User Controls
Posts by Sophie
-
2016-03-13 at 9:44 PM UTC in Let's talk crypto.On the subject of ransomware, http://www.darkreading.com/operations/two-biggest-reasons-ransomware-keeps-winning/d/d-id/1324631?_mc=RSS_DR_EDT
[greentext]>law enforcement has on times advised to simply pay the ransom[/greentext]
[greentext]>some law enforcement agencies have, themselves, paid ransomware operators.[/greentext]
[greentext]>some organizations are paying several thousand dollars at a time to recover systems[/greentext]
Ransomware is big business.
-
2016-03-13 at 9:19 PM UTC in Let's talk crypto.
As to OP, yeah, while novel cryptography is famously difficult using well tested implementations like you'll find in pycrypto for things like ransomware shouldn't be incredibly complex. I'd be interested in how you would propose to get whatever you were trying to extort from targets in a way that doesn't lead back to you. It's kinda hard to ask granny to go buy some bitcoin and transfer it to your account to get her family pictures back but obviously you can't just slap up a paypal account and call it a day.
That would imply the only people getting infected would be grannies and while there certainly would be a few to fall victim, the general population is far less computer literate as you make it seem to be. Besides you could select for demographic by carefully choosing the way in which you deliver the ransomware, for instance, binding the executable to an innocent one belonging to a game or something and distributing through torrents would mean you get people interested in games which generally means younger people. In contrast a spam campaign is far less indiscriminate. -
2016-03-13 at 5:03 PM UTC in Humanities majors should kill themselves
It's reality -> math or reality <-> math. Whether math is applied or inherent. I know this shit nigga. I say it's reality <-> math because of the feedback loop of mental processes on reality. Humans induce mathematics from the environment and then apply it back. Whether some of the data bits of the objective state of being are lost in translation is irrelevant. It just indicates the limitations of particular person's psychology in the feedback loop.
Until you can demonstrate what Lanny meant when he said this:I compute conways life with hashing at ln(n)/20 cycles/minute
Everything you say is objectively invalid. -
2016-03-13 at 4:17 PM UTC in Any Space Niggas On Minds?Never heard of it.
-
2016-03-13 at 3:30 PM UTC in The website obesity crisis
Woo, someone remembers. Btw, why u stole my avatar, bro dude?
I did not, my avatar remains a little anime girl. Your shit must be buggy and of course i remember it was a good post fam. -
2016-03-13 at 3:06 PM UTC in Whoever designed AutoIT should be shot in the face.Traversing the intertubes i found a post by someone who had made a pseudorandom string generator in AutoIT. Here's what it looks like.
Func _pGenerate($sLen)
Local $aCharset = StringSplit("0123456789!@#$%^&*-_=+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", "")
Local $sRand = 0, $sDupCheck = 0, $sReturn = ""
For $i = 1 to $sLen
$sRand = Round(Random(1, $aCharset[0], 1))
if $sRand < ($sDupCheck - 4) OR $sRand > ($sDupCheck + 4) Then
$sReturn &= $aCharset[$sRand]
$sDupCheck = $sRand
Else
$i -= 1
EndIf
Next
Return $sReturn
EndFunc ;==> _pGenerate()
Look at this monstrosity and what's up with all the silly dollar signs anyway? Besides i don't know if the guy messed his syntax up or this is actually how you do it but the else in his if/else statement is capitalized while the if is not (-_-")
From the top of my head, python does this in 3 lines of code and that's including import statements.
import random, string
def string_generator(length=10,chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(length)
Now if you will excuse me i have to scrub the filth that is AutoIT syntax from my retinas. -
2016-03-13 at 2:20 PM UTC in Let's talk crypto.
Interesting stuff. Seems like the best encryption would be your own home made encryption system, which may actually(sadly) be illegal one day.
Not to mention extremely complex. Poorly implemented crypto is arguably worse than no crypto at all because it provides the illusion of safety. -
2016-03-12 at 11:42 PM UTC in Nostalgia Thread
l. Using MSN messenger but not really having any friends so pretending to be offline every time I logged in.
That's sad :( Some times i had to put my status on offline just to get some peace and quiet. -
2016-03-12 at 2:57 AM UTC in I took too many Noot Herbs and now I'm DyingSaint John's Wort is actually a TCA, primarily.
-
2016-03-11 at 10:06 PM UTC in Let's talk crypto.Lol i typed the twitter. I'mma call it the twitter from now on.
