Interview With “Cannabis Road” Lead Developer

Posted by: DeepDotWeb

May 13, 2014

Update: Cannabis Road Hacked: $100,000 (~200 Bitcoins) Gone

One of the more loved markets at the moment is “Cannabis Road”, a market dedicated only to cannabis products: no other drugs, no weapons and no carding. This was not always the case. At the beginning, the market was developed by different people than the current ones, developers who were not suited to running a Dark Net Market and made some serious mistakes. Since then, the development team has changed, and the market is now in the hands of fully competent developers and administration. The team running this market is operating under the impression that the mistakes of the past are still haunting them, so the lead developer, Crypto, decided to do an interview to try to clear up those misunderstandings, and I think he has done a good job. He also explained some features I was not aware of (like the fact that they have 3 different types of multisig escrow) and some interesting concepts and plans for the future.

So here it is:

Cannabis Road Url: http://cannabiskofvl7pa.onion/
Forum: http://forumzxmoorof4ja.onion
Proof Of ID

DeepDotWeb: First let me tell you I love your site, and I think you did a great job there.
Crypto: Thank you! :)

DeepDotWeb: As I understand, you wanted to clear up some misunderstandings about Cannabis Road?
Crypto: Yes, definitely. I came across a review on your site, which was a reminder that our name, Cannabis Road, hasn’t been able to escape its past. And I wanted to clear things up about the past and the present.

DeepDotWeb: Yes, we see that with some markets (see the Evolution interview for example, although from another angle)

DeepDotWeb: First – Who are you and what do you do?
Crypto: I go by the online handle Crypto, I’m a programmer/developer and I was brought into the Cannabis Road project a little over 2 months ago. I was basically brought in to pick up the pieces, left by the original developer and fix that developer’s huge mistakes. And I’m now the lead developer of Cannabis Road. The original developer no longer has any involvement, official or unofficial to Cannabis Road, nor was he ever involved publicly in any way. He never had an online handle, he was exclusively behind the scenes as a developer. He had no experience with the darknet, and had no place developing a market like this.

DeepDotWeb: Can you tell about the history of CR? When it was established, for what purpose, what happened since etc….?
Crypto: Cannabis Road was established back in early February, by Don Cannabis, who is like our Defcon, but he really didn’t have much knowledge relating to the technical aspects of running a market, so he went out and found a few programmers to try and get this thing off the ground. The first programmer ended up scamming him and taking his money, the second programmer ended up doing a similar type of bait and switch by demanding more money and eventually leaving when his increase in fee wasn’t paid. Finally the third developer was brought in, and this is the one that had no darknet experience at all. This developer made textbook newbie mistakes such as directly using GET and POST requests in their database queries, which is a big no-no for any experienced developer. He was, however, good with layout design. In fact, your article on DeepDotWeb outlines pretty much every mistake this original developer made. And within about 1 week, they had attempted to launch an unfinished market. They wanted to start building up a member base, despite not even being able to process payments at that time. It was a complete disaster, with a market full of security holes, and information leaks.

Within about 7 days, the entire database was dumped and deleted and the original developer was instructed to take down the market so they could fix the problems. This is when people who were actually knowledgeable in the field started contacting the people involved in Cannabis Road, such as Don Cannabis, and saying you need a lot of help. It seemed that there were some highly technical people, who liked the idea of Cannabis Road, and thought that a cannabis only market was a great idea and offered their help. Mainly, the first recommendation was to fire the original developer because he obviously had no clue what he was doing. Some of these people included well known users on reddit, but I won’t mention their names.

DeepDotWeb: What kind of developer does it take to develop DeepWeb sites that is different from Clearnet sites?
Crypto: You must, absolutely be always learning new aspects of programming, security, networking, development. New bugs, new vulnerabilities are always being discovered, the most recent big one being HeartBleed. And if you aren’t staying up to date with the types of vulnerabilities, your market is going to suffer at the hands of those who are up to date. In the case of our original developer, he didn’t even know about preventing simple SQL injection.

DeepDotWeb: Oh so the problem was beyond just not being a deepweb skilled developer – but more like… just not being a skilled developer at all.
Crypto: In our case, yes. BUT, had he some knowledge of the deepweb, he wouldn’t have hard coded the server’s IP addresses into the source code for everyone to see…….

