Silk Road forums

Discussion => Security => Topic started by: Jack N Hoff on June 15, 2013, 07:16 am

Title: I can't believe some vendors ask you not to use PGP...
Post by: Jack N Hoff on June 15, 2013, 07:16 am
This isn't the first time I've seen something like this.

Quote
PLEASE AVOID USING PGP, UNLESS YOU ARE REALLY ULTRA PARANOID (we are not talking about killing people, or other serious crimes anyways). It seriously robs us of our time!!
IF You are still paranoid, use www.privnote.com
It's safe and 100x faster than the whole PGP thing.
*Again*, WWW.PRIVNOTE.COM is the way to go dear customers.

The vendor's time is obviously more important than the customer's freedom.  Use privnote, it's better than PGP?


U wut m8? :o
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: WingWong on June 15, 2013, 09:02 am
Yes, it is insane. Recently I found a vendor with decent prices who said something like, "If enough people ask I will start using PGP otherwise use privnote".

I requested they use PGP as privnote is unsafe in my view. Privnote defeats the purpose as anyone intercepting the link now has your address UNLESS you send the privnote link encrypted with PGP. :)

They replied that you can't believe everything you read on the forums as people pretend to know what they are talking about. Shame they had good prices.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: astor on June 15, 2013, 09:08 am
You bring up a good point, Jack. Their few minutes of time and convenience are worth more to them than your freedom.

Fuck 'em.

Boycott vendors like that.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Jack N Hoff on June 15, 2013, 09:09 am
Quote
Yes, it is insane. Recently I found a vendor with decent prices who said something like, "If enough people ask I will start using PGP otherwise use privnote".

I requested they use PGP as privnote is unsafe in my view. Privnote defeats the purpose as anyone intercepting the link now has your address UNLESS you send the privnote link encrypted with PGP. :)

They replied that you can't believe everything you read on the forums as people pretend to know what they are talking about. Shame they had good prices.

And you are still putting your trust in privnote and what they claim even if you encrypt the address.  Encrypting the address doesn't even make sense.

It's vendors that care more about 20 seconds of their time than their customers' freedom. :(
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: WingWong on June 15, 2013, 09:17 am
Quote
Yes, it is insane. Recently I found a vendor with decent prices who said something like, "If enough people ask I will start using PGP otherwise use privnote".

I requested they use PGP as privnote is unsafe in my view. Privnote defeats the purpose as anyone intercepting the link now has your address UNLESS you send the privnote link encrypted with PGP. :)

They replied that you can't believe everything you read on the forums as people pretend to know what they are talking about. Shame they had good prices.

And you are still putting your trust in privnote and what they claim even if you encrypt the address.  Encrypting the address doesn't even make sense.

It's vendors that care more about 20 seconds of their time than their customers' freedom. :(

I was taking the piss. I wouldn't use privnote if you paid me in molly.

If I was to encrypt a privnote address using PGP why would I be using privnote in the first place?
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: astor on June 15, 2013, 09:17 am
Quote
Yes, it is insane. Recently I found a vendor with decent prices who said something like, "If enough people ask I will start using PGP otherwise use privnote".

There are a handful of orders that I would have made but didn't because the vendor lacked a PGP key. On two occasions I didn't submit orders because the keys were only 1024 bits. With so many options on the road, there's no reason to reward lazy behavior.

Quote
They replied that you can't believe everything you read on the forums as people pretend to know what they are talking about. Shame they had good prices.

They are literally lying to you for their convenience. Fuck 'em.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: WingWong on June 15, 2013, 09:18 am
Quote
Yes, it is insane. Recently I found a vendor with decent prices who said something like, "If enough people ask I will start using PGP otherwise use privnote".

There are a handful of orders that I would have made but didn't because the vendor lacked a PGP key. On two occasions I didn't submit orders because the keys were only 1024 bits. With so many options on the road, there's no reason to reward lazy behavior.

Quote
They replied that you can't believe everything you read on the forums as people pretend to know what they are talking about. Shame they had good prices.

They are literally lying to you for their convenience. Fuck 'em.


Yeah that's what I thought.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: astor on June 15, 2013, 09:21 am
Consider how carefully vendors like that treat your address / personal info when they copy it off the SR server.

There's a highly sensitive period between when they get it off the server and put it on the package. Comments like that tell you exactly how carefully they regard your info.

Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: AnonymousAddict on June 15, 2013, 10:22 am
I FULLY WISH EVERYONE would not even be able to enter an address unless it was encrypted.. SR should make it where it won't take a clear addy or anything but PGP..

But then u have vendors like SUBS, he doesn't use anything, or just started, he's a great vendor..
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: PerPETualMOtion on June 15, 2013, 11:39 am
I have not come across vendors who ask not to use PGP. If that were the case, I'd move on to the next.  No, I'm not killing anyone, but if I were locked up in a cage, those thoughts would certainly come easy.

Lesson of the Day: USE PGP FOR SENSITIVE INFORMATION. TOR traffic is easily captured by relays and nodes....
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: kmfkewm on June 15, 2013, 11:51 am
Tor protects from signals intelligence; GPG protects from communications intelligence.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Hungry ghost on June 15, 2013, 01:14 pm
Privnote just seems ludicrously insecure to me. What's to stop an adversary from intercepting your communication, opening your privnote, reading the contents and then creating a new privnote to replace it? You aren't going to know the link is different. Even less sophisticated, what if someone else just opens it? Sure you're going to know it's been compromised, but it's too late then; your secret has been discovered.
There are a worrying number of vendors who can't be bothered to learn PGP. I'll be honest, I've used some of them and just sent my Addy plaintext. Privnote just seems a total waste of time. I guess I should boycott these lazy vendors. It's not that difficult to use PGP for fucks sake.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: ThisUsernameIsTaken on June 15, 2013, 01:25 pm
Found one and only one vendor with something I wanted, and who would sell to me. He didn't want to use PGP, said it's no biggie, "it's more trouble than it's worth."

Never so fast did I lose interest in a vendor. Even if he wises up and decides to start using it, I can see it because he realized fewer people wanted to buy from him - NOT because he realizes how important it is. If he's this lazy/careless/stupid in this department, who knows where else in his operation he finds things more trouble than they are worth.

Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Jack N Hoff on June 20, 2013, 11:16 pm
Quote
If you must be secretive(no need at all) with sending me your address and you believe all those morons in the forum ---- I ONLY USE privnote.com. You can use it for your address. Part of the reason my operation runs so fast is because I don't have to waste extra time trying to read secretive messages or use that stupid time wasting pgp. Don't be the one slowing the packaging and shipping down with your privnote last second after my time cut off time with a long message for me to read and respond to. I am very busy!

Privnote is safe, fast, and easy. And totally not needed. BUT if you feel you need to..then use it. I don't care. But don't use it to send me a question..A big waste of time. You are too paranoid and stupid... Go to another vendor or jump off a building.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: astor on June 20, 2013, 11:26 pm
He's absolutely right about this part:

Quote
Go to another vendor
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: astor on June 20, 2013, 11:33 pm
Also, this should be a red flag about his own operational security:

Quote
You are too paranoid and stupid

No one has ever regretted being too secure, but stories of arrests are littered with people who wished they had done more.

Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Jack N Hoff on June 20, 2013, 11:35 pm
Don't you know Astor?  We're just morons on the forum. :P
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: cantharidin on June 21, 2013, 12:22 am
Anyone have any info on getting pgp to work in Windows 8? pgp4usb installs fine and pretends it works, but won't actually generate a key. Gnupg admits that it doesn't work in Windows 8.  I've been using iGolder, but that's going away and I'd be much happier with a real pgp installation on my computer. Any advice would be appreciated.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: nuggets5 on June 21, 2013, 01:02 am
One of the biggest and oldest vendors, DarkExpresso randomly took his down and never brought it back up...
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Railgun on June 21, 2013, 02:29 am
I'm new and have only bought a few times, but in general the prices seem more than sufficient to off-set 20-or-so seconds of a vendor's time.  They should have to work to keep their reviews and feedback. 

And that stupid, "too paranoid" and "not killing people"--we are all fucking felons and in the same boat with some of the weight that is pushed and received.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: sleeptight on June 21, 2013, 04:18 am
I refused to buy from a vendor just a week ago, he had very good prices, but no PGP-Key. Wrote him a pm, but he ignored it. One of my favourite domestic vendors uses a 1024 bit key, I wonder if that's a real security risk? I feel like asking him to change his key, but he would probably ignore me :P
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: astor on June 21, 2013, 04:24 am
1024 bit key will probably be crackable within 5 years, and by that I mean that a computer cluster might be able to crack them in a few months.

It's probably too much effort for an SR vendor, but 1024 bit keys are still considered weak.
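
Added example, not part of the thread and not any poster's code: a way to check the key sizes the posts above are concerned with, by parsing the OpenPGP (RFC 4880) public-key and subkey packets directly. It covers the subkey as well as the primary key, since GnuPG normally encrypts to an encryption subkey. The 2048-bit floor, the function names and the sample key (fake moduli, not a usable key) are assumptions constructed for this illustration.

```python
import base64
import struct

MIN_BITS = 2048                  # assumption: policy floor chosen for this example
MPI_FIRST = {1, 2, 3, 16, 17}    # RSA, Elgamal, DSA: first MPI is the modulus/prime
KEY_TAGS = {6: "primary", 14: "subkey"}

def dearmor(text):
    """Decode ASCII armor; the optional CRC-24 line is skipped, not verified."""
    lines = [l.strip() for l in text.strip().splitlines()]
    lines = [l for l in lines if not l.startswith("-----")]
    if "" in lines:                              # armor headers end at the blank line
        lines = lines[lines.index("") + 1:]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("=")))

def packets(buf):
    """Yield (tag, body) for each packet, old- and new-format headers."""
    pos = 0
    while pos < len(buf):
        first = buf[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if first & 0x40:                         # new-format header
            tag, l1 = first & 0x3F, buf[pos + 1]
            if l1 < 192:
                length, hdr = l1, 2
            elif l1 < 224:
                length, hdr = ((l1 - 192) << 8) + buf[pos + 2] + 192, 3
            elif l1 == 255:
                length, hdr = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not handled")
        else:                                    # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            nbytes = 1 << ltype                  # 1, 2 or 4 length bytes
            length, hdr = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), 1 + nbytes
        body = buf[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += hdr + length

def key_sizes(data):
    """Return [(kind, algorithm_id, bits or None)] for a binary or armored key."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        data = dearmor(data.decode("ascii"))
    out = []
    for tag, body in packets(data):
        if tag not in KEY_TAGS or body[:1] != b"\x04":   # only v4 key packets
            continue
        algo, bits = body[5], None               # bits stays None for ECC and unknown
        if algo in MPI_FIRST:
            declared = int.from_bytes(body[6:8], "big")
            n = int.from_bytes(body[8:8 + (declared + 7) // 8], "big")
            bits = n.bit_length()                # measure the number, not the label
        out.append((KEY_TAGS[tag], algo, bits))
    return out

def weak_keys(data):
    """Keys whose size is known and below MIN_BITS."""
    return [k for k in key_sizes(data) if k[2] is not None and k[2] < MIN_BITS]

def sample_key(primary_bits, sub_bits):
    """Constructed test input: fake moduli, no signatures, not a usable key."""
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    def pkt(tag, body):                          # old-format header, 2-byte length
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
    def key(bits):
        return b"\x04" + struct.pack(">I", 0) + b"\x01" + mpi((1 << (bits - 1)) | 1) + mpi(65537)
    return pkt(6, key(primary_bits)) + pkt(13, b"constructed example") + pkt(14, key(sub_bits))

if __name__ == "__main__":
    raw = sample_key(4096, 1024)                 # strong primary, weak encryption subkey
    print(key_sizes(raw))
    print("below floor:", weak_keys(raw))
```

A strong primary key does not help if the encryption subkey is small, which is why the check reports every key packet rather than only the first.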
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: sleeptight on June 21, 2013, 04:35 am
Quote
1024 bit key will probably be crackable within 5 years, and by that I mean that a computer cluster might be able to crack them in a few months.

It's probably too much effort for an SR vendor, but 1024 bit keys are still considered weak.

thanks for the answer. I also don't think that LE will put that much effort for the address of a drug user, but better safe than sorry, right? ^^
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Young Morpheus on June 21, 2013, 05:01 am
Quote
This isn't the first time I've seen something like this.

Quote
PLEASE AVOID USING PGP, UNLESS YOU ARE REALLY ULTRA PARANOID (we are not talking about killing people, or other serious crimes anyways). It seriously robs us of our time!!
IF You are still paranoid, use www.privnote.com
It's safe and 100x faster than the whole PGP thing.
*Again*, WWW.PRIVNOTE.COM is the way to go dear customers.

The vendor's time is obviously more important than the customer's freedom.  Use privnote, it's better than PGP?


U wut m8? :o

If a vendor isn't intelligent enough to grasp the very simple PGP system, I am not stupid enough to deal with them. Competition exists for a reason. PGP is built on open source code, I have no idea about what privnote does, but I'm guessing its software is not open source considering it's a web service. Fuck that.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Young Morpheus on June 21, 2013, 05:15 am
Quote
Anyone have any info on getting pgp to work in Windows 8? pgp4usb installs fine and pretends it works, but won't actually generate a key. Gnupg admits that it doesn't work in Windows 8.  I've been using iGolder, but that's going away and I'd be much happier with a real pgp installation on my computer. Any advice would be appreciated.

I like portable PGP. It has both a windows executable, and a .jar version (which means you can run it from any OS capable of running Java Runtime environment (anything consumer level)).

It also means you can carry it on a thumbstick if you want to. It goes both ways.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Young Morpheus on June 21, 2013, 05:17 am
Quote
I refused to buy from a vendor just a week ago, he had very good prices, but no PGP-Key. Wrote him a pm, but he ignored it. One of my favourite domestic vendors uses a 1024 bit key, I wonder if that's a real security risk? I feel like asking him to change his key, but he would probably ignore me :P


Scratch that. gpg4usb ftw
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: SOUTHPAW on June 21, 2013, 05:37 am
Quote
If you must be secretive(no need at all) with sending me your address and you believe all those morons in the forum ---- I ONLY USE privnote.com. You can use it for your address. Part of the reason my operation runs so fast is because I don't have to waste extra time trying to read secretive messages or use that stupid time wasting pgp. Don't be the one slowing the packaging and shipping down with your privnote last second after my time cut off time with a long message for me to read and respond to. I am very busy!

Privnote is safe, fast, and easy. And totally not needed. BUT if you feel you need to..then use it. I don't care. But don't use it to send me a question..A big waste of time. You are too paranoid and stupid... Go to another vendor or jump off a building.

Huh!

Seriously?

Looks like someone I know of. 

Are you trying to pick a fight JACK?
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Young Morpheus on June 21, 2013, 08:10 am
Yeah, but what if someone hacks the computer of a vendor? Come on. Saying "it's not really necessary" is just a silly thing to say. Unless every vendor is a network security specialist and knows how to avoid social engineering, then it is definitely necessary.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: kmfkewm on June 21, 2013, 12:03 pm
Quote
its really not necc. if SRs server was not i think there would be larger issues. sure it cant hurt though. addys get auto encrypted in the box....and i gotz faith in dat nigga dread, its something bout his name yo.

You want to put your trust in something that is certainly hackable (SR server) instead of in something that the greatest mathematicians in the world think is essentially uncrackable without a quantum computer (4,096 bit RSA)?
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Buttercup. on June 21, 2013, 12:19 pm
Consider it a litmus test for intelligence and security-consciousness, then: if a vendor tells you they refuse to learn or use PGP, they're doing you a favor in letting you know they're not that bright, and that they have a fucked up sense of priorities.

On the other hand, I'd love to see what would happen if Mr. Please-Avoid-PGP gets caught:

>> Yes, your Honor, I get it, but c'mon. Are you kidding me? Do you really expect anyone to read the whole "Controlled Substances Act" thing? Who has time for that? And it's not like international drug trafficking is a serious crime or anything."

Quote
its really not necc. if SRs server was not i think there would be larger issues. sure it cant hurt though. addys get auto encrypted in the box....and i gotz faith in dat nigga dread, its something bout his name yo.

It's not just that the SR server might get hacked. DPR employs a team (however small) of admins to work on the site. A far more likely scenario would involve their log in credentials being intercepted or stolen, or one of them being identified and arrested and forced to turn over that information. My rule-of-thumb: as with the clearnet, assume that all your posts and PMs are public.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: mcguire39 on June 21, 2013, 01:50 pm
Right, I mean if a vendor won't allow you to use PGP in placing your order or doesn't have a public key posted, it means they either don't understand security thoroughly, or they don't care much about your security. That would be a red flag in my opinion. Sure it can take a few practice tries to figure out PGP, but anyone who can figure out how to download tor and find SR can figure out PGP too.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: BlackIris on June 21, 2013, 03:09 pm
Quote
Anyone have any info on getting pgp to work in Windows 8? pgp4usb installs fine and pretends it works, but won't actually generate a key. Gnupg admits that it doesn't work in Windows 8.  I've been using iGolder, but that's going away and I'd be much happier with a real pgp installation on my computer. Any advice would be appreciated.

Gpg4win works on Windows 8 (I tried it in a VM), but it is not portable if that's what you want.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: astor on June 21, 2013, 04:12 pm
Another reason for vendors to have PGP keys is that it's their proof of identity in a pseudonymous community. There was a case where a vendor's market and forum accounts were hacked. He had to create a new forum account to inform his customers about it, and the mods requested that he sign a statement with his PGP key. There are a variety of situations where a vendor would want to prove his identity, and a PGP key is the best way to do it.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: HappyTrees on June 21, 2013, 04:26 pm
Having pgp doesn't ensure your security..as far as I'm concerned. If they seize your computer they will be able to make the connection with the keys on your keyring. Unless you destroy the harddrive/flashdrive pronto while being raided?
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: BlackIris on June 21, 2013, 05:42 pm
To decrypt the messages (as buyer addresses etc.) they will need the password for the key and assuming the person isn't an idiot to have an easily crackable one and/or to put it somewhere that can be found easily, nobody even having the key can decrypt the messages.

So even assuming that LE can find the vendor secret key (and this is already difficult in itself - i.e. almost impossible, again if one isn't an idiot - since you should use Tails or a Whonix VM etc. with an encrypted persistent volume & co. if you want to store data) this alone will not suffice for them to be able to decrypt messages.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: kmfkewm on June 21, 2013, 06:35 pm
Quote
Having pgp doesn't ensure your security..as far as I'm concerned. If they seize your computer they will be able to make the connection with the keys on your keyring. Unless you destroy the harddrive/flashdrive pronto while being raided?

Or if you encrypt your hard drive. Having GPG most certainly doesn't ensure your security though. Hell, not using GPG doesn't even ensure that you will be compromised. If you don't use GPG to send your address over SR then your security is dependent on the server never being seized while it is in a vulnerable state (ie: booted on), everybody who has legitimate access to the server being honest and non-malicious, and the server never being penetrated by malicious hackers. Now, the server is almost always on so if it is seized then you are pretty fucked. Tor is better than nothing anonymity for servers, but everybody knows that hidden services are not the most anonymous things in the world. Not to mention there is always the risk that the server will leak its IP address etc. We are pretty positive at this point that DPR is legitimate currently, and we hope that the people he picked to have access to the server are legitimate, but people can of course turn to the enemy if they are compromised, and it is not unheard of for undercovers to infiltrate criminal groups at a high level (ie: master splynter gained legitimate administrative access to a carder forum). As far as hackability goes, well at least 99.9999999% of software is hackable, and the software running SR is no different.

On the other hand, if you use GPG then your security is dependent on extremely large composite numbers being difficult to factor into primes, and essentially all mathematicians believe that extremely large composite numbers are extremely difficult to factor into primes.

So it is up to you if you want your security to rely on the anonymity of Tor hidden services (which is undoubtedly less than the anonymity of regular Tor clients), the security of the server (which is undoubtedly not perfectly secure), and the benevolence of the people with administrative access to the server (which is indeterminable), or if you want your security to rely on something that mathematicians hold to be fact (ie: that it is very hard to factor a very large composite number into primes).
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: popjoe on June 21, 2013, 07:37 pm
I'm a moron for using pgp?  Probably!  Even a moron can learn how to use pgp!

Maybe this vendor pays for his supply by bank transfer.  Maybe even by credit card, after all it's even quicker, saves him his precious time!


Bottom line is, SR or not, dealing with narcotics is a delicate matter.  If you're messing around with narcotics, (stay away from drugs people, they're bad!) your general priority is not getting busted or getting linked to someone who got busted.  That's why in real life your customers or dealers shouldn't really know where you live.  In real life you should use a different name.  You should also wear unremarkable clothing (that means no gold chain, might be hard for some).
Not going to get into this too much but in real life a smart dealer or customer goes the extra mile to be discreet.  Our practices after all aren't appreciated by a lot of people, not just LE.

That is why I don't understand why someone wouldn't use pgp.  Computers are so much better at storing information than humans.  If you were to sell to someone at a party and this person got busted an hour later, and was compelled to describe who sold it to them, there's always a chance that person can't be as helpful as LE would like.  Computers rarely get it wrong though.
Internet is becoming a part of society.  Nowadays, posting on a forum is almost the same as going to a bar and having a random conversation with a stranger.  You are also accountable for things you say on the internet.  Dealing drugs on the streets or on the Road should therefore require the same amount of discretion.

The Silk Road and computer software/technology allow us to further this discretion. MAKE THE MOST OF IT.

To the vendor who was quoted : Sorry mate but most people here want to go the extra mile to stay out of prison and they should.  I'm sure you're doing fine though and I wish you the best of luck.

Random Off-topic Fact : If you think you're being followed, or you are following someone, on foot of course, remember : anyone can change their clothes in a few seconds without even carrying a bag - changing your shoes however! Not so easy.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: Jack N Hoff on June 21, 2013, 07:44 pm
Quote
You should also wear unremarkable clothing (that means no gold chain, might be hard for some)

Can I hang a gold chain around my computer monitor?
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: popjoe on June 21, 2013, 07:53 pm
Quote
You should also wear unremarkable clothing (that means no gold chain, might be hard for some)

Can I hang a gold chain around my computer monitor?

Only if your CD drive has gold grills.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: cantharidin on June 21, 2013, 09:00 pm
Quote
Anyone have any info on getting pgp to work in Windows 8? pgp4usb installs fine and pretends it works, but won't actually generate a key. Gnupg admits that it doesn't work in Windows 8.  I've been using iGolder, but that's going away and I'd be much happier with a real pgp installation on my computer. Any advice would be appreciated.

Gpg4win works on Windows 8 (I tried it in a VM), but it is not portable if that's what you want.

Thanks! I think I tried that some time ago, but I'll work harder at it and see how it goes. I couldn't hate Windows 8 more, and rue the day that I bought a laptop with it installed.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: ddfc66 on June 22, 2013, 02:00 am
If they are too lazy to use PGP it makes you wonder what else they cut corners on. PGP should be mandatory. No PGP=No order. How can you feel safe using a sketchy third party clearnet site like privnote for your personal info.
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: TorXic on June 24, 2013, 10:09 am
pgp? privnote? I found a vendor asking for my address in clear text!!!  :o

the fuck!?!?!?

a while ago I read something about vendors' rules and reporting them if they don't follow; was I dreaming or is there something like that?


probably it's a scammer too  :'(
Title: Re: I can't believe some vendors ask you not to use PGP...
Post by: popjoe on June 24, 2013, 10:51 am
Quote
probably it's a scammer too  :'(

Maybe he's just the kind of dealer who texts you "i've got your dope come to this address, here is my social security number gimme yours"