If this is breaking the rules let me know, but I think it is a good way to verify vendors without spreading vendor names around or technically breaking the rules. First of all people need to understand the concept of a hash. Pretty much, a hash is a cryptographic function that takes a string and turns it into a static string of what seems to be gibberish. For example, the sha-512 hash of Turtle is: B6C09CEF36E8CDE06D67590907930FB0C02273D394F703F4D81D6334EFCB6915 A4346EB42EA8E4A4E51274C1A617200202886FBB889F313BDD0B2D3F4F0BF9B9 Now if you send someone that hash and they have no idea what it is, it will take them quite a long time to break the hash. Turtle isn't a big word and it isn't salted so it will probably take only a few weeks to brute force crack, but for an email address like Thisisntavendor@madeup.com C2576EE9B4727A971E390BCABCC90863D699F9720F7DC65E2C445060C36F2BD4 BD5819F0063905348757744CEA199F90794BDF7C69351CF56817B4DB8CED7669 it will take hundreds or even thousands of years to crack. But the thing is, if someone has the hash AND the plain text, they can very easily find the hash that corresponds to the plain text. For example, let's say I just found Thisisntavendor@madeup.com and I want to see if he is legitimate. I would simply take the hash of the vendor, and ask people "HEY PEOPLE, IS : C2576EE9B4727A971E390BCABCC90863D699F9720F7DC65E2C445060C36F2BD4 BD5819F0063905348757744CEA199F90794BDF7C69351CF56817B4DB8CED7669 Legitimate?!" Now if the people I am asking don't already know Thisisntavendor@madeup.com they can't figure out who he is by the hash, but if people do have that vendor they could scan an encrypted file they keep of all their vendors and the corresponding hashes for that hash string. If they have the vendor, they can quickly see what vendor the poster is talking about, and give him a reply. The poster never mentioned a vendor email address, and the poster didn't give a vendor address to anyone who didn't already have it.
I think it would be a good idea to have a thread where people can post the sha-512 hashes of vendors they have and ask if they are legit. No discussion of product list or prices, just Legit or Scam. If someone posts the sha-512 hash of a vendor and no one has that vendor, no one is going to figure out who that vendor is unless they crack the hash sum, and they are not going to crack the hashsum of any vendor with more than 8 characters in his name in a reasonable amount of time (less than dozens to hundreds of years to thousands of years). Even the prefix @safe-mail.net would meet this requirement or www. and .com together, would act as a salt if nothing else. Of course this system would require everyone to keep their vendor lists and corresponding hash sums of each vendor name in a file for quick searching of hash strings and corresponding vendors. So long as said database is stored on an encrypted partition, or GPG encrypted, it should offer no incriminating evidence. It would actually probably be safer than Undrugged (although I fully support undrugged and trust them) simply because there would be no centralized vendor list, just a centralized hash list. I have actually talked to the people running undrugged about replacing typing in a vendor's name with pasting the sha-512 hash of the vendor's name. They think it is a good idea and will get people to trust them more, because then people can look up and verify the vendors they have but the people running undrugged can't be accused of running a honeypot and collecting vendor information (which they do not do, but it would put people at ease). Also would make undrugged less of a target for LE and hackers because the database would be a database of hashes, with no contact details whatsoever allowed.
seems logical. however, I think undrugged would still be the best place to discuss sources (hash format or not)
I agree but a lot of people don't trust undrugged. I am not suggesting we turn this into a hashsum source forum, but since there is a thread for scammers, I wonder if it would be against the rules to post hashes of vendor names in it and ask if they are legit or scammers. Obviously wouldn't be allowed to post actual vendor names, but I wonder about hashes of vendor names.
Don't do it - posting vendor names would just be too much liability for this site. This forum is PUBLIC. Undrugged is PRIVATE for a reason. Besides, being an informed, smart consumer is half the battle anyway.
It wouldn't involve posting vendor names, it would be posting hashes of vendor names. C2576EE9B4727A971E390BCABCC90863D699F9720F7DC65E2C445060C36F2BD4 BD5819F0063905348757744CEA199F90794BDF7C69351CF56817B4DB8CED7669 would look like that. Impossible to turn that back into a vendor's name without a supercomputer and a great deal of time, but anyone with the vendor name can easily find out that hash is the hash of the vendor name. Without the vendor name, that is as useless as it looks. I fully understand the concern though, probably a bad idea to do here, but I think it is a creative solution for verification of vendors without posting vendor names.
If this site had liability or not would depend on the interpretation of the Ryan Haight Act, which states it is a crime to post links to email addresses or URLs of vendors selling illegal drugs on the internet, and also a crime to host a server with the primary purpose of collecting addresses or URLs, and also a crime to be a part of a group on the internet that serves as its main function the sharing of URLs and Email addresses of those who sell drugs. A hash isn't an email or URL so I think they would have a hard time to prove any liability. But regardless I understand this is not a source forum. I just saw this as a good way to verify vendors without breaking the rules, incriminating the forum or spreading vendor names. But I agree this prob isn't the place for it.
This is also how passwords work by the way. When you have a password on a forum for example, only the hash of the password is stored on the server. That way hackers can't get your password and the admin of the forum can't see your password. If my password is password for example, the sha-512 hash looks like this: B109F3BBBC244EB82441917ED06D618B9008DD09B3BEFD1B5E07394C706A8BB9 80B1D7785E5976EC049B46DF5F1326AF5A2EA6D103FD07C95385FFAB0CACBC86 and that is what would be kept on the server. Anyone at the server wouldn't see my password, neither would any hackers. When I go to log in and I type in my password, the server converts my password to that, and then sees if the hash it just made is equal to the hash it has on record. If it is equal, it lets me sign on. If a hacker was to input that actual hash to try and log on as me it wouldn't work either, because it would take the hash of B109F3BBBC244EB82441917ED06D618B9008DD09B3BEFD1B5E07394C706A8BB9 80B1D7785E5976EC049B46DF5F1326AF5A2EA6D103FD07C95385FFAB0CACBC86 which is CFCAB58C6E4B914FDE058C7F6EC8F5F1EF42044415342CFD0AF1D1AC96F9D563 22BAD107D6C7048B188496D136B24D730D3394A5F2C800C4477B00C9EECBE9F3 and that second one won't match the one stored on the server. My suggestion was to allow a thread here where people can post the hashes of vendor names and ask if they are legit or not, and then others can take the posted hashes, see if the hash matches the hash of the vendors on their list, and if it does they can say Yes Legit or No add to scammers list. If someone doesn't already know the vendor though, they can't realistically get the vendor's info out of the hash without an ungodly amount of time and computing power. But on second thought I do see how this is a can of worms and hipforums isn't the place for it, so I retract that idea I guess and I fully understand that it seems people don't want it here.
I still would like this thread kept open for discussion of the topic, although not posting of hashed vendor names, if that would be possible salmon. Thank you! Also sorry for three back to back posts lol.
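The login check described in the post above, as an added example that is not part of the original thread. It compares the bare SHA-512 scheme the post describes with a per-user salted PBKDF2 record, which is a substitution made here and not something the post proposes; the function names, the work factor and the sample accounts are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for this example


def bare_sha512(password: str) -> str:
    """The scheme from the post: a single unsalted SHA-512 of the password."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest().upper()


def make_record(password: str) -> dict:
    """What a server would store instead: random salt + slow salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the typed password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha512", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    # Constructed sample: two users who happen to pick the same password.
    alice, bob = make_record("password"), make_record("password")
    return {
        # Unsalted: equal inputs give equal digests, so one lookup table
        # (or one search-engine hit) covers every user with that password.
        "bare_digests_equal": bare_sha512("password") == bare_sha512("password"),
        # Salted: the same password is stored differently per user.
        "salted_digests_equal": alice["digest"] == bob["digest"],
        "correct_password": verify(alice, "password"),
        "wrong_password": verify(alice, "Password"),
        # Typing the stored hash in as the password fails: it gets hashed again.
        "stored_hash_as_password": verify(alice, alice["digest"].hex()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The determinism shown in `bare_digests_equal` is the same property that makes any unsalted digest a stable, searchable identifier for its input.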
If undrugged had worked like this from the beginning, more people would trust it that's for sure. I don't know if it's a good idea to post (hashes of) legit vendors here but it would definitely be a good idea to convert the scammer list to a hashed format. This way if a source turns out to be legit, it won't be leaked (as it happened in the near past).
Yeah that is a good application too. If all the sources in the scammer thread are sha-512 hashes, people wanting to see if their source is a scam or not can simply convert it to sha-512 hash and search the scam vendor page for it. Would get around leaking vendor names in the case they are legit, and also would distance the forum from the Ryan Haight act, although since scammers don't technically sell drugs we prob already good with that law.
by googling the hashes in this thread, i get links to this page. If vendor hashes were clearly displayed, one could likely find a name to match the hash somewhere within google.
I've been able to locate legit sources before based on altered/shortened versions of their names found on other sites, then followed up by a few minutes of googling to locate the full address.
brute forcing is getting better and better, if you know what you're doing I don't think it would take too long to hack.
I don't see this happening with hashes. It would take extremely long to "hack" if used carefully (like hash chains to make it much harder).
unfortunately, i do. I was able to locate this thread by googling the hashes found on the first page. in places like the google forums and other less-moderated areas of the net, it would not be difficult to find a post associating a hash with the email address.
Maybe it's just me being blunt but I still don't get it. Are you saying that if people started discussing hashed vendors on public forums then someone would inevitably leak enough information and others can figure the vendor out?
he means if someone posts on a forum that whoever = hash-whatever and people talk about hash-whatever here if people google hash-whatever they might be able to find whoever by searching for the hash.
take the "canadian source" of research chemicals for example. He is referenced all over these forums, and even a beginner can locate the vendor with less than 5 minutes in google. ps: if you consider this to be posting a source, then hash posting would be just as guilty
I agree, but I am not so sure what you just posted would violate the no sources rule. It depends on how conservative the rule is. Regardless I see your point and don't think this is a place to post hashes of vendors. I do think the concept could be applied in good ways though. If undrugged had started with hashes I am sure they would be WAY more trusted, it is a shame no one thought of the idea before undrugged launched. Another way it is sort of applicable is it isn't in violation of the Ryan Haight law which pretty much makes sharing sources illegal in itself for Americans: __________________ (f) Offenses Involving Dispensing of Controlled Substances by Means of the Internet- Section 401 of the Controlled Substances Act (21 U.S.C. 841) is amended by adding at the end the following: `(g) Offenses Involving Dispensing of Controlled Substances by Means of the Internet- (1) It shall be unlawful for any person to knowingly or intentionally-- `(A) deliver, distribute, or dispense a controlled substance by means of the Internet, except as authorized by this title; or `(B) aid or abet (as such terms are used in section 2 of title 18, United States Code) any activity described in subparagraph (A) that is not authorized by this title. 
__________________________ `(2) Examples of activities that violate paragraph (1) include, but are not limited to, knowingly or intentionally-- `(A) delivering, distributing, or dispensing a controlled substance by means of the Internet by an online pharmacy that is not validly registered with a modification authorizing such activity as required by section 303(f) (unless exempt from such registration); `(B) writing a prescription for a controlled substance for the purpose of delivery, distribution, or dispensation by means of the Internet in violation of section 309(e); `(C) serving as an agent, intermediary, or other entity that causes the Internet to be used to bring together a buyer and seller to engage in the dispensing of a controlled substance in a manner not authorized by sections 303(f) or 309(e); `(D) offering to fill a prescription for a controlled substance based solely on a consumer's completion of an online medical questionnaire; and `(E) making a material false, fictitious, or fraudulent statement or representation in the submission to the Attorney General under section 311 ___________________________________________ `(3)(A) This subsection does not apply to-- `(i) the delivery, distribution, or dispensation of controlled substances by nonpractitioners to the extent authorized by their registration under this title; `(ii) the placement on the Internet of material that merely advocates the use of a controlled substance or includes pricing information without attempting to propose or facilitate an actual transaction involving a controlled substance; or `(iii) except as provided in subparagraph (B), any activity that is limited to-- `(I) the provision of a telecommunications service, or of an Internet access service or Internet information location tool (as those terms are defined in section 231 of the Communications Act of 1934 (47 U.S.C. 
231)); or `(II) the transmission, storage, retrieval, hosting, formatting, or translation (or any combination thereof) of a communication, without selection or alteration of the content of the communication, except that deletion of a particular communication or material made by another person in a manner consistent with section 230(c) of the Communications Act of 1934 (47 U.S.C. 230(c)) shall not constitute such selection or alteration of the content of the communication. `(B) The exceptions under subclauses (I) and (II) of subparagraph (A)(iii) shall not apply to a person acting in concert with a person who violates paragraph (1). `(2)(A) Except as authorized by this title, it shall be unlawful for any person by means of the Internet to knowingly advertise the sale or distribution of, or to offer to sell, distribute, or dispense, a controlled substance. `(B) Examples of activities that violate subparagraph (A) include, but are not limited to, knowingly or intentionally causing the placement on the Internet of an advertisement that refers to or directs prospective buyers to Internet sellers of controlled substances who are not registered with a modification under section 303(f). `(C) Subparagraph (A) does not apply to material that either-- `(i) merely advertises the distribution of controlled substances by nonpractitioners to the extent authorized by their registration under this title; or `(ii) merely advocates the use of a controlled substance or includes pricing information without attempting to facilitate an actual transaction involving a controlled substance.'. `(50) The term `Internet' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected worldwide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocol to such protocol, to communicate information of all kinds by wire or radio. 
`(51) The term `deliver, distribute, or dispense by means of the Internet' refers, respectively, to any delivery, distribution, or dispensing of a controlled substance that is caused or facilitated by means of the Internet. __________________________________ here is the aiding and abetting law they mentioned: Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission, is punishable as a principal. ___________________ now here is this one again: Remember, this is not illegal so long as the people running it are NOT WORKING IN CONCERT with people violating the rest of the act: `(I) the provision of a telecommunications service, or of an Internet access service or Internet information location tool (as those terms are defined in section 231 of the Communications Act of 1934 (47 U.S.C. 231)) section 231 of the Communications Act of 1934 (47 U.S.C. 231)) : Internet information location tool = "a service that refers or links users to an online location on the World Wide Web. Such term includes directories, indices, references, pointers, and hypertext links." so if there was a website set up that had the front of being a rainbow table for cracking hashes, and let users submit the rainbow table data, then if hashes were posted on forums of vendors the people posting the hashes wouldn't technically be breaking the law, and so long as they can't prove the people operating the wiki-rainbow-table are working with vendors or customers, they can't get in trouble for running their service. then to get around `(B) Examples of activities that violate subparagraph (A) include, but are not limited to, knowingly or intentionally causing the placement on the Internet of an advertisement that refers to or directs prospective buyers to Internet sellers of controlled substances who are not registered with a modification under section 303(f). 
They would I think have a hard time to say that a hash of a vendor's name, that can't be brute forced without millions of years, is directing people to vendors. The central rainbow table could be hosted in Panama or some other not USA country, where it would violate no laws. People in USA could then post hashes of vendors instead of the actual vendors contact info, and they would have a much stronger case in court against this law than if they just posted the contact info. And the law specifically says that it isn't illegal to discuss product prices and quality etc, just to direct people to them or refer to them. Well, posting a hash isn't referring to anyone and it would be hard to say it is technically directing people to them either. They could try and say posting the hash is in a way directing people to the vendor, but they don't have directing defined very well. It would need to be decided in court and probably could get all the way to the Supreme Court. Is it directing people to internet drug sellers just by saying there are internet drug sellers out there? I don't think a court would buy that. They say directing to mean posting contact information, but it is true they would try to very liberally interpret the term in court but anyways it would give people a much better case. Because just giving a person a hash is worthless unless they already know the vendor. And outside of USA it isn't illegal to have a big ass database of hashes and their corresponding vendor contact information. It is just illegal for an American to give someone a vendor's contact information....but.....I really think they would have a very difficult time to say it is illegal to give a person a hash of a vendor's contact information.