Metasilk
========

A free and open source client application and API for making travelers on the Silk Road a little more comfortable. Primarily of interest to vendors who use the site frequently, though I find it useful even as a customer. For example, anytime I make a deposit I use Metasilk so that I'm automatically notified the minute SR credits my account.

That said, it's unlikely to be worthwhile for your average weekend warrior. It's free, but honestly it took a lot of time -- if you like it and use it, BTC donations can be made to:

1DLVXbayVtqMBiaK9SuoFzM7PchVb4uCt9

... and would be greatly appreciated. Truthfully I use SR quite a bit and am more often than not completely broke.

### Purpose

It started as a generic API for other utilities to interface with SR, but it turned into an always-on, always-current monitor for activity on your Silk Road account. It can be used either way, but the focus is really on it being a stand alone client app at this point. It notifies you of unread messages, outstanding orders, and always keeps you apprised of the current balance of your account (in both USD and BTC at once, naturally). It's actually about as pretty and easy to use as your average Windows program too if you just stick to the GUI.

Basically it simulates full push notifications for activity on your Silk Road account, e.g. the way your mobile phone notifies you of email as soon as you get it (as opposed to pull notifications, which is what having to refresh the page is -- as in you're "pulling" the latest activity, it isn't being "pushed" to you as it happens).

It launches into the GUI by default, but there's also a low level (nongraphical) terminal mode available for you to make use of if you like that sort of thing as much as I do. The program implements command history recall, history search, tab completion, etc. in the terminal interface.
You can see usage information by using the standard Linux "-h" or "--help" arguments when executing the program if you're interested.

The program is written in Ruby and uses GTK+2, Glade-3, and VRLib. It's confirmed as working in Linux, Windows 7, and Windows 8. Should work on a Mac or WinXP too, but don't quote me on it.

### Feature list

1. Status tray icon that flashes when there's new activity. Keeps flashing until you interact with it (so you'll know if something happened while AFK), and won't flash again until something new happens once it stops.

   1.1 It also plays a sound file when a new message or a new order comes in, so you can go play a video game while you wait or something. The two sound files are different so you know which event occurred without having to get up and look.

   1.2 You can change the sounds if you want. Just replace "mail.wav" or "order.wav" with your own file(s) for it to play. Go ahead, overwrite the file. If it's a wav it'll work fine. An MP3 may or may not work on your system.

   1.3 If you really want to play an MP3 but it isn't working, to convert from mp3 format to wav, type:

       sudo apt-get install sox
       sox audio_file.mp3 mail.wav

   ... and prest-o change-o, it (sort of) plays your mp3 :)

   1.4 Clicking on the status tray icon toggles visibility of the full status window so it isn't in your way all the time.

   1.5 Let the mouse hover over the tray icon to show a brief tooltip with the current message count, order count, and balance shown.

2. A cute little window that provides current account status at a glance, including BTC and USD at the same time (naturally).

   2.1 It retries any failed connections automatically so that you know you're always seeing the latest information. Just sit back and let it do its thing, it'll take care of all that hassle on its own.

3. There's some mediocre support for sending messages and reading unread messages (including PGP encryption). Hopefully it'll make customer service slightly less aggravating for you.

4. A slightly more advanced (as in non-graphical) mode if you want to use the terminal interface (run it with "-c" to get there). It's kind of like a Ruby version of bash, more or less; tab completion, command history, etc. I find GUI programming tedious and boring, so there's a lot of stuff that doesn't have buttons.

   4.1 You can also evaluate any valid Ruby code on-the-fly in the terminal interface if you want to (the terminal interface command "irb" launches an interactive Ruby instance in the same address space/environment as the app).

5. The underlying API, which as the program wandered away from a generic SR API and toward an end user-centric utility got less and less useful. If it's helpful to you, then go ahead and use it. As an example of what I mean, you can use the project as a library for your own code and fetch 1 or more (including all) pages of your Silk Road inbox with a single method (see "Message::list" in the API docs). Each page is fetched simultaneously in a devoted thread, as is the case with many of the features it provides (it takes into account strain on the server though, so don't expect it to go fetching 53 pages at the same time or something). The return of Message::list is an array of Message objects, each containing all the relevant data of a single message in the inbox. You would then presumably proceed to make use of your ninja-coding skills to do super cool stuff with those messages instead of waiting for SR to implement all that sweet ninja goodness for you. You get the idea.

Note that not all the method calls Metasilk provides are so neat and tidy: as I said, it turned into a client for end users mostly, but the API is still there -- that's what it uses itself, after all.

If you write some sweet code that uses Metasilk to do the lifting, as always, donations for my time and effort would be appreciated.
You're free to use it as you wish either way, PROVIDED you only use it in a manner consistent with your government's laws: I do not condone illegal activity of any kind, nor are you allowed to use this program in an illegal manner. Your download and use of this application signify your agreement to this legally binding End User Licensing Agreement. You are hereby notified of further restrictions on liability, fitness, and implications of distribution in the LICENSE.txt file. If you do not agree to these terms, you may not use this program until such time that you do agree.

... because I'll come and find you and stop you, and... stuff. Yeah, and stuff: lots of it, too, so you best watch out!

### Speed / reliability

It's not _much_ faster than a browser, but it is a little bit faster and it's a lot less irritating, that's for sure -- Metasilk doesn't just time out and say "unable to load page, try again later." It fucking tells you something went wrong so you know why you're going to be waiting a few seconds longer than you thought for an update, then it goes and it fucking tries it again. And again. And fucking again if it has to. Fuck this "manual reloading" shit. It also plays sounds so you don't have to wander over to your computer to check if you've got an order.

It does a really good job of making things look smooth, but it's not magic or anything. Sometimes connections fail or are slow. You can just walk away if you want and it'll do what it has to do in order to keep its data as current as it can. If you like it and find yourself using it all the time, throw me some bitcoins now and then. The fact of the matter is I'm on SR for a reason: I don't like all drugs, but I'm very into my DoC and am more often than not quite literally broke. Help me get healthy organic fruits and veggies to offset the poisonous drugs a little bit, won't you? :) Yes. I am really a vegetarian health conscious drug addict.
I want to do my DoC, not be sickly and unhealthy.

### Security

I consider myself a man of integrity and of my word: when I say that this program is in no way trying to harm you or anyone else, I hope that's good enough for most of you. If not though, it's open source software -- you can look at it and change it all you like. I'd be pretty delusional if I wrote malicious code and then expected that no one anywhere in the entire world would notice even while staring right at it, now wouldn't I be.

### Caching sessions to file

Metasilk allows you to save the current session cookie and reuse it later in order to bypass the slow login. Why not solve the captcha programmatically? Doing that is incredibly difficult even for simple ones like SR uses; in fact, most often people just buy subscriptions to captcha solving services -- which themselves usually use real people solving them in real-time.

Passwords aren't saved, just the authentication token the website uses to identify you as properly logged in. Basically, if you don't explicitly logout, the site has no way of knowing your browser ever even closed -- so it continues to accept the cookie days later when it sees it again.

If you like this feature, then use it. It's very convenient, and session cookies remain valid for quite a long time. It does, however, provide an attacker that gains access to your system complete access to your account without any additional information necessary (it will NOT compromise your PIN, however, so your transactions would still be as safe as they can be with someone else logged in as you -- but messages, account history, and everything else not PIN-protected would be in their hands).

If at some point you decide you're not comfortable with the session cookies hanging around, then just start the program and select "save session" before you login. It'll save an empty/blank cookie, effectively clearing it (until you tell Metasilk to save a logged-in session cookie again).
It's completely up to you, but security is only at risk if someone has access to that local (100% plaintext) file. It's just as secure as usual if nobody can get to the file.

You can always wipe this away by deleting/shredding/whatever-you-want the "$HOME/.metasilk/cookies" file manually if you like, as well.

### Other data files

Metasilk does not keep any data anywhere except for the $HOME/.metasilk directory. If you remove everything in that directory, there won't be any trace of your Silk Road activities left (except what a forensics expert could recover from the disk, which poses the same risk as such a circumstance always does). It also will never save your password or username. Note that it's possible to specify the directory Metasilk uses for data files (see the "-d" startup parameter). If you do that, obviously the previous statement is no longer true -- Metasilk will not store that location nor remind you of it next time you run the program. If you specify the directory, it's your responsibility to remember the contents of it. If you really care, that is; there's hardly anything in the files anyway though.

## ZOMG, H4x3rz!

Given that the Firefox browser most people use (the Tor browser is a version of Firefox) is ridiculously complex and full-featured for what we need, Metasilk is actually safer. What makes me say that, you might ask (and rightly so): Metasilk does not include a JavaScript interpreter. It does not parse HTML, XML, or any other markup beyond scanning for data points to internalize for use with its API (the GUI gets its info via the underlying API). It does not support Java or any other plugins or extensions. It has no forgotten or dated features from 1992 that provide yet another zero-day exploit to be used by those out to do you harm. It does only what it needs to do with the site, and that's it.

If you don't know, zero-day exploits/attacks are ones that have never been seen before (as in the attack takes place on day zero).
They're often catastrophic and nearly impossible to detect -- for a time, anyway.

## Data leaks, e.g. rogue DNS queries

There are none that I know of. Metasilk will never allow a TCP connection to bypass Tor (this only applies to connections Metasilk makes, note that it doesn't mean Metasilk protects any other programs). It makes no DNS queries itself, it only connects to Tor and passes the info along. Other than the SR onion site, it does connect a few times an hour to bitcoincharts.com through Tor -- this is in order to show you accurate USD + BTC values at the same time (bitcoincharts.com offers a free-to-query-on-occasion API for various exchange data). As you know, SR only provides your balance in either BTC or USD, not both: Metasilk needs to get the most current value of a bitcoin from somebody somewhere so it can calculate the one SR isn't giving it.

Every program has bugs. Period. Mine are not exceptions to this. I do, however, consider your (and my) safety to be a matter of the highest priority. I don't take it lightly when someone assumes I know what I'm talking about and places their faith in me one way or another; I recognize that anyone who uses this program is trusting me, and I have no plans of proving anyone's trust as misplaced. There are mean people out there who would like to see us all, buyer and seller alike, lose our basic freedom. I don't plan on making that any easier for them to accomplish.

If you find any issues, be sure to point it out to me and anyone else you feel compelled to tell. You'll probably want to tell me FIRST, though, so I can fix it quickly before you go telling everyone everywhere how to make use of whatever bug you've found. Always remember that these are very serious charges vendors are playing with: responsible disclosure could save decades of many people's lives, or even their actual life itself.
In short, please think about the people who want to steal from and/or arrest us all before you go yapping publicly.

Feel free to bring things up with me if you're concerned. There's no shame in being wrong -- it happens to all of us now and then -- so if you suspect something, go ahead and send me some (preferably encrypted) mail about it. Please provide your own public key for me to encrypt my response with as well. I tend to err on the side of caution, and if you're asking me for sensitive information and/or not giving me a way to encrypt my message, I'm likely going to assume you're trying to bait me or aren't a careful enough person for me to associate with in such matters.

That means I'd delete your message and write you off as someone who's more trouble than you're worth. Nothing personal, you understand: it's just my strong interest in self preservation.

INSTALLATION
============

Just run `make` to install all dependencies, then run `metasilk.rb` to use the program. This is with Ubuntu, the most common Linux distribution, in mind. Basically what it needs is Ruby 1.9 and some gems, but the gem installation doesn't vary from distro to distro, so once you get Ruby 1.9 installed the "gem" command can take care of the rest (just type "make gems" if you have to).

If you want to see what things are going to be installed, just run "make -n" so that it'll show you without doing any of them. Or decide later and run it without root privileges for now -- no harm in watching it repeatedly fail to change anything at all (not to mention fail to run, since it won't have any of the required libraries to use). To be clear, Metasilk does not require any special privileges to run. It does need to download and install a few harmless dependencies that it uses though, which requires escalated permissions to do. All the gritty low-level details of what it "installs" are in the Makefile if you want to look.
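
The plaintext cookie file described under "Caching sessions to file" is only as private as its filesystem permissions. The Ruby code below is an added example, not part of Metasilk: `audit_session_store` and `demo` are hypothetical names, and it assumes POSIX permissions and a data directory containing a file named `cookies` as the README describes. It reports, and optionally tightens, modes that would let other local accounts read the session token.

```ruby
require 'tmpdir'

# Added example (not Metasilk code). Audits a data directory laid out as the
# README describes: a directory holding a plaintext "cookies" file.
# Returns a list of findings; with fix: true it also strips the extra bits.
def audit_session_store(dir, fix: false)
  findings = []
  cookie = File.join(dir, 'cookies')
  { dir => 0o700, cookie => 0o600 }.each do |path, want|
    next unless File.exist?(path) || File.symlink?(path)
    st = File.lstat(path)
    if st.symlink?
      # Never chmod through a link: it could point somewhere unintended.
      findings << "#{path}: is a symlink, refusing to follow"
      next
    end
    findings << "#{path}: not owned by the current user (uid #{st.uid})" unless st.owned?
    mode = st.mode & 0o777
    next if (mode & ~want).zero?
    findings << format('%s: mode %04o grants more than %04o', path, mode, want)
    File.chmod(mode & want, path) if fix
  end
  findings
end

# Constructed demonstration in a throwaway directory; the token is fake.
def demo
  Dir.mktmpdir do |tmp|
    dir = File.join(tmp, '.metasilk')
    Dir.mkdir(dir)
    File.chmod(0o755, dir)                      # world-readable directory
    cookie = File.join(dir, 'cookies')
    File.write(cookie, "constructed-session-token\n")
    File.chmod(0o644, cookie)                   # world-readable token
    before = audit_session_store(dir, fix: true)
    after  = audit_session_store(dir)
    [before, after]
  end
end

if __FILE__ == $PROGRAM_NAME
  before, after = demo
  puts before
  puts "findings after fix: #{after.size}"
end
```

If a custom data directory was chosen with the "-d" startup parameter, that directory is the one to pass to `audit_session_store`.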