DeepDotWeb: Ok, And after he was gone what happened?
Crypto: So after he was fired, I was contacted by Don Cannabis, out of the blue and offered a position to develop at Cannabis Road, this was about 1 month after the original market take down. I had demonstrated at least some knowledge about operating in the deepweb, and they were looking at new developers to pick up the pieces. I wasn’t the only one who was contacted but, the smartest people on the deepweb, are smart enough to stay away from developing and administrating a market.

DeepDotWeb: And then it was completed in another month, and went smoothly from there?
Crypto: Yes, I started developing 14 hours a day. I completely rewrote the code from the ground up. The only original code I kept was the layout itself, because I think it looks really good, but other than that, it was a complete rewrite.

DeepDotWeb: So, what interesting features does the market offer?
Crypto: Initially we wanted to offer multisignature payments only, because I was under the understanding that all markets were heading towards this model. Unfortunately, your average darknet market user does not have the patience or at times competence to deal with it. So we decided to build a hybrid system. We were the first market, before Evolution, to offer both traditional escrow and multisignature escrow.

Crypto: But then we realized even further, that multisignature escrow has multiple ways it can be implemented. There are easier ways which offer less protection for the users involved, and more complicated ways, which offer the most protection. And we couldn’t decide which one to use.

DeepDotWeb: So what did you end up with?
Crypto: So we decided to offer 3 different options of completing a multisignature payment. These options are offered as a choice to the users involved. I can go through each one briefly.

DeepDotWeb: Sure!
Crypto: We like to call it 3 levels of multisignature, because each one is more technical than the last.

All three levels start off the same, asking for public keys of the buyer, vendor and market to create the shared (multisignature) address. The buyer sends funds to the shared address. Once the buyer is happy, the buyer agrees to finalize the order, this is where the 3 levels are offered.

Once the buyer agrees to finalize, the market will ask the vendor for their private key, that is part of the keypair with their public key used to generate the shared address. Then the market supplies its private key as the second key and the funds are withdrawn to the seller. We call this the private key method. And some of our users are perfectly comfortable with this, but others argue it could give the market the chance to steal their funds. Which is why we offer these next 2 levels as well.

The second level is what we call “Sign and return”: This is the same method offered by BlackBank and Hydra, in which the raw transaction is created, and constructed in a very simple, automated style, which allows for easy copy and paste into your Bitcoin client, adding your private key, and executing the command “signrawtransaction”. This adds the vendor’s signature to the transaction, then the vendor returns the partially signed transaction (because it still requires a second signature) to the market, the market adds its signature and will broadcast the transaction on behalf of the vendor.

The final level, we call Broadcast: This is where the market adds its signature first, and constructs the transaction in an easy copy and paste format for the vendor to add their own second signature. Instead of returning the transaction which has 2 signatures added to it, the vendors at this point have the fully unlocked transaction, in which they are able to broadcast it themselves from their own Bitcoin client by executing the command “sendrawtransaction” – This is the method offered by TheMarketPlace and I believe Evolution. This gives the users the most feeling of security that the market never has the fully completed transaction in their hands but is also the most complicated for your average user.

Our biggest challenge has been keeping everyone happy, and I feel that offering all the options people want and giving THEM the choice is the way to go. We haven’t finished the new tutorial yet, but we do have someone working on it.

DeepDotWeb: So, in light of the past events, what can you tell about the security measures that keep users’ data safe now? (auto pgp, encryption etc….)
Crypto: Well, one of the main things that the original developer failed to do was hash passwords. We do that now. You mention auto pgp. This is one that we have received criticism for, but we do have an on-site feature which does allow on-site PGP encryption for when users send messages between each other, and one for encrypting their addresses when checking out their orders. I would like to point out that we mention in big red letters, that the use of this feature is for convenience only, and it is recommended for you to be PGP encrypting your personal information on your own computer, preferably while offline. And related to PGP, we REQUIRE addresses to be PGP encrypted, otherwise the order will NOT process under any circumstances.

DeepDotWeb: What is the current size of CR in terms of users, how many listings etc…? (if you want to tell us)
Crypto: Our official launch, we like to say was April 20th, although we were in prelaunch for about 2-3 weeks before that. In that time we have about 435 listings, and we’ll be hitting 10,000 users by the end of May. Not bad for around 1 month. I have been blown away by the reception we have had from the darknet community.

DeepDotWeb: Yes it was pretty welcoming – And I can tell you why
Crypto: Please do.

