Silk Road forums
Discussion => Silk Road discussion => Topic started by: InnocentBystander4 on July 26, 2012, 03:27 am
-
[EDIT: This is an extension of my previous thread: http://dkn255hz262ypmii.onion/index.php?topic=30774.15 ]
Hi Guys
So what's the best method to get an official response from SR? Do you need a thread rolling above a critical mass? Should I first hassle a forum admin? Do you send messages on the SR site? Do any SR techies (other than DPR) ever answer questions on the boards? Am I just too far below anyone's care-factor to matter? Perhaps SR does not give official answers (how do you get an unofficial one then?)
Enlightenment would be greatly appreciated.
IB
-
Have you asked a question yet? If so how?
-
So what's the best method to get an official response from SR?
In most cases you ask a question here on the board and users, vendors, moderators, or admins answer them.
Do you need a thread rolling above a critical mass?
No, just post the question
Should I first hassle a forum Admin?
I would not do it before you ask the question on the forum.
Do you send messages on the SR site?
Sometimes, but not normally.
Do any SR techies (other than DPR) ever answer questions on the boards?
Yes, as do experienced users and vendors.
Am I just too far below anyone's care-factor to matter?
Don't know what the question is, so I can not say.
Perhaps SR does not give official answers (how do you get an unofficial one then?)
What is the deal with "Official Answers"? What do you want to know? Many are here to help and will answer any question you may have.
-
What is the deal with "Official Answers"? What do you want to know? Many are here to help and will answer any question you may have.
Journalist wanting 'official' statement from DPR maybe? :P
-
Thanks so much to everyone :) So I should just post it here? Now? Alright Here Goes!
Why has SR been storing over 9 months of transaction data/intel against every one of its buyers/vendors?
Apart from the transaction data, I know that every BTC transfer sent to any BTC address associated with any SR account was also stored. If the BTC was not purchased anonymously, then it could be used to associate a real person with an account and then with all the transactions made under that account.
I have no idea whether address data was stored.
This is not supposed to create a panic; I would just like to know what possible motivation SR would have for doing this. By holding on to such an unnecessarily large amount of transaction data they would seemingly be putting not only their buyers/sellers at much higher risk, but also themselves.
-
Thanks so much to everyone :) So I should just post it here? Now? Alright Here Goes!
Why has SR been storing over 9 months of transaction data/intel against every one of its buyers/vendors?
Apart from the transaction data, I know that every BTC transfer sent to any BTC address associated with any SR account was also stored. If the BTC was not purchased anonymously, then it could be used to associate a real person with an account and then with all the transactions made under that account.
I have no idea whether address data was stored.
This is not supposed to create a panic; I would just like to know what possible motivation SR would have for doing this. By holding on to such an unnecessarily large amount of transaction data they would seemingly be putting not only their buyers/sellers at much higher risk, but also themselves.
So how do you know this?
-
I'm curious where you got the 9 month part from? If it's that much of an issue, just make a new SR account every few transactions
-
How exactly do you know this?? If you don't say, you're officially talking shit... those are some heavy claims.
-
Up until the new site layout was up, you could simply go to Account > Feedback and it would show a chronological list of all of your purchases (including item, vendor, price etc.). For me it went back 9-10 months, because that is when I made my first purchase. That single list gives virtually the whole thing away (transactions are never getting deleted). A fairly standard multi-shopfront DB table layout would likely be in use. With SQL access you could get total customers for a vendor, total revenue by vendor, select all sales transactions from vendor Bob, etc.
-
Because that's how we make everyone accountable. We gotta all trust the SR admin if this is gonna work.
-
No, that is insane. You do not want one person in control of a huge amount of incriminating data.
-
Do you have his data?
-
My question is why would he have 9+ months' worth? There is no reason to keep it for more than, say, a week past finalization. It's a huge amount of data he's gathered and it adds so much unnecessary risk to buyers/vendors and seemingly himself.
-
Here is my original thread.
http://dkn255hz262ypmii.onion/index.php?topic=30774.15
-
So how long 'til my official answer? 8)
-
You may have seen this, but it's one example of the SR database being penetrated:
http://dkn255hz262ypmii.onion/index.php?topic=3295.msg28486#msg28486
I don't know enough about this one, or whether there is any chance LE found it much earlier.
-
6 posts in a row? calm the fuck down and learn how to click 'modify'
-
I posted this in the other thread also but id like more peoples opinions on my view...
Even if LE found "transactions" on your account, it's still very hard for them to bust you, because that isn't "proof beyond a reasonable doubt" that you did in fact receive drugs. Maybe you're just circulating coins with a vendor to leave positive feedback on their page... and in return they send you the BTC you gave them as cash in the mail, plus some profit added for the service. See what I'm getting at? If they don't have you in possession of the drugs, or intercept the drugs coming to you, then it makes it very difficult for them to make charges stick based on account stats alone. What kind of charges could they throw at you... not possession, maybe intent to purchase or some type of conspiracy to commit illegal activity... I dunno??
-
jh0000n: [Edit: Misread post. Retracting comment]
-
What are other peoples thoughts?
-
Shut the fuck up you paranoid idiot lol
-
So how do you get an answer out of SR?
Very carefully
-
jh0000n: Was really hoping for an official response or some others' opinions before going down that path. It's not my opinion at the moment, and my only agenda right now is to get my question answered:
Why 9 months+ of data?
No offence, but your forum etiquette is horrible so that's probably the first reason you're not getting responses from 'higher up.'
Can I ask, why the worry? Is there something you're doing that can link your real life identity to your SR account? If so I suggest you change that, and soon. SR's published policy is that everyone should mind their own business, so if you consider this to be 'your business' then I suggest you work out why that is and fix it, as it's obviously a security hole in your setup/procedure.
-
Your thread title caught my attention because I and my staff answer almost ALL incoming messages with very few exceptions. I don't read every word on the forum, so crying out for my attention here is not the best way to get it, even though it worked in this case. Since you have it, I would be happy to spell out our current data retention policy.
addresses are kept on record until your vendor has marked your item as shipped. I encourage everyone to encrypt their address to their vendor's public key just in case.
messages are kept for two months. again, sensitive data transmitted through our messaging system should be encrypted.
transaction records, including feedback, are kept for 4 months. I said 3 in another thread, but upon double checking, it is 4. We do this because the data contained in the transaction record, including the buyer, is used to weight the feedback for that transaction. After 4 months, the age weight has pretty much reduced the weight to zero anyway, so we no longer need the data. If you want further explanation about this, check out the wiki page and forum thread about the feedback weighting system.
the accounting log is kept for 3 months. Only 2 weeks are displayed so an adversary who gains access to your account won't be able to see all of that history.
withdrawal addresses are not kept, but everyone should realize that the time and amount of the withdrawal could narrow down which transaction it was in the blockchain quite a bit, especially if it was an uncommon amount.
deleted items are kept for 4 months. this is to preserve the integrity of the link to the transactions associated with the item.
user accounts with a zero balance and no activity for 5 months are deleted.
If you experienced something contradictory to this, please pm support on the main site and we will be happy to investigate the situation with you and root out any possible bugs.
These time parameters were arrived at through trial and error. They are as tight as we can make them without sacrificing the integrity of the market. Could they be a little tighter? Maybe by a week or two, but please think through the implications of policy changes before you call for them.
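One way to audit stored records against the retention windows DPR lays out above, as an added example that is not code from the original thread or from the site itself. The record layout, the 30-day month and the constructed sample records are assumptions; the windows themselves are the ones stated in the post.

```python
from datetime import date, timedelta

# Retention windows as stated in the post, in days. Converting months to
# 30-day blocks is an assumption; the post only gives months.
DAYS_PER_MONTH = 30
RETENTION_DAYS = {
    "message": 2 * DAYS_PER_MONTH,        # messages: two months
    "transaction": 4 * DAYS_PER_MONTH,    # transactions + feedback: 4 months
    "accounting_log": 3 * DAYS_PER_MONTH, # accounting log: 3 months
    "deleted_item": 4 * DAYS_PER_MONTH,   # deleted items: 4 months
}
ACCOUNT_IDLE_DAYS = 5 * DAYS_PER_MONTH    # zero-balance idle accounts: 5 months


def audit_retention(records, today):
    """Return the records the stated policy says should already be gone.

    Each record is a dict with 'id', 'kind' and 'created' (a date).
    'address' records carry 'shipped'; they are kept only until shipped.
    'account' records carry 'balance' and 'last_activity'.
    'withdrawal_address' records are never supposed to be kept at all.
    """
    overdue = []
    for rec in records:
        kind = rec["kind"]
        if kind == "address":
            if rec["shipped"]:
                overdue.append(rec)
        elif kind == "account":
            idle_days = (today - rec["last_activity"]).days
            if rec["balance"] == 0 and idle_days > ACCOUNT_IDLE_DAYS:
                overdue.append(rec)
        elif kind == "withdrawal_address":
            overdue.append(rec)
        elif kind in RETENTION_DAYS:
            if (today - rec["created"]).days > RETENTION_DAYS[kind]:
                overdue.append(rec)
        else:
            raise ValueError(f"unknown record kind: {kind}")
    return overdue


# Constructed sample data, dated to the thread (not real records). It includes
# the 8-month-old transaction the original poster reported seeing.
TODAY = date(2012, 7, 26)
SAMPLE_RECORDS = [
    {"id": "tx-old", "kind": "transaction",
     "created": TODAY - timedelta(days=8 * DAYS_PER_MONTH)},
    {"id": "tx-new", "kind": "transaction",
     "created": TODAY - timedelta(days=45)},
    {"id": "addr-shipped", "kind": "address",
     "created": TODAY - timedelta(days=3), "shipped": True},
    {"id": "addr-pending", "kind": "address",
     "created": TODAY - timedelta(days=1), "shipped": False},
    {"id": "msg-old", "kind": "message",
     "created": TODAY - timedelta(days=90)},
    {"id": "acct-idle", "kind": "account",
     "created": TODAY - timedelta(days=400), "balance": 0,
     "last_activity": TODAY - timedelta(days=180)},
    {"id": "acct-funded", "kind": "account",
     "created": TODAY - timedelta(days=400), "balance": 0.5,
     "last_activity": TODAY - timedelta(days=180)},
    {"id": "wd-addr", "kind": "withdrawal_address",
     "created": TODAY - timedelta(days=1)},
]


def overdue_ids(records=SAMPLE_RECORDS, today=TODAY):
    """Sorted ids of records that violate the stated policy."""
    return sorted(r["id"] for r in audit_retention(records, today))


if __name__ == "__main__":
    for rec_id in overdue_ids():
        print("retained past policy:", rec_id)
```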
-
Wow you should consider yourself lucky as fuck. I've never seen DPR reply to a thread like this ???
4 months is MUCH better than the 9 you suggested though.
-
I think Kryptoz's avatar above accurately details my face when I saw this thread and the response from DPR. There you have it, thanks DPR.
-
And God said, Let there be light: and there was light
-
Click on support on SR and ask.
BB
-
I think Kryptoz's avatar above accurately details my face when I saw this thread and the response from DPR. There you have it, thanks DPR.
LOL that was my face when I first saw this site ^-^
-
jh0000n: Was really hoping for an official response or some others' opinions before going down that path. It's not my opinion at the moment, and my only agenda right now is to get my question answered:
Why 9 months+ of data?
No offence, but your forum etiquette is horrible so that's probably the first reason you're not getting responses from 'higher up.'
Can I ask, why the worry? Is there something you're doing that can link your real life identity to your SR account? If so I suggest you change that, and soon. SR's published policy is that everyone should mind their own business, so if you consider this to be 'your business' then I suggest you work out why that is and fix it, as it's obviously a security hole in your setup/procedure.
Sorry man, my social skills irl are pretty terrible too and I often don't notice when I've given offense.
If you see my original thread you can see that many people were reporting 8+ months of purchase data. For a site like this that points towards either gross incompetence or LE intelligence gathering.
-
Thanks mate, very much appreciated.
-
Wow you should consider yourself lucky as fuck. I've never seen DPR reply to a thread like this ???
4 months is MUCH better than the 9 you suggested though.
Thanks I do feel lucky but will try to get my responses with more decorum from now on.
I wasn't actually suggesting 9 months, that's how long my purchases were showing in my account.
-
Wow you should consider yourself lucky as fuck. I've never seen DPR reply to a thread like this ???
4 months is MUCH better than the 9 you suggested though.
Thanks I do feel lucky but will try to get my responses with more decorum from now on.
I wasn't actually suggesting 9 months, that's how long my purchases were showing in my account.
Most of the time, SR support on the site is actually pretty quick to respond (max 2 days in my experiences), but you have to think of how many questions and messages he gets EVERY day, it is a world wide market after all :)
Ahh my apologies, I've never noticed, as I just move on to a new account after a few purchases to avoid the problem completely :)
-
Hey DPR, in OP's defense the documentation on this site is lacking; if you had posted all this information on the wiki, people wouldn't be putting threads like this up.
-
That's why you anonymize your bitcoins before sending them to SR and PGP encrypt at least your address data when communicating with a vendor.
It doesn't matter what DPR says. If the servers are compromised, the FBI can change everything.
Interesting to know though!
-
Your thread title caught my attention because I and my staff answer almost ALL incoming messages with very few exceptions. I don't read every word on the forum, so crying out for my attention here is not the best way to get it, even though it worked in this case. Since you have it, I would be happy to spell out our current data retention policy.
addresses are kept on record until your vendor has marked your item as shipped. I encourage everyone to encrypt their address to their vendor's public key just in case.
messages are kept for two months. again, sensitive data transmitted through our messaging system should be encrypted.
transaction records, including feedback, are kept for 4 months. I said 3 in another thread, but upon double checking, it is 4. We do this because the data contained in the transaction record, including the buyer, is used to weight the feedback for that transaction. After 4 months, the age weight has pretty much reduced the weight to zero anyway, so we no longer need the data. If you want further explanation about this, check out the wiki page and forum thread about the feedback weighting system.
the accounting log is kept for 3 months. Only 2 weeks are displayed so an adversary who gains access to your account won't be able to see all of that history.
withdrawal addresses are not kept, but everyone should realize that the time and amount of the withdrawal could narrow down which transaction it was in the blockchain quite a bit, especially if it was an uncommon amount.
deleted items are kept for 4 months. this is to preserve the integrity of the link to the transactions associated with the item.
user accounts with a zero balance and no activity for 5 months are deleted.
If you experienced something contradictory to this, please pm support on the main site and we will be happy to investigate the situation with you and root out any possible bugs.
These time parameters were arrived at through trial and error. They are as tight as we can make them without sacrificing the integrity of the market. Could they be a little tighter? Maybe by a week or two, but please think through the implications of policy changes before you call for them.
DPR: This still does not account for why I and many others could previously see our entire purchase history (mine was 8 months plus). This was clearly not in line with your above data retention policy. This anomaly has not been explained nor acknowledged, but there was a near immediate modification that stopped users from seeing more than a 3 month history.
This case indicated a clear mismatch between what SR said they were storing and what they were actually storing. I'm not claiming this should be considered majorly important but I would like it to be taken on board with the weight people think it deserves. I would also like to encourage others to openly post anything they notice that may appear strange or inconsistent.
-
DPR: This still does not account for why I and many others could previously see our entire purchase history (mine was 8 months plus). This was clearly not in line with your above data retention policy. This anomaly has not been explained nor acknowledged, but there was a near immediate modification that stopped users from seeing more than a 3 month history.
This case indicated a clear mismatch between what SR said they were storing and what they were actually storing. I'm not claiming this should be considered majorly important but I would like it to be taken on board with the weight people think it deserves. I would also like to encourage others to openly post anything they notice that may appear strange or inconsistent.
as I said:
"If you experienced something contradictory to this, please pm support on the main site and we will be happy to investigate the situation with you and root out any possible bugs."
-
DPR: This still does not account for why I and many others could previously see our entire purchase history (mine was 8 months plus). This was clearly not in line with your above data retention policy. This anomaly has not been explained nor acknowledged, but there was a near immediate modification that stopped users from seeing more than a 3 month history.
This case indicated a clear mismatch between what SR said they were storing and what they were actually storing. I'm not claiming this should be considered majorly important but I would like it to be taken on board with the weight people think it deserves. I would also like to encourage others to openly post anything they notice that may appear strange or inconsistent.
as I said:
"If you experienced something contradictory to this, please pm support on the main site and we will be happy to investigate the situation with you and root out any possible bugs."
Just thought I'd say a quick hello from the UK DPR, what you have achieved here is truly remarkable!
V.
-
DPR: This still does not account for why I and many others could previously see our entire purchase history (mine was 8 months plus). This was clearly not in line with your above data retention policy. This anomaly has not been explained nor acknowledged, but there was a near immediate modification that stopped users from seeing more than a 3 month history.
This case indicated a clear mismatch between what SR said they were storing and what they were actually storing. I'm not claiming this should be considered majorly important but I would like it to be taken on board with the weight people think it deserves. I would also like to encourage others to openly post anything they notice that may appear strange or inconsistent.
as I said:
"If you experienced something contradictory to this, please pm support on the main site and we will be happy to investigate the situation with you and root out any possible bugs."
Will do. With your permission I'd like to post the resulting support conversation here.
Please do not think I am being deliberately malicious; I'm simply looking for an answer. My feelings towards you and this site are very much reflected in vlad1m1r's post above.
-
Posted to SR Support through the main SR site:
"Dear SR Support,
I am sending this on the advice of DPR in the hope that someone can determine why my data was/is being stored longer than the SR Data Retention Policy indicates it should be.
Prior to the very recent visual changes, it was evident that my purchase history was being stored for 8+ months. By going to 'Account' => 'View feedback', all purchases were visible going right back 8 or more months. I believe it included my first purchase. Although this was a 'feedback' page, it strongly indicated that the full purchase/transaction record was being stored. DPR (in his Data Retention Policy) later confirmed this.
Various people on the forums also indicated that they too were experiencing this issue. You can see this in my original thread:
http://dkn255hz262ypmii.onion/index.php?topic=30774.15
DPR was nice enough to post SR's data retention policy, and this clearly showed that my own, as well as others', data was being stored much longer than it should have been. The Data Retention Policy can be seen here:
http://dkn255hz262ypmii.onion/index.php?topic=32573.msg370788#msg370788
In the interest of maximizing the security of the entire SR community, I would very much appreciate it if you could investigate the above. If any issues are identified, it would be great if you could provide a brief overview of what went wrong and, in case the issue is ongoing, any time-frames for a resolution.
Best Regards,
[REDACTED]"
-
Moderators please add this info to the wiki pending whatever the hell OP is seeing.
-
Moderators please add this info to the wiki pending whatever the hell OP is seeing.
Thanks for your support masterblaster. Please feel free to post anything you're unclear about and I'll do my best to help.
I would like to clarify though that this isn't something only I have seen. Please see my original thread ( http://dkn255hz262ypmii.onion/index.php?topic=30774.0 ) where various people confirm they were also able to see purchase histories going back a similar length. Also despite much debate nobody contradicts this or claims their purchase histories were any different.
Later in the thread DPR states that only 3 months of history is currently stored and asks if that number should be amended. This is a strange post, as it contradicts what many people have already stated:
http://dkn255hz262ypmii.onion/index.php?topic=30774.msg355479#msg355479
Soon after this the feedback page was modified so that users could only see 3 months of feedback/purchase history.
So far SR has not acknowledged that there was ever an issue. They have not said why, for at least some and possibly all users, purchase history was being stored for much longer than necessary (possibly indefinitely). They have also not said whether this is still happening.
The question is why would a site as sensitive as SR want to keep potentially highly incriminating data (to vendors/buyers and SR) for any longer than absolutely necessary?
There is also a separate but related issue involving old btc addresses remaining associated with accounts but I'll leave that one for now.
-
Posted to SR Support through the main SR site:
"Dear SR Support,
I am sending this on the advice of DPR in the hope that someone can determine why my data was/is being stored longer than the SR Data Retention Policy indicates it should be.
Prior to the very recent visual changes, it was evident that my purchase history was being stored for 8+ months. By going to 'Account' => 'View feedback', all purchases were visible going right back 8 or more months. I believe it included my first purchase. Although this was a 'feedback' page, it strongly indicated that the full purchase/transaction record was being stored. DPR (in his Data Retention Policy) later confirmed this.
Various people on the forums also indicated that they too were experiencing this issue. You can see this in my original thread:
http://dkn255hz262ypmii.onion/index.php?topic=30774.15
DPR was nice enough to post SR's data retention policy, and this clearly showed that my own, as well as others', data was being stored much longer than it should have been. The Data Retention Policy can be seen here:
http://dkn255hz262ypmii.onion/index.php?topic=32573.msg370788#msg370788
In the interest of maximizing the security of the entire SR community, I would very much appreciate it if you could investigate the above. If any issues are identified, it would be great if you could provide a brief overview of what went wrong and, in case the issue is ongoing, any time-frames for a resolution.
Best Regards,
[REDACTED]"
If you experienced something contradictory to this, please pm support on the main site and we will be happy to investigate the situation with you and root out any possible bugs.
Day 1 Update: No response from SR Support (I have been told it can take a while, but I will provide daily updates).
-
Put up some censored pics of what you're seeing so we can believe you.
-
Anybody on SR who had an account with a purchase history > 3 months would be able to back this up. This really is not just some claim I'm making. The recent site update changed the feedback section so you can now only see 3 months of history. This change was made during my previous thread. The issue was visible for months, if not from the beginning. However, it's only just recently that enough people realized the potentially incriminating implications of this data being there.
Posts from others in my original thread that refer to their extended purchase history:
http://dkn255hz262ypmii.onion/index.php?topic=30774.msg344919#msg344919
http://dkn255hz262ypmii.onion/index.php?topic=30774.msg344987#msg344987
http://dkn255hz262ypmii.onion/index.php?topic=30774.msg345156#msg345156
http://dkn255hz262ypmii.onion/index.php?topic=30774.msg355217#msg355217
http://dkn255hz262ypmii.onion/index.php?topic=30774.msg355479#msg355479 DPR's out-of-context post
http://dkn255hz262ypmii.onion/index.php?topic=30774.msg360372#msg360372
http://dkn255hz262ypmii.onion/index.php?topic=30774.msg360874#msg360874
http://dkn255hz262ypmii.onion/index.php?topic=30774.msg365295#msg365295 First post indicating SR's changes
-
I've read the thread you linked to and I'm not entirely clear on what the problem is. Ok, so SR retains a complete history of our purchases:
1. Unless you bought BTC using a method that left a paper trail, then there's no way to link that wallet address to you.
2. Even if you did leave a paper trail, there's no way to associate a wallet address with SR unless the SR database gets compromised.
3. Even if the SR database gets compromised, there's no way to legally assert that you bought drugs unless you sent your address in plaintext, or the seller was a cop.
4. Even if all these things happened, they still would have to prove that you received the drugs.
5. If all that shit happens, then you screwed up and are fucked.
Yes, I understand that since they store old addresses linked to your account it only takes one paper trail to link you to the account, if the site gets compromised. The thing is, how are we supposed to know what data SR is storing? They can say whatever they want, or configure the site to make it appear as if they're storing less than they are; you have no way of knowing. Assume they work like Google and save everything in triplicate.
The thing is not to give them any data. Buy coins with cash, or buy with a card and send it through the fog before going into SR. Encrypt your address. Deal with the fact that it's much more likely the cops will hunt you down after having found drugs in your mail than that they will hunt SR down and veritably demonstrate that Tor can be broken (something the higher-ups like the NSA would rather not do). It seems like SR is a huge target, but there have been CP sites on Tor hidden services for as long as Tor has been around and no LEO has ever taken one down (though hackers have DDoS'd them to death).
If you're worried about the low-hanging fruit making these mistakes, then petition to have the wiki amended with an emphasis on this info. Demanding DPR do something you can't audit in the first place isn't going to solve anything.
-
Nice Answer!
They can say whatever they want, or configure the site to make it appear as if they're storing less than they are; you have no way of knowing. Assume they work like Google and save everything in triplicate.
It's just that we did all get a glimpse of what SR is storing, and it does look a lot more like Google and not what SR was claiming. This is a strong indicator that they are actually LE.
-
Nice Answer!
They can say whatever they want, or configure the site to make it appear as if they're storing less than they are; you have no way of knowing. Assume they work like Google and save everything in triplicate.
It's just that we did all get a glimpse of what SR is storing, and it does look a lot more like Google and not what SR was claiming. This is a strong indicator that they are actually LE.
If SR was LE then they would have taken down all the vendors long ago.