Silk Road forums

Discussion => Security => Topic started by: StExo on July 19, 2013, 02:31 am

Title: [AUDIT #2] An advanced warning to the complacent among us
Post by: StExo on July 19, 2013, 02:31 am
Following my last audit, which received much attention (I'm happy to say) by pretty much leaving me bogged down with requests every day, I am now conducting a second run-through of SilkRoad to find the cracks and errors amongst vendors. I don't expect that I will find anywhere near as many errors and security holes as last time - but you never know, I didn't think I'd find anything like I did last time!

This time, however, I am shaking things up a bit, because the last attempt to solve problems was ridiculous and a very drawn-out process for people who should already know how to cover their own backs. I am not going to be keeping any secrets from anyone this time - so if you fuck up on your security, I am going to name and shame you publicly at the same time I mail you about it, and you aren't getting removed until it is fixed, unless it's a risk which could identify you, in which case you've got around 6 hours to fix it before it heads to the staff mailbox, and once it's solved you're still being named and shamed for your stupidity.

Vendors who use 1024-bit keys, leave information which is traceable to real clearnet accounts etc. - be warned, I am coming after you, and you will be given a public lashing on the matter, so don't ignore this warning thinking I will miss you, because I won't; I am even giving DPR a run-through for what I can gather on him.

This topic is not for the actual audit, I will be doing it very soon in another topic (exactly when, I won't release details of); this topic is only to warn the complacent to get your act together before the public hammer comes down on you, because if you jeopardise yourself I can't stop you, but I think the moment that crosses over to endangering other users then your customers have a right to know. For those vendors who last time threatened me when I said I'd reveal their flaws publicly if they didn't buck up their act - let's not go through this again; your mail will be published and put at the top of the list, because if you're stupid enough to threaten me, you clearly have no regard for security, my work, or any common sense if you know who I am and what I do.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Aussie bob on July 19, 2013, 02:36 am
You rule +1
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: ChemCat on July 19, 2013, 02:37 am
Hugs to you StExo!!

:)

Chem

O0
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: BruceCampbell on July 19, 2013, 02:37 am
Come at me bro. Dude if you find any significant shit then give us hell about it. There's no pride in my opinion when it comes to security, so if you look at my shit and see something I fucked up I sure as hell want to know about it.

Maybe give vendors like 36 hours to reply to fix it before you shame them though? because if you don't then depending on what you find and release you might be handing info over to the enemy neatly bundled for analysis.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: StExo on July 19, 2013, 02:46 am
> Come at me bro. Dude if you find any significant shit then give us hell about it. There's no pride in my opinion when it comes to security, so if you look at my shit and see something I fucked up I sure as hell want to know about it.
>
> Maybe give vendors like 36 hours to reply to fix it before you shame them though? because if you don't then depending on what you find and release you might be handing info over to the enemy neatly bundled for analysis.

Vendors get 6 hours and that's it - no more, no less, if it's identifiable. If it's non-identifiable and just plain bad practice (i.e. a weak key, which LE can probably find with their own crawlers) then you're thrown up automatically until it's fixed. If I'm too hanky-panky about it all, I think some may not take this seriously. Heck, I might even start a "Secure Vendor" list for those who have every aspect covered flawlessly.

For identifiable information, obviously SR staff will be contacted, and then once they've removed it, I will list it (I won't mention what it was, only that it was serious). The reason being that if LE find it, which they probably have, then they'll be watching you already and you're then a risk regardless of whether you change it, and it's a known fact, which I can verify myself for SR staff privately, that LE crawl the marketplace with some pretty advanced bots.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: BruceCampbell on July 19, 2013, 02:52 am
You have to take into consideration time zones, man. With great power comes great responsibility. Tobey Maguire taught me that on the set of Spiderman...

 ;D

Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: boosties on July 19, 2013, 03:11 am
You're the man StExo! +1
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Rastaman Vibration on July 19, 2013, 07:35 am
> Vendors who use 1024-bit keys, leave information which is traceable to real clearnet accounts etc. - be warned, I am coming after you, and you will be given a public lashing on the matter, so don't ignore this warning thinking I will miss you, because I won't; I am even giving DPR a run-through for what I can gather on him.

Thanks StExo! I can't tell you how many times I've warned vendors about their 1024-bit key or the gmail address that popped up when I imported their key, yet they're not doing anything about it!  :o Glad to see you are taking more serious measures
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Raoul Duke on July 19, 2013, 07:41 am
subbing. StExo - i'm liking the cut of your jib :-*
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: BlackIris on July 19, 2013, 08:15 am
I already personally asked astor last time to publicly reveal the names of the vendors that had insecure PGP keys. He didn't want to do it, but IMO he should have.

This is in the interest of every buyer to know; it is not something that must remain private.

