Silk Road forums

OP updated

UPDATE:  The issue has been resolved.  The hole that lead to the hacker gaining access to other vendor's images and postage options has been plugged.  I've sent a message to all vendors asking them to update their images and postage options if their listings were affected, so hopefully the listings will be back to normal soon.  I've turned off incognito mode on all accounts, so if you were using incognito browsing before, you'll need to re-enable it on your setting page.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey gang,

I'm aware of the image hack that has taken place and am working with my team to fix the issue.  Whoever was able to pull it off was is very skilled and clever.  Hopefully no one has fallen for it and sent money to any of these mystery addresses in the images.  So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

I have switched the default view for all accounts to "incognito" so images won't show up.  Also, it is looking like we will most likely lose the defaced images, so those will need to be re-uploaded.

I'm terribly sorry for the trouble this is causing, and we will get it cleaned up asap.

- -DPR

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJQ0V3+AAoJEAIiQjtnt/ol61wIAJgLMU7G9afQIPcEP11QQUfu
nvYAnM+BGsh6U/I65r5p7WzoLlIWTl+1mRIg3YNXMT/6UTphOMFKOv6/XXJig5o/
edja/1+5UJhLeOpXNuDlJDrLJqFGqGKu/swIn0rT2AmmxrgBcXYX+QUnoEZ4lJct
qMcKVX/j6PnWoT62RfmS5cirvbR7R6DB/ahzaVlihjx+XYzw5PiSmPthivQlUiLB
9XWibiO73kxq2cw/+hVvnhHFKbME1Ima1Q/JVX0knY+oAXIW0jeTrg7irDlg7ObL
Xn/w8WJ4GQ+qUkKn/jaY8Im3sFWLXDzWgC+VAAhmatEn49eSraVFA7kVX91tF6Q=
=LZjl
-----END PGP SIGNATURE-----

UPDATE (1912 UTC 11/26/2012): We've gone through the first step in our anti-ddos procedure and reopened the site to see if it was enough.  I'll be monitoring the situation until I am confident the site is stable.  Thanks for your patience.

I've closed the site because it appears to be under a DDoS attack.  The initial survey of the situation appears this way.  I will keep you updated here.  We have a plan in place to mitigate this and are going through the steps to execute this plan.

I would be interested to hear the opinion on this section of anyone who considers themselves a heroin addict.  Is the authors viewpoint valid?  Does he downplay or overemphasize anything?

He specifically mentions heroin addiction, but I suppose this would be applicable to anyone addicted to a controlled substance.

Thanks in advance for your input!

this thread is out of date, locking...

UPDATE (0051 UTC 11/24/2012): I think we have this problem taken care of for the time being.  I've said that so many times in the past couple of weeks that I hate to say it again, but we should be sailing smooth.  Thanks for your patience.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey everyone,

So sorry no one could login for the past 12 hours or so.  Ever since we came back up from the down-time, we've been having some trouble with the authentication controller.  For some reason it won't match the credentials you put in to the record, so it just kicks you back to the login screen.  I've restarted it and it is working fine again, so we'll be looking at what the issue might be today and hopefully sort it out.

DPR

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJQr4YTAAoJEAIiQjtnt/olYowH/3gnYJWlBYj0pi3lmgP0rnVJ
B6nDB8ln8hnR/9kASgYXZxD56QdpTG86VjyT+fAcJWx6qxhM0Jt/Lzk0dbdNF0pN
8EKc39eNbUp7yjPIvK4dhinyGjprB4k5DrfI4XvXaUv9XbmLCaKiHT8mG76FshZU
FRMPh3V4WINycNTOY/wAAmArxpsVCSP7MzjMwJuwkPqe105DC/5YTmy8EDfCCCCu
JLYXIjpx8UFK51ftG96hKL0t3vMqr5OPbEC/eZBJiCwgmRfFiR1GuLOhnq0q8yol
QQ9KKWBjioE9XrAcXSyFEENTbk+2p2e6BKcNHCLteVPb2DN9RQRIWMc2mswPHok=
=9rU2
-----END PGP SIGNATURE-----

I've heard mixed reports about site availability since we came back from the down-time.  Please everyone weigh in on how we are doing so I can get a better sense of it.

