[PSA/Article] Full story of Absolem/Havana debacle from sordid beginning to end

As you probably know, Absolem/Havana are new multisig only markets. On Monday this past week, Absolem/Havana was taken offline by Hacks4Crack (aka HacksforWhat). He told us he was able to do it because of an error in our web server configuration. We knew he was the same guy who had taken Middle Earth offline. He said he publicized their vulnerabilities because they wouldn't work with him. So we figured our best course of action was to pay the bug bounty we negotiated with him. He promised us after that he would give us a list of additional vulnerabilities he'd found. We paid 1 bitcoin and he gave us the bug that was bringing the server down as well as several small bugs.

When it came time to negotiate for the additional bug bounties he was asking for, I made it clear that as a brand new market we weren't in a position to pay a lot of bitcoin immediately and would prefer to pay more over a longer time. As an alternative we offered an equity position in the market in exchange for his long-term services as penetration tester. He proposed 7.5% of profits and we agreed. He knew at the time that we were not making money. His fee was to be entirely in the future from his ownership participation in our market. This is a typical arrangement with a startup, where a contractor forgoes immediate payment in exchange for a potentially much bigger upside in the future.

Less than 12 hours later he was again attacking the market as MDParody. He unilaterally backed out of the agreement and started demanding 5 BTC for all the additional work he's done. Under the terms of our agreement he was not due any additional funds until the market was profitable and he understood that. Furthermore, he violated the agreement by making the information public. He started publicizing what he said were security flaws.

At that time we made what in hindsight I admit was a mistake. We didn't want to be associated in any way with a blackmailer and hacker, and since he had no business airing our private communications in public, we didn't admit that any of those bitmessage conversations were ours. They were, and the content confirms the accuracy of everything I've said.

Things escalated out of control when he claimed to have breached our server. He claimed to have access to our database, private keys, and other information that only someone with server access could have. He threatened to give the information to the FBI unless we paid him his extortion demands of 5 BTC. He claimed to have even talked to an FBI agent. Naturally we were extremely concerned until we spent the time to determine that his claims were completely false. If he had any of that information, he would have used it against us by now or at least proved that he had it.

We never gave him server access. In fact, in the original discussions with him he said he didn't want passwords or access to the server, and we had no intention of giving him access, since all of his work would be on penetration testing.

It's become obvious since then that all he's been doing to bring our server down is running web scripts sending large volumes of messages using our message system. These were not security flaws in our system. If someone was not actively trying to take down our market, they wouldn't be needed. We should have planned for malicious scripts in our design. Now those problems have been fixed. At no time was any vendor or buyer data ever at risk.

Some things he hasn't disclosed in his tell-all story are the nasty tactics he used. He didn't just send hundreds of messages to vendors on our market, he sent obscene messages to all our vendors. He has done untold damage to our relations with our vendors, costing us far more than his 5 BTC extortion demand.

On the security issue he's been going on and on about today and yesterday: passwords are not unhashed on the server. The way messages on the system are encrypted and decrypted on the server is more complicated than ProbableFire's explanation. I do not want to get into the precise method used to encrypt on our server for security/opsec reasons. ProbableFire is not the developer of the market and wasn't familiar with the details, and he admitted as much in his posts.

On the issue of the "shilling" today: I have no defense except that last night I said we were done responding to this issue and wouldn't be responding any further. Every time we were posting in comments it just seemed to inflame the situation. When I saw hacks repeating himself over and over about the supposed clear text passwords I couldn't help myself. Since I didn't want to look stupid after I said I wouldn't be responding to any more of his posts, I used a throwaway and ended up looking more stupid because of that.


In summary, I apologize on behalf of Absolem/Havana. We could certainly have handled a very stressful situation better than we did. Everyone has mistakes they regret. At the end of the day, we still have the same goal, which is a safe multisig-only, drugs-only market to benefit both buyers and vendors, and if they are successful hopefully we will be as well. If we wanted to scam buyers or vendors, we would have opened a cookie cutter traditional escrow market. Instead we tried to do something different and, we hoped, better. I'm sorry we made misleading statements about our association with Hacks4Crack. But when it became clear what type of person he was, we didn't want to admit any association with him at all.

We will pay bug bounties in the future to pen testers or others who discover significant bugs or flaws in our code or system design. However, we will only pay for bugs if you communicate with us privately, not through public posts on reddit. And not by bringing down our server and demanding extortion. That approach won't work.

Finally, if we try really hard we can see a bright side or two in this week's events. First, we've used the opportunity to add code to prevent the types of attacks he's been making against us. Second, the fact that Hacks4Crack wasn't able to do anything but execute web scripts to overwhelm the CPU with threads and requests is reassuring. Whether this week's relentless attack and extortion by Hacks4Crack and our mishandling of some of the repercussions ends Absolem/Havana's chances to accomplish our goals is up to you.
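The attack the post describes is a script pushing large volumes of messages through the market's own message system; the design fix it alludes to is to throttle sends per account or session and to flag the senders that keep hammering the limit. The following is an added illustration, not code from Absolem/Havana: a per-sender token-bucket gate for a message endpoint, where the `MessageGate` class, its limits, and the scripted sender scenario are all assumptions.

```python
import time
from collections import defaultdict

# Hypothetical limits (not the market's real values): a sender may post
# BURST messages at once and then earns RATE new sends per second.
BURST = 5
RATE = 0.2            # one sustained message every 5 seconds
FLOOD_THRESHOLD = 20  # rejected sends after which the sender is flagged


class MessageGate:
    """Token bucket per sender ID (account or session) plus a flood flag.

    allow(sender) returns True if the send may proceed. Rejected sends are
    counted; a sender that keeps retrying past FLOOD_THRESHOLD is flagged
    so the operator can review or lock it rather than just keep refusing.
    """

    def __init__(self, now=time.monotonic):
        self.now = now                      # injectable clock for testing
        self.buckets = {}                   # sender -> (tokens, last_seen)
        self.rejected = defaultdict(int)    # sender -> rejected send count
        self.flagged = set()                # senders that crossed the threshold

    def allow(self, sender):
        t = self.now()
        tokens, last = self.buckets.get(sender, (float(BURST), t))
        tokens = min(float(BURST), tokens + (t - last) * RATE)  # refill
        if tokens >= 1.0:
            self.buckets[sender] = (tokens - 1.0, t)
            return True
        self.buckets[sender] = (tokens, t)
        self.rejected[sender] += 1
        if self.rejected[sender] >= FLOOD_THRESHOLD:
            self.flagged.add(sender)
        return False


def simulate_sender(n_attempts, seconds):
    """Constructed scenario: one sender fires n_attempts sends spread evenly
    over `seconds` (0 = all at once, like a script). Returns the number of
    accepted sends and whether the sender ended up flagged."""
    clock = [0.0]
    gate = MessageGate(now=lambda: clock[0])
    step = seconds / max(n_attempts - 1, 1)
    accepted = 0
    for i in range(n_attempts):
        clock[0] = i * step
        if gate.allow("sender-1"):
            accepted += 1
    return accepted, "sender-1" in gate.flagged
```

A scripted burst of 100 sends gets only the first 5 through and is flagged, while a human pacing 10 messages over 100 seconds is never throttled.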


Comments


[20 Points] hacksforcrack:

My story hasn't changed this entire time: You are a lying piece of shit scammer who took help from me and tried to scam me.

I asked you for a simple contract with my reddit name and a fingerprint of my key, to be signed with your market key.

What did you do? You intentionally put my name wrong, left out my fingerprint and signed with a different key than the one you publicly put on your website. You had no intention of paying me for the work I was doing for you, so I fucking shut you down.

Your best "solution" was to halt all new user signups, which essentially is doing the work for me. I ask everyone to send them messages asking for invite codes and give them to me, that way they will be scared to give out invite codes to anyone. They can never open registrations again while I remain unpaid and if they fear giving out invite codes they will be gone once they spend that last BTC they have. My work here would be done without needing another keystroke.

I haven't pulled out the big guns because I don't fucking need them. You are amateurs who can be thwarted with a script I put together in 5 minutes after seeing how poorly you implemented sessions, how poor your code is and how poorly your server is set up.


[21 Points] None:

[deleted]


[18 Points] throwaway802dot11:

The best thing you guys can probably do is get the fuck off reddit and shut the fuck up about all this and go make sure your site is secure/runs smoothly. Stop digging yourselves into a deeper hole. Your market just needs to run for longer with no problems and you guys coming online here isn't helping your cause.


[14 Points] tuscanleatherbrk:

Absolem/Havana was a good idea, but any potential has been eliminated with the handling of this situation.


[13 Points] _Colorado_:

The fact that you are even making a post about 5 BTC as a fucking market is ridiculous. 5 BTC is less than $1,250. If that is causing you a financial burden then there is no hope for you.


[11 Points] RosyPalm:

Good fucking god. If you're stepping all over your own dicks just trying to deal with /u/hacksforcrack, what are you imbeciles going to do when the full force of LE is being directed at you?

You are not cut out for a life of crime.


[6 Points] Furd-Terguson:

"he sent obscene messages to all our vendors."

Dem dik pics tho.


[4 Points] hacksforcrack:

504 Gateway Time-out nginx

Your error pages still leak your server name, I told you how to fix this.


[4 Points] FE-FU:

You're like the Bill Clinton of DNM owners. "I did not have relations with that security consultant!" That is until someone pulled out the blue dress with your shill stains all over it. No one wants to jump aboard your sinking ship to Havana anymore. Time to close shop and save what little money you have left.


[2 Points] None:

At this point how can anyone believe anything you say? You have very clearly been shilling more than just today and you are constantly lying.

"We will pay bug bounties in the future to pen testers or others who discover significant bugs or flaws in our code or system design."

With what money exactly? You admit in your post you have none.

"The way messages on the system are encrypted and decrypted on the server is more complicated than ProbableFire's explanation."

But he said you used the password of the user, he is either completely wrong or your system is completely fucking stupid. No amount of complication would make that a good system.

"First, we've used the opportunity to add code to prevent the types of attacks he's been making against us."

But you didn't really prevent it did you? You just turned your site invite only to hide.

"wasn't able do anything but execute web scripts to overwhelm the CPU with threads and requests"

How exactly do you know that is all he did? Why was that so easy to do, is he right that your code is bad?

"He has done untold damage to our relations with our vendors, costing us far more than his 5 BTC extortion demand."

Maybe you should have paid for his services then, instead of trying to scam him. 5 BTC is not very much money; if you can't afford that, how are you going to afford servers in the next few months?

Why did you fumble his name in the contract and deliberately use the wrong key to sign the contract? Did you ever have any intention of giving him equity? From what I can piece together of this clusterfuck, you tried to scam him, he noticed then came at you for revenge.

And finally to assume he doesn't have more on you because he hasn't used it yet is quite naive, he has been letting you punch yourself in the face for a fucking week.

Why would he need to release information that could land people in jail when you are doing a fine job of shitting your own bed?


[3 Points] QLDGreat:

This market is very slick looking, and your multisig implementation is truly revolutionary. It's a real shame that you've completely ruined all of your potential and credibility with your security issues and lack of professionalism from a PR standpoint.

You spent all your money gaming GPUs to calculate flashy vanity URLs and bounties for coming up with fancy names rather than focussing on the most important things. If you'd kept your mouths shut and focussed on security you could've been huge. Nobody would've cared what your site looked like if your payment system was truly slick and trustless. People would have flocked there, eventually.

One thing I've noticed about DNMs is that there are always only 2 big ones. A few months ago it was Agora and Evolution, before that Agora and SR2, before that SR2 and Sheep, before that SR2 and BMR, before that SR1 and BMR. You had the opportunity to become the major competitor to Agora and make millions, but you've blown it. Blackbank will almost certainly take that place.

After Evo shut down we all talked about how we wouldn't let it happen again. We wouldn't put our trust into another large market that mainly utilized centralised escrow and offered only half-baked multisig. But now I think we'll be saying the same things again in ~12 months. Rinse and repeat. A damn shame.


[3 Points] sharpshooter789:

"I do not want to get into the precise method used to encrypt on our server for security/opsec reasons."

I find this comment troublesome since you are relying on security through obscurity and this does not work. It actually makes things less secure.

Here is an article from Bruce Schneier. He is one of the leading experts when it comes to cryptography. I'll include a quote from the first paragraph.

"A basic rule of cryptography is to use published, public, algorithms and protocols. This principle was first stated in 1883 by Auguste Kerckhoffs: in a well-designed cryptographic system, only the key needs to be secret; there should be no secrecy in the algorithm. Modern cryptographers have embraced this principle, calling anything else "security by obscurity." Any system that tries to keep its algorithms secret for security reasons is quickly dismissed by the community, and referred to as "snake oil" or even worse. This is true for cryptography, but the general relationship between secrecy and security is more complicated than Kerckhoffs' Principle indicates."


[2 Points] 101dnm:

ya lost kid, time to bow out of the game.


[2 Points] Spa__ce:

Even if hacks was totally baseless in his attacks, your handling of it nailed your coffin shut like 3 threads ago.


[1 Points] pe3knuckl3r:

well isn't this place just a big poopstick waiting to happen.

all fail havana!


[1 Points] hacksforcrack:

Yo fam, you realize http://absolem6indyslug.onion/account/orders/ is now 500'ing? And your forums are down again :)

Just give a man his food fam, easy init?


[1 Points] Jay-__:

Read it to

"I do not want to get into the precise method used to encrypt on our server for security/opsec reasons."

and stopped there. Security through obscurity won't work, ffs.


[0 Points] HelpFromtheAbove:

tfl dfr


[0 Points] ugghhhhhhadadadad:

Dude just stop it already, you're talking to this troll is just giving credit to his words. You know what guilty people do when they are accused of something? They defend themselves. Face it, you computer nerds suck at PR, just shut up and ignore.

edit: I'm going to stay away from havana not because of this troll but because of how you guys handled the situation, like a bunch of 20 somethings with no life experience.


[0 Points] BrodhiRoundhouseKick:

Is there a TOO LONG DIDNT READ?

All I really want to know is if Castro is genetically linked to Hitler. I think I'd enjoy Cuba (screw it, we got tech; is Castro linked to Hitler, Kennedy, or Putin?)


[0 Points] gary_oaks_bud_garden:

I'm lovin the links, I'm lovin the proof, fidel. Keep it up, you'll run your own market into the ground in no time.

Seriously man, markets have to stand on their own legs. Fancy PR campaigns aren't going to make you successful. There are a lot of dummies here but I'd wager, especially on this sub, that the average person here is way more intelligent and insightful than the masses who shop at Amazon/eBay/Walmart or whatever.

Your BS marketing doesn't work here. You literally would've been better off if you just disappeared and never posted again. You know why people trust Agora so much? Why they trust BB so much? But why a lot of people here were shitting on Evo before they exit scammed? Because Agora and BB don't have market shills here. Evo did though, and that was a HUGE red flag to people.

I'm sorry if you seriously believed in what you were doing, but it's over, your shilling has broken the trust of the market to me, and I won't tell others what to do, but if they want to avoid another Evo, they should do the same.


[0 Points] youtakesally:

How aren't these amateur crybabies on the wall of shame? That people like this engage in criminal activity makes me cringe.