I would never use or recommend a market that endorses one.
Do they care about uptime and increasing sales numbers so much they're willing to expose all users to the countless vulnerabilities that drove us to TOR in the first place?
We have to assume LE has control of 100% of these clearnet links.
I like to think that if I ran Dread, DNL, or any similar resource, that any market that endorsed a clearnet link would be banished tomorrow.
The risk of this happening is still fairly low and while these solutions aren't ideal, they are the best bet right now. However, we will be providing markets with methods to overcome the attacks and handle them better so this isn't a necessary solution and I have some other things in the works which should improve it until we see the outcome of PoW implementations on the network.
If we are able to improve it enough, I will be requesting that markets shut down these clearnet services.
Anyway, clearnet sites are dangerous. Mods over here always say 'do not get your links from darknetlive or darkfail always verify' but instead we are pushing own rotational mirror sites because someone does not want to put in the work reading some source code, some logs, and testing out stuff.
>> The only true and most likely risk out of any, would be the clearnet site being seized and LE collecting user data through their own proxy mirrors so they can use a MiTM attack.
Again this is false. Anyone requesting the site will 100% have their IP logged. If they are big vendor and stupid enough to only use Tor to protect themselves without proxies or anything else, LE will unmask them eventually have no doubt about that. Has been proven many times cloudflare log all data.
A very recent and real case: Raidforums. They switched to their own controlled Cloudflare name servers and logged everyone's passwords. How would that be entrapment /u/pharoah ? I am not going to get into the gritty details of law in this case but they can do it for sure it is completely acceptable to do so because you are already accessing an (illegal in their laws) service.
>> The risk of this happening is still fairly low and while these solutions aren't ideal
Might as well use javascript enabled then? The risk is low (ie compromise of the marketplace) but that is what we are preventing by turning it off are we not? Can even enable clearnet logins? Risk of them following small time buyers is small right? /s
Seems bizarre that all of this is allowed, there are better alternatives in terms of I2P which several markets have rightfully adopted. I do not mean to start a discussion about it as I have shit loads of things to do but I can not stand by and watch (poor) advice being given out without fully showcasing the potential and very real pitfalls of such a system.
Truth is if you have to resort to Cloudflare, you should probably reevaluate your admin skills or lack thereof.
Thank you.
The point I was making is that, as long as the links are verifiable there is little risk. I've been against these risks in the past, but this is honestly low risk in the grand scheme of things and anything that can dissuade attacks is a good interim solution right now, because markets will not be able to stand up to it. If you receive a real DoS attack on AlphaBay it would be down and you'd be shit out of luck outside of adding mirrors and trusting in i2p access.
I don't have an issue with it right now providing links are verifiable and these are only considered temporary solutions until I launch everything I've been working on.
You're the only admin that has been negative towards this, sure state your concerns, but you're bordering on FUD with being unmasked by an exit node IP address, which would be completely separated to the accessing of an onion address too.
But I am not the only user? I am the only admin because there is no other alternative for the rest of course they are not going to be vocal about it.
>> you're bordering on FUD with being unmasked by an exit node IP address
I am probably one of the few people to know LE can do that if they want to target you. Somehow we magically forget all the markets that were found, even AlphaBay no one had shown in 2017 or even to this day how they found the IPs. Mind you it was also frontend-VPN->host so double hop. There also have been quite a few posts and publications of how they can deanonymize Tor. Sure it has improved defenses but it is in no way a 'magic cape'.
I have said it many times Tor alone is not enough and if you are doing anything mildly more than ordering personal amounts, you are putting yourself at risk by not using additional protection. So many people confused and trusting blindly some reddit accounts or someone on here about using Tor only is good enough. Always verify and I have verified it as AlphaBay story is proof opsec works when done correctly and in my mind I have explained what 'correct' in terms of connection means, means adding more than only Tor. In no way that is FUD or bordering on FUD, not a lot of people can give you this perspective Hug.
In either way these are my concerns, I have nothing further to add.
Thank you.
The reason I say bordering on FUD is because it would have to be highly targeted and it is definitely still fairly unlikely to say the least.
SWIM even has connections to get domains and SSLs (of all tiers) without fullz, all day long. That's meager compared to the cooperation given to law enforcement. Only people who haven't worked in the industry don't grasp that everything clearnet isn't logged.
