Re: Famous at last, though not in the best way

2014-03-18 Thread Peter M. Brigham 
On Mar 18, 2014, at 9:19 AM, Mike Kerner wrote:

> On the heroism, I'm just telling you what the writers of the posts seem to
> be saying, unless I'm reading them wrong.
> 
> I don't disagree that LC is a nice tool to have.  I do seem to spend enough
> time using it - but - I've used lots of tools that were nice.  Sometimes,
> though, in business, mass leads to growth.  I wasn't all that amped at
> being able to develop android apps, except for the fact that someone else
> who wants to develop for mobile can target ios and android with less work,
> which means more potential users, more potential revenue for RR, and thus,
> more potential goodies for me in the product.
> 
> Today's hackers are frequently tomorrow's badasses, because eventually they
> grow up and get a job.  I'll cheer the hackers latching on as a very big
> deal for tool growth.  Now that LC is OSS, they might even eventually fork
> it and do other very cool things with it that we can all thank them for,
> later.

It strikes me that in a perverse way this marks the entrance of LC into the 
mainstream of programming languages. For it to be used as a malware tool, I 
mean. It is after all just a tool, and tools can be used for good or ill. If 
it's a truly powerful tool, someone will discover how to misuse it sooner or 
later.

-- Peter

Peter M. Brigham
pmb...@gmail.com
http://home.comcast.net/~pmbrig


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-18 Thread Bob Sneidar 
Awesome Richard. Erm… this isn’t going to hack my bank account is it…? ;-)

Bob


On Mar 18, 2014, at 07:43 , Richard Gaskin 
mailto:ambassa...@fourthworld.com>> wrote:

Hard to beat a full VM for containment, but for those of you who may need to 
run stacks from unknown sources within your main system I wrote a simple tool 
to help with that.

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-18 Thread Mike Kerner 
CSO article:
http://www.csoonline.com/article/749849/bitcoin-stealing-malware-hidden-in-mt.-gox-data-dump-researcher-says?source=CSONLE_nlt_salted_hash_2014-03-18


On Tue, Mar 18, 2014 at 10:43 AM, Richard Gaskin  wrote:

> Mike Kerner wrote:
>
>  By the way, it appears the hackers were trying to uncover fraud at Mt.
>> Gox,
>> so they're actually being considered heroes, which is a little weird...
>>
>
> Weird or not, nice to see LC in the role of hero code.
>
>
>
>  And by the way, this is EXACTLY why when I download some random stack that
>> someone here has thrown in that allegedly does something very cool, I only
>> open it in an isolated VM until I can have a better look at it, first.
>>
>
> Hard to beat a full VM for containment, but for those of you who may need
> to run stacks from unknown sources within your main system I wrote a simple
> tool to help with that.
>
> 4W Secure Runner provides checkboxes for all the categories in the new
> securityPermissions property added in v6.1.3, so you can conveniently turn
> on the permissions you want to allow and then select a stack to open:
> 
>
> As with the older secureMode property (which is still supported, though
> more strictly than in older versions), once the security permissions are
> set they can only be made more restrictive during the current session, but
> cannot be lifted.  So if you run this tool, be sure you've saved any work
> you need first, since turning off the "disk" option will prevent any reads
> or writes to disk.
>
>
> --
>  Richard Gaskin
>  Fourth World
>  LiveCode training and consulting: http://www.fourthworld.com
>  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
>  Follow me on Twitter:  http://twitter.com/FourthWorldSys
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-18 Thread Richard Gaskin 

Mike Kerner wrote:


By the way, it appears the hackers were trying to uncover fraud at Mt. Gox,
so they're actually being considered heroes, which is a little weird...


Weird or not, nice to see LC in the role of hero code.



And by the way, this is EXACTLY why when I download some random stack that
someone here has thrown in that allegedly does something very cool, I only
open it in an isolated VM until I can have a better look at it, first.


