Whoever does the security at Darknet Heroes is an incompetent

Seriously, requiring a PGP key during signup?? For buyers? Here's the problem: having an identifying key in your PGP keyring actually decreases security when the feds go to connect your account to a computer or identity. Most users do not practice proper keyring security. PGP is pretty useless for buyers anyway, as long as they encrypt their address.

Just adding more layers that look like security isn't security. What types of attacks are being prevented here anyway? Stolen accounts? Why not go the traditional PIN route like any other marketplace? Just makes no sense.

Edit1: Also, requiring a number in the password does not increase security. It actually reduces the brute-force/dictionary keyspace if you exclude all passwords with <1 number.

Edit2: Also leaking platform information in headers: "Server: lighttpd/1.4.35" Coolio. I hope this is false flag info.

Edit3: Server is running PHP. Change your damn session ID variable name.


Comments


[4 Points] rikkeemartina:

Requiring PGP during signup weeds out complete newbies. I like that. There are lots of OG vendors there that appreciate the smart buyers it attracts. Any OPSEC-minded buyer would know not to have their PGP key lying around in the open. And it explains why DHL has had zero disputes since launch, except one recent minor dispute in the last week if I'm not mistaken.


[3 Points] burnaccountdnm:

There's so many issues with other markets and very little with DHL that I feel like people are just trying to find any possible thing to complain about. I mean seriously, your primary market complaint is that you require PGP to sign up?


[2 Points] MDMangel:

OP are you serious!?!? /u/AutoModerator, what do you think this guy's problem with DHL reeeeealy is? And /u/sapiophile loves grilling people over shit like this.


[2 Points] 4-MAR:

And the message that "System" sends you:

-----BEGIN PGP MESSAGE-----
Version: ADDER AutoEncrypt v2.8.11

Now we know another program this server is running.


[2 Points] DHL-1:

Thank you for taking time investigating our security.

Let me address your points a bit here.

We require PGP keys from all users to make sure that any message ever sent is secure (excluding those that intentionally are not encrypted by clicking the appropriate checkbox).

Judging from history no other market has ever forced this on their users which leads to bad situations like the FBI still investigating and raiding people that ordered back on SR1. Did they even start investigating the treasure trove that SR2 was?

We won't allow any useful information to get into the wrong hands should our server ever be found. We too have some surprises up our sleeves should that day ever come. But paramount is the security of our users and that will never change. Also this is the big reason why we take forever implementing the Market V1.0. We recently agreed we could have built 3 maybe 5 "fly-by-night" markets in the same timeframe, but as it looks we are nearly the only ones who plan in advance and mean to sincerely advance the DNM scene and show that a nearly fraud-free environment for peaceful exchange is actually possible.

PGP is not useless for buyers, it actually is their single most important defense.

I can see your point, that LEO finding a user's keyring and then finding the same key registered on a market "could" lead to a bad situation BUT a) it is no proof that the user really registered there. I could pull 100k keys from a public key server and just auto register random accounts with those keys attached. Will the FBI handcuff all of these people?

b) If LEO advances so far as to get to your keyring then you already failed at all other OpSec measures like encrypting your HDD, using Tails, using Whonix and so on. And they have to seize our keyring as well to make sense of it, don't forget that. Not sure how they're gonna do that when we are finished with the beta phase of our market.

c) As another user pointed out no investigation will start from a PGP key. It starts the moment they discover drugs in the mail.

Regarding your EDIT1:

Requiring a number in the password will increase security if it makes the user choose a more secure password. It will otherwise very slightly decrease security as an attacker can assume that all passwords contain a number. That decrease is however very very small. We specifically tell users to use a password manager like KeePassX to generate passwords with a high entropy.

Regarding your EDIT2: Please hack it. Even if it were lighttpd, have fun changing only one bit in our READ ONLY filesystems without an alert reaching us immediately, since the checksums of every deployment are validated every few minutes.

Regarding your EDIT3: Good point. It's already included in our issue list, but again the same READ ONLY parameter avoids further exploitation of this fact.

Regarding a user comment about: Version: ADDER AutoEncrypt v2.8.11

5 BTC for the user who can find out what the acronym ADDER stands for. Its origin was an inside joke before we launched so we just used that... not much to it. So indeed it is for vanity purposes.

The SHA512 hash for the solution (all small caps, no spaces) = a3959a970b9ae29cff84f35f95a8159e03916a02dd6a7ef8277a81f5f96226cfc9684fd3313c5f984d4f524d003079fc58b10bd9a6a3fa716802cb15a1511034

As a final note let me say that we are still beta and are working day in day out to finish our infrastructure. When it's done... I guess you know that phrase about "torched earth"..

Again thank you for investigating and trying to prevent harm to the community. This is always appreciated.

Cheers!

EDIT1: Forgot to explain about the use of PGP auth for nearly everything. It allows us to fine-grain permissions for staff and admins so no member of staff can ever act badly like changing balances or keys or even xpubs (they cannot see those anyway). Even if somebody hacks the database every sensitive bit is signed and validated so entries without the correct signature are ignored and the last known good one is used. Also avoids a lot of attempts in social engineering and blackmail since every change is always documented exactly by signature. Another fact is that it avoids all phishing but onioncloners, but we work on an antidote for that as well. And last but not least it indeed weeds out all newbies. We don't want any users on the market that are not able to implement and use the most basic security precautions.
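The keyspace argument from the OP's EDIT1 and DHL-1's reply to it, worked through numerically as an added example (this is not code from the thread or the market). It assumes passwords of a fixed length drawn uniformly from the 95 printable ASCII characters, and measures how much brute-force work an attacker saves by knowing every password contains at least one digit.

```python
# Added example (not from the thread): how much a "must contain a digit" rule
# shrinks the brute-force keyspace. Assumption: passwords are drawn uniformly
# from the 95 printable ASCII characters at a fixed length.
import math

PRINTABLE = 95               # assumed alphabet size (printable ASCII)
DIGITS = 10
NON_DIGIT = PRINTABLE - DIGITS


def keyspace(length: int, require_digit: bool = False) -> int:
    """Number of passwords of exactly `length` characters.

    With the rule in force, passwords made only of non-digits are excluded,
    so an attacker who knows the rule never has to try them.
    """
    total = PRINTABLE ** length
    if not require_digit:
        return total
    return total - NON_DIGIT ** length


def entropy_loss_bits(length: int) -> float:
    """Bits of brute-force work saved by assuming every password has a digit."""
    return math.log2(keyspace(length)) - math.log2(keyspace(length, True))


def random_password_bits(length: int) -> float:
    """Entropy of a password-manager-generated password over the same alphabet."""
    return length * math.log2(PRINTABLE)


def report(lengths=(6, 8, 12, 20)) -> dict:
    """Map each length to (bits lost to the rule, bits in a generated password)."""
    return {n: (round(entropy_loss_bits(n), 3), round(random_password_bits(n), 1))
            for n in lengths}


if __name__ == "__main__":
    for n, (loss, total) in report().items():
        print(f"length {n:2d}: digit rule costs {loss:.3f} bits of {total:.1f}")
```

The loss is below one bit at eight characters and shrinks further as length grows, which is the "very very small" decrease DHL-1 describes; the OP is right that it is a decrease, not a gain, for randomly generated passwords.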
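DHL-1's EDIT1 describes a store where every sensitive entry is signed, entries with bad signatures are ignored, and the last known good one is used. The following is an added example of that pattern, not the market's code; it assumes an HMAC with a key held outside the database in place of the PGP signatures the post describes, and adds a monotonic sequence check so a replayed old row is rejected as well.

```python
# Added example (not DHL-1's code): tamper-evident records where unsigned or
# altered rows are ignored and the newest validly signed row wins.
# Assumption: an HMAC key kept off the database host stands in for PGP signatures.
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed, never stored in the DB


def sign_entry(entry: dict) -> str:
    """Tag over a canonical JSON encoding so field order cannot change the result."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canon, hashlib.sha256).hexdigest()


def store(entry: dict) -> dict:
    """Only a code path holding the key can produce a row that will later validate."""
    return {**entry, "sig": sign_entry(entry)}


def verify(row: dict) -> bool:
    body = {k: v for k, v in row.items() if k != "sig"}
    return hmac.compare_digest(row.get("sig", ""), sign_entry(body))


def current_balance(rows: list) -> dict:
    """Walk history in order; keep the newest row that validates and advances seq."""
    good = None
    for row in rows:
        if verify(row) and (good is None or row["seq"] > good["seq"]):
            good = row
    return good


def demo() -> dict:
    # Constructed history: two legitimate writes, then a direct DB edit made
    # without the key (the attacker copies the last row and changes the balance).
    history = [
        store({"user": "alice", "balance": 100, "seq": 1}),
        store({"user": "alice", "balance": 60, "seq": 2}),
    ]
    forged = dict(history[-1])
    forged["balance"] = 999999
    forged["seq"] = 3
    history.append(forged)            # sig no longer matches the altered body
    history.append(dict(history[0]))  # replay of the seq-1 row: valid sig, stale seq
    return current_balance(history)
```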


[-2 Points] 4-MAR:

Careful - insulting people's favorite market will get you downvoted and ignored by their cult followers even if you're trying to help.

I like your style (seriously fuck DHL's shitty market pretending to be all elite, what a crock of shit!), but you could have worded this in ways that would have got it upvoted.