Silk Road forums

Discussion => Silk Road discussion => Topic started by: Concerned_Buyer on September 21, 2011, 04:38 am

Title: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 21, 2011, 04:38 am
First, I'd like to thank Silk Road for all the hard work he's put into the site. Thanks to him I'm smoking better bud than I have in a long time.

Next, a small amount of background information on me. In the real world I'm a web architect/developer. I'm also a buyer here, but I'm posting under another name because I'm not sure how this topic will be received and I don't want to do anything to risk my pristine buyer account.

I haven't seen much discussion on the recent security vulnerabilities, so I wanted to give my thoughts on them for those who may not know as much about the topic.

I first noticed "issues" with the website when I was playing around with the HTML/CSS (trying to make it a bit prettier). An alarm went off in my head when I realized that the layout for the Silk Road is table based. This is in no way a security issue, but it does show that whoever wrote the site is very behind the times in terms of web design. I didn't think much about it though because it's only aesthetics, and being good with HTML/CSS isn't really necessary to be a good backend dev (which is where most of the security concerns are here).

However, as I'm sure you've seen, there have been some vulnerabilities in the backend disclosed recently. This is very concerning to me because these bugs have not been advanced bugs, in fact they are very simple. Protecting against these things is net security 101. They are extremely common attacks, and I would expect even a green web developer straight out of school to have no problems protecting against them. If any of my employees let such a bug into production (especially on a site as security sensitive as this) I would fire them immediately. I continually hear people talk about how secure this site must be, and how extra money would help with "advanced" security, but it's clear that the site hasn't even made it to the point of basic security. If these vulnerabilities existed you can be certain that there are others waiting to be discovered (or that already have been).

So what does this mean to me? I will continue using the site, but will not trust it in any way. I will keep all bitcoins until right before a purchase, and I will tumble them myself. As long as my messages to sellers are encrypted with their pub-key I should still be safe. To be honest though, if another site gets a decent amount of vendors I will probably move along unless I see a serious improvement in the security here.

I feel kind of bad writing this, it seems like I'm ripping apart the work of someone who has done a lot for me. I really feel like less technical users should know the severity of the issues though.
Title: Re: On the Recent Security Vulnerabilities
Post by: Modoki on September 21, 2011, 11:08 am
I completely agree with you and think that SR should really fix up this basic security stuff before taking fees of 12.5%. While others like the admin of OVDB talk about 64-bit OpenBSD with ASLR and VM isolation, SR still has SQL injection and XSS issues. To disclose and use these vulnerabilities is normal hacker 101, it's what everybody tries first when trying to hack a site. wtf.
SR is a cool guy, but the commission rate and overall security issues are a really bad sign of how this may go on.
Much love
Title: Re: On the Recent Security Vulnerabilities
Post by: Raffael on September 21, 2011, 05:59 pm
Keep every communication especially addresses for shipment private using GPG.
Title: Re: On the Recent Security Vulnerabilities
Post by: anarcho47 on September 21, 2011, 06:33 pm
This stuff needs to be addressed ASAP.  If I find out too much of these issues aren't being dealt with, I'm out.
Title: Re: On the Recent Security Vulnerabilities
Post by: nomad bloodbath on September 21, 2011, 06:37 pm
I myself am very unhappy with the current state of Silk Road and not sure where my future lies at this time.

:(
nomad bloodbath
Title: Re: On the Recent Security Vulnerabilities
Post by: g4bb3r on September 21, 2011, 07:00 pm
I'm also unhappy with SR at the moment. It's clear that SR isn't a coder by profession, but simply someone with a decent computer knowledge base (enough to get this site up and running at least) who had a vision of this site and created it. I was OK with this at the inception of the site, I thought over a few months a lot of improvements would be made but so far very few new features have been implemented. He should really pay a real programmer to code the site and use that -- of course checking it for backdoors before putting it out into production.
Title: Re: On the Recent Security Vulnerabilities
Post by: dorito on September 21, 2011, 07:19 pm
SR has already been taken over by LE, it's now operation cleanout
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 21, 2011, 10:28 pm
Edit: Removed endorsement of BlackMarket due to past connections with child porn I wasn't aware of.
Title: Re: On the Recent Security Vulnerabilities
Post by: RedRocket on September 21, 2011, 10:54 pm
you're not a concerned buyer, you're the owner of BlackMarket and also a fucking pedophile... gtfo
Title: Re: On the Recent Security Vulnerabilities
Post by: Modoki on September 21, 2011, 11:23 pm
no way I move to BM. kimmo alm can suck my dick.
On another note, if SR goes south, I'll just go back to forums. well.
Would be a very sad thing though and I have faith in SR. He just needs to get his ducks in a row, maybe a bit of ass kicking and we'll be fine
Much love
M
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 21, 2011, 11:31 pm
you're not a concerned buyer, you're the owner of BlackMarket and also a fucking pedophile... gtfo

No, I'm not.

no way I move to BM. kimmo alm can suck my dick.

Is there some sort of problematic history with the operator of BlackMarket? I was just looking through the other options on the hidden wiki and it looked like the one with the most promise.
Title: Re: On the Recent Security Vulnerabilities
Post by: RedRocket on September 21, 2011, 11:48 pm
BM doesn't have a history (if you haven't noticed, there is nothing on it)... oh come on, cut the crap man, you're the owner, trying to suck out all the sellers and buyers from Silk Road in these tough times... how can you even order on a site like that??? Are you mad? Or are you the owner?... nobody in their right mind would order off there....

your following quote just gave you the fuck away:

"I actually just placed my first order on BlackMarket reloaded from a vendor that has listings both here and there. Looking at the HTML it looks like it was built by a real web developer. I also did a cursory look for SQL injection vulnerabilities and found no problems. This wasn't in depth, so don't take it as though it's perfectly secure, but I definitely trust the developer there more than here. The 4% commission rate is also nice.

If everything goes well I will continue looking at both sites, but I will lean towards using BlackMarket (hint hint vendors ;) )"
Title: Re: On the Recent Security Vulnerabilities
Post by: RedRocket on September 21, 2011, 11:52 pm
who is the seller that is selling on BM and here??
Title: Re: On the Recent Security Vulnerabilities
Post by: RedRocket on September 21, 2011, 11:56 pm
BM is LE, when Silk Road gets shut down one day, everyone will move to BM, and we will be conducting business under LE's wing, how wonderful, new world order shite right there, all set up
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 22, 2011, 12:06 am
There was a time when Silk Road didn't have much of a history either, you have to start somewhere. I don't see how my quote gives anything away other than I'm trying alternatives to the Silk Road, and frankly, the pedophile remark was just uncalled for.

I won't list the seller here, but it's not hard to find, look at the weed vendors here and there, the usernames and public keys match.

I'm not saying that BlackMarket should absolutely be the successor to Silk Road, it just looked like the next best option to me while I was looking. If anyone has a LEGITIMATE beef with BlackMarket I would love to hear it.
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 22, 2011, 12:22 am
SR has already been taken over by LE, it's now operation cleanout

BM is LE, when Silk Road gets shut down one day, everyone will move to BM, and we will be conducting business under LE's wing, how wonderful, new world order shite right there, all set up

It sounds like we're all already screwed :P
Title: Re: On the Recent Security Vulnerabilities
Post by: RedRocket on September 22, 2011, 12:54 am
you know exactly what I mean by pedophile, and so do a good few others, a very clever tactic created by LE to gain people's trust in that site... look at you, asking us for the history of BM, so that more people will know and think it's trustworthy.

a very clever tactic created by LE to gain people's trust in that site - that's all it is.. bet you didn't expect that, constable
Title: Re: On the Recent Security Vulnerabilities
Post by: wretched on September 22, 2011, 01:06 am
There was a time when Silk Road didn't have much of a history either, you have to start somewhere. I don't see how my quote gives anything away other than I'm trying alternatives to the Silk Road, and frankly, the pedophile remark was just uncalled for.

mrouid is selling both here and there.

I'm not saying that BlackMarket should be the successor to Silk Road, it just looked like the next best option to me while I was looking. If anyone has a LEGITIMATE beef with BlackMarket I would love to hear it.
ya, everyone has to start somewhere, but selling kiddie porn is not the right place to start. Even when the "reloaded" site came online, I even went over there and set up a seller account under a highly rated vendor here just to see how extensive their "SR verification" was, and they activated that seller account right away. I am NOT that vendor, nor have I ever used that account on BM, I just wanted to make sure they were actually doing the verification that they claimed. I can say without a shadow of a doubt that they did not do it in that case. That is the only LEGITIMATE beef I have with him. He is trying to get some of the SR business, but as far as I can tell it is nothing but scam city over there, and if they will verify a known SR account to anyone who asks, better steer clear!
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 22, 2011, 01:16 am
He should really pay a real programmer to code the site and use that -- of course checking it for backdoors before putting it out into production.

The question is, if you can't trust him to write the code, can you trust him to review it?
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 22, 2011, 01:21 am
Quote
but selling kiddie porn is not the right place to start.

Did the BlackMarket sell child porn before? The only thing I can find on the topic now is from the help page: "One single exclusion applies to this site: No Child Porn, please". If they have connections with child porn then I'm with you, I'm out.

I didn't see anything about Silk Road verification, but if they said they were verifying and weren't that sucks. In my case, the public key matches, so either the vendor is who they say they are or they can't decrypt my information.

Thanks for the reply wretched :)
Title: Re: On the Recent Security Vulnerabilities
Post by: rake on September 22, 2011, 04:16 am
Quote
but selling kiddie porn is not the right place to start.

Did the BlackMarket sell child porn before?

Yes. And the site got hacked as the owner's refusal to remove CP listings made it a target.
Title: Re: On the Recent Security Vulnerabilities
Post by: BitcoinPot on September 22, 2011, 04:42 am
BM owner or not, I'm going to have to agree with the OP about the security issues. SQL injections should not be an issue these days because no one should be using string concat for anything in SQL anymore. Every modern library has some function or another that will fill in query parameters for you, properly escaped and everything. Please fix these issues, I'm willing to help, but I hope you don't allow it from a new member with no rep.
Title: Re: On the Recent Security Vulnerabilities
Post by: lookbehindyou on September 22, 2011, 05:51 am
BM owner or not, I'm going to have to agree with the OP about the security issues. SQL injections should not be an issue these days because no one should be using string concat for anything in SQL anymore. Every modern library has some function or another that will fill in query parameters for you, properly escaped and everything. Please fix these issues, I'm willing to help, but I hope you don't allow it from a new member with no rep.

I'm the guy who discovered the vulns.

I design 'paranoid systems', very well known in certain circles.
Most popular design:

3 dedicated servers, running OpenBSD.

First server is app server.
Runs software written in Haskell and/or Python. Runs effectively as a RPC server. Deals with parsed data only. Stores all session state in state server.

Second server is state server.
Runs pgsql or other relational database. Sensitive data stored on a separate peripheral, encrypted in transit, with anti-handling devices dumping 500v out of a big capacitor across the memory chips.

Third server is frontend.
Communicates with app server, translating requests into RPC and back. Everything sanitized. The only server with a public IP.

Optional: fourth server, watchdog server. Pings all servers and does sanity checking. Connected to relays which immediately axe the power supply to any machine that has anomalies.

One of these systems was a BBS in the early 80s, and has now been converted only through the frontend into an HTML/HTTP/AJAX site.

Silk Road? Nah, it's a "cool internet startup" security level, not a 'we're doing illegal shit!' level.

Silk Road is shittily designed. Sorry.
CodeIgniter HAS A FUCKING ORM.

... and Silk Road uses it
except when it randomly doesn't.

if the CIA/FBI/NSA ever notice SR, they'll pretty much already have it compromised.

it's also running on an old version of PHP... and Ubuntu Server.

come on guys.
Title: Re: On the Recent Security Vulnerabilities
Post by: young habitat on September 22, 2011, 06:29 am
lookbehindyou, tell us a little more about the SQL injection hole you found. It sounds like the type of vulnerability where if someone with minimal SQL experience typed in something like "Durban's Poison" they would see an SQL error and realize that they could then run queries on the rest of the database.

CodeIgniter is pretty good, and it's taking care of a lot of the security problems SR forgot to worry about, but it can't take care of all of them.

SR:

This SQL injection on the search feature lookbehindyou talked about sounds really serious. That's the type of vulnerability that even the least-dedicated semi-experienced hacker will notice immediately. And if it's as bad as it sounds, that hacker had access to a *ton* of information. Are you looking through the past couple of months' logs for SQL errors and long queries? You should be. Because I bet lookbehindyou wasn't the first person to find this hole.

How are you encrypting our passwords? MD5? MD5+Salt?

What happens to our personal information after it's not needed anymore? Is that stuff just piling up in your database? Is there any way that we can have our names and addresses not stored in plaintext on the server? The fact that he saw unencrypted names of customers from this hole is really scary to me.

Let's open up a dialogue so that we can figure out how to make this work for everyone.
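An added illustration (not code from the thread or from the site) of the two points made above: BitcoinPot's "string concat versus query parameters" and young habitat's "Durban's Poison" search term and log review. It uses a constructed in-memory SQLite table and constructed log lines; the schema, the listings and the log format are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for a listings table; not the site's real schema or data.
LISTINGS = [
    ("Durban's Poison", "vendor_a"),
    ("Blue Dream", "vendor_b"),
    ("Sour Diesel", "vendor_a"),
]


def make_db():
    """Build the sample database that both search functions run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (title TEXT, vendor TEXT)")
    conn.executemany("INSERT INTO listings VALUES (?, ?)", LISTINGS)
    return conn


def search_concat(conn, term):
    """The pattern the thread objects to: the search term is spliced into the
    SQL text. An apostrophe in the input closes the string literal early, so
    the database reads the rest of the input as SQL and raises a syntax error
    (the error young habitat expects a casual tester to notice)."""
    sql = "SELECT title, vendor FROM listings WHERE title LIKE '%" + term + "%'"
    return list(conn.execute(sql))


def search_param(conn, term):
    """Parameterised form: the driver sends the term as a bound value, never
    as SQL text, so an apostrophe is just a character to match against."""
    sql = "SELECT title, vendor FROM listings WHERE title LIKE ?"
    return list(conn.execute(sql, ("%" + term + "%",)))


def concat_fails_on_apostrophe(conn, term="Durban's Poison"):
    """True if the concatenated query errors on a term a normal user would type."""
    try:
        search_concat(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


# Constructed web-app log lines of the kind young habitat suggests reviewing;
# the third line carries an implausibly long search term.
SAMPLE_LOG = [
    '2011-09-20 03:11:52 INFO search q="Blue Dream" status=200',
    '2011-09-20 03:12:07 ERROR search q="Durban\'s Poison" db_error="unrecognized token"',
    '2011-09-20 03:13:40 INFO search q="' + "x" * 300 + '" status=200',
    '2011-09-20 03:14:02 INFO search q="Sour Diesel" status=200',
]

QUERY_RE = re.compile(r'q="([^"]*)"')


def suspicious_search_lines(lines, max_term_len=100):
    """Flag search requests that produced a database error or carried an
    abnormally long term; both deserve a look once injection is suspected.
    Returns (reason, timestamp) pairs in log order."""
    hits = []
    for line in lines:
        match = QUERY_RE.search(line)
        if not match:
            continue
        timestamp = line[:19]
        if "db_error=" in line:
            hits.append(("sql_error", timestamp))
        elif len(match.group(1)) > max_term_len:
            hits.append(("long_term", timestamp))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("parameterised:", search_param(db, "Durban's Poison"))
    print("concatenated query fails on apostrophe:", concat_fails_on_apostrophe(db))
    print("log lines worth reviewing:", suspicious_search_lines(SAMPLE_LOG))
```

The concatenated version works fine on "Diesel", which is why the bug survives casual testing; only input containing a quote exposes it.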
Title: Re: On the Recent Security Vulnerabilities
Post by: rake on September 22, 2011, 07:26 am
What happens to our personal information after it's not needed anymore? Is that stuff just piling up in your database? Is there any way that we can have our names and addresses not stored in plaintext on the server? The fact that he saw unencrypted names of customers from this hole is really scary to me.

Let's open up a dialogue so that we can figure out how to make this work for everyone.

People need to read the buyers guide.
If you are shipping drugs to your own home...  DON'T.
If you are using your real name... DON'T.
Sending vendors the address details without PGP encryption... DON'T.

If someone hacked the DB server when I have orders in there, the only thing they will find in the address field is a PGP message.  If lookbehindyou managed to get some plaintext addresses from orders which are still marked as processing, don't lump all the blame on SR, the users are also at fault for not following the Buyers guide.
Title: Re: On the Recent Security Vulnerabilities
Post by: Modoki on September 22, 2011, 12:53 pm
yeah, but still, rake - SR doesn't take commission for nothing. I am sure he can make a decent living off of this site if he is clever, but yet he has to fix up some stuff. definitely.
And lookbehindyou is pretty much right: the security level is way below what it seemed to be.
On the other hand, you can do illegal shit pretty good without proper security as long as it's not mega illegal. The thing is, the FBI can't be compared to the NSA, lookbehindyou. I say, if the NSA wants to fuck us up, this will be done in no time.
If the feds want to bring us down, they will try to spread FUD and bust single sellers by trying to make them do something stupid.
For example, I get roughly one enquiry per week asking if I can accept bank wire or meet in person. This is how the feds would most likely try to bust someone, besides surveillance and correlation attacks on a rather basic level.
NSA would do correlation attacks based on things like your writing style, can do Van Eck phreaking, have shit like Echelon. No way to get past this if you still have to fight SQL injection.
Much love
and don't lose faith.
if SR goes downhill, we will have other options. The genie is out of the bottle, and we all know it.
M
Title: Re: On the Recent Security Vulnerabilities
Post by: treebeard on September 22, 2011, 02:30 pm
damn, it is a little disheartening to hear so much doubt from a lot of well established SR members. 

do y'all think the hiring of a new developer which SR recently posted about in the forums would help resolve these issues in a timely and acceptable way?
Title: Re: On the Recent Security Vulnerabilities
Post by: Modoki on September 22, 2011, 02:44 pm
If you ask me, I wouldn't have announced this publicly - and I would have hired the admin of OVDB. He even said he would help for free, and he sure is at least a good improvement. It's not that he is an uber Unix god, but he sure gets it together.
On another note, I don't question SR's concept in any way or even question SR's good will. However, I'd wish SR to communicate more what he wants (except money) and maybe get a bit back on track of what was his idea.
Much love
M
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 22, 2011, 03:09 pm
How are you encrypting our passwords? MD5? MD5+Salt?
I certainly hope not. Hopefully he is at least using SHA-1+Salt, and preferably something like bcrypt. This is exactly the type of thing that should be public information too, if it's done securely then there is no problem with that and we'll all sleep a little better. Security through obscurity is not security.

If someone hacked the DB server when I have orders in there, the only thing they will find in the address field is a PGP message.  If lookbehindyou managed to get some plaintext addresses from orders which are still marked as processing, don't lump all the blame on SR, the users are also at fault for not following the Buyers guide.
What if an attacker changes the public key listed with a seller's account?

do y'all think the hiring of a new developer which SR recently posted about in the forums would help resolve these issues in a timely and acceptable way?
It might, but there is the problem of trust. I'm sure there are quite a few of us that could help out, but Silk Road shouldn't trust most of us, and if he does it shows he's not paranoid enough.

I think Silk Road should have more of a presence in the forum, this is the sort of topic he should be responding to publicly if he wants to maintain our trust. Another possibility I've been mulling over is an open source web app that sites like these could use, then we can all review and contribute to the code, and people running the sites only have to worry about securing and maintaining the server.
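An added example (not from the thread or the site) of the password-storage options named above: unsalted MD5, salted SHA-1, and a deliberately slow salted hash. The standard library's PBKDF2-HMAC-SHA256 stands in for bcrypt here (an assumption: same role, different algorithm), and the stored-string formats are my own.

```python
import hashlib
import hmac
import os


def md5_unsalted(password):
    """Unsalted MD5 as asked about in the thread: the same password always
    yields the same digest, so a leaked table reveals who shares a password
    and a single precomputed lookup table works against every account."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha1(password, salt=None):
    """SHA-1 over a random per-user salt plus the password, stored as
    'salt$digest'. Salting defeats precomputed tables and hides shared
    passwords, but SHA-1 is fast, so guessing one account stays cheap."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def slow_hash(password, iterations=200_000, salt=None):
    """Salted and deliberately slow: iterations make each guess cost as much
    as a login. Stored as 'pbkdf2_sha256$iterations$salt$digest' so the
    parameters travel with the record and can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_slow_hash(password, stored):
    """Recompute from the parameters embedded in the stored string and compare
    in constant time so response timing does not leak how much matched."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hashes_reveal_shared_password(hasher, password):
    """True if two accounts with the same password get identical stored values."""
    return hasher(password) == hasher(password)


def round_trip_ok(password, wrong_password, iterations=1_000):
    """Store a password with slow_hash, then check that only the right one verifies."""
    stored = slow_hash(password, iterations=iterations)
    return verify_slow_hash(password, stored) and not verify_slow_hash(wrong_password, stored)


if __name__ == "__main__":
    # "hunter2" is a constructed sample password.
    for name, hasher in (("md5", md5_unsalted), ("sha1+salt", salted_sha1), ("slow", slow_hash)):
        print(name, "reveals shared passwords:", hashes_reveal_shared_password(hasher, "hunter2"))
    print("slow hash round trip ok:", round_trip_ok("hunter2", "hunter3"))
```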
Title: Re: On the Recent Security Vulnerabilities
Post by: EnterTheMatrix on September 22, 2011, 04:00 pm
This stuff needs to be addressed ASAP.  If I find out too much of these issues aren't being dealt with, I'm out.

+1 Security MUST be paramount!

Without it, we will have nothing except jail time and no easy access to AMAZING substances.
Title: Re: On the Recent Security Vulnerabilities
Post by: EnterTheMatrix on September 22, 2011, 04:01 pm
SR has already been taken over by LE, it's now operation cleanout

What a fucking stupid comment, where is your proof? Idiot...
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 22, 2011, 04:31 pm
it's also running on an old version of PHP... and Ubuntu Server.
:O Have you suggested to Silk Road that he change that? Also, thanks for properly disclosing the XSS and SQL injection.

The thing is, the FBI can't be compared to the NSA, lookbehindyou. I say, if the NSA wants to fuck us up, this will be done in no time.
If the feds want to bring us down, they will try to spread FUD and bust single sellers by trying to make them do something stupid.
No doubt the FBI isn't in the same class as the NSA, but if they can't handle simple XSS or SQL injection that's a pretty sad state of affairs.
Title: Re: On the Recent Security Vulnerabilities
Post by: Modoki on September 22, 2011, 04:52 pm
well, actually I guess the FBI and such federal investigation organizations can do XSS and SQL injection. To assume anything else would be stupid. However, they are pretty much incapable of busts via virtual means, apparently. It's maybe just not how they work. On another note, this whole stuff may be just too small for them, who knows. After all, there are and especially were tons of vendors who sold meth and H and such and took payment via cash in mail. This is pretty much insane, but it worked most of the time. If the feds had just used a tiny bit of surveillance, they could have easily busted most of them.
Anyway, use great security. You don't want to be the first to recognize they've learned something. Be more than one step ahead - this includes hardening yourself against such exploits, and in this respect sanitized arguments for SQL handling and keeping to the latest version are pretty much basic. I am still waiting for SR to explain something about this...
Much love
M
Title: Re: On the Recent Security Vulnerabilities
Post by: zirkelwin on September 22, 2011, 05:25 pm
I am still waiting for SR to explain something about this...

+1
Title: Re: On the Recent Security Vulnerabilities
Post by: softlyraining on September 23, 2011, 04:16 am
Just google "Silk Road market" or some such thing on the open internet.  Yeah, LE knows about it.  It's a matter of when they choose to invest their resources and get over bureaucratic inertia and the snarl of red tape they have to go through to start a new type of investigation into something they've never done before.

Look up what happened before the Commission Case and how long it took before they actually got it set up: the Feds have trouble moving quickly on most issues.  That isn't going to stop certain types of attacks though, and we have no idea whether or not they already have a few hooks in, especially with the recently revealed security issues.
Title: Re: On the Recent Security Vulnerabilities
Post by: SR_Seller_Accounts on September 23, 2011, 04:40 am
An alarm went off in my head when I realized that the layout for the Silk Road is table based. This is in no way a security issue, but it does show that whoever wrote the site is very behind the times in terms of web design.

Tables are designed for tabular data display. It has been the standard since 1993 and is STILL the standard for tabular data display, which is precisely what SR uses the tables for.


In the real world I'm a web architect/developer.

... or a self-taught web development (front end) neophyte that has a lot to learn.

You mentioned Security 101 ... I suggest you start with HTML 101.
Title: Re: On the Recent Security Vulnerabilities
Post by: young habitat on September 23, 2011, 04:56 am

Tables are designed for tabular data display. It has been the standard since 1993 and is STILL the standard for tabular data display, which is precisely what SR uses the tables for.

Yeah I agree. Tables aren't like some antiquated, insecure form of web design. Tables might not be hip in the web design community anymore, but they work perfectly for SR. Not a priority imo.
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 23, 2011, 05:12 am
An alarm went off in my head when I realized that the layout for the Silk Road is table based. This is in no way a security issue, but it does show that whoever wrote the site is very behind the times in terms of web design.

Tables are designed for tabular data display. It has been the standard since 1993 and is STILL the standard for tabular data display, which is precisely what SR uses the tables for.
Everything you've said is true, but do you know what else SR uses tables for? Layout. Take a look at the source (you obviously haven't), what's the first tag you see after the body? It's a table. Now look at every other modern website out there. What's the first tag you see? Probably a div. Tables are fantastic for tabular data, I use them all the time, they're not great for layout. As young habitat pointed out though (and I said in my original post), it's not a big deal, but it does scream amateur.

In the real world I'm a web architect/developer.

... or a self-taught web development (front end) neophyte that has a lot to learn.

You mentioned Security 101 ... I suggest you start with HTML 101.

When I started in this business tables were the standard way of doing layouts. That was well over 10 years ago.
Title: Re: On the Recent Security Vulnerabilities
Post by: envious on September 23, 2011, 05:15 am
SR_Seller_Accounts is just a troll. Look at all his posts.
Title: Re: On the Recent Security Vulnerabilities
Post by: SR_Seller_Accounts on September 23, 2011, 08:08 am
SR_Seller_Accounts is just a troll. Look at all his posts.

He incorrectly blasted SR for using tables.

I responded to and corrected his ignorance.

IF that is trolling, then I stand proudly guilty in solidarity with my fellow trolls.
Title: Re: On the Recent Security Vulnerabilities
Post by: keldog09 on September 23, 2011, 10:17 am
Quote
However, they are pretty much incapable of busts via virtual means, apparently.

When law mixes with the Internet it becomes a rather confusing stew that no one usually does anything about because the paperwork is ABSOLUTE death. I'm not saying that one should underestimate LE though, because when they really want us gone, we'll be gone. Fuckin pigs.

This thread really bothers me for two reasons: SR not being present and all of the obvious trolling. I don't have the coding know-how to say whether it's complete bullshit or not, but this thread is pushin on my bullshit button pretty hardcore.

I hope SR posts soon. :/
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 23, 2011, 03:37 pm
SR_Seller_Accounts is just a troll. Look at all his posts.

He incorrectly blasted SR for using tables.

I responded to and corrected his ignorance.

IF that is trolling, then I stand proudly guilty in solidarity with my fellow trolls.

You took my comment on tables out of context (ignoring that I said it wasn't a huge deal), and made an argument based on exclusion of facts (omitting that SR uses tables not just for displaying tabular data, but also for layout).

Instead of making a proper argument against mine you resorted to calling me names to try to discredit me.

You're trolling.
Title: Re: On the Recent Security Vulnerabilities
Post by: wretched on September 23, 2011, 04:13 pm
I wouldn't be too concerned with others discrediting you, you did a pretty good job of that yourself by advertising for the black market
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 23, 2011, 04:19 pm
I wouldn't be too concerned with others discrediting you, you did a pretty good job of that yourself by advertising for the black market

Admittedly that endorsement was premature. I was/am disgruntled with SR and was in too big of a hurry to find an alternative. I didn't properly research BM's past. I've now edited that post and removed the endorsement.
Title: Re: On the Recent Security Vulnerabilities
Post by: Concerned_Buyer on September 23, 2011, 05:16 pm
I'm going to go ahead and dispose of this account now, the discussion has at least been started now and my credibility has been damaged by me being an idiot earlier in the thread and endorsing BM.

No-one should take my word for it anyways, I encourage everyone to ask a web developer they know and trust whether XSS and SQL injection should still be an issue with modern web development.

To the non-troll posters, thanks for your responses, I hope SR posts soon and addresses these issues.
Title: Re: On the Recent Security Vulnerabilities
Post by: anarcho47 on September 23, 2011, 08:08 pm
There's nothing WRONG with endorsing BM, anybody who jumps all over you for that is a fucking moron.

SR went down shortly after the gawker rush, a bunch of people migrated over there to keep getting supply.  Unfortunately some dickless-fuck scammers had already made a bunch of accounts using the names of established sellers here (and buyers weren't using PGP to verify identity), BM had no escrow, so a shitload of people got scammed.

On top of that, BM was trying to attract a larger market share by saying NO RESTRICTIONS on any listings, including counterfeit currency, fake ID's, firearms/explosives, and child porn.  The latter attracted, and rightly so, the ire of one of the more infamous hacker groups, who sent the entire site database to the FBI and created a redirect from BM to the FBI's site.  This was simply vendetta hacking, but it has damaged BM's rep enough that nobody will touch it.

At the time I even set up a seller account over there because nobody knew if SR was coming back or not.  I might be the cannabis seller the OP is referring to, who knows, but if you checked my last-seen over there it should say a couple of months, since I bailed on BM even before the whole CP issue blew up because so many people were getting scammed I knew it would be pointless to pursue selling on there.

As for the security of the site, I would recommend instead of nattering back and forth like a bunch of little boys on whose SQL dick hangs lower and how many cheap HTTP whores you've fucked, we start looking at this whole fucking situation rationally and have at this like a community instead of a bunch of whiny asshats.

I don't know the first fucking thing about PGP, SQL or programming web security.  I know how to source good product and deliver it consistently to people who want it.  That is my role here.  Maybe from time to time I enjoy taking a paddle to the little asses of the useless trolls too, but that's just entertainment to me.

If you are ACTUALLY concerned about the security issues, and DO know something about this, and DO give a shit about the community's longevity, I would suggest taking a more adult approach to dealing with problems.

Compile an actual, functional list of the issues that concern you.  Be specific.  Take a few of the more pertinent ones and send them to SR in a PGP encrypted message to his key.  Your time isn't free either, and I know that SR is looking for a Unix Admin and has some money to offer, so tell SR those ones are a freebie, but you have found (x) number of issues that also concern you.  If he'll pay you a bit for your time, you will be willing to go over the other ones with him, and if he actually implements the shit you recommend, to pay you accordingly since you are saving his ass.  I can't imagine SR is constantly lurking the forums, so a little proactivity and some PM's might go a lot further.  SR has answered every single one of my PM's since I first came to this site and seems to check those regularly.  I'm sure if you put ***Security Issues*** in the subject he would give it a read.

He has just as much or more to lose than any of us from LE compromising the site.  I don't think he'll brush it off if you take a proactive approach.  If he does, it might be time to start looking for a new home - but by the same token he knows this so it's still in his best interest to get shit together.

In the meantime, a lot of us need to grow up and stop nattering at each other and start tackling this shit head-on.  Bitching and whining and breaking out the fucking belt ruler gets nobody anywhere, and I for one thank the OP for starting this thread because this entire issue is of paramount importance to us maturing and meeting our individual and cooperative goals as a community.

let's actually do it.
Title: Re: On the Recent Security Vulnerabilities
Post by: Tokin' Minority on September 23, 2011, 09:09 pm
I totally agree with Anarcho on the need to address this immediately as a community. I do have some questions:

The main question is have all the discovered vulns been confirmed fixed? I think this is very important and I wish SR would post in this thread. Even just an "aware and on top of it" note.

Also, what can we do proactively? Actually start pen-testing the site and look for more issues to compile a list that will be presented to SR and/or the community? I would contribute BTCs if there's a collective effort to pay a reputable, sympathetic security pro to inspect and implement improvements.  Or SR could let trusted members who are also coders look at the application (not the actual database) and give it a proper audit.

I'm obviously also sensitive to the need for secrecy and understand that a closed system ("release as little info as possible") has its advantages. However the OP did raise serious issues that concern us all.

I guess I agree that there needs to be action on this, I'm just not sure what that would be, especially without SR's cooperation. I think OP's idea of open-sourcing the code that runs the site and setting up a "paranoid system" like what lookbehindyou described may be the best way in the long run. Again, we could all contribute time/knowledge/money to such effort. But that's for another discussion.

Back to the question: anything we users can do now?

Title: Re: On the Recent Security Vulnerabilities
Post by: dorito on September 23, 2011, 09:53 pm

Title: Re: On the Recent Security Vulnerabilities
Post by: LexusMiles on September 23, 2011, 10:11 pm
As for the security of the site, I would recommend instead of nattering back and forth like a bunch of little boys on whose SQL dick hangs lower and how many cheap HTTP whores you've fucked, we start looking at this whole fucking situation rationally and have at this like a community instead of a bunch of whiny asshats.
[..]
I for one thank the OP for starting this thread because this entire issue is of paramount importance to us maturing and meeting our individual and cooperative goals as a community.

Seriously, excellent post. Emphasis on "meeting our individual and cooperative goals as a community" <-- this is where it's at. With this in mind, only good changes will come into effect.

Quote from: dorito
tl;dr

Long, yes.. but worth the read..
Title: Re: On the Recent Security Vulnerabilities
Post by: anarcho47 on September 23, 2011, 10:35 pm
dorito.... grow up.  In the amount of time it took you to quote me, copy that picture and upload its uselessness to this site, you could have read 2/3 of my post, and exercised an apparently much-out-of-shape brain cell or two.

This is the kind of shit we don't have time for on these forums.  4chan awaits you, snack.
Title: Re: On the Recent Security Vulnerabilities
Post by: treebeard on September 23, 2011, 11:03 pm
goddamn am I glad we have someone like anarcho on here taking care of shit with a level head, I get to relax and lurk knowing the points I want to raise and the fools I want to smack down will soon be dealt with by his swift, anarchtic fist.
Title: Re: On the Recent Security Vulnerabilities
Post by: anarcho47 on September 24, 2011, 02:07 am
I'm a rational-utilitarian most of the time.  This thread has been very far from that.  I'm more into handshakes than fists, but sometimes the boat starts heading for the waterfall and somebody (it just happened to be me this time) has to kick the rudder back the other way.

This stuff concerns me as much as the next I'm-sticking-around-here-because-this-is-fucking-awesome-sauce participant.  I want it dealt with, not whined about.  I am fairly certain SR doesn't even know this thread exists quite yet.
Title: Re: On the Recent Security Vulnerabilities
Post by: Modoki on September 24, 2011, 03:14 am
I am sorry, but I do have to kind of not agree with you on the thesis that this thread is largely whining. It's just putting emphasis on the fact that these vulnerabilities should simply not exist, and, in all honesty, I wouldn't really have thought of the fact they could. This is not cheap http whore fuck bragging or whatever, it's rather for people like you, who, as you said, have the job to deliver goods and not understand technicalities, so that you understand this is a very serious concern.
On another note, I am pretty certain SR knows about this thread or at the very least read similar concerns in the other thread made by lookbehindyou.
Moreover, you are right - we have to be kind of proactive. And I see that we are doing this right now: we create a thread where several concerned people signal to the community that there is some issue. I for myself am nowhere near tech savvy enough to be a hired admin or even to be able to disclose severe issues. I would have managed to do the SQL injection, maybe, but I'd have had to discover it first. Thus, I can't really be proactive in the way you said - write PMs and address the issues to SR. Rather, I choose to sign the message that this thread provides: "There is some serious issue, and at the very least you should communicate on it, especially at a time when you just wanted to double SR's commission. And please take a look if there are more such issues, because more of these will make me back out."
This is what we endorsed - not whining and not joining BM.
Much love,
M
Title: Re: On the Recent Security Vulnerabilities
Post by: treebeard on September 24, 2011, 03:42 am
I wish he'd just give us a sign!

Please, almighty SR? 

If I must sacrifice, I swear I'll stop smoking weed...

*pffft*

right after I finish this J of course.
Title: Re: On the Recent Security Vulnerabilities
Post by: Dread Pirate Roberts on September 24, 2011, 06:01 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was just alerted to this thread by Anarcho47 and have read every word, except the parts that were removed by their authors.  I don't spend a whole lot of time on the forums, because I am almost always alerted to important threads on the main site.  Every message that comes in from the contact us link gets read and 90% get replied to, so please feel free to contact me with any concerns you have.

There were a couple of specific questions I'll address first.  Passwords are hashed twice using sha256, once with a global salt and again with a user specific salt.  Also, our servers are fully up to date and updates are checked for daily.  How we handle addresses is explained in the buyer's guide.

Your concerns are completely valid.  It is absolutely terrible that there was an injection vulnerability in the search bar, and an XSS vuln in the subject line of the messages.  Thankfully they were discovered by someone benevolent and we could take action to remedy them.  There are no known holes in the site at the moment, but that doesn't mean they aren't there.

I accept my limitations and the discovery of these holes was further confirmation that for Silk Road to grow and thrive, people with far more expertise need to be brought in.  There's another thread about hiring, but long story short, we now have two brilliant IT professionals with more than 25 years of combined development and administration experience who I trust and who are committed to making our site as secure as possible.  Development of a new and much improved back-end is underway, and an audit of the current code will begin this coming week with a full re-write coming thereafter.

I just want to reassure you that I am doing everything I can to fulfill on your expectations of me and the site and I apologize for where I have come up short.  Thank you for the trust you have put in me.  I will not stop fighting this fight.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

-----END PGP SIGNATURE-----
Title: Re: On the Recent Security Vulnerabilities
Post by: treebeard on September 24, 2011, 07:49 pm
fuck yeah! I love when my prayers get answered.

thank you SR, for giving everyone the shoulder-hug of reassurance they needed.
Title: Re: On the Recent Security Vulnerabilities
Post by: anarcho47 on September 24, 2011, 08:51 pm
plus, beard, you can ship all that extra weed you aren't going to smoke my way.  I'll sell it for a good price ;)
Title: Re: On the Recent Security Vulnerabilities
Post by: LexusMiles on September 24, 2011, 08:55 pm
I will not stop fighting this fight

Amen to this.
Title: Re: On the Recent Security Vulnerabilities
Post by: Modoki on September 24, 2011, 09:29 pm
Seriously, SR, I really love your style. You are truly understanding what you want and what this is. No shit, I really underestimated you several times now. My biggest apologies for this failure by me.
You signed your message. You addressed the issues, and you have improvements. Nice work, I will stand behind you and fight with you ;)
Much love, and good luck to all of us! Take care!
Title: Re: On the Recent Security Vulnerabilities
Post by: treebeard on September 24, 2011, 10:11 pm
plus, beard, you can ship all that extra weed you aren't going to smoke my way.  I'll sell it for a good price ;)

haha, I forgot to say I had my fingers crossed when I made the plea.
Title: Re: On the Recent Security Vulnerabilities
Post by: anarcho47 on September 25, 2011, 12:58 am
I'm going to let you get away with it this once........ ;)

I think real, long-lasting peace would be found by you coming by the store and purchasing some of my fine wares.   
Title: Re: On the Recent Security Vulnerabilities
Post by: Freq on September 27, 2011, 08:16 am
Improve improve improve! To my understanding, we are still in a period where LE has not decided to invest their resources in any action to take down SR. We must improve the site rapidly before they see it as an opportunity to infiltrate. Valuable information like names and addresses seem properly protected, but the user joining system and rating systems could be exploited to ruin SR.

We have something very special on our hands. The power of modern technology has merged with the minds of intelligent individuals who are daring enough to work in the black market. Think about it, most people involved in the drug trade aren't very smart. How many of them could successfully sell in this market, or even simply access the site? Words like encryption, tor, and bitcoin are not part of their vocabulary, yet they are the primary target for LE. We must keep growing strong and we will never be defeated! If we stay on our toes, we could always be just a little too complex for LE to consider fucking with. If we stand still, they will catch up and pounce on the chance to destroy this new opportunity for drug trade.

I'm just throwing out my visions.
Title: Re: On the Recent Security Vulnerabilities
Post by: tres on June 29, 2012, 05:32 am
-