Hard to beat a full VM for containment, but for those of you who may 
need to run stacks from unknown sources within your main system I wrote 
a simple tool to help with that.


4W Secure Runner provides checkboxes for all the categories in the new 
securityPermissions property added in v6.1.3, so you can conveniently 
turn on the permissions you want to allow and then select a stack to open:



As with the older secureMode property (which is still supported, though 
more strictly than in older versions), once the security permissions are 
set they can only be made more restrictive during the current session, 
but cannot be lifted.  So if you run this tool, be sure you've saved any 
work you need first, since turning off the "disk" option will prevent 
any reads or writes to disk.


--
 Richard Gaskin
 Fourth World
 LiveCode training and consulting: http://www.fourthworld.com
 Webzine for LiveCode developers: http://www.LiveCodeJournal.com
 Follow me on Twitter:  http://twitter.com/FourthWorldSys

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-18 Thread Curry Kenworthy 


Mike wrote:

I'll cheer the hackers latching on as a very big
deal for tool growth.


We could likewise hope for organized crime to latch on too; they have 
money to invest, and that could benefit everyone?


That's not to say that hackers could never be heroes. A technique or a 
tool can be used for good or ill, and definitely there are some such 
scenarios I could cheer for. Bring 'em!


But for now, generally I'll be cheering more for other sectors of the LC 
population. I see so many amazing ideas put in motion by folks here 
using LC that it's ironic to see only a nebulous coin nabber get 
attention. :)


Best wishes,

Curry K.


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-18 Thread Mike Kerner 
On the heroism, I'm just telling you what the writers of the posts seem to
be saying, unless I'm reading them wrong.

I don't disagree that LC is a nice tool to have.  I do seem to spend enough
time using it - but - I've used lots of tools that were nice.  Sometimes,
though, in business, mass leads to growth.  I wasn't all that amped at
being able to develop android apps, except for the fact that someone else
who wants to develop for mobile can target ios and android with less work,
which means more potential users, more potential revenue for RR, and thus,
more potential goodies for me in the product.

Today's hackers are frequently tomorrow's badasses, because eventually they
grow up and get a job.  I'll cheer the hackers latching on as a very big
deal for tool growth.  Now that LC is OSS, they might even eventually fork
it and do other very cool things with it that we can all thank them for,
later.


On Mon, Mar 17, 2014 at 10:59 PM, Mike Kerner wrote:

> By the way, it appears the hackers were trying to uncover fraud at Mt.
> Gox, so they're actually being considered heroes, which is a little weird...
>
>
> And.it hit slashdot:
>
> http://it.slashdot.org/story/14/03/17/2220236/kaspersky-mt-gox-data-archive-contains-bitcoin-stealing-malware?utm_source=slashdot&utm_medium=twitter
>
> and itworld.com:
>
> http://www.itworld.com/security/410097/bitcoin-stealing-malware-hidden-mt-gox-data-dump-researcher-says
>
> coindesk:
>
> http://www.coindesk.com/mt-gox-hackers-claim-release-transaction-details-ceos-personal-data/
>
> Forbes:
>
> http://www.forbes.com/sites/andygreenberg/2014/03/09/hackers-hit-mt-gox-exchanges-ceo-claim-to-publish-evidence-of-fraud/
>
>
> Here's the reddit discussion of the guys hacking the source and working on
> it, some with debuggers, some by other means:
>
> http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibannebackofficeexe_executable_is_wallet/
>
> More from Reddit:
>
> http://www.reddit.com/r/Bitcoin/comments/1zz21j/mtgox_2014_hack_database_revealed_live_from_mark/cfya3ni
>
> Wow.  620 mb.  Dang.
>
>
> On Mon, Mar 17, 2014 at 2:42 PM, Mike Kerner wrote:
>
>> Thanks for weighing in, boss!
>>
>> It's still cool in a very perverse way that somebody is using LC to
>> hack.  Besides me, anyway.  Now if I can get Glass to work with LC...
>>
>>
>>
>> --
>> On the first day, God created the heavens and the Earth
>> On the second day, God created the oceans.
>> On the third day, God put the animals on hold for a few hours,
>>and did a little diving.
>> And God said, "This is good."
>>
>
>
>
> --
> On the first day, God created the heavens and the Earth
> On the second day, God created the oceans.
> On the third day, God put the animals on hold for a few hours,
>and did a little diving.
> And God said, "This is good."
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-18 Thread Curry Kenworthy 


