Silk Road forums
Discussion => Silk Road discussion => Topic started by: dsynth on November 10, 2012, 07:02 pm
-
Hi everyone,
As everyone knows the silk road is currently down and there is a small bit of panic creeping into the community. I'm sure DPR will get everything sorted, but I think these current problems really make it clear how centralized the current drug marketplace community is. It gives LE far too small of a target to pin down when the site is run by a handful of people.
It's my opinion that like Tor, Bitcoins and the internet in general, the online drug marketplaces should become much more distributed and it is the next logical step for breaking down the war on drugs. For that reason I have begun developing an open source Silkroad alternative, currently called BitWasp. It is currently not ready to go live but with the help of the talented developers in our community it can become a vibrant successful project. There are some new interesting security features implemented in Bitwasp such as optional on-the-fly PGP encryption of messages in the browser with JS. There are also features for account protection. A vendor can have their public key in their profile and enable 2-factor authentication. On logging in a token is generated and encrypted with the seller's public key. They must then decrypt the message with their private key and enter the decrypted token before being logged in. This will completely avoid account compromise via phishing.
As a community working together we can develop a secure, full featured system and develop it faster than the busy developers of the silk road can. I'm happy to hear everyone's suggestions and I would urge all interested developers to check out the code on github, http://github.com/Bit-Wasp/Bitwasp. Please submit pull requests for any features you would like and discuss it on the wiki or the forums at http://thelaboratory.org/.
Just like to emphasise the system is not currently ready to be used on a live site, bitcoin escrow/integration and the rating system need to be completed but I think as a community we can do it and make it successful.
Looking forward to hearing everyone's opinions,
dsynth
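
The login flow described in this post (a random token encrypted to the public key in the profile, then typed back after decryption), as an added example that is not part of the original post and is not BitWasp's code. It assumes Node.js and uses RSA-OAEP from Node's `crypto` module as a stand-in for OpenPGP encryption; the function names, the five-minute lifetime and the three-attempt limit are illustrative assumptions.

```javascript
// Added example: challenge-response second factor bound to a public key.
// RSA-OAEP from Node's crypto module stands in for OpenPGP encryption; all
// names and limits here are illustrative assumptions, not BitWasp's code.
const crypto = require("crypto");

const TOKEN_TTL_MS = 5 * 60 * 1000; // assumed challenge lifetime
const MAX_ATTEMPTS = 3;             // assumed wrong answers allowed per challenge
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Pending challenges keyed by login session id. Only a hash of the token is
// kept, so a leaked session store does not reveal a usable token.
const pending = new Map();

function sha256(text) {
  return crypto.createHash("sha256").update(text, "utf8").digest();
}

// Constructed demo key pair; a real account holder uploads only the public half.
function makeDemoKeyPair() {
  return crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
}

// Server, after the password check: create a fresh random token for this
// session and return it encrypted to the public key stored in the profile.
function issueChallenge(sessionId, publicKeyPem, now = Date.now()) {
  const token = crypto.randomBytes(16).toString("hex");
  pending.set(sessionId, { tokenHash: sha256(token), expires: now + TOKEN_TTL_MS, attempts: 0 });
  const ciphertext = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(token, "utf8"));
  return ciphertext.toString("base64");
}

// Key holder: decrypt locally. Throws if the private key does not match.
function decryptChallenge(ciphertextB64, privateKeyPem) {
  const plain = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, Buffer.from(ciphertextB64, "base64"));
  return plain.toString("utf8");
}

// Server: check the typed-back token. A challenge is single use, expires,
// is tied to one session id, and is discarded after too many wrong answers.
function verifyResponse(sessionId, submitted, now = Date.now()) {
  const entry = pending.get(sessionId);
  if (!entry) return "no-challenge";
  if (now > entry.expires) {
    pending.delete(sessionId);
    return "expired";
  }
  entry.attempts += 1;
  // Compare fixed-length digests in constant time.
  const ok = crypto.timingSafeEqual(sha256(String(submitted).trim()), entry.tokenHash);
  if (ok || entry.attempts >= MAX_ATTEMPTS) pending.delete(sessionId);
  return ok ? "ok" : "wrong-token";
}

// Walk through one successful login, a replay of the same token, and a guess.
function demo() {
  const vendor = makeDemoKeyPair();
  const challenge = issueChallenge("session-1", vendor.publicKey);
  const token = decryptChallenge(challenge, vendor.privateKey);
  const first = verifyResponse("session-1", token);
  const replay = verifyResponse("session-1", token);
  issueChallenge("session-2", vendor.publicKey);
  const guess = verifyResponse("session-2", "0".repeat(32));
  return { first, replay, guess };
}

console.log(demo());
```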
-
Hi everyone,
As everyone knows the silk road is currently down and there is a small bit of panic creeping into the community. I'm sure DPR will get everything sorted, but I think these current problems really make it clear how centralized the current drug marketplace community is. It gives LE far too small of a target to pin down when the site is run by a handful of people.
It's my opinion that like Tor, Bitcoins and the internet in general, the online drug marketplaces should become much more distributed and it is the next logical step for breaking down the war on drugs. For that reason I have begun developing an open source Silkroad alternative, currently called BitWasp. It is currently not ready to go live but with the help of the talented developers in our community it can become a vibrant successful project. There are some new interesting security features implemented in Bitwasp such as optional on-the-fly PGP encryption of messages in the browser with JS. There are also features for account protection. A vendor can have their public key in their profile and enable 2-factor authentication. On logging in a token is generated and encrypted with the seller's public key. They must then decrypt the message with their private key and enter the decrypted token before being logged in. This will completely avoid account compromise via phishing.
As a community working together we can develop a secure, full featured system and develop it faster than the busy developers of the silk road can. I'm happy to hear everyone's suggestions and I would urge all interested developers to check out the code on github, http://github.com/Bit-Wasp/Bitwasp. Please submit pull requests for any features you would like and discuss it on the wiki or the forums at http://thelaboratory.org/.
Just like to emphasise the system is not currently ready to be used on a live site, bitcoin escrow/integration and the rating system need to be completed but I think as a community we can do it and make it successful.
Looking forward to hearing everyone's opinions,
dsynth
You're the author of BitWasp? +1 to you sir. The project has a lot of potential and a lot of genius ideas are already implemented. Keep up the good work :)
-
I've heard a lot of good things about bitwasp. I hope you can get the support you need. It's hard to combine darknet with open source, but with SR having such payload problems, you just might get the impetus and support you need.
-
Very nice!
-
I'm all for your goals, but if you haven't realized it yet, you have to burn the name "dsynth" and post a retraction of everything you just said unless you want to be targeted as an accessory, conspiracy, and whatever else they want to charge you with.
Github is well within the reach of the law. And one of these days, you may screw up and check in a change w/o Tor running or something.
-
I just registered an account with github specifically to support Bitwasp. I have no idea how it works. I think Silk Road is Great, and I want to support alternatives. I'll back it up with Bitcoin but I'm not a big spender. I wish.
-
Thanks for the feedback everyone, it's great to hear that there is interest. All donations are very much appreciated but what we really need are developers who are willing to contribute and review the code. Hopefully we can make this a success.
I am developing this solely because I believe it's the best way I personally can fight the war on drugs. I will not be running any live marketplaces on Tor nor will I be assisting anyone else running an illicit tor marketplace. Thankfully it's not yet illegal to write code/text.
If you have any ideas please let us know. Another feature we will be implementing is a weighted rating system, this will allow each site administrator to create a hidden formula based on transaction value, number of orders, dispute ratio etc which will determine each user's rating. A secret and unique algorithm will help avoid against tactics of scammers with lots of low price orders etc.
Hopefully SR is back up soon anyways!
-
I think it is totally legitimate that the community would want a marketplace ruled by the community itself. I am not doubting DPR's abilities or legitimacy, but the lack of information and updates + the constant down times these last 2 weeks make it obvious that the centralized nature of the Road is risky. DPR could go rogue, he could be busted, he could run away with the millions of BTC sitting in the escrow.
While I do not have any competence in the field of programming, encryption and overall computer things, I fully support this idea and I'm all-in behind it. Thanks for starting something that has great potential, I'll be monitoring this.
-
great idea
-
+1 for you dude! had no idea that you were the one who made Bitwasp. Good luck though dude
-
I tried registering on forums at thelaboratory.org, but the registration form doesn't agree with me about the current year being 2012.
I wanted to make a suggestion about the bitcoin/escrow system, that you keep in mind during the design what happens if the operator needs to hit the kill switch, that is, where the money goes in user/vendor accounts, in the escrowed transactions when the operator hits the kill switch or doesn't notify a dead man's switch after a certain period of time.
-
Thanks for the suggestion Winston, we will look into an option of adding a dead man's switch. If the admin doesn't log in and refresh every week all bitcoins in escrow not finalised get returned? It avoids the issue of lots of coins disappearing in escrow in the unfortunate case of an operator getting busted or picked up for another reason. Sorry about the forum, try 2011 ;)
-
Awesome idea guys, behind you all the way.
The biggest problem I can see with this is actually hosting the site. Someone has to host the site and basically be in control of the whole thing. It should be possible to design an escrow system such that it is impossible for admins to steal bitcoins from people's accounts/escrow, but the admin is still left with a lot of power. I'd need to see a strong explanation and analysis of exactly what the admins are able to do if they really want to before being confident enough to order things this way.
-
Thanks for the suggestion Winston, we will look into an option of adding a dead man's switch. If the admin doesn't log in and refresh every week all bitcoins in escrow not finalised get returned? It avoids the issue of lots of coins disappearing in escrow in the unfortunate case of an operator getting busted or picked up for another reason. Sorry about the forum, try 2011 ;)
No, don't *return* bitcoins in escrow. Release them to the vendor. Surely they should go to the vendor by default since they probably already mailed the product off to the buyers.
-
There are some new interesting security features implemented in Bitwasp such as optional on-the-fly PGP encryption of messages in the browser with JS.
Very awesome overall.
A little concerned about javascript use though. As long as your code is open source and reviewed, we would obviously know BitWasp is not malicious in any way.
However, this may encourage some users to universally enable JS on their TorBrowser, I feel that could potentially leave exploits open on other .onion sites.
I guess it comes down to making PGP more convenient versus eliminating opportunities for JS exploits. Either way, I guess laziness and/or ignorance is the weakest link.
-
I wouldn't know what would be fair. I suspect most transactions would be good if vendor strictly marks a transaction as sent after actually sending it. If this could be enforced in some way, the money should go to the vendor by default. Maybe by including in the vendor reputation system a way that buyers could report if the day the package was claimed to be posted was accurate.
I'll try to get registered and offer my input there.
-
Sounds interesting.
Will be watching this space.
-
Exciting, I wish you the best!
-
Yeah, it's hard to know how to build trust across multiple sites. We have been looking at distributed anonymous trust mechanisms, PGP web-of-trusts to maintain reputation across different Bitwasp implementations but that goal is currently a good bit down the line.
Unfortunately once admins have complete control over their own site there is very little means of maintaining the security of escrow payments from the admins themselves. The only other option would be putting trust in a centralized network to administer escrow for all Bitwasp instances but that's not really a viable route we want to be going down. Sorry it does make more sense to probably release coins to vendor once the item is marked as sent.
We are toying with the idea of integrating Bitwasp with the Electrum network ( https://en.bitcoin.it/wiki/Electrum ). We are still reviewing the resilience of their network to motivated attackers/LE. It would avoid individual operators having to maintain local wallets and block chains while providing more security. If anyone has other ideas or criticism please let us know! I'll stick up a demo site in a few minutes for people to check out and give feedback on it. Please bear in mind it's not finished!
CiscoYankerStuck: We have made a conscious decision to make JavaScript optional on the site, all functionality works with it disabled. It just allows us to offer extra functionality to make the system more usable and safer for new users who have javascript enabled.
I'm glad to see the silk road will be back soon anyways!
-
I am developing this solely because I believe it's the best way I personally can fight the war on drugs. I will not be running any live marketplaces on Tor nor will I be assisting anyone else running an illicit tor marketplace. Thankfully it's not yet illegal to write code/text.
I genuinely hope you're right, and I mean that with all sincerity. But stop and think about what you're doing. You're willfully aiding what may become thousands or tens of thousands of third parties to bypass local, state, and federal laws. You're deliberately enabling people to commit felonies.
That's illegal, my friend, whether the proof is in 0s and 1s or the drugs you put in their hand.
-
I appreciate your concern SelfSovereignty, I am obviously not condoning that anyone uses this technology for breaking the law in the respective countries.
There is a quick demo up on http://bitwaspvma7yjmkr.onion/. Please bear with us, some of the image thumbnails are not resized correctly. All project images are returned as base64 encoded data streams. This vastly reduces the number of requests made for each page which accounts for the slow speeds on Tor hidden services.
-
make it P2P with no server, run on TOR.
-
Brilliant idea!
I created a user ('blargh') and tried adding a public PGP key to try out the two factor authentication, but when I pressed "update account" I was greeted by a 404 error instead. Not sure how helpful this is as a bug report, but maybe you can see in the logs what went wrong.
-
wow this sounds amazing.. definitely will be watching out for this
-
There are some new interesting security features implemented in Bitwasp such as optional on-the-fly PGP encryption of messages in the browser with JS.
Very awesome overall.
A little concerned about javascript use though. As long as your code is open source and reviewed, we would obviously know BitWasp is not malicious in any way.
However, this may encourage some users to universally enable JS on their TorBrowser, I feel that could potentially leave exploits open on other .onion sites.
I guess it comes down to making PGP more convenient versus eliminating opportunities for JS exploits. Either way, I guess laziness and/or ignorance is the weakest link.
Well actually you would not know that. You have no way of verifying what code is actually running on the server. Whoever has access to the server can modify or replace the code with no evidence for anyone who doesn't have root access to the server. Even if it was possible to verify that the code running on the server was the correct open source code, it's still necessary to give the admins the power to intervene in the market to give refunds and the like, to ban scammers, etc, and obviously whoever runs the server has physical access to wherever all the Bitcoins are stored. Even the automatic PGP encryption could give people away if the admins changed the code so that it did not in fact use the PGP keys - thereby obtaining access to all the communication people are having with each other thinking that it's all encrypted. You would have to read the page source to notice if this was done on the client side, and you would have no way of knowing if it was done server side.
The upshot of all of this is you either trust the admins or you don't use it. We trust the SR admins in the same way, but let's not kid ourselves that we couldn't all get fucked on if the admins wanted it, or if the admins were discovered by LE and either caved or failed to destroy everything.
-
It would require writing a basic, stripped-down GUI client as well as the server side code, but that would solve the concerns. There's no real reason we need an entire browser just to make use of Silk Road (or its equivalent). I know browsers and HTML5 and all that junk are somewhat ubiquitous these days, but they include so, so many more things than you need to use SR... java VMs, javascript interpreters, markup language parsers -- a lot of the stuff Firefox does you can't even disable at all, even if it's 10x more complex than you need it to be (more complexity means more chances for exploits).
A devoted client w/o an auto-update feature is about the only guarantee I can think of, personally. It's more code to write and maintain, of course, but it's a way to ensure the user can't be silently robbed or identified without even getting notice that s/he's just been fucked badly.
... I still have no involvement with this, Mr. Policeman :)
-
make it P2P with no server, run on TOR.
Yeah, this is what I was thinking about too, and did some research this morning. We have to learn from the likes of Bittorrent and Piratebay who all went through these scaling and single point of failure issues.
I am thinking that SR should not be a website, but rather an application.... so everybody runs a node (probably via Tor just in case) but contributes to keep the content distributed. There are plenty of distributed hash table (DHT) technologies out there. That's why you don't use physical tracker servers for torrents anymore. We can do the same thing here... work out a way for vendors to list their products in a distributed database, and for buyers to see and buy them.
For messaging use tormail or something. No need for the software to implement that.
For feedback and reputation also use a web of trust which is hosted in the same distributed database.
Lastly, there are new options becoming available to handle the payment and escrow side of things. Open Transactions is a good candidate offering 3 way contracts which would allow a trusted third party (as identified by the previously mentioned web of trust) to act as the escrow arbiter and "Resolution Center". Even for a fee. I think the latest bitcoin protocol might have something like this built in already even too. Not sure, but at some point it definitely was on the roadmap.
With a system like this there are no scaling issues. No single operator to shut down. All the advantages of peer to peer and distributed systems. Hey, that's why bitcoin is P2P too.
-
... I think the kind of setup torrent swarms use would be worse. Well, "limited in some ways it isn't currently," I guess is what I really mean. You'd also run into issues with patterns in the network traffic I'd think. Might even be trivial to tell who's buying illegal things and who isn't. One of the reasons Tor protects users is that there are so many people connecting to web sites it's not really possible to analyze the traffic in the network and see who's connecting to what. You don't have to be able to read the data to recognize certain unmistakable patterns. Break the centralized-server scheme though, and you lose the protection of everyone else whose traffic is so similar.
-
... I think the kind of setup torrent swarms use would be worse. Well, "limited in some ways it isn't currently," I guess is what I really mean. You'd also run into issues with patterns in the network traffic I'd think. Might even be trivial to tell who's buying illegal things and who isn't. One of the reasons Tor protects users is that there are so many people connecting to web sites it's not really possible to analyze the traffic in the network and see who's connecting to what. You don't have to be able to read the data to recognize certain unmistakable patterns. Break the centralized-server scheme though, and you lose the protection of everyone else whose traffic is so similar.
I dunno man, there's some pretty cool software out there like Osiris.
Clear web link: https://en.wikipedia.org/wiki/Osiris_%28Serverless_Portal_System%29
The security section seems pretty cool:
The system is anonymous. It's not possible to make an association between a user and his IP address, hence you cannot trace the person who created a content.
Even with physical access to an Osiris installation it is impossible to trace the actual user without knowing his password.
2048-bit digital keys guarantee the authenticity of content (digitally signed in order to prevent counterfeiting) and the confidentiality of private messages (encrypted between the sender and recipient).
To prevent the ISP from intercepting traffic, connections and data transfer to a portal (called alignment), Osiris uses random ports which are cloaked during handshake and encrypted point-to-point via 256-bit AES.
The P2P distribution allows content to be present in multiple copies as a guarantee of survival in case of hardware failure or nodes off-line.
As the portals are saved locally, you can read the contents even if you work off-line.
Now I'm not saying "let's use Osiris". First off it's not open source (yet). They are working on it. But point is that there are some pretty fucking amazing software and decentralized hosting options out there. This was the first thing I came across after less than 10 mins of googling.
DW
-
dingowombat, I just independently came across Osiris. It looks like a pretty great idea. Unfortunately it is not yet released or open source. Once it gets released I would definitely look at forking it to work on Tor hidden services. It currently uses a central osiris server for bootstrapping and everyone can see other IPs on the network although not necessarily know which user they are.
It should be relatively straightforward to modify Osiris to bootstrap through the Tor network and then use Tor hidden service private keys for user identification similarly to how Torchat works. Osiris looks to have a nice reputation system built in. If we got a through p2p marketplace running it would truly be unstoppable!
Unfortunately that goal is down the line as the system is currently unreleased and it looks like a huge amount of development to redo. We just have to do what we can at the moment and more Tor marketplaces seems to be best solution for resilience at the moment. I really appreciate all the feedback and interest guys. It really provides motivation to get this finished off and released.
Just to reiterate the code is NOT yet ready to be used on a live marketplace, there are still some core features to be implemented and lots of testing to be done.
dsynth
-
Just to reiterate the code is NOT yet ready to be used on a live marketplace, there are still some core features to be implemented and lots of testing to be done.
I agree. But I did think there are some good ideas and that there is merit to p2p type systems. However on the other hand your project is probably the logical next step.
It's always good to just challenge all our concepts, especially when we need to stay ahead of the curve for something such as an illicit market place. I'd say that in 2 years from now you'll see projects which build on a lot of these technologies - eg. limited p2p across Tor, using better reputation systems, and better escrow and transactional concepts.
Thanks for everything you're doing though. It's all good and well to speculate and theorize, but you've actually got something running already. Execution is 99% of every idea.
-
Great idea! will be following
-
The first attack is on people who configure their Bittorrent application to proxy their tracker traffic through Tor. These people are hoping to keep their IP address secret from somebody looking over the list of peers at the tracker. The problem is that several popular Bittorrent clients (the authors call out uTorrent in particular, and I think Vuze does it too) just ignore their socks proxy setting in this case. Choosing to ignore the proxy setting is understandable, since modern tracker designs use the UDP protocol for communication, and socks proxies such as Tor only support the TCP protocol -- so the developers of these applications had a choice between "make it work even when the user sets a proxy that can't be used" and "make it mysteriously fail and frustrate the user". The result is that the Bittorrent applications made a different security decision than some of their users expected, and now it's biting the users.
The attack is actually worse than that: apparently in some cases uTorrent, BitSpirit, and libTorrent simply write your IP address directly into the information they send to the tracker and/or to other peers. Tor is doing its job: Tor is _anonymously_ sending your IP address to the tracker or peer. Nobody knows where you're sending your IP address from. But that probably isn't what you wanted your Bittorrent client to send.
That was the first attack. The second attack builds on the first one to go after Bittorrent users that proxy the rest of their Bittorrent traffic over Tor also: it aims to let an attacking peer (as opposed to tracker) identify you. It turns out that the Bittorrent protocol, at least as implemented by these popular Bittorrent applications, picks a random port to listen on, and it tells that random port to the tracker as well as to each peer it interacts with. Because of the first attack above, the tracker learns both your real IP address and also the random port your client chose. So if your uTorrent client picks 50344 as its port, and then anonymously (via Tor) talks to some other peer, that other peer can go to the tracker, look for everybody who published to the tracker listing port 50344 (with high probability there's only one), and voila, the other peer learns your real IP address.
- from https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea
They describe a third attack that involves analyzing traffic patterns at exit nodes, which doesn't apply in this case of course. I don't really understand how Tor circuit selection is made and how the possible options are tracked and reported to clients well enough to know if the above applies to directory mirrors in the Tor network in any way... don't those have to be reachable by their IP and kept "tracked" somewhere though, basically like a tracker?
If everyone was semi-server, semi-client, then wouldn't everyone have to have a hidden service with 2 guards? Which would mean the Tor network would have to provide 2N guards for N site browsers, wouldn't it? That just doesn't seem at all feasible...
... I can't think straight; this is silly. Why am I even talking about this; I'd be hard pressed to tie my shoes properly right now. That's it, I hit my wall -- time to crash and come back when I'm not a basket case that's been awake too many days...
-
I have all of the hardware in place and would be interested to host a market. I'll PM you and we can sort out what else needs be fixing before we go live.
-
It's great to see all the interest everyone! We will try and get a functional beta release out soon. Just want to say once more that we would really appreciate any developers who would like to contribute to this project. If any vendor would like to trial our system once finished and/or get custom work done and provide us feedback, I can be contacted at dsynth@tormail.org
-
looks like a promising project, will definitely be keeping an eye on this
-
I have been made aware of BitWasp independently of this post.
I have begun to watch the project on my own, and now with the addition of this post will begin to investigate even further.
-
PS - your forums and even demo site are impossible to sign up for.
20 letter impossible to read captchas. I only try twice before I think "Do I need to waste another moment on this?"
-
I made an account on BMR and it looks awful
-
I appreciate your concern SelfSovereignty, I am obviously not condoning that anyone uses this technology for breaking the law in the respective countries.
There is a quick demo up on http://bitwaspvma7yjmkr.onion/. Please bear with us, some of the image thumbnails are not resized correctly. All project images are returned as base64 encoded data streams. This vastly reduces the number of requests made for each page which accounts for the slow speeds on Tor hidden services.
Registration was simple and quick, navigation even in this early stage is very adequate. I conclude, nice beginning dsynth.
I have no code skills, but am always interested in alternatives. Thanks for your group's work.
Bikerbum
-
Sorry for the captcha problems. We have a demo admin account on the demo site and unfortunately a user decided to set the captcha length to > 20 and login timeout limit to 3 minutes. This should be fixed now.
Also for thelaboratory.org the captcha is currently set with the year as '2011'. Please try that if you are having issues registering and I'll get it fixed ASAP
dsynth
-
I made an account on BMR and it looks awful
Yeah it does look like shit, but it is working. I have ordered from BMR and from Silkroad and will order from BitWasp when ready.
I'm a non denominational buyer when it comes to goodies. Who has it, has it. I don't give a shit what it looks like as long as it works.
These sites don't give a shit whether one buyer orders from them or not, there will always be plenty of buyers. Get your goods where you can.
Bikerbum
-
Sounds awesome, dsynth! Keep up the great work!
I'm no code monkey, but I do share a general wariness of using JavaScript that CiscoYankeeStucker already brought up.
Since there are things like the Tor Browser bundle, I don't see why there couldn't be an add-on that could handle the same duty more securely, though that would sort of defeat the purpose of having a stand-alone platform-independent system. But I agree with an earlier commenter that was saying that browsers are too bloated. I've become so disappointed with FireFox lately. Though, most of the problem is probably that I usually have hundreds of tabs open at any given time--in the 700s at the moment. But that's a separate issue.
And Lynx really isn't an option...
---SPCH
-
JavaScript is generally quite and is nowhere near as dangerous as java or flash. Anyways as I outlined above JavaScript will be optional, the marketplace will work completely with it disabled, we will just be able to provide some nice features for users with it enabled such as on-the-fly PGP. Our goal is to lower the barrier of entry for both buyers and sellers, this is really the next direction in side stepping the war on drugs and I see a day when everyone will just know they can get whatever they like safely and securely online.
-
I made an account on BMR and it looks awful
Yeah it does look like shit, but it is working. I have ordered from BMR and from Silkroad and will order from BitWasp when ready.
I'm a non denominational buyer when it comes to goodies. Who has it, has it. I don't give a shit what it looks like as long as it works.
These sites don't give a shit whether one buyer orders from them or not, there will always be plenty of buyers. Get your goods where you can.
Bikerbum
+1, exactly!
-
Just registered and it looks good, will be keeping up to date with happenings.
-
How do we know you're not LE creating a masterplan to put us all in jail, and run off with all our bitcoin during scheduled maintenance? ::)
-
How do we know you're not LE creating a masterplan to put us all in jail, and run off with all our bitcoin during scheduled maintenance? ::)
how did you know that SR wasn't when you joined?
-
How do we know you're not LE creating a masterplan to put us all in jail, and run off with all our bitcoin during scheduled maintenance? ::)
how did you know that SR wasn't when you joined?
Research. Personal anecdotal information from friends also, at first I didn't believe such a thing could exist. Checked out the community forums, seen the mass of people. Would be difficult for LE to set up such a system and the word would have gotten out very quickly that it wasn't legitimate.
-
You mean a similar site like this
BMR: http://5onwnspjvuk7cwvk.onion
-
The project is good, but:
* isn't the fucking engine one should care about but the admin. If we start to have scammers as admins, the trust will die.
* it uses CodeIgniter, just like SR and we're seeing the results: Keep surface webs shit for surface webs. What next? A Joomla component? If not VERY, EXTREMELY well coded the first time any CI component tries to send an email, sends the server real IP with it. CI wasn't meant or thought to work at deepweb, just like most of other OS engines.
* the admin requires skills to create a market like this, if he can't even code to save his ass he probably will try to open a market at a VPS or some cloud system with his personal details attached and with secondary unknown admins able to access the system.
-
interesting will follow
-
The feature list is very good, but why is there no user's pid among them?
I mean that pid that is needed to make a purchase or withdraw/send money - if an account is compromised, the attacker can do nothing without it.
I would like to make an effort, but I'm just not a PHP guy :)
-
SILK ROAD WILL PREVAIL!!! HAVE NO FEAR!
-
Any chance DPR will release the source for SE?
-
I made an account on BMR and it looks awful
Yeah it does look like shit, but it is working. I have ordered from BMR and from Silkroad and will order from BitWasp when ready.
I'm a non denominational buyer when it comes to goodies. Who has it, has it. I don't give a shit what it looks like as long as it works.
These sites don't give a shit whether one buyer orders from them or not, there will always be plenty of buyers. Get your goods where you can.
Bikerbum
+1, exactly!
EXACTLY!, Homer
Bikerbum
-
Agree with the previous post - you can't require javascript or you are wide open to security problems. While on the fly encryption is nice it isn't as secure as using pgp. I won't use privnote because it requires js - no one has the time to go check all the code, especially if it is compressed/obfuscated.
People have to take responsibility for their own security - handing it off to a third party only assures they don't know what is happening.
Security is easy - don't connect any networks. Everything else is a tradeoff.
-
I don't ever see DPR releasing his code and that is quite understandable. He has put a lot of work into being one of the first to develop this area and is making quite a substantial amount of money as a result. It cannot be expected for him to completely undercut himself by letting anyone set up a silk road clone.
It could also be potentially quite a security risk for him to just publish all his source code for such a major website. It would be heavily audited and any error in his code could be found and exploited with devastating consequences.
I would love to see the silk road continue to thrive and harbor a great community, but in planning for the future I believe we needed a wider more distributed ecosystem.
electiccrazyman: I totally agree with all your points, JS can be a security issue, on the fly encryption is not as secure and people do need to take responsibility for their own security. The problem is as this becomes more mainstream not everyone will be techies and able to secure themselves effectively. In my opinion it is far better to encrypt on the fly for a naive user with optional javascript than potentially leave their address/personal information in plain text and at the mercy of LEOs etc. We will NEVER add any feature to the project that requires javascript, it will always only be optional improvements. So that's where we are coming from, understandable?
Thanks for the comments anyways.
Ciao,
dsynth
-
+1 to the project I hope it goes along smoothly.
I found this http://blog.kangasbros.fi/?p=85 it may help in the integration of bitcoin with the site.
-
Well, if we're on the way of showing projects, here's mine:
http://5utcwt4fgq2baipo.onion/
It's unfinished and I'm sorry if you can't enter at anytime, that's exactly my issue: infrastructure to complete and put it to run.
-
Well, if we're on the way of showing projects, here's mine:
http://5utcwt4fgq2baipo.onion/
It's unfinished and I'm sorry if you can't enter at anytime, that's exactly my issue: infrastructure to complete and put it to run.
Looks good DaMan. Are you going to be releasing the source code for your site?
-
It's far from completion and I really don't quite like to use open source within deepweb. An audit by the wrong person, a hole found and there you go.
But still, I'll see, I'll do it in my free time and see where it goes.
-
Very nice work DaMan. Your site is looking quite well and functional. I wish you the best of luck with it. I understand the reluctance to publish source code. But especially for new software that is not widely, in my view it is better to get it audited early and patched than to wait until an attacker gets lucky and exploits a vulnerability on a large instance in the wild.
I wish you every success in your future ventures.
dsynth
-
Well, if we're on the way of showing projects, here's mine:
http://5utcwt4fgq2baipo.onion/
It's unfinished and I'm sorry if you can't enter at anytime, that's exactly my issue: infrastructure to complete and put it to run.
Registration is smooth and the site looks good. Nice to see other alternatives.
Glad to finally see some possible alternatives finally to compete. Now that's capitalism.
Bikerbum
-
Interesting. Will definitely be keeping an eye on this.
It can't hurt to have competition, and if nothing else a reliable secondary option if something happens to your primary option as we've seen in the past few days.
The reports I'm getting from black market reloaded were very erratic, at best, but it's also that is just because people are being biased towards silk road. I did have a quick scan around the site and it didn't seem as easy to use.
The site above from DaMan has a nice layout but in the past few days I've disabled javascript in tor browser (since the silk road black) so I can't use the site properly. I'm wondering if that will affect my use of the silk road, the old drop down menu on the left looked like javascript. I may have to rethink this decision in the near future.
I'm also 50/50 about the project being open source (referring back to dsynth's now)... as has been mentioned the deepweb operates differently, and especially if you're operating a web-site which is illegal. Using the Silk Road is a bit like a game of poker in terms of evading LE. The most important thing you can't give your opponent is information and by making it open source that's exactly what you're giving them... But the upside of open source software is obvious to everyone.
-
handing it over to the next dpr till infinity works too
-
Well, if we're on the way of showing projects, here's mine:
http://5utcwt4fgq2baipo.onion/
It's unfinished and I'm sorry if you can't enter at anytime, that's exactly my issue: infrastructure to complete and put it to run.
Link doesn't work for me...
-
http://5utcwt4fgq2baipo.onion/
Link not working for me either.