Password Locket

Pages: 1234

@helios:
Now we already know the algorithm you used and anyone can perform their cryptanalysis if they want to ...

And what happens when your crypanalysis lead you to same place those secure ones like Blow Fish do.

@dhayden:
For all I know, your app harvests my passwords and sells them.


Even if we could reverse the algorithm of PwdLocket's encryption (which we cannot), the fact that it is a desktop/laptop application and not a cloud based app implies that we have no access to its data unless we were to break into someones house physically to gain access to their computer (which would actually still be useless to us as we cannot reverse the algorithm ourselves to recover passwords ...) or to transmit the data to a remote location.
To ensure that we are not doing this you could easily enough yourself use an application like wireshark or zone alert to verify that no network comms is taking place from PwdLocket ever.
To this end then I will ensure all who use Password Locket that you are 100% safe from us having access to your passwords and simply put we have no such interest.
Our only goal with creating it was to have a utility that helps ourselves to remember our passwords in a secure manner and wished to share it with others so that they too can benefit from it and on the chance they do find it helpful hen hopefully we get the recognition for it (which isn't an evil thing).
And what happens when your crypanalysis lead you to same place those secure ones like Blow Fish do.

What happens when a child on a bike starts riding so fast that he reaches 80MPH and takes it to the freeway? Yes, a silly question right?


Even if we could reverse the algorithm of PwdLocket's encryption (which we cannot)

Again, just because YOU can't doesn't mean no one can. I once tied a knot I couldn't undue, but behold a friend came in with magic fingers.
Ang wrote:
Even if we could reverse the algorithm of PwdLocket's encryption (which we cannot)
Uh, "reversing the algorithm" is called decryption. And don't you have to do that within the application to display or use the passwords??
@dhayden: Uh - this reverse I'm speaking about is reverse to recover lost passwords without the recovery key ...
@zapshe:
What happens when a child on a bike starts riding so fast that he reaches 80MPH and takes it to the freeway? Yes, a silly question right?


Not a silly question in this context where helios assumed that my developer an/or his collaborators are not experienced in the field on encryption and app security.

Due to that misconception, he claimed that if he applies crypanalysis he would be able to crack it. My question therefore is valid as I see him standing with a mouth full of teeth when he finally realizes that Password Locket is as secure as it would have been if one used an algorithm like Blowfish.


Not a silly question in this context where helios assumed that my developer an/or his collaborators are not experienced in the field on encryption and app security.

Difference between experienced and knowledgeable. I'm not experienced in warfare, but I don't need to be to know that it's horrific and can be a slaughter house.



Due to that misconception, he claimed that if he applies cryptanalysis he would be able to crack it. My question therefore is valid as I see him standing with a mouth full of teeth when he finally realizes that Password Locket is as secure as it would have been if one used an algorithm like Blowfish.

I could write in a few minutes a better encryption algorithm that I myself and you wouldn't be able to break. That doesn't mean it's good or unbreakable. Let's say that we spend the time to actually break your stupid algorithm, you're being arrogant and condescending, so the incentive isn't there. Even if we shove it in your face, you're the only one that would benefit from that.


https://www.schneier.com/blog/about/contact.html - Maybe try to reach out to some crypto experts and.. I don't know... HIRE THEM?


Go to crypto.stackexchange.com with your algorithm.


Also recommend you read this:

https://crypto.stackexchange.com/questions/43272/why-is-writing-your-own-encryption-discouraged


I really like what was said in there:

Schneier stated:

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.


Also:

The comment about indistinguishability under different attack models is one reason why most "decipher this message crypto challenges" are completely bunk. They often simply give an attacker some ciphertext, ask them to decipher it, and declare victory when nobody produces the plaintext after some amount of time. Unfortunately that's not how crypto works in the real world; attackers have many more tricks up their sleeve in practice. They can trick computers into encrypting data of their choosing, they can trick computers into decrypting data of their choosing, and they can usually even do these things thousands, millions, or billions of times.


We are programmers doing what we do for work or fun. Most people here may not be experienced in encryption, but the fundamental understanding of it IS understood. Not only is your algorithm so weak that we found it would be possible to break it ourselves, but MUCH STRONGER encryptions that I wouldn't even know where to begin with can be cracked by someone who knows what they're doing.
Uh - this reverse I'm speaking about is reverse to recover lost passwords without the recovery key


Let's review.

I said "For all I know, your app harvests my passwords and sells them."

You rebutted by saying "Even if we could reverse the algorithm of PwdLocket's encryption (which we cannot) ..."

So you're claiming that my fears of password harvesting are unfounded because you can't reverse the algorithm.

I countered that hollow argument with the obvious: "Uh, 'reversing the algorithm' is called decryption. And don't you have to do that within the application to display or use the passwords??"

To which you responded "this reverse I'm speaking about is reverse to recover lost passwords without the recovery key"

Again, my point is that you might be harvesting passwords. No recovery key is necessary, just the decryption, which you obviously do.

