some Security Ideas

[blumi40 222]

Hi all.

 

After playing a while with the security thinks of ubot i found a workaround for make my files a bit more secure.

to understand what that means u can download that files here http://content.wuala.com/contents/blumi40/ubotzeugs/the%20Bot.rar?dl=1

 

what it does u have to look by your self and test it by your self because my broken english isnt enougth to explane the system.

 

try it and leave your comments.

Files are for v4 but idea works also for 3.5

 

blumi

[Legend 181]

OK, so this hides a small txt file in a random location on the user's system, and then keeps track of its location in order to run.

 

While this would watermark the bot, anyone can still run it and auto-watermark their version so I fail to see how it would be a security measure... am I missing something?

 

Thanks for the interesting idea... it may be a good starting point for (or element of) a more robust system...

[blumi40 222]

OK, so this hides a small txt file in a random location on the user's system, and then keeps track of its location in order to run.

 

While this would watermark the bot, anyone can still run it and auto-watermark their version so I fail to see how it would be a security measure... am I missing something?

 

Thanks for the interesting idea... it may be a good starting point for (or element of) a more robust system...

 

its depence what your fantasy is playing whit...

as example the folder deep can be mutch deeper than yet also u can place placeholderfiles and filename much more tricky than i did in this example.... i dont wanna bring a complete security suite it was a idea i was use earlyer.

and this example is not for storing files for a long time but it is a possiblety to have a relative safe store for a tmp time thats all

[Bob The Builder 62]

its depence what your fantasy is playing whit...

as example the folder deep can be mutch deeper than yet also u can place placeholderfiles and filename much more tricky than i did in this example.... i dont wanna bring a complete security suite it was a idea i was use earlyer.

and this example is not for storing files for a long time but it is a possiblety to have a relative safe store for a tmp time thats all

 

I couldn't download it as the link is now broken. It if it is as Daune says, just places a file on the system, I don't see how it provides any security.

The easiest way is to log into a remote Wordpress installation to verify a login, and then delete the login if they are no longer a customer. You have to make sure you secure that installation as best you can though. It's not perfect, but it works.

[Legend 181]

I couldn't download it as the link is now broken. It if it is as Daune says, just places a file on the system, I don't see how it provides any security.

The easiest way is to log into a remote Wordpress installation to verify a login, and then delete the login if they are no longer a customer. You have to make sure you secure that installation as best you can though. It's not perfect, but it works.

 

Its a direct download link so you need to copy it and paste it into a browser window to work.

 

I'd like to learn more about this security idea. Would you actually have username and password entry fields in the UI to validate the install?

 

 

[Bob The Builder 62]

 

Its a direct download link so you need to copy it and paste it into a browser window to work.

 

I'd like to learn more about this security idea. Would you actually have username and password entry fields in the UI to validate the install?

 

You would have the end user fill in username and password and it would confirm they have an active account via a Wordpress install or any other system. Save the info to a file so they only need to do it once. It would be nicer with pop ups but not supported.

[Legend 181]

Thanks Bob, I'm definitely gonna try this out... http://ubotstudio.com/forum/public/style_emoticons/default/smile.gif

[blumi40 222]

I couldn't download it as the link is now broken. It if it is as Daune says, just places a file on the system, I don't see how it provides any security.

The easiest way is to log into a remote Wordpress installation to verify a login, and then delete the login if they are no longer a customer. You have to make sure you secure that installation as best you can though. It's not perfect, but it works.

 

No Bob!

A remote Login is as long good as long a user dont sniff socket

and if it is a wordpress the user knows also which formfields are calling

to fake that is realy easy

for example:

im a reg user of your bot whit a sniffer i scrape your postdata and the adress

after that i go to my c:\win\sys32\driver\hots and edit the dns adresse i scrape to my localapachewordpress

(127.0.0.1 bobswordpress.com)

For sure u need skill for doing that the same u need to find security files on the foldertrap.

Again the Foldertrap Example is for store tmp files and not for store login or reg infos

 

i try to bring next time couple of examples for use that maybe it clears the idea behind

[Bob The Builder 62]

 

No Bob!

A remote Login is as long good as long a user dont sniff socket

and if it is a wordpress the user knows also which formfields are calling

to fake that is realy easy

for example:

im a reg user of your bot whit a sniffer i scrape your postdata and the adress

after that i go to my c:\win\sys32\driver\hots and edit the dns adresse i scrape to my localapachewordpress

(127.0.0.1 bobswordpress.com)

For sure u need skill for doing that the same u need to find security files on the foldertrap.

Again the Foldertrap Example is for store tmp files and not for store login or reg infos

 

i try to bring next time couple of examples for use that maybe it clears the idea behind

there are ways around that using unique IDs and hidden data.

[LoWrIdErTJ - BotGuru 904]

Honestly we all pretty much understand the host file thing. But do we really need it in this site? I think it best to remove the posts regarding it so that it is not shared to those that dont know about it.

[blumi40 222]

there are ways around that using unique IDs and hidden data.

 

Bob if it is, like you say...

bring that secure idea to microsoft apple novell and deal whos pay the most for.

sorry for that smugly replay but to send and replay data from local to remote there are no 100% secure methode even see the newes storys about sslhacking.

If someone want to hack a application, he will find a way to do that we all know.

 

The only way to secure your bots is run it on a serversystem and let the user give only a htmlinterface where he can delegate the job and get the result that also got the goal that i dont must present the user a software which brandet with "Powert by you + uBot Studio" or "uBot compiled Bot"

 

:D

[Bob The Builder 62]

Bob if it is, like you say...

bring that secure idea to microsoft apple novell and deal whos pay the most for.

sorry for that smugly replay but to send and replay data from local to remote there are no 100% secure methode even see the newes storys about sslhacking.

