extremely guilty to me.

As the old saying goes, looks can be deceiving.

> Quote from: pine on September 09, 2012, 09:42 am
>
> Of course it wouldn't make a jot of difference if you posted code to the forums. We *have no* way to know it was the code or a version with the exploit edited out of it. Not rocket science!

So you can make this argument about posting code to the forum, but can't see how it applies to checksums. That makes it look like you're only applying logic where it supports your argument.

> Quote from: pine on September 09, 2012, 09:42 am
>
> The thread is not about pine trying to get free software out of some open source fanatical resolve, it is about the very great difficulty of trusting somebody who has acted in a very suspicious way.

Once again, trust is not required.

As for auditing the code, find me a decent Python programmer on Silk Road and I'll talk to them about auditing it.

> Quote from: pine on September 09, 2012, 09:42 am
>
> > Quote from: LouisCyphre on September 06, 2012, 09:39 am
> >
> > > Quote from: pine on September 06, 2012, 03:30 am
> > >
> > > > Quote from: LouisCyphre on September 06, 2012, 12:06 am
> > > >
> > > > It can quite easily run on a completely disconnected system. It makes no difference to the program.
> > >
> > > Like I said to Sands, this is basically impossible because it's impractical for vendors without appropriate utilization of an Air Gap.
> >
> > Then they should employ one. Seriously, some old cheap PC with no USB and all the ethernet ports ripped out running a bare minimum install. Data transferred to it via read-only media and no data EVER transferred off it and it's done. How much would it cost using hardware from 6 or 7 years ago? Fifty bucks? A hundred?
>
> If as a result of this thread every vendor went and got an Air Gap, I would be flabbergasted. Delighted, but in some kind of shock.

Sounds like a good basis for another project in the Security forum along the same lines as PGP Club.

> Quote from: pine on September 09, 2012, 09:42 am
>
> Every time a vendor has to make a reply to a customer, they have to burn data to 2 read only DVD/CDs. Once to find out what the message was, once to make the reply. While it is obviously the case a vendor could make 'batch replies' or 'batch reads' if not replying, you are trivializing what is a serious amount of work and more importantly the delay in responding to customers. You're also missing the fact that a great many vendors are transient vendors, not permanent fixtures to the marketplace, in fact the majority of them are probably temp vendors rather than in it for the long haul.

This only holds if using the bash script I posted in this thread on, I think it was the second day (I can't tell you which page because I changed my settings to display 25 posts per page a while back).