Silk Road forums

Discussion => Security => Topic started by: kmfkewm on February 20, 2013, 02:18 pm

Title: kmfkewm's helpful advice regarding using programs from people on SR
Post by: kmfkewm on February 20, 2013, 02:18 pm
1. If it is not open source don't touch it

2. Compile it yourself; if they provide binaries only, don't touch them.

3. Wait for people who know the language it is in to go over the code and verify it. Multiple people. Preferably people with high post counts or good reputations.

4. If their code requires that you use external programs or libraries, only use them if you independently download them, not if they are bundled together.

5. Download any potentially required additional software anonymously through Tor, from the official source only.

6. Make sure that any required additional software is open source and well known, not some shit thrown together by the person offering the original program but presented as separate.

7. The code must be posted publicly and available to everyone for auditing purposes. Sorry, no selling closed source programs here, it isn't secure. Sorry, no restricted access to code here, everyone needs to be able to see it to help the community determine if it is safe.

8. Avoid buying preconfigured USB devices or electronics here. There are legitimate open source options like Liberte and Tails. Use those, they are free!

In general you should avoid using programs created by people on silk road. There could be some valid exceptions! If you don't violate any of the stated rules here, and someone offers something really nice and useful, you should be pretty safe. If any of the above rules are violated, don't touch that shit.
Title: Re: kmfkewm's helpful advice regarding using programs from people on SR
Post by: kmfkewm on February 20, 2013, 02:24 pm
People posting code here:

1. Post all of your code in your original post (posts if it is too big) announcing your program. Sign and timestamp the code. Don't edit your posts in the future; they should not have an edited mark on them.

2. Don't try to bundle other software with yours. If other libraries or programs are required, specify this. People can go and find them and download them themselves.

People auditing code here:

1. Post the sha512 hash of the signed timestamped code you audited.

2. Describe how thoroughly you audited the code and your level of expertise in auditing code.

People using programs from here:

1. Make sure you compile from the source, as I said before.

2. After seeing enough people have audited the code to feel safe, SHA-512 sum the available code to make sure that it is the same thing that has been audited.

Potential updates to the program should be posted and signed and audited as well, preferably released as patches to the current code base.
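The hash check described in the two posts above (auditors post the SHA-512 of what they read, users hash what they hold before compiling and only trust auditors whose hash matches), as an added example that is not part of this thread or anyone's posted program. It assumes the code was saved as a small source tree; the sample files, auditor names and hashes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha512_of_tree(root):
    """Canonical SHA-512 over a source tree: regular files in sorted
    relative-path order, each path and file body length-prefixed, so that a
    rename, a reordering or a single appended byte all change the digest.
    (Assumed layout; a single pasted file can just be hashed directly.)"""
    h = hashlib.sha512()
    root = Path(root)
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        rel = p.relative_to(root).as_posix().encode()
        data = p.read_bytes()
        h.update(len(rel).to_bytes(4, "big") + rel)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def compare_with_audits(actual, audits):
    """audits: list of (auditor, hash_they_posted).
    Returns (agreeing, disagreeing). Only the agreeing auditors looked at
    the bytes you are about to compile; the others audited something else."""
    agreeing = [a for a, h in audits if h.lower() == actual.lower()]
    disagreeing = [a for a, h in audits if h.lower() != actual.lower()]
    return agreeing, disagreeing


def make_sample_tree(extra_newline=False):
    """Constructed sample: a two-file 'program' as it might be saved from a
    post. extra_newline simulates a copy that differs by one trailing byte."""
    d = Path(tempfile.mkdtemp())
    (d / "main.py").write_text("print('hello')\n" + ("\n" if extra_newline else ""))
    (d / "lib").mkdir()
    (d / "lib" / "util.py").write_text("def f():\n    return 1\n")
    return d


if __name__ == "__main__":
    audited = sha512_of_tree(make_sample_tree())
    mine = sha512_of_tree(make_sample_tree(extra_newline=True))
    # constructed audit posts: two hashed the original, one posted garbage
    audits = [("auditorA", audited), ("auditorB", audited), ("auditorC", "0" * 128)]
    print("my copy:", mine)
    print("agree / disagree:", compare_with_audits(mine, audits))
```

With the one-byte difference above, nobody agrees with the hash of the user's copy, which is the signal to stop and fetch the exact signed, timestamped code rather than compile it.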