Silk Road forums

Discussion => Silk Road discussion => Topic started by: TheProf on November 23, 2012, 03:06 am

Title: Not to incite panic, but
Post by: TheProf on November 23, 2012, 03:06 am
Is it possible that front page is a hack and is harvesting our passwords?
Title: Re: Not to incite panic, but
Post by: zenvoboy on November 23, 2012, 03:10 am
...panic incited.

As we sit here like baboons, scratching our heads as we enter our username and password and click enter, over and over again...

I'm lucky. I have 0BTC in my account.
Title: Re: Not to incite panic, but
Post by: rabbit88 on November 23, 2012, 03:11 am
URL looks good that was my first concern. I think what we have here is a brute force attack on the login page. The last time SR went down I believe it was someone using up all the resources after logging in with multiple accounts. Think they got the bad logins out ... now they are hitting the login page over and over with wrong userid's passwords in an attempt to disrupt.
Title: Re: Not to incite panic, but
Post by: unkn0wn_ on November 23, 2012, 03:12 am
If it was hacked they wouldn't bother attempting to collect passwords this way.

Hacking is very time sensitive. If the real goal is to steal money, they get in and get out quickly.

A login page capture would be too obvious and probably pointless since they'd have access to the full site.

Once you get access to a database, you can always crack the password encryptions.
Title: Re: Not to incite panic, but
Post by: TheProf on November 23, 2012, 03:17 am
I was thinking more along the lines of a hack to tor, or perhaps a stolen private key (for the tor hidden service).

I'm not paranoid but like zenvoboy as I was logging in over and over started thinking 'hmm wouldn't it be funny if ....' .. hmmmm
Title: Re: Not to incite panic, but
Post by: rabbit88 on November 23, 2012, 03:33 am
These attacks are hard to defend with giant data centers and resources that include teams of very smart guys.  DPR must feel very lonely when it comes down to defending the site from hackers DDOS and brute force attacks. 
Title: Re: Not to incite panic, but
Post by: h3n on November 23, 2012, 04:29 am
DPR must feel very lonely when it comes down to defending the site from hackers DDOS and brute force attacks.

Yes, people don't really understand this part well enough. DPR is making money, but that money is almost useless for maintaining the site. There are people who could help, but he can't hire them. He can't trust anyone. He is literally risking his life.

People really quickly lose perspective. We are all very lucky to be taking part in this.
Title: Re: Not to incite panic, but
Post by: residenteactual on November 23, 2012, 05:44 am
DPR must feel very lonely when it comes down to defending the site from hackers DDOS and brute force attacks.

Yes, people don't really understand this part well enough. DPR is making money, but that money is almost useless for maintaining the site. There are people who could help, but he can't hire them. He can't trust anyone. He is literally risking his life.

People really quickly lose perspective. We are all very lucky to be taking part in this.
Totally agree. This is a great moment in history, libertarianism in action. The greatest libertarian experiment in the information era. I am god damn proud and I regret NOTHING.
Title: Re: Not to incite panic, but
Post by: dbz4u on November 23, 2012, 05:50 am
DPR must feel very lonely when it comes down to defending the site from hackers DDOS and brute force attacks.

Yes, people don't really understand this part well enough. DPR is making money, but that money is almost useless for maintaining the site. There are people who could help, but he can't hire them. He can't trust anyone. He is literally risking his life.

People really quickly lose perspective. We are all very lucky to be taking part in this.
Totally agree. This is a great moment in history, libertarianism in action. The greatest libertarian experiment in the information era. I am god damn proud and I regret NOTHING.

Why not ask trusted vendors or buyers with programming expertise to work on small segmented parts of the site? That way the code would be broken up, so no user would have full access to the site, while still buffing up the infrastructure.

If the person has a vested interest in Silk Road's success, obviously they will do everything in their power to make this have the best backbone of any tor site on the web
Title: Re: Not to incite panic, but
Post by: h3n on November 23, 2012, 06:23 am
Why not ask trusted vendors or buyers with programming expertise to work on small segmented parts of the site?

