Silk Road forums

Discussion => Silk Road discussion => Topic started by: Evanescence on February 07, 2012, 10:24 pm

Title: Ethical Hacking of Vendors
Post by: Evanescence on February 07, 2012, 10:24 pm
Any opinions on whether this is a good idea or bad?

In the real world companies hire ethical hackers to find security weaknesses.

For SR it could work like this:
   1)  Vendor posts an ethical hacking bounty of bitcoins or product
   2)  Vendor puts an item on his car rear window like a Jesus fish or whatever
   3)  First one to post in the forum that vendor has a Jesus fish wins bounty

Think about it - if your ass could be found wouldn't you want to know how and fix it?
Title: Re: Ethical Hacking of Vendors
Post by: redforeva on February 07, 2012, 11:14 pm
Quote
Any opinions on whether this is a good idea or bad?

In the real world companies hire ethical hackers to find security weaknesses.

For SR it could work like this:
   1)  Vendor posts an ethical hacking bounty of bitcoins or product
   2)  Vendor puts an item on his car rear window like a Jesus fish or whatever
   3)  First one to post in the forum that vendor has a Jesus fish wins bounty

Think about it - if your ass could be found wouldn't you want to know how and fix it?

Really good idea, I think if there were to be something like this tho that it would be like a goose chase
Title: Re: Ethical Hacking of Vendors
Post by: pine on February 08, 2012, 12:02 am
I think it's a great idea.

If I were DPR, I might get a couple of private detectives to find me. That way you are covering your bases with 'friendly fire'. Same goes for any high profile vendors.
Title: Re: Ethical Hacking of Vendors
Post by: MagicMan on February 08, 2012, 12:09 am
Quote
I think it's a great idea.

If I were DPR, I might get a couple of private detectives to find me. That way you are covering your bases with 'friendly fire'. Same goes for any high profile vendors.

I don't think that would be in DPR's best interests. If he does it then the people who know about his enterprise go from just DPR to DPR + private detective(s) + whoever the private detective(s) tell, which would increase his risk exponentially and unnecessarily.
Title: Re: Ethical Hacking of Vendors
Post by: anaballin on February 08, 2012, 12:10 am
Quote
Any opinions on whether this is a good idea or bad?

In the real world companies hire ethical hackers to find security weaknesses.

For SR it could work like this:
   1)  Vendor posts an ethical hacking bounty of bitcoins or product
   2)  Vendor puts an item on his car rear window like a Jesus fish or whatever
   3)  First one to post in the forum that vendor has a Jesus fish wins bounty

Think about it - if your ass could be found wouldn't you want to know how and fix it?

lol so dealers on SR should post things about themselves publicly so one of us can go find him? I guarantee you there are cops or law enforcement just waiting for someone to be as stupid to do this..
Title: Re: Ethical Hacking of Vendors
Post by: pine on February 08, 2012, 12:54 am
Quote
I think it's a great idea.

If I were DPR, I might get a couple of private detectives to find me. That way you are covering your bases with 'friendly fire'. Same goes for any high profile vendors.

I don't think that would be in DPR's best interests. If he does it then the people who know about his enterprise go from just DPR to DPR + private detective(s) + whoever the private detective(s) tell, which would increase his risk exponentially and unnecessarily.

As Lenin said, "no person, no problem".

But seriously, it all depends on the implementation. It could compromise your security if you did it naively as you pointed out. But there's lots of other ways you can test parts of your security procedures. i.e. it doesn't have to be 'you'. It could be somebody else who is doing something similar to you. Maybe that sounds obscure, but you know what I mean I think.
Title: Re: Ethical Hacking of Vendors
Post by: MrDdroMcGillacutty on February 08, 2012, 01:05 am
Why don't you just get a personalized license plate.   H8 LE 24/7
Same thing. Tag! You're locked up!
Title: Re: Ethical Hacking of Vendors
Post by: yaosh on February 08, 2012, 12:53 pm
Weird, I was dreaming last night that I was checking my vendor's physical security and pentesting his rig.  Yeah, I agree with this one.
Title: Re: Ethical Hacking of Vendors
Post by: sourman on February 13, 2012, 06:01 am
FWIW, the version of Firefox (10.0) in the latest Tor Browser Bundle build is exploitable via this bug:

Quote
Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave a XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding a crash will occur. This crash may be potentially exploitable.

I'm not sure if this exploit requires scripting that is (supposed to be) blocked via the NoScript add-on, Torbutton, custom tweaks made by the Tor foundation etc. but there is no way to automatically update FF to 10.0.1 without doing it manually and possibly messing up the install.

This is why everyone should run TBB in a VM or sandbox. For the truly paranoid, you can boot off of read-only media and load the entire OS into RAM. This won't keep your SR account safe (use strong passwords dammit), but it will minimize the risk of the feds or some l33t h4x0r planting a persistent trojan on your machine. Just make sure you update your boot disc or whatever with the latest patches. If I were a vendor, I would take it one step further and use random wifi APs in different areas. At that point, it's highly unlikely that you'll be caught via network. There are much easier, more traditional ways to catch people in this business. Always be on your toes, be aware of your surroundings, and trust NO ONE.