47 replies to this topic

[LoganDark]

I have no code to show here. Existing computers running my password lock will continue to function but will not show they are running my system.

new post here

Edited by LoganDark, 07 March 2016 - 11:48 PM.

[Anavrins]

This is all great but...

LoganDark, on 07 December 2015 - 02:39 AM, said:

Password is encrypted using secret code

#-- Don't concentrate intensely on figuring out how the encryption system works. It's simple but complicated.

It's not complicated at all, putting your encrypted password in the code() function will give you the original...
Would be better using an actual one-way function like SHA256 for storing passwords.

The system also does not work, my correct password doesn't unlock the computer.
You can terminate it with ctrl+t despite you saying it can't.
Did you try your program before posting it?

The startup file also runs a pastebin link, which you can edit, and possibly replace with a virus or backdoor.
Edit: Seems you prefer editing your post rather than replying to the thread, here's my answer.
Rolling out patches like this seems like a good idea in theory, but for a password lock, security comes before convenience, you can't have the two at the same time.
Since you put your name in there, you can easily identify who uses your lock, the possibility for you to change the code and put a backdoor in to break into someones computer after rebooting is very real.
It might not be your intentions to do that, but directly running external code that can be modified without notice, I wouldn't put my trust into that.

Edited by Anavrins, 07 December 2015 - 09:16 AM.

[LoganDark]

Post removed

Edited by LoganDark, 09 December 2015 - 05:26 AM.

[Luca_S]

Removed, because the errors have been fixed.

Edited by Luca0208, 11 December 2015 - 08:15 PM.

[LoganDark]

Post removed

Edited by LoganDark, 09 December 2015 - 06:03 AM.

[Luca_S]

LoganDark, on 07 December 2015 - 06:07 PM, said:

Edit: Luca0208, please remove your post. I do not like people looking to publish a hack for my system. Please only post issues, not how to hack my system.

Fix it, then you don't longer have the problem. And no you don't need to decrypt something. I recommend you to do this:

[Creator]

There is a SHA API on the forums. If you can't find it, here is one. (This is the one forums, not by me.)

By the way, figuring out the wat to hack the system can be done by looking at the code. The only way to prevent this is by hashing passwords.

[Lyqyd]

Luca0208, shortened/redirecting URLs are not allowed, please post a link to the ultimate destination when linking things.

[minizbot2012]

A true one-way hash creates the same output for the same input; different output for different input; and doesn't need to be reversed if implemented properly, simply compare the hashed outputs.

LoganDark, on 07 December 2015 - 06:07 PM, said:

Edit: Luca0208, please remove your post. I do not like people looking to publish a hack for my system. Please only post issues, not how to hack my system.

Response to a hack: A way to hack a system is an issue, a major one actually.

EDIT: you're coding is simple rot 13 it seems, but for numbers it is in reverse order, this is way too easy to crack the password from the file (besides disk startup IMO ruins the idea of password locks).
EDIT 2: direct pastebin link for his program: http://pastebin.com/qKcNunWN
EDIT 3: also you're free to use the snippet of the java hashcode function found here: http://pastebin.com/duwcL34w
EDIT 4: also there's free hosting out there (such as google app engine)

Edited by minizbot2012, 07 December 2015 - 10:33 PM.

[Creator]

Exactly. You have my respect, sir!

[LoganDark]

Post removed

Edited by LoganDark, 09 December 2015 - 05:27 AM.

[Anavrins]

That's the thing, if you don't have a sense for security, you shouldn't do security at all.
Yes a password lock is a great beginner thing to write, but posting it on the forum with the label "Cannot be terminated, encrypted with secret code" when these statement are just false is just...

Now I did not say that you're bad and you should quit, not at all, all I did is point out potential security issues in hope to enlighten potential users looking for a good password lock.

Fact is that most people playing with CC plays on a server that provides some kind of claim security that prevents other player from placing blocks and thus bypassing protections.
In that case preventing termination is good enough, you could store the password unaltered if you so desire.
The reason why most of the people are using un-reversible hashes like SHA2 is mostly for prevention in case you forgot to re-lock your computer, and someone sneaks up and learns your password in hope you re-use the same in other places.

You also say that were dumbasses who can't undertand that your security can always be reverse engineered.
But what you don't understand is that we've been suggesting you to use something like SHA2 instead, which is used for real-world application, and is made hard, even impossible to reverse.

Edited by Anavrins, 08 December 2015 - 04:22 AM.

[Lyqyd]

No code to show, locked.

Threads merged and re-opened.

[Dog]

I haven't tested it, but I did see one thing in your code that I'd recommend doing differently.

On line 189 you set os.pullEvent = os.pullEventRaw but you don't backup os.pullEvent or restore it when the script is done. This will disable CTRL-T for everything on that computer until a restart (which will run your login and disable CTRL-T again).

I'd recommend doing the following. On line 189 backup os.pullEvent before pointing it os.pullEventRaw...

local oldPullEvent = os.pullEvent
os.pullEvent = os.pullEventRaw

Then at the end of your code, restore os.pullEvent so the computer operates as expected...

os.pullEvent = oldPullEvent

Edited by Dog, 09 December 2015 - 05:23 AM.

[LoganDark]

Dog, on 09 December 2015 - 05:23 AM, said:

I haven't tested it, but I did see one thing in your code that I'd recommend doing differently.

On line 189 you set os.pullEvent = os.pullEventRaw but you don't backup os.pullEvent or restore it when the script is done. This will disable CTRL-T for everything on that computer until a restart (which will run your login and disable CTRL-T again).

I'd recommend doing the following. On line 189 backup os.pullEvent before pointing it os.pullEventRaw...

local oldPullEvent = os.pullEvent
os.pullEvent = os.pullEventRaw

Then at the end of your code, restore os.pullEvent so the computer operates as expected...

os.pullEvent = oldPullEvent

Oh, sorry. I seem to have forgotten the fact that the os.pullEvent is global. Silly me, fixed. Restarting the computer will apply the patch.

Also, not to be rude or anything, but you do not have to provide a method to restore it. I can figure things out on my own.

P.S. You did not offend me, what I have written may suggest you have.

Edited by LoganDark, 09 December 2015 - 05:32 AM.

[LoganDark]

Next time, try to explain to me how to use the algorithm. I'm not good at figuring things out unless you point out that I need to.

Edited by LoganDark, 01 February 2016 - 06:16 PM.

[LoganDark]

Post removed

Edited by LoganDark, 01 February 2016 - 06:15 PM.

[Creator]

If I were you, I'd interpret it as "Make your lock worthy of being used by the community." Don't take it as an insult.

[Anavrins]

LoganDark, on 13 December 2015 - 10:38 PM, said:

Anavrins, on 08 December 2015 - 04:20 AM, said:

... in hope to enlighten potential users looking for a good password lock ...

So you're saying users should detour from my password lock and find another one that's "better"?

That's you saying I'm bad and I should quit.

You offended me deeply...

I'm sorry that you get easily offended by criticism, I wrote a whole paragraph trying to make it as much constructive as possible.
What I mean by that is I wanted to notice users that your code didn't have any protections against termination, despite you stating it did, (it does now, but not in your first version).
Of course nobody is going to want a security system that's bypassable in the simplest of ways.

Edited by Anavrins, 14 December 2015 - 12:48 AM.

[LoganDark]

Sorry, post removed

Edited by LoganDark, 24 December 2015 - 08:11 AM.