Silk Road forums
Discussion => Silk Road discussion => Topic started by: inigo on December 18, 2012, 08:05 pm
-
Obviously this is a scam. We will fix it as soon as possible; until then do NOT send coins to the address shown.
-
Can we get someone to look into the shipping options issue as well, please.
-
What does this say about the site's general security? Don't make me feel too easy.
-
I just don't understand everybody here at Silk Road. I've been here on Silk Road for about 4 months on and off. I've only made five purchases, all weed, and pretty much kind of got what I paid for; if the guy was standing in front of me I probably would not have made the deal on three of the transactions.
After my fifth purchase I met a vendor on the forums here. He used to have a store on SR; he left SR for reasons I do not know. I think he said something about BTC being a ripoff or a major pain in the ass.
Anyway, my point is that I've been buying from this gentleman for the past month and I must tell you I feel much more secure in the system that this guy uses. He uses TorChat to communicate with you, and you must call him on his burner phone, either from a burner phone or other forms of phone communication that he will suggest to you that are secure. At first I thought this was a trap or something, but after speaking with him for more than two weeks I thought to myself, if this guy is the police then he has broken about five laws just in the conversations that we've had, and the fact that he makes you use TorChat and burner phones or phones with burner security-like features to communicate with
The orders are sent through TorChat in unison with calling him on his burner phone to confirm the order. You are not allowed to discuss anything illegal over the phone; he has a product list that has item numbers and you're only allowed to discuss the item number, nothing else.
And just for you naysayers, there's about 17 people on the forums here that use this guy.
His main rule is if you call the burner number he gives you and you do not recognize his voice on the other end, hang up.
This is the old school way of dealing drugs, one-on-one. I know him, he knows me. This is the way I feel it should be done; there is no way, after the first initial meeting of course, that you can buy from anybody but the dealer you've been buying from the whole time.
You cannot say that about Silk Road.
But that first contact is a motherfucker, I will give you that. I was pulling my hair out waiting on that free sample he sent me, but after that, ordering was way better than Silk Road.
And you don't have some national DEA, LE and FBI and every other law enforcement agency on the planet with a big hard-on to bust you for doing what SR is doing. Sorry to tell you people this, but Silk Road's days are totally numbered. Just read the hidden wiki reports. Do you really think the DEA and the FBI are going to just sit around and let this go on and never do nothing about it? I would not be surprised if the attack from today is an LE-induced attack.
Watch over the next 2 to 3 weeks how many vendors will disappear or pull out or will have reports of them being arrested.
The game is up.
If any of you fellow cannabis, pot loving, sweet leaf, 420 friendly potheads want this guy's contact information, send me a PM and I will respond with
-
I have to agree that SR's future does look a bit grim, with all the recent problems...
-
Don't be sceptical. Just study about Tor hidden services - but wait, you all did that, didn't you?
-
I have to agree that SR's future does look a bit grim, with all the recent problems...
We hope not; we just got here. It would be nice to make a fortune before the shit hits the fan. We here at MM seriously hope that Silk Road will be here forever!
-
(subscribing)
-
Don't be sceptical. Just study about Tor hidden services - but wait, you all did that, didn't you?
Tor hidden services have nothing to do with it at this point. With the attacks on SR and pending attacks from LE or whatever other police authority, security is with the vendor. I'm sorry, Silk Road cannot guarantee you this anymore; anybody who tells you otherwise is either a vendor or is in some way making money off Silk Road. Everybody thinks that because you use PGP encryption you are safe. This is total bullshit. If the vendor gets arrested and they seize his computer and they find PGP encryption, they will make the vendor give up the PGP encryption keys, and if you people really think that your vendor is following the rules then you are the most trusting and stupidest people I've ever met.
Do you really think that a meth dealer or a coke dealer, and especially a marijuana dealer who smokes all day, is going to follow the rules? This is a website full of people who do everything but follow the rules.
-
Get Anonymous on the blower. I'm sure we could all chip in a few bitcoins as voluntary protection money? I know I would. And I know Anonymous need pot/bitcoins or hot pockets...
And as for SR being taken down...
One of the unfortunate flaws of Tor is it protects pedophiles. I'd like to think (but to be honest I'm not sure) that this would be a far bigger priority for LE. And Anonymous showed that unfortunately even these vile creatures are protected by Tor's ingenuity. Surely SR is safe?
-
Don't be sceptical. Just study about Tor hidden services - but wait, you all did that, didn't you?
Yeah, Tor is SOOOO secure, nothing could EVER happen to SR. I'm so sick of hearing that shit. I'm not being skeptical. Shit HAS happened to SR, and it's unsettling. Just because SR is on Tor doesn't mean it's invincible.
Anyway, best of luck to the moderators and admin to get this fixed ASAP!!
-
Get Anonymous on the blower. I'm sure we could all chip in a few bitcoins as voluntary protection money? I know I would. And I know Anonymous need pot/bitcoins or hot pockets...
And as for SR being taken down...
One of the unfortunate flaws of Tor is it protects pedophiles. I'd like to think (but to be honest I'm not sure) that this would be a far bigger priority for LE. And Anonymous showed that unfortunately even these vile creatures are protected by Tor's ingenuity. Surely SR is safe?
You just don't get it. The reason why LE will pull out all the stops on Silk Road and not on pedophiles is because the word pedophile is a disgusting word, and most people when confronted with this word/problem will pretend like there is nothing they can do about it, or they pretend like they didn't even hear it.
Example: try bringing up a conversation about pedophiles at your local PTA. Then the week after, at the same PTA meeting, bring up a discussion about drugs and see what kind of response you get. I bet you $5000 that the discussion about pedophiles will last less than 30 seconds,
and the discussion about drugs will last for hours.
Drugs is a household name that has been villainized by our government so much that it has been de-villainized. 25 years ago you could not say the word drugs in public without being shunned; today you can talk about drugs in preschool and church, on TV, anywhere you like.
There are pedophile rings busted every day in the United States that you never hear about,
but turn on the news any given day of the week and you will see something about a drug bust.
So my friend, you saying that LE not being able to bust pedophiles would be enough reason to assume that they won't go after Silk Road is just uneducated guessing.
-
EDIT: Problem resolved...
Are you referring to the "SR QUICK BUY" pictures problem? If so, please check again, as I'm still seeing them for certain vendors.
-
What does this say about the site's general security? Don't make me feel too easy.
+1 This is the question people should ask, not how long until it can be fixed.
-
Don't be sceptical. Just study about Tor hidden services - but wait, you all did that, didn't you?
Yeah, Tor is SOOOO secure, nothing could EVER happen to SR. I'm so sick of hearing that shit. I'm not being skeptical. Shit HAS happened to SR, and it's unsettling. Just because SR is on Tor doesn't mean it's invincible.
Anyway, best of luck to the moderators and admin to get this fixed ASAP!!
I'm with you dude. I think the people that keep saying that Silk Road is secure are either vendors or in some way work for Silk Road, because what they are saying is complete bull. All you have to do is read their own forums: in the four months that I've been here Silk Road has gone offline nine times, and each time they come back with some bullshit about how secure we are now. I run an e-commerce website as my business; if I was to go offline nine times in four months I would fire the people running my e-commerce. The only way that Silk Road would have gone offline is from a hack or overloaded bandwidth, and I don't think Silk Road has a bandwidth problem, so standard logical thinking tells me that Silk Road is way too unsecured. This is the reason I do not buy off Silk Road anymore.
I do love these forums though and have many friends here.
I mean, I just don't get it. If your local bank was to tell you that they had a hacker hacking into their online banking website, but for you not to worry because they have it under control, with no security checks, no security monitoring system and no automatic alert system for when a hacker invades, and they wait 12 hours to tell you this, and in those 12 hours you have read many reports on a local forum that is attached to that bank that people's bank accounts are coming up with missing money...
How long would it take you to get in your car and drive down to that bank and take out your fucking money?
This is what is happening on Silk Road right now, and all you have are a bunch of people (bank employees) telling you a bunch of bull about don't worry, your money is safe and secure with us.
It all sounds like a big scam to me.
The guy I buy my weed from used to have a vendor's account on SR, but from his mouth the security at SR was a joke and constantly having trouble with BTC.
He is a high-grade marijuana dealer that I feel is the perfect Tor system. If you want his contact information, PM me.
-
Follow these basic security principles always, and complications like this mean very little.
1) Work within Escrow
If you work within the escrow system, then you have the added relief of being able to receive support from the site administrators. Transferring bitcoins between user accounts is easy to do within the site. Transferring bitcoins back from some random bitcoin address (like the quickpay address) is impossible. Do not send coins straight to an address if you're purchasing anything. When you send money straight to an address, you might as well just call that a donation.
2) Encrypt all communication
There are many ways for attackers to pull information out of a website. Every time the website is updated with a new feature, new bugs can be introduced. While I personally think this is a javascript/sql injection issue, if you encrypt all of your communication straight to the vendor, then the attacker must have the VENDOR's private key, which is not contained within Silk Road. This way, the attacker can have access to the database, but cannot read any of the sensitive information.
It's really that easy to stay safe.......... Escrow protects your purchases, and encryption protects your address.
If you need help with setting up PGP encryption, or you want to test your encryption, PLEASE PLEASE reference this onion: http://p3lr4cdm3pv4plyj.onion/
it has most of the PGP guides listed here in the forums, and has tools for testing your encryption as well.
basically.... trust no one, and trust that the site is never secure.
Good luck, Happy Hunting, Enjoy the holidaze
-wicked420
-
We don't know much about computers, hacking and stuff, but is it safe to assume that the pictures being put up had to have been done from the inside out? Like someone on the inside changed them, I mean like a disgruntled employee or someone like that.
We think if a hacker got into the site, they would wait for the right moment, or set things up to make the moment right, and take all the coins. Why waste your time with some weird quick-buy bullshit? Where's the point in that? Also, is it all the same address that the coins are supposed to be sent to, or a bunch of them? I can't get on Silk Road now; we seem to be having logging on issues, but if it is the same address we can see how much they have scammed already. I assume some people don't use the forums and will log on, see no shipping option and send the coins to the address thinking this is a new update or something.
This can't be too good.
MM
-
Ok 420, I hear ya. These forums can be an inhospitable place lol.
No point going paranoid and trying to spread fear. I know nothing about Tor, computers etc., correct, but I know worrying about it won't help. Whoever runs this place isn't messing about. They've lasted years now and the site's still here, so are you telling me LE have just been touching themselves all this time? They've most likely already dropped their biggest moves to bring down SR and they haven't worked. Who knows how many steps DPR and his crew are ahead? I'm pretty sure they're a tiny little bit security conscious, since getting caught will be a very long time in jail, maybe even forever! I'm feeling pretty good about the situation and I'm happy to leave the few hundred I have remaining in my SR wallet.
And plus, I think after seeing how many politicians/celebrities abuse kids and get away with it their whole lives (Jimmy Savile), maybe yes, I am stupid to think LE give a flying fuck about stopping the really dangerous people instead of chasing a few pot heads and ravers whilst creating an unregulated, untraceable cash machine for anyone willing to be violent.
-
Tor as a software project has been around for 10 years. It's developed in the open and a large hacker and academic research community studies it. There are known potential attacks against Tor, but nothing that has been successful on the deployed network, despite the fact that it's a big target (the biggest anonymous network). As such, Tor seems pretty secure.
We don't know that about SR. It's developed in secret by who knows who. We can't know if it is secure until something like this happens, and then we only know that it is insecure. This is an attack on the application layer, not Tor.
-
What does this say about the site's general security? Don't make me feel too easy.
I agree.
I'm not normally one to lend my voice to calls for announcements etc. when issues arise, but this requires a full and thorough explanation as to how it happened and why it happened. Steps taken to ensure it will not happen again should not become public knowledge, of course, but if it is the case that an outsider has managed to gain access to the SR image database then that is something of major concern.
(Note: This is conjecture; there is no evidence that this is the case.)
On top of the security aspect, it also makes vendors whose listings are showing these pictures look very bad to potential customers who are unaware that this is an error.
These vendors pay a sizeable fee for the privilege of vending here, and pay continuous commission for the privilege of maintaining their presence - it is absolutely unacceptable for something like this to occur.
The scammer decided only to put "SR Quick Pay: Address etc." in the picture rather than posting something such as "Vendor arrested by Law Enforcement - customer information compromised" or the like; something of that nature could have an irreparable impact on a vendor's future and repeat business.
Wholly unacceptable, DPR. Whilst we appreciate the unprecedented challenges that you face keeping a market such as this online, this is a very serious issue that demands an explanation.
Many thanks to inigo, however, for the initial announcement.
- grahamgreene
-
EDIT: Problem resolved...
Are you referring to the "SR QUICK BUY" pictures problem? If so, please check again, as I'm still seeing them for certain vendors.
It was another problem, which was fortunately unrelated to this.
-
Don't be sceptical. Just study about Tor hidden services - but wait, you all did that, didn't you?
Yeah, Tor is SOOOO secure, nothing could EVER happen to SR. I'm so sick of hearing that shit. I'm not being skeptical. Shit HAS happened to SR, and it's unsettling. Just because SR is on Tor doesn't mean it's invincible.
Anyway, best of luck to the moderators and admin to get this fixed ASAP!!
I'm with you dude. I think the people that keep saying that Silk Road is secure are either vendors or in some way work for Silk Road, because what they are saying is complete bull. All you have to do is read their own forums: in the four months that I've been here Silk Road has gone offline nine times, and each time they come back with some bullshit about how secure we are now. I run an e-commerce website as my business; if I was to go offline nine times in four months I would fire the people running my e-commerce. The only way that Silk Road would have gone offline is from a hack or overloaded bandwidth, and I don't think Silk Road has a bandwidth problem, so standard logical thinking tells me that Silk Road is way too unsecured. This is the reason I do not buy off Silk Road anymore.
I do love these forums though and have many friends here.
I mean, I just don't get it. If your local bank was to tell you that they had a hacker hacking into their online banking website, but for you not to worry because they have it under control, with no security checks, no security monitoring system and no automatic alert system for when a hacker invades, and they wait 12 hours to tell you this, and in those 12 hours you have read many reports on a local forum that is attached to that bank that people's bank accounts are coming up with missing money...
How long would it take you to get in your car and drive down to that bank and take out your fucking money?
This is what is happening on Silk Road right now, and all you have are a bunch of people (bank employees) telling you a bunch of bull about don't worry, your money is safe and secure with us.
It all sounds like a big scam to me.
The guy I buy my weed from used to have a vendor's account on SR, but from his mouth the security at SR was a joke and constantly having trouble with BTC.
He is a high-grade marijuana dealer that I feel is the perfect Tor system. If you want his contact information, PM me.
I mean no offense, but can you just be quiet now?
I think we all get it, your dealer (you) sells weed and he (you) does it in a better way than Silk Road, so we can get his (your) details if we PM you.....and Silk Road is crap.
We understand. Thanks.
-
Don't be sceptical. Just study about Tor hidden services - but wait, you all did that, didn't you?
Yeah, Tor is SOOOO secure, nothing could EVER happen to SR. I'm so sick of hearing that shit. I'm not being skeptical. Shit HAS happened to SR, and it's unsettling. Just because SR is on Tor doesn't mean it's invincible.
Anyway, best of luck to the moderators and admin to get this fixed ASAP!!
I'm with you dude. I think the people that keep saying that Silk Road is secure are either vendors or in some way work for Silk Road, because what they are saying is complete bull. All you have to do is read their own forums: in the four months that I've been here Silk Road has gone offline nine times, and each time they come back with some bullshit about how secure we are now. I run an e-commerce website as my business; if I was to go offline nine times in four months I would fire the people running my e-commerce. The only way that Silk Road would have gone offline is from a hack or overloaded bandwidth, and I don't think Silk Road has a bandwidth problem, so standard logical thinking tells me that Silk Road is way too unsecured. This is the reason I do not buy off Silk Road anymore.
I do love these forums though and have many friends here.
I mean, I just don't get it. If your local bank was to tell you that they had a hacker hacking into their online banking website, but for you not to worry because they have it under control, with no security checks, no security monitoring system and no automatic alert system for when a hacker invades, and they wait 12 hours to tell you this, and in those 12 hours you have read many reports on a local forum that is attached to that bank that people's bank accounts are coming up with missing money...
How long would it take you to get in your car and drive down to that bank and take out your fucking money?
This is what is happening on Silk Road right now, and all you have are a bunch of people (bank employees) telling you a bunch of bull about don't worry, your money is safe and secure with us.
It all sounds like a big scam to me.
The guy I buy my weed from used to have a vendor's account on SR, but from his mouth the security at SR was a joke and constantly having trouble with BTC.
He is a high-grade marijuana dealer that I feel is the perfect Tor system. If you want his contact information, PM me.
I mean no offense, but can you just be quiet now?
I think we all get it, your dealer (you) sells weed and he (you) does it in a better way than Silk Road, so we can get his (your) details if we PM you.....and Silk Road is crap.
We understand. Thanks.
+1
Ain't that the truth.
-
:-X [REDACTED]
-
subscribing
-
Subscribing
-
One of the unfortunate flaws of Tor is it protects pedophiles. I'd like to think (but to be honest I'm not sure) that this would be a far bigger priority for LE. And Anonymous showed that unfortunately even these vile creatures are protected by Tor's ingenuity. Surely SR is safe?
Like the time Anonymous took down SR, saying they were practicing techniques to take down pedophile websites. SR got taken down, then a few hours later they apologized and took down a load of pedo sites. I'm sure there are people just as smart as DPR...
Anyway, it will get resolved; I'm sure it's just a learning curve though. Each time something like this happens (from other hackers, not LE) he can patch over them and soon become very secure. Never know what others working for LE could do though.
-
How come the site is still up and running? Should it be down for repairs or not accessible or something like that? Every minute that the site stays up is another minute for the hackers to scam the Silk Road members.
MM
-
My listings have been affected by this. I can confirm what was reported earlier; the altered images will return and shipping options will be deleted, even if the listings are manually fixed. I have been able to withdraw coins from the site still and I would ask that anyone who has an outstanding order with me, to finalize early. All placed orders have been sent and will be arriving within 2 days, but I would feel a little better not having money in escrow. It does take about 20-30 minutes for the listings to be corrupted and the site appears to be working normally, otherwise. If anyone is comfortable ordering, I will try to keep my listings clean, with shipping options. I will ask that you finalize early, but I will be able to get orders out before Thursday so they'll arrive by Saturday.
Lastly, I have total faith in the Dread Pirate Roberts and so should you. I could write several paragraphs on why that is, but will save you all the time. This is certainly disconcerting and a large nuisance, as well, but it could be far worse and I'm confident that DPR will come through.
-
How come the site is still up and running? Should it be down for repairs or not accessible or something like that? Every minute that the site stays up is another minute for the hackers to scam the Silk Road members.
MM
That is exactly how I feel.
-
Do shipping options and images work on private listings? If so vendors can just do business with private listings for now?
-
What does this say about the site's general security? Don't make me feel too easy.
I agree.
I'm not normally one to lend my voice to calls for announcements etc. when issues arise, but this requires a full and thorough explanation as to how it happened and why it happened. Steps taken to ensure it will not happen again should not become public knowledge, of course, but if it is the case that an outsider has managed to gain access to the SR image database then that is something of major concern.
(Note: This is conjecture; there is no evidence that this is the case.)
On top of the security aspect, it also makes vendors whose listings are showing these pictures look very bad to potential customers who are unaware that this is an error.
These vendors pay a sizeable fee for the privilege of vending here, and pay continuous commission for the privilege of maintaining their presence - it is absolutely unacceptable for something like this to occur.
The scammer decided only to put "SR Quick Pay: Address etc." in the picture rather than posting something such as "Vendor arrested by Law Enforcement - customer information compromised" or the like; something of that nature could have an irreparable impact on a vendor's future and repeat business.
Wholly unacceptable, DPR. Whilst we appreciate the unprecedented challenges that you face keeping a market such as this online, this is a very serious issue that demands an explanation.
Many thanks to inigo, however, for the initial announcement.
- grahamgreene
Sorry, I had to laugh at this one.
Maybe you should go complain to your country's consumer protection agency.
Normally, this would be a "vote with your feet" situation. I've only been here a week, but already it's clear that SR's success is all about access and volume. The recent publicity has brought a lot of new people (inc. me) I'm sure. This is dangerous, but also GOOD, right? What other site provides as large a pool of potential buyers? I can see BML, but at least where I am there just isn't nearly as much volume as SR.
-
Do shipping options and images work on private listings? If so vendors can just do business with private listings for now?
They do seem to be working for those. It seems to be strictly based on listing popularity.
-
How come the site is still up and running? Should it be down for repairs or not accessible or something like that? Every minute that the site stays up is another minute for the hackers to scam the Silk Road members.
MM
If DPR gave two shits about the members, do you think we would have this problem in the first place? Fuck the cunt.
Apologies to DPR fanboys who may feel butthurt after reading my comment.
-
I don't know who you are. I don't know what you want. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my bitcoins go now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will kill you. Fuckin' hackers.
-
How come the site is still up and running? Should it be down for repairs or not accessible or something like that? Every minute that the site stays up is another minute for the hackers to scam the Silk Road members.
MM
That is exactly how I feel.
We're starting to wonder if DPR has access to the site. If he does, then there is no reason the site should be up and allowing these hackers to make money off the good souls of Silk Road. Do you think it's possible that the hackers took full control of the site but, because of some security measures that DPR put in place, they can't move the coins, and this is why the site is still up and why the listings have been changed to direct payment somewhere else? Also, all the mods are missing, and from what we read the site has been having issues for months; maybe an employee went rogue or something.
???
-
Do shipping options and images work on private listings? If so vendors can just do business with private listings for now?
They do seem to be working for those. It seems to be strictly based on listing popularity.
So you can make private listings for your customers until everything gets sorted. Have them PM for the amount or whatever and give them the link. That seems like a decent temporary solution. I don't know exactly how the vendor thing works so I may be wrong.
-
So as long as I did not fall for the quick buy address and sent payment to the vendor as normal through SR I should be good?
-
As a Computer Science major it is clear to me that this is a result of a SQL injection exploit. Clearly, the hosting server needs to be patched because I'm willing to bet it's using vulnerable software. It is possible, however, that this is a zero-day attack but I highly doubt that seeing as how we aren't seeing widespread mainstream attacks elsewhere on the clearnet sites. In other words: To fix this attack, take the server down and apply updates ASAP!
Fortunately, if I'm right in my assumptions, this attack is pretty harmless in the grand scheme of things. If anything, it is an important reminder of why it is always important to keep your software updated.
-
Someone was saying SQL injection. How does a hacker access the files at SR and edit the pictures like that? This means that they have already hacked into the SR database and have control of the files. Just imagine what they'd do with your information. Either that, or someone got the hosted server's pass.
I suggest each user of SR main can only create a single user in the forum, or that the forum should be at least visible only to logged-in members, not guests.
-
Sorry, I had to laugh at this one.
Maybe you should go complain to your country's consumer protection agency.
Normally, this would be a "vote with your feet" situation. I've only been here a week, but already it's clear that SR's success is all about access and volume. The recent publicity has brought a lot of new people (inc. me) I'm sure. This is dangerous, but also GOOD, right? What other site provides as large a pool of potential buyers? I can see BML, but at least where I am there just isn't nearly as much volume as SR.
Ah. Perhaps you should read my previous posts, along with words 3 - 16 from my post you quoted. The last issue that sprung up here, regarding the moderators, had members calling for an explanation. In that case, an explanation was not required (you'll have to read the thread to understand why as I need my bed, I'm afraid); however, in this case, an explanation IS required as the current situation is something that undermines trust in Silk Road, and undermines trust in vendors when a buyer sees a picture with "SR QuickBuy!" on it without knowing that there is a reason for it which falls outside of the vendor's control.
Vendors pay commission to sell here, with customers paying that commission by proxy as it is factored into the prices charged; therefore, every one of us, both buyer and seller, needs an explanation as to how and why this issue has occurred. Perhaps you should spend more time researching how things work on Silk Road, thus giving you more insight as to why an explanation is required in this instance, and less time advising people to complain to their country's consumer protection agency.
To reply to the rest of your post: yes, SR's success is indeed all about access and volume; we have 90%+ up-time, which, for a site such as this, is absolutely remarkable. We also have a huge volume of sellers and buyers here, so we do have the volume.
Yes, it is good that new people are here. Silk Road is not just a place to buy drugs, it is also the manifestation of a revolutionary idea and a hotbed of agorism - the more people that get exposed to that, the better.
And I presume you mean 'BMR', not 'BML'. There is a very limited pool of potential buyers over there, and it is also rife with scams, mainly due to the low cost of obtaining vendor privileges.
I'm not entirely sure what any of your post had to do with the topic at hand though. This issue is not being caused by an influx of new members, nor has it got anything to do with access nor volume, so nothing that you said is even remotely related to the topic under discussion.
- grahamgreene
-
Private Listings seem to be unaffected by the hack and the site is working properly, other than the shipping and images. I still will ask for early finalization, just to be safe, but if you look at my vendor page, you'll feel very secure in doing that. As soon as the order is finalized, you can know that it will go out as soon as possible. Right now, as a test, I'll be offering 1/8 and 1/4 oz listings.
1/8
http://silkroadvb5piz3r.onion/silkroad/item/9ce7beec54
1/4
http://silkroadvb5piz3r.onion/silkroad/item/3a3068e01b
Lastly, I encourage people to stop freaking out. DPR is the man.
-
A SQL injection attack wouldn't be necessary if an attacker had root access to the server or database. Keep in mind that if an attacker had full access to the server they could just modify the code so bitcoins are redirected to their account. You wouldn't even notice anything was suspect until it's too late. This is why the attack is so half-assed. They have very little access to modify anything of worth so they are just modifying the pictures and deactivating shipping options.
As to why private listings are working: I'm 99% sure the SQL injection that is being used on SR involves manually injecting it on vendor listings. As a result, the attackers can't access private listings without knowing the URL. Unfortunately, once the URL becomes known the attack can be deployed once again. I'll be interested to see if californicationbuds' URLs posted above get attacked.
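The mechanism CompSci speculates about above (a vendor-editable listing field being injected into SQL, with the attacker able to reach only the image and shipping columns) shown as an added example. This is not code from this thread or from Silk Road; the table, the column names (including storing the image as base64 text in the database) and the two update handlers are assumptions made up for the illustration. The vulnerable handler builds the UPDATE by string concatenation; the hardened one binds the title as a parameter, so the same submitted text can only ever be a title.

```python
"""Added example: string-built UPDATE on a vendor listing vs. the
parameterized form. Schema, column names and payload are hypothetical."""
import sqlite3

# Constructed payload: the 'title' a malicious vendor submits for their own
# listing. The quote closes the title literal, the extra assignments retag the
# image and clear the shipping options, "WHERE 1=1" widens the update to every
# row, and "--" comments out the original WHERE clause (the vendor_id check).
INJECTED_TITLE = "Dank', image_b64='QUICKBUY', shipping_json='[]' WHERE 1=1 --"


def make_db():
    """Constructed sample table: three listings belonging to two vendors."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, vendor_id INTEGER, "
        "title TEXT, image_b64 TEXT, shipping_json TEXT)"
    )
    conn.executemany(
        "INSERT INTO listings VALUES (?, ?, ?, ?, ?)",
        [
            (1, 10, "1/8 oz", "img1", '["priority"]'),
            (2, 10, "1/4 oz", "img2", '["priority"]'),
            (3, 20, "Digital good", "img3", '["none"]'),
        ],
    )
    return conn


def update_title_vulnerable(conn, vendor_id, listing_id, title):
    """Deliberately vulnerable: user-controlled title concatenated into SQL."""
    sql = (
        "UPDATE listings SET title='" + title + "' "
        "WHERE id=" + str(listing_id) + " AND vendor_id=" + str(vendor_id)
    )
    conn.execute(sql)
    conn.commit()


def update_title_safe(conn, vendor_id, listing_id, title):
    """Hardened: the title is bound as a value and can never become SQL."""
    conn.execute(
        "UPDATE listings SET title=? WHERE id=? AND vendor_id=?",
        (title, listing_id, vendor_id),
    )
    conn.commit()


def snapshot(conn):
    """Return every row as (id, vendor_id, title, image_b64, shipping_json)."""
    return conn.execute(
        "SELECT id, vendor_id, title, image_b64, shipping_json "
        "FROM listings ORDER BY id"
    ).fetchall()


def demo(safe):
    """Vendor 20 edits only listing 3; return the whole table afterwards."""
    conn = make_db()
    handler = update_title_safe if safe else update_title_vulnerable
    handler(conn, 20, 3, INJECTED_TITLE)
    return snapshot(conn)


if __name__ == "__main__":
    for row in demo(safe=False):
        print("vulnerable:", row)   # every row now carries QUICKBUY, no shipping
    for row in demo(safe=True):
        print("safe:      ", row)   # only listing 3's title changed, literally
```

Note what the vulnerable path cannot do: it only touches columns of the listings table, which matches the observation that pictures and shipping options changed while escrow and balances did not. It also shows why the private-listing workaround cannot help, since the injected UPDATE does not care which listings are visible.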
-
A SQL injection attack wouldn't be necessary if an attacker had root access to the server or database. Keep in mind that if an attacker had full access to the server they could just modify the code so bitcoins are redirected to their account. You wouldn't even notice anything was suspect until it's too late. This is why the attack is so half-assed. They have very little access to modify anything of worth so they are just modifying the pictures and deactivating shipping options.
As to why private listings are working: I'm 99% sure the SQL injection that is being used on SR involves manually injecting it on vendor listings. As a result, the attackers can't access private listings without knowing the URL. Unfortunately, once the URL becomes known the attack can be deployed once again. I'll be interested to see if californicationbuds' URLs posted above get attacked.
My God... could it possibly be... LOGIC?! :o
-
Funny how the only vendors with the "quick buy" address' are the ones who do ample business ::)
-
Please keep SR up and running! It is a true freedom to have. I wish that those who are attacking SR in the name of greed, could see that
SR is a freedom worth defending tooth and nail.
-
A SQL injection attack wouldn't be necessary if an attacker had root access to the server or database. Keep in mind that if an attacker had full access to the server they could just modify the code so bitcoins are redirected to their account. You wouldn't even notice anything was suspect until it's too late. This is why the attack is so half-assed. They have very little access to modify anything of worth so they are just modifying the pictures and deactivating shipping options.
As to why private listings are working: I'm 99% sure the SQL injection that is being used on SR involves manually injecting it on vendor listings. As a result, the attackers can't access private listings without knowing the URL. Unfortunately, once the URL becomes known the attack can be deployed once again. I'll be interested to see if californicationbuds' URLs posted above get attacked.
I agree with pretty much everything, with the exception of the Private Listings. The pages are sortable by 'bestselling' and 'seller rank', so I am guessing they are targeting those listings automatically. I have made my regular listings private, so the URL didn't even change, which is what leads me to believe this.
-
A SQL injection attack wouldn't be necessary if an attacker had root access to the server or database. Keep in mind that if an attacker had full access to the server they could just modify the code so bitcoins are redirected to their account. You wouldn't even notice anything was suspect until it's too late. This is why the attack is so half-assed. They have very little access to modify anything of worth so they are just modifying the pictures and deactivating shipping options.
As to why private listings are working: I'm 99% sure the SQL injection that is being used on SR involves manually injecting it on vendor listings. As a result, the attackers can't access private listings without knowing the URL. Unfortunately, once the URL becomes known the attack can be deployed once again. I'll be interested to see if californicationbuds' URLs posted above get attacked.
I agree with pretty much everything, with the exception of the Private Listings. The pages are sortable by 'bestselling' and 'seller rank', so I am guessing they are targeting those listings automatically. I have made my regular listings private, so the URL didn't even change, which is what leads me to believe this.
Nice of you to implement my idea :)
-
This shit just makes me sick. I really hope nobody actually fell for this scam. Leave SR alone you stupid fucking hackers! Or at least try harder next time lol I don't know who would have actually been naive enough to fall for this. (Just kidding don't try it at all assholes. Start earning your money instead of attempting to steal it!)
-
A SQL injection attack wouldn't be necessary if an attacker had root access to the server or database. Keep in mind that if an attacker had full access to the server they could just modify the code so bitcoins are redirected to their account. You wouldn't even notice anything was suspect until it's too late. This is why the attack is so half-assed. They have very little access to modify anything of worth so they are just modifying the pictures and deactivating shipping options.
As to why private listings are working: I'm 99% sure the SQL injection that is being used on SR involves manually injecting it on vendor listings. As a result, the attackers can't access private listings without knowing the URL. Unfortunately, once the URL becomes known the attack can be deployed once again. I'll be interested to see if californicationbuds' URLs posted above get attacked.
I agree with pretty much everything, with the exception of the Private Listings. The pages are sortable by 'bestselling' and 'seller rank', so I am guessing they are targeting those listings automatically. I have made my regular listings private, so the URL didn't even change, which is what leads me to believe this.
Nice of you to implement my idea :)
Ha, I apologize if I did, I just saw that post and replied. Great minds, I guess.
-
I've just gotten a message from someone who tried to buy through one of the private listings. In short, it does not work. He said that the shipping option can be selected, but then when the address is entered and the order is submitted, the buyer is taken to a blank order screen. His money stayed in his account and I received no order. So, the Private Listing idea is out.
-
Just for fun, I typed out the SR Quickbuy addresses from the 3 bestselling listings and checked them on blockchain.info, to see if anyone has fallen for it yet:
http://blockchain.info/address/1D4gsuh4M3Xv8ms8vkTVhb8kq2tkPnVgBr
http://blockchain.info/address/1KEQYmgyqNSVU2DPrWKRZAPyjvPDt6TdCe
http://blockchain.info/address/1NAKpJAuWHS3cqjBoMNzsbvRbVz7s3Rb4E
There are no transactions and no balance on any of those three yet. So far, it looks like it's doing a lot more harm to SR than it is doing good for the scammer(s).
It's actually a pretty shitty scam. We'll see if they make any money on it.
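The addresses above were typed out by hand from images, and a single mistyped character silently turns a lookup into a query for a different, empty address. Bitcoin addresses carry a 4-byte checksum (Base58Check: the last four bytes are the first four bytes of SHA-256(SHA-256(version byte + hash160))), so a transcription error can be caught locally before anything is looked up. The following is an added example, not the poster's code; the three addresses from the post are used as sample input, and the well-known genesis-block coinbase address is used as a known-good reference.

```python
"""Added example: Base58Check verification of hand-transcribed Bitcoin
addresses. Pure standard library; runs offline."""
import hashlib

# Base58 alphabet: no 0, O, I or l, which is exactly what makes hand-typing
# from an image error-prone (every other look-alike is still allowed).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s):
    """Decode a Base58 string to bytes; each leading '1' is a leading 0x00 byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid Base58 character %r" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_ones + body


def check_address(addr):
    """Return (version_byte, hash160_hex) if the checksum verifies, else None.

    Version 0x00 is a P2PKH address (starts with '1'); 0x05 is P2SH ('3').
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) != 25:                      # 1 version + 20 hash + 4 checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if digest != checksum:
        return None
    return payload[0], payload[1:].hex()


def screen(addresses):
    """Map each transcribed address to its decoded form, or None if it is
    not worth looking up because the checksum already rejects it."""
    return {a: check_address(a) for a in addresses}


# Sample input: the three addresses transcribed in the post above, plus the
# genesis coinbase address (known good) and a deliberately corrupted copy.
SAMPLE = [
    "1D4gsuh4M3Xv8ms8vkTVhb8kq2tkPnVgBr",
    "1KEQYmgyqNSVU2DPrWKRZAPyjvPDt6TdCe",
    "1NAKpJAuWHS3cqjBoMNzsbvRbVz7s3Rb4E",
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",   # genesis block output address
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",   # last character changed
]

if __name__ == "__main__":
    for addr, result in screen(SAMPLE).items():
        print(addr, "OK" if result else "BAD CHECKSUM, re-read the image")
```

Only addresses that pass this check are worth querying; an address that fails was misread from the image, and the "no transactions" result for it would say nothing about the scam.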
-
There are people saying they are only targeting big vendors and etc, but we are now being "Quick Buy'ed" as well. Most of our listings are now conquered and reloading the picture won't do anything... It gets tagged a couple of minutes after. We had problems with our shipping options once a couple of days ago but now they seem stable...
I hope the attacker is defeated soon and whoever does this...fuck off!
-
If people are falling "victim" maybe they should have read some threads first...
I mean... if you jump on here one day and load up your bitcoin and start spending like mad, not asking who's who, and what's what... you're gonna get taken. That's fairly black and white people. :o
Read, read, read! Learn! Sit back and freakin' observe...
Peace all..
-0nion-
-
Just for fun, I typed out the SR Quickbuy addresses from the 3 bestselling listings and checked them on blockchain.info, to see if anyone has fallen for it yet:
http://blockchain.info/address/1D4gsuh4M3Xv8ms8vkTVhb8kq2tkPnVgBr
http://blockchain.info/address/1KEQYmgyqNSVU2DPrWKRZAPyjvPDt6TdCe
http://blockchain.info/address/1NAKpJAuWHS3cqjBoMNzsbvRbVz7s3Rb4E
There are no transactions and no balance on any of those three yet. So far, it looks like it's doing a lot more harm to SR than it is doing good for the scammer(s).
It's actually a pretty shitty scam. We'll see if they make any money on it.
Aww, they went through all that effort for nothing! Poor scammers.
-
So I have been messaging vendors, trying to see how I can place an order tomorrow.
I am getting worried here. Many of the vendors are suggesting that since the order system is so compromised that I contact them on Tormail and place the order by telling them what I want and sending BTC to their wallet address.
Am I being paranoid, or is it possible some vendor accounts have been hacked? Maybe they have access to the messages in vendors accounts?
Any vendors having trouble logging in?
-
Fucking hell mate, as I've said before & I will remind you guys again DPR & Crew.
SR have to invest heavily on security.
I don't care what it takes.
Just do what you guys have to do with all that coin fee that vendors have been pouring into SR's pocket.
Forget the design / innovations / other future applications project for a moment, your homework is site security.
How the fuck can my listing have a picture of those "quick fucking buy" (sorry for the explicit language) but it's IMHO.
Most certainly something is wrong in the coding / security app if the hackers can penetrate with this kind of action.
Remember DPR: stay hungry & stay foolish!
-
I just ordered 4000 worth of shit and I didn't bat an eye, went through and everything..
Vendor said everything is fine.
It's not a real hack.
It's like a kid who found out how to unlock your iPhone..
but all the apps are locked and it's useless ..
so they take a bunch of screenshots lol
-
Are vendors required to setup shipping options? If not, can a customer submit an order without selecting a shipping method?
I ask because a possible workaround for listings which aren't stealth would be to setup listings that include the shipping cost in the price of the item and just tell customers to ignore selecting shipping options altogether. Obviously, your image may still get hijacked but it is better than not getting any business at all.
-
Are vendors required to setup shipping options? If not, can a customer submit an order without selecting a shipping method?
I ask because a possible workaround for listings which aren't stealth would be to setup listings that include the shipping cost in the price of the item and just tell customers to ignore selecting shipping options altogether. Obviously, your image may still get hijacked but it is better than not getting any business at all.
Yes, even digital goods require a shipping option to be selected before they can be submitted. They usually just put one option for 0 BTC that you have to select and update the cart with before you can submit.
-
Just do what you guys have to do with all that coin fee that vendors have been pouring in to sr pocket.
Everybody keeps acting like this is a problem you can solve by throwing more money at it. As if DPR can post public job listings for programmers and whip out his credit card to purchase new servers. Security is already hard, but it's a lot harder when trying to stay anonymous. You can't buy trust. You can't scale to fill a data center and stay anonymous.
If these problems could be fixed with bitcoins alone, they would already be fixed.
-
I'll repost my comment from another thread:
I just wanted to say that I deposited money into SR today and it took 1.5 hours to get from instawallet to SR (which is the usual amount it takes for me to get a deposit on SR), so no worries there. I just placed an order and had no problems. I wouldn't panic and start cancelling orders and withdrawing all your BTC just yet. Everything seems fine. The vendor I just bought from had their most popular listings compromised by the hackers watermark (and the shipping options disappeared), but either they or the SR admins fixed something, because the shipping options reappeared and the watermark disappeared and I was able to order like normal.
-
Obviously this is a scam.
Sure, when it began with the problems on SR you called the feedback about it "conspiracy theory", and didn't want to make news about it, also why DPR and the Mods are gone.
But maybe now you will work to fix it. Before someone steals the chair you sit on, of course. I think this will have an interesting ending.
-
Is there any reason why I should NOT finalize for a received order just yet?
Does the hack have anything to do with escrow/finalizing?
can anyone enlighten me???
-
Just for fun, I typed out the SR Quickbuy addresses from the 3 bestselling listings and checked them on blockchain.info, to see if anyone has fallen for it yet:
http://blockchain.info/address/1D4gsuh4M3Xv8ms8vkTVhb8kq2tkPnVgBr
http://blockchain.info/address/1KEQYmgyqNSVU2DPrWKRZAPyjvPDt6TdCe
http://blockchain.info/address/1NAKpJAuWHS3cqjBoMNzsbvRbVz7s3Rb4E
There are no transactions and no balance on any of those three yet. So far, it looks like it's doing a lot more harm to SR than it is doing good for the scammer(s).
It's actually a pretty shitty scam. We'll see if they make any money on it.
Aww, they went through all that effort for nothing! Poor scammers.
I hope I don't sound too sympathetic. It's just such a pathetic situation all around.
-
Is there any reason why I should NOT finalize for a received order just yet?
Does the hack have anything to do with escrow/finalizing?
can anyone enlighten me???
Yes, you should finalize.
-
Just for fun, I typed out the SR Quickbuy addresses from the 3 bestselling listings and checked them on blockchain.info, to see if anyone has fallen for it yet:
http://blockchain.info/address/1D4gsuh4M3Xv8ms8vkTVhb8kq2tkPnVgBr
http://blockchain.info/address/1KEQYmgyqNSVU2DPrWKRZAPyjvPDt6TdCe
http://blockchain.info/address/1NAKpJAuWHS3cqjBoMNzsbvRbVz7s3Rb4E
There are no transactions and no balance on any of those three yet. So far, it looks like it's doing a lot more harm to SR than it is doing good for the scammer(s).
It's actually a pretty shitty scam. We'll see if they make any money on it.
Aww, they went through all that effort for nothing! Poor scammers.
I hope I don't sound too sympathetic. It's just such a pathetic situation all around.
I don't think you sound sympathetic at all. I was just making fun of the scammers. It's just funny to think that they probably put a ton of effort into this, and aren't getting anything out of it! There are so many instances of people getting ripped off on SR by scammers who barely had to do anything. And now these "hackers" come and probably think they have the ultimate scam going, and aren't getting shit.
-
Just for fun, I typed out the SR Quickbuy addresses from the 3 bestselling listings and checked them on blockchain.info, to see if anyone has fallen for it yet:
http://blockchain.info/address/1D4gsuh4M3Xv8ms8vkTVhb8kq2tkPnVgBr
http://blockchain.info/address/1KEQYmgyqNSVU2DPrWKRZAPyjvPDt6TdCe
http://blockchain.info/address/1NAKpJAuWHS3cqjBoMNzsbvRbVz7s3Rb4E
There are no transactions and no balance on any of those three yet. So far, it looks like it's doing a lot more harm to SR than it is doing good for the scammer(s).
It's actually a pretty shitty scam. We'll see if they make any money on it.
Aww, they went through all that effort for nothing! Poor scammers.
I hope I don't sound too sympathetic. It's just such a pathetic situation all around.
I don't think you sound sympathetic at all. I was just making fun of the scammers. It's just funny to think that they probably put a ton of effort into this, and aren't getting anything out of it! There are so many instances of people getting ripped off on SR by scammers who barely had to do anything. And now these "hackers" come and probably think they have the ultimate scam going, and aren't getting shit.
What you have to take into consideration is that many of the SR members do not use, or do not know about the forums. Therefore they are very ill-informed. I wouldn't be surprised if whoever is at the receiving end of those BTC addys hasn't already made off like bandits. How do you think all the scamming vendors make it worth their while, so much so that they will keep returning under new aliases to continue their evil trickery *coughs*mtljohn *hem*, among many others.
Shit, I'd say that on the general requirement of newbs with under 5 purchases being 'obligated' to FE alone, a scammer can make his money's worth for the time and effort invested. They continue rocking until they're pinched & thrown out.. then new alias, repeat ...
-
I have been reading all threads associated with this.
It appears that some SR buyers are falling for this, and vendors are getting messages about it.
Doesn't seem like many are falling for this bullshit, and it definitely seems like an epic fail considering the amount of effort that was put into this, however, some people are sending BTC to those fuckers.
Can't have anything nice... some peoples kids...
There is a reason the mods aren't chiming in btw, and I assure you it is for good reasoning. Nothing to worry about there.
Cheers,
NWD
-
Just for fun, I typed out the SR Quickbuy addresses from the 3 bestselling listings and checked them on blockchain.info, to see if anyone has fallen for it yet:
http://blockchain.info/address/1D4gsuh4M3Xv8ms8vkTVhb8kq2tkPnVgBr
http://blockchain.info/address/1KEQYmgyqNSVU2DPrWKRZAPyjvPDt6TdCe
http://blockchain.info/address/1NAKpJAuWHS3cqjBoMNzsbvRbVz7s3Rb4E
There are no transactions and no balance on any of those three yet. So far, it looks like it's doing a lot more harm to SR than it is doing good for the scammer(s).
It's actually a pretty shitty scam. We'll see if they make any money on it.
Aww, they went through all that effort for nothing! Poor scammers.
I hope I don't sound too sympathetic. It's just such a pathetic situation all around.
I don't think you sound sympathetic at all. I was just making fun of the scammers. It's just funny to think that they probably put a ton of effort into this, and aren't getting anything out of it! There are so many instances of people getting ripped off on SR by scammers who barely had to do anything. And now these "hackers" come and probably think they have the ultimate scam going, and aren't getting shit.
What you have to take into consideration is that many of the SR members do not use, or do not know about the forums. Therefore they are very ill-informed. I wouldn't be surprised if whoever is at the receiving end of those BTC addys hasn't already made off like bandits. How do you think all the scamming vendors make it worth their while, so much so that they will keep returning under new aliases to continue their evil trickery *coughs*mtljohn *hem*, among many others.
Shit, I'd say that on the general requirement of newbs with under 5 purchases being 'obligated' to FE alone, a scammer can make his money's worth for the time and effort invested. They continue rocking until they're pinched & thrown out.. then new alias, repeat ...
There's not even any activity, at least on these three. I think the primary reason is that it is a lot harder to throw your money away than it is to spend it.
I do agree about the low-information status of many of the users, though. It might turn out to be worth the scammer's or scammers' time, but I haven't seen the evidence yet. They'll probably net a few BTC, but I doubt they'll get much unless there's something big I'm missing here.
-
I have been reading all threads associated with this.
It appears that some SR buyers are falling for this, and vendors are getting messages about it.
Doesn't seem like many are falling for this bullshit, and it definitely seems like an epic fail considering the amount of effort that was put into this, however, some people are sending BTC to those fuckers.
I have heard this too, but can anyone point to an address in the block chain along with the listing / image in which it appears? All the ones I check are at zero, so yeah, overall it seems like an epic failure.
-
What we want to know is how come it's going on 18+ hours of this and we have yet to hear from DPR, the site is still up and this is bad for business. It should be down by now to save the people from being scammed. Something is starting to smell fishy to me.
Mrs Magic Moments
-
What we want to know is how come it's going on 18+ hours of this and we have yet to hear from DPR, the site is still up and this is bad for business. It should be down by now to save the people from being scammed. Something is starting to smell fishy to me.
Mrs Magic Moments
This. I am hoping it is just paranoia but one way or the other this is starting to look very bad.
-
What we want to know is how come it's going on 18+ hours of this and we have yet to hear from DPR, the site is still up and this is bad for business. It should be down by now to save the people from being scammed. Something is starting to smell fishy to me.
Mrs Magic Moments
This. I am hoping it is just paranoia but one way or the other this is starting to look very bad.
DPR has replied...
http://dkn255hz262ypmii.onion/index.php?topic=94596.0;topicseen
-
Looks like all pictures on SR have been taken down.. still can't order though... this is getting real annoying seeing I just loaded up on bitcoins :'(
-
How the FUCK can this be happening? That's all you have to say, mod? It's a scam? No fucking shit. It's also a huge revelation for everyone: Silk Road has no security. Some scammer just edited all your fucking photos and the shipping options. All of our names and addresses can't possibly be secure. Whoever runs this site should also be very, very scared... as all of us should be.
-
I think some of these posts could be used as a good argument as to why narcotics should remain illegal....
Drug induced paranoia anyone?
Let's all just calm down a little. Time will tell. :)
-
I think some of these posts could be used as a good argument as to why narcotics should remain illegal....
Drug induced paranoia anyone?
Let's all just calm down a little. Time will tell. :)
or, maybe in your case, drug induced Pronoia.
-
seems to be fixed
-
All of our names and addresses can't possibly be secure. Whoever runs this site should also be very, very scared... as all of us should be.
I don't know about you but I have ALWAYS used the vendor's public PGP key and encrypted my delivery address when placing orders. You shouldn't be sending your address in plain text; every layer of security you can add is another layer of security someone else would have to penetrate to make you have a bad day.
Does this hack worry me? Fuck yes it does and I don't even spend that much money on the road. I read in another thread a suggestion I think DPR should entertain which is to offer BTC rewards for people that can find security holes and vulnerabilities in the site so he can work on fixing them. He needs to be proactive about this stuff after this image hack.
But I also realize that a site like this will inevitably always be a target of hackers and law enforcement and we always need to be aware of that as users of the site, and the admins of the site need to be especially aware of it and take all possible measures to protect its stability and security, just like we should take all possible measures to protect our own security including sending delivery addresses encrypted with the vendor's PGP key.
-
Someone was saying SQL injection. How does a hacker access the files at SR and edit the pictures like that? This means that they have already hacked into the SR database and have control of the files.
I imagine the images here are stored as base64 strings in the database so that they can easily be put inline with the HTML (loads way faster on Tor that way). No file access would be needed, only database access.
-
How the FUCK can this be happening? That's all you have to say, mod? It's a scam? No fucking shit. It's also a huge revelation for everyone: Silk Road has no security. Some scammer just edited all your fucking photos and the shipping options. All of our names and addresses can't possibly be secure. Whoever runs this site should also be very, very scared... as all of us should be.
You keep your name and address stored on the site? Probably unwise.
-
SR is here forever you fuckin paranoid fuckin HOMOS.
-
If you're scared don't come back to this site (nothing to worry about). Don't buy spice.
-
I think some of these posts could be used as a good argument as to why narcotics should remain illegal....
Drug induced paranoia anyone?
Let's all just calm down a little. Time will tell. :)
I'm sorry to have to disagree with you Abby, but this is not "drug induced" paranoia.
Paranoia by definition is:
Psychiatry. a mental disorder characterized by systematized delusions and the projection of personal conflicts, which are ascribed to the supposed hostility of others, sometimes progressing to disturbances of consciousness and aggressive acts believed to be performed in self-defense or as a mission.
2.
baseless or excessive suspicion of the motives of others.
We know you were talking about number 2 because it's safe to say that the majority of people on here have little to no real psychiatric issues. But, the fact is, the accusations and people being worried and or paranoid as you put it, are not baseless. Someone or some people did hack the website, with all the money on the site, little of which actually belongs to DPR, and the countless lost sales to the top vendors, goes to show you how many "bases" these guys are on. How bad is it that something like this happens to the site? We think it may be a total game changer for everyone watching. We here at MM had been following the threads about the Road and its issues. Never once was there any real info out there showing us that the site was, let's say: "weak". But now there's no doubt that the site has been compromised. Each and every buyer, vendor, LE agent, reporter and most importantly the hackers know this by now. Everyone who is against the Road is working overdrive right now trying to figure out how these people got in, where did they get to, are they still there, how did they do it etc.
MM
-
Disclaimer: I'm running late so I haven't had time to read anything but the first and last page, so this might have already been said before:
Just wanted to say it might be a good idea to, oh I don't know, post a tiny little warning on the front page so people don't give thousands of bitcoins to the hackers (which they almost certainly already have.) It could read something like:
"SITE HAS BEEN COMPROMISED. USE CAUTION."
A fun project would be to record all the addresses in the contaminated images and see exactly how much money flowed into them as a result of this little scam.
Glad I randomly decided to doublecheck the PGP key on a vendor's page against the one I already had saved before placing an order just now. Jesus Christ...
-
Glad I randomly decided to doublecheck the PGP key on a vendor's page against the one I already had saved before placing an order just now. Jesus Christ...
Why, had the vendors public PGP key been changed as well? As in, the hacker is trying to get peoples address?
-
Glad I randomly decided to doublecheck the PGP key on a vendor's page against the one I already had saved before placing an order just now. Jesus Christ...
Why, had the vendors public PGP key been changed as well? As in, the hacker is trying to get peoples address?
No, sorry, didn't mean to imply that it had. Just something to be on the lookout for, since the site has been, you know, hacked. :P
But like CompSci said, they don't seem to have the ability to mess with anything else. If PGP keys started changing my faith would be shaken quite a bit. That would be as unnerving as fuck. This is small beans, I realize.
I wonder if the site is on autopilot right now.
(I take it everyone's gone somewhere else... Now to check the other threads...)
-
Couple of things we must remember.
1. SR activity is small fry as far as LE are concerned - 20 million in a 300 billion dollar international trade is hardly ground shaking
2. LE would have to consider very carefully how much resource they dedicate to breaking this thing ?
3. Disrupting its activity would probably be a better option.
4. Getting a whole bunch of pot heads paranoid as hell isn't a difficult thing to do.
What happens when they get paranoid - they leave SR and go back out on the street where it is all the more dangerous and the chances of getting caught, a lot higher.
Report from QLD Aus recently quoting from a classified report stating that technically interrupting SR would be difficult, costly and time consuming. Much easier to get a handful of agents involved and disrupt things for the sole purpose of making them scared.
Quite clever actually.
There are obviously LE agents reading this stuff and I say to them "wouldn't your time be better spent dealing with real problems?"
-
Hi, I'm editing this post as I see the problem of remaining Quick Buy images has been spotted and mentioned in the other thread. I'm removing vendor and listing I posted as there are a few that have been noticed now.
-
As a nube, I certainly appreciate helpful posts on what to watch out for, as well as the informative replies. Looks like it's going to take a while to read up on everything.
Thanks, everyone!
-
The guy I buy my weed from used to have a vendor's account on SR but from his mouth the security at SR was a joke and he was constantly having trouble with BTC.
He is a high-grade marijuana dealer that I feel has the perfect Tor system; if you want his contact information PM me.
Fucking mtlsavile, I feel sorry for the idiots dealing with your dumbass. As for SR, if you haven't treated it like it was compromised from day 1 you're probably going to have issues at some point.