Btw, I would even personally extend the check to buyers themselves; ALL the community should be checked and reprimanded if something is wrong. Security is a must in this place, and the weakest link, sadly, is always in humans.

EDIT: Then I don't really understand how people think. The vendors even threatened you after the FAVOR you did them? If I had a security hole in my setup I would like to know it, and as fast as possible, so as to correct it. I wouldn't care in the slightest if I was shamed publicly about it; it was my fault and I would have to pay the consequences, but at least now I know how to resolve the problem and what I must do so that I'm secure.

I really cannot get how some people think, I really can't.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: White 0ut on July 19, 2013, 08:23 am
> subbing. StExo - i'm liking the cut of your jib :-*

Second...

sub'd
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: njguido on July 19, 2013, 09:17 am
aaaand subbed.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: sourman on July 19, 2013, 09:29 am
StExo, I like you.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: GotGas on July 19, 2013, 11:19 am
> > Come at me bro. Dude if you find any significant shit then give us hell about it. There's no pride in my opinion when it comes to security, so if you look at my shit and see something I fucked up I sure as hell want to know about it.
> >
> > Maybe give vendors like 36 hours to reply to fix it before you shame them though? because if you don't then depending on what you find and release you might be handing info over to the enemy neatly bundled for analysis.
>
> Vendors get 6 hours and that's it - no more, no less, if it's identifiable. If it's non-identifiable and just plain bad practice (i.e. a weak key, which LE can probably find with their own crawlers) then you're thrown up automatically until it's fixed. If I'm too hanky-panky about it all, I think some may not take this seriously. Heck, I might even start a "Secure Vendor" list for those who have every aspect covered flawlessly.
>
> For identifiable information, obviously SR staff will be contacted, and then once they've removed it, I will list it (I won't mention what it was, only that it was serious). The reason being that if LE find it, which they probably have, then they'll be watching you already and you're then a risk regardless of whether you change it, and it's a known fact, which I can verify myself for SR staff privately, that LE crawl the marketplace with some pretty advanced bots.

Yeah people gotta sleep. But then again time doesn't matter when it's already been archived by several intelligence organisations...
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: CaliforniaCannibas on July 19, 2013, 01:25 pm
I use a fake gmail address in mine.......that address has never been set up or logged in to........why is that a problem?

> > Vendors who use 1024-bit keys, leave information which is traceable to real clearnet accounts etc. - be warned, I am coming after you, and you will be given a public lashing on the matter, so don't ignore this warning thinking I will miss you, because I won't; I am even giving DPR a run-through for what I can gather on him.
>
> Thanks StExo! I can't tell you how many times I've warned vendors about their 1024-bit key or the gmail address that popped up when I imported their key, yet they're not doing anything about it!  :o Glad to see you are taking more serious measures
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: fbny71 on July 19, 2013, 01:26 pm
Definitely subbed.

 + Karma when I am able.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: fbny71 on July 19, 2013, 01:28 pm
Even though it's fake, I imagine Google would still have some identifiable info, no? IP address, or something.

> I use a fake gmail address in mine.......that address has never been set up or logged in to........why is that a problem?
>
> > > Vendors who use 1024-bit keys, leave information which is traceable to real clearnet accounts etc. - be warned, I am coming after you, and you will be given a public lashing on the matter, so don't ignore this warning thinking I will miss you, because I won't; I am even giving DPR a run-through for what I can gather on him.
> >
> > Thanks StExo! I can't tell you how many times I've warned vendors about their 1024-bit key or the gmail address that popped up when I imported their key, yet they're not doing anything about it!  :o Glad to see you are taking more serious measures
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Raoul Duke on July 19, 2013, 01:35 pm
^^ I think what they mean is they just entered a random email address in there ("that address has never been set up or logged in to"). If it's not even set up there is no address, or if there is, it's got FA to do with them.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: astor on July 19, 2013, 02:39 pm
> I already personally asked astor last time to publicly reveal the names of the vendors that had insecure PGP keys. He didn't want to do it, but IMO he should have.
>
> This is in the interest of every buyer to know; it is not something that must remain private.

And they can easily find out on an individual basis. You see a vendor you like, you import their key. In every PGP program you can look at the key properties, which will tell you the key size. If you think the key is weak, don't encrypt your address with it.

Of course LE could be crawling the site already and gathering that intel, but I see no reason to do our enemy's job for them. That's why I didn't release a master file of the keys or a list of vendors with weak keys.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: StExo on July 19, 2013, 02:53 pm
> I use a fake gmail address in mine.......that address has never been set up or logged in to........why is that a problem?
>
> > > Vendors who use 1024-bit keys, leave information which is traceable to real clearnet accounts etc. - be warned, I am coming after you, and you will be given a public lashing on the matter, so don't ignore this warning thinking I will miss you, because I won't; I am even giving DPR a run-through for what I can gather on him.
> >
> > Thanks StExo! I can't tell you how many times I've warned vendors about their 1024-bit key or the gmail address that popped up when I imported their key, yet they're not doing anything about it!  :o Glad to see you are taking more serious measures

It isn't a problem at all. As long as the address isn't legitimate or used for any other purpose you will be fine, as I do manual checks to ensure that doesn't happen. If the address is real but not yours, I won't be best pleased, but I'm still going to make a point of it for that person's sake.

