Silk Road forums

Original BitWasp:  https://github.com/Bit-Wasp/BitWasp

The fork called Amped Market: https://github.com/ampedup/AmpedMarket

i'm interested in the concept of a blind market, where the market admins don't know what products are being sold. (This reduces their liability as well.) They only know that buyer1 sent 3 BTC to vendor2 for product <hash3>, or something along those lines. If the market were compromised, LE would only see a series of anonymous transactions for unknown products. The only ones they could deduce would be transactions that they were personally involved in as buyers or sellers.

Now we have the exact opposite. Instead of hiding buyer stats from the admins, they are publicly exposed.

KMF, what is the ETA on that decentralized market?

I won't be participating in this. Going forward, I'll simply finalize without leaving a review.

I also object to my buyer stats being retroactively exposed on past purchases without my knowledge or consent.

Ah yeah I read about Eleusis some, was before my time but he is famous and should certainly be included in the history of the scene as well. JFL, was that the poisonous non-consumables site?

Yep, if he wasn't the first online seller of grey market drugs, he was certainly the biggest in the early days. Got busted in 2001, I believe.

https://en.wikipedia.org/wiki/JLF

Eleusis was busted even earlier though, around 1998, so he may have been the first notable bust of an RC supplier. What I find interesting is that he was not a chemist, but learned how to synthesize I wide variety of drugs, including MDMA and RCs. Starkly different from the 37 pages of fail in the the DrDeepWood thread.

Blog: A dynamic message referenced by a long term public identifier string, only you can modify the message and anyone with its identifier string can download it, this would be a spot where people could list products if they wanted to

PM: A fixed message referenced by an ephemeral shared secret identifier string, Alice tags a message for Bob with a secret one time use identifier shared between Alice and Bob, and this allows Bob's client to obtain the message after it arrives at a PKS.

Group PM: The same as regular PM, but instead of tagging a message with an identifier for Bob, Alice tags it with identifiers for Bob and Carol, and encrypts it so both of them can decrypt it.

Forum: The organization of group PM's into a forum like visual structure, which takes place client side, with each user being the admin of their own perspective of a forum, which itself is crafted using the collection of group PM's as its' threads. So when you gain access to a group PM discussing Astor's blog, you can move it to the subforum vendor reviews, which exists entirely client side on your own system, and when you gain access to another group PM discussing the same thing you can merge it into the original group PM, and replies are compartmentalized such that if you respond to a post from the original group PM it only goes to people in the original group PM, and the same for the secondary group PM, but it gives you the impression of a single thread of messages and of participating on a regular forum on which you are the only admin.

Can't wait to see it.

I gotta say that this whole Silk Road thing may not be worth the trouble. I just got my bitcoin back from vendor planetexpress because i didn't FE but apparently he got away with about 30K. Now greenovendoor has my bitcoin and I have a strong feeling that theres nothing in the mail on the way to my house. When I get my bitcoin back this time I may try a new site like Black Market Reloaded or Atlantis. May be the same crap over there, but this here is insane!! I basically just keep my coins in escrow and never get any product!!! Been trying to get some good herb for going on 3 weeks now!!!!!

It is getting bad and the admins need to take a more proactive approach at identifying and stopping scammers. When a vendor can scam $30K in a couple of weeks, the $500 vendor bond is useless at stopping them. SR is simply too big and has too many clueless newbs, so it's a wonderland for scammers. SR users are being ripped off for tens of thousands, perhaps hundreds of thousands of dollars every month. Legit vendors should be pissed about that too, because that's money that could have gone to them.

They can't rely on users reporting scamming vendors and then waiting another week for the evidence to accumulate. They say they can't just ban vendors without solid evidence, but there is a middle ground. They can sandbox sketchy vendors. Block them from withdrawing BTC. Also, it's pretty easy to write a few algorithms to detect potential scammers early. Here are some suggestions:

1. If the average time between marking an order in transit and finalizing drops below 24 hours (or a similar time frame) within any 24 hour period, flag the account for manual review by the admins, and block BTC withdrawals.

2. If the average time between marking an order in transit and buyers finalizing drops more than half a standard deviation from the vendor's overall average, flag the account and block BTC withdrawals.

FE is how all these scammers operate and it's easy to detect. DPR wrote a fairly sophisticated formula for calculating commission, using Euler's constant, and he has algorithms to detect mass BTC withdrawals. I have a hard time believing he can't write a few simple formulas to detect mass FEs and sandbox the accounts. Again, we're not talking about banning them outright, but they can be sandboxed until more evidence is gathered.

There is no excuse for this. As I've said before, the new feedback system is pointless when they do nothing about scammers for weeks anyway. Aggressive identification and sandboxing of sketchy / scamming vendors should be their top priority.

People are still asking me about my GPG4USB tutorial. It was originally hosted on FH so obviously that is gone now. I will probably put it on a hidden service sometime in the future, but I'm not ready for that now. So, I figured I'd post the text here, which should be enough to get people setup.

If you want the screenshots, I found some clearnet mirrors of it. I have nothing to do with these sites.

http://befree.blogs.se/2013/06/07/gpg4usb-tutorial-16098773/

http://hacksociety.net/Thread-Tutorial-GPG4USB-Tutorial-Safe-way-to-encrypt-plain-text-in-emails-communication-etc

And if you don't want to visit clearnet sites, here is the text.

================


GPG4USB Tutorial

PGP Basics

A lot of people are confused by public key cryptography. A common mistake is to encrypt messages to other people by using your own public key. That is wrong. Here's how PGP works.

