Quote from: pine on September 09, 2012, 09:46 am
Quote from: LouisCyphre on September 06, 2012, 11:20 am
Quote from: pine on September 06, 2012, 05:57 am

A general point I neglected to mention which may explain some of this situation:

People must understand that DPR isn't necessarily going to be pointing out every possible pitfall and removing them as options. For example, DPR's approach when I brought up the issue of LouisCyphre's program as a security concern for vendors was not "Yes, let's ban him, LE for sure" or "You're probably paranoid, Pine, I mean you think you're a platypus (but this is true)", it was "Go to the forum and have at it, let the vendors themselves decide what is best". This may seem strange, and it did to me at first blush, but I think the general idea, partly at least, is stemming from market based philosophy, is that being overly protective of a market could eventually lead to its downfall if people weren't recognizing 'issues' for themselves, whether or not they got them right or wrong.

That is interesting since DPR already knew what I was doing before I made the listing. He has not (yet) taken me up on my offer to provide a copy of the code for his own peace of mind.

You're right about the agorist philosophy behind his response too. You were asking him to regulate the market, which is the antithesis of what an agorist market is.

Actually, after informing DPR of my suspicions, I asked for something quite different.

Which was?

Quote from: pine on September 09, 2012, 09:46 am
Quote from: LouisCyphre on September 06, 2012, 11:36 am

It's even simpler than that: If you don't want to use it for whatever reason, don't buy it. If you do, buy it, I'll help you set it up, explain exactly what it does and how, provide best recommendations for secure use and if it turns out I'm fucking with you then you can provide that proof to DPR and he can terminate my account.

That is priceless. So... you're implicitly saying that in the time frame it takes:

A: You to realize this, which you almost certainly won't since that kinda misses the point of a deanonymizing exploit, and
B: The time it takes the police to grab you by the time you realize they are inside the building.

That the vendor will somehow obtain Internet access and dial up SR with a complaint. Because when a criminal is involved in computer based crime, LE agents always give them access to a laptop so he can skype his lawyer or whatever. I mean you're actually right, I cannot believe I did not think of this before. Hrmm, okay, good point.

Quote from: pine on September 09, 2012, 09:46 am
Quote from: xollero on September 07, 2012, 04:31 am

And no. So long as the scripts themselves are not ridiculous mountains of tortured spaghetti code (in which case no-one should run it on general principle), there will be no room full of NSA spooks required to vet the code thoroughly. It will be relatively brief. Either it makes network connections, or it doesn't. Either it does unexpected IO, or it doesn't.

This is not true at all.

It is not as simple as a brief Ctrl-F to search for code that makes network connections or examine I/O, finding exploits can be difficult. Myself and kmfkewm have come up with at least two perfectly plausible methods that are difficult to detect, and it's not as if we've spent months and months working out all the angles to make it come good like a real exploit tiger team would be doing.

It does take more than just searching for the obvious, but if all IO operations are found and found to be clean then xollero is right.

In SROPPy all the IO operations are incredibly obvious. In fact, let's see if there are any other Python coders present, here's one of the files in SROPPy 1.1.
It reads a text file (text-files.list) containing a list of all the .txt files generated by the decryption command, reads each text file (username-transaction_number-address.txt) and then rewrites them as HTML files (username-transaction_number-address.txt.html). It's one of the largest files in that version (at a whopping 545 bytes).

text2html.py:

Code:

    #! /usr/bin/env python

    # Copyright (C) Louis Cyphre, 2012
    # lcyphre@tormail.org

    # Converts address text files to HTML

    txtlist = "text-files.list"

    lfile = open(txtlist, "rb")
    ldata = lfile.readlines()
    lfile.close()

    for string in ldata:
        tfile = open(string.rstrip(), "rb")
        tdata = tfile.readlines()
        tfile.close()
        nfile = open(string.rstrip()+".html", "a")
        nfile.write("")
        for string in tdata:
            nfile.write(string)
            nfile.write("\n")
        nfile.write("")
        nfile.close()

Now let's see if an exploit is buried in there. By the way, if that doesn't add up to 545 bytes then it just means there were more blank lines at the end, so add carriage returns (in Vim or Emacs) until it does and then check the SHA sum.

As for Kmf's exploit, it made certain assumptions about network connectivity, the level of similarity (or lack thereof) between Ruby & Python and exactly what the --decrypt-files flag does in GPG (he assumed it writes to stdout, which it doesn't). I'll get back to him later.