
Security discussion

Apr 20th, 2015
  1. (2:24:53 PM) Wolf`: syntaks: hey
  2. (2:25:22 PM) syntaks: hey
  3. (2:25:24 PM) syntaks: what's up?
  4. (2:25:38 PM) Wolf`: first, where's the github? The one on the official site ain't been touched since Feb
  5. (2:25:43 PM) Wolf`: and that was the initial commit
  6. (2:25:50 PM) syntaks: what git are you looking at?
  7. (2:26:27 PM) syntaks: https://github.com/bellacoin/neoscoin ?
  8. (2:26:49 PM) Stoner19: Wolf` the security stuff you're probably looking for is closed source currently
  9. (2:26:51 PM) syntaks: wow i actually have to update the multi-algo in there what the hell
  10. (2:27:01 PM) syntaks: how did that slip by
  11. (2:27:57 PM) Wolf`: Stoner19: well, hell of a security system :P
  12. (2:28:07 PM) syntaks: Wolf`: ?
  13. (2:28:22 PM) Wolf`: syntaks: a closed source one, was making fun; I assume you're gonna open source it
  14. (2:28:28 PM) syntaks: bad assumption :)
  15. (2:28:38 PM) Wolf`: syntaks: Ohhhhh.
  16. (2:28:42 PM) Wolf`: So many things make sense now.
  17. (2:29:01 PM) syntaks: the final system isn't even in the code as of now
  18. (2:29:12 PM) syntaks: ironically, i'm waiting on the funds for an obfuscator
  19. (2:29:23 PM) Wolf`: hehe.
  20. (2:29:33 PM) Wolf`: If the computer can read it, so can a human
  21. (2:29:36 PM) Wolf`: it's a pain in the ass.
  22. (2:29:39 PM) Wolf`: but it's doable.
  23. (2:29:41 PM) syntaks: yup i'm too familiar
  24. (2:29:51 PM) syntaks: but at least it won't be simple for everyone :)
  25. (2:30:14 PM) syntaks: this one is $750
  26. (2:30:14 PM) Wolf`: syntaks: doesn't need to be; someone just needs to do it and make a tool/document it
  27. (2:30:26 PM) syntaks: it's pretty decent from what i've seen and read from others
  28. (2:30:41 PM) Stoner19: Wolf` that's no different than any other software then, right?
  29. (2:30:56 PM) Wolf`: Stoner19: not exactly
  30. (2:31:12 PM) Wolf`: Stoner19: the security of bitcoin doesn't rely on people not being able to reverse engineer it
  31. (2:31:27 PM) Wolf`: the security of a LOT of code doesn;t
  32. (2:31:28 PM) syntaks: Wolf`: this isn't blockchain security we're talking about
  33. (2:31:29 PM) Wolf`: *doesn't
  34. (2:31:32 PM) Wolf`: syntaks: I know
  35. (2:31:37 PM) syntaks: i agree with your point
  36. (2:31:39 PM) syntaks: 100%
  37. (2:31:43 PM) Wolf`: syntaks: and I believe your idea is unworkable without closed source
  38. (2:31:52 PM) syntaks: i wholeheartedly agree there too
  39. (2:32:05 PM) syntaks: there are 2 unknowns here though
  40. (2:32:14 PM) syntaks: 1. the method in its entirety
  41. (2:32:25 PM) syntaks: 2. a few ideas i've been toying with to change that
  42. (2:32:30 PM) syntaks: and actually move it onto the blockchain itself
  43. (2:32:59 PM) Wolf`: mmm... I shouldn't have to RE your code, not too much
  44. (2:33:10 PM) Wolf`: just the wallet format
  45. (2:33:34 PM) Wolf`: plus, if anyone has a corrupted wallet issue...
  46. (2:33:46 PM) Wolf`: this should be interesting.
  47. (2:34:01 PM) Wolf`: Finally, a coin that's not boring as fuck
  48. (2:34:01 PM) syntaks: the wallet and interface are separate
  49. (2:34:13 PM) Wolf`: I figured
  50. (2:34:19 PM) syntaks: however when the wallet loads up
  51. (2:34:38 PM) syntaks: it checks to see if the keys in there are belonging to the person running them
  52. (2:34:52 PM) Wolf`: of course it does - wouldn't make sense otherwise
  53. (2:34:54 PM) syntaks: i mean there are a few basic laws in place
  54. (2:34:59 PM) syntaks: 1. keep a passphrase
  55. (2:35:07 PM) Wolf`: now, what happens if my shit dies, and I need to load my shit up on my laptop?