Now you did make one good argument:
Ang wrote:
To ensure that we are not doing this you could easily enough yourself use an application like wireshark or zone alert to verify that no network comms is taking place from PwdLocket ever.


Yes, I could, but it's that "ever" part that concerns me. Maybe your code waits 2 years before sending the passwords back to Russia or the NSA or where ever.

The point is, how can I trust you?

And Helio's disassembly shows that you're using a trivial algorithm.
At this point, Ang is just digging herself into a deeper and deeper hole. Anyone who finds this thread will easily discover the truth — she’s full of poop, and apparently cannot unclench her buttocks enough to let it go.

It is abundantly clear to people who know their stuff that:

  • She is a liar, contradicting herself and changing her story with every post
  • Her understanding of cryptography is woefully incorrect (and, apparently, based on movies)
  • <omitted...>


The funny thing is, she came here asking. Had she said nothing more than “Thank you, we will take using a proven encryption algorithm under advisement” and then done nothing, this thread would not appear as it is: a prominent mark on the worldwide internet against her product and her company. Her own aggressive commentary has instead condemned her and her company to online infamy. Good thing she didn’t try over at SO, they would have torn her to shreds. We were rather kind.


So... yeah, I’m going to leave it at that.
@zapshe:
Even if we shove it in your face, you're the only one that would benefit from that.


How do you figure - that would discredit me and my company completely as cracking it would constitute actual proof instead of just talk.
@Duthomhas:
She is a liar, contradicting herself and changing her story with every post


I don't suppose you care to actually point out what you mean by this, ie list my contradictions please.
@dhayden:
So you're claiming that my fears of password harvesting are unfounded because you can't reverse the algorithm.


Absolutely not, you should take the whole context and you'll realize that I have absolutely no access to this data as it will reside on people personal computers and laptops and not on some cloud based platform where the cloud owners have unlimited access.
@zapshe:
Not only is your algorithm so weak that we found it would be possible to break it ourselves


And once again I say PLEASE PROVE IT BIG MOUTH

and discredit me and my company - go for it.
How do you figure - that would discredit me and my company completely as cracking it would constitute actual proof instead of just talk.

Because you'd walk away realizing your encryption doesn't work and you should use something that's actually good. All we would have done is work to do that for you. Real companies HIRE people to do that, it's called research and development.


And once again I say PLEASE PROVE IT BIG MOUTH

My mouth isn't that big. I once found a banana with the same dimensions as my buddy down there. I tried, but found I likely wouldn't be able to get fun out of most women, I was sadly too big and even my mouth wasn't up to par.


and discredit me and my company - go for it.

You did that for yourself. Any reputable company would have done at least 5 minutes of research before this stupidity unfolded, yet here you are.



EDIT:

Also completely dismissed my link talking about making your own encryption algorithm. Typical.
Last edited on
Hey, zapshe, I think you are getting too emotionally involved here. Ang is a liar, and anyone who bothers to read this thread knows it.

Re: “And once again I say PLEASE PROVE IT BIG MOUTH”

This is pure baiting. Don’t let her get you upset or result to crude remarks — you only lower yourself to her level.

She thinks by continually repeating her desired version things that it somehow changes reality.

The reality is that within three days of posting a link to her application, helios recovered the algorithm, which was immediately recognizable as garbage and many of us instantly listed basic methods to crack it. (Whether or not we are up to implementing the methods in a week’s notice is irrelevant, it should be instructive that we knew enough to recognize the error and immediately list methods to exploit it.)

It does not matter that she refuses to accept any of this. It does not matter how many times she claims that the algorithm was not cracked (by claiming that cracking it is equivalent to someone spending time writing code to do it). It does not matter how many times she tries to twist our own words to mean something we did not say. It does not matter how many times she claims we don’t understand basic context. It doesn’t matter how many paragraphs she writes in rebuttal to what she calls “just talk” and “lip service”, or whether or not she is aware of the very hypocrisy in her own position.

Reality does not change no matter what she says.

Therefore, it does not matter how many times we offer her solid, correct advice to pay a professional for professional assessment, or if we link her to basic cryptographic knowledge written by actual crypto professionals, or link back to contradictions she has made in this very thread. She will roll on regardless.

tl;dr
Don’t let other people wind you up with their stupidity — don’t give other people control of your own emotions.

It is fine to enjoy the stupid for what it is, but don’t let her stupid infect you. She has to live with it. You don’t.
Don’t let other people wind you up with their stupidity — don’t give other people control of your own emotions.

Thanks Duthomhas. I was worked up over some things. Today has been me just running into stupid arguments one after another. They're just so convinced and smug with their stupidity it pisses me off.

I use to be more apathetic about these things, but it's something I'll have to relearn or learn to live without.

Thanks again, always appreciated.
No problem. We all need to be reminded every now and again, myself included.
So it's been a long time since I've posted here, and I'm well aware that this is a circus thread containing an undead horse. However... I found a couple of things that might be of interest.

First. has anyone had a look at the readme bundled with this program?

