Cryptographic proof of the following message can be found at the bottom.
I started working for Absolem/Havana about a week ago as a security consultant. After showing them they had a lot of critical errors in their nginx configuration, server setup and code, I brought these issues to them privately and, unlike other operators, they responded quickly and wanted to fix the issues. They then offered me 7.5% equity in all future profit for my continued services. Everything seemed to be going well. You may have noticed they no longer let you browse the market without logging in, no longer leak nginx in their headers, and many other issues I won't go into.
After about a week of working with the developer ProbableFire, I quickly realized he was completely ignorant of secure programming and server administration. For example, when I told him he should add some rate limiting configuration to his nginx, he asked for a guide because he had never done it before. He implemented IP-based rate limiting, caused his site to DoS itself, and went to sleep. The site DoSed itself for nearly 9 hours. ProbableFire completely misunderstood how Tor worked. I helped him correct it and make it cookie based. Over the week I encountered countless similar issues, proving time after time that this was his first major project and that he had no idea how to properly secure a server.
Meanwhile Fidel, who is the "business" side of the operation, asked me to lie to the community, saying I should use my reputation under the account /u/hacksforcrack to claim that there had been no security issues, because some vendors were not joining until a proper audit had been done.
Finding an exploit in their PHP code and improper permissions I was able to gain access to their server. The first thing I noticed was that they did not have an onion address assigned for their incoming port SSH connections. I confronted ProbableFire about this and he asked if he should do that, and that is when I decided I no longer wanted equity in a project that was clearly doomed to failure because of operator incompetence.
I started gathering the logs of all incoming SSH connections and times, gathering information about their riseup accounts, copying logs, the database, the onion address keys and even the code.
I notified them that I had done this and that their onion addresses were compromised, that they should pay me 5 BTC for the services I had already provided to this point because I no longer wanted to work for them. They refused.
After days of trying to quietly negotiate with them directly failed, and because I have no other choice, I'm notifying the community. These operators are not only incompetent but they are liars. Their system is insecure and they will likely be arrested by DEA/FBI once they gain any popularity. It appears they encourage server side PGP encryption, which in their case is not secure. The same goes for their server side implementation of multi-signature escrow.
If they continue to refuse to pay I will eventually leak the database and the IP addresses I have collected to the authorities or here, haven't decided yet. Seems to amount to the same result.
I was recently censored on their forums while they continue to pretend nothing is happening so that is why I posted this here.
It was fun while it lasted.
Game over kiddies, you need to pay up or relaunch under a different name and a different server.
Proof:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Absolem/Havana markets will compensate Hacks4What at a rate of 7.5% of gross profits as renumeration for services provided on an ongoing basis. This agreement will continue for as long as Hacks4What continues to provide the agreed services which include the following:
Hacks4What will be the technical lead in defending Absolem/Havana from external attacks, directing appropriate defensive stragegies as needed in critical situations.
Hacks4What will act as security consultant; he will keep up to date on the latest threats to hidden services and web servers, alerting Absolem/Havana admins of relevent 0-day exploits, providing recommendations for hardening services and operation.
Hacks4What will provide ongoing pentesting, auditing and alerts to new threats.
Hacks4What will keep all information about Absolem/Havana's systems and business operations strictly confidential and will not report vulnerabilities or attacks to anyone outside of Absolem/Havana's management team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCgAGBQJVR7fSAAoJEHCQmkxXtiGFfW8IAMFYAF7hvOcDmDFii1CPrDS7
VU0JVP4L36egNpx6GiFmT0HxaOGCLoUkskycZi+PYPOa3/a6jM1rkCELcWsfpfz3
q76awvoG+OlYUAM6eEaIbgJvDgxEEqi1xrITLyOjnkEhfbsFhJ2kYDkFuOhthoEN
+g2zOuOP8leajrrDR8oi65tY11hZ+L6d5OlcGZJyHOLWapzcErZVDaG/w9+0egRw
KGk0zCRnMooP1OeUtf8c9VPCiyJVbQnbJlcs34XNOdyKsa3NWu5lhqx4toEMmcRh
EaR12keFaI2TwZlHv209AlWkyI7GNP4ZO2zV7xABnWP0OPf+mi/jfMCv04xiUHg=
=uukX
-----END PGP SIGNATURE-----
Copy of their key in the situation they try to replace it and pretend this is not happening:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
[public key body not present in this copy of the post]
=+7cW
-----END PGP PUBLIC KEY BLOCK-----
EDIT: Here is the transaction where they paid me 1 BTC for telling them they needed to add max client body size to their nginx config.
https://blockchain.info/tx/36096306d15f28b63254c309e6133f42002a5281e19eba93d7a17c31b204120a
I hope you tumbled those coins Fidel, otherwise :(
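The self-inflicted outage the post describes (IP-keyed rate limiting behind a Tor hidden service) and the missing body-size limit mentioned in the EDIT, shown side by side as an nginx configuration. This is an added illustration, not Absolem/Havana's actual configuration and not anything the poster published: the session cookie name `sid`, the backend address, the listen port and the rate values are assumptions.

```nginx
# Added example; assumed layout: tor's HiddenServicePort forwards to nginx on
# 127.0.0.1:8080, the PHP app issues a random session cookie named "sid",
# and the rates below are placeholders, not tuned values.

events { worker_connections 1024; }

http {
    # BROKEN: behind a Tor hidden service every request is delivered by the
    # local tor daemon, so $binary_remote_addr is 127.0.0.1 for every visitor.
    # One shared bucket then throttles the whole site: the nine-hour self-DoS
    # described in the post.
    #
    #   limit_req_zone $binary_remote_addr zone=perip:10m rate=5r/s;

    # FIXED: key the limit on the session cookie instead. nginx does not count
    # requests whose key is empty, so the two maps split traffic into
    # "has a session" and "no session" and each gets its own zone.
    map $cookie_sid $rl_key {
        default  $cookie_sid;   # logged-in: one bucket per session
        ""       "";            # no cookie: not counted in this zone
    }
    map $cookie_sid $anon_key {
        default  "";            # has a cookie: not counted in this zone
        ""       "anon";        # all cookieless traffic shares one bucket
    }
    limit_req_zone $rl_key   zone=persession:10m rate=5r/s;
    limit_req_zone $anon_key zone=anon:1m        rate=20r/s;
    limit_req_status 429;

    server {
        listen 127.0.0.1:8080;          # only reachable through tor
        server_name _;
        server_tokens off;              # stop advertising nginx/version in headers
        client_max_body_size 2m;        # bound request bodies (the fix from the EDIT)

        location / {
            limit_req zone=persession burst=10 nodelay;
            limit_req zone=anon       burst=40;
            proxy_pass http://127.0.0.1:9000;   # assumed PHP application backend
        }
    }
}
```

The cookie key only holds up if the application rejects requests carrying a session id it never issued; otherwise a client can rotate cookie values to obtain fresh buckets. That is why unauthenticated traffic gets a separate, deliberately coarse bound here, and why a `limit_conn` on the tor-facing socket remains worthwhile alongside `limit_req`.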
Man when the page header reads "stay for the drama", I didn't think it would mean DAILY drama, but it does.