Mike wrote:

By the way, it appears the hackers were trying to uncover fraud at Mt. Gox,
so they're actually being considered heroes, which is a little weird...


Heroes? I seriously doubt it.

The only scenario I could imagine for that argument would mean instead 
of using the heroism as cover for the bitcoin stealer, they developed 
the stealer as part of the heroics and used a public means to distribute 
it, hoping to snag the Mt Gox people again instead of anyone else? And 
using good old 419er type logic, that only greedy people would get 
affected or scammed?


It would take a lot of faith to see it that way instead of as a simple 
criminal operation to steal fund accounts. But even giving them the 
benefit of all possible doubts, still at best it was designed to snoop 
on others besides the target, the target was assumed guilty, and once 
the assumption was made these types usually deface www and disclose 
stolen data regardless of whether their "investigation" shows any guilt.


That's like saying the NSA would be big heroes if they also did some 
defacing and dumping - no thanks. Most hackers are just people overly 
full of themselves and imitating the very tactics of the big 
corporations and secretive government entities they rant and rave about. 
I would have hoped that if we have LC-based hackers, they would be 
higher class.


And I don't think we need to try and spin this as some kind of example 
that LC has finally come of age. People have been doing truly remarkable 
and praiseworthy things with LC for a long time, maybe less sensational 
but much more interesting that this.


Besides, I didn't like their coding style. LiveCode shouldn't look like 
it wants to be Javascript. So I hope it doesn't end up posted to the LC 
tutorial section. :)


Best wishes,

Curry K.


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Mike Kerner 
And by the way, this is EXACTLY why when I download some random stack that
someone here has thrown in that allegedly does something very cool, I only
open it in an isolated VM until I can have a better look at it, first.


On Mon, Mar 17, 2014 at 10:59 PM, Mike Kerner wrote:

> By the way, it appears the hackers were trying to uncover fraud at Mt.
> Gox, so they're actually being considered heroes, which is a little weird...
>
>
> And.it hit slashdot:
>
> http://it.slashdot.org/story/14/03/17/2220236/kaspersky-mt-gox-data-archive-contains-bitcoin-stealing-malware?utm_source=slashdot&utm_medium=twitter
>
> and itworld.com:
>
> http://www.itworld.com/security/410097/bitcoin-stealing-malware-hidden-mt-gox-data-dump-researcher-says
>
> coindesk:
>
> http://www.coindesk.com/mt-gox-hackers-claim-release-transaction-details-ceos-personal-data/
>
> Forbes:
>
> http://www.forbes.com/sites/andygreenberg/2014/03/09/hackers-hit-mt-gox-exchanges-ceo-claim-to-publish-evidence-of-fraud/
>
>
> Here's the reddit discussion of the guys hacking the source and working on
> it, some with debuggers, some by other means:
>
> http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibannebackofficeexe_executable_is_wallet/
>
> More from Reddit:
>
> http://www.reddit.com/r/Bitcoin/comments/1zz21j/mtgox_2014_hack_database_revealed_live_from_mark/cfya3ni
>
> Wow.  620 mb.  Dang.
>
>
> On Mon, Mar 17, 2014 at 2:42 PM, Mike Kerner wrote:
>
>> Thanks for weighing in, boss!
>>
>> It's still cool in a very perverse way that somebody is using LC to
>> hack.  Besides me, anyway.  Now if I can get Glass to work with LC...
>>
>>
>>
>> --
>> On the first day, God created the heavens and the Earth
>> On the second day, God created the oceans.
>> On the third day, God put the animals on hold for a few hours,
>>and did a little diving.
>> And God said, "This is good."
>>
>
>
>
> --
> On the first day, God created the heavens and the Earth
> On the second day, God created the oceans.
> On the third day, God put the animals on hold for a few hours,
>and did a little diving.
> And God said, "This is good."
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Mike Kerner 
By the way, it appears the hackers were trying to uncover fraud at Mt. Gox,
so they're actually being considered heroes, which is a little weird...


