Author Topic: any captcha is valid?

sacha16

  • Full Member
  • Posts: 151
  • Karma: +8/-50
any captcha is valid?
« on: November 09, 2013, 05:59:49 am »
What is that?

Just tried to connect with random letters and still got in..

lithonius

  • Sr. Member
  • Posts: 393
  • Karma: +53/-26
Re: any captcha is valid?
« Reply #1 on: November 09, 2013, 06:03:40 am »
Same result for me... random letters in the captcha that don't match let me in. I'm using 2-factor authentication as well.
Relax John, things are gonna get mighty busy around here soon and we will need all the help we can get. I will also not be locking/deleting anything, everyone is free to say whatever they like whether I like it or not. - Synergy

sacha16

  • Full Member
  • Posts: 151
  • Karma: +8/-50
Re: any captcha is valid?
« Reply #2 on: November 09, 2013, 06:10:22 am »
> Same here guys.. what made you think to try it in the first place if you don't mind me asking?

Because I am exploring the site in depth and I'm not feeling it just yet.

DoctorClu

  • Newbie
  • Posts: 0
  • Karma: +742/-277
Re: any captcha is valid?
« Reply #3 on: November 09, 2013, 06:35:40 am »
I'm seeing the same behavior. I will make a post in bug reports if there isn't one already.
I am no longer a member of staff. Please do not PM me regarding forum or market matters.

Artist

  • Vendor
  • Full Member
  • Posts: 215
  • Karma: +18/-22
Re: any captcha is valid?
« Reply #4 on: November 09, 2013, 06:51:58 am »
I assume you guys are all talking about the marketplace login CAPTCHA correct? I just want to clarify for myself and anyone else that may be wondering.

Moving on, this poses a major security threat if there are no other rate-limiting protections in place. For example, only allowing three login attempts per account per 15 minutes (per IP?).

Additionally, can anyone verify the CAPTCHA system ever worked to begin with? I.e., has anyone ever gotten an error stating that they submitted an invalid CAPTCHA? I'm wondering if this is just a temporary bug or embarrassingly poor coding to the nth degree by development.

Artist

The Rebellion

  • Full Member
  • Posts: 125
  • Karma: +8/-12
Re: any captcha is valid?
« Reply #5 on: November 09, 2013, 06:56:22 am »
WTF, so all of our accounts can easily be brute forced right now. Every vendor could easily be robbed.
To support the rebelution we will put approx. 30% of proceeds towards new exit nodes and relays to make the tor network a safer place.

We have weed, and lottos, more will be coming soon.
check out our vendor account: http://silkroad6ownowfk.onion/users/the-rebellion

Artist

  • Vendor
  • Full Member
  • Posts: 215
  • Karma: +18/-22
Re: any captcha is valid?
« Reply #6 on: November 09, 2013, 06:59:03 am »
> WTF, so all of our accounts can easily be brute forced right now. Every vendor could easily be robbed.

This would only be possible if there are not any other rate limiting factors that protect the login system. Let's hope that's not the case :)

I've just written a script that could easily test for other rate limits (invalid logins per IP, invalid logins per account, etc.), though I'm not sure if that would be taken kindly by the administration.

I PM'd the relevant threads regarding this issue to DPR.

Artist

EDIT: script finished, added short blurb about it
« Last Edit: November 09, 2013, 07:06:09 am by Artist »

DoctorClu

  • Newbie
  • Posts: 0
  • Karma: +742/-277
Re: any captcha is valid?
« Reply #7 on: November 09, 2013, 07:01:08 am »
Considering there is no money in the road right now, there is nothing to rob except your identity as a vendor. I've posted this in the bug reports so hopefully it gets addressed sooner rather than later. Afterwards, it is probably advisable to change your password if you are concerned.

ManInTheMirror

  • Sr. Member
  • Posts: 270
  • Karma: +49/-11
  • No FE, 4096 bit PGP, Tumble BTC
Re: any captcha is valid?
« Reply #8 on: November 09, 2013, 07:02:59 am »
> WTF, so all of our accounts can easily be brute forced right now. Every vendor could easily be robbed.
>
> This would only be possible if there are not any other rate limiting factors that protect the login system. Let's hope that's not the case :)
>
> I PM'd the relevant threads regarding this issue to DPR.
>
> Artist

And it would only be possible if you didn't activate PGP verification.
And it would only be possible if there were any BTC on the accounts, which there are not until now.
And "easily" bruteforced is another point to argue about ;)
« Last Edit: November 09, 2013, 07:05:46 am by ManInTheMirror »
Remember Remember, the 6th of November.
Cocaine-Powder, MDMA and Pot.
I see no reason why Silk Road,
should ever be forgot.

Artist

  • Vendor
  • Full Member
  • Posts: 215
  • Karma: +18/-22
Re: any captcha is valid?
« Reply #9 on: November 09, 2013, 07:11:52 am »
> WTF, so all of our accounts can easily be brute forced right now. Every vendor could easily be robbed.
>
> This would only be possible if there are not any other rate limiting factors that protect the login system. Let's hope that's not the case :)
>
> I PM'd the relevant threads regarding this issue to DPR.
>
> Artist
>
> And it would only be possible if you didn't activate PGP verification.
> And it would only be possible if there were any BTC on the accounts, which there are not until now.
> And "easily" bruteforced is another point to argue about ;)

There have already been numerous noted problems with the PGP verification. Additionally, I would not put too much faith in it after seeing this issue concerning the CAPTCHAs.

I did not say anything about your second point, that was the user I quoted. However, whether or not there are coins in the account has nothing to do with the possibility of accounts being brute forced. If you are talking about them being robbed in that instance, cracked passwords could be stored until market operations commence etc.

Your third point looks like it is attempting to say something clever but it is not really saying anything at all. Assuming the PGP verification works and there are no other rate limiting factors, it would be child's play ("easy") to write a script to bruteforce the login. Whether or not it would be worthwhile or easy due to password complexity of the users here is another story.

Artist

EDIT: Spelling, spacing, signature.
« Last Edit: November 09, 2013, 07:13:14 am by Artist »

DoctorClu

  • Newbie
  • Posts: 0
  • Karma: +742/-277
Re: any captcha is valid?
« Reply #10 on: November 09, 2013, 07:18:35 am »
> WTF, so all of our accounts can easily be brute forced right now. Every vendor could easily be robbed.
>
> This would only be possible if there are not any other rate limiting factors that protect the login system. Let's hope that's not the case :)
>
> I PM'd the relevant threads regarding this issue to DPR.
>
> Artist
>
> And it would only be possible if you didn't activate PGP verification.
> And it would only be possible if there were any BTC on the accounts, which there are not until now.
> And "easily" bruteforced is another point to argue about ;)
>
> There have already been numerous noted problems with the PGP verification. Additionally, I would not put too much faith in it after seeing this issue concerning the CAPTCHAs.
>
> I did not say anything about your second point, that was the user I quoted. However, whether or not there are coins in the account has nothing to do with the possibility of accounts being brute forced. If you are talking about them being robbed in that instance, cracked passwords could be stored until market operations commence etc.
>
> Your third point looks like it is attempting to say something clever but it is not really saying anything at all. Assuming the PGP verification works and there are no other rate limiting factors, it would be child's play ("easy") to write a script to bruteforce the login. Whether or not it would be worthwhile or easy due to password complexity of the users here is another story.
>
> Artist
>
> EDIT: Spelling, spacing, signature.

Unless there is not a pretty standard anti-brute-forcing measure in place where the login is disabled for X amount of time after X amount of failures, that third point is completely valid. I haven't tested it myself.

Artist

  • Vendor
  • Full Member
  • Posts: 215
  • Karma: +18/-22
Re: any captcha is valid?
« Reply #11 on: November 09, 2013, 07:20:29 am »
DoctorClu,

That is precisely what I meant when I said "other rate limiting factors" in my post that you quoted. You can see I basically said the exact same thing as you in my post previous to the one you quoted. I'm glad we are on the same page with our thoughts :)

Artist

ManInTheMirror

  • Sr. Member
  • Posts: 270
  • Karma: +49/-11
  • No FE, 4096 bit PGP, Tumble BTC
Re: any captcha is valid?
« Reply #12 on: November 09, 2013, 07:23:48 am »
I just wanted to say that there is no reason to panic.
The PGP verification seems to work as it is meant to; the problems had been with the activation of this feature.
There are many things which determine how easily you can bruteforce the password, that is why I said it is a point to argue about.

I doubt the market will be ready today and I see this stage more as a beta. So calm down, it is good if bugs are found now and I bet everyone will be advised to change his password before anything could be compromised.

giancarlo

  • Hero Member
  • Posts: 1273
  • Karma: +219/-82
Re: any captcha is valid?
« Reply #13 on: November 09, 2013, 07:29:55 am »
Correct, the CAPTCHA at login is seriously flawed. And the whole two-point verification, yeah I still don't get it.. there is nothing "invalid" about my PGP key but the site refuses to cooperate. With just these two major security bugs still left unaddressed, I suppose I'm glad that the launch schedule is not being followed..

Definitely a long way from unlocking all the features and letting things fly...

I'm sure they are doing their best but something as basic as the login not working properly is for sure reason for reasonable concern. That being said, I'm sure it will be figured out in due time.
Let me give you some legal advice: Shut the fuck up!

DoctorClu

  • Newbie
  • Posts: 0
  • Karma: +742/-277
Re: any captcha is valid?
« Reply #14 on: November 09, 2013, 07:31:25 am »
> DoctorClu,
>
> That is precisely what I meant when I said "other rate limiting factors" in my post that you quoted. You can see I basically said the exact same thing as you in my post previous to the one you quoted. I'm glad we are on the same page with our thoughts :)
>
> Artist

Sorry mate, I missed your previous post.

Artist

  • Vendor
  • Full Member
  • Posts: 215
  • Karma: +18/-22
Re: any captcha is valid?
« Reply #15 on: November 09, 2013, 07:40:33 am »
> I just wanted to say that there is no reason to panic.
> The PGP verification seems to work as it is meant to; the problems had been with the activation of this feature.
> There are many things which determine how easily you can bruteforce the password, that is why I said it is a point to argue about.
>
> I doubt the market will be ready today and I see this stage more as a beta. So calm down, it is good if bugs are found now and I bet everyone will be advised to change his password before anything could be compromised.

I certainly agree that this is no reason to panic, though I do think it is a great reason to be cautious and more importantly CONCERNED.

The administration made a huge point of stating their belief that it is the user's responsibility to maintain their own personal security. I strongly disagree with this sentiment, though I still accept it. However, I start to question this acceptance when it seems like there are issues left and right with the seemingly arbitrary security features they DO decide to provide. They give users the option to essentially fuck themselves over on important security that could land them in jail, but offer up or force security features through the website that are not nearly as vital.

Just some semi-relevant food for thought on the topic of security as it relates to the topic at hand.

Artist

Artist

  • Vendor
  • Full Member
  • Posts: 215
  • Karma: +18/-22
Re: any captcha is valid?
« Reply #16 on: November 09, 2013, 07:42:57 am »
> DoctorClu,
>
> That is precisely what I meant when I said "other rate limiting factors" in my post that you quoted. You can see I basically said the exact same thing as you in my post previous to the one you quoted. I'm glad we are on the same page with our thoughts :)
>
> Artist
>
> Sorry mate, I missed your previous post.

'S all good! Just like seeing that we're on the same page even so! :) +1

Artist

DoctorClu

  • Newbie
  • Posts: 0
  • Karma: +742/-277
Re: any captcha is valid?
« Reply #17 on: November 09, 2013, 07:46:03 am »
> DoctorClu,
>
> That is precisely what I meant when I said "other rate limiting factors" in my post that you quoted. You can see I basically said the exact same thing as you in my post previous to the one you quoted. I'm glad we are on the same page with our thoughts :)
>
> Artist
>
> Sorry mate, I missed your previous post.
>
> 'S all good! Just like seeing that we're on the same page even so! :) +1
>
> Artist

Back at ya ;)
« Last Edit: November 09, 2013, 07:46:52 am by DoctorClu »

ManInTheMirror

  • Sr. Member
  • Posts: 270
  • Karma: +49/-11
  • No FE, 4096 bit PGP, Tumble BTC
Re: any captcha is valid?
« Reply #18 on: November 09, 2013, 07:47:20 am »
> I just wanted to say that there is no reason to panic.
> The PGP verification seems to work as it is meant to; the problems had been with the activation of this feature.
> There are many things which determine how easily you can bruteforce the password, that is why I said it is a point to argue about.
>
> I doubt the market will be ready today and I see this stage more as a beta. So calm down, it is good if bugs are found now and I bet everyone will be advised to change his password before anything could be compromised.
>
> I certainly agree that this is no reason to panic, though I do think it is a great reason to be cautious and more importantly CONCERNED.
>
> The administration made a huge point of stating their belief that it is the user's responsibility to maintain their own personal security. I strongly disagree with this sentiment, though I still accept it. However, I start to question this acceptance when it seems like there are issues left and right with the seemingly arbitrary security features they DO decide to provide. They give users the option to essentially fuck themselves over on important security that could land them in jail, but offer up or force security features through the website that are not nearly as vital.
>
> Just some semi-relevant food for thought on the topic of security as it relates to the topic at hand.
>
> Artist

I agree with you and I think you should test your script. There is no difference if you are doing this now with good intent or someone will run it to harm the market. Maybe you shouldn't test it on your own account as we don't know what will happen to an account with numerous false logins. :)
« Last Edit: November 09, 2013, 07:48:22 am by ManInTheMirror »

Artist

  • Vendor
  • Full Member
  • Posts: 215
  • Karma: +18/-22
Re: any captcha is valid?
« Reply #19 on: November 09, 2013, 08:03:58 am »
> I just wanted to say that there is no reason to panic.
> The PGP verification seems to work as it is meant to; the problems had been with the activation of this feature.
> There are many things which determine how easily you can bruteforce the password, that is why I said it is a point to argue about.
>
> I doubt the market will be ready today and I see this stage more as a beta. So calm down, it is good if bugs are found now and I bet everyone will be advised to change his password before anything could be compromised.
>
> I certainly agree that this is no reason to panic, though I do think it is a great reason to be cautious and more importantly CONCERNED.
>
> The administration made a huge point of stating their belief that it is the user's responsibility to maintain their own personal security. I strongly disagree with this sentiment, though I still accept it. However, I start to question this acceptance when it seems like there are issues left and right with the seemingly arbitrary security features they DO decide to provide. They give users the option to essentially fuck themselves over on important security that could land them in jail, but offer up or force security features through the website that are not nearly as vital.
>
> Just some semi-relevant food for thought on the topic of security as it relates to the topic at hand.
>
> Artist
>
> I agree with you and I think you should test your script. There is no difference if you are doing this now with good intent or someone will run it to harm the market. Maybe you shouldn't test it on your own account as we don't know what will happen to an account with numerous false logins. :)

I don't think there is much to gain out of testing it besides a potential ban. Even if I did test it, I would not ethically be comfortable posting the results. If the results were bad news I wouldn't want to inspire "evil opportunists". Anyone that is curious should do so without posting beforehand like I have. I just wanted to make it known that it is possible and remarkably easy to write a script that will test and see if there are any rate limiting factors and bruteforce if there are none.

For reference, I ironically opted to write the script in my language of choice: JavaScript

Artist

ChemCat

  • Global Moderator
  • Hero Member
  • Posts: 9236
  • Karma: +950/-191
  • I Stand Tall, Among the Giants of the Silk Road
Re: any captcha is valid?
« Reply #20 on: November 09, 2013, 08:11:51 am »
most places with the CAPTCHA...where ya see it all in caps....usually..for the most part....you can type them all in lowercase...


Nothing to freak out about..... 
You Don't know PGP?         :o

Go here: http://silkroad5v7dywlc.onion/index.php?topic=41104.0

Then go Here: http://silkroad5v7dywlc.onion/index.php?topic=179.0

Sink your teeth into it and Learn  ;)

If you cannot take the little bit of Time to Learn & Use PGP..Do Not msg Me
 

Hugs 8)

DoctorClu

  • Newbie
  • Posts: 0
  • Karma: +742/-277
Re: any captcha is valid?
« Reply #21 on: November 09, 2013, 08:14:01 am »
> I just wanted to say that there is no reason to panic.
> The PGP verification seems to work as it is meant to; the problems had been with the activation of this feature.
> There are many things which determine how easily you can bruteforce the password, that is why I said it is a point to argue about.
>
> I doubt the market will be ready today and I see this stage more as a beta. So calm down, it is good if bugs are found now and I bet everyone will be advised to change his password before anything could be compromised.
>
> I certainly agree that this is no reason to panic, though I do think it is a great reason to be cautious and more importantly CONCERNED.
>
> The administration made a huge point of stating their belief that it is the user's responsibility to maintain their own personal security. I strongly disagree with this sentiment, though I still accept it. However, I start to question this acceptance when it seems like there are issues left and right with the seemingly arbitrary security features they DO decide to provide. They give users the option to essentially fuck themselves over on important security that could land them in jail, but offer up or force security features through the website that are not nearly as vital.
>
> Just some semi-relevant food for thought on the topic of security as it relates to the topic at hand.
>
> Artist
>
> I agree with you and I think you should test your script. There is no difference if you are doing this now with good intent or someone will run it to harm the market. Maybe you shouldn't test it on your own account as we don't know what will happen to an account with numerous false logins. :)
>
> I don't think there is much to gain out of testing it besides a potential ban. Even if I did test it, I would not ethically be comfortable posting the results. If the results were bad news I wouldn't want to inspire "evil opportunists". Anyone that is curious should do so without posting beforehand like I have. I just wanted to make it known that it is possible and remarkably easy to write a script that will test and see if there are any rate limiting factors and bruteforce if there are none.
>
> For reference, I ironically opted to write the script in my language of choice: JavaScript
>
> Artist

Just message the mods to let them know you are doing it and enable JavaScript while it is underway. If you can do it to test security, LE can do it to break it...

ManInTheMirror

  • Sr. Member
  • Posts: 270
  • Karma: +49/-11
  • No FE, 4096 bit PGP, Tumble BTC
Re: any captcha is valid?
« Reply #22 on: November 09, 2013, 08:18:32 am »
> most places with the CAPTCHA...where ya see it all in caps....usually..for the most part....you can type them all in lowercase...
>
> Nothing to freak out about.....

No, you can type whatever you want.

Artist

  • Vendor
  • Full Member
  • Posts: 215
  • Karma: +18/-22
Re: any captcha is valid?
« Reply #23 on: November 09, 2013, 08:20:36 am »
Do you not see the pointlessness in messaging the moderators/admins? They already know if it is securely rate limited or not. If it was not rate limited and I asked them, they would definitely fix it before replying to me giving me a go-ahead.

Or is there something I'm missing here, or misunderstanding you maybe?

Artist

giancarlo

  • Hero Member
  • Posts: 1273
  • Karma: +219/-82
Re: any captcha is valid?
« Reply #24 on: November 09, 2013, 08:21:38 am »
You can type anything in the CAPTCHA window (just type one letter if you want) and it is accepted.

Also, it was confirmed yesterday that you can fail the credential check unlimited times. There is no lock out. They really need to address this stuff.

DoctorClu

  • Newbie
  • Posts: 0
  • Karma: +742/-277
Re: any captcha is valid?
« Reply #25 on: November 09, 2013, 08:23:39 am »
The mods may or may not have the ability to fix it. I would imagine DPR would need to take care of it. In the meantime, there is no harm in letting the mods know so you don't get banned, running your script and attempting to brute force your own account. It is simple vuln testing.

Artist

  • Vendor
  • Full Member
  • Posts: 215
  • Karma: +18/-22
Re: any captcha is valid?
« Reply #26 on: November 09, 2013, 08:43:52 am »
> You can type anything in the CAPTCHA window (just type one letter if you want) and it is accepted.
>
> Also, it was confirmed yesterday that you can fail the credential check unlimited times. There is no lock out. They really need to address this stuff.

I'm going to reiterate this again:

The administration have taken a stance stating that they believe the user should be responsible for his or her own security. If that is the case, why does the site offer any personal security features/requirements to the user at all? Then on the other hand, they refuse to offer others that are arguably significantly more important.

Here are some examples:
The marketplace DOES REQUIRE users to have a sufficiently long withdrawal PIN/passcode. Seems obvious to have a long one regardless of the requirement, right? But it makes sense to require it because doing so is looking for the best interests of your users. It is just the right thing to do if you care about the security of your users' MONEY.

The marketplace DOES NOT REQUIRE users to utilize PGP for sending their addresses/personal information to a vendor during the order process. However, like before it makes sense that users should do this regardless of a requirement. It would certainly be in the best interest of your users to require it. Why? Because unlike where if your PIN gets compromised, you won't just lose money in this situation. If the website gets compromised by LE just as it did last time it will be their LIBERTY that users will be at risk of losing.

So why is the excuse of "it is the user's responsibility to manage their personal security" being used as a scapegoat as to why PGP encryption won't be implemented as an order requirement? I have personally demonstrated to administrators that this is technically feasible without using JavaScript.

There is no excuse.

Artist

ModernLove

  • Vendor
  • Sr. Member
  • Posts: 458
  • Karma: +96/-10
  • Come for the revolution. Stay for the drama!
Re: any captcha is valid?
« Reply #27 on: November 09, 2013, 11:45:43 am »
> WTF, so all of our accounts can easily be brute forced right now. Every vendor could easily be robbed.

Unless I'm completely misunderstanding what this thread is about (which is always a possibility), I don't see how we could all be easily robbed because the captcha thing doesn't work. You have a strong password, right? So unless someone can bruteforce your password, he's not getting into your account. And if he has your password, it doesn't matter if the captcha works correctly or not. Right?

Of course the captcha should be fixed, but I'm not seeing how it places our accounts in danger of being robbed.
SR Vendor Page: http://silkroad6ownowfk.onion/users/modernlove

Also vending with the same username on Agora.

AliceInWonderland

  • Full Member
  • Posts: 216
  • Karma: +54/-12
Re: any captcha is valid?
« Reply #28 on: November 09, 2013, 12:35:43 pm »
Some of you are talking about a feature that locks the account if there are numerous failed login attempts.

I think this is a very bad idea, simply because that would allow for the possibility of deliberately locking vendors out of their accounts simply from knowing their usernames.

I do agree that something should be done, but this is not it.
Remember to look in the knowledgebase before asking questions:
http://silkroad5v7dywlc.onion/index.php?action=kb

The Ten Commandments - http://silkroad5v7dywlc.onion/index.php?topic=15762.0

Why you should never talk to the police:
https://www.youtube.com/watch?v=6wXkI4t7nuc
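A failed-login throttle along the lines discussed above, as an added example that is not code from the thread or the marketplace: it uses the "three attempts per 15 minutes" figure per client and an exponential, capped per-account backoff instead of a hard lock, so the lockout concern in the post above does not arise. The client id (IP, Tor circuit or session) and the fake clock are assumptions of the example.

```python
"""Failed-login throttle: bounds guessing per account and per client without a
hard account lock, so knowing a vendor's username alone cannot lock that
vendor out. Constructed example; WINDOW and PER_CLIENT_MAX follow the
'three attempts per 15 minutes' figure floated in the thread."""
from collections import deque
import time

WINDOW = 15 * 60        # seconds; failures older than this stop counting
PER_CLIENT_MAX = 3      # failures per client (IP, circuit or session id) per window
BASE_DELAY = 2.0        # seconds of per-account backoff after the first failure
MAX_DELAY = 5 * 60      # backoff cap, so a real user is never shut out for long


class FakeClock:
    """Deterministic clock for the simulation below; use time.monotonic in production."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.client_failures = {}   # client -> deque of failure timestamps
        self.account_state = {}     # account -> (consecutive failures, retry-after)

    def _recent(self, client, now):
        dq = self.client_failures.setdefault(client, deque())
        while dq and now - dq[0] >= WINDOW:
            dq.popleft()                # drop failures that fell out of the window
        return dq

    def check(self, account, client):
        """Call before verifying the password. Returns (allowed, reason)."""
        now = self.clock()
        if len(self._recent(client, now)) >= PER_CLIENT_MAX:
            return False, "too many failures from this client"
        _, retry_at = self.account_state.get(account, (0, 0.0))
        if now < retry_at:
            return False, "account in backoff for %.0fs" % (retry_at - now)
        return True, "ok"

    def record(self, account, client, success):
        """Call after verifying the password with its outcome."""
        now = self.clock()
        if success:
            self.account_state.pop(account, None)   # a real login clears the backoff
            return
        self._recent(client, now).append(now)
        failures, _ = self.account_state.get(account, (0, 0.0))
        failures += 1
        delay = min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)   # 2s, 4s, 8s ... 300s
        self.account_state[account] = (failures, now + delay)


def simulate_guessing(clock, throttle, account, clients, step=1.0):
    """Feed one wrong guess per `step` seconds, each from the given client id,
    and return how many guesses the throttle let through to the password check."""
    allowed = 0
    for client in clients:
        ok, _ = throttle.check(account, client)
        if ok:
            allowed += 1
            throttle.record(account, client, success=False)
        clock.advance(step)
    return allowed


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    # One client hammering one account: the per-client cap stops it at 3 per window.
    print(simulate_guessing(clock, throttle, "vendor", ["same-client"] * 100))
    # A new client id on every attempt: the per-account backoff still caps it at 10 in 1000s.
    clock2 = FakeClock()
    print(simulate_guessing(clock2, LoginThrottle(clock=clock2), "vendor",
                            ["exit-%d" % i for i in range(1000)]))
    # The vendor, from their own client, is not locked out once the backoff has elapsed.
    print(throttle.check("vendor", "vendor-home"))
```

The price of avoiding a hard lock is that the legitimate user can hit a backoff of at most MAX_DELAY while someone is guessing against their name; the per-client cap keeps that pressure from a single source short.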

Mr Lucy

  • Full Member
  • Posts: 106
  • Karma: +7/-26
Re: any captcha is valid?
« Reply #29 on: November 09, 2013, 01:28:17 pm »
I have twice on the new SR site been asked to enter all my details again because the captcha didn't match the one i entered.

Also it would be wise to have a login name different to your actual in-silkroad name. How can a hacker try to brutally force your account open if he only knows your SR name, but not your login name?

Dread Pirate Roberts

  • Captain
  • Administrator
  • Posts: 566
  • Karma: +552/-41
Re: any captcha is valid?
« Reply #30 on: November 09, 2013, 01:55:49 pm »
This is a temporary issue we're currently investigating, there is nothing to panic about as we're aware already.

Also, "brute-forcing" is extraordinarily difficult across Tor. If you have a 4 character password and make use of both a number, letter and special character combination, there are 12,117,361 possible combinations to try. At 5 characters this rises to 714,924,299 and 6 characters to 42,180,533,641 so you can see a brute force attack across Tor on login credentials is completely infeasible - this kind of brute force attack would only work on such small combination fields if you had a file locally you want to crack or it were a bit of ciphertext not requiring interaction across a web page to conduct it.
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.

ManInTheMirror

  • Sr. Member
  • Posts: 270
  • Karma: +49/-11
  • No FE, 4096 bit PGP, Tumble BTC
Re: any captcha is valid?
« Reply #31 on: November 10, 2013, 10:11:31 pm »
What you people still don't understand is that if someone is trying to bruteforce your password there are XXXXX false logins on a username. Don't you think an admin of a website can see these attempts to crack the password?

Calm down, change your password when the market really opens. And enable PGP verification which protects you a thousand times better than a captcha. I noticed PGP verification changes the passphrase after a false input so no chance to bruteforce the decrypted string.

Dread Pirate Roberts

  • Captain
  • Administrator
  • Posts: 566
  • Karma: +552/-41
Re: any captcha is valid?
« Reply #32 on: November 10, 2013, 10:14:15 pm »
> You would have thought a serious problem like this would be seen to a bit faster

If you have a 5 character or longer passphrase, this is not a problem, CAPTCHAs on the deep web are like a placebo given the latency and speed limitations, plus we have optional features such as PGP authenticated login to prevent these problems. We have actually fixed it and will be rolling it out with the bitcoin transaction update shortly.

DoctorClu

  • Newbie
  • Posts: 0
  • Karma: +742/-277
Re: any captcha is valid?
« Reply #33 on: November 10, 2013, 10:34:50 pm »
> You would have thought a serious problem like this would be seen to a bit faster
>
> If you have a 5 character or longer passphrase, this is not a problem, CAPTCHAs on the deep web are like a placebo given the latency and speed limitations, plus we have optional features such as PGP authenticated login to prevent these problems. We have actually fixed it and will be rolling it out with the bitcoin transaction update shortly.

Thanks DPR. Does this mean wallets are being made available?

Dread Pirate Roberts

  • Captain
  • Administrator
  • Posts: 566
  • Karma: +552/-41
Re: any captcha is valid?
« Reply #34 on: November 10, 2013, 10:36:26 pm »
Wallets for deposit and purchasing will be rolled out shortly, yes.

DoctorClu

  • Newbie
  • Posts: 0
  • Karma: +742/-277
Re: any captcha is valid?
« Reply #35 on: November 10, 2013, 10:37:22 pm »
> Wallets for deposit and purchasing will be rolled out shortly, yes.

Brilliant!! Thanks again.

oxyflight

  • Jr. Member
  • Posts: 73
  • Karma: +12/-16
Re: any captcha is valid?
« Reply #36 on: November 10, 2013, 10:39:08 pm »
> Wallets for deposit and purchasing will be rolled out shortly, yes.

very awesome. thank you dpr
|STATUS|: Temporary Hiatus While We Meet With Cartel Representatives.

http://silkroad6ownowfk.onion/users/oxyflight

giancarlo

  • Hero Member
  • Posts: 1273
  • Karma: +219/-82
Re: any captcha is valid?
« Reply #37 on: November 15, 2013, 06:20:05 pm »
> This problem is still not fixed. You can get in with random letters in the captcha on the second attempt every time

^^THIS. For some strange reason, the first attempt always gives you an error but the second attempt using the same bogus CAPTCHA lets you in every time.
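As an added example that is not code from the thread or the marketplace, a server-side CAPTCHA check with the two properties this thread found missing: a mismatch is rejected, and the challenge is consumed on every attempt, so the same bogus text cannot get through on a second try. The store API, the 6-character upper-case alphabet and the 5-minute lifetime are assumptions of the example.

```python
"""Server-side CAPTCHA verification with the properties this thread found
missing: a wrong answer is rejected, and each challenge is single-use, so
resubmitting the same bogus text on a second attempt fails as well.
Constructed example, not the marketplace's code."""
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits   # symbols the image would show


class CaptchaStore:
    def __init__(self, ttl=300, clock=time.monotonic):
        self.ttl = ttl              # seconds a challenge stays valid
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # challenge id -> (expected answer, expiry time)

    def issue(self, length=6):
        """Create a challenge. The answer stays server-side and goes only to the
        image renderer; the client receives just the opaque challenge id."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (answer, self.clock() + self.ttl)
        return cid, answer

    def verify(self, cid, submitted):
        """Consume the challenge and return True only on a case-insensitive match."""
        entry = self._pending.pop(cid, None)   # removed whether or not it matches
        if entry is None:
            return False                        # unknown, forged or already-used id
        expected, expires_at = entry
        if self.clock() > expires_at:
            return False                        # stale challenge, even with the right text
        # constant-time compare; upper() lets the lowercase habit mentioned above work
        return hmac.compare_digest(expected.encode(), submitted.strip().upper().encode())


def attempt_login(store, cid, captcha_text, password_ok):
    """CAPTCHA first, credentials second: a failed CAPTCHA ends the attempt before
    the password is consulted, and the next attempt needs a freshly issued challenge."""
    if not store.verify(cid, captcha_text):
        return "captcha rejected"
    return "logged in" if password_ok else "bad credentials"


if __name__ == "__main__":
    store = CaptchaStore()
    cid, answer = store.issue()
    print(attempt_login(store, cid, "x", password_ok=True))      # captcha rejected
    print(attempt_login(store, cid, answer, password_ok=True))   # still rejected: id consumed
    cid, answer = store.issue()
    print(attempt_login(store, cid, answer.lower(), password_ok=True))   # logged in
```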