Silk Road forums

Hello SR community,
im interrested in some products to buy, but im a beginner. it seemed simple from the start but the more i read into PGP and such the more confused i become. so far i can tell, i can buy bitcoins directly from bitcoinnordic.com and as soon as i pay up they will be deposited into my sr account.
my first question regarding this, am i right about this method?

It's not a good idea to mention your exchange, or the fact that you're sending direct to an SR address. If you're buying coins under your real identity and you don't send them through a mixing service, that's a security threat. All bitcoin transactions are recorded in the block chain. If someone can identify that bitcoin address as belonging to an SR account, they can link it back to you.

If you haven't transferred coins to your SR account yet, you should send them through a mixing service. If you have already transferred coins to your SR account, I suggest you delete this thread.

secondly, where the hell do i find my own PGP key??
i am using GnuPG as far i know, and i doesnt know how to receive nor send messages properly. could you guys test me out?
heres my pgp key (I BELIEVE)

gpg: key A8100891: public key "synthex <synthex@tormail.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)


Your key is valid.

But if you're on Windows and still confused by PGP, read my tutorial: http://32yehzkk7jflf6r2.onion/gpg4usb/

Astor thanks for the great guide...

I am curious, what is generally the common usage for the e-mail of a key on SR?   I know it is subjective to risk, but is it more common to use username@username.com or an actual Tor account that you set up for "alternative" SR type communications.

I see some vendors use username@username, and last page or so makes perfect sense that you at least want to use something recognizable...  Do people use their tor mail address' often, doesn't seem like a huge risk outside of the fact you really should limit peoples knowledge of any permanent accounts (even if separated from your real identity).

But then again we are all communicating with SR forum accounts lol.  I would assume risk of monitoring a tor mail account is probably the same as a SR forum account.  I suppose also to avoid spam and scammers harassing you via tor mail.

Hi peeweed,

PGP was created for privacy, not necessarily anonymity. The common use case is for people who are not trying to hide their identity, so providing an email address isn't a problem for them. In fact, it's extremely useful because most PGP messages are transmitted over email. You would want the email in the PGP key to match the email address you're sending to.

For us it's different. Most PGP messages are posted to forms on SR or in forum posts. You don't have to provide a valid email. Most people will probably ignore it, but it can be useful, for example when the SR server goes down. If your vendor provided a valid email address, you can contact them out of band, and vice versa. I think it's generally a good idea to register a TorMail address and use that in your PGP key.

I've imported a lot of PGP keys and the majority of people use what I assume is a valid TorMail address.

Quote from: astor on December 27, 2012, 04:18 am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

BlarghRawr, you are the wind beneath my wings.

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJQ28vgAAoJENAcophwbuIH/OsP/2U5x4S6Q9acOCcgxLdFK+Zz
BuvoX1NPggBjzdKS2j5oH9BYSyfr88GZeZqH8McZGM+epSWwv8tvwo1uVny96atZ
hcVlcUMYQwUKVuC5uYpyRRHewRKiuhPGgxOBWixHKTi8sS5TVAV2CH3s7YECV4AR
ZXnir2Rb2gl51Mk5mPUWuBKfK9bM8FJlKV2C8/6pGHz+OeOdB+6DVihVqyhg6GM7
GLcyG3zCdi6Ga/O009XmIolu7I3Do2s9+yetqHxKgz+sfWEf8nrFdBiq1X0rjmu1
+3qLN/3Kghw6lEVAHrl8thU8CsAARIqcM8SMzBbWUblisOapzJrR/rzOUhxgLa1t
dUwS9hpM637yj9zkkO0bjHXbzidoNH7TDJJrbavoPOmfG3fiSCugt3BuyZhFSNOj
1wr8IGqFgh/0rOfUaLbgMggC8VoVjAPFBDY0cf5LjLXnBWekz5IUDCJ3/G8vXehk
kFAPOYWpGcCErVHE71z91BJsp4FYhlL7tR+tvMuScbfo6zMD1tEzgVcerN81b6Xm
lxfBWGhfHRVZFI2vpF7xOsjJY/n8zad3cPGz2by674nACTaFG/6iwglwtjSQsHco
6TMciCm+nEtKJAg4KYnD8+aUwtV+oiYgAzwkAK3O5sKpMtG5OOd837CFkqP4c6Nl
R5toIExVuvr2Mu5oycCu
=FPVZ
-----END PGP SIGNATURE-----

Key ID: 706EE207
Status: Key NOT valid
User Name: astor <astorx@tormail.org>
Description: Uncertain signature by astor <astorx@tormail.org>

... It's literally a button on the fucking clipboard. It just says "verify", and all I needed was to have your key. I assume GPG4WIN is the problem, but if you could check your message yourself(or if someone else could also check it), that would be helpful.

gpg: Signature made Wed 27 Dec 2012 [REDACTED 4TimeZone] using RSA key ID 706EE207
gpg: Good signature from "astor <astorx@tormail.org>"



Oh! We have a winner kids. Now try to verify my sig with GPG4USB following my tutorial.


Edit: the time on the signature should be 04:17:36 UTC if my calculations are right.

EDIT: None of these security measures are worth a damn if you tell people about them. Once LE finds out about your setup (they will if you talk about it), you're fucked because they'll simply come prepared.

I feel the same way about encrypted hidden volumes. If everyone starts using them, then LE can assume you have one, even when you honestly supply the password to the only volume and it is clean. In certain regimes, it will guarantee a rubber hose treatment rather than prevent one.

But we don't run the server so we're not giving up secrets. We're just shooting the breeze because security shit is fun.

Also, having the device off when LE arrives isn't 100% safe, either. Some data can be recovered from ram up to something like 2 minutes after it loses power(with corruption)

Scrambling the RAM on shut down protects you from cold boot attacks.

I've also heard of just pouring glue or plastic materials around the RAM sticks so it takes too long to extract. Not every security problem needs a math solution.

Oh, I don't know if the server does it or anything, it was just an idea of how to keep "the key" secure from LE-intervention, caused by seeing what you said. I am, however, going to go suggest it to DPR because that shit is bawlin'.

LOL, actually I don't know if that's possible. The encryption key has to be accessible for the server to continue doing en/decryption, like for all the database reads/writes. I'm not aware of a way to protect an encryption key from an adversary who has physical control of the device. You can trigger a dead man's switch for emergency shut down and scramble the RAM in the process, hopefully before the adversary can extract the key, but the only 100% safe defense against a physical adversary is to have the device off when they arrive.

SR automatically encrypts information in the checkout section an everywhere else I'm reasonably sure. You only have to worry if the site or your vendor is compromised which as we have seen recently is possible.

I'm 100% sure the SR server uses full disk encryption, but as you said, that doesn't matter if the server gets pwned and LE steals the encryption key from RAM. This is why you should PGP encrypt your address.

I remember when 10 strips cost $40 and sheets were like $175. Supply dropped drastically after William Leonard Pickard got busted in 2000, and prices went way up. I haven't tried the LSD on SR, but the reviews indicate that you can get a good trip (actual visuals) off a single hit of most of the stuff sold there, which is better than the street acid I've done. I usually had to eat half of a $40 ten strip to get visuals.