And.it hit slashdot:
http://it.slashdot.org/story/14/03/17/2220236/kaspersky-mt-gox-data-archive-contains-bitcoin-stealing-malware?utm_source=slashdot&utm_medium=twitter

and itworld.com:
http://www.itworld.com/security/410097/bitcoin-stealing-malware-hidden-mt-gox-data-dump-researcher-says

coindesk:
http://www.coindesk.com/mt-gox-hackers-claim-release-transaction-details-ceos-personal-data/

Forbes:
http://www.forbes.com/sites/andygreenberg/2014/03/09/hackers-hit-mt-gox-exchanges-ceo-claim-to-publish-evidence-of-fraud/


Here's the reddit discussion of the guys hacking the source and working on
it, some with debuggers, some by other means:
http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibannebackofficeexe_executable_is_wallet/

More from Reddit:
http://www.reddit.com/r/Bitcoin/comments/1zz21j/mtgox_2014_hack_database_revealed_live_from_mark/cfya3ni

Wow.  620 mb.  Dang.


On Mon, Mar 17, 2014 at 2:42 PM, Mike Kerner wrote:

> Thanks for weighing in, boss!
>
> It's still cool in a very perverse way that somebody is using LC to hack.
> Besides me, anyway.  Now if I can get Glass to work with LC...
>
>
>
> --
> On the first day, God created the heavens and the Earth
> On the second day, God created the oceans.
> On the third day, God put the animals on hold for a few hours,
>and did a little diving.
> And God said, "This is good."
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Mike Kerner 
Thanks for weighing in, boss!

It's still cool in a very perverse way that somebody is using LC to hack.
Besides me, anyway.  Now if I can get Glass to work with LC...


-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Kevin Miller 
Hi folks,

The offending application was built with version 5.0.0 of LiveCode. That
is long before the improved script security features introduced during the
6 series. It is now much harder to get a memory dump of a script from a
password-protected stack. It would require catching the memory dump at
exactly the right time - which is not the easiest thing to do without the
original source code.

To put this in perspective, the theoretical ability to dump memory has
been present since the early 90s. This is the first recorded time I¹ve
seen of someone actually doing it. It is much, much harder in the latest
version. However there isn¹t any way we could make a script 100% secure
against this sort of attack without moving to full compilation. Even then,
there will always be ways of decompiling some of any application,
accessing the variables etc like there is in every other app in any
language.

Full compilation would be better, but when you consider the number of
processor architectures and platforms we support, its non-trivial to say
the least. It *is* something we eventually plan to do after every single
other thing out there is done but its going to be a very long time.

In the mean time, the security is about as good as we can make it in the
present version and far better than the version used to do this.

Kind regards,

Kevin

Kevin Miller ~ ke...@runrev.com ~ http://www.livecode.com/
LiveCode: Everyone can code




On 17/03/2014 17:11, "Mike Kerner"  wrote:

