all 54 comments

[–]imakechili 14 points15 points  (20 children)

Good catch. Only thing I'd add is that they're running different Apache versions. I have no doubt due to the fact that they're all running Ubuntu + Apache + Nette and seem to be similarly configured on the Apache side that the owner is the same person. I do have my doubts that they are on the same server though.

Either way this is very bad. Once you get one server, you can have another through some creative detective work. It's a big clue for any investigation. And using Cloudflare, an American CDN company, for your black market clearweb proxy? Wow, that is bad.

Good work OP.

[–]imakechili 11 points12 points  (12 children)

Even more evidence in the EXIF data.

Unofficial Market Logo EXIF:
Software: Adobe Fireworks CS6
Compression: Deflate/Inflate

Official Market Logo EXIF:
Software: Adobe Fireworks CS6
Compression: Deflate/Inflate
XMP Toolkit: Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27
Creator Tool: Adobe Fireworks CS6 (Windows)

So the links are both developers using Bootstrap + Nette + Apache + Ubuntu + Fireworks CS6, etc.

Now the only thing feds need to do is yank sheepmarketplace.com and see what's on that server. If the onion site is on there it'll be super obvious. Otherwise it should have some clues.

The fact that I'm posting this here means that it has been thought of already by any competent investigative team. If the info we posted and the guesses we made are accurate, Sheep Owners, I would close up shop right now...
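The comparison above is what exiftool prints for two PNG logos. As an added example (not code from the thread or from either site), the script below reads the same fields straight out of the PNG text chunks (tEXt, zTXt and iTXt), pulls the XMP CreatorTool and toolkit string out of the embedded XMP packet, and reports which fields two images share. The two sample images are constructed in memory with the metadata values quoted in the comment; no real logo files are involved. exiftool's "Compression Deflate/Inflate" line comes from the IHDR chunk and is identical for every PNG, so it is not treated as a distinguishing field.

```python
"""Pull the toolchain fingerprint (Software, XMP CreatorTool, XMP toolkit) out of
PNG text chunks and compare two images. Added example, not code from the thread.
Sample PNGs are constructed in memory below; no real logo files are included."""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data: bytes):
    """Yield (type, payload) for each chunk, checking the signature and every CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_fields(data: bytes) -> dict:
    """Collect keyword -> text from tEXt, zTXt and iTXt chunks (what exiftool lists)."""
    fields = {}
    for ctype, payload in iter_chunks(data):
        key, _, rest = payload.partition(b"\x00")
        if ctype == b"tEXt":
            fields[key.decode("latin-1")] = rest.decode("latin-1")
        elif ctype == b"zTXt":
            # rest[0] is the compression method (0 = deflate); a zlib stream follows
            fields[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":
            comp_flag = rest[0]                      # rest[1] is the compression method
            _lang, _, rest = rest[2:].partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if comp_flag:
                text = zlib.decompress(text)
            fields[key.decode("latin-1")] = text.decode("utf-8")
    return fields


def fingerprint(data: bytes) -> dict:
    """Keep only the fields that identify the authoring toolchain."""
    fields = text_fields(data)
    fp = {}
    if "Software" in fields:
        fp["Software"] = fields["Software"]
    xmp = fields.get("XML:com.adobe.xmp", "")
    m = re.search(r'xmp:CreatorTool="([^"]*)"', xmp) or re.search(r"<xmp:CreatorTool>([^<]*)<", xmp)
    if m:
        fp["CreatorTool"] = m.group(1)
    m = re.search(r'x:xmptk="([^"]*)"', xmp)
    if m:
        fp["XMPToolkit"] = m.group(1)
    return fp


def shared_fields(a: dict, b: dict) -> dict:
    """Fields identical in both images: the overlap that points at one workstation."""
    return {k: a[k] for k in a if k in b and a[k] == b[k]}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def make_png(software: str, xmp: str = "") -> bytes:
    """Build a minimal 1x1 greyscale PNG carrying the given metadata (constructed input)."""
    chunks = [_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)),
              _chunk(b"tEXt", b"Software\x00" + software.encode("latin-1"))]
    if xmp:
        # iTXt: keyword\0 flag method lang\0 translated\0 text (uncompressed here)
        chunks.append(_chunk(b"iTXt", b"XML:com.adobe.xmp\x00\x00\x00\x00\x00" + xmp.encode("utf-8")))
    chunks += [_chunk(b"IDAT", zlib.compress(b"\x00\x00")), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)


# Constructed samples; the string values are the ones quoted in the comment above.
OFFICIAL_XMP = ('<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27">'
                '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description '
                'xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmp:CreatorTool="Adobe Fireworks CS6 (Windows)"/>'
                '</rdf:RDF></x:xmpmeta>')
UNOFFICIAL_LOGO = make_png("Adobe Fireworks CS6")
OFFICIAL_LOGO = make_png("Adobe Fireworks CS6", OFFICIAL_XMP)

if __name__ == "__main__":
    a, b = fingerprint(UNOFFICIAL_LOGO), fingerprint(OFFICIAL_LOGO)
    print("unofficial:", a, "\nofficial:  ", b, "\nshared:    ", shared_fields(a, b))
```

Run it against real files with `fingerprint(open(path, "rb").read())`. The CRC check matters when the image came off a CDN or was re-encoded: a chunk that fails it is not evidence of anything about the author.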

[–]asskeeper[S] 3 points4 points  (4 children)

It seems accurate, party van anyone?

[–]rayne117 5 points6 points  (0 children)

The FBI will send a drone strike to your house and his house in the Czech Republic immediately.

[–]magnivea 0 points1 point  (2 children)

The SMP party van isn't as fun as the original party van, either. imakechili and asskeeper, you need to design a new market together. I have some kickass ideas for one. We should build a secure market and charge a 7% fee. You guys 2.5% and I'll take 2%. (Joe Swanson's voice) LET'S DO IT

[–]imakechili 2 points3 points  (1 child)

Unfortunately I'm not willing to get directly involved in something like this in this stage of my life. For me to take that leap would involve my moving to a safe location out of the United States, where I'm currently located. I'm happy to advise, answer questions, and poke the occasional holes to see if eventually we won't get something closer to proper security. :)

[–]magnivea 2 points3 points  (0 children)

Awesome! we're off to find the template, the wonderful template for drugs

[–]1upped 4 points5 points  (1 child)

Unless the owner rented servers under a fake name, s/he could just move servers under a new identity, wipe the old ones, fix the security issues and be on his merry way.

[–]imakechili 6 points7 points  (0 children)

If our assumptions are correct, the number of errors made suggests that the owners did not approach this venture correctly.

That alone will lead to their downfall if they do not close first. Who knows what other breadcrumbs there are? Financial links between servers? Perhaps something on the drive that reveals the owners' identities or their propensities for certain security configurations? Who knows....

[–]AStringOfWords 1 point2 points  (2 children)

Even if we know it's in the Czech Republic, do the US security services have enough power there to demand stuff like this?

[–]TrevorWormsley 3 points4 points  (0 children)

implying the NSA would even ask

[–]imakechili 0 points1 point  (0 children)

I think if the NSA is involved, they won't even need to ask.

[–][deleted]  (1 child)

[deleted]

    [–]asskeeper[S] 0 points1 point  (5 children)

    Yes, they're running different Apache versions. So the clearnet site and the onion are not on the same server. And in addition to these security problems, he was using one of these ways to get items:
    1- Remote access to the onion site's SQL server (that's really bad: if the FBI dives into the clearnet site's servers, they can connect to the onion's database and access ALL data)
    2- An API on the onion site for getting the list of items (we cannot be sure that API is safe)
    Either way, he needs to expose the onion site's IP address in the clearnet site's code unless he has set up Tor on the clearnet site's server (it looks like that's not possible because the clearnet site is hosted on shared hosting), and that's another big problem.

    [–]P_J 4 points5 points  (1 child)

    Divergent Apache versions could, in theory, be an artefact of virtualisation and thus aren't formally definitive in showing the two production environments don't share the same physical server.

    It's easy - and quite a popular pastime - to poke fun at folks for alleged errors in OpSec nowadays, as if doing so were proof of how simple it must be to avoid such errors. OpSec competence temporally has a fairly high correlation with resource availability: or, to put it more simply, it's a hell of a lot easier to pull off, and pull off without major errors over time, if one has plenty of cash on hand. That's why one often sees such "errors" early in project timeframes - when cash is tight, corners tend to get cut.

    None of these operations are getting funding from traditional tech VCs, eh? As such, it can be expected most are cash-tight in early project phases... which is a dangerous combination for this sort of business model.

    Those with the proven, battle-tested, hard-won OpSec skills to do these things right are relatively unlikely to actually do them: why take that sort of massive risk when, frankly, there's plenty of other ways to do well financially absent such risk? That's not even counting the temptations of working for The Man - just referencing the "sell shovels to the gold rush frenzied masses" dynamic.

    We're going to see some seriously overdue lessons learned on the structural constraints of FDE in server-side environments, that's one thing for sure. Folks who warned about such things prior to the "Summer of Tor Takedowns" were largely ignored. Now? Not so much ignored, I expect. An example tutorial: http://www.cultureghost.net/viewtopic.php?f=30&t=789

    There's tech - and procedural expertise - to do these projects right... but it's a rare combination of skills and experience to bring that together with management competence, risk appetite, and motivation. Despite what seems like the "easy riches" to be had in such endeavours, I personally don't foresee an explosion of such marketplaces, post-SR. A fragmentation, yes... but that's quite a different dynamic indeed.

    [–]imakechili 1 point2 points  (0 children)

    Good post. You are correct that most qualified engineers in the US are strongly disincentivized from undertaking a project like this due to the risk of sacrificing their freedom, financial stability, reputation, etc.

    I will add though that I personally have hope for open technologies to emerge which provide detailed instructions and supporting configuration options to allow even the untrained to step their toe into some level of operations security... As long as we make it much cheaper and easier to put up a market than to take one down, we should be fairly unstoppable.

    Don't underestimate the qualifications and desperation of many engineers / security professionals trained outside the US... many of these people have much more practical hardening experience than their US counterparts, are far less risk averse, and are used to toeing the line with regards to the US government. These foreign professionals and the organizations that back them have nontrivial capital, and I both expect and hope that the brunt of the risk going forward in handling the operations of these deep marketplaces will be assumed by such foreigners. I think BMR and Sheep are a good interim step towards that, as neither appear to be run by Americans. Even if these operators make mistakes, by the time they're caught we will be in a position to move on as a community.

    [–]imakechili 1 point2 points  (2 children)

    You are correct, although if he is smart that API would be to a proxy server insulated from the service.

    I fucking doubt it though.

    [–]imakechili 0 points1 point  (1 child)

    Now that I think about it this seems more likely... doesn't Sheep itself have some sort of API tokens for all its users? What are those for, anyone know?

    [–][deleted] 0 points1 point  (0 children)

    [deleted]

    [–]IhateSnitches 0 points1 point  (0 children)

    Ha ha ha ha ha. Imakechili and asskeeper, you 2 LE officers best mind out that you don't get shot by a hired assassin just like that prick Ross did and got caught for too, ie you might both end up dead sooner rather than later, and guess what, I've just received both of your exact most used IPs from a friend that works on this site, so if I was you I'd stop scaremongering, but that's what jealous zealous malicious devil LE do, ain't it man, why do devils like you even exist in this world man, please grow eyes in the back of your heads right where that target is BANG_________________FLATLINE.

    [–]jahwolf 10 points11 points  (3 children)

    Early SR had similar issues, including leaking headers and allowing access to low level index directories.
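The comment above (leaking headers and open directory indexes) and the Apache-version comparison earlier in the thread both come down to reading what an HTTP response gives away. The script below is an added example, not code from the thread or from any of the sites discussed: it parses raw responses, extracts the Server version and OS hint, X-Powered-By, framework cookie names and Apache autoindex pages, lists which of those a hardened server would have suppressed, and compares two hosts. All four responses are constructed; the header values are illustrative and are not captures of any real site. The `nette-browser` cookie name is from memory of the Nette framework's HTTP response class and is treated here as an assumption.

```python
"""Fingerprint what HTTP responses leak (Server version, X-Powered-By, framework
cookies, Apache directory listings) and compare two hosts. Added example; the
responses are constructed, not captured from any real site."""
import re

# Constructed stand-ins for a clearnet host and a hidden service on another box.
CLEARNET_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\nX-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: nette-browser=abc123; path=/\r\nSet-Cookie: PHPSESSID=deadbeef; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n<html><body>shop</body></html>")
ONION_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (Ubuntu)\r\nX-Powered-By: PHP/5.5.3\r\n"
    "Set-Cookie: nette-browser=xyz789; path=/\r\nSet-Cookie: PHPSESSID=cafebabe; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n<html><body>market</body></html>")
INDEX_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\nX-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html\r\n\r\n<html><head><title>Index of /images</title></head>"
    "<body><h1>Index of /images</h1><a href=\"logo.png\">logo.png</a></body></html>")
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nSet-Cookie: sid=0123; path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n<html><body>shop</body></html>")

# Cookie names that identify a framework or runtime. 'nette-browser' is an assumption
# about Nette's HTTP response class; the rest are the usual session cookie defaults.
FRAMEWORK_COOKIES = {"nette-browser": "Nette", "PHPSESSID": "PHP session",
                     "JSESSIONID": "Java servlet", "ASP.NET_SessionId": "ASP.NET"}


def parse_response(raw: str):
    """Split a raw response into (status line, [(header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]
    return status, headers, body


def fingerprint(raw: str) -> dict:
    """Pull out the attributes an attacker or investigator would correlate across hosts."""
    _, headers, body = parse_response(raw)
    fp = {"server": None, "server_version": None, "os_hint": None,
          "powered_by": None, "cookies": [], "dir_listing": False}
    for name, value in headers:
        if name == "server":
            fp["server"] = value
            m = re.match(r"([\w-]+)/([\d.]+)(?:\s*\(([^)]*)\))?", value)
            if m:                                  # bare "Apache" (ServerTokens Prod) won't match
                fp["server_version"] = f"{m.group(1)}/{m.group(2)}"
                fp["os_hint"] = m.group(3)
        elif name == "x-powered-by":
            fp["powered_by"] = value
        elif name == "set-cookie":
            fp["cookies"].append(value.split("=", 1)[0].strip())
    fp["dir_listing"] = re.search(r"<title>Index of /", body) is not None   # Apache autoindex
    return fp


def framework_hints(fp: dict) -> list:
    return sorted({FRAMEWORK_COOKIES[c] for c in fp["cookies"] if c in FRAMEWORK_COOKIES})


def leaks(fp: dict) -> list:
    """What this host reveals that the corresponding Apache/PHP setting would hide."""
    found = []
    if fp["server_version"]:
        found.append("Server header reveals version/OS (ServerTokens Prod, ServerSignature Off)")
    if fp["powered_by"]:
        found.append("X-Powered-By reveals runtime (expose_php = Off)")
    if fp["dir_listing"]:
        found.append("directory listing enabled (Options -Indexes)")
    return found


def compare(a: dict, b: dict) -> dict:
    """Shared attributes between two hosts. Note the caveat raised later in the thread:
    a different Apache build argues against one host but does not prove separate hardware."""
    return {"same_server_build": a["server_version"] is not None and a["server_version"] == b["server_version"],
            "same_os_hint": a["os_hint"] == b["os_hint"],
            "same_powered_by": a["powered_by"] == b["powered_by"],
            "shared_frameworks": sorted(set(framework_hints(a)) & set(framework_hints(b)))}


if __name__ == "__main__":
    clear, onion = fingerprint(CLEARNET_RESPONSE), fingerprint(ONION_RESPONSE)
    print(compare(clear, onion))
    print(leaks(fingerprint(INDEX_RESPONSE)))
```

Feed it the raw text of a response captured with `curl -si` to reproduce the thread's comparison on real hosts; an empty `leaks()` list is the state a hardened front end should be in.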

    [–]GrowMe 2 points3 points  (2 children)

    Interesting, can you go on?

    [–]somanyroads 8 points9 points  (1 child)

    Yes, then SR was closed.

    [–]jahwolf 0 points1 point  (0 children)

    FYI this was in Feb 2011 IIRC.

    [–]KalYuga 5 points6 points  (5 children)

    In this thread [onion link], they again insist that the site is not their doing: "Its not our project, its probably some fan of us."

    I don't really see any psychologically plausible reason for them to lie about it. It's not like trying to be cunning about its origins is very consistent with the attitude required for being the type of people that would create it.

    [–]Patrick5555 4 points5 points  (3 children)

    It would be funny if BlackMarketReloaded was responsible, to paint their competition as incompetent and leaky.

    [–]asskeeper[S] 3 points4 points  (2 children)

    It doesn't look like BMR's job, as you can see from these proofs. Plus I tested sheepmarketplace.com: they're 100% using the Nette framework (which is the same as smp.onion).
    BTW, sheepmarketplace.com was created on 14 Feb 2013 (2 months before the Sheep Marketplace release was announced through Bitcointalk).

    [–]Patrick5555 3 points4 points  (0 children)

    Of course it wouldn't look like BMR.

    [–][deleted] 0 points1 point  (0 children)

    [deleted]

    [–]gwern 1 point2 points  (0 children)

    It's totally not their doing.

    Also, altoid just came across this cool new website called Silk Road, have you ever heard of it?

    [–]dog_on_acid 6 points7 points  (1 child)

    IMO it's always been a bit shady, BMR is well established and much better.

    Also I don't like being called a sheep.

    [–][deleted]  (2 children)

    [removed]

      [–][deleted]  (1 child)

      [removed]

        [–][deleted] 2 points3 points  (1 child)

        [deleted]

        [–]GrowMe 0 points1 point  (0 children)

        The owners claim they have fans in the Czech Republic.

        [–]hofmannalbert 2 points3 points  (0 children)

        So did you contact who you think the site's owner is? 'Cause while exposing him definitely helps raise awareness, helping him fix the issues would be beneficial for everyone. So please, everyone, let's work together on building a secure marketplace!

        [–]1upped 9 points10 points  (4 children)

        I hope you messaged Sheep Support, instead of possibly just publicly giving away the owner of this market.

        [–]rayne117 37 points38 points  (3 children)

        If some dude on reddit can do it, the federales HAVE done it already.

        [–]imakechili 5 points6 points  (1 child)

        Yep. Step one I would do in an investigation like this is capture a shitload of traffic to and from the site using all sorts of features and sniff for clues. I'm certain the feds are aware of the name Sheep Marketplace and have already done this. I'm sure they're at a much later phase of their attack, either through some vulnerability that was found or in working their good ol' undercovers.

        [–]entreprenr30 -1 points0 points  (0 children)

        If this is in the Czech Republic, I don't really believe the feds would care much further. I know the United States meddles around in the world, but they don't want to make everything their problem. My guess is, they'll just hand the investigation over to the local government and be done with it.

        [–]urrlll 0 points1 point  (0 children)

        No. If some dude can do it the federals can do it.
        It doesn't mean they have done it already.
        But with the help of this guy, sure they can now.
        That's the definition of irresponsible disclosure.

        [–]sightl3ss (Smoke meth, hail Satan) 3 points4 points  (2 children)

        All this proves is that both sites may be located in the same country. It's possible that a friend or random other Czech Sheep user decided to make a clearnet website...unless I'm missing something?

        All you've done is assume that because his comments are in Czech that the .onion site is hosted in the Czech Republic without any proof of that.

        [–]g0_west 1 point2 points  (0 children)

        What I was thinking is I would want to leave comments in (for obvious reasons), but wouldn't want them giving away any information about my location, so I would run my comments through Google Translate into some random language to cover myself a little bit (and maybe throw them off the scent). Maybe he did that.
        Maybe he does just suck, though.

        [–]imakechili 0 points1 point  (0 children)

        Regardless it's trivial to approximate the location of hidden services given sufficient network resources (for the government).

        [–]Litecoin_Messiah (Messiah) [M] 5 points6 points  (1 child)

        Found 14 domains hosted on the same web server as 185.2.42.79:

        ax2.old-cans.com
        csl.old-cans.com
        dll2u.com
        epspark.com
        fontpark.net
        gallmini.com
        katua.me
        lamourparty.com
        old-cans.com
        sheepmarketplace.com
        www.fontpark.net
        www.mmorpg.cz
        www.nfix.cz
        www.old-cans.com

        Edit: I think it's hosted on http://snekweb.cz/uvod/. This is a shared host; I doubt they can run a hidden service without root/SSH access or without alerting the owner of the server.

        [–]asskeeper[S] 2 points3 points  (0 children)

        They're using shared hosting for promoting sheepmarketplace on clearnet; the hidden service is not on the same server or any other shared hosting.

        [–][deleted] 1 point2 points  (0 children)

        [deleted]

        [–][deleted] 1 point2 points  (0 children)

        I'm in awe of people who are this good at computers. I've no idea what you did, but to do this kind of sleuthing is seriously impressive to me. Nice work!

        [–]WalterWhite121 3 points4 points  (0 children)

        Eh, I don't buy it. It seems way too simple; nothing's ever that simple. Could be someone clever attempting to steer people in the wrong direction. If SMP truly was responsible for the site, they would've pulled it by now, moved server locations, etc.

        [–]blazergt8000 0 points1 point  (0 children)

        Hey, has anyone actually checked the actual marketplace, where he explicitly states he has nothing to do with the clearnet site, must be a fan?

        [–]vgrichina 0 points1 point  (1 child)

        Important thing, however, is that in the Czech Republic drugs aren't as big a deal for law enforcement – http://en.wikipedia.org/wiki/Drug_liberalization#Czech_Republic

        [–]gwern 0 points1 point  (0 children)

        On December 14, 2009, the Czech Republic adopted a new law that took effect on January 1, 2010, and allows a person to possess up to 15 grams of marijuana or 1.5 grams of heroin without facing criminal charges.

        So basically, 95% of transactions on Sheep are still illegal... On top of the whole foreigners-using-the-site thing.

        [–]aquatic_ape 0 points1 point  (0 children)

        dear, asskeeper

        where can i sign up for your online course?

        love, a_a

        [–]IhateSnitches 0 points1 point  (1 child)

        ASSKEEPER and IMAKECHILI are LE Officers, so BEWARE IF YOU SPEAK TO THESE 2 DEVILS OK. One of them has actually written that he tried to attack the SM servers with a virus, and all they've spoken about is SM's demise. Do not be led astray by these 2 LE Officers ok, please, if you know them in real life or know of them or even where they live I think you know what needs to be done to these 2 scum of this earth DEAD EM I SAY ha ha ha ha haaa.

        [–]asskeeper[S] 0 points1 point  (0 children)

        sheepmarketplace's owner pls go

        [–]rex-usb 0 points1 point  (0 children)

        Full DOX here:

        https://dl.dropboxusercontent.com/u/182368464/2013-11-03-sheepmarketplace-doxxing.maff

        Open it in Firefox with the MAFF add-on for Firefox.