  56. (2:35:20 PM) syntaks: then we re-register your shit
  57. (2:35:21 PM) syntaks: :)
  58. (2:35:29 PM) syntaks: IF you've set a pin
  59. (2:35:44 PM) syntaks: if you haven't i won't help with that most likely unless there's undeniable proof it's yours
  60. (2:36:15 PM) syntaks: but as far as the basic laws go
  61. (2:36:22 PM) syntaks: the interface protection is just there to serve to protect a few things
  62. (2:36:32 PM) syntaks: 1. someone from walking up and stealing your funds
  63. (2:36:44 PM) syntaks: 2. someone from reading your config options (api keys for example)
  64. (2:36:49 PM) syntaks: 3. an extra layer
  65. (2:37:02 PM) syntaks: if you combine that with a strong passphrase you're in good shape so far
  66. (2:37:12 PM) syntaks: everything is also restricted to localhost
  67. (2:37:20 PM) Wolf`: Hm. So I need to capture the wallet password, any other info, and use API to drain the wallet... OR
  68. (2:37:28 PM) Wolf`: wait until they unlock it and do it
  69. (2:37:50 PM) syntaks: which is where the virtual keyboard comes in handy
  70. (2:38:00 PM) syntaks: and there's no api
  71. (2:38:14 PM) syntaks: the api keys i mentioned were pertaining to the exchanges and mining pool
  72. (2:38:27 PM) syntaks: so they'd have to capture traffic on the loopback if anything
  73. (2:38:38 PM) syntaks: if someone can set up a listener like that
  74. (2:38:42 PM) syntaks: you have bigger issues
  75. (2:38:46 PM) syntaks: however with that said
  76. (2:38:56 PM) syntaks: if someone's at your machine and able to do that
  77. (2:39:08 PM) syntaks: other areas need to be fixed :)
  78. (2:39:13 PM) Wolf`: syntaks: virtual keyboard can be bypassed
  79. (2:39:17 PM) Wolf`: syntaks: fake clicks
  80. (2:39:31 PM) Wolf`: variation of the techniques used to scam ad companies
  81. (2:39:36 PM) syntaks: fake clicks?
  82. (2:39:47 PM) Wolf`: syntaks: yeah - I can make clicks happen from WinAPI
  83. (2:39:51 PM) syntaks: sure
  84. (2:39:55 PM) syntaks: but it's not based on clicks
  85. (2:40:01 PM) syntaks: it's based on the characters entered in the keyboard
  86. (2:40:18 PM) Wolf`: well, if it's a virtual keyboard, then... ah. Well, I can insert those even easier
  87. (2:40:30 PM) syntaks: you mean keeping track of mouse movement?
  88. (2:40:47 PM) syntaks: recording the mouse clicks etc?
  89. (2:40:48 PM) Wolf`: syntaks: no, I'd be watching active window, probably
  90. (2:40:55 PM) syntaks: oh well if you were watching it then sure
  91. (2:40:56 PM) Wolf`: syntaks: I was thinking that
  92. (2:40:58 PM) syntaks: but again
  93. (2:41:00 PM) syntaks: this all falls back to
  94. (2:41:05 PM) syntaks: if someone is on your machine
  95. (2:41:07 PM) syntaks: able to exploit it like that
  96. (2:41:14 PM) syntaks: the *least* of your concerns is your neos wallet
  97. (2:41:38 PM) Wolf`: syntaks: it's not hard
  98. (2:41:54 PM) Wolf`: syntaks: unpriv to SYSTEM rights in 7 ain't too hard to do
  99. (2:42:01 PM) syntaks: i know
  100. (2:42:12 PM) syntaks: it's just a matter of someone getting on there to begin with
  101. (2:42:20 PM) Wolf`: and at that point, usually I've managed to get a kernel bug, so I can dump code into kernel mode and run that
  102. (2:42:21 PM) syntaks: it also depends on their attack
  103. (2:42:24 PM) syntaks: what they're aiming to do
  104. (2:42:27 PM) Wolf`: syntaks: remote code exec
  105. (2:42:38 PM) Wolf`: which can happen... any number of ways
  106. (2:42:41 PM) syntaks: yup
  107. (2:42:57 PM) syntaks: like i've said
  108. (2:43:01 PM) Wolf`: but it seems you know your shit
  109. (2:43:02 PM) syntaks: it's in no way a be-all end-all system
  110. (2:43:23 PM) syntaks: i mean i can't fabricate anti-screen-recording in there
  111. (2:43:41 PM) syntaks: the other option i was actually going to put in there
  112. (2:43:47 PM) Stoner19: appears to be a bit more NEOS accumulation. I've lost my spot on the richlist in the top 20
  113. (2:43:47 PM) syntaks: but i haven't heard back from my friend's lawyer
  114. (2:43:56 PM) syntaks: is taking a webcam snap
  115. (2:43:59 PM) syntaks: on bad local access
  116. (2:44:13 PM) syntaks: which the machine would already have been given permission to access the webcam by the valid owner
  117. (2:44:18 PM) syntaks: so permissions isn't an issue
  118. (2:44:31 PM) Wolf`: syntaks: you're running on the OS - anything the OS sees, you see, and I control what the OS sees if I can get into kernel mode
  119. (2:44:32 PM) syntaks: but it was just a one-off idea
  120. (2:44:38 PM) syntaks: Wolf`: absolutely
  121. (2:44:46 PM) Wolf`: I've had some fun times modifying undocumented structures in Win 7
  122. (2:44:58 PM) Wolf`: I managed to make a process disappear. No API hooking, either
  123. (2:45:06 PM) Wolf`: Windows itself did not know of its existence
  124. (2:45:09 PM) syntaks: nice
  125. (2:45:10 PM) Wolf`: but it continued to run :3
  126. (2:45:52 PM) syntaks: i mean the bottom line is if someone wants to get into whatever
  127. (2:45:55 PM) syntaks: they're going to find a way
  128. (2:46:09 PM) syntaks: it's just a matter of putting in the effort to make that as difficult as you can
  129. (2:46:13 PM) syntaks: which is all i've done
  130. (2:46:46 PM) syntaks: the new technique i want to put in the code is better in a few ways
  131. (2:46:57 PM) syntaks: and the idea i've been kicking around for using the blockchain i'm dying to test out
  132. (2:47:02 PM) syntaks: it just needs some fine tuning