Password Locket

Pages: 1234
Fix the problem, make money, be happy. 
And be grateful that a small group of strangers on the internet cared enough honestly answer your request for advice.


Now, to address your concerns.

Ang wrote:
With all due respect, wasn't ssl encryption cracked/violated thereby the invention of tls.
And wasn't ssl designed and tested by these experts you refer to?
Seems to me like there stll exist room for improvement.regarless of who create it.

Apples to Oranges. This either highlights your lack of knowledge or you are being disingenuous. It is equivalent to saying:

Weren’t flintlock muskets found to be problematic, therefore necessitating the invention of modern firearms?
Wasn’t a musket created by your supposed firearms experts?
Seems to me like these experts are no better off than me.


In reality, improvements over time demonstrate that the security experts are doing their job: they actively seek, find, and fix problems with every bit of new knowledge they gain.

And it demonstrates a critical error in your own thinking: a security experts mistakes != your mistakes. They aren’t even in the same class.


Ang wrote:
Maybe it will be better to stop judging this app's merits based on your assumption of our lack of abilities in this field.

No. There is no assumption here.

A single developer (or two or three), unknown in the cryptographic world, unwilling to submit their algorthm for peer review (and get bragging rights) — but claiming that the encryption cannot be broken by those same experts — that’s absurd on the face of it. I don’t have to prove it to you. Anyone who knows anything about crypto can tell you the same.

Ang wrote:
Nor me or my developer claimed to be better than 100's of the worlds best experts in this field. You are the one making these insinuations and

You make those very claims right here in this very thread:

http://www.cplusplus.com/forum/lounge/253017/#msg1113084 wrote
@salem c: thank you for the response. My developer has not seen this particular article but is aware of the various encryption techniques and pitfalls discussed therein and thus claims that he has guarded against all of them.

On this basis he claims his own inability to crack this algorithm due to all pitfalls being avoided.

He also claims that he is aware of a variety of reverse engineering techniques and asserts that he has taken extensive steps to guard against it.

He therefore claims that reverse engineering of this app would be near impossible and would appreciate verification on that as well.

If it then can be confirmed that this app was not effectively reverse engineered and/or cracked then we will be able to claim that it is secure relative to the conditions imposed.

We can then reveal the source code and further test its security as well as have the anti reverse engineering components scrutinzed and perhaps improved upon.



Ang wrote:
Thank you though for being honest with me by letting me know that you don't have the skills to crack this app and most likely don't believe any of the other members on this site are capable as well.

I said that of myself and by way of opinion. This site is a general C++ forum. Not a cryptograpy and security forum.
Do I really need to explain this?

Ang wrote:
To be honest, after I received my first rude, condesending responses from this site, I was personally convinced that none
of you here are capable in this field to the level we are contemplating.

Only one member was rude, and I immediately complained in your favor.

Both before and after that everyone here has been absolutely professional, straightforward, and honest — exactly what you can expect from programming experts (both professionals and hobbyists). What you call condescending is our telling you, in no uncertain terms, that your encryption algorithm is crap. You asked. You got the answer. Repeatedly. Now you are crying foul over it.


Ang wrote:
Strangley enough though after claiming your inabilty in this field and that coupled with your claim that nobody will spend the time to do this for us for free, you guys still ended up spending time on an old algorithm that isn't allowing you to crack this app (otherwise you woul have been raving about it by now already).

You have just made our point for us.

You come here, a site that has nothing to do with cryptoanalysis, and we say “we aren’t experts in crypto, and are unlikely to spend time on it, but this is what we do know.”

And then we break your algorithm anyway. In less than three days.

Now you lie. You claim we didn’t break it, even though there is an entire thread on it. You claim that we are full of BS because we “[spent] time on an old algorithm”.

Where do you think that came from? It came straight from your application’s executable. The one what was available a week ago. Old? BS. This is the first thing any cracker will do to break your algorithm.