This does seem possible, at least in some cases. If he were to specify what functionality he needed, people with no special access could code stuff for him. He could essentially write unit tests for the PHP class he needs, and other people could fill it in. But I'm not sure how often he needs stuff like that done. It's hard to say what SR's biggest problems are without talking about details.
Title: Re: Not to incite panic, but
Post by: smeghead on November 23, 2012, 06:34 am
panicking !   :-\
Title: Re: Not to incite panic, but
Post by: Psychadelia on November 23, 2012, 06:34 am
Possible, however extraordinarily unlikely. First and foremost I have no clue how someone would spoof the main site address so that anything trying to connect to the real SR actually got redirected to the fake address...and I have to guess this would be an even more difficult task with TOR hidden services. The only way this could really be done is if someone had control over or at least access to everyone's internet connections and did a man in the middle attack with ARP Poisoning, on each and every single computer in the world connecting to SR. On the other hand I noticed mention of brute-force and DDoS, brute-force is already highly unlikely to be efficient when performed on clearnet sites, I can only imagine trying to set up a brute-force client to connect to a hidden service AND somehow figure out how to properly limit requests so that it wouldn't DoS the site accidentally while trying out every combination of passwords and usernames possible while keeping it running quickly enough that you get past the 4 letters/numbers/symbols mark within the first 24-48hrs. Brute-forcing is insanely time and resource consuming, and if someone was able to get in and replace the main page with a phishing page, as someone else pointed out, they also have access to our password hashes...could take like 5 minutes to get 50% of passwords with rainbow tables for example, and no one would have a clue anything was ever wrong. When hacking, especially for monetary gain, the most important thing is stealth. You have to be about as stealthy if not stealthier than the vendors sending packages here. You slip up on that stealth with SR you MIGHT serve SOME time, or even just some probation...entirely different story in the world of hacking. If you aren't stealthy enough to begin with, you'll never get in. If you get in and don't remain stealthy, you won't be in for long, you lose everything you've worked for and possibly even get traced.
After repeating that a few times, you end up with some very serious charges and possibly even a life sentence. If SR really gets hacked, we won't have such obvious signs, at least until btc starts to go missing...unless they just want it down or it was done simply to show it could be done, in which case it's more likely that there would just be a deface page than anything else.

Hope my "mini-rant" gives relief to anyone fearing that SR has been hacked now or in the past, and on the other hand I agree with dbz4u about basically making up a team comprised of trusted users to work on specific sections of code.
Title: Re: Not to incite panic, but
Post by: smeghead on November 23, 2012, 06:42 am
panic subsiding..
Title: Re: Not to incite panic, but
Post by: THUMBSuP. on November 23, 2012, 06:51 am
URL looks good that was my first concern. I think what we have here is a brute force attack on the login page. The last time SR went down I believe it was someone using up all the resources after logging in with multiple accounts. Think they got the bad logins out ... now they are hitting the login page over and over with wrong userid's passwords in an attempt to disrupt.

it is not someone trying to DDoS the "front page"..
it is 50k users all trying to log in over and over and over and over and over and over and over and over.


/thumbs
Title: Re: Not to incite panic, but
Post by: blowdrobro on November 23, 2012, 06:54 am
hahaha...I'm just worried about my drugs!
Title: Re: Not to incite panic, but
Post by: PrinceHumperdinck on November 23, 2012, 06:56 am
You fucks sound like you belong on desperate housewives. Give it a while and everything will be fine, it's Thanksgiving, put the pipe down and go eat some fucking turkey.
Title: Re: Not to incite panic, but
Post by: dbz4u on November 23, 2012, 07:08 am
Why not ask trusted vendors or buyers with programming expertise to work on small segmented parts of the site?

This does seem possible, at least in some cases. If he were to specify what functionality he needed, people with no special access could code stuff for him. He could essentially write unit tests for the PHP class he needs, and other people could fill it in. But I'm not sure how often he needs stuff like that done. It's hard to say what SR's biggest problems are without talking about details.

Yea that's exactly what I was thinking. I have very limited programming knowledge, but I assume it would be easy to segment the site's code into bits and pieces that trusted users could work on. As far as I see it, we have a huge coding force here, just needs to be tapped into in the right way. If anyone has any idea how DPR would implement something like this, would be great to make it its own thread
Title: Re: Not to incite panic, but
Post by: BlarghRawr on November 23, 2012, 08:04 am
I was thinking more along the lines of a hack to tor, or perhaps a stolen private key (for the tor hidden service).

I'm not paranoid but like zenvoboy as I was logging in over and over started thinking 'hmm wouldn't it be funny if ....' .. hmmmm
SR has gone down in this fashion before, when it was getting updated. Nothing to worry about.
Title: Re: Not to incite panic, but
Post by: morphineman on November 23, 2012, 08:08 am
dbz4u is that all you have to offer on sr, quote someone and splash your brilliant answers to figure things out I'm sick of seeing you on a drug related site not talking about drugs but if you're looking at having someone banned, have a look in the mirror, because you are just quoting and spewing, none of either is needed on sr
Title: Re: Not to incite panic, but
Post by: jakers on November 23, 2012, 08:19 am
DPR must feel very lonely when it comes down to defending the site from hackers DDOS and brute force attacks.

Yes, people don't really understand this part well enough. DPR is making money, but that money is almost useless for maintaining the site. There are people who could help, but he can't hire them. He can't trust anyone. He is literally risking his life.

