
all 70 comments

[–][deleted] 105 points106 points  (8 children)

TO ALL OF YOU WITH PROPER OPSEC/SIGSEC, WE SALUTE YOU. TO THOSE THAT DON'T, WE THANK YOU FOR YOUR SACRIFICE.

Bravo. Fucking bravo.

[–][deleted] 35 points36 points  (0 children)

That line made me smile. Probably one of the best "over and out" lines I've seen yet from any vendor or group. Bravo indeed.

[–]labsuit 28 points29 points  (2 children)

I like how you didn't just call them dumb fucks like most would have... very admirable. Yes, they fucked up, but try and empathize with the fact that these people namely Ulbricht, Benthall and others we don't know have their lives ruined and are completely at the mercy of our oppressors. Ulbricht, who with his mistakes, was still an honest idealist and believed fully in what he was trying to accomplish. And Benthall, regardless of his ignorant indulgences still ACTUALLY donated his own 1000 coins and executed a successful operation to return lost coins to customers.

It's a shame how we followed them through the battles yet ridicule them in their misfortune. We are of the same brotherhood, the same code and should learn from--as Bungee54 said--their sacrifices.

Godspeed, Bungee Team.

[–]everybodygetweird 4 points5 points  (0 children)

Honestly dude, I'm good on any 'brotherhood' that orders the torture and murder of their own employee or blatantly steals from all of their own customers. What part of our 'code' is it that allows such behavior? Isn't this the exact shit the dark markets were meant to help us avoid? Ross wasn't an 'honest idealist', and Blake gets exactly zero credit for helping to pay back money that HE stole. It's time we all took off our rose colored glasses and get real- they were in it for the money, not the ideology. They don't deserve life sentences for running a market, but they weren't saints either.
Ross proved that he's no better than LE. I'd rather be oppressed than murdered any day.

[–][deleted] 4 points5 points  (3 children)

reminded me of a beer commercial lol

[–]will-UPVOTE-for-BEER 0 points1 point  (1 child)

Somebody say BEER? I like beer. Maybe we can talk.

[–]tomestat 0 points1 point  (0 children)

Beer you can still buy...

[–]somejohnguy 8 points9 points  (22 children)

Eek, SQL injection is super easy to predict and fairly simple enough to properly negate. Why in the hell is a DNM even online if there's even an ounce of thought concerning the possibility of injection? You guys need some more geeks on your team.... Damn that's terrible to hear.

[–]anoyli 9 points10 points  (6 children)

Every time I read "there was an SQL injection" I think - damn, in 2014? Really? I don't know of the really advanced SQL injection methods, but doesn't every major web framework have inbuilt sanitation in their query methods to prevent it?

[–][deleted] 4 points5 points  (4 children)

Yes. SQL injection as a real method of hacking was dying out in 2011. I can't see how things like that could possibly affect modern frameworks.

SQL injection is how they were teaching about the most most most basic of basic of basic ways to "hack" in a college setting.

[–][deleted] 3 points4 points  (1 child)

Feds have a lot of very skilled people in technology with more information than many people. Sometimes taking down the biggest thing is by doing the smallest.

[–]Insipid_Pedantry 1 point2 points  (0 children)

Yeah and they also have virtually unlimited resources and computing power at their disposal...it's just terrifying what they are going to do as they escalate their operations, thinking about that old Nixon line that if the President does it that means it's NOT illegal.

[–]sharpshooter789 2 points3 points  (0 children)

I think all of the markets use their own custom framework. I'm guessing most of the work is done by no more than a handful of people.

[–][deleted] 1 point2 points  (0 children)

I can't see how things like that could possibly affect modern frameworks.

Drupal had a SQL injection vulnerability exposed in October. Drupal is a pile of shit, but it shows how these exploits can still exist.

I'm sure LE aren't the kind of people to share the exploits they find with the software maintainers, who knows the level of control they can have over sites.

[–]somejohnguy 0 points1 point  (0 children)

Yes, the majority do. On top of that, SQL databases are controlled by permissions. If the account used to execute queries from the website against the database has rights capable of returning data such as we've been hearing, then these Admins seriously need some better employees.

[–][deleted] 1 point2 points  (3 children)

Obligatory XKCD

SQL.Execute("SELECT * FROM UserAccounts WHERE NAME LIKE " + usernamefield.txt)

[–]xkcd_transcriber 3 points4 points  (1 child)


Title: Exploits of a Mom

Title-text: Her daughter is named Help I'm trapped in a driver's license factory.

Comic Explanation

Stats: This comic has been referenced 410 times, representing 1.0296% of referenced xkcds.



[–]sharpshooter789 -1 points0 points  (0 children)

This isn't even the correct xkcd explanation.

[–]sharpshooter789 -1 points0 points  (0 children)

That's hilarious.

[–]ethly 2 points3 points  (2 children)

I thought an SQL injection would be considered hacking, thus illegal and a prohibited method of obtaining evidence.

[–]sharpshooter789 4 points5 points  (1 child)

Ha

[–]Insipid_Pedantry 0 points1 point  (0 children)

Depends whether their ultimate endgame was ... remember this was largely a PR move.

[–]UTF64 1 point2 points  (7 children)

I am also not sure how the SQL injection would lead to the feds acquiring the server's IP?

[–]pumpbreaks 0 points1 point  (6 children)

Images are stored on the server

[–]UTF64 1 point2 points  (5 children)

Yeah, so? When some data is injected on the server, such as an image, the server will not request that image itself. It is injected as part of the output, and visitors will request it. Visitors are using Tor, thus they will be pretty much safe.

I repeat my question: How would an SQL injection help the feds acquire the server's IP?

[–]TheLunaLem 1 point2 points  (2 children)

They inserted an image which is stored on the FBI server. When the affected server tries to get the image it sends a request to the FBI server, revealing the IP.

[–]UTF64 0 points1 point  (0 children)

I do not see why the affected server would retrieve this image. An SQL injection just injects some text in the database, that when echo'd out will produce HTML containing an image which would then be requested by the visitor. If the webserver actually executes images injected in its database then this would have to be programmed on purpose by the developer, and this would be a massive flaw. It's not like SR was rehosting user-submitted images, was it?

[–]TTSDA -1 points0 points  (0 children)

I don't understand this either.

[–]pumpbreaks -2 points-1 points  (0 children)

Chill dude someone smarter needs to

[–]toyouteam_PR 5 points6 points  (0 children)

Good to know you guys are safe, we've a lot of respect for the B54 team.

[–][deleted]  (1 child)

[removed]

[–]AutoModerator[M] 0 points1 point  (0 children)

Due to Reddit wide rules on doxxing, we do not accept pastebin links. Please use an alternative like paste2.org if necessary.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

[–]Deafcunt 6 points7 points  (2 children)

Thanks for the update.

[–]m_me_ur_drugs 1 point2 points  (1 child)

Upvote because your name made me laugh

[–]Deafcunt 2 points3 points  (0 children)

:)

[–]GeorgeForemanGrillz 4 points5 points  (0 children)

"OPSEC" "SQL Injection"

:-(

[–]Verzero 2 points3 points  (0 children)

Glad to see you guys are okay. Thanks for being open about the situation. You guys have one of the best site designs out there :D
[–]signmeupplease 2 points3 points  (0 children)

Much respect to the Bungee54 team!

[–]Trippynessdotcom 1 point2 points  (0 children)

This is wonderful to see and good on the war on drugs. keep up the good work Bungee54 and god help us all :)

[–]Gavingen0 1 point2 points  (0 children)

This is beautiful.. you did the right thing. This was basically just rubbing it in LE's face! Cheers!

[–]sklurgh 1 point2 points  (4 children)

I thought I'd try verifying a signed message for the first time. Took me a few minutes to fix the formatting and I finally got this

gpg: Signature made Sat 08 Nov 2014 04:51:42 PM UTC using RSA key ID 9DEF3E14 gpg: BAD signature from "Bungee54 CRM (Bungee54 Customer Relations Management)"

Is the bad signature anything to worry about or did I just screw something up while fixing Bungee's formatting?

Edit: mistake was on my end, everything checks out

[–]sklurgh 1 point2 points  (0 children)

You are correct I just checked that myself. Somehow I glanced over the pastebin link and was going strictly off of this post. Thank you

[–]cindelle2 0 points1 point  (1 child)

like to see some feedback on this one...

[–]sklurgh 0 points1 point  (0 children)

Before anyone gets too nervous it's very possible it's just a formatting issue on my end as I had to clean it up myself. I may have deleted a space or something of the like. Reddit formatting is funny. I've tried a few times making slight changes and can't get a good signature though. I'd like to see someone else give it a shot too.

[–]twigburst 1 point2 points  (1 child)

If they don't stop after this they are insane.

[–]Gavingen0 8 points9 points  (0 children)

or amazing..

[–]helohe 1 point2 points  (0 children)

injecting <img src="http://some-fbi-domain.com/image.jpg"> would not help them get the ip

[–]sqrewball 2 points3 points  (11 children)

We suspect police did insert <img src="http://some-fbi-domain.com/image.jpg"> via an SQL injection into the site and is how they got the IP and the IP of many other sites.

who cares to explain this in laymans terms?

[–][deleted] 6 points7 points  (3 children)

I'm really skeptical that this was a real issue. This problem is so well-known it is probably taught in middle school.

In SQL you run queries to get the data you need. So the login page might run a query that gets the account associated with a username. That query would normally look something like this:

"SELECT * from USERS WHERE NAME = 'sqrewball'"

That would pull up your account and they would check your password to let you login. But you type in your username, so they have to get that from a form on the page. That results in a query like this:

"SELECT * from USERS WHERE NAME = '" + username.txt + "'"

Basically, it just inserts what you typed into the query. If you type in your username, everything is fine. But you can type anything you want into the field, including commands that might let you access the whole system. Nowadays, people sanitize their inputs so this can't happen.

He is theorizing that the FBI used that technique to insert an image into the site that would report an IP. What would happen is that when that page loaded, it would try to load a page from some FBI server. That FBI server would log the requesting IP of the DNM server.

It is possible that this happened, and it would certainly work if they were vulnerable to SQL injection. But if this really happened, these guys are RANK amateurs and have no business running a DNM site. It is a ludicrous mistake to make.

The main reason I believe this is BS is that if a DNM site was subject to SQL injection, someone other than the FBI would have found it and exploited it before now.
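The string-built query in the comment above (and the xkcd one-liner earlier in the thread), as an added worked example that is not code from this thread or from any market's code base: the spliced-string login beside its parameterized form, run against an in-memory SQLite table constructed here, showing that a crafted username bypasses the first and extracts another row's password through it, while the second treats the same input as inert data. The second half stores the thread's `<img>` beacon tag as a vendor description and renders it two ways, because parameterized storage alone does not stop a stored payload from becoming live markup on output. The account names, passwords, the `some-vendor` name and the table layout are all constructed for the example.

```python
import html
import sqlite3

# Constructed sample data (not from the thread or any market): two accounts and
# the <img> beacon tag quoted in this thread, used below as a vendor description.
BEACON = '<img src="http://some-fbi-domain.com/image.jpg">'


def make_db():
    """Fresh in-memory SQLite database with a users table and a listings table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("sqrewball", "hunter2"), ("admin", "correct horse")])
    db.execute("CREATE TABLE listings (vendor TEXT, description TEXT)")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """The pattern from the comment above: input spliced into the SQL text.
    Whatever the user typed is parsed as SQL, quotes and comments included."""
    query = ("SELECT name FROM users WHERE name = '" + username +
             "' AND pw = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Same lookup with bound parameters: the driver hands the values to the
    engine separately, so they can never change the statement's structure."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND pw = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def store_listing(db, vendor, description):
    """Parameterized insert: a payload like BEACON is stored as plain text."""
    db.execute("INSERT INTO listings VALUES (?, ?)", (vendor, description))
    db.commit()


def render_listing_raw(db, vendor):
    """Echoes the stored text into HTML. Parameterized storage did not make this
    safe: the browser of whoever views the page now sees a live <img> tag."""
    (desc,) = db.execute("SELECT description FROM listings WHERE vendor = ?",
                         (vendor,)).fetchone()
    return '<div class="listing">' + desc + "</div>"


def render_listing_escaped(db, vendor):
    """Output encoding, the separate control that neutralizes stored markup."""
    (desc,) = db.execute("SELECT description FROM listings WHERE vendor = ?",
                         (vendor,)).fetchone()
    return '<div class="listing">' + html.escape(desc) + "</div>"


def stored_then_rendered(render):
    """Store BEACON as a vendor description and render it with the given function."""
    db = make_db()
    store_listing(db, "some-vendor", BEACON)
    return render(db, "some-vendor")


if __name__ == "__main__":
    # A name that closes the quote and comments out the password check.
    print(login_vulnerable(make_db(), "admin'--", "wrong"))      # admin
    print(login_parameterized(make_db(), "admin'--", "wrong"))   # None
    # A UNION that pulls another row's password out through the name column.
    print(login_vulnerable(
        make_db(), "x' UNION SELECT pw FROM users WHERE name = 'admin'--", ""))  # correct horse
    print(stored_then_rendered(render_listing_raw))
    print(stored_then_rendered(render_listing_escaped))
```

Two things worth noticing when running it. The UNION case is the "returning data" scenario raised earlier in the thread: the same name field that is meant to look up one account becomes a channel for reading any column the database user can see, which is why the database account's permissions matter as much as the query code. And nothing in this block ever contacts `some-fbi-domain.com`; the rendered page is just text until some browser loads it, which is exactly the question the next few comments argue about.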

[–]sqrewball 0 points1 point  (0 children)

What would happen is that when that page loaded, it would try to load a page from some FBI server. That FBI server would log the requesting IP of the DNM server.

That was the missing piece for me. I get it now.

[–]sharpshooter789 -1 points0 points  (1 child)

But wouldn't the FBI just get a Tor IP? A properly configured server should only allow Tor traffic and should drop all other data.

[–][deleted] 0 points1 point  (0 children)

This was my question as well, but I assumed it was dumb.
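The disagreement that runs through this thread (whether the injected `<img>` makes the market's own server talk to the beacon host, or only the visitors' browsers, as UTF64 argues above) and sharpshooter789's point that a properly configured server should only allow Tor traffic, as one added example. This is not code from the thread and is not based on any market's software: a fake network that records every connection a component asks for, a page renderer that simply echoes the stored payload, a hypothetical server-side image rehosting fetch of the kind UTF64 says would have to be programmed on purpose, the same fetch handed to the local Tor SOCKS proxy, and a Tor-only egress policy that refuses the direct fetch. The beacon URL is the one quoted in the thread; `127.0.0.1:9050` is assumed to be the host's Tor SOCKS listener.

```python
import re
from urllib.parse import urlparse

# Constructed inputs (not from any real server): the beacon tag quoted in this
# thread, and the assumed address of a local Tor SOCKS listener.
BEACON = '<img src="http://some-fbi-domain.com/image.jpg">'
TOR_SOCKS = ("127.0.0.1", 9050)


class FakeNetwork:
    """Stand-in for the host's TCP stack: records every destination a component
    asks for, as (host, port, proxy). On a real socket the source address would
    be the server's own IP, which is exactly what the beacon host logs."""

    def __init__(self):
        self.connections = []

    def connect(self, host, port, proxy=None):
        self.connections.append((host, port, proxy))


class TorOnlyNetwork(FakeNetwork):
    """Models a firewall that drops every outbound connection except to the
    local Tor SOCKS port (the policy described two comments up)."""

    def connect(self, host, port, proxy=None):
        if proxy != TOR_SOCKS:
            raise PermissionError(f"direct egress to {host}:{port} blocked")
        super().connect(host, port, proxy)


def render_page(description):
    """What a market page normally does with stored data: echo it into HTML.
    The server opens no connection at all; whoever renders the page (a visitor's
    Tor Browser) fetches the image, from the visitor's side of the circuit."""
    return '<div class="listing">' + description + "</div>"


def image_urls(fragment):
    """Pull every src="..." URL out of an HTML fragment."""
    return re.findall(r'src="([^"]+)"', fragment)


def _target(url):
    u = urlparse(url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def rehost_direct(description, net):
    """Hypothetical server-side feature: fetch remote images and serve local
    copies. The fetch originates from the server, so the beacon host sees the
    server's real address."""
    for url in image_urls(description):
        host, port = _target(url)
        net.connect(host, port)


def rehost_via_tor(description, net):
    """Same feature with the connection handed to the Tor SOCKS proxy, which
    carries the target hostname inside the SOCKS request; the beacon host then
    sees a Tor exit, never the origin."""
    for url in image_urls(description):
        host, port = _target(url)
        net.connect(host, port, proxy=TOR_SOCKS)


def trace(fetch, description):
    """Run a fetch function against a recording network and return what it dialled."""
    net = FakeNetwork()
    fetch(description, net)
    return net.connections


def leaks_origin_ip(connections):
    """True if any recorded connection left the host without going through Tor."""
    return any(proxy != TOR_SOCKS for _, _, proxy in connections)


def direct_fetch_blocked_by_policy(description):
    """Run the leaking fetch under the Tor-only policy; True if it was stopped."""
    try:
        rehost_direct(description, TorOnlyNetwork())
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(render_page(BEACON))                         # markup only, no connection
    print(trace(rehost_direct, BEACON))                # [('some-fbi-domain.com', 80, None)]
    print(trace(rehost_via_tor, BEACON))               # [('some-fbi-domain.com', 80, ('127.0.0.1', 9050))]
    print(direct_fetch_blocked_by_policy(BEACON))      # True
```

The point the simulation makes is that the stored tag on its own deanonymizes nobody on the server side; something on the server has to follow the URL (an image rehoster, a link previewer, an HTML-to-PDF or thumbnail job, a mail notifier that inlines images). The first control is not to have such a feature; the second is the host-level one sharpshooter789 describes, which makes any such feature fail closed rather than leak when it does exist.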

[–]vreenpin 0 points1 point  (0 children)

there's a handful of US vendors selling MDMA pills domestic. Most are expensive but Unlimited from EVO has em for 9 a pop in his intro sale.... Respect for a fast and perfect transaction brah!

[–]bigmacmicmac 0 points1 point  (0 children)

Complete class.

[–]Verzero 0 points1 point  (0 children)

Update?
