PSA: the Middle-Earth Market Admin is a Liar

I've been meaning to write about the Middle Earth info page for a while now. It's infuriating. I'm a customer only because there are certain vendors that I use that only operate on MEM. Imagine my joy however when my vendor went on vacation and I decided to withdraw without making a purchase. Learned that lesson! And that dumb "No Money? Eye of Sauron is watching you" message if you try to withdraw with no money in your account.

This is all taken from http://mango7u3rivtwxy7.onion/pages/welcome/

This marketplace has been built with one thing in mind, security.

Remember when they created the market and they had mandatory JavaScript? They (supposedly) have security in mind for the server it's hosted on, but they don't mind sacrificing your security to obtain that security.

Every single feature of this marketplace has been custom built by us and us alone. There is absolutely no third-party software whatsoever.

That's funny, because a peek at your headers shows that you're running nginx as a frontend caching proxy while presumably running apache as the server. You also have gzip configured, and I'm sure you're running PHP.

We back up the market multiple times daily and have multiple servers. If a server is compromised, Middle-Earth would re-spawn under a new URL with all users' BTC safe and untouched.

Uh huh.

It is not possible to retrieve any data from the servers, they are heavily encrypted and will shutdown/wipe if tampered with in any way.

If you know anything about encryption, you'll know that this is a LIE. The way encryption works is that after you enter the decryption passphrase it stays in memory until shutdown. Otherwise, you would have to continually enter the passphrase for as long as the system is running, for every single read/write operation. I don't believe you about tamper detection, you're not that skilled.

The forum is on-site for security reasons. It is not a good idea to have off-site forums, they are security holes. SMF (SimpleMachineForums) has been hacked again and again in DarkNet's history. Additionally, that would be third-party software which, as I said before, we do not use.

No, now you're lying again, you do use third party software. Yes, SMF has had security vulnerabilities along with most other software with large codebases (see: exploit-db.com). I know that your forum software is coded by you, and provided you coded everything properly it may be more secure than SMF (just wait until a vulnerability comes out that you know nothing about though. PHP unserialize() anyone?) However, it would still be more secure to host it on its own server. I don't know if you're lying or simply uneducated.

Everything is about security. Security security security.

Yep, mmmmkay.

/rant
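As an added illustration of the header check the post describes (example code written for this page, not from the post or from the market): a small audit that parses a captured HTTP response and flags headers disclosing server-side software or extra layers such as a caching proxy. The two sample responses are constructed, and since header values are self-reported by the server they are evidence of configuration, not proof of what is actually running.

```python
# Response headers that commonly reveal the software stack behind a site.
# Constructed list for this example; extend it for your own deployment.
DISCLOSING_HEADERS = ("server", "x-powered-by", "via", "x-cache", "x-generator")

# Constructed sample responses (not captured from any real host).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"            # frontend web server / proxy disclosed
    "X-Powered-By: PHP\r\n"        # application runtime disclosed
    "Via: 1.1 edge-cache\r\n"      # an intermediary (caching proxy) in the path
    "Content-Encoding: gzip\r\n"   # compression enabled
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {name: [values]}).

    Header names are lower-cased so lookups are case-insensitive; the body
    after the blank line is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed lines rather than failing the audit
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_disclosure(raw):
    """Return (header, value) pairs that disclose software or infrastructure.

    An empty list means the response reveals none of the audited headers,
    which is what a hardened configuration should produce.
    """
    _, headers = parse_headers(raw)
    findings = [(n, v) for n in DISCLOSING_HEADERS for v in headers.get(n, [])]
    if any("gzip" in v.lower() for v in headers.get("content-encoding", [])):
        findings.append(("content-encoding", "gzip compression enabled"))
    return findings
```

Run `audit_disclosure` over your own site's responses to see what you are advertising; anything it returns is information a visitor can read without authenticating.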


Comments


[3 Points] throwaxanny:

I thought it was well known that marketplace sucks?


[1 Points] Jesus_Tor:

Take a bar, mate.


[1 Points] FrozenMCVegetableCok:

In regards to the claim of building every software package, they're actually referring to having compiled the software packages you mentioned from source code themselves, not writing their own software. There are some source code changes suggested when building the packages for use with onion services by the Tor Project.

It doesn't mean they actually did it.


[1 Points] young_k:

I don't know if you're right or wrong, and I don't know if they are lying or not, but you didn't exactly prove anything they said was a lie with your rant :(

I was looking forward to some solid evidence. Even headers can be spoofed quite easily... (not that I think they were)