Posted by: DeepDotWeb
June 3, 2015
Just a few days ago, Mr Nice Guy admin was exposed while conspiring to ddos other markets, After the story started to spread, he requested to conduct an interview where he could tell his side of the story, and i was happy to provide him with the stage to do so, i just asked question and let him answer freely, and you can be the judges:
So whats your side of the story for:
Conspiring with the extortion ddoser to ddos other markets?
Competition has grown tremendously over the last years, at first (you will notice the dates in the conversation) I held out like other markets and refused to pay. I actually did make gains on building up the protection. But I needed more time as I am a single programmer dealing with issues on the site, with individual vendor sand other technical issues. The DDOS guys pushed that work load over the edge, I needed a break.
As a promotional scheme in the beginning we offered no commission, too many vendors to get them to move over and give us a chance. This kind of, to some extent worked, as I do have vendors using the site.But it also meant I only just about break even with running costs. Believe it or not, I have not used reserves from any escrow account and did not plan to. As in the young stage of the site, a “cash run” if a larger or small competitor spread any rumor is a very likely occurrence. In this case it was not a rumor but it very almost caused “a cash” run. I know that allowing a cash run would build trust and the more often I allow my reserves to be drained and that to be seen in clear public will show I am actually not spending, not using customers / vendors funds.
They truly do sit in a small online wallet and larger offline wallet, awaiting to be withdrawn.But having that policy and strictly sticking to that policy has been costly. So if I could only survive with a break from this torment, needed to be sure I had enough funds if they were to continue regardless after I paid them. The only choice I had was to use the opportunity to drum up further sales to support this momentary break in the “whether”. For this reason and only this reason I was not afraid to take on the inevitable withdraw run when the story first broke.Somehow that cash run never really fully happened, sort of a miracle but it is still all sitting there waiting to be withdrawn. So that does not make too much of a difference.
Run the market as a fractional reserve scam and then exit?
This was the one part that hurts me the most! That comment will follow me for a long time to come. But if you understand the circumstances, one’s perspective can easily be changed.You see I am not the most powerful market; I am still small compared to others. If any other market offered them a similar deal, I could be out bid in a split second. As remember my unwillingness to dig into the escrow reserves.So to ensure they would not become some sort of double agent type thing playing the same game with multiple markets.
I had to make it at least seem like there was a strong chance that I am indeed the best to be associated with and talking with other markets would just jeopardize their lucrative future.At face value it looks bad, but in reality it kept my customers escrow funds safe and gave me the time I needed to get stronger.Once the story broke almost instantly I was DDOSed to hell and back. But thanks to that time I had to calmly develop better measures, I could still allow people to withdraw.
What is your take about TRD’s role in all of this?
It would be unfair for me to directly point the finger at them if they are indeed actually heroes of the people. Certain circumstances just seemed to perfect for the real world and gave me a great suspicion that I was played for a fool. I mean for instance I know that the ddos crew bought shellaccounts on TRD. With their consent or without out we will never know. With the incomplete explanation of the hack to expose the ddos guys and us, did not add up, at least not with the information that was presented to me in the way that I understood it.
But after a long discussion with TRD, I believe we are on the road to reconciliation. I believe they will allow me to have the opportunity to explain my actions and I will have the opportunity to understand theirs too.
Before I say more on that subject it is important to give that reconciliation a chance and only then we will be able to draw concrete conclusions.
The parts about you buying some nodes off him or what…?
It is a well known fact they focus on the security / exploit arena. It is plausible that is why the ddos crew choice them, but I cannot rule out more sinister scenarios until further progress has been made in our attempts of reconciliation.
Your general take on these events, the attacks and whats going on and how / by who etc…?
I believe there is opportunity to grow here, to build something out of the ashes of this disaster and come out stronger. They and most others now know they cannot take me for a fool. In fact I think everyone now knows I will fight to the bitter end. Logically scrutinizing and breaking down accusations against me or claims that hurt me, with every resource at my disposition.
However it is of great importance to myself to be perceived as a logical fair person. So sometimes it is better to put away the arsenal and build bridges and collaborate to expand security and methodology.
Did you have the chance to communicate with other market admins regarding the ddos?
