Silk Road forums

Discussion => Off topic => Topic started by: LSDANK on October 28, 2011, 07:53 am

Title: OVDB?
Post by: LSDANK on October 28, 2011, 07:53 am
Is anyone else getting this message trying to reach OVDB?

504 Connect to g7pz322wcy6jnn4r.onion:80 failed: SOCKS error: host unreachable
Title: Re: OVDB?
Post by: Bob Arctor on October 28, 2011, 08:08 am
same here...

Bob
Title: Re: OVDB?
Post by: C20H25N3O on October 28, 2011, 07:12 pm
The same here too
Title: Re: OVDB?
Post by: BockZu on October 28, 2011, 07:19 pm
same here, all day long :(
Title: Re: OVDB?
Post by: invisibleman_007 on October 28, 2011, 07:47 pm
DITTO, just tried
Title: Re: OVDB?
Post by: awesome1126 on October 28, 2011, 08:33 pm
Been like this all day :(
Title: Re: OVDB?
Post by: lightfoot on October 28, 2011, 09:02 pm
The server is obviously down. It'll get fixed soon enough no doubt.
Title: Re: OVDB?
Post by: ketaaa on October 28, 2011, 09:20 pm
still down for me!
Title: Re: OVDB?
Post by: phubaiblues on October 29, 2011, 01:40 am
I got a msg on another forum, from a trusted source, that there had been a bigass bust on some vendor recently at OVDB...doesn't mean much as far as we're concerned over here, but has anybody heard anymore on that?  I'll pursue my source, see if I can get more details on who and what, or at least the circumstances surrounding it...but again, they have different ways of doing things, and LE probably took note...as they do here, when people don't use btc...
Title: Re: OVDB?
Post by: ®eptile on October 29, 2011, 03:41 am
Are you talking about a more recent bust than ene? Because that bust happened in August. There is only one big-time vendor even working on OVDB right now, but he's been really hit-and-miss for months. I think they are just having issues with their site, much like some other online drug vending site about a week ago.... I can't remember which one that was, but I'm sure OVDB is here for the long haul, mainly because they depend on each individual vendor and buyer handling their OWN security, unlike SR, where most people expect to be protected by the site admin.

The main differences between there and here are that you can't fake your own trust status there, as Admin screens vendors before giving them trust status, and their site is not profiting off the deals made, or acting as a store of any kind. The individual members set their prices, post their listings, and run their business their way. I think that the government, and by this I mean the US government, will have a harder time bringing OVDB down than Silk Road, because it is just a message board, and posting in a message board is covered under freedom of speech. Silk Road has a store, where one can log on, click a button, and buy drugs. Well, that, and the fact that Silk Road's admin brought a bunch of attention to the site by doing an interview with a Gawker reporter. (For those who remember the old forum, when the reporter tried to interview users, most of US declined.)

sorry for the ramble, but I've been drinking a bit tonight

®
Title: Re: OVDB?
Post by: phubaiblues on October 29, 2011, 05:12 am
I'm not sure, it could have been the older bust.   I still haven't heard yet...

 I bounced around on OVDB a bit, back when SR was down, but I think SR's escrow format provides much more protection...unfortunately, it's being used less and less, and for the time being anyway, it's all too easy to muster up fake feedback on here.  I wish we'd get some kind of seller rating closer to OVDB's, and that they would provide escrow...they are more like an 'insider's club' from the old days, but now that more and more people are getting aware of how to use TOR, times are changing...

Yeah, the Gawker interview was a misstep, but I've seen some shit I didn't like on OVDB also.  This is all kind of in its infancy; hopefully both sites will kind of tighten up on the areas that need protecting.  The more the merrier.

I haven't been to BlackMarket lately but I hear they now have escrow, so that's good.  The more sites, the better, heat wise ;)
Title: Re: OVDB?
Post by: MagicKillerMan on October 29, 2011, 07:38 am
My friend thinks he knows the guy who made OVDB from a closed forum. Regardless, I would stay away from the website because a lot of crazy shit went down on there. Just read some of the posts from some of the trusted people on the forum.
Title: Re: OVDB?
Post by: wintermute on October 29, 2011, 03:46 pm
A lot of handwaving and borderline FUD in this thread; anyone have any factual info on what's currently going on?

My biggest concern about OVDB is admin. first things first: admin knows his shit, he's successfully demonstrated that operating in the open works when vendors run secure ops and people establish trust networks. Mission fucking accomplished for sure. Ene fucked himself, patchouli-stank hippie dooder doing his own regular mailings, in a place where he was the definition of sketchy, complete failure to implement security and deniability on all counts. derp. as admin said in an early post:

Quote
This forum is public. This forum is listed on Tor Hidden Wiki which is frequented by federal agents, and it is safe to assume there are federal agents on this forum. If you are not secure enough to counter them, it is foolish to vend here.

Anyways. What people should be concerned about with OVDB is that admin has been totally AWOL for many months. His actual account's last posts keep promising changes & improvements mere weeks away, him having more time to put into the thing soon, then *poof*. Since then it's overrun with unknowns (a lot of them clueless dipshits no doubt spilling over from the phenomenon that is SR), vetting of accounts has ceased. Business still goes on, but nobody's been minding the shop. Is admin even around to notice it being down? Will he ever issue a (properly signed) communication about current status? Inquiring minds want to know.
Title: Re: OVDB?
Post by: phubaiblues on October 30, 2011, 12:52 am
Works for me.  Like anywhere, you show some common sense and caution, and not trust anybody too much...Ripoffs and LE can talk the talk just as good as anybody, here and there both.  Hang out a while, you'll see a few hands who are alright...but TOR, and all TOR sites have the same risks.  I was running latest TOR anyway, but a while back, I had troubles with the site, mostly just irritations with pswds and such, but now it's fine....who's in charge there?  Hell, who's in charge here?   You never know.   I think this site is safer, within the confines of btc and escrow...outside of that, I've bounced a few times on OVDB, nothing bad happened...but the whole 'trust' thing works...until it doesn't.
Title: Re: OVDB?
Post by: anarcho47 on October 30, 2011, 05:39 pm
I've been meaning to try to get on there.  Is there any way to do a PGP verification over there with anybody who has a rep on both sites?
Title: Re: OVDB?
Post by: doobieboilolol on October 31, 2011, 06:03 am
Admin came back and made an announcement:

Updated to the latest version of Tor; you should also, because all versions except the most recent one are vulnerable to a deanonymizing attack that can be carried out by any malicious website you visit (or exit node you use). Also patched some other security flaws and did general hardening.

Made a mistake that totally fucked everything, and unfortunately didn't make a backup first. Fortunately everything is configured on virtual drives, and I had various backups from previous dates in time. I used an old structure, updated everything to the most recent versions as required, and then loaded the most recent SQL database to it. There is a bug now that causes some people's nyms to not be showing up next to their posts, particularly unknown-ranked people it seems. I am not exactly sure what is causing this, but I think it has to do with updating the forum software to the latest version. It is an active bug, meaning that some posts are still not having usernames show up. I will certainly fix it because it cripples the usability of the forum, but I don't see it as a critical bug, so I would rather have a crippled forum up for a few days until I get time to really work on it than take the forum down until I get it fixed.

I did take the forum down as soon as I saw that a new version of Tor was released though, and left it down for a while until I had time to work on it. Thankfully I learned about the new version of Tor immediately after it was released. Also there was a known vulnerability in the forum for a month before I got around to patching; I really fucked up there in not immediately patching, but I have not been online much at all lately to check the changelogs of all the software that goes into running this forum. Everything is currently fully patched with no known vulnerabilities; I am just letting everyone know this in the spirit of full disclosure.
I still can't find the exact details of the vulnerability, but I am currently under the impression that it would have allowed an attacker to hijack an administrative session by injecting attack javascript. Since I never have javascript enabled, this would have been prevented had anyone attempted it.

and then mentioned he wants a decentralized forum to be created, and after it is created plans to take OVDB down and let the scene manage itself

Quote
In short:

we need a decentralized forum, because it is better.

In long, we need a decentralized forum for a variety of reasons.
________________________________________________________________________
For one, [unrelated to project talking begins] I don't like the stress involved with running the only server responsible for OVDB. I also host multiple other forums. There are plenty of other private forums that I do not host and the scene could go on fine if I took all of my forums down, but I don't want to take them down; I just don't want to be the sole person responsible for them. I don't want to take OVDB down, and I won't until a decentralized option is there to take its place. But I am really sick of running drug forums, both in a technical and an administrative role. I have been running them for five years now, and it's time for something new. I am also getting more and more distant from the scene. I don't need any new sources; the ones I have been using for years work great and I can get anything I want at great prices. I only keep in regular contact with a small circle anymore, and I am really simply just tired of the drama and such associated with the scene social structure. Plus the people from the original community are largely gone, and the more mainstream/commercialized the scene gets the less community feeling it has anyway. Also, Enelysion being busted has seriously made me reconsider my priorities, not that I am particularly worried about being busted, but the fact that someone from our inner circle was (finally, I guess) taken down really hit home to me and depressed me. In short, I am sick of running forums and participating much in scene related activities, but I don't want to leave until open (free as in, anyone can participate, and free as in, not taxed) sourcing is securely autonomous and doesn't require anything from me.[unrelated to project talking ends]

Secondly, it is of serious strategic advantage for the entire network. The goal is to transition from a model with heads to an all-channel model. Imagine SR admin and I are both busted tomorrow. That is the essential end of the public sourcing community as it is currently known. Two heads are on that hydra; although there are many more on the private scene hydra, I am far more concerned with the public scene these days. Also, having two heads means that the resources of our adversaries can be focused onto those points. Also, the same model transition takes place for the actual communications structure. There is not much redundancy in our current model. Private forums have been hacked and erased multiple times, and although this is largely a failure of administration to make proper backups, it would be nice if everything was seamlessly redundant.

Thirdly, it gives the power to the participants. I have nothing against Silk Road, but I envision a community that takes care of itself more than I envision a commercial venture designed to make profit for its administrator. In my opinion, the scene should be a movement, not a commercial operation. I see that many people have plans of making sites that charge money for accounts or participation. I don't want this to be the standard method of operation in the future, and the best way to prevent it is by making tools that allow for the community to take care of its own communication needs.

Fourth of all, it can disconnect drug forum servers from the drug community. This is similar to Freenet. If servers can be used to host posts from any group, and the operator of a given server is incapable of determining the posts they host, it removes liability from them. If the Silk Road or OVDB servers are located they will probably be shut down. Freenet servers have not been shut down yet, even though everyone knows they are all loaded with CP. The thing is they are also loaded with other things, and since everything on them is encrypted it disconnects the servers from CP in a way. We don't want to use Freenet though.

Fifth of all, it can add a lot of technical security improvements for the scene by transitioning away from browsers and toward custom client and server side applications. Your average web browser is not anywhere near as secure as a custom made client side application can be. Browsers are made to do a lot of things. I will give a simple example: browsers support Flash, which can side-channel Tor, but a custom client side forum software will not support Flash. It won't support Javascript. It won't have a fingerprint. Of course these examples only really apply much to noobs, since more skilled people can harden their browsers significantly, but in general no matter how much you harden your browser it is going to have needless bloat in it. It wasn't made just for surfing drug forums; it was made for doing lots of things. By removing this bloat, we can significantly harden the application layer. We can also do cool things, like support high latency posting / mixing to protect from a large variety of attacks. Not everyone wants high latency, but tau or alpha mixing can be utilized to let people specify their own latency requirements. I think low latency systems like Tor are not proper for our threat model, and I truly think that the only reason the feds have not totally pwnt Tor is due to extreme incompetence on their part. Tor is good enough for now though, and it is better than any VPN. It is also good to enter through, particularly if you use a bridge. I think you should use a private Tor bridge to enter the public Tor network, and then use the public Tor network to connect to high latency mixes.

Sixth of all, it can make things easier. Private messages should automatically be encrypted with strong encryption algorithms. GPG is easy enough to use, but everyone would prefer if things were fully and transparently automated I think. Also, using GPG to encrypt all posts on a forum is possible...so nothing on the server is in plaintext. But it is a pain in the ass to do things like this. Our application should make this transparent. And it should support multiple groups so communications can really be compartmentalized to a need to know basis, as required. There are probably other things that can be taken into consideration. Some vendors don't want to deal with private messages and only want orders, maybe we can have it so the private message system takes on more of an order form model for them with fields for address/payment info/etc. There are lots of things we can tweak to make vending and sourcing easier and more secure.

_________________________________________________________________

What exactly do we need though? Here is a quick list of things that are required.

*No unencrypted communications should ever touch any of the servers ||||| This is in contrast to this forum, where all posts are stored in plaintext. Even though they are on mounted encrypted virtual drives, there are plenty of attacks that can get to them. Even if we use physical intrusion detection systems, there are methods of getting around them in many cases. And why do something expensive like this when things can just be encrypted client side?

*High latency mixing of posts should be supported |||| This is in contrast to this forum, which relies entirely on Tor. If your entry node is owned by the DEA and they scrape this forum in real time (or get access to the publicly displayed timestamps on posts) they can link you to your session on the forum via a timing/fingerprinting attack. All low latency systems are weak to this sort of attack. I am not comfortable with this level of anonymity.

*Redundancy should be obtained. If a single server goes down, the entire community should lose nothing other than a server. Posts should be distributed over many servers. Indexing should be done over many servers. |||| This is in contrast to this forum, where a single server compromise could cause serious down time at the very least and lost posts at the worst. Also, this forum has down time. A cloud of fifty volunteer run servers will not have total communications down time.

*All encryption operations should be automatic and secure ||| as compared to this forum, where you need to rely on GPG, or other forums with automatic server side encryption that is total shit just like Hushmail's

*Use of the network should be group independent, and groups fluid |||  as compared to this forum, where all users are users of open source. You can't really seamlessly use my servers to host your own forums on top of them. At best you need to ask me to set a forum up for you, and I have root access to the server so I can gain access to your forum. I can also gain access to the posts on your forum unless  they are all encrypted with a GPG key I don't have access to. Also, if you do use my server to host your own groups forum, they are part of your group. I can't really manage a thousand peoples forums by myself. But if I configured an IRC server, anyone could make their own protected channel with their own set of invited participants. This leads to compartmentalization, and fluid group structures. We want a forum system that easily allows for multiple channels to be created, using the same resources as other unrelated channels.

*Administration and social construction should not be hierarchical. This is very important. ||| This is as compared to this forum, where I assign trust ranks to people, where I am responsible for managing things / adding forums / deleting objectionable posts [not that I ever will, lol] etc. The trust rank system should be entirely decentralized. Then I can still assign to nyms how much I trust them, but so can anyone else. People should be able to see a new nym for the first time and be able to see how much other nyms they already know trust it. This should happen automatically and in multiple formats [think web of trust graphs, encrypted review system for something similar to a decentralized safeorscam, textual information, number scores, scales, raw information, etc etc]. The forum structure itself should be decided by clients. Who they see posts from should be decided by mutual agreement. Alice can block posts from Bob, Bob can block posts from Alice, Bob can prevent his posts from being seen by Alice, Alice can prevent her posts from being seen by Bob. Groups should be possible to form that are isolated from other groups, with single people being part of multiple groups/compartments. Want a weapons section? Accept posts related to weapons, or posts from people who talk about weapons. Don't want a weapons section? Block posts from compartments related to weapons, or people who offer to sell weapons. Simple. Now you censor yourself instead of others.

*There should be a perception of one forum. This is the same way that this forum is. However, the forum should look different to every participant depending on the compartments they are part of / who is on their "buddy list". I should be able to make a post in a thread here and specify that only fizzy and tarpaulin can read it, with cryptographic certainty. Anyone else who reads the same thread will see the posts they are "cleared" for, but not the post I made for me, fizzy and tarpaulin. A compartment can be small like this, or large enough that it is essentially its own private forum piggybacking on top of the cloud of volunteer run servers.

*Everything should be cryptographically secure. Authentication, encryption, etc etc.

But what specific attacks are there to worry about?

Well, here is one example. Let's say we use a simple system to mirror OVDB over two servers, for redundancy. The person who runs the second server is automatically in position to do half of a timing attack, since they can see traffic coming to the server. Of course this can already be done with a fingerprinting attack and timestamps, but just for example. I know I am not doing a timing attack against people who use the forum, but if twenty people mirror the forum I don't know how many of them want to do timing attacks against you. It will be safer to use my server than one of the mirrors. We need to remove the ability for the mirror nodes to do this sort of attack. The best way to do this is to have a high latency mixing network, so timing attacks like this are no longer possible for anyone to do.

We want to have a volunteer network of 'forum nodes' without an attacker being in a position to do much by virtue of you using their node.

________________________________________

So how much progress has been made on this?

Assume that we are essentially starting from scratch on the programming. We had a lot of work done with Java, but the programmer working on it pretty much fucked off after he was halfway done. We were tired of waiting for him to finish and demanded a refund. Now it is being done by someone else who wanted to do it mostly in Ruby. Now the goal is to do it in Ruby. We have one paid lead developer working on it, but want to crowdsource volunteers. Many people from various underground / security oriented communities have already discussed the project, and specific components of it, and feedback from several people with various backgrounds / skill levels / opinions has been taken into consideration. If you are skilled with Ruby, if you will at least audit the current lead developer's code it will be appreciated. If you think you can help program it, even in small ways...it is also appreciated. If you can help us brainstorm on design, it is also appreciated. We have had many different specs but none are currently in stone; they change as people find attacks on them or simply as we find better ways of doing things. It has very much been a work in progress for quite a while now, with a lot of input from a lot of people...but it is really time to just get the thing fucking done ;) If we can think of improvements they can be implemented into the new system because we don't have much code done currently and it won't be an issue as we can implement them early on.

One thing we decided on was the use of Pynchon Gate for the message retrieval system. This is currently largely finished being coded, and was written by some very smart security people. This project was fully independent of ours, but its use as a component in our system is probably the best choice for multiple reasons. For one, the people who made it are out of our pay grade and out of our skill level. For two, it is already almost done being programmed and it will save our programmers time and work as they wont need to make a custom message retrieval system. For three, it is a good system and has been studied by researchers in the academic community. Other than this, we do not have a strong design in mind. Components from previous designs will work their way into the finalized system, and we will discuss these components in this thread. Please continue to brainstorm with us here, and help with code / auditing / design if you can. We will also need graphics work to be done for a GUI system. Also, if you don't have any skills strongly related to this project you can still help by discussing end user feature requests you are looking for. What would make sourcing online safer, easier, more fun for you?

Last thing: we really want this to be done as soon as possible.
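The timing attack the admin describes above (an entry node owned by the adversary, plus the public timestamps on posts; the same half-attack a mirror operator could run) and the mixing he proposes as the fix, as an added toy simulation. This is not part of the original post or of any forum software: every user, nym and timestamp is constructed, the adversary is handed alice's entry-node view directly, and the mix is a plain threshold mix that I chose for illustration.

```python
"""Added example, not code from the OVDB post or from any forum software.

Toy simulation of an end-to-end timing attack on a Tor-only forum: an
adversary who owns alice's entry node sees when she sends a burst of
traffic and compares those times with the public timestamps on posts.
Then the same adversary against a threshold mix, where posts are released
in batches that all carry one timestamp.  All nyms and times are
constructed (seeded pseudo-random), so the run is repeatable.
"""
import random

HORIZON = 3600.0                 # one constructed hour of forum activity
POSTS_PER_NYM = 5
USERS = ["alice"] + [f"nym{i:02d}" for i in range(1, 20)]


def make_bursts(rng):
    """Per nym, the times at which that user submits a post.  The entry-node
    adversary learns these times for the one user it watches (alice)."""
    return {u: sorted(rng.uniform(0.0, HORIZON) for _ in range(POSTS_PER_NYM))
            for u in USERS}


def publish_low_latency(bursts, rng, jitter=2.0):
    """Tor-style: each post becomes public with its own timestamp a second
    or two after submission."""
    posts = [(t + rng.uniform(0.0, jitter), nym)
             for nym, times in bursts.items() for t in times]
    posts.sort(key=lambda p: p[0])
    return posts


def publish_threshold_mix(bursts, rng, batch_size=10):
    """Threshold mix: hold posts until batch_size have arrived, then release
    them together in shuffled order, all stamped with the release time.
    Posts still waiting in the mix are not public at all."""
    submitted = sorted((t, nym) for nym, times in bursts.items() for t in times)
    posts = []
    for i in range(0, len(submitted) - batch_size + 1, batch_size):
        batch = submitted[i:i + batch_size]
        release = batch[-1][0]           # the batch closes on its last arrival
        nyms = [nym for _, nym in batch]
        rng.shuffle(nyms)
        posts.extend((release, nym) for nym in nyms)
    return posts


def correlate(burst_times, posts, window):
    """Naive attacker: per nym, count posts whose public timestamp falls
    within `window` seconds after one of the observed bursts."""
    scores = {}
    for ts, nym in posts:
        if any(0.0 <= ts - b <= window for b in burst_times):
            scores[nym] = scores.get(nym, 0) + 1
    return scores


def suspects(scores):
    """Nyms with the highest correlation score (empty if nothing matched)."""
    if not scores:
        return set()
    best = max(scores.values())
    return {nym for nym, s in scores.items() if s == best}


def intersection_attack(burst_times, posts):
    """Attacker who knows the mix design: each observed burst lands in the
    first batch released at or after it, so every nym in that batch is a
    candidate; repeated observations are intersected.  Returns the list of
    per-observation candidate sets and their intersection."""
    releases = sorted({ts for ts, _ in posts})
    per_obs, final = [], None
    for b in burst_times:
        release = next((r for r in releases if r >= b), None)
        if release is None:
            continue                     # still held in the mix, nothing to see
        members = {nym for ts, nym in posts if ts == release}
        per_obs.append(members)
        final = members if final is None else final & members
    return per_obs, (final or set())


def run_demo(seed=7):
    rng = random.Random(seed)
    bursts = make_bursts(rng)
    observed = bursts["alice"]           # what alice's entry node reveals
    low = suspects(correlate(observed, publish_low_latency(bursts, rng), window=3.0))
    per_obs, final = intersection_attack(observed, publish_threshold_mix(bursts, rng))
    return low, per_obs, final


if __name__ == "__main__":
    low, per_obs, final = run_demo()
    print("low latency, 3 s window ->", low)
    for i, s in enumerate(per_obs):
        print(f"mix, observation {i}: {len(s)} candidate nyms")
    print("mix, intersection of all observations ->", final)
```

Against low-latency publication the naive attacker recovers alice's nym outright. Against the threshold mix a single observation only yields the batch she landed in, up to ten nyms, but intersecting her repeated observations shrinks that set (the intersection attack), so a threshold mix raises the cost of the attack rather than removing it; batch size, how many posts one nym makes, and the per-user latency the admin mentions all decide how much it helps.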
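The decentralized trust ranks and per-client filtering sketched above ("Alice can block posts from Bob", "now you censor yourself instead of others"), as an added example that is not code from the original post or from any existing forum. The nyms, ratings and posts are constructed; the scoring rule (weighted mean of the ratings given by nyms I already trust, halved per hop) is my toy choice rather than anything the post specifies; and verifying the signatures on published ratings is assumed to happen before this step.

```python
"""Added example, not code from the OVDB post or from any forum software.

Each nym publishes its own ratings of other nyms.  A client computes, for
itself only, how far to trust a nym it has never dealt with, using just the
ratings published by nyms already in its own view.  No admin assigns ranks,
and each client filters the forum by its own view.  Ratings are assumed to
arrive already signature-checked.  All data below is constructed.
"""

# rater -> {rated nym: score}; 1.0 is full trust, -1.0 is a block.
RATINGS = {
    "me":        {"fizzy": 0.9, "tarpaulin": 0.8, "spammer": -1.0},
    "fizzy":     {"newvendor": 0.7, "ripoff": -0.8},
    "tarpaulin": {"newvendor": 0.5},
    # a sybil ring vouching for itself and for the rip-off: nobody I trust
    # rates these nyms, so their ratings carry no weight in my view
    "sybil1":    {"sybil2": 1.0, "ripoff": 1.0},
    "sybil2":    {"sybil1": 1.0, "ripoff": 1.0},
    "spammer":   {"spammer2": 1.0},
}

# (author, text) as the posts would arrive from the server cloud (constructed)
POSTS = [
    ("fizzy",     "new batch listed, same terms as before"),
    ("ripoff",    "best prices, pay up front"),
    ("sybil1",    "vouch for ripoff, legit"),
    ("newvendor", "first listing, small orders only"),
    ("spammer",   "cheap pharma here!!!"),
]


def trust_view(me, ratings, depth=3, decay=0.5):
    """Return {nym: my trust in nym} for every nym reachable from `me`.

    My own ratings are taken as-is.  A nym I have not rated gets the mean of
    the ratings given to it by nyms already in my view, each weighted by my
    trust in that rater, then multiplied by `decay` for the extra hop.
    Raters I do not trust (absent from my view, or rated <= 0) contribute
    nothing, which is what makes a self-vouching sybil ring worthless."""
    view = dict(ratings.get(me, {}))
    view[me] = 1.0
    for _ in range(depth):
        pending = {}                          # nym -> (weighted sum, weight)
        for rater, given in ratings.items():
            weight = view.get(rater, 0.0)
            if rater == me or weight <= 0.0:
                continue
            for nym, score in given.items():
                if nym == me or nym in view:
                    continue                  # closer opinions already decided
                num, den = pending.get(nym, (0.0, 0.0))
                pending[nym] = (num + weight * score, den + weight)
        if not pending:
            break
        for nym, (num, den) in pending.items():
            view[nym] = decay * num / den
    return view


def visible_posts(me, ratings, posts, min_trust=0.25):
    """The forum as `me` sees it: keep only posts whose author my own view
    trusts at least `min_trust`.  Unknown authors score 0 and are hidden,
    blocked or badly reviewed ones score below 0.  Nobody else's view is
    affected: this is the "censor yourself instead of others" filter."""
    view = trust_view(me, ratings)
    return [(author, text) for author, text in posts
            if view.get(author, 0.0) >= min_trust]


if __name__ == "__main__":
    for nym, score in sorted(trust_view("me", RATINGS).items()):
        print(f"{nym:10s} {score:+.2f}")
    for author, text in visible_posts("me", RATINGS, POSTS):
        print(f"[{author}] {text}")
```

With these ratings, newvendor ends up trusted at about 0.30 (vouched for by fizzy and tarpaulin, one hop away), ripoff at -0.40 (fizzy's warning outweighs the sybils, whose opinions carry zero weight), and the sybil accounts themselves never enter the view at all. Another client with different direct ratings would compute a different view from the same published data, which is the point of the design.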
Title: Re: OVDB?
Post by: phubaiblues on November 01, 2011, 07:04 am
Quote
I've been meaning to try to get on there.  Is there any way to do a PGP verification over there with anybody who has a rep on both sites?

I don't know, since I'm a buyer...but I hung out there quite a bit when this site was down...(and lost some money on the newly formed BlackMarket site )  I saw some sellers from here, that seemed to have a good rep there.  They seemed to be using the same usernames, and one of them could probably help you...
Title: Re: OVDB?
Post by: anarcho47 on November 01, 2011, 04:41 pm
Okay, I'm signed up over there.

Under the username AnarchoCapistalist47.

I'm just going to lurk a while, but if anybody from there wants to do a transaction through OVDB to help me out I'll do a serious discount on my Jack Herer for the ups.
Title: Re: OVDB?
Post by: theonetheonlyandy on November 01, 2011, 11:38 pm
OVDB? Is that what it is called, or is it an abbreviation for something?