>Now that we're off in the weeds, yes, there are not just disassemblers,
>but
>decompilers as well, and there have been for 40 years.  I think I used my
>first one on an Apple ][.
>
>The thing with those tools is that you don't get the variable names, or
>comments, or the exact control structures, etc., because they don't know
>what the author was trying to do (and often they aren't sure what language
>- computer or human) the code was written in, although depending on the
>platform, often humans can figure that part out.  If you run an
>application
>through a decompiler/disassembler, you get something that if you recompile
>it will work, but it is not a road map to what the person was thinking,
>because optimizing compilers in particular take all sorts of liberties
>with
>the original source to get an executable that is smaller and/or runs
>faster.
>
>Even though you get source (and at least in theory can get source in
>whatever source language you want), that doesn't save you a lot of time.
>HOWEVER, if the code is just encrypted, it is far, far easier to get to
>back to what the author is really doing.
>
>Stuxnet, for instance, is a binary that isn't particularly large, but the
>malware experts have been trying for years to decipher all of it, and they
>have not, yet.
>
>
>On Mon, Mar 17, 2014 at 12:59 PM, Richard Gaskin
>> wrote:
>
>> Mike Kerner wrote:
>>
>>> See thread from other list - we had static compilation of HC stacks and
>>> projects back in the 80's and early 90's with Heizer Software's
>>>CompileIt!
>>> and Double-XX! (the exclamation points were part of the name).
>>>
>>
>> Those were clever, but a LOT of work to attempt to use well.  Still,
>> compilation could be done, but I'd sooner see it pursued for the
>> performance gain than the perceived security benefit.
>>
>> While it's true that a disassembler wouldn't be able to reconstruct the
>> LiveCode source (yet), modern disassemblers can produce readable C, some
>> even C#, so the seeming security is only a matter of degrees.
>>
>>
>> --
>>  Richard Gaskin
>>  Fourth World
>>  LiveCode training and consulting: http://www.fourthworld.com
>>  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
>>  Follow me on Twitter:  http://twitter.com/FourthWorldSys
>>
>> ___
>> use-livecode mailing list
>> use-livecode@lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>
>
>
>
>-- 
>On the first day, God created the heavens and the Earth
>On the second day, God created the oceans.
>On the third day, God put the animals on hold for a few hours,
>   and did a little diving.
>And God said, "This is good."
>___
>use-livecode mailing list
>use-livecode@lists.runrev.com
>Please visit this url to subscribe, unsubscribe and manage your
>subscription preferences:
>http://lists.runrev.com/mailman/listinfo/use-livecode



___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Richard Gaskin 

Mike Kerner wrote:

Stuxnet, for instance, is a binary that isn't particularly large, but the
malware experts have been trying for years to decipher all of it, and they
have not, yet.


I've heard worse complaints about some of my LiveCode scripts. ;)

--
 Richard Gaskin
 Fourth World
 LiveCode training and consulting: http://www.fourthworld.com
 Webzine for LiveCode developers: http://www.LiveCodeJournal.com
 Follow me on Twitter:  http://twitter.com/FourthWorldSys

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Mike Kerner 
Now that we're off in the weeds, yes, there are not just disassemblers, but
decompilers as well, and there have been for 40 years.  I think I used my
first one on an Apple ][.

The thing with those tools is that you don't get the variable names, or
comments, or the exact control structures, etc., because they don't know
what the author was trying to do (and often they aren't sure what language
- computer or human) the code was written in, although depending on the
platform, often humans can figure that part out.  If you run an application
through a decompiler/disassembler, you get something that if you recompile
it will work, but it is not a road map to what the person was thinking,
because optimizing compilers in particular take all sorts of liberties with
the original source to get an executable that is smaller and/or runs faster.

Even though you get source (and at least in theory can get source in
whatever source language you want), that doesn't save you a lot of time.
HOWEVER, if the code is just encrypted, it is far, far easier to get to
back to what the author is really doing.

Stuxnet, for instance, is a binary that isn't particularly large, but the
malware experts have been trying for years to decipher all of it, and they
have not, yet.


