Silk Road forums

Discussion => Security => Topic started by: StExo on June 03, 2013, 02:11 am

Title: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 03, 2013, 02:11 am
Dear all,

Many of you know in recent days I have been crawling SilkRoad as well as having several other key users (SelfSovereignty, astor etc) work with me to extract and analyse the data we managed to crawl. Remember we have access to no special tools, powerful machines or data scraping specialists, just what skills we possess and basic .html downloads from the marketplace.

Having analysed all of the pages now, we have found disturbing results. Here are just some of the problems we uncovered and the tag [FIXED] indicates this particular case/problem has now been addressed as I would not be comfortable posting it until it had.

1. Vendors using their real e-mail address on clearnet e-mail hosts, some of which date back to 2003, which kind of proves they are their personal accounts, many with names or specific years in them indicating personal details. These e-mails are registered on some other public services and I have found 9 of you on Facebook so far. Those who have been found know who they are and I hope you realise the danger you're in when I send you your profile picture and mention where you live, your telephone number, family etc. All of the Facebook ones have been corrected now, but not all clearnet PGP keys have been fixed.

2. Buyers posting their tracking numbers in their feedback. Big no-no especially when it is still en-route to you! Somebody in particular posted their tracking number in public for a delivery from the US to Australia and when I saw it the feedback was 3 hours ago who had FE'd so it was obviously still days or weeks from arriving. Don't ever post this publicly. [FIXED]

3. A case where a vendor stated where about in the country he was posting from. I searched the suburb of the city he named and in that suburb, it has a population of 1,000-1,200 in a small city. Don't make it so easy for law enforcement to profile you. [FIXED]

4. Weak PGP keys seem to be in use everywhere. Don't use them! Anything below 512-bit keys are not futureproof. 1024 bit [Read end annotation] is the established standard, use that or greater to ensure your security and everyone else who messages you. My key is 4096-bit. Paranoia is probably a good way to describe that, but I am one of the highest value targets on SilkRoad along with some of the larger vendors and SilkRoad staff so I am not taking risks with the safety of myself or fellow users.

[NOTICE OF CORRECTION] - The more knowledgeable members have agreed my assumption that 1024 bit keys are an established standard was too mild as these are not future-proof. Therefore, my recommendation has changed for all users to use a key which is at least 2048 bits and of course I'd still recommend everybody uses 4096 bit if they are given the opportunity to use it as I personally do. Remember astor has posted a very helpful and easy to use guide for those wanting to learn PGP or find an easier to use program which is a bit more straightforward to use (you can find it at http://32yehzkk7jflf6r2.onion/gpg4usb/).

5. A vendor publicly maintaining a blacklist and published a postcode/ZIP code of the user next to their username. Seriously? [FIXED]

6. A buyer was kind enough to post a photo of the product with a reagent test. However, the file still contained meta-data on the camera type, time/date of the photo being taken and info like that although no GPS data. In addition, there was a small reflection of a face in the photo but it was very vague and many identifiable house features and property in the photo such as car keys (indicating model/brand), a local newspaper, cigarette packet and several magazines which on research, are paid subscriptions to your door and indicate very clearly what line of work they were in, with no obvious method of payment other than by card. [FIXED]

7. Vendor posting they will be on vacation going to a particular city between specific dates. The city was not a huge tourist destination so I can't imagine it being more than 1 or 2 flights a day from the country mentioned. Don't get profiled so easily! [FIXED]

8. A buyer who linked to their forum review message in the description and in their signature, a link to their Facebook account. This needs no further explanation. [FIXED]

These are only some of the things I have found in the past few days and I have no doubt there will be more I haven't spotted or have happened in the past. Remember I am not the only person crawling SilkRoad and with another 5 things I could add to the above list, this is not a threat avoided at all, some users here are still in serious danger of being identified as the worst of them all is not published in the above, but so you know, it took ~6 seconds for me to find who this person was and his full house address and telephone number.

I was going to publish this information in a weeks time but tonight I learned some very sobering bits of information which I cannot discuss and have been sent directly to DPR for his eyes only, or as he replied, "intel". SilkRoad has enemies who are the enemies of freedom and privacy and if we are to overcome the threats to our freedom we have to be responsible and take precautions to avoid landing ourselves in prison.

Vendors - you are some of the worst offenders in the above list. In point 1 where I talk of being able to personally identify you through your Facebook, 4 of those were vendors, 1 of them was a top 3% vendor and I am amazed how you haven't been caught yet. This is not only compromising your own security, but all of your customers and with some of them having 300+ sales, it is not a minor issue, especially seeing as I can imagine at least 1 or 2 of them keeping customer addresses as that seems to go hand in hand with poor awareness.

SILKROAD - GET YOUR ACT TOGETHER. This isn't a game, this is a struggle and we will not prevail when many of you are almost offering yourselves up as bait! I hope this warning is heeded before more people are caught in expressing their freedom.

Your loyal servant,
StExo

NB: Signature removed, formatting is messing up the post for some reason.

Edited 05/06/13: I have added a note of correction to point 4 as some of my knowledgeable colleagues have pointed out my recommendation to use a 1024 bit key was too mild, so my recommendation has changed to 2048 bit keys instead so many thanks to those who have highlighted this to me. If anyone needs help making a new PGP key, wanting to learn how to use PGP or simply find an easy to use program which offers the same security benefits as GnuPG but is much more user-friendly, try Astor's PGP guide here: http://32yehzkk7jflf6r2.onion/gpg4usb/
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: scout on June 03, 2013, 02:22 am
So many good points here again, StExo.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: PsychedelicSphere on June 03, 2013, 02:29 am
+1 for you sir!

I hope this helps open some vendors' eyes up and realize they are in danger of being caught by LE.

~PsychedelicSphere
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Jenso on June 03, 2013, 02:31 am
+1 for you friend.

J3NSO.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: steadyeddy2 on June 03, 2013, 02:43 am
be careful out there guys!
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: boosties on June 03, 2013, 02:44 am
+1 StExo! good shit. it's never good to get complacent. Being preventative keeps you out of jail!
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: astor on June 03, 2013, 02:47 am
Great job once again, StExo.

Yeah, about half of the real-looking (ie, not fake@fake.com) clearnet email addresses that I tested were valid and working. They could be someone else's email address that the vendor stuck in their PGP key, but for the people using their real email addresses, that's an easy way to get busted.

It's quite surprising how insecure some vendors are, and that's why I've held off on publishing a master list of the keys. Even if I remove the insecure keys, it will be easy to cross-reference the ones in the master file to the list of vendors and figure out which ones are excluded, and therefore insecure. Of course, someone could check them all anyway, but I don't feel like making their job easier.

One thing, though:

4. Weak PGP keys seem to be in use everywhere. Don't use them! Anything below 512-bit keys are not futureproof. 1024 bit is the established standard, use that or greater to ensure your security and everyone else who messages you.

1024 bit keys are considered weak these days. Tor relays use 1024 bit RSA for their identity keys, and the Tor people are going through the headache of upgrading the relay authentication mechanism to support larger keys. 2048 bits is the minimum now.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: DoctorFate on June 03, 2013, 02:58 am
Wow yeah great read thanks.  I'm glad there are people here that care enough to see something that endangers us and help fix it.

One thing I found a week or so ago was a vendor that matter seemed to be using onion.to links.  Well I can't say for sure if the vendor was getting to SR using onion.to but their vendor profile page has links to other listings that all end in onion.to.  I saw this and reported it right away however the vendor still has the same links in their profile, took their listings down and many users seem to be coming forward with issues that may indicate some problems.

I can't say for sure if this vendor is using onion.to but I thought it was odd that they have been around for almost a year and had these onion.to links posted in their profile.  I didn't order from them because of the onion.to links I saw and I'm glad I did, I hope others read through the SR Wiki and all the stickied threads on the SR forums. 

With the forums and the wiki SR really does make all the information we need available to us, I just wish everyone would read more carefully and speak up if they don't understand.  SR is freaking awesome and there are tons of us who would do whatever to protect it.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 03, 2013, 03:02 am
4. Weak PGP keys seem to be in use everywhere. Don't use them! Anything below 512-bit keys are not futureproof. 1024 bit is the established standard, use that or greater to ensure your security and everyone else who messages you.

1024 bit keys are considered weak these days. Tor relays use 1024 bit RSA for their identity keys, and the Tor people are going through the headache of upgrading the relay authentication mechanism to support larger keys. 2048 bits is the minimum now.

Gospel.

Unless 0.5 seconds a day is more valuable than years in prison, many people should heed this warning and increase it to 2048 as you say or go the extra mile for 4096.

Apologies I didn't run the most recent list by you astor, it was simply too much of a concern given what has come to light.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: SOUTHPAW on June 03, 2013, 03:05 am
Thank you for this info.

So much to learn and understand!

You people prove that not everyone wants the low hanging fruit to be picked so easily.  :)
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: wraithe on June 03, 2013, 03:07 am
+1 this is fucking quality shit man. thank you
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Limetless on June 03, 2013, 03:12 am
I saw that twunt with his facebook pro in his signature. That was just funny.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 03, 2013, 03:15 am
I saw that twunt with his facebook pro in his signature. That was just funny.

I thought it just would have been some fool linking to a celebrity profile or some troll page at first and when I saw it was his profile, I just went wide-jawed. Even worse because staff can't remove signatures.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: astor on June 03, 2013, 03:24 am
It's good to know, though. I don't want my personal info in the hands of someone who throws his own around without a second thought.

Really, I should publish a list of only insecure keys to name and shame those vendors, or at least let people know who they shouldn't deal with. ;)
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Tellemetree on June 03, 2013, 03:28 am
+1 StExo

The people whose asses you saved should be looking at some sort of donation to you for the gift of their own freedom and liberty imho

SR is lucky to have people like you in the community

Cheers - Tel
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: sofish89 on June 03, 2013, 03:36 am
Can someone explain #1 to me (about the email addresses on clearnet)? Do you mean to say that if i tell someone my (backup) email address (in case SR is down) that the person who has my email address can find out who i am and even find my facebook??
Can someone clarify this for me in simple language (sorry im not really a tech guy)
So all those vendors who post backup email addresses in their vendor page risk losing their anonymity?
And theres one vendor who has my email address (gave it to him during the ddos attacks), should i be concerned?
Sorry if this is a stupid question, but I'm sure there are others like me and I'd rather someone read my question (and your answers) and hopefully avoid an easily avoidable situation.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: wraithe on June 03, 2013, 03:39 am
Can someone explain #1 to me (about the email addresses on clearnet)? Do you mean to say that if i tell someone my (backup) email address (in case SR is down) that the person who has my email address can find out who i am and even find my facebook??
Can someone clarify this for me in simple language (sorry im not really a tech guy)
So all those vendors who post backup email addresses in their vendor page risk losing their anonymity?
And theres one vendor who has my email address (gave it to him during the ddos attacks), should i be concerned?

some require the use of java script which can reveal your ip.  the OP was talking about using email address that you used for Facebook or 5 years ago to sign up for midgetlovers.com instead of making a new one with a non java mail host
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: sofish89 on June 03, 2013, 03:42 am
Do any of the following use javascript: gmail, yahoo, tormail, rocketmail, hotmail
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 03, 2013, 03:53 am
Do any of the following use javascript: gmail, yahoo, tormail, rocketmail, hotmail

Tormail.org is the best bet right now.

But I was talking about for example jimmy1980@hotmail.com (not a real email, just an example) who had their name and year of birth in the e-mail address. I took that e-mail and searched Facebook and in several cases found a real profile attached to it or people have publicly put on other forums around the internet that e-mail. Javascript is also another vulnerability so as I said, use tormail with a fresh address you've never used for anything else and keep the e-mail and PGP key solely for SilkRoad business on an encrypted bootable system or drive.

The key should link up to a tormail address only and that tormail address should only ever be used for business purposes of SilkRoad, nothing else - ever.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: scout on June 03, 2013, 03:54 am
Stickying this thread for 7 days.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 03, 2013, 03:54 am
+1 StExo
The people whose asses you saved should be looking at some sort of donation to you for the gift of their own freedom and liberty imho
SR is lucky to have people like you in the community
Cheers - Tel

Many thanks, I just want to do my part. If you have donations or anyone else for that matter, put them in your nearest charity box for me as there are people in this world far less fortunate than I am.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: wraithe on June 03, 2013, 03:56 am
+1 StExo
The people whose asses you saved should be looking at some sort of donation to you for the gift of their own freedom and liberty imho
SR is lucky to have people like you in the community
Cheers - Tel

Many thanks, I just want to do my part. If you have donations or anyone else for that matter, put them in your nearest charity box for me as there are people in this world far less fortunate than I am.

most charities arent looking out for the users of SR. lol  most can barely get above a C grade.  U easily saved 1 person from jail.  I would bet good money on that

gratz on the sticky too
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 03, 2013, 04:01 am
most charities arent looking out for the users of SR. lol  most can barely get above a C grade.  U easily saved 1 person from jail.  I would bet good money on that

gratz on the sticky too

I mean local homeless charities, childrens charities etc, the ones our government has failed in their duty to protect, not just SilkRoad related.


Stickying this thread for 7 days.

Woohoo, I got a sticky. I've lost my sticky virginity (that just sounds even worse compounded). Thanks Scout!
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: touchthesky on June 03, 2013, 04:12 am
+1 to you stexo

would love to be a help if ever required mate.

love people doing things selflessly for the greater good of the community

would +2 you if I could
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: astor on June 03, 2013, 04:37 am
It's not just that you can find someone on Facebook. People with Gmail addresses are probably accessing those accounts over clearnet. So LE goes to Google and says, give us the IP addresses that were connecting to this account. Then they go to the ISP and say, give us the name of the subscriber with this IP address. Boom, you're busted.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: dabdiego on June 03, 2013, 08:35 am
Awesome thread. +1 for the extremely urgent topic you have brought to attention. I would like to think most of this is common sense, but the results of your search obviously show otherwise.

1 question: In using GPG Keychain for my Mac, when I create a new key it prompts me for the name, email etc. When this happens, my Mac pulls up the default information on the computer. This is information I obviously don't want any peering eyes to have access to. I obviously change both of these to a fake name and my tormail email address, but I want to be sure the "suggested" data isn't encoded or written anywhere I might not be thinking to look. Perhaps this is paranoia, but before I post my public key I'd like to be sure that I am not revealing anything I don't want to.

Thanks in advance to whoever can help.

Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 03, 2013, 10:01 am
Awesome thread. +1 for the extremely urgent topic you have brought to attention. I would like to think most of this is common sense, but the results of your search obviously show otherwise.

1 question: In using GPG Keychain for my Mac, when I create a new key it prompts me for the name, email etc. When this happens, my Mac pulls up the default information on the computer. This is information I obviously don't want any peering eyes to have access to. I obviously change both of these to a fake name and my tormail email address, but I want to be sure the "suggested" data isn't encoded or written anywhere I might not be thinking to look. Perhaps this is paranoia, but before I post my public key I'd like to be sure that I am not revealing anything I don't want to.

Thanks in advance to whoever can help.

Give astor/pine a message for this one, that's outside my expertise I'm afraid but if I had to guess, I wouldn't imagine so.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: abby on June 03, 2013, 12:47 pm
during the attacks the other month, some people created vendor contact lists here and on reddit.  On some of those lists I saw what looked to be legitimate clearnet email addresses.  The vendors who were using a clearnet email should do some digging and contact those posters to have them removed.  It might be shutting the door after the horse has bolted but reducing the ongoing risk is still a worthwhile thing.

most charities arent looking out for the users of SR. lol  most can barely get above a C grade.  U easily saved 1 person from jail.  I would bet good money on that

gratz on the sticky too

I mean local homeless charities, childrens charities etc, the ones our government has failed in their duty to protect, not just SilkRoad related.

+1 for that..  That's probably one of the kindest things I've read on SR.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: jackofspades on June 03, 2013, 12:55 pm
Awesome thread. Thank you to anyone who worked toward getting this info compiled especially you StExo.

+1 OP and keep up the hard work, fellow community members!
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: HEATFan on June 03, 2013, 01:30 pm
That's quite some work you've done there StExo and team. Bravo.

It really blows my mind how some people choose to vend on here without knowing... well, shit. Some of the stuff you posted in the OP was just so ridiculous I have a hard time believing it is true. I cannot believe some people can be so stupid.

Honestly, I think the retarded vendors who are doing these stupid things need to be warned first and then if nothing has been done after 48 hours, publicly shamed. Not only do they put themselves at risk but also every single person who buys from them. It's unacceptable, honestly. I hope that you'll monitor their situations and if they don't soon take your advice I think you need to post their vendor names here so we know who to avoid. Much love and thanks a bunch for the time you've spent improving the security of this community.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 03, 2013, 02:09 pm
That's quite some work you've done there StExo and team. Bravo.

It really blows my mind how some people choose to vend on here without knowing... well, shit. Some of the stuff you posted in the OP was just so ridiculous I have a hard time believing it is true. I cannot believe some people can be so stupid.

Honestly, I think the retarded vendors who are doing these stupid things need to be warned first and then if nothing has been done after 48 hours, publicly shamed. Not only do they put themselves at risk but also every single person who buys from them. It's unacceptable, honestly. I hope that you'll monitor their situations and if they don't soon take your advice I think you need to post their vendor names here so we know who to avoid. Much love and thanks a bunch for the time you've spent improving the security of this community.

Most vendors took note and changed it straight away, usually within hours of me messaging them. 1 or 2 took a little but eventually removed or changed the information concerned. Those who I could connect to a facebook profile, I sent them their profile picture as a reminder of how vulnerable they are given that I have no special tool whereas LE can come down on you like a pile of shit, that gave some of them a shock and rightly so, some of the accounts, both facebook and vendor/buyer account, are now deactivated.

There is also more going on behind the scenes but I'm not allowed to release those bits of information, but that is for everyone's security anyway. But vendors who do not comply with my friendly messages are reported to staff and if it's out of the staff's power (ie, weak keys so they've broken no particular rule) then I will begin the name and shame.

Remember folks, be extremely cautious using any information from Reddit unless a well known and trusted member/mod/DPR has signed the message using their PGP key. I will strive to maintain my backups in the other thread so keep that and my keys in your bookmarks since let's face it, I could change the information on there anytime I want, but who is more likely to keep their integrity, me or a complete stranger on Reddit? A game of calculated risk.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: abitpeckish on June 03, 2013, 02:16 pm
+1billion. Thanks to all doing such a crucial service to the SR community. It blows my mind how vendors could possibly allow themselves to make such boneheaded mistakes. *shudder*
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: SealTeam6 on June 03, 2013, 02:36 pm
stexo we need to be best friends.  It really is time everyone steps their game up on here!
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: astor on June 03, 2013, 06:07 pm
Great stuff!
quick question regarding weak pgp keys- (obviously i can choose the size of my key when i generate it)- however is there a way to determine the size of SOMEBODY else's key when import their public key- or is this a non-issue in the fact that say even a 512 key is complex enough now, but not 'future proof'
any thought would be appreciated and many thanks StExo!
vw

It depends on the PGP program. In GPG4USB you can right click on a key and select "Show Key Details". I have a screen shot of it in my tutorial: http://32yehzkk7jflf6r2.onion/gpg4usb  , the last image in the tutorial. It shows key size, expiration date, algorithms, key ID and fingerprint.

You can probably do something like that in most PGP programs.

Also, 512 bit keys are not safe. 700-something bit keys have already been cracked.
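
Added example, not part of the thread or of astor's tutorial: the key details discussed above (key size, and the User ID that carries the e-mail address) can also be read straight from a public key's packets before it is published. This Python code assumes a version 4 RSA key; `build_sample_key` and the `example.com` address are constructed test input, and the 2048-bit threshold is the minimum the thread settles on.

```python
import base64
import re

MIN_RSA_BITS = 2048      # minimum the thread settles on
RSA_ALGOS = {1, 2, 3}    # RFC 4880 public-key algorithm IDs for RSA

def dearmor(text):
    """Decode an ASCII-armored key block to raw packet bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    start = lines.index("") + 1  # armor headers end at the first blank line
    body = [ln for ln in lines[start:] if ln and not ln.startswith(("-----", "="))]
    return base64.b64decode("".join(body))

def read_packets(data):
    """Yield (tag, body) for each packet; handles old and new header formats."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new format: tag in low 6 bits
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                # old format: tag in bits 5-2
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported here")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def audit_public_key(data):
    """Report primary-key size and User IDs, plus findings to review before publishing."""
    report = {"algorithm": None, "bits": None, "user_ids": [], "findings": []}
    for tag, body in read_packets(data):
        if tag == 6 and report["algorithm"] is None:   # primary public-key packet
            if body[0] != 4:
                raise ValueError("only version 4 keys are handled")
            report["algorithm"] = body[5]   # follows version and 4-byte creation time
            if body[5] in RSA_ALGOS:        # non-RSA keys are reported with bits=None
                nbytes = (int.from_bytes(body[6:8], "big") + 7) // 8
                report["bits"] = int.from_bytes(body[8:8 + nbytes], "big").bit_length()
        elif tag == 13:                                # User ID packet
            report["user_ids"].append(body.decode("utf-8", "replace"))
    if report["bits"] is not None and report["bits"] < MIN_RSA_BITS:
        report["findings"].append(
            f"RSA modulus is {report['bits']} bits, below {MIN_RSA_BITS}")
    for uid in report["user_ids"]:
        for addr in re.findall(r"[^\s<>@]+@[^\s<>@]+", uid):
            report["findings"].append(f"User ID publishes address {addr}")
    return report

def _mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def build_sample_key(bits, uid, armored=False):
    """Constructed input: a v4 RSA public-key packet and a User ID packet.
    The modulus is an arbitrary odd number of the requested size, not a usable key."""
    n = (1 << (bits - 1)) | 1
    body = b"\x04" + bytes(4) + b"\x01" + _mpi(n) + _mpi(65537)
    raw = b"\x99" + len(body).to_bytes(2, "big") + body       # old format, tag 6
    uid_bytes = uid.encode()
    raw += bytes([0xC0 | 13, len(uid_bytes)]) + uid_bytes     # new format, tag 13
    if not armored:
        return raw
    b64 = base64.b64encode(raw).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "", *rows,
                      "-----END PGP PUBLIC KEY BLOCK-----"])

if __name__ == "__main__":
    for bits in (1024, 4096):
        key = build_sample_key(bits, "sample <sample@example.com>", armored=True)
        print(audit_public_key(dearmor(key)))
```

Run on an exported public key, the report shows the same fields a key-details dialog would, so a short modulus or an unintended address in the User ID is visible before the key is posted.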
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: BlackIris on June 03, 2013, 06:26 pm
It's good to know, though. I don't want my personal info in the hands of someone who throws his own around without a second thought.

Really, I should publish a list of only insecure keys to name and shame those vendors, or at least let people know who they shouldn't deal with. ;)

Yep, you should, at least in PM if one asks you. I think buyers deserve to know this. I for once would surely like to know. But I understand that this could compromise the security of said vendors, so it is sort of a lose lose situation.

EDIT: Naturally +1 for the OP, almost forgot.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: VersacePandaEgg on June 03, 2013, 06:37 pm
+1 StExo

You're really doing your work around here and it is very much appreciated! Thanks
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Tyrion Lannister on June 03, 2013, 06:47 pm
You're the number one StExo, great post.

Maybe i'm optimistic, but i can't help thinking that if these guys were not caught, maybe the guys after SR aren't any good, and we should be ok.

+1 to you.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: a10101 on June 03, 2013, 10:56 pm
Thanks StExo. This type of security audit is good for the whole community.

I guess LE isn't looking too carefully. Amazing that this level of carelessness is being shown here. Watch your asses, people. StExo won't always be there looking out for you.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: ShamelessHarvey on June 04, 2013, 06:53 pm
Holy crap. You are the fucking man.

The granular detail you went into, very fucking impressive.

Whenever I get to full member status I will +1 you :-)
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: 5 on June 04, 2013, 07:26 pm
I want to apologize, I know all this stuff is in here but I'm still having a little concern and I'm not the super wiz when it comes to all this. Thank you in advance for understanding, community.

:o I have a mac and did the gpgtools several months ago. I'm just a small personal buyer but still paranoid (what is personal to me might not be to fed guidelines). I used a fake account gmail address. I think it made me sync it to my computer gmail as a 2nd email, can't remember, but it's there... that I don't use of course... never. I usually just order and sit back till receiver tells me to come over and hang out (code word for it's here)...

I saw this post and am wondering: does my email show to vendor if I don't sign before I send encrypted address? That's what I'm scared of. If they don't erase it and get busted, then a nice clearnet gmail address will be traceable back to IP address it came from.

I just set up a tormail account. I did not have to sync anything and it seems to be working just by clicking on new key. It is importing keys, encrypting and all that. So I tried another method. I just used any random email without signing up for it, a fake fake account, and put .org at end and this key seems to work.

Can anyone help... I've been going through forums and other people seem not to like mac w/ gpg but it works great for me until I realized an IP could be discovered if it shows on other person's computer.

Any comments would be greatly appreciated. Thanks community and StExo +1,000000 :)
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: flwrchlds9 on June 04, 2013, 10:29 pm
Great thread!!! +100

1 question: In using GPG Keychain for my Mac, when I create a new key it prompts me for the name, email etc. When this happens, my Mac pulls up the default information on the computer. This is information I obviously don't want any peering eyes to have access to. I obviously change both of these to a fake name and my tormail email address, but I want to be sure the "suggested" data isn't encoded or written anywhere I might not be thinking to look. Perhaps this is paranoia, but before I post my public key I'd like to be sure that I am not revealing anything I don't want to.

Thanks in advance to whoever can help.

You should not use a computer that you have used for personal things to vend with, especially not one where you have correct owner info entered in it or you personally bought from the mac store with your credit card.

I guess LE isn't looking too carefully. Amazing that this level of carelessness is being shown here. Watch your asses, people. StExo won't always be there looking out for you.

These investigations go on for many months, sometimes years + before action. do not assume it has not been noticed because doors not kicked in.

even on low level. recent read in US there was a city that bought from street level dealers all over city for 6 months then swooped in and arrested everybody from 6 months of buys.

investigation into LR started years ago most likely before that big bust.

do not fall into false sense of security!!!   :o
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 05, 2013, 01:03 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

News article: http://weirderweb.com/2013/06/04/the-biggest-danger-to-some-silk-road-users-are-themselves/

Published a few hours ago and talks about this thread guys. I think he's hit the nail on the head with this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
-----END PGP SIGNATURE-----
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: iLoveTaffy on June 05, 2013, 01:13 am
That's quite some work you've done there StExo and team. Bravo.

It really blows my mind how some people choose to vend on here without knowing... well, shit. Some of the stuff you posted in the OP was just so ridiculous I have a hard time believing it is true. I cannot believe some people can be so stupid.

Honestly, I think the retarded vendors who are doing these stupid things need to be warned first and then if nothing has been done after 48 hours, publicly shamed. Not only do they put themselves at risk but also every single person who buys from them. It's unacceptable, honestly. I hope that you'll monitor their situations and if they don't soon take your advice I think you need to post their vendor names here so we know who to avoid. Much love and thanks a bunch for the time you've spent improving the security of this community.

Most vendors took note and changed it straight away, usually within hours of me messaging them. 1 or 2 took a little but eventually removed or changed the information concerned. Those who I could connect to a facebook profile, I sent them their profile picture as a reminder of how vulnerable they are given that I have no special tool whereas LE can come down on you like a pile of shit, that gave some of them a shock and rightly so, some of the accounts, both facebook and vendor/buyer account, are now deactivated.

There is also more going on behind the scenes but I'm not allowed to release those bits of information, but that is for everyone's security anyway. But vendors who do not comply with my friendly messages are reported to staff and if it's out of the staff's power (ie, weak keys so they've broken no particular rule) then I will begin the name and shame.

Remember folks, be extremely cautious using any information from Reddit unless a well known and trusted member/mod/DPR has signed the message using their PGP key. I will strive to maintain my backups in the other thread so keep that and my keys in your bookmarks since let's face it, I could change the information on there anytime I want, but who is more likely to keep their integrity, me or a complete stranger on Reddit. A game of calculated risk.

I see no risk whatsoever. I trust nearly every "trusted" member on here more than a single random user on Reddit.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: kmfkewm on June 05, 2013, 12:24 pm
Quote
4. Weak PGP keys seem to be in use everywhere. Don't use them! Anything below 512-bit keys are not futureproof. 1024 bit is the established standard, use that or greater to ensure your security and everyone else who messages you. My key is 4096-bit. Paranoia is probably a good way to describe that, but I am one of the highest value targets on SilkRoad along with some of the larger vendors and SilkRoad staff so I am not taking risks with the safety of myself or fellow users.

Anything below 512 is already breakable today with minimal resources. 1,024 bit keys are not future proof and will probably be breakable in the near future.
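
Two of the problems raised in this thread, undersized keys and identifying details embedded in a published key, can both be checked by reading the key's own packets. The following is an added example, not part of any post: the function names, the 2048-bit threshold and the sample key are assumptions made for illustration, and the input is a binary (non-armored) public key such as `gpg --export` produces.

```python
import struct

MIN_BITS = 2048  # assumed policy threshold for this example
ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA"}  # RFC 4880 IDs

def read_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not a binary OpenPGP packet (armored input?)")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header: low two bits select the length field size
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            size = 1 << ltype
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def audit_key(data):
    """Report the user IDs and key sizes a binary public key would publish."""
    report = {"user_ids": [], "keys": [], "weak": False}
    for tag, body in read_packets(data):
        if tag == 13:  # User ID packet: the name/e-mail string, in the clear
            report["user_ids"].append(body.decode("utf-8", "replace"))
        elif tag in (6, 14) and body[:1] == b"\x04":  # v4 key or subkey
            algo = body[5]
            if algo not in ALGOS:  # e.g. ECC: first field is an OID, not an MPI
                report["keys"].append((f"algorithm {algo}", None))
                continue
            nbytes = (struct.unpack(">H", body[6:8])[0] + 7) // 8
            bits = int.from_bytes(body[8:8 + nbytes], "big").bit_length()
            report["keys"].append((ALGOS[algo], bits))
            report["weak"] = report["weak"] or bits < MIN_BITS
    return report

def _mpi(n):
    """Encode n as an OpenPGP multiprecision integer."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _pkt(tag, body):
    """Wrap body in an old-format header with a 2-octet length."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def sample_key(bits, user_id):
    """Constructed test input: a made-up modulus, not a usable key."""
    key = b"\x04" + struct.pack(">I", 1370000000) + b"\x01" + _mpi((1 << (bits - 1)) | 1) + _mpi(65537)
    return _pkt(6, key) + _pkt(13, user_id.encode())

if __name__ == "__main__":
    print(audit_key(sample_key(1024, "Jane Q. Realname <jane1979@example.com>")))
```

The User ID string and the modulus size are both readable by anyone who obtains the public key, so this is the view to check before publishing one.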
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 05, 2013, 01:56 pm
Quote
4. Weak PGP keys seem to be in use everywhere. Don't use them! Anything below 512-bit keys are not futureproof. 1024 bit is the established standard, use that or greater to ensure your security and everyone else who messages you. My key is 4096-bit. Paranoia is probably a good way to describe that, but I am one of the highest value targets on SilkRoad along with some of the larger vendors and SilkRoad staff so I am not taking risks with the safety of myself or fellow users.

Anything below 512 is already breakable today with minimal resources. 1,024 bit keys are not future proof and will probably be breakable in the near future.


Thanks kmfkewm. I've added a notice of correction to the above post making changes to my recommendation and added a link in to Astor's GPG4USB guide for those who need a bit of guidance.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Vatican on June 05, 2013, 02:46 pm
+1 to you sir.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: meatwad on June 05, 2013, 05:04 pm
+1 StExo - I just found your onion site earlier today, that's quite an impressive listing of vendor pages that you have accumulated.  Thank you for taking YOUR time and effort to try to help all users of the site.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Naloxone on June 05, 2013, 05:19 pm
+1
Great post! Thanks. Always be vigilant about privacy.

Also I know it might seem like I'm being cheeky but really I'm just curious. Why is it that you're a major target? Is it the money laundering advice you're giving?

Thanks.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: WeBeWeedGirls on June 05, 2013, 06:59 pm
Thanks for this guys! We pass all these tests and have passed on the relevant bits to our customers. Thanks for raising the standard, we are coming along for the ride!

WBWG x
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 05, 2013, 10:13 pm
+1
Great post! Thanks. Always be vigilant about privacy.

Also I know it might seem like I'm being cheeky but really I'm just curious. Why is it that you're a major target? Is it the money laundering advice you're giving?

Thanks.

So far to my knowledge no British user or vendor has yet been convicted and attributed to SR so I guess now the US has nabbed a few buyers and Aus have got the first vendor, the UK is probably getting fed intel from both other countries and I am pretty sure they make customer accounts to speak to the launderers around here, trying to find out tactics. I rejected about 60-70% of people who come to me for full consultations and instead give some helpful tips because I'm reluctant to give out huge detailed plans to people who don't have any apparent need for it. Some vendors here are cashing out between £500,000 and £1,000,000 a year so of course they need top quality advice and to suit the high consultation fee price I guarantee the advice I offer each client is unique and is something you're not going to find with a Google search for many years or decades, plus refunds if they're not happy with no questions asked, but nobody has ever asked me for a refund.

Anyway, yes, so I enable many vendors here to disguise their proceeds and continue doing business as well as knocking a fair amount off their tax bills so it doesn't eat into their margins. And let's not forget, what do I need to help vendors make their cash clean? Information, and a fair bit of it at that to tailor each plan to their circumstances and I'm very sure LE would love to get their hands on all the information I have access to. For note, I don't actually keep a vendor's information, it is stored online somewhere in the world in the strongest grade encryption (cascading) I could manage and in the event I'm compromised, if any of my USB sticks, CDs or laptops are damaged then that information is no longer accessible and the place the encrypted "box" is kept will securely erase it after 7 days of not accessing it. On top of that they know what city I am in, even if it is a huge city. I'm pretty high profile on the forum too and my security posts have probably made this place less of a field day for them. Then they know I run a drugs operation outside of SilkRoad too and also do consulting for other criminal gangs.

So if I was caught, I'd be the perfect pin-up for them to splatter on the media saying they got somebody on SilkRoad. Well, DPR would be their biggest target, then the admins/mods who have privileged access and knowledge, but after them it's the people here who enable laundering activities and would have access to sensitive information that they're going to head hunt - there's me straight away wanted, and Limetless, probably SuperTrips and FrankMatthews would probably join me and Lim in that top spot as well as a few other 1% guys or anyone who moves a large supply of products.

Yeah. In short - I'm the big juicy target they want not because I'm doing damage (I bet they wouldn't tell the papers how much I give to charity!) but because if they can make a big list of crimes I've done, it looks good on them and another tick-box capture.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Naloxone on June 06, 2013, 07:38 am
Thanks for the reply! I like how you always reply to everyone with a detailed answer.

I bet the charities are pleased! Keep up the good work.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: iLoveTaffy on June 06, 2013, 07:57 am
+1
Great post! Thanks. Always be vigilant about privacy.

Also I know it might seem like I'm being cheeky but really I'm just curious. Why is it that you're a major target? Is it the money laundering advice you're giving?

Thanks.

So far to my knowledge no British user or vendor has yet been convicted and attributed to SR so I guess now the US has nabbed a few buyers and Aus have got the first vendor, the UK is probably getting fed intel from both other countries and I am pretty sure they make customer accounts to speak to the launderers around here, trying to find out tactics. I rejected about 60-70% of people who come to me for full consultations and instead give some helpful tips because I'm reluctant to give out huge detailed plans to people who don't have any apparent need for it. Some vendors here are cashing out between £500,000 and £1,000,000 a year so of course they need top quality advice and to suit the high consultation fee price I guarantee the advice I offer each client is unique and is something you're not going to find with a Google search for many years or decades, plus refunds if they're not happy with no questions asked, but nobody has ever asked me for a refund.

Anyway, yes, so I enable many vendors here to disguise their proceeds and continue doing business as well as knocking a fair amount off their tax bills so it doesn't eat into their margins. And let's not forget, what do I need to help vendors make their cash clean? Information, and a fair bit of it at that to tailor each plan to their circumstances and I'm very sure LE would love to get their hands on all the information I have access to. For note, I don't actually keep a vendor's information, it is stored online somewhere in the world in the strongest grade encryption (cascading) I could manage and in the event I'm compromised, if any of my USB sticks, CDs or laptops are damaged then that information is no longer accessible and the place the encrypted "box" is kept will securely erase it after 7 days of not accessing it. On top of that they know what city I am in, even if it is a huge city. I'm pretty high profile on the forum too and my security posts have probably made this place less of a field day for them. Then they know I run a drugs operation outside of SilkRoad too and also do consulting for other criminal gangs.

So if I was caught, I'd be the perfect pin-up for them to splatter on the media saying they got somebody on SilkRoad. Well, DPR would be their biggest target, then the admins/mods who have privileged access and knowledge, but after them it's the people here who enable laundering activities and would have access to sensitive information that they're going to head hunt - there's me straight away wanted, and Limetless, probably SuperTrips and FrankMatthews would probably join me and Lim in that top spot as well as a few other 1% guys or anyone who moves a large supply of products.

Yeah. In short - I'm the big juicy target they want not because I'm doing damage (I bet they wouldn't tell the papers how much I give to charity!) but because if they can make a big list of crimes I've done, it looks good on them and another tick-box capture.

Well, now I know who to contact in case I ever decide to start selling my own synthesized drugs for money laundering advice... How much do you charge? (Obviously do not need help right now, but an estimated price might be good for the future). :P
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: abitpeckish on June 06, 2013, 12:52 pm
Well, now I know who to contact in case I ever decide to start selling my own synthesized drugs for money laundering advice... How much do you charge? (Obviously do not need help right now, but an estimated price might be good for the future). :P

His site is pretty clear about his services and what they cost.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 06, 2013, 01:00 pm
Well, now I know who to contact in case I ever decide to start selling my own synthesized drugs for money laundering advice... How much do you charge? (Obviously do not need help right now, but an estimated price might be good for the future). :P

His site is pretty clear about his services and what they cost.

Yep - not cheap that's for sure, but if you want to avoid detection then that's the price needed. It filters out people who are just doing it "to know" so those who do need the money laundered will get advice straight away. I also have to regularly turn down requests, even ones paying very handsome sums because there is no obvious reason how they are making their money and it could be LE which wouldn't surprise me at all since they tried that in the past.

Although I advertise on my site, SilkRoad still does get its cut too, we won't work outside of the system.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Centrum on June 06, 2013, 01:10 pm
bump makes me hope I'm not being stupid giving away anything I don't know about on here.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: original hermit on June 06, 2013, 01:32 pm
fantastic post!!!!
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: happertand on June 06, 2013, 01:55 pm
Unbelievable! Nice post, appreciated.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: happyhippy on June 07, 2013, 09:18 pm
THIS is a great post .

Thank you
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: NSN959 on June 08, 2013, 01:52 am
Thank you! Great links at StExo's site, as well.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: StExo on June 08, 2013, 03:42 am
Many thanks to all the kind comments from everybody. However, can they please stay within this topic and not be addressed to my inbox unless it is business related or something which can't be posted publicly as I currently have a huge backlog to work through here, on the marketplace and my e-mail on top of my consulting and enterprise.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: foxen624 on July 09, 2013, 07:12 pm
SR is a very easy place to get comfortable, and it does seem like an excellent idea to keep reminders like this in view of everyone to hopefully keep the IMPORTANCE of security on the mind of all SR members at all times.  Although some of the things you found...  linking to own FB acct? Really?  Using own clearnet email (probably on a server that sends everything straight on to the nsa...  hmmmm...   

But I've no right to criticize.  I tend to err on the side of borderline paranoia.. always have as I have 4 computers, each used only for its specific purpose or related purposes, various types of extra layers of security on each...  but as I read your OP, it occurred to me that my PGP key may not be at the highest security level possible...  it might, not sure but checking on that soon as I post this and updating it if necessary.. Thanks for that reminder to keep on top of EVERYTHING...
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: MarcelKetman on July 09, 2013, 09:24 pm
Jesus Christ some of the stupidity on show there has blown my mind. Good work mate. Some people should be very very grateful to you.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: fbny71 on July 10, 2013, 02:20 pm
Thanks for your work, I'll +1 your karma when I can.

I'm in the process of switching completely to TAILS and only communicating sensitive info with PGP. You really can't be too careful.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: tbart on July 10, 2013, 02:48 pm
well looks like one of the SR vendors just got busted in Germany - german users are reporting this is "AFTERHOUR" - unfortunately all the news articles are in german

got to thinking about this topic last night, and the OP did us all a great service in posting this thread, but with all the security in the world, if the vendor kept any kind of data on a shipment, and it would seem likely he/she does, at least until it's delivered and he's gotten his funds released and his feedback, that if he gets busted, then it's likely those customers he still has the shipping info on will get busted as well - even international, i guarantee the local popo will share any appropriate info with the customer's local popo

SORRY, forgot to post the link to the thread  http://dkn255hz262ypmii.onion/index.php?topic=182030.0

Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Oompaloompa on July 10, 2013, 05:31 pm
Excellent work StExo,

There's a few real howlers in that list, I was going to say I'm amazed anyone selling on SR could be so blind to security but sadly I can all too easily believe it. The number of buyers failing to use pgp, vendors not offering it & vendors using 1024 strength encryption is just insane.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Sasscrotch on July 10, 2013, 11:14 pm
Wow... this whole thread has got me on edge and I haven't been nearly as careless as some of these so-called vendors.  Just goes to show being a newbie is ok so long as you're a paranoid and precautious one.  Ffs, just want to smoke ma herb, right?!?

Even though I am not a vendor, I'm taking every precaution listed here.  Going from 2k key gen encryption to the recommended 4k, using tails or a VPN, and most importantly only dealing with discreet vendors.

And not that I support any of the racial bs... but statistically speaking, it's just too gd easy to go to prison in this country if you're of the non-white persuasion.  Check the department of justice stats if you don't believe meh!

Weed's great but I love my freedom too much.  And above that I love my asshole.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: windmillz on July 11, 2013, 05:41 pm
Very well said! I am so happy to see everyone here in this community helping to cover each other's backs! Long live the SR!
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: thelorax on July 13, 2013, 10:17 pm
so this is a thing..

and so is this..

hummmm??

http://dkn255hz262ypmii.onion/index.php?topic=184055.msg1335510#msg1335510

wonder who's behind ^^^^???

stupid kids
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: psykhe on July 14, 2013, 05:23 pm
Thank you for the hard work you've put into this, StExo.

Do you have any updates you can share? I'm quite concerned by some of your implications regarding knowledge you're currently unable to share due to the severity of it.

Thanks again and keep up the great work, you're a true asset to the community.
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: BlueGiraffe on July 14, 2013, 08:01 pm
+1000

Nice work dude!

BG
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: /I_Surf_Worm_Holes on July 14, 2013, 09:27 pm
Appears to be good work and intel, therefore I too say thanks.  Furthermore, Thanks for Caring!!!
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: psykhe on July 16, 2013, 10:25 am
Shamelessly bumping this, because it hasn't received the attention it deserves and I (along with many others) would love further updates from StExo :)
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: fbny71 on July 16, 2013, 11:58 am
For real! This is an issue that not only affects the particular vendors and buyers conducting business with a dangerous disregard for security, rather the SR community as a whole.

Shamelessly bumping this, because it hasn't received the attention it deserves and I (along with many others) would love further updates from StExo :)
Title: Re: [Please Read] Urgent warning to all SilkRoad users
Post by: Hendrix99 on July 16, 2013, 10:49 pm
Wow great sobering read StExo...
+1 to good sir