Until now I did not truly understand the importance of collaboration between competitors per say. But in fact we are all facing the same threats; the resources used against us are beyond comprehension. This has taught me that at least on security grounds, collaboration, even amongst competitors, is vital to our continued existence. From this day on I will be more willing to give and accept advice from my peers.
Why didn’t you communicate it the community like most admins did regarding the ddos attacks?
As explain above until the outcome of this scandal, I was a “go it alone” maverick, that has now changed.
What’s your version of the 17yo doxxed kid on Reddit story…?
I truly enjoyed this story, as if you look at my site. With features such as the automatically calculated shipping routes and being the first market ever to be in multiple languages. Just the programming and security measures are overwhelming, let alone the logistics of running and marketing with so many hostile competitors and generally rogue people.
If I could do all of this at 17, I would not be running a market today. I would be the CEO of some massive corporation. But alas no, my experience comes from a long career (several decades long).
A career that treated me well but confronted me with many many challenges. Today with a lot more free time on my hands and nothing much more to do. I use my experience to try and build the best market ever made.
It would be quite a thrill if I did reach the top at some point in time. I made a mistake and tried to use guerrilla tactics. That is one thing that is new to me and I should have known better and stick to being guided by my life’s experiences.
As for that poor kid, yes he was an idiot but most 17 year olds are, so we should let him off the hook. You need to be smart to be in this game and survive, therefore you will need to have the sixth sense that only the challenges of life can bestow on you with age.
Please kids experience the real world before you commit yourself to this world, it will take everything you got to survive here! One mistake and it can be all over!
Do you think it would be possible to gain back the community’s trust? What do you think you could do for that?
As I explained above, I don’t have much to do with my time. This is both a hobby and a challenge, it keeps my mind active. Without this I don’t know what I would do with myself.
I think a better tactic would be to just build up new features and better services and improved security.
I think, the above mentioned and time, will go a long way but I am not
sure if I will ever fully recover from this. In all honesty that is not really the point. I enjoy what I do and as long as the site is used I have a valid reason to keep doing it.
So my point to get across is I am sorry, I have learned my lesson. Just keep using the site and I will keep improving it!
Ps. I think it’s now clear I am of advanced age, but not old enough and I certainly healthy enough not to die any time soon, don’t worry!
You have announced to be the first multilingual market, what can you tell us about this?
I am proud to say that my market can indeed legitimately hold claim to the title of being the first, and currently only, Dark net Market that is available directly in multiple languages.
I would like to take the time to assure you, and anyone reading, that this is no cheap gimmick to cheaply attract patrons; my market is now correctly and coherently, multilingual.
The ‘Mr. Nice Guy Market’ has a lot of content and as such this cannot be, and is not, some cheaply done development that rests upon an online translation tool; I have dipped deeply into my personal finances so as to employ the best (human) translators. These experts are specialists in
multiple languages so as to ensure that I can provide the best possible experience for those of whom English is not the mother tongue, but who still want to purchase products on the dark net from one of the larger markets.
Thus I would like to take this opportunity to extend my personal invitation to all speakers of the French language wherever you may be; to come and browse my market in your native language.
While French is currently the only extra language available I have my translators working hard at this very moment to implement the following languages:
Unfortunately I am sorry to say I have yet to find adequate translators for the following languages:
For ease of use I have combined this feature into the option bar that is present at the bottom left of every page (inclusive of login and register). This allows selecting their preferred language, currency and measuring system from simple drop down lists. Once the options are confirmed, the whole market (including all tool bars and notifications) will be immediately presented with all your aforementioned selections.
Mr. Nice Guy foundation, is this for real or just for the image?
This is entirely real; I started off the foundation as I really want to change things in the drug industry. In my opinion there are two ways of doing this:
1) The legalization of drugs – When drugs are legalized it introduces safe guards that benefit users, suppliers and even governments. I believe a lot of drug related crime is due to the difficulty getting substances, due to their legality, and due to the high prices dealers can force on people.
I like to think that markets like mine help reduce these problems by
providing a simple, secure purchase platform that helps to encourage competition; this in turn can help lower prices while raising quality
2) Helping those who have been negatively affected by drugs – Not every person who uses drugs develops problems (unlike most media outlets wish us to believe), however some do. As such I believe in taking percentage of the profit from drugs donate it to the victims of both direct substance abuse and those indirectly affected by the drug use of.
The Mr. Nice Guy Foundation supports charities for people who became the victims of their own drug abuse. The money is collected through the sale of drugs on this website.
