Howdy,
Whyusheep had recently made claims which do have some merit but are overblown, and has not provided any security issues or exploits. If he really claims to be a great guy trying to help everyone, he should provide me privately with the IP that he claims he has obtained - I will do what's best: ask everyone to withdraw any funds and I will shut down BlackBank permanently - and wipe the hard drive for security.
However, he hasn't provided anything.
As stated in this post:
All markets reveal a banner and some in the top 5 also reveal the versions. Out of all these markets, I am the only one who actually took what whyusheep said into consideration and made changes.
I care about security because we are a community. We look out for each other - not post 'exploits' publicly on Reddit or forums where LE has access just to gratify a little ego.
Imagine the damage if he DID really find a huge exploit and posted it here. I'm sure LE would use that information immediately, find the location immediately, and take the market down and confiscate all vendor/buyer details they can find.
If one day he finds a script that DOES penetrate a system, he'll boast how he did it here first, giving the LE everything they need. Just as he was boasting how he can search Google for exploits for my webserver; LE can also do the same the moment they read the details.
The proper procedure for pentesting is to keep details discreet between the market and pentester:
- Announce a vulnerability exists to the members
- Take the site offline to repair any vulnerabilities
- After the patch is completed, the details of the vulnerability are announced to the rest of the public
Not announce any details you have on your exploit first so LE has a chance to access the exploit, jeopardizing both the buyers' and vendors' information, simply to feed an ego.
I'm sure that everyone here knows that LE is constantly watching this subreddit.
If you come to BlackBank, you will see that I immediately announced the issue, even when it was just speculation. I believe that members of the community should always be made aware and informed of any security issue, whether they are small or big, whether they are rumors or true.
Every detail counts.
Cheers,
MDParity
I had forgotten about the whyusheep and the_avid subplot.
It was getting interesting with the dueling knights thing for a while but I got a bit bored with it after a while. Glad to see it back, though!