[Suggestion] Market Admins should have to regularly prove ownership of market/keys.

The Dream Market Honeypot is only possible because SpeedStepper isn't required to sign any messages.

When Dream gets taken down, a la SR2, we're all going to say "We should have known! We could have prevented all these arrests."

I would recommend that every market maintain a canary, or at least be able to prove that they still control all admin keys on a regular basis.

In the meantime, if you are saying anything on Dream, without PGP, or if you're buying anything more than personal use amounts, you're taking a huge risk. If this is a choice you make, then you don't value your freedom or the freedom of your customers, and will have no room to complain when you are serving your time.


Comments


[10 Points] _PrinterPam_:

The Dream Market Honeypot

As they say in the legal realm: Assuming facts not in evidence.

maintain a canary

Read up on what those are, and under what circumstances they're useful (e.g., gag orders), and you'll soon realize that they're not really applicable to illegal conduct engaged in by anonymous individuals.

or at least be able to prove that they still control all admin keys on a regular basis.

Scenario 1: A bad actor hacks/infects a market server and acquires one or more private keys belonging to the admin and/or market. Now the bad actor can 'prove' (i.e., pretend to be) he is in possession of the key. Not really helpful in an anonymous world. Scenario 2: LE physically busts the admin and 'flips him,' or coerces him into handing over passwords/private keys, and/or masquerades as the admin using the seized keys. Not really helpful in an anonymous world.

if you are saying anything on Dream, without PGP, or if you're buying anything more than personal use amounts, you're taking a huge risk.

What does that have to do with Dream? If you aren't encrypting your address or sensitive messages on any market, you're taking a huge risk. In fact if you order anything illegal, even if you encrypt everything, you're still taking a risk. Choose vendors carefully, encrypt sensitive info, and let's keep the tin-foil hat stuff for Tuesday's thread.


[3 Points] wombat2combat:

not commenting about dream but just saying that this is in general a good idea. it has been added to the superlist some time ago as a requirement since it adds the pressure to law enforcement to time their take over right and make sure they get access to the pgp key too.

You must publish a PGP signed message every week on the day you got listed on the superlist. That means, if you get listed on a Tuesday, you must publish a signed message that contains something like this on every Tuesday: 'As of <current date> the admins of <your market> are alive, free and not compromised. Here the hash of a Bitcoin block that got broadcasted today: <btc block hash>'. The message must be signed with your market PGP key and published at any time on the required day (UTC is used as the time zone). You only have to publish the 'canary' on your own market (e.g. under market.onion/canary.txt), the DNM community will take care of spreading and verifying it.

once we have taken care of the head mod issue [which is being worked on] we will add additional mods to the superlist subs and do some changes over there which will also include enforcing these signed messages [for new markets only at the beginning].


[3 Points] DirtNapMarkets:

We need these markets to start paying a bond to operate in case they try and exit scam.


[2 Points] MasterM1nDDD:

WallStreet is doing something like that already: Marketurl//verify.txt

It's an admin-signed message updated every 2 weeks.

This also seems to be a criterion to get listed on the Superlist: /r/DNMSuperlist/comments/6pxw5p/updated_market_listing_criteria/

But I have a hard time finding this on any market that is listed on the Superlist.

/u/wombat2combat sure can help.


[1 Points] 2happytimes2:

I saw libertas post some proof that they were still the admins and not compromised on their subreddit yesterday, I think it was.


[1 Points] SpeedStepper:

right