To prove that I do in fact make the donations promised, I make sure to list all details of every donation I make. These details can be found the bottom of the donation page where you can see the receiver, their BTC address and Transaction ID. Not many people take this seriously, for obvious reasons. So donations, as you would expect, have been minuscule. However to get the ball rolling I donated 5 coins to tor server.net recently as a start. (More info on our site)
Anything you want to say for a last word?
This market has taken a lot of man power and funding to get it this far. Everything has been thought through with a team of professionals; from the design and functionality, to high tech safety features and my personal policies. I have a team of translators working around the clock to implement new languages. These are just a few of the people working behind the scenes to provide the best experiences for my users.
Recently I have moved to implement a great many features, to name a few these include; a problem resolution center, a referral system with which any user can make money, my multi-linguistic customization service and of course my foundation. I aim to make my market an inspiration for others in the dark net world due to its high functionality, ease of use, good service and even its ethical approach to drug sales.
I admit we have had some poor publicity in the past and I do apologize for this; however I am committed to work hard on my market until the time comes that I can fully gain the trust of all dark net users. For me, as I hope it is for you, it is clear I will be here for a long time to come.
To help convince vendors and customers, our exit scam conversation was a tactical incentive to some thugs and nothing more.
All vendors which can prove with PGP signature their identity, which have more than 100 trades with a rating 97% + on any other market can have FE option immediately! So they can withdraw
Only put the money you need for a certain trade onto your account and do the trade as fast as possible once you have added the bitcoins to your account. As soon as your product is on the way you cannot lose anything at that point.
If you have money left over on your account please withdraw it to an offline wallet and add it back when you need to do another trade.
I will finish of the multisig which anyone will be able to use if they don’t trust this market. (Don’t be lazy; use it once it’s finished to be secure.)
These are good tips for usage on any market. As markets, so far, have only been busted or exit scammed! So like this you can reduce your risk to a minimal.
And you can always be more optimistic, in knowing if you would make1000 good trades and loose out in one. That is still a good statistic, there is risk in everything in life.
But I still hope even that single theoretical lose is never with us!
My First Community Contribution
Tor has a lot of latency the pipe sizes are decent but the latency is caused by the cpu overhead of the constant encryption decryption. So due to this latency the attack was not really over whelming my bandwidth but
instead maxed out my file descriptor slots. All decent programmers will understand this.
Now tor has a single pipe in so the data coming in was not an issue but the failed connections due to no more descriptor identifiers available was a very big issue.
So my solution was to patch tor it’s self to pretend that the connection
was successful. I would then receive the http header and allow it directly to sit in the lib event out going buffer. Once the header was complete I would examine it for a time slice code. If the code was correct I would
allow the connection to the http server. If it was not present or not correct it would server a file (preloaded) directly with out created any local connection meaning not consuming a descriptor slot. The time slice code was generated once a minute and downloaded to the tor firewall server. Meaning trying to ddos the time slice code generation was also futile.
Some linux enthusiast my say why not just increase your max descriptor count per process but remember in that case you only solving the dropped connection problem but your web server will now be even moreover whelmed and fast-cgi amd mysql are actually not all the fast. So that is not a solution at all. That is how I build up my initial defense, I have a lot more to come. But all the other sites can now implement this concept if they have the skill and they will be soon be vastly more tolerant of ddos attacks.
If a similar method was build into a special hidden service type, inside the core of the tor nodes, it could theoretically prevent ddos attacks all over the tor network. But that is just speculation at this point.
One possible idea off the top of my head would be to periodically update a time slice code on the directory servers that can serve a default tor captcha page if that hidden service was registered for ddos protection.
This might even have the capacity to screw with government attacks, if that don’t already have sophisticated captcha OCR tools but governments are usually behind the game in those types of tools.
One recognized methods they use, is it what I call the Christmas tree effect (not sure if it has an official term). Turn ddos on and check loads on the various intercepts around the world, turn off and check load reduction.
This would take a lot of intercepts but we know the us government puts them in every country in the world.
With a ddos prevention at the directory node, this would render those tool useless, for now!
But for ever more against less sophisticated third world countries, so programming it would still be worth while.
I will shortly open a new forum section for dark net service security, so all peers from all markets are welcome to exchange ideas and info.