Isn't there some vulnerability in regard to identifying market admins? I know you can register domains and get hosting anonymously, but presumably someone's credit card is paying for cloudflare, no? Or are they carding it?
Either way it seems to me like the majority of users are putting their faith in god knows who/what. Maybe I'm old fashioned and paranoid (ok both true), but I only trust a PGP key.
I missed this part, but unless it was on the same server as the market, what is the risk to the market itself? Are there markets offering actual clearnet proxies of the market? Because I'm only referring to link lists here.... maybe I'm out of the loop.
/u/Paris might not have informed you but since day one we have been targeted with all kinds of attacks on the onion. There is no high horsing I am stating the facts which you do not like or maybe do not understand, considering Paris has fought off virtually all attacks on Dread for you.
>> If you receive a real DoS attack on AlphaBay it would be down
You log in every 3 months once and lets not discuss about what for, so do not talk about what you have truly no clue about especially when it comes about AlphaBay. Not once have you reached out and said 'how are you handling the ddos' or gave a crap either way but yes lets not make a shitshow.
Again consult with Paris about this as you indeed seem to be out the loop or read my PMs to him. We juggle several DDoSers, all the time, most high volume hard attacks - introcell attacks, GETs, etc you name it we had (or have) it going against us. One by one we found mitigating solutions for each kind and while it may have less effect against new types of attacks which inevitably will come around, the current ones are covered very well by our firewall. There are always tradeoffs in such mitigations speed is one for example but security and stability are top priorities to us. I would not be caught dead putting up a clearnet site to embarrass myself like other admins do.
Even if attacker takes down the Tor network, we have I2P something that we have been successfully pushing since we came back. Instead of saying that is something good or not even good, a viable alternative lets call it, to diversify access your response is 'you blindly trusting in i2p access', kind of evident the attitude towards us or lack thereof that I mentioned. As such I would also point you to take a look at how I2P is structured and why it is better against DDoS.
>> Because I'm only referring to link lists here....
Signed PGP sure there is no issue but you very well know almost no one verifies these. Furthermore when using cloudflare LE can pick and choose they want to run it for a few seconds every X hours or only target exit nodes/IPs located in the US etc. The attack surface is large.
>> I don't have an issue with it right now providing links are verifiable and these are only considered temporary solutions until I launch everything I've been working on.
That is up to you how and what security measures you want or do not want to have on Dread. I do not find these 'temporary' solutions to be adequate, again if one has to resort to Cloudflare, a 3rd party, to resolve issue X or Y, that is like admitting defeat to the DDoSer.
Is all of this Endgame, I2P exactly to prevent and stop these attacks so everything can work in peace? Because you say that but literally on your previous comment on the hellcat post you are like 'I am going to DoS the onions'. Left me speechless when I read that regardless if your intentions were pure about it.
Thank you.
What I am saying is that there is no overall solution and there are and will be attacks that can't be prevented, a lot of the time due to the bottlenecks in the network which are beyond our control, you know that too. There are levels to the knowledge of how everything works here and not every market admin is going to be capable of handling the attacks completely, this is why I am insisting that while not ideal and not safe, these options for the markets to provide access, alongside i2p are fine with me for the time being.
I didn't say anything bad regarding i2p too, I wasn't saying that i2p shouldn't be trusted, I was referring to it not being a complete DoS solution in itself, relying on it was probably a better word to use. While it does handle it in a much better way, the majority of users aren't going to adopt i2p on a mass scale. Which is something I want to help change shortly and push for i2p usage.
I know users don't verify PGP links, but they should and they only put themselves at risk by not doing so. It is not your responsibility, nor mine to hand-hold and spoon feed users. We have already spent considerable time doing this in the past to reduce risk to users and while I can and maybe should do more about this, it is not the right time to do so.
Have markets been launching actual clearnet mirrors then too? That's where I'd have serious worry and I will stamp that shit out immediately. I can't read Paris' pm's. We intentionally have no facility for that unless you provide me with the direct link to the conversation.
As in the past, if I have to DoS an onion to take control of a situation and provide some protection for users, then I will. Just the same as in the past where there were DoS attacks being performed between markets attacking each other and also hitting Dread. It isn't something I'd want to do and further harm the network, but I'll never let anyone bully services with having a one up on each other, due to the threat of a DoS attack, it is as simple as that. Taking these vendor shops offline where users are unsuspectingly accessing valid links to their go-to vendor and having their funds stolen is something that no one should have an issue with.
