Silk Road forums

Discussion => Newbie discussion => Topic started by: 2NCeppa on August 06, 2013, 08:59 am

Title: SR IS VULNERABLE. PLEASE GET DPR ON THIS IMMEDIATELY.
Post by: 2NCeppa on August 06, 2013, 08:59 am
This is a selfless act of me wanting to help get fellow SR users out of cumulative millennia of prison sentences.

Something that I personally considered for a long time, was doing very basic (frankly, very easy) captcha recognition on the SR main page, and automating login attempts.

Tormail's servers have been compromised, and it's safe to assume the FBI has all info on the TorMail servers. In an ideal world, this would mean SHA512 hashed, salted passwords. But we ALL know how frequently server admins skimp on password security. It doesn't make a difference to them as long as they don't get raided.

It is VERY PROBABLE that the FBI is currently brute-force password hashing, and seeing what passwords they can crack. They have very good computer scientists. They will use Markov chain probabilistic password guessing, as well as known data sets of leaked passwords. They also certainly have massive computational resources available to them.

Probably at least 75% of SR users with a tormail reused their "deep web" password between the two sites. Many will have also recycled their username. The FBI possesses these hash tables (assuming they don't have the plaintext), and it's safe to assume they're working on cracking as many passwords as they can by the minute. SR has a PATHETIC, even laughable captcha, so the FBI can begin automating login attempts. Of course they can easily access the account of any user who reused their username and password between the sites. They will likely end up with a nice bank of a couple thousand "other" passwords, and begin brute-forcing login attempts to vendor accounts using this bank of passwords from us, the deep web users.

Honestly, in the best possible case (salted and hashed passwords), they'll still EASILY get 100+ accounts compromised IMO. Anyone with any personal information in their messages, or with private transaction history has a lot to lose.

This is scary. I'd prefer SR be taken down until SR has some protection against automated login attempts.
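A defensive counterpart to the automated-login scenario described in the post above, as an added example that is not from the thread or from the site: a detector that flags login sources whose failures spread across many different accounts (one reused-password bank tried account by account) and then lists the accounts that succeeded from such a source, which are the ones to reset first. The log format and the sample lines are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Assumed log format (constructed, not any real site's logs): <ts>Z login result=<ok|fail> user=<name> src=<addr>
LINE_RE = re.compile(
    r"(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 10.0.0.5 tries a password bank against six accounts and
# gets into "frank"; 10.0.0.9 is an ordinary user mistyping their own password.
SAMPLE_LOG = """\
2013-08-06T08:59:01Z login result=fail user=alice src=10.0.0.5
2013-08-06T08:59:03Z login result=fail user=bob src=10.0.0.5
2013-08-06T08:59:05Z login result=fail user=carol src=10.0.0.5
2013-08-06T08:59:07Z login result=fail user=dave src=10.0.0.5
2013-08-06T08:59:10Z login result=fail user=erin src=10.0.0.5
2013-08-06T08:59:12Z login result=ok user=frank src=10.0.0.5
2013-08-06T09:01:00Z login result=fail user=gina src=10.0.0.9
2013-08-06T09:01:40Z login result=ok user=gina src=10.0.0.9
""".splitlines()

def parse(line):
    """Return one log line as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def find_stuffing(lines, window=timedelta(minutes=10), min_users=5):
    """Return {src: accounts} for sources whose failures hit at least min_users
    distinct accounts inside any window: many accounts, few tries each."""
    fails = sorted((e for e in map(parse, lines) if e and e["result"] == "fail"),
                   key=lambda e: e["ts"])
    flagged = {}
    for i, first in enumerate(fails):
        users = set()
        for ev in fails[i:]:  # sorted by time, so stop once past the window
            if ev["ts"] - first["ts"] > window:
                break
            if ev["src"] == first["src"]:
                users.add(ev["user"])
        if len(users) >= min_users:
            flagged.setdefault(first["src"], set()).update(users)
    return flagged

def likely_compromised(lines, flagged):
    """Accounts that logged in successfully from a flagged source: reused credentials that worked."""
    return sorted(e["user"] for e in map(parse, lines)
                  if e and e["result"] == "ok" and e["src"] in flagged)
```

A per-account failure counter misses this pattern, since each account sees only one or two attempts; grouping by source across accounts is what makes the spray visible.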
Title: Re: SR IS VULNERABLE. PLEASE GET DPR ON THIS IMMEDIATELY.
Post by: BTC4Cash on August 06, 2013, 09:06 am
The warning has been out for a while now and lots have mentioned to change any and all passwords that we use in multiple places.

If people have not done it already THEY SHOULD DO IT NOW!

BTC4Cash
Title: Re: SR IS VULNERABLE. PLEASE GET DPR ON THIS IMMEDIATELY.
Post by: xxdionysusxx on August 06, 2013, 09:09 am
Why not just increase the difficulty of the captcha then?