Ang wrote:
So just to be clear, your great dicovery / analysis did not allow you to crack this app and most likely wont help you even if you spend 1000s of years trying to crack it..

You lie again.

Not only did we recover your algorithm, we exposed all of its weaknesses, and listed multiple methods for breaking it. And, notably, its weaknesses are very basic, don’t-do-this-crypto-101 newbie problems.

No one wants to spend much time on breaking it because it is pathetic, and we have other things we would rather spend our time on. Maybe in a month or two one of us will play with it enough to actually write code that does it, but you won’t care. You have already decided that your crypto is too good because non-experts haven’t put a few days into writing code to prove the obvious failures in your algorithm.


Ang wrote:
Please also stop assuming things about us.

Repeat yourself all you want. We have not made any assumption. We have shown you, very clearly, that your app's encryption is garbage.

If you want to know something, then just ask me directly and thereby avoid all these assumptions which make for bad conversation.

You lie. The very first response in this thread directly asked you for the most important piece of information:
salem c wrote:
Just post the git repo we can download the source from.

You refused.


Ang wrote:
Unfortunately though I did not come here for anyones permission or approval to release/launch/promote this app.

WTF? Who said you need our permission or approval for anything?
You asked us our opinion.
We gave it.
And now you are angry.

You might want to reflect on why you are so upset about it.


Angie wrote:
Btw in case it was not clear, I am a woman and not a man.

I don’t see how your gender has any bearing on this conversation at all.

[edit] Fixed BBCode typo
Last edited on
tl;dr
Ang wrote:
We would therefore appreciate it if anyone on this site could help us verify the encryption level security of it. Typically the movies show there exist people with abilities that can crack virtually any encryption. Somehow I believe that is science fiction but would like to see if there is any element of truth in it. Currently the developer who created it claims that he self will not be able to recover a lost password even with having all the algorithm at his disposal. We therefore believe this app is secure but this could be due to our own abilities being inadequate at solving this but would appreciate someone on this site (or refer us to someone who has) could show us otherwise.


Here you go:

  • Level of security 
    Almost none; the encryption can be broken by very basic methods.

  • [...stuff about movies...
    Movies are fantasy. I do hope they aren’t all you know about how encryption works.

  • The developer can’t break it 
    That means nothing. Crypto experts can break it. Non-crypto experts did break it.

  • We believe...; show us otherwise 
    Done. But you reject the proof.

  • Could be due to our own abilities being inadequate 
    Your own abilites are inadequate.

You want to be taken seriously?
Then stop being stupid. Fix your program. Advertise the fact.

Or let your pride ruin your business.
I was personally convinced that none of you here are capable in this field to the level we are contemplating.

Understand that programming is a language. You can speak English, but that doesn't mean you can walk into a room full of scientists and understand their lingo. Just because we know C++, doesn't mean we could code for hospital hardware - a lot of us wouldn't know the medical side of things.

The issue here is that no one here to my knowledge is a crypto expert - that's not our jobs, yet I don't doubt that they could crack your software if they really tried and had the patience for it.

So just to be clear, your great dicovery / analysis did not allow you to crack this app and most likely wont help you even if you spend 1000s of years trying to crack it..

The point of the discovery was that your software is crackable, and likely would be easy for someone who has spent years studying how to crack encryptions. Since most of us, I'd assume, haven't even tried to crack encryptions before, there's a bit of a learning curve as an employer would say. If it takes us weeks or months to crack it, it would say nothing about how long it would take someone who actually knows what they're doing and wants to break it.


Everyone's argument here is for your own benefit in that these other encryptions haven't been broken yet. Why do you want to use an in-house encryption method? For advertising purposes?


I am a woman and not a man.