-
2016-03-11 at 9:08 PM UTC in ATT: Crazy Mike and/or SophieI'm on my way home at the moment, i'll get back to you in a bit.
-
2016-03-11 at 8:34 PM UTC in Let's talk crypto.And let's put it to some interesting use. So every once in a while there's a hype on the twitter among the more seriuos infosec related accounts, mostly a set of researchers and cyber journalists that i follow, the hype is usually about the latest ransomware to hit the scene. The concept of ransomware is rather simple. 1. Deliver payload 2. Encrypt user data with public key 3. Drop a notice of extortion with instructions on how the victim may aquire the private key for decryption.
Now i can imagine you don't just hammer out a hardcore cryptographic algorithm during your lunch break with a cup of coffee. But realistically the crypto part seems to me the only thing complex about ransomware, besides if you're just encrypting personal data such as family pictures, videos, music. word and/or PDF documents you probably don't even have to worry about finding a privilege escalation exploit particular to the type of environment you're in, since the program doesn't affect any system files it could run within the context of the user that has been infected. I imagine not having to have a specific exploit for different platforms would make cross platform compatibility much more feasible. Although as is the case with Windows at least, peristence mechanisms and encrypting backup files would require admin privilege, however reflective DLL injection into a process that is allowed to escalate it's own privilege by design would be a feasible way of bypassing UAC. Furthermore, if you sacrifice the ability to dynamically update public keys and make sure the malware itself generates the ransom note, there would effectively be no need for C&C infrastructure, which is arguably better practice from an operational security standpoint at least.
All in all the biggest hurdle is the crypto part. Now luckily i can code with cheatmode on since i do python and python comes with a rather dank crypto module(PyCrypto) which incidentally has been upgraded to powerlevel >9000 as ezPyCrypto and easy it is. Say we would want to encrypt a string with 4096 bit RSA we'd do this.
from ezPyCrypto import key
myKey = key(4096)
# Export and print pubkey, you could do this for pub/priv pairs as well and write them to a file
publicKey = myKey.exportKey()
print publicKey
myNewKey = key(0)
myNewKey.importKey(publicKey)
testEnc = myNewKey.encString("Bitches don't know 'bout my crypto")
print myKey.decString(testEnc)
Now our session contains the value for our 4096 RSA encrypted string. Alternatively i could export both public and private keys, start a new session and use my public key to encrypt data on the fly. If you happen to have any experience with this or the PyCrypto module in general i'd be interested to hear how you have implemented it's functionality or any issues you encountered when working with these modules.
Now i was thinking, making a python based ransomware seems to be well within my capabilities unless i am missing a crucial piece of information(In which case i'd love to know), as such i am tempted to give this a go. With a tool like peCloak i could even add dank encoding to the compiled binary to frustrate forensics/reverse engineering efforts. Truth be told i'd probably just make the thing, push to github and get mad stars yo.
Also, general crypto and ransomware thread. -
2016-03-11 at 7:02 PM UTC in fuck
Probably virtual drives
You know your 'trick' sucks when even Spectral can figure it out. -
2016-03-11 at 1:04 PM UTC in I think about killing myself a lot
Most people do drugs because they are smart.
I am not smart and therefore do not do drugs.
Makes sense. (n_n") -
2016-03-11 at 12:28 PM UTC in Lanny doesn't fix this website because he doesn't know how to and he's Dumb.
Lanny is actually very knowledgeable. He can write a script which can ban you thousands of times.
I have yet to see you accomplish such a feat. Lanny may be a flamboyant homosexual but you're objectively gayer than him. -
2016-03-10 at 8:47 PM UTC in scientific warezAr you majoring in engineering? I see they offer trial versions as well, depending on the kind of limitations the trial versions come with i'd assume it'd be possible to reverse engineer them and crack them yourself, if all else fails.
-
2016-03-10 at 7:23 PM UTC in Allah
-
2016-03-10 at 5:52 AM UTC in Lanny Serious QuestionFanny is a shrewd cat puncher.
-
2016-03-10 at 12:57 AM UTC in Where did all the totseans go?
Well this is fucking gay. My internet crashed and now it won't let me back in the room.
Reboot? Idk. -
2016-03-10 at 12:32 AM UTC in Where did all the totseans go?
Let's talk on tinychat
Partyvan? GF is asleep so no audio though.