DeepDotWeb: Because you (or the admins) were honest about the issues – Apologized and took the market down, to come back when all was fixed – While most other admins did the exact opposite when they were hacked, Especially at the time when it happened when 4 markets were getting hacked every week.
Crypto: Unfortunately for those markets, they all served as great learning tools for myself.

DeepDotWeb: Do you feel that people are still trying to discredit CR because of what happened?
Crypto: Yes, every now and then, we come across people who bring up the past about Cannabis Road, and I’d like to post a review from your website:

moonerbase: CannabisRoad was hacked and forced to close after 2 days! Now it comes back with fixed some things but not all. This idiot isn’t fit to be running a market and it should have warning sign to tell people of danger.

Crypto: I felt like this was an attack directly against me – “This idiot isn’t fit to be running a market”. Which is why I wanted to have this interview with you. To first clarify, that I’m not the original developer. He is NO LONGER involved in ANY WAY with Cannabis Road!

DeepDotWeb: So what interesting features are planned for the future of CR?
Crypto: We plan on implementing the vendor directory API under development by El Presidente, so that people are able to identify vendors on our market with established vendors on other markets and view their stats and verify their PGP keys all from our market. I feel that market segregation is hurting our cause, and the cause of the other markets as well. We should all work together, and by implementing these stats, we are saying that we recognize other markets’ right to exist and prosper.

DeepDotWeb: You are also on Grams I assume?
Crypto: Not yet, but we’ve been contacted by them, and plan to get on Grams soon.

Crypto: Another thing I want to mention is that since our launch, we held a 4/20 raffle with EastCoastCollective, who is our most popular vendor and he gave away 3 prizes. (1) One ounce (2) Half ounce (3) Quarter ounce
Crypto: This month we are featuring AngelEyes, who will be giving away, I believe, the same prizes. And now, because of the success of these raffles, we will be featuring a new vendor every month in a raffle that will be giving away FREE cannabis to those who enter it.

DeepDotWeb: What are the vendor bonds / fees / FE policy / Scammers status on CR?
Crypto: Vendor bonds are 0.5 BTC for unestablished (new) vendors. If a vendor comes to us from another market, and has at least 20 finalized sales with unique feedbacks, we usually will waive the bond. Especially if it’s on a big market like Agora or SR 2.

Crypto: FE policy is on a case by case basis, but there are no restrictions for established vendors to finalize early. But if we suspect something is off, we may temporarily revoke your ability to finalize early until some of your orders have finalized, but this is rare. We have had a few scammers since our launch, this mostly happened before we implemented vendor bonds, and hasn’t happened since. Commissions are 4%.

Crypto: We had about 2-3 scammers, but they were stopped before any significant money was scammed.

DeepDotWeb: Did you experience any new hacking attempts since the relaunch?
Crypto: We’ve experienced a few new hacking attempts, and were threatened by a few people directly on the Hub to pay extortion fees or else suffer the consequences. I take every threat very seriously and consulted with a few colleagues of mine about the threats and I am happy to say that none of the attempts were successful, and we had refused to pay the extortion fees. But I want to clarify, that I don’t believe we are impenetrable, nobody is perfect, and I want to be humble in that, I will always take every threat, or report of security flaws in our market VERY seriously and investigate it immediately. Also, we do offer bug bounties, so if you discover any security vulnerability, you can contact me and we assess the bug bounty on a case by case basis and the person reporting it will be compensated.

DeepDotWeb: Also I can only *assume* that from all the current DNMs CR is the lowest priority market in LE’s eyes, your thoughts about that?
Crypto: I really hope that is the case. Cannabis really doesn’t need to be illegal, and already 2 states in the United States have legalized it for recreational use. We’re hoping that LE will consider us low priority, but we never let our guards down, just in case.

DeepDotWeb: Anything else we did not mention that you would like to add?
Crypto: Our mission statement – We believe that prohibition against cannabis is inhumane. There are people serving life sentences for simple possession of cannabis in the United States. In Japan, your first possession offense for cannabis could land you 5 years in jail. But cannabis is a plant that has so many useful uses, such as medicine, paper, clothing, fuel, nutrition and we really want to see this prohibition against cannabis end. We want to educate the public, as much as possible about why cannabis is not the “reefer madness” drug that it was made out to be. Not a single person has ever overdosed on marijuana that has been documented.

DeepDotWeb: Thank you for your time, and I hope you will succeed with CR!

Updated: 2014-05-13