Not that it matters. I doubt there would have been a difference in treatment. We don't discriminate. If I was a turtle that could be on this forum and code C++, I'd get the same treatment. But, since I'm a good looking turtle, maybe I do get special treatment <3


EDIT: BTW, your installer set off Windows Defender AND Malwarebytes. I trust it I suppose, but good for you to know if you intend to launch the product.
Last edited on
On the Internet, nobody knows you're a dog.
On the Internet, nobody knows you're a dog.

OP might misread that. Translation:

Everyone on the internet tries looks competent and cool.
IRL, not so much.

[edit]
Added tries.
Last edited on
Also,
http://www.cplusplus.com/forum/lounge/249621/2/#msg1100300 wrote
    I  HAZ
  
    /' _
  (°.o /
   |  `.
   || ( `.
   cc C_,)~~  
   
   COMPILER


I was going to reference another thread, but one of the first responses is unsavory language for this particular context, so...

I have given you enough clues to find it, though. “and you cannot prove otherwise.”
Last edited on
Actually, the translation is "on the Internet nobody judges you for what you are, only for what you say and do".

If you're a dog but act like a human, nobody will know.
If you're a woman and don't want to be treated differently for it, just don't say your sex and nobody will know.
If you publish a great encryption algorithm, nobody will know that you wrote in your gimp suit.
If you publish a lame encryption algorithm and act like you've turned water into gasoline, everyone will know you're a twit.
Last edited on
From what I'm now seeing the person who was being "disrespectful," and was scolded for it, seems to have been ahead of the curve.
Btw - off topic - Helios, what did you use to disassemble to program?
Ghidra and IDA.
Ghidra's decompiler is in some aspects better than IDA's, but this time it threw up when it encountered the floating point operations, so I had to fill the gaps by looking at the disassembly in IDA. Ghidra has a disassembly view, but it only shows the code in the order it appears in the binary; IDA builds a flowchart that lets you follow the jumps more easily.

By the way, finding the encryption function was super easy. There was a DLL called SomethingSomethingCrypt.dll that exported "SomeClass::Encrypt(const char *,const char *, int)" (C++ symbols encode their signature into their mangled name).
in light of the above, this passage is particularly funny
Ang wrote:
he is aware of a variety of reverse engineering techniques and asserts that he has taken extensive steps to guard against it.
I think this entire thread has been a surreal yet amusing bit of diversion.
Thanks for the info Helios !

EDIT: IDA's flowchart is nice, but I don't think I'll like my assembly CS class! But it'll be good to learn.
Last edited on
Eh. You get used to it. Normal x86 code is mostly ALU instructions. It only gets annoying when you get to weird CISC instructions like REP STO*, or floating point operations.

Fun fact #1: In x86, MOV, XOR, and a few other instructions, are Turing-complete.
https://github.com/xoreaxeaxeax/movfuscator
https://github.com/xoreaxeaxeax/movfuscator/tree/master/post

Fun fact #2: An x86 instruction can be arbitrarily long:
https://web.archive.org/web/20131109063453/https://www.onlinedisassembler.com/blog/?p=23
Last edited on
@Duthomhas:
• Use an algorithm already broken by non-experts
.

SHOW ME PROOF

If you are referring to helios failed attempt then you appear to be on a completely different page then what he is on.

According to his own words he claims he will be able to do so if he goes at it for 2 weeks.
This definitely isn't the same as claiming that it was already cracked.

Otherwise if it was cracked by another of the non experts on this site then please show me where this is - I either missed that post or its been done in a different thread to this one which would be stupid - why not just post it here where it is relevant.

If all you can however provide is lip service instead of actual evidence, then anyone can also claim that TwoFish and AES-256 have been broken by us without providing any evidence at all.

Btw, we also don't believe helios claims that he will be able to crack this app in 2 weeks. And we will unfortunately not be paying you or anyone else for attempting or pretending to attempt to crack this app.
What would happen after you really try your utmost for 2 weeks and find yourself no closer than you were when starting - do we pay you for your non expert attempt that failed and how long more will you continue trying.
Seems like you could be paid indefinetly for the rest of your life if you are never able to crack this app.
Maybe you should crack this app before we pay any money.