//
//
// Password Locket Information
//
//
//////////////////////////////////////////////////////////////////////



IMPORTANT: On initial startup of the application the password required
will be the default which is: 'password'. This password
should be changed in order to ensure that the data protected
by the utility is secure.

After the main password (the password required for opening
the utility) has been changed, a file called 'PwdRecovery.key'
will be created. This file should be stored in a safe location
and only used in the event of recovering the main password.

Due to the data encryption techniques employed in this application
being very strong and therefore virtually unbreakable (or at least
not easily so), your password recovery key file will be your only
means of recovering your main password if forgotten. Ensure therefore
that you have this file backed up safely as not even we (ShanKoDev),
the owners of the encryption algorithms employed in this app will be
able to recover this for ourselves or anyone else.



CREATOR: <REDACTED>

COMPANY: ShanKoDev IT Systems


PURPOSE: A windows based application capable of running on very old
windows versions (Windows 98) to the latest (Windows 10+).
Its purpose is to allow for storing and retrieval of passwords
for other logon details in a secure manner.

Creator name redaction is mine. He doesn't seem terribly interested in associating with ShanKoDev, as when I went to his LinkedIn page, the company wasn't listed under past or present employers on the public parts of his profile. I'm fairly sure it's the same guy, since his page states he worked on the third project that's featured on the ShanKoSite.

To me, however, this is less interesting than the installer. I didn't run it, because I've yet to set up a Windows VM on my current machine, but I did point a number of archive extractors at it to see if any of them work.

As it turns out, there's a gzip archive embedded in that installer. Additionally, when you open the installer in a hex editor, you can find a copyright notice that looks like this:
Copyright (C) 1992-1993 Jean-loup Gailly
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.


I'm guessing this installer isn't quite free software (EDIT: as defined by the GPL's rules for derivative works), is it?

-Albatross
Last edited on
Welcome back, Awesome Person!

Understanding your analysis requires using brain cells a lot of people don’t seem to possess, and I suspect it will go over a lot of heads, but nice!

Anyway, hope you continue to show up from time to time. :O)
Thank you!

Sorry about that @ difficult-to-understand analysis. It was 1 AM when I wrote that post, and as IANAL I wanted to avoid making any claims about the legality of what they did. I'm also not sure what the copyright laws are like in South Africa (as per the ShanKoMailingAddress on their site). That said, I'm not sure how they'll meaningfully dispute it now that I actually pointed a decompiler at the installer and had a poke around. So here goes.

In short, for those who aren't aware of why what I found could be a problem, here it is: the ShanKoInstaller for the password locket is probably violating the license of a piece of software that it uses.

First off, I've reason to believe that large parts of gzip (which is licensed under the GNU General Public License) has been embedded into and used by the executable installer for password locket. Per the GNU GPL, that makes the installer a derived work. We'll get to the implications of that in a second, but first, an explanation of why I believe this.

Without even decompiling the installer, you can easily find the full license message from an ancient version of gzip (likely pre-2002) embedded in the program, just by opening the executable in a text editor that won't start crying when you try to open a binary file with it. A proper hex editor/viewer, of course, works too.

If you decompile the installer, then you can spot more of gzip's code than just some text that's also in gzip. An example? The do_list function ( https://github.com/att/uwin/blob/97a643a3c6678d4e648aea50b208ab70ae664782/src/cmd/gzip/gzip.c#L1326 ), although pretty thoroughly transformed by the compiler and decompiler, is easy to find and still recognizable. The printfs help give it away, and give context to the surrounding structure.

Side note, I'm not sure why they felt the need to use the gzip program in particular. One, there are numerous decompression libraries that are more permissively licensed, including ones that implement the same algorithm as gzip. Two, the original code that does the actual decompression in gzip is actually in the public domain. If they'd only used that, there wouldn't be a problem. But no, they've gone and went and used more, and were clumsy while doing it.

Now, the GPL requires a few things of derived works if you publicly distribute them (reminder: this is an installer that anyone is free to download), one of which is that the program's source code is made readily available to anyone who has a copy of the program. In the USA (and I imagine many other countries), the GPL is a legally-binding contract, which you could be sued for breaching.

So here's the question: where can I get a copy of the installer's source code? I'm pretty sure it's not bundled with the installer, and I couldn't find links anywhere on shankodev.com. Did the installer give instructions on how to get a copy of its source? I didn't see those instructions while sifting through the program. If they don't exist, then... well, ShanKoDev breached the GPL.

I know this is a fairly petty thing for me to draw attention to, but Ang here has been responding to claims of wrongdoing by saying "we didn't do anything wrong because you didn't prove that we did". So... here you go. Something wrong that the ShanKoPeople probably did that's fairly trivial to prove, at least compared to encryption security.

-Albatross

P.S: Why did I link a mirror of AT&T uwin when displaying the source? Well, I can't get the feeling out of my head that's where they would have gotten their copy of gzip from. I've no real proof for this. That said, it does also show the correct license message in case the ShanKoDefendant decides to argue about it.

EDIT: Clarification.
Last edited on
Pages: 1234