EDIT: please post the output you get when verifying the signature.

ugh, I even had someone check the sig before I posted it.  You all are checking with the public key on my userpage, right?

https://silkroadvb5piz3r.onion.to/silkroad/user/923820dcc5

I've signed the message again with different software on a different OS.  Please confirm that this one checks out:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey gang,

What a week!  How do I even begin trying to summarize all of this?  A couple of weeks ago, we started seeing the accessibility and speed of Silk Road start to drop, especially around peak hours.  Monitoring the number of incoming connections, pageviews and registrations showed record breaking numbers, so the obvious conclusion was that we were getting an influx of new members that was overloading our current infrastructure.  We immediately went to work identifying and overcoming the bottlenecks in the system.  However, as each was overcome, demand for resources would fill in and run up against the next bottleneck.  In the past week we've literally been through every layer of our entire system from hardware, to software, to application making it more efficient and streamlined.  We did not rule out the possibility that the increased usage was due to a hacking attempt (known as denial of service, or DoS) and took this time to implement several security measures that had been in the works anyway.

Then the site went completely off-line.  There are a few things that I don't trust to anyone else, and that's the wallets, and rebooting the system.  I was away from my computer when the site went down, and came back a couple of days later to utter chaos on the forums.  I've pretty much been in communication since, but basically we did a full redeploy of the entire system including the new security and performance measures which turned out to be quite challenging in the end.  We ran into a few stumbling blocks, but were able to get past them.  I have to take a moment here to thank my team, both the customer support staff and the technical team.  These guys were right there with me the whole time and I don't think I could've gotten through it without them, certainly not as quickly.

So, now we are back.  What have I learned from all of this?  First off, it helped me realize just how much the site means to me and all of you.  These forums were like a battleground of opinion, with everyone expressing their concern.  By far the worst part of this whole thing was putting everyone through that uncertainty.  I knew nothing I could say would make any difference until you had access to your funds and were able to use the site again.  So mostly I just focused on getting us back up as quickly as I could without cutting any corners or taking any chances.  I also learned a ton about the limitations of the technology we rely on and the direction we need to go to keep Silk Road secure and scalable.

Thank you to everyone who encouraged and supported me and the team this week.  Your kind words were our fuel.  To anyone who doubted us, or suspected us of betrayal, again, I am so sorry to put you through that uncertainty.  It is not something I want to repeat ever again and you can rest assured I'll do everything I can to prevent and limit any future down time.  I know this whole market is based on the trust you put in me and I don't take that lightly.  It's an honor to serve you and though you don't know who I am, and have no recourse if I were to betray you, I hope that as time goes on I will have more opportunities to demonstrate that my intentions are genuine and no amount of money could buy my integrity.

Especially you old hats that have been around since the beginning, but this goes for everyone, you all are like family to me.  Sure we have some crazy cousins floating around, but they just add character, right?  Doesn't matter though, I love you all.  Of all the people in the world, you are the ones who are here, in the early stages of this revolution.  You are the ones getting this thing off the ground and driving it forward.  It is a privilege to have you by my side.  Thank you for your trust, faith, camaraderie and love.

Sincerely,
Dread Pirate Roberts

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJQp8UyAAoJEAIiQjtnt/olyusIALRRhZM49sth+5wudmHXeN4Z
HrhuUzIUQdNVYvK51moKFugB1oH2Fv+X7sp+2FRbUy1Ra5PqtvQBf9qo9xFsdlUj
QplvN20eXZ3+bRcjUqW8wKSDxO+BB+Q0twkE04uQj4igMgyWZjzdM5IFTxnIWmkg
c/HYH8hkS3BB2objHogiwQJhvX8F0A4ei1+K8id89owfv8RucP37aQxVPmpFEAD7
vnbE9KH5hHfw8gOeRKU5Vch4NfF0s6Zr2yFOBgx8tHsmARlsOjktXWVh0VfRCn1v
PFhQeypgblSPOmSSROCIfBxwei6sniC/kXi7/lJK5A7fqqjfge2HqBk8bBuflM8=
=mi48
-----END PGP SIGNATURE-----