Why are you still using PHP / MySQL

Hi there,

I'm not a DNM customer, vendor or developer, I've ordered from DNM one time that's all, but like a lot of you I like to read this sub and enjoy dramas.

Outside of the darknet I'm a developer, and I don't understand why you are still using a PHP/MySQL architecture for the markets.

Why any markets are developed with Ruby or Python, why databases are not MongoDB or other? Why guys are still using Apache?

These languages / DBs don't fix all back doors, are not 100% safe whenever you don't follow basic security patterns, but at least there is no SQL injection, no .htaccess bypass and other classic attacks.

I'm not in the "dark game" (sorry for that) so I don't know how markets are done and don't know how hackers do, but when I'm reading threads about a hacked market and sometimes see that it is an SQL injection that allowed a hacker to get part of the database, I imagine a guy only running python sqlmap.py --risk 3 --level 5 and waiting for a message saying an injection pattern is found.

In my immaculate spirit I think markets are super secure with a lot of cryptic patterns, server-side security and a lot of high level stuff, but sometimes I feel that markets are not and are developed by relatively mediocre developers.

So what? I'm wrong, markets are secured, or markets are not and that's it?


Comments


[8 Points] NelsonHaaHaaa:

Seems to me like you just wanted to drop some fancy stuff names you have heard about. A fool with a tool is still a fool. If the developer isn't aware of the risks for a website it doesn't make any difference if he is using PHP, Python or Fortran. There are several PHP libraries that ease the access to databases and at the same time increase the security of your web app / prevent SQL injection. So it is the nescience of the developers that makes the markets vulnerable. Seems like the skilled developers can get well paid jobs outside the darknet.


[5 Points] swapmonster7268:

Cause they're noobs and don't want to read the reference material. Actually, PHP can be done correctly if you read the reference material carefully.


[1 Points] None:

In my immaculate spirit I think markets are super secure with a lot of cryptic patterns, server-side security and a lot of high level stuff

Pffft, your expert opinion would be wrong, bitwasp ftw!


[1 Points] select1on:

That's pretty much what I do when a market comes online.


[1 Points] None:

Just learned how to hack a darknet market from this post. Thanks!


[1 Points] ThrowawayTehGay:

I get the feeling that most admins do not have strong backgrounds in hardening Linux web hosts. Real security skills are built over a lifetime through equal parts diligent study and on-the-job experience. The type of people who are capable of utilizing the right technologies in the most secure way are so valuable within the IT community that they have no need/desire to participate in illegal markets. They already make a fortune from their skillset.

Having said that, anyone who's really interested in creating a secure hosted market should spend months studying the literature and then create a baited clearnet site and see how long you can keep it from getting owned. By the time you even think about launching a hidden service, you should have at least a year of experience hosting a clearnet service.


[1 Points] None:

I always thought node.js would be a good candidate for a market. Since you are only enabling the minimum functionality you need, you wouldn't be subject to the huge attack surface of something like Apache.

A simple node site wouldn't have much to attack.


[1 Points] Kazaa99:

PHP, MySQL and Apache is one of the best choices if you're not a noob programmer or don't know what you are doing.

The performance is a lot better for most usages, and my personal experience is that Ruby or Python are a fool's choice, mainly used by nerds who like to be different and write a lot of statements with the words "foo" and "bar" and find this cool for some reason.

I have tried working with a lot of these new platforms and those fancy languages, and it always ends up having some issues I need to find a fix for.

Basically just use a Linux platform you have some understanding of, or can read yourself to. Use the basic Apache installation and add the security addons that do a lot of extra security work for you (like Suhosin, etc..). Keep everything updated!! Always..

If you are concerned about MySQL injections, use parameters with MySQLi to make sure everything is properly escaped..

Do this and you will have a server + website that don't get hacked, like the millions of pages out there running this configuration without being hacked.

We don't know how most of the markets get hacked or why Agora is so slow and off-line all the time, but it's probably more due to bad coders and coding, and not because they use PHP instead of Python.
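
The parameter-binding point from the comment above, as an added example that is not part of the thread: it uses Python's sqlite3 rather than PHP's MySQLi (an assumption, so that it runs offline) to show that string-built SQL is injectable in any language and that a bound parameter closes the hole. The table, rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret"), ("o'brien", "obrien-secret")],
    )
    return db


def lookup_concatenated(db, name):
    """Vulnerable: the input becomes part of the SQL text and is parsed as SQL."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, name):
    """Safe: the SQL text is fixed; the input is sent separately as a bound value."""
    return db.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def concatenated_breaks_on_apostrophe(db):
    """Legitimate input containing a quote also breaks the string-built query."""
    try:
        lookup_concatenated(db, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    hostile = "nobody' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print("concatenated :", lookup_concatenated(db, hostile))   # every row comes back
    print("parameterized:", lookup_parameterized(db, hostile))  # no such user
    print("o'brien bound:", lookup_parameterized(db, "o'brien"))
    print("o'brien concatenated fails:", concatenated_breaks_on_apostrophe(db))
```
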


[1 Points] goodluck_7proxies:

Let's see, one can choose meme languages that have been around for less than a decade or tried and proven technologies whose vulnerabilities and drawbacks are well-researched, documented, and understood and use pretty standard and well known techniques to mitigate them.

This is the bare minimum for operating a DNM, and most admins don't even know what port knocking is. SSH ports open everywhere.


[1 Points] Chaosmannus:

Let's use NoSQL on small and structured data. Very smart, you should make your own market, please be our hero.


[0 Points] None:

They are horribly insecure. See my post history.