all 34 comments

[–]the_avid 11 points12 points  (6 children)

you're running a DNM using Drupal on a Windows server, and you are loading fonts from a clearnet site (google, of all places)

are you intentionally fucking with me to make me believe you are actually doing that or are you really that stupid?

edit or is this a honeypot? please tell me it's a joke or honeypot.

edit no. fucking. way. this really is a windows IIS 5.0 server, running Drupal 7.0 with a bunch of modules installed, loading resources from clearnet urls, being launched as a 'DNM'. I've seen it all now.

edit and just to make it clear for anyone to whom it isn't obvious, sanitarium_market and EXXTASY have the same admin, that is him here in the comments talking to himself using different accounts.

[–]galaxyandspace 1 point2 points  (1 child)

Those resources should be loaded from the main server, right?

[–]the_avid 2 points3 points  (0 children)

yep, or another hidden site.

the way it is now you are essentially giving google your server logs.
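To make the two findings in this thread checkable rather than argued over (off-site resource loads and the server/generator fingerprint), here is an added audit script. It is not code from the thread or from the market; it only uses the Python standard library, and the sample HTML and response headers it runs on are constructed to mirror what the comments describe (a Drupal 7 generator tag, Google-hosted fonts and jQuery, an IIS Server header), not captured from any real site. The hostname example.onion is a placeholder.

```python
"""Audit a hidden-service page for clearnet resource loads and server fingerprints.

Added example (not the thread's or the market's code). Assumes the page was
fetched over its .onion address and that any host not in OWN_HOSTS is clearnet.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make a browser fetch a URL automatically. Every fetch from a
# clearnet host hands that host the visitor's IP (unless torified), a Referer
# with the .onion URL, and a timestamped access log entry.
FETCH_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),          # srcset is ignored here (multi-URL syntax)
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

# Response headers that fingerprint the platform; Drupal 7 also adds X-Generator.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.resources = []   # (tag, attribute, url)
        self.generator = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.generator = attrs.get("content")
        for attr in FETCH_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            if url:
                self.resources.append((tag, attr, url))


def _parse(html):
    p = _Collector()
    p.feed(html)
    return p


def find_generator(html):
    """Content of <meta name="generator">, or None if the page does not emit one."""
    return _parse(html).generator


def find_offsite_resources(html, own_hosts):
    """Resources whose host is outside own_hosts. Relative URLs have no host
    and are local; scheme-less '//host/path' references are handled by urlparse."""
    own = {h.lower() for h in own_hosts}
    offsite = []
    for tag, attr, url in _parse(html).resources:
        host = urlparse(url).hostname
        if host and host.lower() not in own:
            offsite.append((tag, attr, url))
    return offsite


def fingerprint_headers(headers):
    """Lower-cased subset of response headers that reveal the server stack."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {k: lowered[k] for k in FINGERPRINT_HEADERS if k in lowered}


# Constructed sample input (not a real capture), shaped like what the thread describes.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="Drupal 7 (http://drupal.org)" />
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans" />
<link rel="stylesheet" href="/sites/all/themes/market/style.css" />
<script src="/misc/drupal.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js"></script>
</head><body><img src="/logo.png"></body></html>"""

SAMPLE_HEADERS = {
    "Server": "Microsoft-IIS/5.0",
    "X-Powered-By": "ASP.NET",
    "X-Generator": "Drupal 7 (http://drupal.org)",
}

if __name__ == "__main__":
    print("generator :", find_generator(SAMPLE_HTML))
    print("headers   :", fingerprint_headers(SAMPLE_HEADERS))
    for tag, attr, url in find_offsite_resources(SAMPLE_HTML, {"example.onion"}):
        print(f"LEAK <{tag} {attr}> -> {url}")
```

Run it against a page saved from the hidden service (plus the headers from `curl -I` over Tor) and every LEAK line is a third party that now holds a log of your visitors; the fix is the one stated above, serve the resource from the same host or another hidden service, and then strip the Server, X-Powered-By and generator outputs separately.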

[–][deleted] 1 point2 points  (0 children)

You are a legend, Avid. Thanks for all you do for our community. :)

[–]pinkprincess1 0 points1 point  (0 children)

Funny, honeypot was the first thought I had when I first read it...

[–]DarkNetYoda[S] -2 points-1 points  (1 child)

OMG you are soooo smart. And you even have your own clearnet weblog. Wow your nuts are huge! Are you sure that your info is so correct? Can you prove it? Can any of you prove anything that you have said here at all?

There are no google fonts in our server. Honeypot or not, you'll not know, that is its function. In fact this server is specifically for this market and nothing else, just to be sure.

Drupal, so fuckin what. Now that you have exposed our top secret platform, all of the secret drupal ninjas can now hack us! Crap! You have done some serious community donations today. Better than that weirdo that hired the freelancer to build him a website on clearnet.

You blow a lot of smoke mrs avid. Surely you can do better. Let's get some facts. Let's get some instabilities. Let's get some proof that you have all that you need to steal, what? Crap.... what can you steal? You are not going to get passwords. Usernames are not hard as they are already buyers and vendors, no big deal there. Password required is a minimum of 12 and a maximum of (not going to tell you). So fuckin what if we require you to use a minimum standard in your password. It is obvious that no one else does, or at least the ones that have been exposed. You guys with 100 char passwords??? What is the point?? no security expert on Earth is saying 100 is the way to go. But ok, it still works. No problem here, but it does not make you a wizard, in fact it makes you dangerous to the website.

We offer two factor login. It is an option in your user profile. Take it or leave it.

Use whatever email you want or none at all. Who cares. It is not required to purchase in the market but how do you plan to get in contact with your vendor? What's your master plan to tell the vendor where to ship your purchase? We will let you figure that one out.

Vendor requirements! Holy shit. What were we thinking when we decided that vendors need proof of established communications and identity control to help protect you as a buyer. NO FE and forced escrow. Holy shit what assholes! We won't allow you to FE. OMG we are tracking the delivery of your purchase to be sure that all is ok! What were we thinking. WHAT we are not even drug lords! We are not using what we are selling!! At least when we are dealing with your money, we are not too high to enter the correct addresses and send you money elsewhere.

Self destruction! What only in the movies! what idiots. To be clear, no the damn thing ain't going to blow up. We do not want to kill LE if they come, but we do want to protect the data, so yes the data will self destruct. The point here is simply to explain to you the physical security thought of in addition to all of the fancy BS that everyone says about their net security. If you do not want to consider the physical security aspects of a market which is conducting escrow functions and what happens to your main encrypted wallet once the servers are confiscated, then go back to SR. Last I checked, your wallets were confiscated and never returned.

[–]soapyone 1 point2 points  (2 children)

Lose the stupid password requirements. They do not make your site more secure. "Password must not match last 100 passwords." - lol what

[–]pinkprincess1 1 point2 points  (0 children)

Is this a joke?

[–]13tom13 1 point2 points  (4 children)

no one's giving you their email, jog on!

[–]DarkNetYoda[S] 0 points1 point  (3 children)

again, same question to you. We do not want your real email address, but your GPG key in order to establish your identity and link that to a wallet, will be required. This is so you can get your money back and so that someone else can not imitate you and request your funds transferred to them. So what's your bright idea?

[–]13tom13 0 points1 point  (2 children)

my bright idea is to wait and see what market works best security wise and use that. i see i misread what you wrote, soz, i thought u were after actual emails. nobody makes a GPG with a real email anyway

[–]DarkNetYoda[S] 0 points1 point  (1 child)

fair enough. There just needs to be a way for Buyers to identify themselves, to protect their money. Regardless of false email or not, the GPG key must match the registered email. It is the only way to verify an identity when it comes to refunding 1000s

[–]13tom13 0 points1 point  (0 children)

an alternative could be a security mnemonic given to you once you set up the account that you only see once and have to remember. evolution has that

[–]weirdfishh 0 points1 point  (0 children)

cunts

[–]darknetsolutions 0 points1 point  (3 children)

Password Requirements

Password must contain at least 2 lowercase characters.
Password must contain at least 2 digits.
Password must not contain the username.
Password must contain at least 2 uppercase characters.
Password must not match last 100 passwords.
Password may only be changed in 2 hours from the last change.
Password must be at least 12 characters in length.
Password must contain at least 2 letters.
Password must have a minimum of 2 digits in order to place any digits at the start or end of the password.

You have no clue what you are doing.
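To see what the rule set quoted above actually does, here is an added model of it, written for this page and not taken from the market. The nine rules are transcribed from the comment; the "2 hours since last change" rule needs the last-change timestamp, so it is modelled as optional arguments, and the 100-password history as an in-memory list. The username, the sample passwords and the dictionary/year counts used for the guess-space comparison are constructed assumptions.

```python
"""Model the posted password policy and compare what it accepts with what it rejects.

Added example, not the market's code. Rules are the nine listed in the thread;
sample passwords, username and wordlist sizes are constructed for illustration.
"""
import math
from datetime import datetime, timedelta

HISTORY_DEPTH = 100
MIN_CHANGE_INTERVAL = timedelta(hours=2)
DICEWARE_WORDS = 7776          # size of the standard Diceware list


def policy_failures(password, username, history=(), last_change=None, now=None):
    """Return the posted rules the password violates; an empty list means accepted."""
    fails = []
    lower = sum(c.islower() for c in password)
    upper = sum(c.isupper() for c in password)
    digits = sum(c.isdigit() for c in password)
    letters = sum(c.isalpha() for c in password)
    if lower < 2:
        fails.append("at least 2 lowercase characters")
    if digits < 2:
        fails.append("at least 2 digits")
    if username and username.lower() in password.lower():
        fails.append("must not contain the username")
    if upper < 2:
        fails.append("at least 2 uppercase characters")
    if password in list(history)[-HISTORY_DEPTH:]:
        fails.append("must not match last 100 passwords")
    if last_change is not None:
        now = now or datetime.now()
        if now - last_change < MIN_CHANGE_INTERVAL:
            fails.append("may only be changed 2 hours after the last change")
    if len(password) < 12:
        fails.append("at least 12 characters")
    if letters < 2:                       # already implied by the two case rules
        fails.append("at least 2 letters")
    # Rule 9 as posted: digits at the start or end need at least 2 digits in
    # total. Rule 2 already demands 2 digits, so this branch can never fire alone.
    if (password[:1].isdigit() or password[-1:].isdigit()) and digits < 2:
        fails.append("2 digits needed to place digits at start or end")
    return fails


def word_year_bits(n_words=10_000, n_years=200):
    """Guess space, in bits, of the Capitalised-word + year pattern that users
    converge on under rules like these. Wordlist and year-range sizes are
    assumptions chosen for illustration, not measured figures."""
    return math.log2(n_words * n_years)


def diceware_bits(n_words):
    """Entropy of n words drawn uniformly from the Diceware list."""
    return n_words * math.log2(DICEWARE_WORDS)


# Constructed samples: a patterned string that satisfies every rule (the second
# capital only exists to pass rule 4), and a five-word random passphrase.
PATTERNED = "PassWord2016"
PASSPHRASE = "correct horse battery staple zebra"

if __name__ == "__main__":
    for pw in (PATTERNED, PASSPHRASE):
        print(repr(pw), policy_failures(pw, "buyer42") or "ACCEPTED")
    print("word+year guess space : %.1f bits" % word_year_bits())
    print("5-word diceware       : %.1f bits" % diceware_bits(5))
```

The patterned string clears all nine rules while sitting inside a guess space of roughly 21 bits under the assumed list sizes; the 64-bit passphrase is rejected on two counts. That inversion, plus the 100-deep history and the 30-day rotation mentioned later in the thread, is why complexity rules push users toward predictable Word+Year+punctuation variants rather than toward strength.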

[–]DarkNetYoda[S] 0 points1 point  (2 children)

Is it too complicated for you, huh.....

[–]darknetsolutions 0 points1 point  (0 children)

No, too unprofessional and stupid.

[–]Sanitarium-Market 0 points1 point  (1 child)

We logged in to this guy and did not see these magic security issues that you guys mention. We were not forced to use a Real email address. System did not care what email we used at all. We did see that they "recommend" that we use a valid address but that was only for the bank features, not the buying features.

So they have a password policy.... what's the big deal. We also noticed that they forced us to use 12 characters or less. Don't see an issue with that.

We do not see where they are loading anything from external sources???? Google?? Where do you see that??

So what if they are running Drupal or anything else. Is there some darknet requirement to run an unproven platform hired over a freelancer website, designed by some guy in India or something? If they have it locked down, who cares what they are running.

Mr Avid might be a smart guy, but we do not see what he has revealed that is sooooo legendary or even damaging, nor do we find any of the problems that you guys are talking about.

I say you DOX him if it is soo bad. Why threaten when you can actually do it. If you guys actually have a real security issue, you should state exactly what it is and then demonstrate some further intelligence by providing proof.

You guys are tearing up this market and you haven't even said anything proven yet.

Are you sure it is not a honeypot? Are you sure they are running Winblows? If so then how. Did you do some magic hacking and look at the HTTP headers like any other smart guy? Are you sure that you can even trust what you saw?

Our recommendation (take it or leave it) is perhaps to help build your community. It is obvious that the past markets are not lasting too long. When these guys open a new market, dox, hack em or whatever you claim to do and then move on.

[–]DarkNetYoda[S] 0 points1 point  (0 children)

thanks for the up..... i think

[–]Sanitarium-Market 0 points1 point  (0 children)

omg a generator tag.... really. we will all die now!! LE will get this guy for sure by tracking his generator tag. Good work by the guy that caught that one. We almost walked into a government trap!!

[–]DarkNetYoda[S] -2 points-1 points  (8 children)

Regardless of your comments, the security requirements for Exxtacy will remain high. The Password requirements are not there for those who know what they are doing. They are there for those who do not. Since previous markets which have been hacked reveal that users are still using weak passwords which are dictionary crackable with brute force, regardless of historical consequences, this market will enforce password quality and policies. We apologize for any inconvenience. You will also be required to change your password every 30 days. These are the minimum security requirements for corporations, which are accepted practices; they can certainly serve you well too.

[–]the_avid 2 points3 points  (0 children)

the security requirements for Exxtacy will remain high.

lol. seriously, go home.

[–]DestyLP 0 points1 point  (0 children)

Ha Haha Ha

[–]darknetsolutions 0 points1 point  (3 children)

If you keep going I'll dox you. Seriously, your patchwork server is shit. Get out now while you still can.

[–]Sanitarium-Market 0 points1 point  (0 children)

dox him, get it over with. they accepted the risk when they opened a market.

[–]DarkNetYoda[S] 0 points1 point  (1 child)

Still waiting.... was the Generator tag the massive doxing that we deserved??? Haven't you broken into the database yet and acquired the root password? Break out your dick and let's get to measur'in
