As you probably know, Absolem/Havana are new multisig-only markets. On Monday this past week, Absolem/Havana was taken offline by Hacks4Crack (aka HacksforWhat). He told us he was able to do it because of an error in our web server configuration. We knew he was the same guy who had taken Middle Earth offline. He said he publicized their vulnerabilities because they wouldn't work with him. So we figured our best course of action was to pay the bug bounty we negotiated with him. He promised us that after that he would give us a list of additional vulnerabilities he'd found. We paid 1 bitcoin and he gave us the bug that was bringing the server down as well as several small bugs.
When it came time to negotiate for the additional bug bounties he was asking for, I made it clear that as a brand new market we weren't in a position to pay a lot of bitcoin immediately and would prefer to pay more over a longer time. As an alternative we offered an equity position in the market in exchange for his long-term services as penetration tester. He proposed 7.5% of profits and we agreed. He knew at the time that we were not making money. His fee was to be entirely in the future, from his ownership participation in our market. This is a typical arrangement with a startup, where a contractor forgoes immediate payment in exchange for a potentially much bigger upside in the future.
Less than 12 hours later he was again attacking the market as MDParody. He unilaterally backed out of the agreement and started demanding 5 BTC for all the additional work he's done. Under the terms of our agreement he was not due any additional funds until the market was profitable and he understood that. Furthermore, he violated the agreement by making the information public. He started publicizing what he said were security flaws.
At that time we made what in hindsight I admit was a mistake. We didn't want to be associated in any way with a blackmailer and hacker, and since he had no business airing our private communications in public, we didn't admit that any of those bitmessage conversations were ours. They were, and the content confirms the accuracy of everything I've said.
Things escalated out of control when he claimed to have breached our server. He claimed to have access to our database, private keys, and other information that only someone with server access could have. He threatened to give the information to the FBI unless we paid him his extortion demands of 5 BTC. He claimed to have even talked to an FBI agent. Naturally we were extremely concerned until we spent the time to determine that his claims were completely false. If he had any of that information, he would have used it against us by now or at least proved that he had it.
We never gave him server access. In fact, in the original discussions with him he said he didn't want passwords or access to the server, and we had no intention of giving him access, since all of his work would be on penetration testing.
It's become obvious since then that all he's been doing to bring our server down is running web scripts sending large volumes of messages using our message system. These were not security flaws in our system. If someone was not actively trying to take down our market, they wouldn't be needed. We should have planned for malicious scripts in our design. Now those problems have been fixed. At no time was any vendor or buyer data ever at risk.
Some things he hasn't disclosed in his tell-all story are the nasty tactics he used. He didn't just send hundreds of messages to vendors on our market, he sent obscene messages to all our vendors. He has done untold damage to our relations with our vendors, costing us far more than his 5 BTC extortion demand.
On the security issue he's been going on and on about today and yesterday: passwords are not unhashed on the server. The way messages on the system are encrypted and decrypted on the server is more complicated than ProbableFire's explanation. I do not want to get into the precise method used to encrypt on our server for security/opsec reasons. ProbableFire is not the developer of the market and wasn't familiar with the details, and he admitted as much in his posts.
On the issue of the "shilling" today: I have no defense except that last night I said we were done responding to this issue and wouldn't be responding any further. Every time we were posting in comments it just seemed to inflame the situation. When I saw hacks repeating himself over and over about the supposed clear-text passwords I couldn't help myself. Since I didn't want to look stupid after I said I wouldn't be responding to any more of his posts, I used a throwaway and ended up looking more stupid because of that.
In summary, I apologize on behalf of Absolem/Havana. We could certainly have handled a very stressful situation better than we did. Everyone has mistakes they regret. At the end of the day, we still have the same goal, which is a safe multisig-only, drugs-only market to benefit both buyers and vendors, and if they are successful hopefully we will be as well. If we wanted to scam buyers or vendors, we would have opened a cookie-cutter traditional escrow market. Instead we tried to do something different and, we hoped, better. I'm sorry we made misleading statements about our association with Hacks4Crack. But when it became clear what type of person he was, we didn't want to admit any association with him at all.
We will pay bug bounties in the future to pen testers or others who discover significant bugs or flaws in our code or system design. However, we will only pay for bugs if you communicate with us privately, not through public posts on reddit. And not by bringing down our server and demanding extortion. That approach won't work.
Finally, if we try really hard we can see a bright side or two in this week's events. First, we've used the opportunity to add code to prevent the types of attacks he's been making against us. Second, the fact that Hacks4Crack wasn't able to do anything but execute web scripts to overwhelm the CPU with threads and requests is reassuring. Whether this week's relentless attack and extortion by Hacks4Crack and our mishandling of some of the repercussions ends Absolem/Havana's chances to accomplish our goals is up to you.
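The post above describes the outage as scripts pushing large volumes of messages through the market's own messaging system, and says code was later added to prevent it. The following is an added example of the kind of server-side control that addresses that failure mode; it is not the market's code and nothing on the page describes how their fix works. It assumes a message endpoint that can call a `check(sender, recipient, now)` gate before accepting a message, and it combines a per-sender token bucket (limits raw send rate) with a distinct-recipient cap over a sliding window (catches the "one script, every vendor" pattern even when the send rate is modest). The thresholds, the in-memory store and the replayed event stream are all constructed for illustration.

```python
"""Per-sender rate limiting and flood detection for a user-to-user message
endpoint. Added example, not the market's own code; thresholds, the in-memory
store and the sample event stream are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SenderState:
    tokens: float                      # token bucket balance
    last_refill: float                 # timestamp of the last refill
    recent: deque = field(default_factory=deque)  # (timestamp, recipient) of accepted sends


class MessageRateLimiter:
    """Two independent checks per sender: a token bucket on send rate, and a
    cap on distinct recipients contacted inside a sliding window."""

    def __init__(self, burst=10, per_minute=30, window=60, max_recipients=20):
        self.burst = burst                    # bucket capacity (short bursts allowed)
        self.rate = per_minute / 60.0         # tokens refilled per second
        self.window = window                  # seconds for the distinct-recipient check
        self.max_recipients = max_recipients
        self.state = defaultdict(
            lambda: SenderState(tokens=float(burst), last_refill=0.0))

    def _refill(self, s, now):
        s.tokens = min(self.burst, s.tokens + (now - s.last_refill) * self.rate)
        s.last_refill = now

    def check(self, sender, recipient, now):
        """Return (allowed, reason). Only accepted sends consume a token and
        count toward the recipient window, so a blocked sender does not lock
        itself out further by retrying."""
        s = self.state[sender]
        self._refill(s, now)
        # Expire window entries older than `window` seconds.
        while s.recent and now - s.recent[0][0] > self.window:
            s.recent.popleft()
        distinct = {r for _, r in s.recent}
        if recipient not in distinct and len(distinct) >= self.max_recipients:
            return False, "too many distinct recipients"
        if s.tokens < 1.0:
            return False, "rate limit exceeded"
        s.tokens -= 1.0
        s.recent.append((now, recipient))
        return True, "ok"


def replay(limiter, events):
    """Replay (timestamp, sender, recipient) events in time order and return
    per-sender counts: {"allowed": n, "blocked": {reason: n}}."""
    summary = defaultdict(lambda: {"allowed": 0, "blocked": defaultdict(int)})
    for ts, sender, recipient in sorted(events, key=lambda e: e[0]):
        ok, reason = limiter.check(sender, recipient, ts)
        if ok:
            summary[sender]["allowed"] += 1
        else:
            summary[sender]["blocked"][reason] += 1
    return summary


def sample_events():
    """Constructed traffic (integer-second timestamps so the arithmetic is exact):
    - alice: a normal user, 5 messages to 2 contacts over ~50 seconds
    - flood: a script firing 100 messages to 100 vendors within one second
    - spam:  a slower script, one message every 2 s (at the allowed rate)
             but each to a different vendor, 30 messages in total"""
    events = [(i * 12, "alice", f"vendor{i % 2}") for i in range(5)]
    events += [(5, "flood", f"vendor{i}") for i in range(100)]
    events += [(2 * i, "spam", f"vendor{i}") for i in range(30)]
    return events


def demo():
    return replay(MessageRateLimiter(), sample_events())


if __name__ == "__main__":
    for sender, counts in demo().items():
        print(sender, counts["allowed"], "allowed,", dict(counts["blocked"]), "blocked")
```

With the constructed thresholds the ordinary user is never throttled, the fast script gets its first burst of ten accepted and the rest refused on rate, and the slow script, which never trips the rate limit, is refused once it has contacted twenty distinct vendors inside the window. In a real deployment the blocked counts per sender are worth logging as a detection signal in their own right, independent of whether the send was refused.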
My story hasn't changed this entire time: You are a lying piece of shit scammer who took help from me and tried to scam me.
I asked you for a simple contract with my reddit name, a fingerprint of my key to be signed with your market key.
What did you do? You intentionally put my name wrong, left out my fingerprint and signed with a different key than the one you publicly put on your website. You had no intention of paying me for the work I was doing for you, so I fucking shut you down.
Your best "solution" was to halt all new user signups, which essentially is doing the work for me. I ask everyone to send them messages asking for invite codes and give them to me; that way they will be scared to give out invite codes to anyone. They can never open registrations again while I remain unpaid, and if they fear giving out invite codes they will be gone once they spend that last BTC they have. My work here would be done without needing another keystroke.
I haven't pulled out the big guns because I don't fucking need them. You are amateurs who can be thwarted with a script I put together in 5 minutes after seeing how poorly you implemented sessions, how poor your code is and how poorly your server is set up.