On Mon, Mar 17, 2014 at 12:59 PM, Richard Gaskin  wrote:

> Mike Kerner wrote:
>
>> See thread from other list - we had static compilation of HC stacks and
>> projects back in the 80's and early 90's with Heizer Software's CompileIt!
>> and Double-XX! (the exclamation points were part of the name).
>>
>
> Those were clever, but a LOT of work to attempt to use well.  Still,
> compilation could be done, but I'd sooner see it pursued for the
> performance gain than the perceived security benefit.
>
> While it's true that a disassembler wouldn't be able to reconstruct the
> LiveCode source (yet), modern disassemblers can produce readable C, some
> even C#, so the seeming security is only a matter of degrees.
>
>
> --
>  Richard Gaskin
>  Fourth World
>  LiveCode training and consulting: http://www.fourthworld.com
>  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
>  Follow me on Twitter:  http://twitter.com/FourthWorldSys
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Richard Gaskin 

Mike Kerner wrote:

See thread from other list - we had static compilation of HC stacks and
projects back in the 80's and early 90's with Heizer Software's CompileIt!
and Double-XX! (the exclamation points were part of the name).


Those were clever, but a LOT of work to attempt to use well.  Still, 
compilation could be done, but I'd sooner see it pursued for the 
performance gain than the perceived security benefit.


While it's true that a disassembler wouldn't be able to reconstruct the 
LiveCode source (yet), modern disassemblers can produce readable C, some 
even C#, so the seeming security is only a matter of degrees.


--
 Richard Gaskin
 Fourth World
 LiveCode training and consulting: http://www.fourthworld.com
 Webzine for LiveCode developers: http://www.LiveCodeJournal.com
 Follow me on Twitter:  http://twitter.com/FourthWorldSys

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Mike Kerner 
It doesn't require an experienced security expert.  Memory dumps are very
easy, and the tools are cheap.

MG is MobGUI, and John is, of course, John.

See thread from other list - we had static compilation of HC stacks and
projects back in the 80's and early 90's with Heizer Software's CompileIt!
and Double-XX! (the exclamation points were part of the name).  CompileIt!
was originally a tool for using HT to write XCMD's and XFCN's, but soon
after, Double-XX came out as a way to build fully-compiled standalones from
HC stacks.  It worked great.  I wrote the first HC-based
Anti-virus/anti-trojan this way.  It stopped the idiotic Dukakis trojan,
and several others with only a handful of lines of code.  Then I built
several database applications for my employer at the time, all
fully-compiled, double-clickable applications.  It was all just HC stacks
with a few restrictions placed on them by Heizer Software, the creators of
CompileIt! and Double-XX!


On Mon, Mar 17, 2014 at 12:24 PM, Richard Gaskin  wrote:

> Mike Kerner wrote:
>
> > Decompiling does not result in original source code.  As it is, the
> > kiddies can just copy/paste.  The dump that Kaspersky included, even
> > had a line that was commented out.
>
> So it seems they can only "copy and paste" if an experienced security
> expert has first provided a RAM dump.
>
> While always an issue with every dynamically-compiled language, how easy
> is it to fully dump RAM?  Has anyone here successfully done it?
>
> Still, I agree it merits consideration.
>
> Given the nature of the language static compilation may not be possible.
>  What other means may be useful?
>
>
>
> > Think about it - if you have the Pro version, yeah, your source is
> > encrypted, until it's decrypted when the app is loaded.  Then it's
> > just sitting there for someone to take.  I avoided doing this with
> > MG when John went AWOL, but there is nothing that would have stopped
> > someone with no scruples from doing it themselves.
>
> I think I may have missed some posts:  what is "MG" and who is "John"?
>
>
> --
>  Richard Gaskin
>  Fourth World
>  LiveCode training and consulting: http://www.fourthworld.com
>  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
>  Follow me on Twitter:  http://twitter.com/FourthWorldSys
>
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Richard Gaskin 

Mike Kerner wrote:

> Decompiling does not result in original source code.  As it is, the
> kiddies can just copy/paste.  The dump that Kaspersky included, even
> had a line that was commented out.