@Greywolf: Yes, it is true that I came to this site asking for my software to be reviewed and subsequently also provided parameters concerning the request. Certain members from this site then chose to insult my copany
and my developer on an almost personel level due to them not having the required skills to accommodate the request.

Nowhere in my initial responses or original post did I insult members in this group or this group as a whole. Quite the opposite actually, my approaching this site / forum was a sign of great respect from our side and
instead of treating us with the same respect, you (members of this site) chose to disrespect us by insulting my company, developer and elements of the app that are subjective to personal taste like the way the app looks.

Please note that we did not claim to be front end specialists nor did we claim this apps looks to be great. We therefore deem your "review" in this regard as unfair and don`t believe source code for this app will be treated
with the fairness it should receive. I therefore believe your ability to judge fairly is inhibited by your bias toward the conditions surrounding the Password Locket app and possibly some other causes. In order ascertain
this without debating endlessly in large cyclic argumentative logic why you cannot review this apps security without having its source and why we feel providing source will defeat our application shieling and the real request
we made, we would like to estimate your ability to judge another app we released that should avoid the bias elements associated with the Password Locket app.

The app KtxMnu (stands for Context Menu) installs a submenu to your right click context menu for the windows file system. The items in this submenu can be customized by updating a text based ini file. This app should avoid the areas of bias you displayed when reviewing the Password Locket in that you should have no argument about why you cannot proceed without having the source code, nor should there be any crappy comments about the look, as you have full control through KtxMnu to make your context submenu look exactly how you want it by choosing your own menu items and bitmaps.

Let us see if this can be judge from your side without bias. Personally we feel this app
is brilliant and should really make any beginner programmer look quite good. You can download KtxMnu directly from: http://www.shankoev.com/KtxMnu_files/KtxMnu_Installer.zip.

KtxMnu has its own thread: http://www.cplusplus.com/forum/lounge/256368/

We will also be posting some videos on youtube demonstrating how to install, use and update - however these videos will mainly be useful to beginners.

I think you're a bit confused. The moment to show the source code was before someone else disassembled your binaries. Now we already know the algorithm you used and anyone can perform their cryptanalysis if they want to (which they won't). Why would anyone care to convince you to show them the source code at this point?

Take a hike, bozo.
Nowhere in my initial responses or original post did I insult members in this group or this group as a whole. Quite the opposite actually, my approaching this site / forum was a sign of great respect from our side and
instead of treating us with the same respect, you (members of this site) chose to disrespect us by insulting my company, developer and elements of the app that are subjective to personal taste like the way the app looks.

When you do something and it's your whole life, one can be very critical of it. You chose to ignore advice and say that you know best, which easily ticks people off. And lastly, your application's security is not a matter of opinion.

Maybe you should crack this app before we pay any money.

Make us an offer. How much if we crack your silly algorithm?
Heh, still going, eh?


Ang wrote:
SHOW ME PROOF

No.
LOL

As already pointed out to you — several times — it is incumbent upon you to prove your algorithm. You do this by going through the usual channels of cryptographic experts.

Instead, you want the whole world to take your word for it without this critical litmus.


If you are referring to helios failed attempt then you [Duthomhas] appear to be on a completely different page then what he [helios] is on.

And now you prove yourself a liar. You use leading language to misrepresent our own positions to us.
That’s some pretty solid brass balls.

Helios easily recovered your algorithm, which showed it to be little more than a fancy linear congruential permutation. I am not the only one who immediately recognized it for that and pointed out the ease by which it can be cracked. We even listed methods to do it.

You claim that we are “on a different page” and that “helios failed” because he didn’t bother to actually write code that cracks your algorithm.

Because you are a liar.

Your algorithm is already proven broken, and very obviously so.


Ang wrote:
Otherwise if it was cracked by another of the non experts on this site then please show me where this is - I either missed that post or its been done in a different thread to this one which would be stupid - why not just post it here where it is relevant.

