
[–]canwegoback 109 points110 points  (30 children)

This comment comes from the thread.

I know everything.

I know who you are. More specifically, I know your consumer IP address, your name, your age, and your place of birth. You have not configured your Tor correctly, by the way.

I was able to gain access to the server shortly after you put it up.

I know you used an Ubuntu machine running Apache 2.2.22 on port 4986, bound to 127.0.0.1. Binding to localhost doesn't magically solve all your security problems, by the way.

I know you used an outdated version of phpMyAdmin to access the PBF database and perform searches and maintenance tasks. I know you had set up a crontab to periodically curl http://ajd4yqq7ngzmqo3p.onion/cron.php. I know you also set up testing scripts on multiple occasions, at http://ajd4yqq7ngzmqo3p.onion/tt.php (PHPCoinAddress test) and http://ajd4yqq7ngzmqo3p.onion/ttt.php (pathetic code with a very insecure method of "tumbling" coins).

More importantly, I know you exported the "sr" database in phpMyAdmin right before the purge. And I know you backed up www.tar.gz to http://ajd4yqq7ngzmqo3p.onion/www.tar.gz. Unfortunately for you, both of these dumps are in my possession.

I recorded all transfers you sent through the bitcoind RPC interface. I have not yet filtered these transactions but it should not be difficult.

Some of the addresses:

- 1ABkVAMaLZZFZ4w4zWqTYZnLZBXTfYLKBh
- 19YrMzTFJBBvDpv43Bi9nbTPewY7jLqdTK
- 1PfDu6ki4XLd7TPBJjih6wY3yzyBaG1h6N
- 15Bvuuzu4LtaDc5HKHzK4YCK8TqEftgRVR
- 14YpbZ49oqq6pss28WJnjBvQDXhNSGrYXL
- 1Ns3GvhgeP8uK6ht3xzZC64xUaZVwygX2y

The database dump I downloaded contains these tables:

- orders
- users
- market
- items
- messages
- navigation
- wallets
- feedback
- bonds
- bookmarks

You have 24 hours to respond to this post. If this post is deleted, I will take it personally.

EDIT: Looks like this guy is a joke, here's his follow-up comment.

The deadline was not met. I will undertake appropriate actions over the next 48 hours. I am still going through the approx. 1,719 private messages in the database.

I have forwarded most transaction records to the appropriate authorities, as well as the website source code and database dump. The database dump also contained 181 orders/escrows, of which at least approximately 3/4 contained unencrypted names and addresses. All Bitcoin deposit and withdrawal records have been forwarded to an agency which I will not name.

Let this serve as a warning to the pathetic anarchist scum out there, terrorizing the Internet with your drug cancer. The number of drug-related overdoses and homicides has spiked in the past decade. The Internet is not a place for junkies to score drugs.

And someone's response to his comment:

Come on guys, please tell me you all are seeing right through this bullshit. MDPR has so many faces and Iknoweverything is one of them, and it is actually a sign of fear and weakness on MDPR's part. He wants the community to feel like justice was served so that no one will initiate a witch hunt for him; he's full of shit and hoping some real qualified hacker isn't right on his ass. There had to be more to this than stealing four cents worth of bitcoins, and if not then he is one dumb criminal. I am over him and all his antics and I personally think it is a blatant slap in the face because not only did he steal from everyone but he's rubbing it in. Unless IKE releases something to the public everyone should ignore his ass too.

[–]bullsrun 20 points21 points  (0 children)

Can't wait to see the conclusion...

[–]jake45g 1 point2 points  (0 children)

lol isn't that the same MrHankey who was all over the smp forum a week or so back? Saying how much he loved it there, best place ever, etc.

[–]slicksr 8 points9 points  (2 children)

Yeah, I'll assume this guy's right and suggest you do the right thing MettaDPR... if your stuff was this easy to find, I suspect this could get ugly. Run yes, but don't take other people's money with you.

[–][deleted]  (1 child)

[deleted]

    [–]AwkwardCow 1 point2 points  (0 children)

    From one pirate to another...

    [–]mewkittyboo -1 points0 points  (2 children)

    I highly doubt there were that many messages inside the market. I doubt there were even a dozen transactions either.