I would say I2P Link Lists are safer than clearnet alone, and that could force people to adopt it and keep them safer.
thank you
much love, you dick suckin pricks. mumma raised a bitch, congratulations
you felt threatened by a better UI...weak sauce.
P.S i actually like Alphabay but the truth hurts eh the community saw this.
So this chicken ass, non-stop bragging about his chicken firewall and fighting literally with everyone here and spammed all over dread about his chicken shit until ddoser dignity got insulted very hard, so hard...
so fucking pissed that he decided to write love letters to market admins
Very obvious, most of the DDoS affected market admins are solid gentlemen, mitigate DDoS like a gentleman.
Unfortunately, ungrateful chicken ass start shitting all over dread again to brag his chicken shit again
All we want is chicken ass to ST*U, or just leave, run your own forum, shit wherever you like.
You started all these shitshow, you bring it back home
Shift+Del Alphabay, that is what he want
Thank you.
he bullied them off dread. i dont disrespect desnake and alphabay but everyone knows what he did
the odd post from his sidekicks wont help
you know what made me laugh? when bohemia went down the other day and someone posted sayin they thought desnake had taken them down lmao. thats the general vibe right now if you didnt know
i wish alpha all the best but you cant change whats happened
>> they thought desnake had taken them down lmao
No one can stop people from going full retard. Believe what you wish the same DDoS attacks have been here long before we came back and that is a fact which reinforces what I have been saying - same groups running markets rinse and repeat, in this case dark0de and the two pax romana ones. We also have helped to improve Endgame as well as provided full I2P tutorial and guide to Dread admins long time ago so to say things like that makes zero sense. Admins just need to get to work read logs, experiment and they can overcome almost any type of attack.
Thank you.
As much as I wish Archetyp would continue a presence here for their users, I agree on this, because they dropped off due to your postings, rather than handling their PR.
there have been a million shit markets in-between the odd good one, like Torrez and White house (even though there were a few stung with WHM)
what youre doin at alpha i respect. i enjoy loggin on to dread and seeing how well youve managed the mis-haps. i enjoy knowing your market will be up when im running out of smoke but know its no problem to get on alpha and order more.
i like that you reply too
i just think you didnt need to do what you did to get where you are. maybe im oldskool
i have a feeling you might bring stability to a much fractured scene... so all the best
You appear to be unable to refute my statements, only offering weird non-arguments. Perhaps it is true?
As for being bullied off dread you seem to speak of Archetyp as if they are run by disabled children in middle school? Not that it matters Archetyp is inconsequential at this point doing nothing more than spouting incoherent nonsense with alt accounts.
I wish archetyp all the best but you cant change what has happened.
Thank you,
Amades.
thanks
be careful there big boy your boss doesn't like you using that sort of language. read the employee handbook alphabay is above that type of shit talk
I see these measures as being something that will be temporary anyway.
Also allow the saltiness, but I wrote up a big ass post about the dangers of CW, giving examples such as RaidForums where the domain got seized and DNS changed, and got fuck all response for it.
Why you cherrypicking Hug?
What can you do about it? Excellent question, let me give you a start (made a thread about this stuff in-depth but this is it in summary):
1. Force markets that do engage in this shit to at least provide SIGNED links on their "rotators" (*cough* *cough* Abacus) so that when LE does seize the domain, those of us that do verify links know that they have been hijacked from the getgo. (Case study: Raid forums)
2. T2D's side-panel thingy with the text 'visit market' instantly links you to the Clearweb domain, and this changed from one day to the next without warning which should be a huge no-no.
3. Make it clear that Clearweb 'link lists' are frowned upon. Your initial comment makes it sound like it's not a big deal but afterwards you clarified that you are against it and discourage them.
2 - I'll raise that with T2D today.
3 - Understandable, I probably worded things wrongly because I was focusing more on the reasonings that I am leaving things be rather than the wider issues to worry about with them.
There's also InfinityProject pairing up with markets and pushing the Clearweb sites and nobody is condemning them.
(Abacus links still not signed btw...) This whole market scene has become a circus and even though I know you cant publicly agree, I am sure you are thinking the same. mr_white is turning in his metaphorical grave.
It's not entrapment, just like running a honeypot isn't entrapment (see Hansa, see definition of entrapment).