Silk Road forums
Discussion => Newbie discussion => Topic started by: xlr8r on June 24, 2013, 06:48 am
-
http://cannabiscorner.net/guide-to-the-silk-road-part-1-getting-started/
This site covers everything from the ordering process through to PGP encryption, well worth a look
-
bump
-
well worth the look..thanks
-
Thanks for posting this.
-
Good post.
-
Cheers! :P
-
helped with some ?'s
thanks
-
Thanks
-
Truly appreciate the info.. I will test this and report back to add confirmation for others!
-
Pretty straightforward. My only issue is they recommend the Hanewin JavaScript app to encrypt your address. So you're outsourcing your security to that site and trusting that it doesn't steal your address. They wouldn't be able to link your address to a specific purchase, but I'm not comfortable (potentially) adding my address to some database they could be collecting.
-
Will hopefully be using this (the PGP part) today! thanks :D
-
No worries at all guys, it helped me so hopefully it can help you too :)
-
Just what I needed!
-
Good read - great work 8)
-
Cheers guys
-
http://cannabiscorner.net/guide-to-the-silk-road-part-1-getting-started/
This site covers everything from the ordering process through to PGP encryption, well worth a look
-
cheers
-
Noice
-
Thanks!
-
Thanks!!
I need!
Cheers ;)
-
Very Nice :)
Thanks for helping support the community and everyone's security.
-
Awesome link, wish I had come across this about two weeks ago. Would have saved me a whole lot of time getting started. Thanks for posting this
-
Pretty straightforward. My only issue is they recommend the Hanewin JavaScript app to encrypt your address. So you're outsourcing your security to that site and trusting that it doesn't steal your address. They wouldn't be able to link your address to a specific purchase, but I'm not comfortable (potentially) adding my address to some database they could be collecting.
I agree with astor on this. And they could potentially link your purchase to you if your vendor/DPR knowingly or unknowingly saved your encrypted address somewhere in combination with information on the item(s) you ordered. If the feds got hold of this data and this Hanewin service (either forced by feds or because they want to) log both your encrypted and clear text message in some sort of database, they could just look it up and link everything to the address you used.
Another thing that could happen would be that the feds would find the SR server, and instead of taking it down on the spot they would be using a man in the middle attack to monitor the network traffic coming in, capturing the network packets and going right to Hanewin to see if you happened to use it. :o
I would suggest following astor's instruction from his signature:
http://32yehzkk7jflf6r2.onion/gpg4usb/
Or better yet, just get the command line tool from gpg4win and make sure the hash matches up, if you know how to. I might write a post about this later when I have more free time on my hands because I would just hate to see this community get hurt because we don't teach everyone -- no matter what kind of computer skills and knowledge they possess -- how to successfully survive in the long term on here.
I take what I said above back, after testing the HaneWIN service and making sure it doesn't log your information, I am certain it is -- at the moment -- as secure as any other method of encrypting your message (short of encrypting it by hand ;))
-
would someone please try this out for me...thanks
<PGP key>
-
Outstanding work. Any clue on a Bitcoin seller for Europe... the option mentioned in this post is only for US and a couple other countries, none of which use EUR as their currency...
-
thx
-
would someone please try this out for me...thanks
<PGP key>
I sent you a private message encrypted with your public key.
-
Thank you very much!
-
Very helpful thank you ;D
It was interesting to see the other Black Market websites listed. BMR is the only other one I would ever trust, I have seen a few on Hidden Wiki before but thought they were always scams never knew others really existed.
Thanks for the info, all newbies should read this.
-
Awesome.
-
Again guys thank you, I wish I came across it when I first joined, however I am slightly concerned about the posts relating to PGP security and the Hanewin site, how can I be more secure? And if I use PGP from this site, by using the recipient's public key, aren't I ensuring that only THEY can read my message?
-
Wanna get it to the top again so more ppl can read it :)
-
Thank you !
-
God damn it.
-
Thanks so much! Super useful!
-
All good :)
-
How much has it grown?
-
could have used this while I was stumbling through the process
-
Exactly, i feel it is essential reading for any noob
-
Again guys thank you, I wish I came across it when I first joined, however I am slightly concerned about the posts relating to PGP security and the Hanewin site, how can I be more secure? And if I use PGP from this site, by using the recipient's public key, aren't I ensuring that only THEY can read my message?
I decided to take a look at this Hanewin site. It looks as though it's all purely JavaScript and no packets get sent to the server (confirmed with Wireshark), so if you have used it you can probably sleep without worrying about anyone having logged your messages.
So, in order to answer your question more directly:
Yes, by using that page you are ensuring only the person(s) with the private key that corresponds to the public key will be able to decrypt your message. And the only risk it poses is that the owner of the site could decide to make his JavaScript application log everything you're encrypting, for whatever reason (cooperation with feds, blackmail etc). I doubt that will ever happen, and to be honest you probably run about the same risk of having the OpenGPG source code compromised without anyone noticing; in which case things could also go very bad. In short: I'd be OK with using the service Hanewin provides at the moment.
-
nah don't think it would be a good idea to trust a third party site with your encryption, why take a chance?
-
Trusting the site to do PGP is indeed a bad idea. I'm glad others have checked with wireshark that nothing goes over the wire. But what if they change the site one day? What if LE compels them to, after seeing that they're used by new SR people a lot? It's a bad idea.
Learn to use PGP properly, and stay safe folks.
-
nah don't think it would be a good idea to trust a third party site with your encryption, why take a chance?
You are taking an equal chance trusting the software you are using. For all you know, the source code for OpenGPG could have been compromised (would be far from the first time that happened to an open source project) leaving some serious back doors open. This would be far more serious than the potential logging of your address, they could even log the exact products you're ordering. Even more likely to happen is that you download the binary from some mirror server, and this mirror has been compromised and the binary modified (this is why you should always check that the hashes match up) to do nasty things.
In the end, you're always trusting a third party unless you're writing the software yourself or encrypting the message by hand (which would take forever). :-\
-
Trusting the site to do PGP is indeed a bad idea. I'm glad others have checked with wireshark that nothing goes over the wire. But what if they change the site one day? What if LE compels them to, after seeing that they're used by new SR people a lot? It's a bad idea.
Learn to use PGP properly, and stay safe folks.
Indeed, this is a risk you run. And to be honest I think we should have our own customized version of OpenGPG (or better yet, written from scratch) to ensure nothing bad goes on. If we kept it really light on features, there would be no need to ever update or change it and once enough people have looked over the code it could be verified and kept as the final version. This, in combination with hash checks to make sure the code is unmodified would be the most reliable thing I can think of because you could spread the hash all over the web. If the feds or hackers compromised this server they could change the hash on this site, but they'd have to hack the entire internet to change all the hashes around (or at least the majority of them). Should there EVER be an update, the only one who could issue it would be DPR and he would have to sign it using his public key.
If anyone is interested in this I'm up for writing this software, it would be in either C or C++. I would need plenty of people to scrutinize the code though, because otherwise everyone would have to trust me and that could be a disaster (I buy drugs off the internet, after all!). So if you have a lot of experience with C/C++, and would like to help out, please let me know. If you come up with any good reason why this is a terrible idea, please also let me know.
EDIT:
I forgot to add that the source would obviously have to be scrutinized again before the DPR signed version becomes final, in case his private key or he himself gets compromised. And the software would obviously be open source so anyone can look it over and ask questions that need to be asked to ensure everyone's safety.
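
The cross-checking idea in the post above (a hash published in many places, so that changing it in one place is not enough), as an added example that is not part of the original thread: a file is accepted only when its SHA-256 matches what a strict majority of the listed sources publish. The source names, file bytes and digests are constructed, and the check assumes the sources are hosted independently of each other.

```python
import hashlib

def sha256_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large downloads are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalise(published):
    """Accept 'HEX' or sha256sum-style 'HEX  filename'; return lower-case hex or None."""
    parts = published.split()
    token = parts[0].lower() if parts else ""
    valid = len(token) == 64 and all(c in "0123456789abcdef" for c in token)
    return token if valid else None

def verify_against_sources(actual_hex, published_by_source):
    """Return (accepted, agreeing, dissenting).

    accepted is True only when a strict majority of the listed sources publish
    the digest computed locally. Malformed entries count as dissent, so a
    source serving garbage cannot be silently dropped to reach a pass.
    """
    votes = {src: normalise(val) for src, val in published_by_source.items()}
    agreeing = sorted(src for src, val in votes.items() if val == actual_hex)
    dissenting = sorted(src for src in votes if src not in agreeing)
    return len(agreeing) * 2 > len(votes), agreeing, dissenting

# Constructed sample: three hypothetical sources, one of which publishes a
# digest for different bytes (as a compromised mirror would).
SAMPLE_RELEASE = b"constructed release archive bytes\n"
GOOD = hashlib.sha256(SAMPLE_RELEASE).hexdigest()
SAMPLE_SOURCES = {
    "mirror-a.example": GOOD,
    "mirror-b.example": GOOD.upper() + "  tool.zip",
    "mirror-c.example": hashlib.sha256(b"tampered").hexdigest(),
}

if __name__ == "__main__":
    ok, agree, dissent = verify_against_sources(GOOD, SAMPLE_SOURCES)
    print("accepted" if ok else "rejected", "| match:", agree, "| differ:", dissent)
```

A dissenting source is worth investigating even when the majority check passes, and sources that copy their digest from one origin count as a single vote.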
-
Straight up I don't understand all of the computer jargon you guys are using, the only way I know how to use PGP is through Hanewin, and I'm only encrypting my address so I should be fine yeah???
-
pgpgpgpgpgpgp
-
pgp is the way, yo 8) keep it secret, keep it real mah silky peers
-
Let me know guys plz
-
Good article, thanks.
-
No worries man, all newbies should check it out
-
Straight up I don't understand all of the computer jargon you guys are using, the only way I know how to use PGP is through Hanewin, and I'm only encrypting my address so I should be fine yeah???
Yes, you'll be fine! But I do think we should get our own version at some point, and it could also be made a lot easier than it is right now for the simple needs of our community. I think I might start working on it later today and post it (including the source code) when I'm done, then people can decide whether they want to use it or not.
EDIT:
Quoted the wrong message by mistake. 8)
-
That was actually really helpful thanks so much
-
No worries bro all good :)
-
Bumping this fine shit to the top once more, it guided me through my first orders with ease!
-
Bump to the newbies
-
Bump again
-
i read the stuff from the link and most is good to know... some useless, but in all... good job bro
-
bump
-
BUMP
-
BUMP
-
Bump again, just want as many newbies to read this as possible
-
Just never FE... that's all you gotta do
-
That's it man
-
Wanna bump again
-
bump
-
Thanks for the post. If only everyone would take time to educate themselves, put their irons in the fire and fight the good fight. Education is key.
-
Very well written
-
thanks - GREAT READ!
-
Thanks for the post. If only everyone would take time to educate themselves, put their irons in the fire and fight the good fight. Education is key.
Well Said
-
bump
-
What are your thoughts on terabithias h? I only bought 1 stamp and express delivered it, so I don't expect it to be a priority with all the other orders she has to process. Just wanna know if you've tried it and if it's good. You seem to be knowledgeable of the good vendors on silk road which is why I am asking you directly. Thanks man. Btw. Bought it early Friday morning, so hope it goes into transit today (fingers crossed).
-
baktodatop!!!!!!!
-
Thank You!
-
bounce!