What is this post about?
This post is about issues regarding AlphaBay and what impact they have on the DNM community as well as this sub.
Who wrote this post?
It was written and checked by the mods of /r/darknetmarkets and reflects their opinion.
What happened?
To focus on the four major issues of Alphabay:
1 - 11th March 2016: BigMuscles, an AlphaBay staff member and moderator, asks a user for his private key. He made it very clear that he really means the private key and not the public key of the user. AlphaBay responded and stated that it was caused by the language barrier (because BigMuscles is not a native speaker) and "no harm was done".
2 - 15th March 2016: BigMuscles, an AlphaBay staff member and moderator, asks the same user for his private key again despite the recent trouble that his previous requests for private keys caused. To this day, BigMuscles has not received any sort of punishment and is still an AlphaBay staff member and moderator.
3 - 26 April 2016: AlphaBay made their API public and it was discovered that everybody was able to get thousands of private messages that users sent on AlphaBay. The link is to uneddit.com because many comments in the original thread were deleted.
4 - 22 January 2017: The user /u/Cipher0007 made a post about being able to access over 200k private messages and a list of over 1 million AlphaBay usernames. The vulnerability was verified by several users and by us mods. Cipher0007 also stated that he opened 3 different tickets on AlphaBay explaining the security issue prior to his reddit posts. Since he did not receive a response, he decided to inform the community on reddit. After the reddit drama the bug was fixed after 5 hours due to the big community reaction.
What does that mean?
Referring to the points from above:
1: A market should never ask its users for private keys. Dismissing the situation by saying that the user did not share his private key anyway and "no harm was done" is unacceptable. Even if a user should know to never share his private key, it is the job of a market to provide a secure platform for its users.
2: BigMuscles showed absolutely no insight and asked again for the private key of a user. This shows that the language barrier argument is not a valid argument: if he really is so bad with English that he does not even know the difference between a private and a public key, he should have been fired immediately after the first incident. Or at least someone should have had the talk about private and public keys with him. That he asked for a private key a second time can only mean that he has a clear malicious intent.
3: The bug was a rookie mistake. Basic software testing would include testing whether the software authenticates the user properly and only gives the user the data that he is authorized to view. The incident showed a frightening lack of secure coding knowledge among the AlphaBay staff.
4: The same points as above. Some users may say "Does not matter, users should have used PGP anyway". It is the job of a market to take security as seriously as possible and protect every single one of its users. The more security layers, the better. Yes, the users are partially responsible by not encrypting sensitive information themselves. However, that under no circumstances takes the responsibility away from AlphaBay. Since users often tend to not do the desired actions (e.g. not encrypting sensitive data with PGP), the market has to do everything to keep the private messages private and not forward the blame to the users for such mistakes. Also, given the high profile that AlphaBay has and the simplicity of the vulnerabilities, it is likely that law enforcement had access to many user messages too.
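Point 3 above is a broken-authorization bug: the API authenticated the caller but never checked that the caller was a party to the message it returned. The example below is added here and is not AlphaBay's code; it models a hypothetical message API with constructed users and messages, shows the vulnerable lookup beside the hardened one, and implements the "basic software test" the text describes (try every user against every message and report any read by a non-party).

```python
# Added example (not AlphaBay's code): a hypothetical private-message API
# showing the authorization mistake described above and the basic test that
# catches it. All users and messages below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str


# Constructed sample data: three accounts, three messages.
USERS = ("alice", "bob", "carol")
MESSAGES = {
    1: Message(1, "alice", "bob", "constructed message 1"),
    2: Message(2, "bob", "alice", "constructed message 2"),
    3: Message(3, "carol", "bob", "constructed message 3"),
}


class Forbidden(Exception):
    """Raised when a caller may not read the requested message."""


def get_message_insecure(current_user: str, msg_id: int) -> Message:
    """Vulnerable lookup: authenticates the caller (must be a known account)
    but never checks whether the caller is a party to the message, so any
    logged-in user can read any message by supplying its id."""
    if current_user not in USERS:
        raise Forbidden("not logged in")
    msg = MESSAGES.get(msg_id)
    if msg is None:
        raise Forbidden("no such message")
    return msg


def get_message(current_user: str, msg_id: int) -> Message:
    """Hardened lookup: same authentication, plus an authorization check that
    the caller is the sender or the recipient of the requested message."""
    if current_user not in USERS:
        raise Forbidden("not logged in")
    msg = MESSAGES.get(msg_id)
    # Use the same error for "not yours" and "does not exist" so the response
    # does not reveal which ids belong to other users' messages.
    if msg is None or current_user not in (msg.sender, msg.recipient):
        raise Forbidden("no such message")
    return msg


def unauthorized_reads(lookup) -> list:
    """The basic authorization test: try every (user, message) pair and return
    the pairs where a user who is neither sender nor recipient still gets the
    message back. An empty list means the lookup enforces authorization."""
    leaks = []
    for user in USERS:
        for msg_id, msg in MESSAGES.items():
            try:
                lookup(user, msg_id)
            except Forbidden:
                continue
            if user not in (msg.sender, msg.recipient):
                leaks.append((user, msg_id))
    return leaks


if __name__ == "__main__":
    print("insecure lookup leaks:", unauthorized_reads(get_message_insecure))
    print("hardened lookup leaks:", unauthorized_reads(get_message))
```

The test function is the part worth keeping: run it against every endpoint that takes an object id, in a test suite, so a regression that drops the ownership check fails the build instead of being found by a user enumerating ids.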
We would also like to thank /u/Cipher0007 for handling the disclosure of the vulnerability in an exemplary way. He could have easily leaked all the private data or sold the vulnerability to law enforcement. But he did not. Thank you /u/Cipher0007.
What are the consequences?
We, the mod team of /r/darknetmarkets, think that even only one of the above four reasons would be enough to purge a smaller market from the superlist. AlphaBay made four of them. AlphaBay showed that they cannot run a market securely and care little about the well-being of their users. The size of the user base should not be an excuse to let such a danger for the community be listed on the superlist.
We are therefore in favor of removing AlphaBay from the superlist for now. We would also like to replace it with detailed warnings about the four issues mentioned above.
We could mention other well-known link sources like deepdotweb.com and dnstats.net on the superlist where users can still find AlphaBay links. Furthermore, automod still only allows white-listed onion links (that includes AlphaBay links) to be posted. So the possibility that someone gets phished because AlphaBay is not directly listed on the superlist is basically non-existent.
What should I do now?
We are aware that this is not a step we can simply make without the community. We therefore ask you to share your opinion on that issue in the comments. Do you think that it is the right step? Then make a short comment saying that. Do you think that it is not the right step? Then tell us why you think AlphaBay should still be on the superlist.
Whatever you comment: keep it down-to-earth and support it with strong arguments and facts. This will ensure that your comment will be read and is a useful part of the discussion. Comments that for example insult people or are off-topic are not welcome.
Regardless of what we eventually do, AlphaBay will continue to exist because there are many AlphaBay users who do not visit this sub and will probably continue to use the market.
We have not yet discussed under which circumstances a market (not just AlphaBay) gets relisted on the superlist. If you have ideas for it, please share them in the comments too.
What can I do to protect myself in the future?
Besides reading and following the guides on /r/darknetmarketsnoobs there are a few points we would like to mention here:
always encrypt sensitive data by yourself AND on your computer. Letting the market encrypt the message for you is not secure because they can always store the plaintext version of it somewhere, before encrypting and sending it. Furthermore, if a market is compromised by law enforcement it is very likely that they use the above-mentioned attack to harvest buyer addresses.
market admins: you could create a "security hotline". This is a separate support system specifically for security bugs which should be checked as often as possible. If a new message is sent, the market staff should receive an important notification and immediately check on it. If a user misuses that hotline, he should get banned.
delete old messages that contain incriminating information. It is not the ideal way, but it reduces the risk of a third party reading these messages.
always use different usernames on markets and other platforms such as reddit. If someone is able to break into your account on one site, you do not want to lose access to all your other accounts too and get your money stolen.
For those that think these things go unnoticed:
http://www.ibtimes.co.uk/alphabay-leak-over-200000-private-messages-dark-web-drugs-marketplace-hacked-1602824
https://www.bleepingcomputer.com/news/security/bug-allowed-access-to-over-218k-private-messages-on-dark-web-marketplace-alphabay/