If someone want to hack a application, he will find a way to do that we all know.

 

The only way to secure your bots is run it on a serversystem and let the user give only a htmlinterface where he can delegate the job and get the result that also got the goal that i dont must present the user a software which brandet with "Powert by you + uBot Studio" or "uBot compiled Bot"

 

:D

 

It is kind of hard to understand your posts due to the broken English, but I will give it a go.

 

It can be done, is it 100% sure, no, nothing really is. I can guarantee though SSL hijacking is not in the skill set of 99.9999999999% of my customers and most likely yours as well. I'd say 100%, but there may just be one every 5M customers that has the skill.

 

Let me put this simply.

 

I distribute a bot with no protection, it will be on mediafire in 10 minutes.'

I add protection, one that is relatively hard to break for 99.99% of the population, it won't likely show up on media fire. If it does, it will likely only be used by a small few, rather than a large majority.

 

That being said, I have no clue how you believe your method is going to provide any level of protection.

 

Using your theory, everyone should just rob a bank. Sure there are police and security, but it CAN BE DONE.

[blumi40 222]

It is kind of hard to understand your posts due to the broken English, but I will give it a go.

 

It can be done, is it 100% sure, no, nothing really is. I can guarantee though SSL hijacking is not in the skill set of 99.9999999999% of my customers and most likely yours as well. I'd say 100%, but there may just be one every 5M customers that has the skill.

 

Let me put this simply.

 

I distribute a bot with no protection, it will be on mediafire in 10 minutes.'

I add protection, one that is relatively hard to break for 99.99% of the population, it won't likely show up on media fire. If it does, it will likely only be used by a small few, rather than a large majority.

 

That being said, I have no clue how you believe your method is going to provide any level of protection.

 

Using your theory, everyone should just rob a bank. Sure there are police and security, but it CAN BE DONE.

 

yes my english is broken sorry for

[Legend 181]

It can be done, is it 100% sure, no, nothing really is. I can guarantee though SSL hijacking is not in the skill set of 99.9999999999% of my customers and most likely yours as well.

 

This is quite true, and those with the ability to sniff sockets can probably write (or steal) better code than mine anyway, so the old adage that "an ounce of prevention is worth a pound of cure" certainly makes it a worthwhile solution...

 

 

 

[blumi40 222]

This is quite true, and those with the ability to sniff sockets can probably write (or steal) better code than mine anyway, so the old adage that "an ounce of prevention is worth a pound of cure" certainly makes it a worthwhile solution...

 

rofl ~ means your code is so bad, noone would steel it :D

[Legend 181]

rofl ~ means your code is so bad, noone would steel it :D

 

exactly! http://ubotstudio.com/forum/public/style_emoticons/default/laugh.gif

[blumi40 222]

It can be done, is it 100% sure, no, nothing really is. I can guarantee though SSL hijacking is not in the skill set of 99.9999999999% of my customers and most likely yours as well. I'd say 100%, but there may just be one every 5M customers that has the skill.

 

Bob its not the User who cracks Programs, its not the User who bring that to the warezscene.

And think about some Argument.

Bots are doing for automate Thinks. Example: We all knows what it means to use free Proxys and many of use provide Bots who got the proxyrun Routine in it.

People who use that Kind of Bots, knows also the Rulez inet is working. If we all here knows a new Technik to do tricky thinks on a better Way ~ we do ! And for many of us it is doesnt matter if the new methode works in the grey Market.

Also most of Costumers are dont care of it if it is not kriminal there use it.

And u realy belive that People who works in that GreyMarket Area dont know the rigt Source to analyze Codes Programs etc? im not sure !

I'm belive in u if u telling us u didnt got any Problems about that for Years. Maybe your Bots are to special for the masses.

 

Anyway ~ the foldertrap is only a idea for the forumfolks who got ideas to pimp that up. If u dont understand the idea behind...for sure it makes no sence for u to use it.

 

blumi

[Bob The Builder 62]

This all sounds very... Ok?

 

I will post mine in another thread when it's completed..

 

1.) User enters PayPal transaction ID in Tools->Licensing

2.) Bot uses RegEx to encode transaction ID...

1={sdf|43d|SD3|mb9}

2={856|dd2|95b|d8w}

etc..

 

3.) Bot uses Shell to gather the hardware ID for the computer

(cmd, ipconfig/all, $find regex(?<=physical address.+:\s))

 

4.) Bot encodes physical address into the same RegEx code.

5.) Bot writes #TransactionID & #PhysADD to new text file. %APP%\license.txt

 

On program start...

 

1.) Bot checks for the existence of license.txt, if it exists, it decodes the RegEx.

2.) The bot decodes the RegEx. Returning the Transaction ID and Physical Address.

3.) The bot checks for the existence of a matching code at my website. site.com/license.txt?ref=TRANSID

4.) The bot gathers the physical address again and makes sure it matches the one in the file.

 

Best part is... Neither code matches, the codes are basically spintax. So the one in the license.txt doesn't even exist on my website.. If they did find the file with all the codes, they couldn't CTRL-F their code. If they share with a friend, the address won't match. Plus, I'll see their transaction ID requesting license information from multiple IP addresses.

 

If any of these conditions are untrue... Set loop limit to 5 and navigate,salespage,wait.

 

I created one a bot that downloads from a specific location a tool I wrote in C# to get the hard drive serial number and motherboard serial number, then deletes the file. I ended up getting Protect Gold, but it really isn't polished and I don't like how you have to make so many copies of everything.