UPDATE: Follow up of this post has been published here
wombat2combat makes unreasonable demands for verification on any thread dealing with t0mcat and DHL but ignores and lets slide almost any other topic.
to see proof of the bias in action you only need to browse through the history of this sub. recent examples:
- DHL market part II - wombat2combat requires verification
- Warning Don't use ServNet Hosting Hacked! Avoid! - no verification required
- Sourcery Market vulnerabilities posted - no verification required
- DHL IP leak original post (removed) - wombat2combat removes post and bans user
- AlphaBay security leak details - no verification required
- Omega Market Hacked - no verification
- DreamMarket IP address disclosure - no verification
This is simple for anybody to verify.
Second part is the type of verification requested. From the DHL thread today:
> when a vendor for example can confirm that tomcheck knows the contents of their messages then we can add one of those red warnings for dhl.

if you read the details of the exploit you'll see that it is based on extracting messages from the message ID. the ID suggests that there are probably a million message IDs. to get a message for a specific vendor you would need to request all of the messages.
in the advisory tomcheck says:
> We setup a script to start at the highest message count and then request the last 50 message ID's

so wombat2combat knows he only took 50 messages as a proof of concept, knows that it is based on requesting the message by id yet set the requirement of proof as being requesting a message for a specific vendor which would require making millions of requests
very clever - I don't think anybody noticed this.
edit: since some people did not understand this explanation I have gone into detail about the flaws within it in my comment here
second is the requirements that were set out in the thread about the leaked DHL server being a real DHL server or not
if you follow the thread from here you will see that wombat2combat progressively alters what his requirements for proof are - until he reaches a point where he is asking for something that is impossible to deliver - millisecond precision on matching times between two servers.
there is a ton of adequate proof in that thread including server fingerprinting (which is the standard way of doing that) but it was ignored
again - a bit less clever, but clever anyway since you can say that you were never given proof