You seem to have missed quite a lot. You came here asking for validation of your program. We informed you we weren’t the right people to ask, but broke your algorithm anyway.

It is you who has become offended and rude. Because we didn’t respond with what you wanted to read. Sucks to be ruled by your pride, doesn’t it?


Ang wrote:
If all you can however provide is lip service instead of actual evidence, then anyone can also claim that TwoFish and AES-256 have been broken by us without providing any evidence at all.

Again, you offer logical fallacy.

Lip service is simply saying what you wish to be true — which is exactly what you are doing: “our algorithm is uncrackable because no one has [bothered to] crack it”.

Evidence is the exact opposite: “here’s the code to your algorithm; it is easily identifiable as a LC*, and can be cracked by at least the following methods...”

You then equate that straightforward logic with a false proposition: “your [claim that forum members didn’t make] can be used to discredit [algorithms that have been proven secure by the process forum members recommended to you]”.

You liar.

Go and vet your algorithm through the standard cryptographer’s channels.
Once you do that, feel free to come back and tell us we are wicked for rejecting your a priori claim about an unbreakable method.


Ang wrote:
Btw, we also don’t believe helios claims that he will be able to crack this app in 2 weeks. And we will unfortunately not be paying you or anyone else for attempting or pretending to attempt to crack this app.

You can believe whatever you want.
Come for advice, refuse to take it, refuse to take the steps to prove your algorithm valid (which includes spending money on experts!)... and claim everyone else is a liar.

You liar.


Certain members from this site then chose to insult my copany
and my developer on an almost personel level due to them not having the required skills to accommodate the request.

Nowhere in my initial responses or original post did I insult members in this group or this group as a whole. Quite the opposite actually, my approaching this site / forum was a sign of great respect from our side and
instead of treating us with the same respect, you (members of this site) chose to disrespect us by insulting my company, developer and elements of the app that are subjective to personal taste like the way the app looks.


I have already refuted this bald claim in this very thread. Only one person made a disparaging remark, and I immediately responded in your favor.

You say you came here as a matter of respect for the forum. Maybe you did, initially. But that respect evaporated the instant we did not all agree that your app is amazing. Instead, you outright rejected our advice, repeatedly claiming that your developer knows better.


We may not be crypto experts, but we are CS experts. Those of us who have responded to this thread have worked for decades in the industry. And we know enough to say that your algorithm is BS.


>>>>> OUR ADVICE REMAINS THE SAME
>>>>> Use a known, proven algorithm like TwoFish or AES,
>>>>> advertise the fact,
>>>>> and make good, safe money.


Ang wrote:
Please note that [a lot of mixed-up crap about looking pretty and judgementalism and BS that goes: if we release our source it is less secure]

You don’t seem to want to accept that that very statement reveals you to be completely and hopelessly clueless about application security.

>>>>> I pity the poor saps that believe your advertising and trust their secrets to your software.


Ang wrote:
... we would like to estimate your ability to judge another app we released that should avoid the bias elements associated with the Password Locket app.

[stuff advertizing another application]

LOL, are you joking?

You aren’t just a liar. You’re a filthy spammer.



Get lost.
The wreckage is > 9000
I've only skimmed this long thread, but I want to point out something that I haven't seen yet. My apologies if it's been mentioned already.

Even if you were using a proven encryption method, I still wouldn't use your app because it really boils down to you saying "give me all your passwords. You can trust me." From my perspective, that's no more trustworthy than some guy on the street saying "hey, give me all your passwords. When you need one, just call me and I'll tell you what it is."

You're a complete stranger to me. Why should I trust you? For all I know, your app harvests my passwords and sells them. Your code isn't available for inspection. Even if it were, I'd want to compile it myself to ensure that the app actually comes from the source code.

The easy part of what you're doing is encryption. The hard part is credibility.
Pages: 1234