So it seems they can only "copy and paste" if an experienced security 
expert has first provided a RAM dump.


While always an issue with every dynamically-compiled language, how easy 
is it to fully dump RAM?  Has anyone here successfully done it?


Still, I agree it merits consideration.

Given the nature of the language static compilation may not be possible. 
 What other means may be useful?



> Think about it - if you have the Pro version, yeah, your source is
> encrypted, until it's decrypted when the app is loaded.  Then it's
> just sitting there for someone to take.  I avoided doing this with
> MG when John went AWOL, but there is nothing that would have stopped
> someone with no scruples from doing it themselves.

I think I may have missed some posts:  what is "MG" and who is "John"?

--
 Richard Gaskin
 Fourth World
 LiveCode training and consulting: http://www.fourthworld.com
 Webzine for LiveCode developers: http://www.LiveCodeJournal.com
 Follow me on Twitter:  http://twitter.com/FourthWorldSys


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Mike Kerner 
Decompiling does not result in original source code.  As it is, the kiddies
can just copy/paste.  The dump that Kaspersky included, even had a line
that was commented out.

Think about it - if you have the Pro version, yeah, your source is
encrypted, until it's decrypted when the app is loaded.  Then it's just
sitting there for someone to take.  I avoided doing this with MG when John
went AWOL, but there is nothing that would have stopped someone with no
scruples from doing it themselves.


On Mon, Mar 17, 2014 at 12:02 PM, Richard Gaskin  wrote:

> Mike Kerner wrote:
>
>> 3) It might be nice if some day my code was ACTUALLY compiled, not just
>> encrypted, and then tossed through the interpreter, especially if we want
>> the tool to be used by more than just script kiddies, because script
>> kiddies will take this and run with it.
>>
>
> I would enjoy the performance benefits of static compilation, but as long
> as the source language is easy to use how it would compilation deter
> "script kiddies"?
>
>
> --
>  Richard Gaskin
>  Fourth World
>  LiveCode training and consulting: http://www.fourthworld.com
>  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
>  Follow me on Twitter:  http://twitter.com/FourthWorldSys
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Andrew Kluthe 
On Mon, Mar 17, 2014 at 10:34 AM, Mike Kerner wrote:

> More needs to be done in the pro version to protect source and


I don't know. I have a feeling that this was done using the open source
version and it was incorrectly reported as encrypted or mistaken as being
encrypted prior to loading it into memory. I could be wrong though.


-- 
Regards,

Andrew Kluthe
and...@ctech.me
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Richard Gaskin 

Mike Kerner wrote:

3) It might be nice if some day my code was ACTUALLY compiled, not just
encrypted, and then tossed through the interpreter, especially if we want
the tool to be used by more than just script kiddies, because script
kiddies will take this and run with it.


I would enjoy the performance benefits of static compilation, but as 
long as the source language is easy to use how it would compilation 
deter "script kiddies"?


--
 Richard Gaskin
 Fourth World
 LiveCode training and consulting: http://www.fourthworld.com
 Webzine for LiveCode developers: http://www.LiveCodeJournal.com
 Follow me on Twitter:  http://twitter.com/FourthWorldSys

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Mike Kerner 
I disagree - this is the best way.  Nothing says "badass" like having
hackers blast out something that Kaspersky can then throw down for all to
see.

HOWEVER, they mention that the source was encrypted because the developer
was using the pro version so
1) More needs to be done in the pro version to protect source and
2) A Pro user wrote this.  One would think it would then be possible to
figure out who that was, and I assume, since we have both the source and
the encrypted code, it should be straightforward to determine what the key
was, and then there's the whole thing about them asking for help along the
way while they were working on this project.
3) It might be nice if some day my code was ACTUALLY compiled, not just
encrypted, and then tossed through the interpreter, especially if we want
the tool to be used by more than just script kiddies, because script
kiddies will take this and run with it.


