Confessions of a DNM security consultant

Cryptographic proof of the following message can be found at the bottom.

I started working for Absolem/Havana about a week ago as a security consultant. After showing them they had a lot of critical errors in their nginx configuration, server setup and code, I brought these issues to them privately and, unlike other operators, they responded quickly and wanted to fix the issues. They then offered me 7.5% equity in all future profit for my continued services. Everything seemed to be going well. You may have noticed they no longer let you browse the market without logging in, no longer leak nginx in their headers and many other issues I won't go into.

After about a week of working with the developer ProbableFire, I quickly realized he was completely ignorant of secure programming and server administration. For example, when I told him he should add some rate limiting configuration to his nginx, he asked for a guide because he had never done it before. He implemented IP-based rate limiting and caused his site to DOS and went to sleep. The site DOSed itself for nearly 9 hours. ProbableFire completely misunderstood how Tor worked. I helped him correct it and make it cookie-based. Over the week I encountered countless similar issues, proving time after time that this was his first major project and that he had no idea how to properly secure a server.

Meanwhile Fidel, who is the "business" side of the operation, asked me to lie to the community, saying I should use my reputation under the account /u/hacksforcrack to claim that there had been no security issues, because some vendors were not joining until a proper audit had been done.

Finding an exploit in their PHP code and improper permissions I was able to gain access to their server. The first thing I noticed was that they did not have an onion address assigned for their incoming port SSH connections. I confronted ProbableFire about this and he asked if he should do that, and that is when I decided I no longer wanted equity in a project that was clearly doomed to failure because of operator incompetence.

I started gathering the logs of all incoming SSH connections and times, gathering information about their riseup accounts, copying logs, the database, the onion address keys and even the code.

I notified them that I had done this and that their onion addresses were compromised, that they should pay me 5 BTC for the services I had already provided to this point because I no longer wanted to work for them. They refused.

After days of trying to quietly negotiate with them directly, that failed. So because I have no other choice I'm notifying the community. These operators are not only incompetent but they are liars. Their system is insecure and they will likely be arrested by DEA/FBI once they gain any popularity. It appears they encourage server side PGP encryption which in their case is not secure. The same goes for their server side implementation of multi-signature escrow.

If they continue to refuse to pay I will eventually leak the database and the IP addresses I have collected to the authorities or here, haven't decided yet. Seems to amount to the same result.

I was recently censored on their forums while they continue to pretend nothing is happening so that is why I posted this here.

It was fun while it lasted.

Game over kiddies, you need to pay up or relaunch under a different name and a different server.

Proof:

Absolem/Havana markets will compensate Hacks4What at a rate of 7.5% of gross profits as renumeration for services provided on an ongoing basis.  This agreement will continue for as long as Hacks4What continues to provide the agreed services which include the following:

Hacks4What will be the technical lead in defending Absolem/Havana from external attacks, directing appropriate defensive stragegies as needed in critical situations.

Hacks4What will act as security consultant; he will keep up to date on the latest threats to hidden services and web servers, alerting Absolem/Havana admins of relevent 0-day exploits, providing recommendations for hardening services and operation.

Hacks4What will provide ongoing pentesting, auditing and alerts to new threats.

Hacks4What will keep all information about Absolem/Havana's systems and business operations strictly confidential and will not report vulnerabilities or attacks to anyone outside of Absolem/Havana's management team.

Copy of their key, in case they try to replace it and pretend this is not happening:


EDIT: Here is the transaction they paid me 1 BTC for telling them they needed to add max client body size in their nginx config.

https://blockchain.info/tx/36096306d15f28b63254c309e6133f42002a5281e19eba93d7a17c31b204120a

I hope you tumbled those coins Fidel, otherwise :(
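The post describes two concrete nginx mistakes on a Tor hidden service: per-IP rate limiting that throttled the whole site, and a missing request body cap. The following is an added configuration sketch, not the market's or the poster's own config, contrasting the weak per-IP limit with a cookie-keyed one and adding the body-size cap; the cookie name `session`, the listen port and the backend address are assumptions.

```nginx
# Added example, not the market's or the poster's own configuration.
# Context: behind a Tor hidden service nginx never sees the visitor's
# address; every request is proxied by the local tor daemon, so keying
# a limit on the client IP puts every visitor in one bucket.

http {
    # WEAK: per-IP bucket. On a hidden service $binary_remote_addr is
    # 127.0.0.1 for all visitors, so one bucket is shared by the whole
    # site and a modest amount of traffic makes it "DoS itself".
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=5r/s;

    # BETTER: key on a server-issued session cookie (name "session" is an
    # assumption). nginx does not count requests whose key is empty, so
    # requests without the cookie are mapped to one shared "nocookie"
    # bucket instead of bypassing the limit entirely.
    map $cookie_session $ratelimit_key {
        ""      "nocookie";
        default $cookie_session;
    }
    limit_req_zone $ratelimit_key zone=per_session:10m rate=5r/s;

    server {
        # Only reachable from the tor daemon on the same host (assumed
        # HiddenServicePort target); never bind a public interface.
        listen 127.0.0.1:8080;

        # Strip the nginx version from the Server header and error pages.
        server_tokens off;

        # Cap request bodies so a single oversized upload cannot exhaust
        # disk or memory (the "max client body size" fix from the post).
        client_max_body_size 1m;

        location / {
            # burst lets a real user fetch a page's assets; nodelay
            # rejects anything beyond that with 503 instead of queuing.
            limit_req zone=per_session burst=10 nodelay;
            proxy_pass http://127.0.0.1:9000;   # assumed app backend
        }
    }
}
```

A client can mint fresh cookie values, so the application must reject session ids it did not issue (the login wall the post mentions helps here), and all cookie-less visitors share the single "nocookie" rate.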


Comments


[27 Points] Firearms_Enthusiast:

Man when the page header reads "stay for the drama", I didn't think it would mean DAILY drama, but it does.


[17 Points] ShulginsCat:

Confessions of a DNM security consultant

Coming soon on HBO


[15 Points] ProbableFire:

Glad I caught this post now so that I can respond to it. I am going to lay out a few points that will hopefully help everyone realize that this guy is lying.

First of all, I am not the server administrator, nor am I the developer. I will not pretend to understand webservers or the very complex sides of TOR, because I do not. I am just the market admin. I come up with ideas, the developer turns those ideas into code. If we had actually been in contact as he says we have, he would have known that.

Now, let me tell you what really happened. First, hacks4what came to us with a vulnerability from our market that made it possible for hacks4what to DOS us. He told us what we did wrong and we paid him 1BTC for helping us. Later, he came to us saying he had gotten into our server, that we had been SSHing into our server incorrectly, and that he had our IPs. All he has been doing is DDoSing us (possibly with the help of /u/mdparody), trying to overload the hidden service. We have responded to each attack by adding defenses. Operations have been improving with each attack he attempts. He later said that if we do not send him 5BTC, he would take what he had found to the FBI.

Later, when we asked for actual proof, he refused to provide it. He could have sent one of our IPs, he could have sent the private onion key, he could have sent our database structure, but he sent nothing. Any of those proofs would have guaranteed him the 5BTC, but again he gave nothing. (Side note: we do take the correct precautions when SSHing into our server, so the fact he had stated he had our IPs was another red flag). When we refused to give him 5BTC, he said he had talked to Christopher Tarbell at the FBI, saying that Mr Tarbell was interested in what he had to offer. After the success of Silk Road, Christopher Tarbell works in the private sector now. At this point we knew without a doubt that this kid had nothing.

It seems that after he tried to extort us for 5BTC using false information, he got mad and posted this. To make himself look credible, he created a PGP key named Absolem and signed a message stating he is our security consultant, when in fact, he isn't. That signed message doesn't prove anything but the fact that you know how to use PGP. The link to our actual PGP key can be found at /r/havanamarket/wiki/pgp.

Don't believe what this guy says when he says he is doing this to "help the community." He is only doing it to extort markets into giving him money. He even says it in a comment below:

I have been sitting on this information for days and trying to negotiate with them quietly. However that has failed, so I'm hoping this post forces their hand.

Edit: I just took a look at "Absolem's PGP key." It looks like the one he says is ours was created on May 4th, while our actual PGP key was created on April 13th. We haven't switched anything, this has been our key the whole time.


[11 Points] None:

[deleted]


[5 Points] sobulbous:

Paging /u/OrvilleRedenbacher


[5 Points] heyfreshhhhh:

You sound like a wannabe extortionist and a snitch.

Havana may be insecure as fuck and people shouldn't use insecure DNMs, but you are a piece of shit.


[4 Points] alwayslookingformore:

I love how a large portion of the comments to this are the 2 hacks accounts arguing with themselves


[6 Points] hacks4what:

Down for unscheduled maintenance, interesting. But they really should be switching their onion addresses and servers if they want to continue operating.


[4 Points] BlackBananas:

I love the drama in this subreddit


[3 Points] None:

[deleted]


[3 Points] None:

http://www.reddit.com/r/DarkNetMarkets/comments/354let/complaintwarning_havana_market_fud/

Another guy talks about the market


[2 Points] maniahck:

You are the guy who also tested East India Company?


[2 Points] None:

If the claimed 1 BTC transaction is true, the admins of havana have a whole lot of bitcoin. You can follow one of the addresses backwards in an unobscured chain to a wallet that has held 24000 bitcoin.

https://blockchain.info/address/1AZv4ZFr8cdZVRkxfVYpYsdDk8Ey6T7exR


[1 Points] haxforcrack:

Here is the transaction they paid me 1 BTC for telling them they needed to add max client body size in their nginx config.

https://blockchain.info/tx/36096306d15f28b63254c309e6133f42002a5281e19eba93d7a17c31b204120a

I hope you tumbled those coins Fidel, otherwise :(


[1 Points] SnickerEater:

i haven't even heard about this market


[1 Points] high_dragonfly:

You're just begging for a subpoena


[0 Points] None:

[deleted]


[0 Points] noonehear:

OP is wanna be haxzorz. He saw no CAPTCHA on messaging and exploited it. A moron could figure that out.

OP IS TARDO.