10% of Silk Road 2.0 user data leak released
[48 Points] None:
[32 Points] gwern:
I had 3 accounts ('gwern', 'chuck10', and 'chuckie11') for scraping. none of them seem to be in that 10%. The 29 Jan 2014 sohhlz vendor dump used the account 'qgn79u7uqqbwyw1g' for its scraping, which is also not in there. So that's 4 misses. I don't see anyone reputable confirming finding their unused accounts in the decrypted 10%; the account /u/throwthisshit3 claims to have found their buyer account but they're just 1 person and who knows, might be SR_doug himself (he uses Reddit, and that account is 4 days old).
From a statistical point of view, he gives no reason any buyer accounts should be missing from his full list, and this 10% is supposed to be a random sample (EDIT: actually, rereading, it looks like the user IDs are monotonically increasing, so it looks like it's supposedly a dump of all registrations in a specific late time period, so then it wouldn't be surprising that neither 'gwern' nor sohhlz's account are in there, but my 2 others were registered fairly late in 2014 so arguably this is more of an n=2 situation than n=4; I've gone into more detail with this issue on Bitcointalk), so it's straightforward to estimate how much my 4 misses should change my mind by Bayes's theorem: the likelihood ratio is (0.9^4)/1=0.66 or (0.9^2)/1=0.81, so with n=4 my belief in authenticity is not quite halved by my failure to find the 4 buyer accounts whose names I know, or four-fifthed with n=2. Or to work it out the long way, let's say the prior of authenticity is 50-50; then we can set the formula up as:
The result
Or to redo it with the more correct n=2:
Unsurprisingly, it's not a lot of evidence.
(And then that should increase by an amount based on how much you trust throwthisshit3, I suppose.)
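The update gwern walks through, as an added example (not gwern's own code or numbers beyond those quoted in the post). It assumes, as the post does, that the published chunk is a random 10% sample, so under "authentic" each known account is absent independently with probability 0.9, while under "fabricated" a known account is absent with probability 1; `misses` is the number of known accounts that could have appeared (4, or 2 under the late-ID reading).

```python
# Added example: Bayesian update from "none of my known accounts are in the 10%".
# Hypothesis A = the leak is authentic, F = it is fabricated (constructed labels).

def likelihood_ratio(misses: int, sample_fraction: float = 0.10) -> float:
    """P(all known accounts absent | A) / P(all known accounts absent | F).

    Under A each account is absent with probability (1 - sample_fraction),
    independently; under F a forger never had the accounts, so they are
    absent with probability 1. With misses=4 this is 0.9**4 = 0.66.
    """
    p_absent_if_authentic = 1.0 - sample_fraction
    p_absent_if_fake = 1.0
    return p_absent_if_authentic ** misses / p_absent_if_fake


def posterior_authentic(prior: float, misses: int,
                        sample_fraction: float = 0.10) -> float:
    """Odds form of Bayes' theorem: posterior odds = prior odds * likelihood ratio."""
    prior_odds = prior / (1.0 - prior)
    post_odds = prior_odds * likelihood_ratio(misses, sample_fraction)
    return post_odds / (1.0 + post_odds)


def posterior_authentic_long_way(prior: float, misses: int,
                                 sample_fraction: float = 0.10) -> float:
    """The 'long way' the post sets up: P(A|E) = P(E|A)P(A) / (P(E|A)P(A) + P(E|F)P(F))."""
    p_e_given_a = (1.0 - sample_fraction) ** misses
    p_e_given_f = 1.0
    numerator = p_e_given_a * prior
    return numerator / (numerator + p_e_given_f * (1.0 - prior))


if __name__ == "__main__":
    for n in (4, 2):
        print(f"n={n}: LR={likelihood_ratio(n):.4f}, "
              f"P(authentic | misses)={posterior_authentic(0.5, n):.3f}")
```

Starting from 50-50, four misses move the probability of authenticity to about 0.40 and two misses to about 0.45, which is the "not a lot of evidence" conclusion in the post.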
[13 Points] lamoustache:
Decrypted SR2 user table dump here
It obviously only includes the published chunks below.
The dump contains 47532 accounts including the following 31 vendor accounts:
cyberzen
hamsteranfetoso
VanillaSky
IllegalFlowers
persianrugsuk
cashco
stoned gooblin
rK_2.0
sheep|shop
Crystalburns
utopic
GaiaRoots
SuperSubRx
Illegal entrepreneur
Nevita
SolutionsForVendors
DRUGZ
LegalEyez
aKid
LaFamilia
aus_muscle
Lauantai
cheaperpharma
kwikeemart
ReconnoiterConscious
Sunline Inc
budbrother2
RaulGallardo
SatoshiShop
medicine420
TheRealChaletla
[10 Points] None:
I care
[8 Points] brand0x:
So let's get this straight ... our leaker:
This one smells like shit, guys.
[10 Points] MLP_is_my_OPSEC:
If anyone is interested, I decrypted the files and more can be read on the Evo forums here http://i25c62nvu4cgeqyz.onion/viewtopic.php?pid=469776
I'm doing this to help those affected by this leak, and bring awareness to what bad OPSEC can lead to. Stay safe everyone!
[6 Points] HarleyDavidsonFXR2:
I hope somebody catches this motherfucker and cuts his fucking head off.
[6 Points] k9atemybuds:
What a dicktard.
[4 Points] NoobyDo:
I'm still not convinced Doug. Try harder.
[5 Points] ChocoJesus:
As others have said, still not 100% sure this is legit until users confirm it.
That said, I'm kind of amazed he's trying to go through with this sale. I imagine there's already a group of people trying to track him down.
[6 Points] alfabi:
Why use a static universal salt? A salt by definition should be random for each password, otherwise it's not a salt but a key.
[6 Points] totes_meta_bot:
This thread has been linked to from elsewhere on reddit.
If you follow any of the above links, respect the rules of reddit and don't vote or comment. Questions? Abuse? Message me here.
[3 Points] AliveMonster:
mhm, this sr_doug guy gives me the giggles.
His claims of being a SR2 developer are funny, considering SR2 was allegedly hacked at least 3 times and didn't see any actual developments (multi-sig, etc) except for a support panel that leaked browser information and an admin panel where 1/4 of the commands never actually worked.
On the 2nd/3rd hack (they were kind of related), they managed to obtain the private keys to the users' deposit addresses, hence the reason why Blake changed the deposit addresses. I'm going to assume that they also obtained a full list of the account usernames etc. just like the one OP is trying to flog.
Before that happened there were also accounts that somehow managed to obtain a huge number of buyer/vendor account usernames and were randomly PMing them malicious download links. There must have been some sort of vulnerability which allowed a hacker to steal the sites member list (hey mr lead developer why didn't you patch it!?!11one).
In the court of declaration of shenanigans I find the defendant guilty of lying about being a lead developer of SR2.
Here are my theories:
They're a sooper 1337 hax0r that hacked SR2 and stole the private keys to the users' deposit addresses, thus also gaining access to the user info.
They found a vulnerability which leaked the database of SR2 account usernames which allowed them to mass PM nearly every user on the site a scammy trojan download link.
They're obviously not a SR2 developer (idk why you would admit to being it anyway hehe).
[3 Points] torinterest:
You guys seem to be missing the elephant in the room.
I took the file and sorted it. I then removed everything that wasn't a password, so I have a sorted list of hashed passwords. Here's the file - https://gist.githubusercontent.com/anonymous/6c553f8d30e862bb8835/raw/gistfile1.txt ~47,000 passwords.
I then ran it through a script to identify duplicates. There wasn't a single duplicate password. That doesn't jive with the alleged "single static salt" (which isn't what a salt is). If the same "salt" was used on every password then the same password would create the same password hash. I don't know the password policy of SR but it is exceedingly unlikely that 47,000 users picked unique passwords.
So either this isn't the password OR this guy doesn't know how they were hashed despite being "the lead developer."
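An added example (not torinterest's script and not SR2's actual hashing scheme) illustrating both alfabi's point about a static "salt" and the duplicate check above: with one shared salt, equal passwords produce equal digests, so a column of ~47,000 hashes with zero repeats is hard to square with that claim; a random per-user salt removes the repeats. SHA-1 is used only because Highlife95 mentions it, and the `<user_id> <hash>` line format and the sample users are constructed.

```python
# Added example: why a single static salt would show up as duplicate hashes.
import hashlib
import os
from collections import Counter

STATIC_SALT = b"constructed-static-salt"  # assumed: one salt shared by every user


def hash_static_salt(password: str) -> str:
    """One salt for all users: the same password always yields the same digest."""
    return hashlib.sha1(STATIC_SALT + password.encode()).hexdigest()


def hash_per_user_salt(password: str, salt: bytes = b"") -> str:
    """Random per-user salt stored next to the digest ('salt$digest'):
    the same password yields different digests for different users.
    A real deployment would use a slow KDF (bcrypt/scrypt/Argon2); SHA-1 here
    only mirrors the thread's discussion."""
    salt = salt or os.urandom(16)
    return salt.hex() + "$" + hashlib.sha1(salt + password.encode()).hexdigest()


def duplicate_hashes(dump_lines):
    """Hash values that occur more than once, as torinterest's duplicate check did.
    Each line is assumed to be '<user_id> <hash>' (constructed format)."""
    hashes = [line.split()[1] for line in dump_lines if line.strip()]
    return {h: n for h, n in Counter(hashes).items() if n > 1}


def build_dump(users, hasher):
    return [f"{uid} {hasher(pw)}" for uid, pw in users]


# Constructed users; three of them chose the same weak password.
SAMPLE_USERS = [(1, "password1"), (2, "hunter2"), (3, "password1"),
                (4, "correct horse battery"), (5, "password1")]


def static_salt_collisions():
    return duplicate_hashes(build_dump(SAMPLE_USERS, hash_static_salt))


def per_user_salt_collisions():
    return duplicate_hashes(build_dump(SAMPLE_USERS, hash_per_user_salt))


if __name__ == "__main__":
    print("static salt duplicates:  ", static_salt_collisions())
    print("per-user salt duplicates:", per_user_salt_collisions())
```

Zero duplicates is also consistent with the column not being password hashes at all, which is the other branch of torinterest's conclusion; the check distinguishes "static salt" from "per-user salt or not a hash column", not more.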
[2 Points] II-NataYmleg:
Now the SR2 source code plz :-)
I read it was leaked too?
Which language? PHP? Python? Ruby?
[1 Points] spottedmarley:
decentralize all the drugs!
[1 Points] Oldwisewoman:
So can any1 confirm if this is legit or just a wanker wankin? Or a clever ploy by the fuzz?
[1 Points] DarkNetTarget:
well I'm glad I never set foot in SR2.... After SR1 went down I trusted no other dnm for a while... and SR2 especially.
[1 Points] skytrainwand:
welp, glad I abandoned SR2 at the correct time, not sure if I deleted my account or not but I didn't make any transactions on SR2 anyway and I have different usernames for everything now.
[1 Points] Highlife95:
Definitely salted. I found my account in the list and the hash isn't the same as a simple SHA-1 without salt of my password. That account has been used once and no trade was made. That account should have been inaccessible to anyone who doesn't have database access, so I think it's authentic. This has to be stopped
[1 Points] None:
[removed]
[1 Points] select1on:
I'd like to see the schema. It would be interesting.
[0 Points] pinkprincess1:
What you're doing is SO wrong guys.
[0 Points] mwthink:
I've always disagreed with Ross' decision to keep copies of his employees' IDs, but this is the exact contingency that keeping IDs would have prevented.
[-15 Points] momslatin_dadsasian:
You are a hero doug, and you are making history. You're also smart; it would be incredibly dumb to not make use of this data and get whatever you can out of this. People can make all the moral judgements on you that they want, but I'd bet that if they were in your place, every single one of the high-horse people would be doing what you're doing, or worse. They're all just unhappy that they aren't in your position.
Hope you make a shit ton of money.
[deleted]