You create a pair of keys that are mathematically related to each other, one is public and the other is private. Never share your private key with anyone. Give your public key to your friends. Collect public keys from your friends. Use their public keys to encrypt messages to them. They use your public key to encrypt messages to you. You use your private key to decrypt messages.

PGP is the name of the encryption protocol. GnuPG (GPG) is the name of a program that performs PGP operations. It's like the difference between DOC, a word processor file format, and Word, a propram that creates DOC files. GPG started as a Linux program, but several ports have been made to Windows. GPG4Win is a popular one, but GPG4USB is better. This tutorial shows you how to use GPG4USB.

GPG4USB

Download GPG4USB from the web site [http://gpg4usb.cpunk.de/download.html] and extract the ZIP archive. GPG4USB is designed to be portable, no installation required. You can copy it onto an encrypted USB thumb drive, for example. Launch the program by double clicking on start_windows.exe.

It will ask you to Choose a Language. Then you should see this screen.

At the top is a toolbar for the most common PGP operations, including Encrypt, Decrypt, Sign, and Verify. There's also a place to write messages, and a panel on the right that shows the keys you have imported. At this stage, we see only the developer's key that is distributed with the program.

We don't have a PGP key pair, so we will generate a new one. Select Keys -> Manage Keys.

The Key Management window is where you can import and export keys, but for now select Key -> Generate Key.

Fill out your name and email address. If you want to stay anonymous, don't use your real name or an email address linked to your real identity. This information is viewable by anyone who imports your public key. You can set an expiration date or select Never Expire. There's debate about whether it's better to let a key expire or not, but most keys are set to never expire.

Important: increase the Key Size from the default 2048 bits to 4096 bits. Also, set a strong password, which is used to symmetrically encrypt your private key. If someone steals your private key, a strong password will be the only thing preventing them from decrypting your messages.

It may take several minutes to generate the key pair. The program collects entropy from your computer, so doing random things speeds the process along. You can browse the web or mash on your keyboard.

When it's done, you'll see your key listed in the Key Management window. You can close the window and return to the main interface.

Next you want to import public keys from your friends. Select Import Key from the toolbar. You have several options: import from a file, the clipboard, or a key server. If you want to stay anonymous, you should never publish your keys to or download other people's keys from a key server. The easiest option is to import from the clipboard. Highlight a public key in an email or forum post, right click and select "copy" to put it in your clipboard.

Important: make sure you highlight the entire beginning and ending lines, with all five dashes on either side of the text:

-----BEGIN PGP PUBLIC KEY BLOCK-----

-----END PGP PUBLIC KEY BLOCK-----

A common mistake is to miss the first or last dash when highlighting. PGP programs won't recognize a public key block without all the dashes.

After copying a public key to the clipboard and selecting Import Key -> From Clipboard, you'll see some details about the key. Click OK to finish importing.

To copy your public key, so you can give it to other people, open the Key Management window and check the box next to your key, then select "Export to Clipboard". You can paste your public key into emails, forum posts, etc. Remember to include the beginning and ending lines with all five dashes. You can also choose "Export to File" and it will create an ASCII armored text file (*.asc). This is a regular text file that can be viewed with any text editor.

Now let's encrypt a message.

Write your message in the text area, then select recipients by checking the boxes next to their keys. In this case, I've selected the GPG4USB developer key. It's common practice to include yourself as a recipient, so you can decrypt the message later if you need to.

Click Encrypt in the toolbar. The plain text will be transformed into an encrypted PGP message.

To send this message, copy the entire block, with the beginning and ending lines, and paste it into an email, forum post, etc.

To decrypt a message, paste it into the text area and click Decrypt. GPG4USB should automatically detect the key that it was encrypted to and use it to decrypt the message. You will have to enter the password for your private key.

Another common procedure is to sign a plaintext message so that others can verify you really wrote it. To do that, write a message and check the box next to your key, then select Sign in the toolbar. The opposite of this is to verify someone else's signature. Copy the entire signed message block into the text area and click Verify.

Lastly, it's a good idea to back up your private key. If you lose it, you won't be able to decrypt messages and they will effectively be lost forever. Right click on your key in the right panel and select "Show Key Details". You'll see the dialog above. Click "Export Private Key" and save the file in a secure location.

I never considered this... but of course they'd do that, wouldn't they.  Otherwise half the darknet would be broken links.  Astor makes an excellent point though: Tor replaces SSL on the darknet, more or less, and it's assumed you're using it (which is why the site doesn't use SSL).  Without SSL or Tor, everything you transmit is not only in plaintext, it's also guaranteed to be visible to whoever runs (or controls) the .onion.to site you go through.

Including all the messages you exchange with other people.  Everything they say is plaintext and visible as well, even PMs.

That's kind of mean; you should point that out to people at least 

Well yeah, that's why the Atlantis admins were fucking retarded for posting onion.to links to their site on clearnet, like in that reddit AMA.

Remember that Atlantis phishing proxy that sniffed account credentials? onion.to could do the same thing, and that was the officially admin-approved way of accessing Atlantis.

All of these third party services like onion.to, onion.sh, tor2web.org, Privnote, SMS4Tor, etc., should be abandoned because they increase your attack surface, forcing you to trust in the good will of third parties that you know nothing about.

All good points, which I hadn't considered.  I only started using tor2web a little while ago.  Naturally I don't recycle passwords, but i hadn't considered the PM thing.  I'll certainly only do PMs over Tor from now on.

Fortunately I don't think I've had any non-PGP encrypted sensitive discussions over PM.

FYI, onion.to and tor2web.org are different things.