
[–]the_avid 15 points16 points  (25 children)

I was doing the Drugslist security audit. I messaged the mods here this week that it looks like DL wasn't coming back. I'll tell the story from the beginning. Just a note, I usually reveal nothing about who I work for or what I do, but I think the circumstances here are different and users are owed an explanation.

I did my first post on Drugslist on the 26th of January. The site was very insecure - ridiculously insecure. Some of the main methods had some security where things were being filtered, but anything outside of core functions was just passing user input directly into database queries. From a security perspective this is like shooting fish in a barrel. It is literally the equivalent of giving anybody direct access to run whatever query they want on your database.

After that post the Drugslist reaction for the first 48 hours or so was that very weird denial and the iconic 'Drugslist: An official statement' thread. With the horrible reaction from users to those threads, I think they saw that their time was over unless they did something drastic. They reached out to me via a vendor they know well, as that vendor and I had gotten to know each other reasonably well. He asked if I would be interested in clearing the air and then helping them with a security audit, I said that I would listen to what they have to say.

After the vendor got back to Drugslist and said I would speak to them, they sent me a message here on reddit titled 'help us'. I can't see the exact date of the message, but it was likely 2-3 days after the 'official statement' thread. The first confusing thing was this message was coming from 'admin', not the horrible out-of-touch developers who were defending Drugslist in the reddit threads. Despite the writing being the same I decided to just ignore this and get on with what they wanted done. The admin apologized on behalf of the other messages sent by 'the others'.

I wrote a very long reply. The main point was that they didn't need a pen test, what they needed was a full security audit. If you aren't familiar with how security work is done: a pen test is what is used to simulate hack attacks but they are done to test your security procedure and auditing. First step is to have secure coding practices, developer training in how to implement features securely, a secure architecture etc. and only after that would you engage 2-3 people to act as hackers and attempt to break it. The best analogy for the difference between a pentest and an audit is that an audit is 'open', where you can see everything, and a pentest is 'dark', where you can't see everything. It is like handing a painter a brush to paint a room - the pentester would paint the room blindfolded while the auditor would go out and paint the entire room with his eyes open. The pentester is never going to cover the room properly. He told me they didn't have much money available since the site had only made $200 or so to date, but they could pay me something upfront and then a share of revenue and finally pay out the rest later.

In my response I gave him all the bad news. First, my time isn't cheap (not to brag but there is so much work in the industry at the moment that you can pick and choose your work and only have to work a few days a month). The second problem is that I don't do 'half' jobs, where I endorse a site or 'approve' it for audit without the entire site actually being audited and all the changes being carried out (this is what caused the delays later). The third problem was because of timing I just happened to be in the middle of 3 other contract jobs at the moment and was getting a lot of requests after the posts I did on reddit to help other sites and do other work. The last point from me was that I wouldn't be able to tell them just how much work there was until I spent at least a day or two looking at their code, and the sooner that happens the sooner I can tell them how much work was involved.

We came to an arrangement where I would audit the site. Here is where I made my first mistake: I only spent 30 minutes looking at the code since I was being rushed into giving them a full quote on what it would take to secure the site. I thought I was being safe by saying a week, but it was only hours later that I realized that this was a gross underestimate when I went through the code. There were parts of the code that were ok, but there were other parts that essentially had to be rewritten. There was no central module where security was being implemented - it was all spread out amongst all the files.

Here is the opening section of the first report I sent:

Code structure:

  • PHP control and template files: 45
  • PHP library files: 20
  • Lines of code: approx 12,000

I told them that the new plan would have to be to break the audit into 3 parts. First part was an initial audit of quick fixes. These were bugs that were an immediate danger and could be exploited easily by anybody with enough persistence to find them (would take a hacker around 30-60 minutes). Also as part of this first report, instead of explaining every single fix I would write up a few more documents. One document each on how to identify and fix SQL Injection, XSS, CSRF, securing the webserver, encoding issues and how to implement double-entry accounting (the site at the time was storing balances as a single digit field that was overwritten - the golden rule in accounting applications dealing with money is that you never UPDATE or DELETE records, you only ever add to them - this is the foundation of double-entry accounting).

In terms of being paid for the work, I ended up charging them half my usual rate and fixed the price at 6 days of work, which was only enough for the original report. I felt that I couldn't back out now since I made a commitment, even if it was based on a 30 minute look at the code. I also figured that with the site getting fixed that users would start coming back, the site would have revenue and I could take a share of that (which likely still wouldn't come close to making up for the amount of time I would have to invest).

The other part of the initial proposal from DL that I rejected was they wanted me to write a post on reddit saying the site was ok. I understood this to mean writing a post when the audit was done, but they understood it as right now. I obviously wasn't going to do that, and I said it was out of the question. I only understood much later why this was so important (they needed the revenue).

I worked flat out to produce all of this content - it was all original content and all aimed and tailored for Drugslist. When combined into the report it was 30 pages long, all nicely formatted and all very easy to follow. I hand them this document and in the interim continue onto the full report. The plan was they would implement all of those changes, learn from the docs (the feedback was that it was 'extremely useful') and they would send me back the latest copy of the code and I would confirm that the changes had been made.

We never got to that last step. 2 days after sending that report DL started treating it as the audit - which was never the case. There was a lot more to do. Their response to the quick fixes report was to ask me to now do a post on reddit saying the site was ok. I said that I can't, since I don't have the code yet and I haven't confirmed it. Every second message at this time involved trying to press me into writing a post on reddit (it wasn't pressure, it was asked politely). They agreed they would have it back to me in days, so based on this I told the moderators that I would do a first initial post (saying that the first changes had been implemented).

I waited and waited and still no code for confirmation, so I kept waiting. Then I get a message "feel free to post your update at any time". I couldn't believe it, at this stage I made it clear that first I would only be reporting the initial changes and audit, and second that i'm not going to do it without confirming the code. At this stage there was no doubt that a lot of changes had been made, but I could only test this with known bugs against the live site. There were a lot of critical bugs in critical pages that hadn't been changed. My request was being ignored.

One other thing that is important to know during this time. Drugslist seemed despondent at times and wanted to throw everything away and give up. I had to convince him on no less than 3 occasions to stick with it and that everything would be ok. It was easy: get his developers to continue making the changes I requested, I would confirm them, then I would do the first report about changes being made. There was a big opportunity for a new market at that time since everybody else was having problems.

Also at this time I became busier with real life work. One contract that I had subcontracted out wasn't going well so I had to step back into it and take over. Another contract had led to a second round of work. So for a period of a week I was working on two fulltime contracts plus the Drugslist work. Drugslist had been silent on my request for a week so I decided to check in on the forum. I found a ton of vendors complaining about not getting responses from Drugslist and enquiring about what was happening with the audit. The mistake I made was covering for Drugslist here instead of telling users that I was waiting on them still:

http://drugslisvdknitqd.onion/forum/viewtopic.php?id=110
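The comment above describes the core defect found in the first pass: user input passed straight into database queries. The following is an added illustration, not code from the post or from Drugslist, written in Python with sqlite3 as a stand-in for the PHP site. The table, rows and function names (`search_unsafe`, `search_safe`, `compare`) are constructed for the example. It shows the two behaviours an auditor checks for: the spliced-in version lets a quote or keyword in the input change the query's structure, while the parameterised version keeps the input as a plain value.

```python
import sqlite3

# Constructed sample rows standing in for a marketplace listings table
# (not Drugslist's schema; illustrative only).
SAMPLE_LISTINGS = [
    ("Listing A", "vendor_one"),
    ("Listing B", "vendor_two"),
    ("O'Reilly book", "vendor_three"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (title TEXT NOT NULL, vendor TEXT NOT NULL)")
    conn.executemany("INSERT INTO listings (title, vendor) VALUES (?, ?)", SAMPLE_LISTINGS)
    return conn


def search_unsafe(conn: sqlite3.Connection, title: str):
    """The pattern the audit describes: input spliced straight into the SQL text.
    Whatever the user typed becomes part of the query grammar, not a value."""
    sql = f"SELECT title, vendor FROM listings WHERE title = '{title}'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, title: str):
    """Parameterised query: the driver binds the input as a value, so quotes
    and SQL keywords inside it have no structural effect on the statement."""
    return conn.execute(
        "SELECT title, vendor FROM listings WHERE title = ?", (title,)
    ).fetchall()


def compare(title: str) -> dict:
    """Run both variants on one input and report what each returned.
    A query that fails to parse in the unsafe variant is reported as 'error'."""
    conn = make_db()
    try:
        unsafe = search_unsafe(conn, title)
    except sqlite3.DatabaseError:
        unsafe = "error"
    safe = search_safe(conn, title)
    conn.close()
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    # A normal title, a title containing an apostrophe, and the textbook
    # tautology an auditor uses to confirm the query structure is controllable.
    for probe in ["Listing A", "O'Reilly book", "x' OR '1'='1"]:
        print(repr(probe), compare(probe))
```

The apostrophe case is the tell-tale an auditor notices first: a legitimate value breaks the unsafe query outright, which means the input is being parsed as SQL. The parameterised version returns the same rows for ordinary input and an empty result for the tautology, which is the behaviour the "quick fixes" document would have asked the developers to reproduce on every query outside the core functions.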

[–]the_avid 11 points12 points  (18 children)

continued

I regret covering for them then. I regretted it within minutes of posting which is why I sent followups to some of the users there saying I really had no idea what was going on, I was more hoping that things would get resolved rather than knowing they would:

as I mentioned in another comment i'm genuinely as intrigued as everybody else here as to why there are support issues.

My heart sunk when I looked at the drugslist user on the site and noticed that they hadn't logged in since the 24th of Feb (this was the 27th of Feb, IIRC). They still haven't logged in since that date. I had put in around 14 fulltime days by this point, and had been paid for the equivalent of what I charge for 1.5 days of work. Worse, the Drugslist work was cutting into other work for long-term clients that paid me and I was getting stuck behind in those deals (i'm never late or flakey on work but I was now for the first time in my career, which wasn't good for me - I have no doubt this has cost me other work and parts of my reputation).

Never heard from Drugslist again. I sent a message every 2 days from that time until only 3 days ago:

to drugslist, sent 3 days ago:

you've got a real opportunity here, nobody is going back to SR and the replacement - agora, has been down for nearly 5 days. you should be aggressively promoting the market to vendors and users to use - the entire industry is up for grabs to whoever wants to take it.

to drugslist, sent 5 days ago:

ETA on getting the content on the site and a new update on the code? i'll do a post on reddit as soon as the content is up

to drugslist, sent 8 days ago:

-----BEGIN PGP MESSAGE----- Version: GnuPG v1 Comment: GPGTools - https://gpgtools.org (encrypted message - asking for the latest)

email on the 1st of March, encrypted but said something like:

You need to get the content up, also don't have the code

asking me to do a post despite not having the code to confirm (last message I ever got I think):

from drugslist send 19 days ago theavid,

Thank you! We'd appreciate if you could make a post about it at your convenience. Thank you again and we look forward to it.

-DL

email about a week before that:

btw I can't find where you added the new security page? I suggest to place it both in the footer (as 'security') and in the header (probably next to 'support').

We also need to talk about and design a new accounting system. I've got a schema I drafted based on double-entry accounting. You should never DELETE or UPDATE on fields that are finance related but always only insert new records. I'll explain this better in that section of the documents I send back.

The other todo is to get the latest snapshot of your code - do you think you could arrange that? Zipping it all up (I don't need forum or mail) and then PGP'ing is fine

I messaged the mods here days ago telling them that they might want to add a warning to the site in the sidebar, since the DL admin hadn't logged into his own site since the 24th of Feb and hadn't replied to what was now 8 messages from me.

to /r/DarkNetMarkets/, sent 3 days ago:

admin of drugslist has been inactive - can't get him to reply to emails or messages. he hasn't logged into his own site since the 28th of Feb. I think you should warn users before anyone pays a vendor fee or bond - i think the site is done. I don't think he'll come back, just a suspicion.

I don't blame them for not adding a warning since it is a big step to make especially if it was some temporary problem. But the users on the forum were (rightfully) very restless.

With hindsight now it is clearer to me what the expectations from Drugslist were. They wanted me to do a little bit of work and then "sign off" on the site within a few days. Bring the users back, bring the revenue back and then pay me from that. I should have trusted my gut instinct right away and seen that this is what they were doing. Most of what they promised to pay me, even at the reduced rate I charged and even with it being locked in at 3 days of charged work maxed was going to come from site profits - site profits that were never going to be big enough to pay all of these outstanding debts.

I am immensely sorry to anybody who has money locked up in the site. Especially to those who trusted the site because I said i'm working on its security. I have no direct access to the servers and can't administer anything - if I did I would immediately withdraw any funds remaining and distribute them. I have a feeling there is nothing there, though. I think the last of the little funding they had was spent. I'm going to do whatever I can to help those who have money locked up either retrieve it somehow or work out a way to fund the missing funds. If you have money locked up in Drugslist please message me with the amount and I will begin to collate what is owed. I will have to by default become the bankruptcy administrator.

I've written off what i've lost and what I wasn't paid (or won't be paid). It also interrupted my other work, and for some stupid reason I agreed to work for Drugslist exclusively which meant I couldn't help the other market admins that approach me to help them on their sites. I emailed and messaged Drugslist telling them I am calling off that agreement (it had a 7 days notice period). I also sent them one large 'urgent' message 2 days ago that if they didn't respond within 3 days I would be writing this comment (edit: on that note I have started some work with another market just on an ad hoc basis, which I hope will turn into something long-term since I am a big fan of the market and people - more on this later. In the interim I won't be making any comments about that market just to keep conflicts clear.). Having someone post this as a comment prompted me writing this sooner but it would have happened one way or another this weekend.

I hope people understand that I did a ton of free work at my own cost and at the cost of other work not with the expectation of earning money, but to help the users of Drugslist who I sympathize with. I really hope you all understand my point of view, I could have easily just taken the money and said the site was ok but chose not to as I didn't want to compromise my reputation.

We'll try and figure out a way of extracting locked up funds. If the Drugslist administrator is reading this, please speak up and help these people who trusted you - pay them what they are owed (don't worry about me, I don't care to get paid).

edit: in terms of users and vendors getting in touch with owed funds, please email me on theavid at safe-mail.net my key is here. We will attempt to collate the total amounts owing, where it is stuck and then figure out how to distribute any funds that can be recovered.

edit 2: last contacts from Drugslist:

  • email: 13th Feb
  • reddit post: 5th Feb
  • reddit pm: 19 days ago
  • drugslist website last login: 28th Feb
  • drugslist forum: 14+ days

edit 3: there is another part of this story that I didn't go into which turned out to be totally crazy, and that is former moderator /u/Gabralkhan and his involvement in a shakedown as part of the drugslist security audit. that is worthy of its own separate post.

edit 4: something else to add: for those looking to start a marketplace or already have, and for those looking to evaluate the stability of a marketplace. You can't get away with building a marketplace on the cheap. It is simply impossible. It is another area where the 80/20 rule applies: you can build 80% of the features of what a marketplace should look like with only 20% of the funds and work, but that last 20% of the work that takes you from being Cantina to being a stable marketplace is what takes the most time and effort. Anybody can go to freelancer.com or whatever and pay somebody in Bangladesh to build a site (cough Cantina) but it will never survive. As an admin, you need $50k+ to build a site. You also need the right network of people, access to the right server hosting (cough not bitcoinwebhosting.net in the USA) and the funds to pay the best people and to run your site for a year or more before you see revenue. As market users, you should demand knowing that a site is well funded, have them sign a message from a wallet demonstrating the financial capacity to not only build a site, but to keep it running through low revenue periods. These markets that are coming online with 1% commissions, no vendor bonds, being built overnight on a budget simply won't survive - don't trust them. You simply cannot have a well implemented market with only 1% commission and $5k or $10k spent - it is impossible. I should have seen this much sooner with Drugslist - that they were depending on new revenue as a result of being given the security all-clear to pay the people using the site and working for them.

edit 5: this is from a DL forum thread:

Before we ever shut down the site we would give our customers at least 30 days notice so they would have time to remove their bitcoin, finish transactions etc. We are very vocal and responsive to our user's needs and if we're doing something wrong, we fix it.
We've put in a number of safeguards to alert users in the event of an abandon-ship scenario. But, we have automatic withdrawals for vendors, multi-sig escrow, and lastly encourage buyers to not keep extra funds on our site.

so much for that!
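Both parts of the write-up above return to the accounting rule: balances stored as a single overwritten field, versus a ledger where finance-related rows are only ever inserted. The block below is an added example, not the schema the_avid drafted for Drugslist and not code from the post, written in Python with sqlite3 as a stand-in for the PHP/MySQL site. Account names, transaction ids and amounts are constructed; the functions (`post`, `balance`, `books_balance`, `demo`, `rejects_unbalanced`) are hypothetical. It enforces the rule in the database with triggers so that application code cannot rewrite history, and derives every balance from the entries rather than storing it.

```python
import sqlite3

SCHEMA = """
CREATE TABLE ledger (
    id      INTEGER PRIMARY KEY,
    txn_id  TEXT    NOT NULL,
    account TEXT    NOT NULL,
    amount  INTEGER NOT NULL,   -- integer satoshis, signed: + into, - out of
    memo    TEXT    NOT NULL
);
-- The "never UPDATE or DELETE" rule enforced by the database itself, so a
-- bug in application code cannot silently overwrite a balance.
CREATE TRIGGER ledger_no_update BEFORE UPDATE ON ledger
BEGIN SELECT RAISE(ABORT, 'ledger is append-only'); END;
CREATE TRIGGER ledger_no_delete BEFORE DELETE ON ledger
BEGIN SELECT RAISE(ABORT, 'ledger is append-only'); END;
"""


def open_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def post(conn: sqlite3.Connection, txn_id: str, memo: str, entries: list) -> None:
    """Append one balanced transaction. `entries` is a list of (account, amount)
    whose amounts sum to zero: every satoshi leaving one account lands in
    another. That is the double-entry invariant."""
    if sum(amount for _, amount in entries) != 0:
        raise ValueError(f"transaction {txn_id} does not balance")
    with conn:  # commit all rows of the transaction, or none of them
        conn.executemany(
            "INSERT INTO ledger (txn_id, account, amount, memo) VALUES (?, ?, ?, ?)",
            [(txn_id, account, amount, memo) for account, amount in entries],
        )


def balance(conn: sqlite3.Connection, account: str) -> int:
    """A balance is computed from its entries, never kept as a field to overwrite."""
    row = conn.execute(
        "SELECT COALESCE(SUM(amount), 0) FROM ledger WHERE account = ?", (account,)
    ).fetchone()
    return row[0]


def books_balance(conn: sqlite3.Connection) -> bool:
    """Global check: the sum over every entry in the ledger is zero."""
    return conn.execute("SELECT COALESCE(SUM(amount), 0) FROM ledger").fetchone()[0] == 0


def rejects_unbalanced() -> bool:
    """An unbalanced posting is refused and leaves no partial rows behind."""
    conn = open_ledger()
    try:
        post(conn, "bad", "unbalanced", [("buyer:alice", -5), ("vendor:bob", 4)])
        return False
    except ValueError:
        return conn.execute("SELECT COUNT(*) FROM ledger").fetchone()[0] == 0
    finally:
        conn.close()


def demo() -> dict:
    """Constructed walk-through: deposit, funds into escrow, release with a fee."""
    conn = open_ledger()
    post(conn, "t1", "buyer deposit", [("external", -100_000), ("buyer:alice", 100_000)])
    post(conn, "t2", "order placed", [("buyer:alice", -60_000), ("escrow:order7", 60_000)])
    post(conn, "t3", "order finalised",
         [("escrow:order7", -60_000), ("vendor:bob", 57_000), ("fees", 3_000)])
    # An attempt to "correct" a balance in place is refused by the trigger.
    try:
        conn.execute("UPDATE ledger SET amount = 0 WHERE account = 'vendor:bob'")
        rewrite_blocked = False
    except sqlite3.DatabaseError:
        rewrite_blocked = True
    result = {
        "alice": balance(conn, "buyer:alice"),
        "bob": balance(conn, "vendor:bob"),
        "escrow": balance(conn, "escrow:order7"),
        "fees": balance(conn, "fees"),
        "consistent": books_balance(conn),
        "rewrite_blocked": rewrite_blocked,
    }
    conn.close()
    return result


if __name__ == "__main__":
    print(demo())
    print("unbalanced posting rejected:", rejects_unbalanced())
```

Amounts are integers in the smallest unit so that rounding can never create or destroy value, and a refund or correction is itself a new balanced transaction rather than an edit. With this layout a disappearing admin still leaves an auditable record of who is owed what, which is exactly the collation the post is now trying to reconstruct by hand.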

[–]sheapmarket 2 points3 points  (10 children)

[–]Gabralkhan 0 points1 point  (0 children)

Suspicious about what?

Now I'm an average user and not anymore a mod....and the debate that led to that was fueled by /u/the_avid mainly with private conversation i had with him on security idea...

Now i'm still here but i don't see the point of this...i don't participate anymore, I'm not a mod, so whatever you suspicion or anything i don't care at all really...

[–]pronger 0 points1 point  (1 child)

Respect the effort, but did you really expect it to end any other way?

[–]fuckyallbbblaster212 0 points1 point  (1 child)

Dude learn some street smarts, the DL guy acted like a fucking kid which means he was one, there's so many fucking stupid people out there if you don't pick up quick like on first glance that they are retarded then they will use and mislead you until you are broken and feeling as stupid as them.

they didn't teach you streetsmarts in college or whatever cubicle shit job you've worked over the years but learn to read people the retarded are a dangerous type and they are everywhere

[–]the_avid 0 points1 point  (0 children)

I got paid mostly upfront

[–]CDRCRDS -1 points0 points  (0 children)

Can you post a selfie and your name so I can believe its really you?

Ty

[–]Gabralkhan -2 points-1 points  (1 child)

Why the fuck is my name again thrown in the problems with /u/drugslist , now you have your problems with that deal with it.

If i remember well it ended with me accused of some "mixed interest" and partiality and so on...so I'm not even mod or nothing here and preferred to go on other forums and sites...

You did your fucking audit with him i don't know what I'm concerned by your story man, at some point deal yourself with your things.

you violently pushed me out of there and i went out, what the fucking problem now? I haven't even posted for days here, I'm just lurking...

[–]aft3rm4th 3 points4 points  (2 children)

I've missed you avid, much love.

[–]wxzy 0 points1 point  (0 children)

group hugz

[–]LongLiveThe_King 3 points4 points  (0 children)

DL administration is apparently "missing" and I heard that DogeRoad was confirmed a scam a little while ago, am I wrong about that?

[–][deleted] 0 points1 point  (0 children)

You are doing this community a service by testing these sites out. I personally appreciate the information you passed on, I am sorry you lost that money.

[–]AgoraMarket 0 points1 point  (0 children)

on that note I have started some work with another market just on an ad hoc basis, which I hope will turn into something long-term since I am a big fan of the market and people - more on this later.

I know you won't comment either way, but I really hope you're talking about Agora, because it's a decent community and they could use the help - especially regarding DOS protection.

[–]TheHotCoco 0 points1 point  (0 children)

I'm thinking around the end of Feb I stopped seeing 'mods' in the forums.