People really quickly lose perspective. We are all very lucky to be taking part in this.
Totally agree. This is a great moment in history, libertarianism in action. The greatest libertarian experiment in the information era. I am god damn proud and I regret NOTHING.

More to the point, if this site is being maliciously targeted, Then, hey, whoever is doing it is/are some mother fuckers, not just that, but you are some bitch ass mother fucking rat-soup-eating, insecure, no business, boring mother fuckers, fucking shitheads!  Fucking.. WTF, you want to make me waste my motherfucking time, thinking I forgot my password, like what, did I change it when I wasn't paying attention?  Fuck you punk.  Who the fuck would be such a cock-sucking cunt?  Like I have all day and not a short window while visiting the extended family on holiday, with my big ass tower PC, you fucking fucks.

Anyway, I'm going to go relax now.  Bitch ass mother fucker!  I'll kill you loser, get a life!  Really, you need to find a life worth living, not this pointless shit you think is impressive.  Ok, NOW I am going to relax. :)  ass munch
Title: Re: Not to incite panic, but
Post by: microboilie on November 23, 2012, 08:44 am
I didn't realise it was Thanksgiving in the states, I imagine a lot of people have had a few drinks, are still up and refreshing every 5 seconds, let's hope you all had a wonderful day and will soon be going to sleep and giving us Europeans a chance to log in. really if you do that, I will give you all the thanks in the world.
Title: Re: Not to incite panic, but
Post by: LainOfTheWired1984 on November 23, 2012, 08:52 am
I didn't realise it was Thanksgiving in the states, I imagine a lot of people have had a few drinks, are still up and refreshing every 5 seconds, let's hope you all had a wonderful day and will soon be going to sleep and giving us Europeans a chance to log in. really if you do that, I will give you all the thanks in the world.

ehh... no aaahuhuhu ahuhuhu. <Beavis and Butthead>

you got me lol
Title: Re: Not to incite panic, but
Post by: CharlieAndMollie on November 23, 2012, 08:57 am
OMG: already the paranoia hits the road once more.
Just stay calm, all it takes is some time.
Title: Re: Not to incite panic, but
Post by: sniper123 on November 23, 2012, 09:00 am
Holllly fuck I've tried to ignore all this panic in the forums but chill the fuck out. It should not matter what people message you, who orders. Your security should be the same across the board. Assume LE is ordering from you, if you don't think your security is up to par to handle that quit now before you're in jail. I answer all emails by the same standards, I don't give special treatment to anyone. I don't care if I send 100g to the DEA because I use the same security for all orders and as dumb as the DEA can be I don't think they'd be dumb enough to do something really obvious. Much more likely it's a dumb, ignorant or on drugs user. So chill the fuck out and happily accept LE money.
This guy! +1 When you getting more 6-apb?
Title: Re: Not to incite panic, but
Post by: allblack on November 23, 2012, 09:32 am
so much lol inside
Title: Re: Not to incite panic, but
Post by: Nevita on November 23, 2012, 09:45 am
You guys are forgetting the PIN thing ;)  no money can go out without knowing your PIN ;)

Paranoia levels going down.. ;D
Title: Re: Not to incite panic, but
Post by: brokenfone on November 23, 2012, 09:50 am
GG OP, says he isn't going to incite panic, but then tries to  ???
Title: Re: Not to incite panic, but
Post by: brokenfone on November 23, 2012, 09:57 am
You ever notice your dick is angled 15% to the left? Seriously I am tired of seeing the same thing across the forums and learn to read:

The captcha is not changing because the server is down, it can't access the server to give you more captchas, it's simply using the ones loaded in the loading page.
Title: Re: Not to incite panic, but
Post by: brokenfone on November 23, 2012, 10:04 am
No it's not random, the word at the beginning is a number of words they have made themselves, the three numbers are always randomly generated. Since SR is down it can't reach the server to start giving you new words, therefore it's just showing a select amount of words with a random number interval.
Title: Re: Not to incite panic, but
Post by: cerealpilla on November 23, 2012, 10:11 am
hahaha...I'm just worried about my drugs!

Title: Re: Not to incite panic, but
Post by: MySecretAccount on November 23, 2012, 10:30 am
Irony in every direction, intentional and not. I suggest we incite panic to see if it has a calming effect.

Thoughts?
Title: Re: Not to incite panic, but
Post by: opensky on November 23, 2012, 11:44 am
Irony in every direction, intentional and not. I suggest we incite panic to see if it has a calming effect.

Thoughts?

That seems to work
Title: Re: Not to incite panic, but
Post by: ronswanson77 on November 23, 2012, 01:07 pm
Irony in every direction, intentional and not. I suggest we incite panic to see if it has a calming effect.

Thoughts?

/agree