On Mon, Mar 17, 2014 at 10:32 AM, Richard Gaskin  wrote:

> Martin Baxter wrote:
>
> > Our favourite tool used to make bitcoin wallet stealing malware:
> >
> >  Malware_from_the_MtGox_leak_archive>
>
> Given how many orders of magnitude more malware is written in C, Java,
> PHP, Flash, and others, I see this as an inevitable and ultimately healthy
> sign that LiveCode is finding its way among the great programming languages.
>
> --
>  Richard Gaskin
>  Fourth World
>  LiveCode training and consulting: http://www.fourthworld.com
>  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
>  Follow me on Twitter:  http://twitter.com/FourthWorldSys
>
>
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Richard Gaskin 

Martin Baxter wrote:

> Our favourite tool used to make bitcoin wallet stealing malware:
>
> 



Given how many orders of magnitude more malware is written in C, Java, 
PHP, Flash, and others, I see this as an inevitable and ultimately 
healthy sign that LiveCode is finding its way among the great 
programming languages.


--
 Richard Gaskin
 Fourth World
 LiveCode training and consulting: http://www.fourthworld.com
 Webzine for LiveCode developers: http://www.LiveCodeJournal.com
 Follow me on Twitter:  http://twitter.com/FourthWorldSys


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Curry Kenworthy 


Richmond:


I'm sorry to disappoint you; but THAT was NOT me.


I was already disappointed about that when reading the article; the 
coding style indicates someone who is more comfortable in traditional 
programming languages and not a lover of linguistics.


Unless that was a clever ploy of disguising the coding style! :)

We have a lot of gravy-train and handout mentality growing over here 
too, and new innovative forms of government corruption spring up just 
like new forms of malware. So don't feel isolated over there.


Best wishes,

Curry K.


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Richmond 


On 03/17/2014 10:53 AM, Martin Baxter wrote:

Our favourite tool used to make bitcoin wallet stealing malware:



Martin




On a further note: I find it hilarious that Kaspersky should employ a 
Russian
resident in Moscow to identify Bulgarian MalWare. This is already 
suspect, even
if Sergey Lozhkin is, himself, 100% upright; Russians have taught most 
Bulgarian hackers

what they know.

Big brother teaches little brother how to smoke.

Richmond.

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: Famous at last, though not in the best way

2014-03-17 Thread Richmond 


On 03/17/2014 10:53 AM, Martin Baxter wrote:

Our favourite tool used to make bitcoin wallet stealing malware:



Martin




"The Command and Сontrol server, which used to be located in Bulgaria 
seems like has been shutdown is now offline."


I'm sorry to disappoint you; but THAT was NOT me.

Even if for no other reason than that sort of coding is a bit beyond me!

Bulgaria, unfortunately, is an incredibly corrupt country, and Bulgarian 
programmers are very good [as in 'clever, capable', NOT as in 'morally 
good'].


The EU keeps pressurising Bulgaria to stamp out corruption; but as 
corruption riddles
the government there is no hope of that. Until Bulgarians can see that 
there is a clear
advantage in not being corrupt corruption will never stop. Markets are 
controlled by oligarchs

who have direct links to the government.

Bulgarians wonder why they are not benefitting from EU membership; and 
are so short-sighted
that they cannot see that the enormously bent nature of their country 
goes hand in hand with
the lack of benefits. But as they see EU membership as a sort of 
gravy-train with endless
free handouts I wonder if the fact that nothing is, ultimately, free 
will ever sink in.


I have been trying to explain to kids / teenagers here that pirating 
Windows and sofware
is wrong [morally, legally, financially] and feel that I am getting a 
bit tired of banging my

head against a brick wall. Corruption has become almost culturally endemic.

Sorry to spoil your lunch.

Richmond.

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Famous at last, though not in the best way

2014-03-17 Thread Martin Baxter 
Our favourite tool used to make bitcoin wallet stealing malware:



Martin

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode