Request: Bitwasp-using markets? by gwern in DarkNetMarkets

[–]the_avid 1 point (0 children)

It is impossible to understate just how poor BitWasp is. I black-box tested a DNM that I didn't know was running BitWasp and found an SQL Injection bug in around 5 minutes (around ~50 requests in).

It was only when someone else pointed out that it was running BitWasp that I then discovered this project and discovered that the source code contained this bug - and there were a lot of markets running the same code.

I scrubbed all reference to BitWasp, because I didn't want anybody else knowing there was a bug and then digging into the code and hacking live sites - but the bug became public via deepdotweb and the BitWasp developers did an interview where they emphasized that BitWasp is development software - not to be used on 'real' sites.

I emailed them right away to get in touch, emailed again on the 30th of March and then again (after getting an angry comment response here on reddit, not in email) on the 16th of April. Just sent another email today as another last-resort bug reporting attempt, still no reply.

I had heard about BitWasp at the time of discovering the bug but had never looked at the code because I didn't know how many sites were running it live. The problem is at the core of the code. With the first bug I found I went into the source code and found that the exact same thing was happening in two other parts of the code base. So that is 3 bugs, all found in ~20 minutes, all give you full access to the remote database, none have been fixed (nor email acknowledged).

Warning in short is: stay away, even with multisig and whatever else, stay away. A list of sites running BitWasp would be a useful tool for the community here as a list of sites that one should not use.

Can add that Agora does not use BitWasp, neither does SR2. If you know the framework that BitWasp uses and the problems it has you'd know that it can be simple to test if a market is either using BitWasp or using the same framework (which is a large part of the problem).

Can we get some clarity on different multisig markets? by 99s9dsud9si in DarkNetMarkets

[–]the_avid 1 point (0 children)

Their opsec has been very poor but it's their traffic that takes me back there.

Where has Agora's opsec been poor?

Tor Escrow by pinkprincess1 in IFfmbHfnpaZjKFvyi1okT

[–]the_avid 0 points (0 children)

warning signs were there with them lying about heartbleed and whyusheep being one of them

Cannabis Road: A Cannabis Only Marketplace by Crypto_CR in DarkNetMarkets

[–]the_avid 0 points (0 children)

We've already had 2 well known security figures in the community, Jolly Roger and El Presidente, perform security checks on our site and report back without any major issues.

edit sent the admin an issue (not a huge one, just server info leaks). these endorsements are useless if they didn't see what I saw with a single request (I was checking the site to see if it was BitWasp, which is a whole other bag of lols).

I wouldn't say the site is insecure, but I also wouldn't lend much weight to those endorsements. there is no way I would lend my name (and it's a throwaway) to a site's security without spending at least a few days with it.

Warning next to bitwasp sites? by ahsdais9999k in DarkNetMarkets

So Agora moved... by [deleted] in IFfmbHfnpaZjKFvyi1okT

[–]the_avid 0 points (0 children)

a few days, unfortunately

So for my practical computer sciences term project, I am creating a simpler/centralized System of Encryption. Tell me if i should bring it online to the public by [deleted] in DarkNetMarkets

SCAM! MDMAZING by throwawaypigeon1 in DarkNetMarkets

[–]the_avid 1 point (0 children)

It's possible Agora placed him in forced vacation mode because of scam reports - if that is true then they may have blocked him from withdrawing. Agora are proactive about scammers, get in touch with their support and see what the status is with them having picked him up as a scammer or not and if there are any funds to distribute.

So Agora moved... by [deleted] in IFfmbHfnpaZjKFvyi1okT

[–]the_avid 2 points (0 children)

Upfront disclosure: I advised Agora with the heartbleed situation and the current change you're all now seeing.

Wasn't slow to react, just took their time and solicited a lot of opinion on what they should do before reacting/overreacting. Nobody really understood the complete implications of Heartbleed for clearnet servers up until 24 hours ago.

For Tor it is even worse, there is no research outside of what the Tor project published in the first 12 hours of the vulnerability being announced. A few markets blindly changed up their addresses after that post (even keeping old addresses on the old server etc.).

Agora reached a conclusion, after a lot of testing, monitoring etc. to start fresh - there is no connection between the old setup and new, but data / coins etc. will be migrated and users won't notice the difference once it is back up (which is difficult to pull off).

You should all reset your passwords / PINs once the site is back up, I think that will be mentioned or even enforced once everything is live again.

Possible Permanent Vacation (heartbleed) by LightYagami_ in DarkNetMarkets

[–]the_avid 1 point (0 children)

I'm hoping they bring /u/whyusheep out of retirement to defend them on this one

[vendor review] If you're looking for 4-fa, Check out noquarter on evolution. by cheapcab in DarkNetMarkets

[–]the_avid 2 points (0 children)

I read that as "four-factor authentication", thought it was a little overboard in terms of securing a login.

So, Now that the "Heartbleed" Vulnerability is out, What markets re not affected by this especially tumblers? by Titty_Bang_Bang_ in DarkNetMarkets

[–]the_avid 0 points (0 children)

It is really difficult to tell. If a market states they were not using a vulnerable OpenSSL build, you have to just trust the admin is telling the truth.

It has become clear now that because of the trust issue all hidden sites should re-gen and reset passwords.

I wasn't going to recommend it based on my own research, but outside of the actual bug and if you were running on openssl or not the Tor Market incident demonstrates that you can't just take people at their word - reset keys & passwords.

Possible Permanent Vacation (heartbleed) by LightYagami_ in DarkNetMarkets

[–]the_avid 6 points (0 children)

All of us are in danger with this exploit allowing for the server memory to be exploited. At best, nothing was stolen. At worst, the tor key to the servers were directly compromised.

This only applies to the exploit on clearnet https sites, and it is because of how clearnet web servers are set up: the same process which shares the same memory heap (from where the leaked data originates) is shared by openssl and the process handling multiple client connections (using threads).

Even here, where it is tightly integrated with the web server, it is highly dependent on the server operating system. Some operating systems will allocate the memory in an area that is completely barren, thus the exploit potential is low, while others - usually more esoteric systems - will re-use the same part of the memory as they do when serving web application processes, which is where you can find session cookies.

What does this have to do with Tor hidden services, Tor bridges and Tor clients? Nothing. Each of those cases is also unique, but the headline news about the bug that you are reading about affecting clearnet sites and the bug with Tor are completely different.

I think it was good for the Tor project to be over-cautious in advising users to update, because they didn't have more information at the time. I've spent the past 72 hours actually reading source code and testing the exploit against Tor, and I have yet to manage to get it to give up anything useful. Openssl is integrated with the Tor process, and there are a couple of things that make it difficult to exploit:

a) to exploit a hidden service, you'd need to connect to it directly, which means exploiting all 7 machines in the circuit between you and the hidden service in-step.

b) the dropped connections on the hidden service are very noisy, unlike the bug when implemented in web servers. You get an info message that is logged, so hidden service owners have something to look for

c) other information in a tor memory heap just isn't as interesting as what it is in a web server.

Also reading the source and where/how and what Tor allocates in memory and where OpenSSL is. The worst case with the most sophisticated enemy in the world who knew about the bug before it was published isn't that bad. I think there are better ways to attack Tor.

Clients should update though, the client bug is nasty - you can exploit that but again it will only give up info on other tor first-hops and destinations (at worst, and even that is difficult) unless you are using something like wget or lynx to do your banking and tor surfing at the same time :)

I was on top of this bug pretty quickly, my messages lit up like crazy when the website went public. I almost reached the point of getting hidden services taken down, but it was clearer within minutes that a lot of Tor sites won't be vulnerable and those that are aren't at a risk level where immediate intervention to shut down the market is required.

What's happening now is contingency planning in case someone did pull off the 1 in a 100 million hack. Spending an extra few days to weigh the implications won't have a huge impact here so it's better to fix it once and well than to knee-jerk react and say you weren't vulnerable or get sucked into the hype of the clearnet attacks and say that your hidden site was exploited.

edit the other part here is the breakdown in the trust chain, something that /u/lukeskywalkr pointed out here in this comment and something I've been thinking about. As with the Tor Market incident you can't really trust, nor should you trust, a DNM admin that all is right. I know that most sites are ok, but because of the trust breakdown and different dynamics and threat nature of DNMs it's probably best to recommend that all hidden sites re-gen their key pairs and reset all user passwords.

[TorEscrow] We never had heartbeat enabled. by [deleted] in DarkNetMarkets

[–]the_avid 0 points (0 children)

they are talking about extension from a protocol perspective, which is right - not from a building and installing a package - which is what torescrow were talking about

heartbeat is an extension of TLS, but it isn't an openssl extension

as soon as I read OP I knew something was up, because it was completely unlike every other response to the bug. the question is why would they lie and should you trust a website that lies about their security?

[TorEscrow] We never had heartbeat enabled. by [deleted] in DarkNetMarkets

[–]the_avid 4 points (0 children)

What are we wriggling out of exactly?

You're wriggling out of this:

We opt to build most of our packages from source and remove as many extraneous modules/extensions as possible.

We will not have to change our onion address because we were not vulnerable to the recently disclosed heartbleed bug. We did not have heartbeat extension enabled.

Which makes no sense to anybody even mildly informed about the topic.

I'm able to make assumptions about versions because heartbeat is only integrated into a single version. And i'll repeat again: it isn't a module or extension - but feel free to not update OP.

and since your support person isn't your magical unicorn rainbow-farting sysadmin you should probably tell them to tone it down, because they have been spewing crap all over this forum for the past 24 hours using a username with your market's name in it.

This OP doesn't help either, but let's move on - since nothing outside of a mea culpa would satisfy me since I know this OP is misleading and a lie (but you aren't going to do that) and we'd be wasting our time.

Our system administrator doesn't have the amount of free time you seem to have to argue with people on reddit.

probably because you have him building your entire system from source. what kind of sysadmin sweat shop are you running? learn about package management and free your sysadmin up to come here on reddit and fuck around with the rest of us.

[TorEscrow] We never had heartbeat enabled. by [deleted] in DarkNetMarkets

[–]the_avid 1 point (0 children)

We opt to build most of our packages from source and remove as many extraneous modules/extensions as possible.

We did not have heartbeat extension enabled.

seems pretty clear to me.

fyi there is no such thing as the 'heartbeat extension'.

edit: and I can see how you can wriggle out of this by saying: 'we just happen to be mentioning that we build our own packages, we weren't saying we compiled without heartbleed, we just happen to mention that and we weren't running a vulnerable version'. I'll give you that - it's about the only out you have, what else could you say?

"Heartbleed": Bitcoin also vulnerable by mdparity in DarkNetMarkets

[–]the_avid 2 points (0 children)

note: all that the Bitcoin project did was download the latest version of openssl and re-build their downloads. If you are not using a statically linked version of Bitcoin then your system update would suffice

This is exactly why we have libraries and dynamic linking, so that when you need to upgrade you only have one place to do it rather than updating every. single. application.

"Heartbleed": updating OpenSSL is not enough - a change of Onion address required for servers with vulnerable OpenSSL builds by mdparity in DarkNetMarkets

[–]the_avid 2 points (0 children)

you guys are full of shit. see my comment in the other thread

the rest of the thread here is just a clusterfuck, it just adds to what I said in my other comment. /u/lukeskywalkr is completely right and you're out of your depth - you shouldn't be misrepresenting this bug and its impact to users in order to advertise or one-up your own DNM - that is only serving your own interests (and it is lying) rather than the interests of the broader community.

saying that you build from source was the cool thing to say to prove you had hair on your chest back in the 90s. nobody does that anymore - modern configuration scripts know your system and architecture better than you do, and modern package management resolves conflicts better than any sysadmin can. not to mention that you miss the benefit of immediate patches (both Debian and RHEL had patches out for OpenSSL as the announcement was made) when you roll yourself; you're missing out on the collective knowledge of the 30,000+ sysadmins and developers who put all their knowledge and effort into packaging systems

even the hard-core 'build from source' distributions now have their own packaging systems, be it dpkg or something like ports. there is a very good reason for that.

there are decent arguments for building from source and outside of package management, but you're not making them.

edit I don't even know why I'm arguing this, since it's pretty clear you guys didn't even build from source and were lying. you just wanted to market your security to people who you thought were stupid and didn't know better.

ELI5: Open SSL Bug by cactusbutt123 in DarkNetMarkets

[–]the_avid 3 points (0 children)

They don't modify it. Here is what happens:

client sends a heartbeat message that contains two elements, the random string and the length of that string

the server then allocates memory in where to store the random string, but instead of measuring its length itself, it trusts the client when it says what the length is

the server then writes the random string into the memory it allocated, reads the entire allocation back and sends it to the client

so here is how you exploit it:

client sends a message with only one byte of 'random' content but says it is 65536 bytes long. The server copies the memory but only writes one byte, so when it responds with the same length it ends up reading another part of the server's memory.

the 65536 limit is hard-coded as the maximum heartbeat size, if that wasn't there you could ask it to send back 64 megabytes of memory

so you end up getting back some random part of the server's memory - by constantly sending requests every x seconds you can get different memory results depending on what the server is doing at that time.

eg. if another user just happened to make a page request, you might find their entire HTTP headers, including the session cookie, in the memory data that is sent back to you

it all comes down to the server trusting the length parameter from the client and not calculating the length of the data the client sent itself.

[TorEscrow] We never had heartbeat enabled. by [deleted] in DarkNetMarkets

[–]the_avid 3 points (0 children)

yes they are - meant 1.0.1 and 1.0.0, they should probably increase the version number in any case, it isn't just confusing me (and I know the version numbers), it's confusing a lot of people (if you don't know, recent openssl versions have been bumping just the last letter, which is build - eg. v1.0.1g)

!BTCFOG has not released any mention of heartbleed bug fix, warning to stay off! by btcfoghearbleed in DarkNetMarkets

[–]the_avid 0 points (0 children)

Talk about panic. Has it occurred to you that they might not be running a vulnerable version?

ELI5: Open SSL Bug by cactusbutt123 in DarkNetMarkets

[–]the_avid 14 points (0 children)

OpenSSL is a cryptography library that implements the features behind the padlock in your browser and a ton of other places (like secure email, remote desktop servers) for both the server and the client.

It is used absolutely everywhere because it is the standard cryptography library. You likely can't make a request on the internet or with a phone today without passing through openssl somewhere in the process.

This bug was in a new feature called 'heartbeat' which has been out for around 2 years now. You might remember that a few years ago there was a large movement to get websites like GMail, Hotmail and Facebook etc. to be HTTPS (that is, padlocked) by default since it is a secure practice. The reason why the service providers erred and waited on implementing this instead of doing it from the beginning is that setting up a secure connection is computationally expensive.

If you require 5,000 servers to serve your users with plain HTTP (no padlock), it might require 7,000 servers to serve the same users with HTTPS (with padlock), so a lot of large websites put the decision off.

What OpenSSL did to help them is implement the heartbeat feature. Here is what it does: normally when you first visit a site it does a handshake and establishes the padlock - this involves passing keys back and forward and verifying signatures, it all happens without the user seeing it. Normally after 10 or 20 seconds of inactivity if that user then went back to the same page and refreshed it or checked their emails again (or messages) it would go through the entire handshake procedure again. The handshake procedure was the most computationally expensive part of the process.

The idea with heartbeat was that you do the handshake once when a user first visits the site, and then every 5 or 10 seconds the client would send a 'heartbeat' message to let the server know they are still there. Think about it for sites like Gmail: most users keep Gmail open all day and it is a secure connection. Without heartbeat the client would check for new emails every 30 seconds and it would have to go through the handshake/initiation procedure every single time, which is expensive on the servers. With heartbeat, they do the handshake once and then they can keep the connection alive potentially forever (as long as the server keeps getting the messages).

The way heartbeat would work is the client would come up with some random data and send it to the server as part of the heartbeat message. To verify that it received the message, the server would take the same random data and send it back to the client.

The bug came up not in how the protocol was designed, but in how it was implemented. What was happening was that the server was constructing the response to the client without checking that what the client sent with the random data was of the correct length.

The way the exploit works is that the client asks the server to respond to a heartbeat and tells it its random data is longer than it actually is; when the server goes to read back the same random data for the response it exceeds its length and reads into its own memory, sending that data back to the client (up to 64KB).

The problem is that the memory in the computer is where all sorts of things are stored - private keys, session information, etc. And with each exploit heartbeat request you can get back a different part of the memory, and you're almost assured to get back some sensitive data.

The implication for Tor is both in clients and in relays - both need to be updated urgently. There is an implication for clients because even though they don't act as servers, they still have the server code in the openssl library and an advanced attacker can trick the Tor client into running that code.

edit I've spent some time actually testing this exploit against my own test hidden service and reading the source. I think the chances of a hidden service being completely compromised and located using this exploit are zero, the chances of the private key being taken are close to zero, the chance of some useless circuit information being exposed is more likely. I just did tens of thousands of requests against a test vulnerable hidden service and came back with nothing. looking at the code and how memory is allocated also backs up this finding that private keys are safe. I think it's almost certain that some people, like governments, had access to this exploit previously but what's most likely is that it couldn't be used to break tor. The bigger worry for Tor is the client - if you can get a vulnerable user to route through/visit a server that exploits them, it could spit out memory from your machine, which might be more interesting than what a hidden service gets back.

I think it was good for the Tor project to overestimate the potential impact, and while this bug is one of the worst in years for the clearnet - it isn't a 'sky is falling' moment for Tor.
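The over-read described in the two ELI5 comments above (the "trusts the length the client sent" step, and the 64KB of neighbouring memory that comes back), as an added example that is not part of this thread and not OpenSSL's own code. It mirrors the shape of the heartbeat handler rather than reproducing it: message layout and the 16-byte padding are from RFC 6520, the 16-bit length field caps a request at 65535 bytes, and the "heap" is a single constructed array with a made-up cookie placed right after the incoming record so the read past the record is well-defined and the program runs anywhere. The vulnerable handler copies whatever the peer claims; the fixed handler applies the same bound the 1.0.1g patch added (claimed length checked against the record length that actually arrived) and drops the request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16
#define HB_MAX_PAYLOAD 65535                     /* 16-bit length field */

/* Simulated server heap: incoming record first, then whatever else the process
 * allocated.  One contiguous array keeps the over-read defined for this demo;
 * in the real bug the bytes past the record were live OpenSSL heap. */
#define HEAP_SIZE (3 + HB_MAX_PAYLOAD + HB_PADDING + 4096)
static unsigned char heap[HEAP_SIZE];
static unsigned char response[3 + HB_MAX_PAYLOAD + HB_PADDING];

/* Constructed neighbouring heap data (an imaginary session cookie). */
static const char secret[] = "Cookie: session=d34db33f; Authorization: Basic QWxhZGRpbjpvcGVu";

/* Store a request in the simulated heap.  claimed_len is what the peer says the
 * payload length is; actual_len is what it really sent.  Returns the real record length. */
static size_t build_request(uint16_t claimed_len, const unsigned char *payload, size_t actual_len)
{
    unsigned char *p = heap;
    memset(heap, 0, sizeof heap);
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, actual_len);  p += actual_len;
    memset(p, 0, HB_PADDING);        p += HB_PADDING;
    memcpy(p, secret, sizeof secret - 1);       /* "other" heap data right after the record */
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Vulnerable: the length comes from the attacker-controlled field and is never
 * compared with the length of the record that actually arrived. */
static int process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                        unsigned char *out, size_t *out_len)
{
    unsigned char type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* n2s(p, payload) */
    const unsigned char *pl = rec + 3;
    (void)rec_len;                                           /* ignored: this is the bug */
    if (type != HB_REQUEST) return -1;
    out[0] = HB_RESPONSE; out[1] = (unsigned char)(payload >> 8); out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);        /* copies 'payload' bytes however short the record was */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Fixed: bound the claimed length by the record length before touching memory;
 * a bad request is silently dropped. */
static int process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t *out_len)
{
    unsigned char type; uint16_t payload; const unsigned char *pl;
    if ((size_t)(1 + 2 + HB_PADDING) > rec_len) return -1;            /* too short even for an empty payload */
    type = rec[0];
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)(1 + 2 + payload + HB_PADDING) > rec_len) return -1;  /* claims more than arrived */
    pl = rec + 3;
    if (type != HB_REQUEST) return -1;
    out[0] = HB_RESPONSE; out[1] = (unsigned char)(payload >> 8); out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Portable byte-string search (memmem is a GNU extension). */
static int contains(const unsigned char *hay, size_t hay_len, const void *needle, size_t needle_len)
{
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* Attack: one real byte, claimed length 256.  1 if the reply carries the cookie. */
int vulnerable_leaks_secret(void)
{
    unsigned char one = 'A'; size_t resp_len = 0;
    size_t rec_len = build_request(256, &one, 1);
    if (process_heartbeat_vulnerable(heap, rec_len, response, &resp_len) != 0) return 0;
    return resp_len == 3 + 256 + HB_PADDING && contains(response, resp_len, secret, sizeof secret - 1);
}

/* Same malformed request against the fixed handler: 1 if it is dropped. */
int fixed_drops_malformed(void)
{
    unsigned char one = 'A'; size_t resp_len = 0;
    size_t rec_len = build_request(256, &one, 1);
    return process_heartbeat_fixed(heap, rec_len, response, &resp_len) == -1;
}

/* Honest request (claimed == actual): 1 if echoed exactly with nothing extra. */
int fixed_echoes_honest(void)
{
    static const unsigned char nonce[8] = {1, 2, 3, 4, 5, 6, 7, 8}; size_t resp_len = 0;
    size_t rec_len = build_request(8, nonce, 8);
    if (process_heartbeat_fixed(heap, rec_len, response, &resp_len) != 0) return 0;
    return resp_len == 3 + 8 + HB_PADDING && response[0] == HB_RESPONSE &&
           memcmp(response + 3, nonce, 8) == 0 && !contains(response, resp_len, secret, sizeof secret - 1);
}

int main(void)
{
    printf("vulnerable handler leaks neighbouring heap: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler drops malformed request:      %s\n", fixed_drops_malformed() ? "yes" : "no");
    printf("fixed handler echoes honest request:        %s\n", fixed_echoes_honest() ? "yes" : "no");
    return 0;
}
```

The point to take from the fixed handler is that the check is against `rec_len`, the length the TLS record layer knows the record to be, not against anything inside the message; a request that claims more than that is discarded rather than answered. Repeating the attack with different claimed lengths, or after placing other constructed data in the arena, shows why repeated requests returned different slices of memory on a real server.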

[TorEscrow] We never had heartbeat enabled. by [deleted] in DarkNetMarkets

[–]the_avid 21 points (0 children)

I find it very difficult to believe that somebody was running v1.0.1x of openssl but compiled it without heartbeat support.

Heartbeat is not an "extraneous module/extension", it is a core part of openssl's implementation of TLS

There is no configuration option to disable heartbeat since it is a core feature:

https://github.com/openssl/openssl/blob/master/Configure

Further, you can't set CFLAGS when building openssl since it overrides with its own settings per-platform:

https://github.com/openssl/openssl/blob/master/Configure#L1216-L1219

Which means setting a CFLAG to pass on -DOPENSSL_NO_HEARTBEATS would have required going through the config, figuring this all out and overriding CC to include the CFLAG.

You wouldn't even know that the flag to disable heartbeats existed unless you read all the source code.

Anybody who was so determined to switch this feature off would have just stuck with the 0.9.x builds since 1.x doesn't actually give you anything (and what it does give you, you are going to all this trouble to switch off).

Now, in these past few days since this bug has been released I've barely slept and I've heard a hell of a lot of things from hundreds of sysadmins, most of the responses can be grouped into one of:

a) we were running the 0.9.x branch and were not vulnerable

b) we were running the 1.0.0 branch and were not vulnerable

c) we were running the 1.0.1x branch, was vulnerable and updated

This is the first and only time i've heard someone say that they ran the 1.0.1x branch but they disabled the bug. It's a really weird thing to lie about.

Most who were stuck with a vulnerable version of v1.1 were there because their distro bundled that version. If you are going to go to the trouble of building from source, why pick the same version? The only people who need it are those running large-scale https sites.

disabling heartbeat was a suggestion from the bug website for those on v1.0.1, but they wrote that advice based on seeing the flag right there in the code - they didn't actually check the configure scripts. It is advice that only makes sense after the bug - not before it. Nobody who attempted it thought it was practical, you just wait for the upstream patch and rebuild.

edit update because I got the silly version numbers mixed up

Fuck. You. I2p. by fucki2pintheass in DarkNetMarkets

[–]the_avid 0 points (0 children)

they sponsored two Google Summer of Code projects that dealt with fixing hidden services. don't have links with me atm but search for 'hidden services need some love' IIRC that was the blog title

Fuck. You. I2p. by fucki2pintheass in DarkNetMarkets

[–]the_avid 0 points (0 children)

There really isn't any research yet.

That is why I'd still consider tor 'more secure', because it has more users and an order of magnitude more research and testing invested into it. There have been at least a dozen proof-of-concept attacks against Tor that have been published and patched - I can't think of one for i2p - and it's not because they are not there, it's because everybody is focused on Tor.

I heard it could potentially be better for the site operators.

It is much easier to run an eepsite than a Tor hidden service. The design for eepsites is better, but Tor are doing a lot of work around scaling hidden services.

Fuck. You. I2p. by fucki2pintheass in DarkNetMarkets

[–]the_avid 1 point (0 children)

i2p is not suitable for a lot of DNM users since it requires at least 30 minutes to boot up and register on the network.

In your ideal DNM user situation, you would boot to USB or boot up a vm, decrypt your persistent info, login to the market, do what you need to do and then be out in minutes. The 30+ minutes i2p requires just to start up just doesn't work in this scenario.

It just isn't realistic in a lot of scenarios to ask all DNM users to have an i2p router running all the time in preparation for making an order or, for vendors, processing orders.

has Outlaw Market been hacked? by isoutlawhacked in DarkNetMarkets

[–]the_avid 0 points (0 children)

not a surprise, there were warnings when they launched here that the site was insecure.

Why does no one worry (more) about DDoS? by [deleted] in DarkNetMarkets

[–]the_avid 0 points (0 children)

there has to be a real IP somewhere along the line.

There, that's better. You've come a long way from:

[the hidden server] needs to have a real IP to even use tor.

Why does no one worry (more) about DDoS? by [deleted] in DarkNetMarkets

[–]the_avid -1 points (0 children)

For your computer to connect to another through the internet you need an IP

That isn't what you originally said, you've changed your argument.

What you said above was:

It still needs to have a real IP to even use tor.

That is not correct.

After my reply, you then changed it to:

The computer running the virtual machine has to have an IP assigned to it by some service provider

That is also not correct. You have now changed it to:

For your computer to connect to another through the internet you need an IP.

That is still not correct.

What you should change your argument to next is: "at some point your network requires a bridge to a network that is on the internet and has a real IP", because that would be closer to the truth, and I'd agree with you when you say that.

Between a server running a hidden service and the real internet you can place an infinite number of gateways, NATs, VPN connections, ISDN lines, X.25 - whatever the heck you want.

The key to defeating correlation attacks is to assure that your hidden server and/or tor gateway crash before your border router does, which is easy to do and in most cases you get that protection by default with a VPN setup (which was my reference to 'see above' as I explained that in another reply).

Your border router should be somewhere that is very busy - so you can hide your traffic amongst the traffic of many other websites, which is also easy to do. There are entire colocation centers where racks and racks of servers do not have a single public IP (this is what most large companies look like on the inside, it is common).

In any case, this still doesn't apply to the Agora case - which you insinuated in your OP since that was the web server being DoS'd.

Why does no one worry (more) about DDoS? by [deleted] in DarkNetMarkets

[–]the_avid 0 points (0 children)

see below. I'm not going to waste my time on somebody who is misinformed about networking basics but feels it is his obligation to 'warn' the world. you are obviously shilling for somebody, why else would you pretend to know something about a topic you have no idea about?

We have updated our FAQ/DarkNetMarkets Guide. Come give it critiques! by hugsfordrugs in DarkNetMarkets

[–]the_avid 1 point (0 children)

setting up a VPN that will output from your home network, which will do exactly zilch to protect you from LE.

Jeremy Hammond of Lulzsec was busted because the FBI van in front of his house correlated his Tor traffic with his online aliases.

full complaint here:

http://www.scribd.com/doc/84134934/Hammond-Jeremy-Complaint

Why does no one worry (more) about DDoS? by [deleted] in DarkNetMarkets

[–]the_avid 0 points (0 children)

Your last scenario has some huge leaps in it but still doesn't work because the Tor daemon on the virtual machine crashes before the router does, and you can only check the router (note that I mention this in my post )

Why does no one worry (more) about DDoS? by [deleted] in DarkNetMarkets

[–]the_avid 0 points (0 children)

the computer running the virtual machine doesn't have to have a real IP either...

I'm 100% certain you are missing the point and don't know what you are talking about.

Announcing Bitwasp - with multi-signature transactions! by Vespco in DarkNetMarkets

[–]the_avid 0 points (0 children)

I already have reached out, would you like me to send you a copy of the email?

edit I just realize that I didn't save my own copy of the email, you'll have to ask whoever is behind bitwasp@bitwasp.tk to forward it to you.

Announcing Bitwasp - with multi-signature transactions! by Vespco in DarkNetMarkets

[–]the_avid 0 points (0 children)

You got a reply from the bitwasp email correct?

No I didn't. I asked you here if you wanted to be copied on the email.

I now get a response 4 days later in a public reddit thread (below). I don't understand why this is so complicated - the details I was asking for in my email were very straight forward.

Announcing Bitwasp - with multi-signature transactions! by Vespco in DarkNetMarkets

[–]the_avid 0 points (0 children)

My initial email mentioned getting you onto the multisig copy of the software to test before releasing, which is the important thing here

You think asking me to test upcoming code is more important than patching 3 vulnerabilities in your existing product? You say I'm not working for you, but at the same time you not only want me to report existing bugs, but ask me to find new ones for you? What the hell..

2) there is a serious problem, but you'll show others before working with us.

I haven't shown anybody the bug. When I realized it was a bug in BitWasp I edited all my comments on reddit to remove reference to it. This was only made public because of the deepdotweb interview.

So, I'd like some details please, then we can work together.

No, you need to give me more details. This has been a shit-show from the start. I have 3 different people contacting me saying that they are from the BitWasp project, all saying very different things and who I should talk to. Only one of those people actually proved that they were from the Bitwasp project.

Your website has no security section, it has no contact details on where to report security issues, it has no PGP keys, it has no details of any bounties, it has no detail on what the process is or if you comply with any disclosure policies.

When I was finally told to send an email to the bitwasp email, I did - and I encrypted it, and now I get a response four days later in a public reddit comment. Seriously, what the actual fuck?

You need a secure way to report bugs - i'm not going to file them in GitHub (as one of you suggested) because that just means the details will be made public and you'll have 3 0day exploits out in the wild.

You guys seriously need to get your shit together and come up with a secure way I can report bugs to you and get back to me on the details of your security program (which at the moment, appears non-existent).

Why does no one worry (more) about DDoS? by [deleted] in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

Congrats. You're looking at your private IP address.

That was my point ...

Announcing Bitwasp - with multi-signature transactions! by Vespco in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

What is the deal with making all these new feature announcements but not replying to my emails or messages about major security issues in BitWasp? Email sent 4 days ago now, pm's sent 5 days ago, 3 days ago and 24 hours ago.

You've got time to market insecure software to new victim markets but no time to address security issues? I'm the one being patient here and i'm working for you guys for free.

So what is the deal with Bitcoin Fog? by [deleted] in DarkNetMarkets

[–]the_avid 2 points3 points  (0 children)

Bitcoinfog is one of the most trusted long-running services on the darkwebs. Most of those posts you find reporting complaints get resolved with support and then OP doesn't come back to update it - but bitcoinfog is used a lot

if you do end up with an issue, contact support rather than starting a bitch thread here 10 minutes after waiting and not receiving coin

note that bitcoinfog randomizes the amount of time transfers take, this is part of the obfuscation process - you should always set aside at least 24h if you are planning out your deposits/withdrawals into markets.

Why does no one worry (more) about DDoS? by [deleted] in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

No for real though if you think you can use TOR without an IP

well, you thought exactly that only one reply ago, good to see you've come around. Here is you, only hours ago:

It still needs to have a real IP to even use tor.

Which was wrong. You are now correct, in that you do need an IP but it doesn't have to be a real IP.

Why does no one worry (more) about DDoS? by [deleted] in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

i'm specifically referring to online, where exploits would be used.

Carding Forums, Ponzi Schemes and Law Enforcement: A background on Evolution Marketplace by the_avid in IFfmbHfnpaZjKFvyi1okT

[–]the_avid[S] 0 points1 point  (0 children)

this weekend! i keep having to push it because I have real-work related stuff to deliver first, which is late atm

Someone sent 0.001 BTC to my address that is related to SilkRoad by btc0x001 in DarkNetMarkets

[–]the_avid 2 points3 points  (0 children)

OP makes up a reason to post a potentially popular post with a fake link to blockchain.info in it. we all read, click the link to look at the transaction and then think 'might as well check my wallet while i'm here!' not realizing the site is fake.

it might not be a phishing link now, but OP can edit in/out the link or come back in a day, insert a phishing link and then leave this post in the archive for others to find / click on.

IMO a rule on the sub should be that you can't hyperlink but instead have to include links typed out - it is too easy to ninja-edit posts and insert/remove phishing links

Why does no one worry (more) about DDoS? by [deleted] in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

It still needs to have a real IP to even use tor.

No it doesn't.

I'm on Tor right now and the IP address of this machine is 192.168.0.15

The configuration for most hidden service servers is (edit: or should be):

virtual machine [web server] => virtual machine [tor proxy] => real hardware => internet

where the first two machines are on virtual private networks with non-public IP addresses.

Why does no one worry (more) about DDoS? by [deleted] in DarkNetMarkets

[–]the_avid 4 points5 points  (0 children)

The Agora DDoS had nothing to do with any effort to uncover the location of the hidden service. There are two parts to the answer as to why this is a certainty.

First, the Agora attack was made directly against the web server and was an effort to brute-force common dictionary passwords. This was thwarted with the implementation of a CAPTCHA and some intelligent session throttling, but not before the hacker obtained the passwords for 3 accounts and then used the information contained within to attempt to extort Agora.

Second, not all DDoS are equal and there are many different attack types against Tor that can be (in some circumstances where the server config is insecure) or could have (past tense) been used to uncover hidden services. Most people bundle these together and refer to them as just 'DDoS attacks', but they are very different.

The first type of attack, where you directly DoS a hidden service web server and then find a real IP that is also not responding, only works when the hidden service server is on the public internet. Most DNM's are set up to run in virtual machines, so there is nothing to correlate the attack against (except perhaps border routers, and in those cases you'll likely only discover introduction points).

The second type of attack, as referenced in the paper 'Locating Hidden Services', was patched in Tor eons ago.

The third type, the flow control/snip attack was patched back in January.

Most of the Tor-based attacks against hidden services don't target the actual hidden service server, they target the Tor network itself. For the Tor-network attack types, were they being carried out against a site - you wouldn't notice it as a user (except perhaps circuits being dropped and re-established). In any case, these issues have all been disclosed, discussed and patched.

A market being DDoS'd should be taken offline immediately.

That is the wrong solution and in the case of there actually being a correlation attack you would only be helping their cause. The better solution is rate-limiting and blocking entry guards that keep dropping and re-establishing circuits.

The markets that have their shit together are already doing this and are wary of any attack based on brute-forcing circuits.

Thats likely how SR was located

This has never been proven. It is much more likely that the server was either a) hacked or b) was dumping PHP info or debug information, since Silk Road was prone to both security issues and lapses in error reporting. There is a forum post on the old forum (can't find a mirror at the moment) of a user reporting that the source code of the login page was displaying all the server's environment variables.

The two options as to how the SR server was found are, either:

a) Silk Road was run by inexperienced programmers and sysadmins who made a mistake and accidentally leaked server information, which was picked up by LE

or,

b) the NSA has uncovered a new, previously undiscovered vulnerability in Tor and used this not against Al Qaeda, but against an online drug market. This method is so secret that it is not mentioned in internal NSA docs (which say the opposite) and nor was it detected by Tor developers or admins. This theoretical attack worked against the main Silk Road server, but not against the forum server (for some reason).

This very method has been disclosed in the Snowden leaks as a way the NSA would locate the real IP of a tor server.

the documents revealed that the NSA struggles with Tor, specifically:

the documents suggest that the fundamental security of the Tor service remains intact. One top-secret presentation, titled 'Tor Stinks', states: "We will never be able to de-anonymize all Tor users all the time." It continues: "With manual analysis we can de-anonymize a very small fraction of Tor users," and says the agency has had "no success de-anonymizing a user in response" to a specific request.

and the one proof-of-concept they did have was about identifying exit traffic by running a large number of nodes and correlating:

documents detail proof-of-concept attacks, including several relying on the large-scale online surveillance systems maintained by the NSA and GCHQ through internet cable taps.

One such technique is based on trying to spot patterns in the signals entering and leaving the Tor network, to try to de-anonymise its users. The effort was based on a long-discussed theoretical weakness of the network: that if one agency controlled a large number of the "exits" from the Tor network, they could identify a large amount of the traffic passing through it.

which has nothing to do with uncovering hidden services.

In short, were there an LE effort to uncover hidden services - as far-fetched and hypothetical as that scenario is - you wouldn't find out about it because the site is down.

What if a vendor gives your address to LE? by [deleted] in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

you just need a standard format to pack it in so that it is unique.

VENDOR_SALT:NUM:STREETNAME:ZIP

or some variation. hash misses and forgivable in any case.

it would all depend on why vendors are storing addresses, my impression is for accounting/record purposes, in which case a hash of some standardized pack format would suffice.

Which market is the least likely to fuck me over as of right now? by StuffyKnows2Much in IFfmbHfnpaZjKFvyi1okT

[–]the_avid 0 points1 point  (0 children)

I didn't announce it, just mentioned it in a few comments. Started with helping them out when the site was going down and now with other things.

i'm going to start disclosing it on any comment where i'm attacking another market for whatever reason.

one difference is that they didn't hire me - I actually reached out to them after finding that the market was actually well put together. They don't hang out on reddit so it took a few weeks to prove that I knew what I was talking about and could help them.


Silk Road paid me back 0.16btc of 0.25btc by EkafEman42 in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

I find it funny how no matter how many times you can fuck someone, they will still make excuses for you. Stockholm syndrome at its finest.

People are grateful that Silk Road returned half of their money at half the value, it is really insane if you take an outsiders perspective view of it.

This is why some DNMs will continue to lie and rip people off, because not only do they get away with it, they become heroes. It really is perverse.

edit: OP, this wasn't aimed at you, just a general comment because I see same / similar comments everywhere / all the time.

We are pleased to announce our new market. by MrNiceGuySamson in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

if you want to send me an email on theavid at safe-mail.net i'll copy you on what I sent. key ID is EFDCB2A7

http://keys.gnupg.net/pks/lookup?op=vindex&search=theavid%40safe-mail.net&fingerprint=on

We are pleased to announce our new market. by MrNiceGuySamson in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

sent an email yesterday to the person who emailed me from the bitwasp email address

Fucked. by Fuckedd in DarkNetMarkets

[–]the_avid 10 points11 points  (0 children)

Happens to everybody at least once. Contact the market using another username and give them as much information about your account (things you would know that other people wouldn't) and see if they will reset it for you. Explain to them what happened in the same way you explained to us here now. They might wait a day or two in case they consider your attempt a hijack - but dump everything you can think of about the account - when you signed up, what orders you made, etc. and help prove to them you are the account owner.

After you lose your passwords once, you learn to create TrueCrypt containers and backup everywhere.

I agree with the other comment about not needing Tails - just running Whonix or Tor with TrueCrypt container should suffice if you're just making the odd order.

We are pleased to announce our new market. by MrNiceGuySamson in DarkNetMarkets

[–]the_avid 2 points3 points  (0 children)

I already know this market.

I think don't go near any market that uses BitWasp.

We are pleased to announce our new market. by MrNiceGuySamson in DarkNetMarkets

[–]the_avid 2 points3 points  (0 children)

This is definitely an issue to consider.

Understatement of the century.

BitWasp is insecure. No ifs, no buts. I haven't reported my 3 issues yet, so all BitWasp markets as they stand are currently vulnerable to exploits that are rather simple to execute.

I'll eventually get around to reporting them, in the interim I should probably do a post warning users not to go anywhere near BitWasp markets.

The developers themselves said in their interview with DeepDotWeb that nobody should be running a live market on BitWasp at the moment.

Did Silk Road 2.0 Ever fix the "Transaction Malleability" problem that "Lost" all our Bitcoins? by Vendor_BBMC in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

relax dude, I said it's possible - not that it happened the way they said it did. if you implement a system where you automatically retry transactions based on checking the txid then that is exactly what would happen if someone has broadcast a malformed copy that was accepted by the blockchain

that's exactly what the malleability bug is.

personally I believe they lost a lot less to the withdrawal bugs than they let on, and used the funds that they reported as stolen as part of the payback scheme and to continue paying themselves.

Did Silk Road 2.0 Ever fix the "Transaction Malleability" problem that "Lost" all our Bitcoins? by Vendor_BBMC in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

It was possible because of auto-withdrawal and the way it was designed - it would check withdrawals using txn id and if they didn't go through it would retry them.

First post here. Lurker for a long time. Re: research_chemical_inc by DopeLopeThenMoreDope in DarkNetMarkets

[–]the_avid 7 points8 points  (0 children)

Just something that I want to mention before I say anything else: this comment i'm leaving has nothing to do with OP or what is going on here. I'm totally unfamiliar with the situation or what is going on, I rarely click on the threads, etc. The part of this post about doxing someone got my attention. Anyway.

Good scammers and fraudsters always do things that observers would believe are not typical of a scammer. There is almost never a successful scam or fraud where the scammer behaves typically, as most would assume scammers would. Obvious scams only last days, but you string people along in a scam or con by walking the tightrope between appearing legit but at the same time conning enough to make it a successful scam.

You see this everywhere. Madoff got away with it for so long because everybody kept making excuses for him. He didn't even have to defend himself, he has surrogates (his victims) who would make comments about Madoff not needing to scam because he is already so successful, that if it was a ponzi the SEC would have already shut it down, that he has 'special' access to the markets in his role as a market maker which allows him to front-run, etc. etc.

Look at the recent Hiniguel scam, there were a lot of examples there as well. He took a small portion of the coins he stole and donated them to victims of the SR2 hack. For every comment about a missing delivery or Hiniguel possibly being a scammer, there would be 10 people replying 'if he was a scammer, why would he donate coins?', or 'if he was a scammer, what is he still doing here?'. It allowed him to prolong the scam.

So scammers do things that aren't typical. The typical scam behavior is very different to what people believe scam behavior to be.

Again, this is not a comment on this situation here at all since I know nothing about it (nor really wish to), but in the period of a successful scam running and having not been exposed yet it is very common to hear 'if he was scam, then why would ..', etc.

Scams, cons, ponzi's etc. go through cycles - you have the cycle where credibility is established which then switches to scams being pulled off, and then cycle back to establishing credibility again, and then back to drawing funds via the scam again. These waves have a habit of getting larger at each cycle, since the rebuilding credibility phases often convince people who are sitting on the fence to jump into the scam.

Madoff, Ponzi, etc. ploughed all the money and more that they had scammed back into the scheme in order to pick up another cycle of victims. It is the large big wave of scams (as large as you can make it) when you exit and the big money is made.

Now to answer your question, and again - I know nothing about this and am completely not suggesting anything (And apologies to the vendor) - but the simple answer to your question would be that a vendor could temporarily use an escrow marketplace in the phase where credibility is re-established. Once enough trust is regained, it is abandoned for some reason or another and then the phase of vacuuming up funds begins again.

BITCOIN FOG IS NOT SAFE! by [deleted] in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

you should probably give them more time than hours

this happens all the time, people freak out - rush to make a post, and then figure out the problem a day or so later.

BITCOIN FOG IS NOT SAFE! by [deleted] in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

errr, did you try contacting support?

Moronic Monday - It's your weekly stupid questions thread! by AutoModerator in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

after using one wallet for a while, throw it away and go and create another one. 'a while' can be anywhere from 3-12 months.

Moronic Monday - It's your weekly stupid questions thread! by AutoModerator in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

because you don't want too much of a history of address associations in one wallet, in the same way servers are scrubbed on transactions.

Agora hacked by pinkprincess1 in IFfmbHfnpaZjKFvyi1okT

[–]the_avid 3 points4 points  (0 children)

I take hacked to mean access to server or access to a database, not a status screen

Agora hacked by pinkprincess1 in IFfmbHfnpaZjKFvyi1okT

[–]the_avid 7 points8 points  (0 children)

some people really do have a completely different definition of 'hacked'

Moronic Monday - It's your weekly stupid questions thread! by AutoModerator in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

yes, or any hot wallet where the address is shared with a lot of other (legit) users

Moronic Monday - It's your weekly stupid questions thread! by AutoModerator in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

you can if you want to, but it can be explained away with 'I paid a guy online for something' if anything is ever linked back to your clearnet wallet. You should set up new wallets periodically in any case

Prezi Got Pwned: A Tale of Responsible Disclosure by digicat in netsec

[–]the_avid 4 points5 points  (0 children)

seen fixes like this before that also end up getting broken, and the next post will be something like 'well, it turns out if you pass an array or a null character to urlopen ..', or 'if you pass a URL of form ...', etc.

test, not filter.

edit: just noticed the guy above made the same point, but better.

Well, looks like TheDruMonSer is another fucking scammer... by camelcult in DarkNetMarkets

[–]the_avid -1 points0 points  (0 children)

TCF was hacked, it is why it ceased to exist. Carding markets have a long history of being infiltrated since there is a very large and well-developed multi-agency team that works the markets.

The only reason Silk Road ever got attention was because of the Gawker article and the Senate inquiry (which was typical grandstanding to the public on a 'hot' issue where 'something has to be done!'). Even then, with all the attention - the gov agencies couldn't get their act together and co-operate - there were at least 4 separate investigations that we now know of.

The lifespan of the average carding forum is very short. Most DNM's die down with other issues (often security, scams), while with carding forums every few months you get one of these with indictments or arrests.

Just in the past year there have been multiple arrests and indictments. Here is one, here is one more, and here is another (another sting, no less), and the first indictment that included RICO charges (holy fuck) against a carders market.

I've got a ton of other stats that I will be publishing as part of a broader writeup.

Users can make their own decisions based on that information, but the facts are that TCF was hacked and carding markets have a history of infiltration since the mid-90s because of the large and dedicated law enforcement emphasis.

There are also things that I know that I can't disclose, and because I can't disclose how or why I know it you can take this part to be worth the price of admission and decide to believe it or not based on other known facts, and it is this: Tor Carding Forum was (and its new incarnation still is) extensively profiled by both law enforcement agencies in a dozen or more jurisdictions and private security companies. They posed as buyers and sellers. The Target breach was revealed because private security co's and the feds had been buying up dumps on the forums. You would be extremely naive if you believed that there wasn't an extensive law enforcement presence on the old forums and the new - users themselves (although the average IQ is low) refer to it often enough.

My recommendation is always going to be that drug users should stay away from anything carding-affiliated. The stats don't lie: more arrests, more indictments, more stings, more hacks, more LE attention, better skilled and experienced LE, multi-agency and DOJ co-operation, etc. etc. If you don't want to get caught up in this driftnet then you should stay away from it.

My interests have always been disclosed and are as follows: I did work for Drugslist for about 5 weeks which finished over 2 weeks ago. During the Agora DDoS attack I advised them (I reached out to them) and helped them out. I'm hoping to do more with Agora in the future. I've also helped/advised a number of vendors on OPSEC issues. At the time I wrote the post about Evolution I wasn't working for any DNM or planning to.

So agora user limit has been reached. Thank god! by [deleted] in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

it's temporary, used to throttle traffic/attacks.

Moronic Monday - It's your weekly stupid questions thread! by AutoModerator in DarkNetMarkets

[–]the_avid 5 points6 points  (0 children)

Tumbling by definition is mixing 'dirty' coins with clean coins. DNM's don't have clean coins, so they don't tumble - they only obfuscate.

Do either:

coinbase => blockchain clearnet wallet => blockchain darknet wallet (separate browser, tor) => shared send => DNM

or:

coinbase => blockchain clearnet wallet => blockchain darknet wallet (separate browser, tor) => bitcoinfog => DNM

Generate new addresses each time, and don't send the same amount - instead at each step send either a higher / lower amount than what you are transferring and either leave or pickup some change at each transfer point.

Otherwise you can pull up the blockchain and just ask to see all transactions of x amount in this time period.

If you want, you can also break up the transactions into smaller chunks and wait random periods of time between each step.

Doing things like leaving change, generating a unique address, breaking into chunks, waiting random periods of time is what the tumbler sites automate (as well as passing through a large shared wallet)

Security Sunday Fail Trio: Redsun,EXXTACY & Unnamed Market by deepdot in DeepDotWeb

[–]the_avid 1 point2 points  (0 children)

You run both Sanitarium and EXXTASY. It is weird to watch you talk to yourself with each account in the comment threads.

Sanitarium also has issues, but i'm less interested in that site since it isn't a drug DNM.

New Market.. EXXTACY by DarkNetYoda in DarkNetMarkets

[–]the_avid 2 points3 points  (0 children)

yep, or another hidden site.

the way it is now you are essentially giving google your server logs.

introducing the newest DNM noobs: 'my nice guy market'. by the_avid in IFfmbHfnpaZjKFvyi1okT

[–]the_avid[S] 4 points5 points  (0 children)

I probably should have actually hacked that silly EXXTACY site - i'll see how the admin reacts. I really don't want to get sucked into sinking hours or days on end with these things like last time.

I made it all pretty and stuff. by [deleted] in DarkNetMarkets

[–]the_avid 3 points4 points  (0 children)

you've done the right thing.

New Market.. EXXTACY by DarkNetYoda in DarkNetMarkets

[–]the_avid 3 points4 points  (0 children)

the security requirements for Exxtacy will remain high.

lol. seriously, go home.

New Market.. EXXTACY by DarkNetYoda in DarkNetMarkets

[–]the_avid 9 points10 points  (0 children)

you're running a DNM using Drupal on a Windows server, and you are loading fonts from a clearnet site (google, of all places)

are you intentionally fucking with me to make me believe you are actually doing that or are you really that stupid?

edit: or is this a honeypot? please tell me it's a joke or honeypot.

edit no. fucking. way. this really is a windows IIS 5.0 server, running Drupal 7.0 with a bunch of modules installed, loading resources from clearnet urls, being launched as a 'DNM'. i've seen it all now.

edit and just to make it clear for anyone to whom it isn't obvious, sanitarium_market and EXXTASY have the same admin, that is him here in the comments talking to himself using different accounts.

We would like to hire a few security guys from here to check our site and system for any flaws we might have missed. by MrNiceGuySamson in DarkNetMarkets

[–]the_avid 5 points6 points  (0 children)

don't hire this guy, he is an idiot.

he is the user who 'tracked down' the Sheep Marketplace hacker to an address that was a btc-e hot wallet.

We would like to hire a few security guys from here to check our site and system for any flaws we might have missed. by MrNiceGuySamson in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

thanks for the mention but i'm flat out at the moment, haven't even replied to some weeks-old emails with inquiries

Who do I speak to as far as announcing a new market? by MrNiceGuySamson in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

just curious, but at approx what times UTC do you sleep?

Announcing Piratey Darkness - A Completely Different Kind of Marketplace by PirateyDarkness in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

Hilarious but also sad since a lot of it is based on what real markets have said / done.

With gmail now encrypted, do you think vendors might allow communication through there? by sconces in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

Did everybody see the story about how Microsoft tracked down an employee who was leaking code to a blogger by reading his Hotmail account? Turns out that the terms of service of most of the major webmail providers allows them to do this.

So the corporations have access to your email with no warrant via the terms of service, and the government has direct access to it via Prism.

I trust the online companies like Google about as much as I trust the US government.

The google announcement about using encryption has little impact on users - it's about Google's internal infrastructure and preventing sniffing via physical taps (something that came out via Snowden). There is no way anybody involved in darknets etc. should be using Gmail (or hotmail, or yahoo mail, etc.)

What's the current take on BitcoinFog? by 2wr in DarkNetMarkets

[–]the_avid 3 points4 points  (0 children)

That is by design, it wouldn't be an effective mixer if it just sent transactions back out straight away.

You also shouldn't always leave the time period to the default 6 hours, make it longer and randomize it each time you use it.

Best way to create multiple, disposable Bitcoin wallets by 9BS in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

blockchain.info

the only requirement of yours that it doesn't meet is no Javascript - but the reason why it is so popular is because your private key is stored locally in your browser, and you can back it up and it uses the blockchain info API through the browser to do everything.

So it has the convenience of an online wallet but the security of an offline wallet. You can also generate (and label/organize) as many addresses as you want, plus they have no issue with access over tor.

Install a browser plugin like ScriptSafe and allow only that single blockchain.info resource file (it is all within that page). The javascript is open source, accessible and has been checked/audited thoroughly by the bitcoin community. Make sure you access the site over https and use a very long randomly generated password (it encrypts your wallet using that same password).

Moral Conflicts of a Moderator by IGetDankShit in IFfmbHfnpaZjKFvyi1okT

[–]the_avid 2 points3 points  (0 children)

drop all the other stuff because at some point something is going to go wrong that will bring the wrong type of attention to the sub and it'll be gone for good

reddit is already dealing with a lot of PR pressure around allowing gun sales, they have actually flip-flopped on allowing them or not and the lobby groups will likely persist. if they found this place it would only make it worse, IMO

same applies to carding and person ID info, only a matter of time before a blogger discovers that there is a reddit sub 'enabling' these markets (forget that there aren't direct deals, you all know how public spin works).

as an example, look at how the founder of reddit was ambushed in this interview and ended up changing his pov:

http://www.fastcolabs.com/3025789/alexis-ohanian-takes-an-unexpected-stand-on-reddits-gun-problem

edit: i'd like to add that like last time i philosophically agree with being able to sell/trade whatever, but this is more a practical requirement. i also don't think it should be a decision taken by a few people and forced on all, but rather polled to users

Time to get serious about LEO by elburritoh in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

There is a key thing that most people miss, and that is that most OPSEC failures are social and not technological. There is no software you can install that can prevent you from visiting your personal Facebook page or using your real Gmail account while logged into your underground persona.

You need to not only setup the separate technology environment, but you need to split yourself into personas. When you boot into Tails or open your Tor browser with your DNM buyer/vendor identity you need to forget everything else you know about yourself and leave it behind.

This is very difficult to pull off well, and even experienced people get it wrong. When you are in your DNM persona you shouldn't even be reading the same newspaper websites you read using your real persona - everything needs to be completely isolated. It goes so far as writing styles, personality, etc.

IMO this is much more important than some of the tech improvements you can make. You'd rather somebody be running a separate browser on the same machine but be disciplined with identity isolation than someone who is booting into Tails but logs into their personal bitcoin wallet.

If you look at the history of arrests in a large number of cases (might be all?) there is a failure in this department - the cases aren't made with breaking tech alone.

The most recent example - that pedo network, the guys went to the trouble of setting up hidden sites, running VMs etc. but in the end a few of them were speaking to each other using their real Skype accounts. From the outside it might look like a wtf moment (just as Ross posting his personal Gmail account was) but it is easy to become complacent and slip between IDs.

Copypasta of Alice's apology/explanation - March 19 by theweedprince in DarkNetMarkets

[–]the_avid 1 point2 points  (0 children)

Trillion dollar clearnet e-commerce runs on credit cards, which moneys can't be irreversibly stolen from the websites.

Money can't be irreversibly stolen from sites which accept credit cards? Did I read that right? Credit card fraud is billions in losses per year.

It is the same type of infrastructure that has been built around credit card fraud that needs to be built around bitcoin. It will happen, just need to get there in the same way we did with credit cards and online commerce.

Copypasta of Alice's apology/explanation - March 19 by theweedprince in DarkNetMarkets

[–]the_avid 0 points1 point  (0 children)

They can publish a proof of holdings, but how do you know if the funds in that address (or those addresses) equal the amount that are held in the escrow system?

You create an address for every vendor's escrow and give it a unique ID, which the vendor would know. You then publish all the IDs and all the amounts.

That is one way; we (meaning myself and just a bunch of other random tech heads) have discussed other ways.

Also, how do you demonstrate that an address is cold storage or not? It's just an address, like any other.

You don't, I mis-typed that, but the blockchain is public so you do or can show that funds are split.

And how exactly does a site publish why they're secure? Where is the comprehensive checklist for them to follow?

Look at a site like Paypal, they have an entire tab dedicated to security. Clearnet sites also have compliance standards which are published like PCI and the ISO suite, along with the specific security standards. No reason why DNM sites can't have similar. I was doing exactly that with a DNM before it died.

Sure they can lie about it, or hire someone for compliance that would lie for them as well, but even the process of writing up your security steps contributes to weeding out the good from the bad.
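A worked sketch of the per-vendor proof-of-holdings scheme described in the comment above (one escrow address per vendor, an ID only that vendor can recognise, and a published list of IDs and amounts). This is an added example, not code from the commenter or any market; the ID derivation (hash of the day plus a vendor-known secret) and the sample balances are assumptions constructed for illustration, and the "chain balance" lookup is a stand-in dictionary so it runs offline.

```python
import hashlib
from decimal import Decimal

# Constructed sample data (not from any real market): per-vendor escrow records.
# Each vendor has one escrow address and a secret shared only with the market.
ESCROW = {
    "secret-vendor-A": {"address": "addr-A", "amount": Decimal("1.50")},
    "secret-vendor-B": {"address": "addr-B", "amount": Decimal("0.25")},
    "secret-vendor-C": {"address": "addr-C", "amount": Decimal("3.00")},
}

# Constructed stand-in for a public blockchain balance lookup, so this runs offline.
# addr-C deliberately holds less than the market claims for it.
CHAIN_BALANCES = {"addr-A": Decimal("1.50"), "addr-B": Decimal("0.25"), "addr-C": Decimal("2.00")}


def escrow_id(vendor_secret, day):
    """Assumed ID scheme: hash of the day and the vendor's secret, so the vendor can
    recompute their own line while outsiders cannot tell which line belongs to whom."""
    return hashlib.sha256(f"{day}:{vendor_secret}".encode()).hexdigest()[:16]


def publish_holdings(escrow, day):
    """Market side: the daily statement listing (id, address, amount) and the total."""
    lines = sorted((escrow_id(s, day), r["address"], r["amount"]) for s, r in escrow.items())
    return {"day": day, "lines": lines, "total": sum(line[2] for line in lines)}


def verify_public(statement, balances):
    """Anyone: each listed address really holds at least the amount claimed for it,
    and the published total equals the sum of the lines. Returns a list of problems."""
    problems = []
    for eid, addr, amount in statement["lines"]:
        held = balances.get(addr, Decimal(0))
        if held < amount:
            problems.append(f"{eid}: {addr} holds {held}, statement claims {amount}")
    if sum(line[2] for line in statement["lines"]) != statement["total"]:
        problems.append("published total does not match the sum of the lines")
    return problems


def verify_vendor(statement, vendor_secret, expected_amount):
    """Vendor side: locate my own line by recomputing my ID and check the amount."""
    mine = escrow_id(vendor_secret, statement["day"])
    return any(eid == mine and amount == expected_amount
               for eid, _addr, amount in statement["lines"])


if __name__ == "__main__":
    stmt = publish_holdings(ESCROW, "2014-03-19")
    print(verify_public(stmt, CHAIN_BALANCES))
    print(verify_vendor(stmt, "secret-vendor-A", Decimal("1.50")))
```

Showing that the listed addresses are actually controlled by the market (for example by signing the statement with their keys) is a separate step not covered here.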

Copypasta of Alice's apology/explanation - March 19 by theweedprince in DarkNetMarkets

[–]the_avid 2 points3 points  (0 children)

You wouldn't, the plan is not viable. Vendors will just have to absorb their losses and move on - you can make up your losses quicker by moving to another market, earning sales and keeping it yourself rather than paying it out to some silly market compensation scheme.

Copypasta of Alice's apology/explanation - March 19 by theweedprince in DarkNetMarkets

[–]the_avid 2 points3 points  (0 children)

I bet that most of these issues could be resolved with proper security measures and keeping just about all of the funds in cold storage.

Add to that: sites with on-site escrow should publish a proof-of-holdings daily. They are also able to demonstrate cold storage. A cryptographic solution to what we have in real life with FDIC and audits of banks.

And it is time that sites do more than just say they are secure, they should publish details of why they are secure. There hasn't been a single DNM to date that hasn't made bold claims about their security practices, and the number where this has proven to be false dwindles by the day.