    [–]mewkittyboo 1 point2 points  (0 children)

    It seems there were more, it's still coming out in plain view as we speak.

    [–]AwkwardCow 11 points12 points  (0 children)

    Damn....crazy how much people can find out.

    [–]AdamSandlerFan 1 point2 points  (12 children)

    This makes me think - how long till other marketplaces are proven secure?

    [–]u-void 16 points17 points  (0 children)

    Nothing is deemed "secure", anything is only ever "secure right now"

    [–]aZeex2ai 10 points11 points  (7 children)

    Security is not something you prove, it's something you do.

    [–]badwolfhosting 0 points1 point  (6 children)

    When hosting services such as this, hosts are obliged to "prove" that they are in fact using appropriate security precautions.
    For the end user, it is very much a "do" situation.

    [–]aZeex2ai -1 points0 points  (5 children)

    I am aware of medical and payment card industry regulations for hosts in the US hosting certain kinds of data. When a company "proves" it is compliant with the PCI-DSS standard, it is not proof that it is secure, only proof that it complied with the standard.

    Mathematically proving the security of large complex systems like computers is currently impossible.

    Hosts can never prove they are secure. That is why they can only take steps to improve security.

    Check out Bruce Schneier.

    [–]badwolfhosting 1 point2 points  (4 children)

    These types of hosting services and their regulator agencies are strictly monitored. You have contact information, WHOIS data, and there are definite people that are responsible for the site's activities and security procedures.
    With hidden services, most hosting companies are not actually companies - not registered, not legal, and not paying taxes or answering to oversight agencies. This is why hidden hosts should explain what security precautions they take, and provide proof that they actually use the security procedures they claim they do.

    [–]aZeex2ai -1 points0 points  (3 children)

    hidden hosts should explain what security precautions they take, and provide proof that they actually use the security procedures they claim they do.

    This does nothing in actually making them secure.

    [–]badwolfhosting 1 point2 points  (2 children)

    How would you suggest a hidden service make itself more secure while assuring its clients that the security precautions are legitimate (example: actually encrypting data instead of simply lying to a customer and providing no proof that you actually encrypt data)?

    [–]aZeex2ai -1 points0 points  (1 child)

    How would you suggest a hidden service make itself more secure

    The first thing to do would be to research the design flaws of the current implementation of hidden services, the mistakes made by hosts of hidden services in the past, and what you can learn from them. It is not an easy task.

    [–]badwolfhosting 2 points3 points  (0 children)

    These are all prerequisites of the development cycle - we are talking about upon the release, how does a hidden hosting provider prove the security measures they claim to take are actually being implemented?
    There is a reason we are not releasing our services (marketplace) for another 2 months at least.
    But - once we get it developed, debugged, and security penetration tests complete, we still need to convince the users that we are actually taking the precautions we claim (as should every other hosting service; if they did what they claimed SR and FH would still be up), and explain in simple and technical detail what the said precautions would do and how they would work to benefit the end user.

    [–]slicksr 8 points9 points  (2 children)

    Something is only secure until someone else breaks into it.

    The only true way to secure something is to put it in a place where nobody, not even you can access it. But even the world's most secure safe has a door, and a way to open that door. From that perspective, the only way to stop someone getting something is to destroy it.

    [–]CDRCRDS 0 points1 point  (1 child)

    Are you suggesting someone should rob SR and then re-encrypt the bitcoins?

    [–]slicksr 0 points1 point  (0 children)

    It is theoretically possible although that wasn't what I was talking about.

    The bitcoins exist, and presumably so do the private keys for those coins. As long as someone can access them, anyone can potentially get them.

    [–]ManOfIndica 0 points1 point  (0 children)

    You're brilliant, out this faggot to all the angry people he stole from, hell hittup LE. I never affiliated with black flag but this is fucked up.

    [–]sadkowju 0 points1 point  (0 children)

    Holy shit!

    [–]GEAUX_BUTTHOLE -1 points0 points  (0 children)

    ♪┌(・。・)┘♪♪♪♪♪♪♪♪

    [–]u-void -1 points0 points  (0 children)

    Awesome
