Agora Availability / Downtime FAQ

Don't worry, Agora isn't down right now... but for the first time ever, the admins posted a decent-sized FAQ on the forums addressing the regular downtime. In light of the recent "ELI5: Why is Agora always down?" post, I thought I'd re-post it here in case people don't read the forums:


Since you have all recently had to tolerate certain problems with the market availability, we want to address some of your concerns. We don't intend to defend the mediocre availability of the market up to this point, and we still assure you that we are frantically working on making the situation much better, but this is just an explanation about why the problems have appeared in the first place, since many of these questions seem to pop up every now and then.

Our primary goal is to stay hidden from LE agencies and secure from hackers. We implement many more security measures than many others, which causes problems with availability.

"What could go wrong so often? I never see my local electronics webshop being down that much..."

Our setup is not simply a regular web server with extra Tor daemon running on it. We had to implement other levels of protection on top of that, including proxy VPN connections, constant changing of servers, additional software which is not found on any normal web server which handles intrusion detection. History has shown that Tor, even though it might be a work of art, has flaws, potential vulnerabilities, and what is worse, open research problems (like traffic confirmation attacks), which is basically another term for known vulnerabilities which could realistically be implemented by a properly motivated attacker. For the level of security that we are aiming at, it is simply not enough to rely just on Tor for providing the anonymity and security.

Moreover, there is little public research about this topic. Try to find guides for setting up a local electronics webshop and you will find thousands. Have you seen a proper guide for setting up an anonymous market with original research into risk assessment etc.? We have for example found numerous problems with Tor software which haven't been found in any of their docs, and that is still considering the fact that among the anonymity software we use, Tor is one of the best-documented ones.

This does not mean so much that it is impossible to make the market run more stable than we have done up until this point, it just means that we need additional time to make the proper research and set up the system in a way that is also stable. We feel that this is a much better approach than to fix the availability first, and then figure out the way to make it secure, because by the time we would do that, it might be too late, and not too late in a way that we get a few users that go to other markets due to bugs, but in a way that we shall find ourselves in jail before that happens...

"Why don't you just buy 100+ extra servers and be done with it?"

While achieving simple horizontal scalability for a web service is not an easy task in itself, it is especially difficult when it has to be done securely. Servers need to sync, and that has to be done securely as well. There is too much risk of anybody sniffing any part of the traffic and figuring out what the servers are doing, if it is not done completely securely. Apart from that, just simply installing a server in a secure way is not a 10-minute thing. The more servers we have, the more setup time we need to spend on them, and if they are too many, we will end up with putting all the time into setting up servers, setting up all the encryption and anti-hacking gimmicks and not have any time developing the actual market. This is not something that we feel secure with outsourcing either, do you really want some random dude setting up a server which will hold your bitcoins and protect them from the countless threats out there?

"Why don't you just get 100+ more professional developers that could do all this in a week?"

We cannot just go to a software company and tell them hey, we need help with this illegal ass darknet market which has millions on it, which facilitates drug trade and money laundering, please help us develop it. Neither can we just give access to our servers or software to random people from the internet who, while claiming to have proper skills, could easily be just looking for easily stolen bitcoins, or worse yet working for LE or having been converted by LE.

"Why don't other markets have as many problems?"

First of all you should compare with markets of a similar size. Running a small website securely is much easier than running a market of a size of Agora. Secondly, we don't have exact information of course, but it seems that others don't implement nearly as many security measures as we do. The measures that we do implement, we do so in the best known way to us, and we are no amateurs when it comes to this technology. Keep in mind that we are one of the few markets that haven't been hacked in any way ever since the very start, and we haven't lost a single one of your bitcoins. We feel that the level of security that we have been aiming at from the very start is one of the top ones among the contemporary darknet markets.

"Isn't this too much security?"

We don't know exactly how much security is needed. As you can imagine, the world's top authorities don't exactly tell us what methods they have of capturing sites like this. Even after big public busts only a limited amount of information is required. We have to gather all the pieces of information from busts, hacking forums, rumors, keep an eye on the recent research and deduce from all that how the current technology might be susceptible to which realistic attack vectors, and based on all this somehow establish an accurate threat model. So in order to have a chance to stay here for any substantial amount of time, we have to always be on the safe side and implement as much security as we can.

"We just can't conduct business this way!"

Then you should probably not be selling illegal substances. We are getting paid to provide a very specific service, and as we see it, the main nature of that service is anonymity and security of your money and your information. It is NEVER going to be as stable as a similar legal marketplace. Even when we fix our current issues there are still going to be situations when the market will be offline, where there will be problems, etc. In the exact same way that you can't insure your street-corner drug enterprise, the main difference being that on the street you have to risk dealing with LE directly, and here you shift most of that risk to us and accept getting hit with some market downtime or bugs caused by our security protocols.


Comments


[26 Points] blackhand25:

This is very appreciated.


[16 Points] Throwaway_concept:

They're very good points and it just goes to show that people shouldn't bitch about Agora. Sure, its downtime is the most of any market up, but at the same time I feel it has the best security. Everyone may rush to Evo to have it be taken down or hacked. It seems that Agora's main goal isn't to have the most customers or vendors, but to provide the most security so those two things will happen on their own. I honestly think Agora is the most trustworthy market that is open.


[10 Points] None:

Every time Agora goes down, I just think that they're fixing/adding new security measures, so I don't care if Agora goes down. It helps us.


[3 Points] YouLikeBarney:

Can I get a forum link?


[3 Points] dastampmasta:

This is understandable.

I stand by Agora.. And while they are down quite often it's still very usable. Maybe it's just the times a day I operate but I never have issues when I log on around 7am.

It's in everyone's best interest to have the highest level of security and it sounds like they are doing things right.

And that's very true that in this cutthroat game it's not like you can just interview programmers and hire a team. You can't trust anyone with your own freedom but yourself


[2 Points] SacredGeometry25:

Thank you! :)


[1 Points] og_by_monsanto:

...the main difference being that on the street you have to risk dealing with LE directly, and here you shift most of that risk to us...

Yes but users also have a financial risk associated with you directly


[1 Points] justWorkGoddamn:

Kinda off topic, but have any of these "hacked markets" actually shown any proof of them being hacked. Other than the money being gone and them saying that's what happened?


[1 Points] creamynebula:

Thank you very much for writing this, it makes me think way better of Agora and more understanding of its downtimes.


[1 Points] None:

Agora has become the "new silk road" because of that invitation only thing. It's a damn pyramid scheme but it works, too well actually.


[1 Points] None:

lol nailed it: "We cannot just go to a software company and tell them hey, we need help with this illegal ass darknet market which has millions on it, which facilitates drug trade and money laundering, please help us develop it."

No reason to be greedy.


[-6 Points] None:

Mark my words: Agora is going to be SR1+Sheep+CR X 2.

If you're dealing with a trusted vendor, you need to deal with them on bitmessage or FE because this false sense of security is a trend with these markets. Agora is going to hit its peak around December, I will count on it getting "hacked" around that time too.