So yeah, if it isn't set up or real, you won't have a problem.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: StExo on July 19, 2013, 02:56 pm
> > I already personally asked astor last time to publicly reveal the names of the vendors that had insecure PGP keys. He didn't want to do it, but IMO he should have.
> >
> > This is in the interest of every buyer to know; it is not something that must remain private.
>
> And they can easily find out on an individual basis. You see a vendor you like, you import their key. In every PGP program you can look at the key properties, which will tell you the key size. If you think the key is weak, don't encrypt your address with it.
>
> Of course LE could be crawling the site already and gathering that intel, but I see no reason to do our enemy's job for them. That's why I didn't release a master file of the keys or a list of vendors with weak keys.

I agree with astor; we're not going to make things easy for them. Everything we say and release they probably already have; we are trying to keep up with them in respect of warning people before they're caught etc. and improve everyone's game. Releasing a list of weak PGP keys will not benefit anyone on the forum. I have backups of everything, so if the site went down then maybe I'll release everything so people can continue business as usual - but not yet. I don't feel it is right to make this easier for LE, and the whole point of the audit is actually to make LE struggle even more.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: iAmMe on July 19, 2013, 03:03 pm
Subbed. Im in!
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: sharonneedles on July 19, 2013, 03:36 pm
How do you strengthen your key?
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: astor on July 19, 2013, 03:40 pm
You could create a subkey with a larger key size, but the easier way is to just create a new key and increase the key size at that time.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: yunalesca on July 19, 2013, 03:40 pm
Tentatively awaiting the results.... This should be interesting.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: BlackIris on July 19, 2013, 03:42 pm
> I agree with astor; we're not going to make things easy for them. Everything we say and release they probably already have; we are trying to keep up with them in respect of warning people before they're caught etc. and improve everyone's game. Releasing a list of weak PGP keys will not benefit anyone on the forum. I have backups of everything, so if the site went down then maybe I'll release everything so people can continue business as usual - but not yet. I don't feel it is right to make this easier for LE, and the whole point of the audit is actually to make LE struggle even more.

So... first you said that you were going to publicly post the names of the vendors with bad security (such as bad keys) and now you say the contrary.
Which one of the two is it then?

I was not asking you to release the keys, just to name the vendors that have bad security (a thing you said you would in your OP), and this includes bad keys.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: BlackIris on July 19, 2013, 03:46 pm
> And they can easily find out on an individual basis. You see a vendor you like, you import their key. In every PGP program you can look at the key properties, which will tell you the key size. If you think the key is weak, don't encrypt your address with it.

True. But since you already did it, why waste the work?

As you say, LE probably already knows this to begin with, so how can you really make their job easier? On the contrary, I think you do the opposite by naming the vendors publicly, because in that way they are more interested and more prone (much more than if you simply tell them privately) to change the key ASAP and fill the hole in their security so as not to lose clients and money.

Let's be real: it's true what you say about checking the key yourself, but how many normal users do you think will do that? I can bet almost none (so nothing will change for the vendor, and I can in the same way bet that if one is not secure to begin with he will not care at all about it, or very little; anyway not so much as to be prone to change the key without a strong motivation, such as lost sales). If the names are public, everybody will know it and the vendor will know this, hence s/he will be almost forced to change the key (nothing moves your ass like lost business if you are a vendor; look at how many threads about higher fees there have been, sometimes over differences of only a few dollars).
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: StExo on July 19, 2013, 04:22 pm
BlackIris, I'm not changing policy at all; you're talking about 2 different things. I am publishing a list of vendors with bad keys, not the keys themselves or any revealing information. Anything which could identify them, I wait until SR staff or the vendor remove it, then they're being named and shamed, and if they lose money over it - I don't feel many of us would care, because they're putting users in danger, which is unacceptable and neglects their duty to protect their customers, as it's no different than dealing in the real world and then your dealer handing over a list of his/her customers.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: abby on July 19, 2013, 04:22 pm
yay for StExo! 

you are very good for doing this and everyone (including those caught by it) should be grateful you are spending the time to harden security here.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: abitpeckish on July 19, 2013, 04:39 pm
subbing. Thanks StExo
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: BlackIris on July 19, 2013, 04:45 pm
> BlackIris, I'm not changing policy at all; you're talking about 2 different things.

LOL.

No, I wasn't. I never said that I wanted keys displayed, I just mentioned names (as in that I was happy that the names of the vendors who had the bad keys would be revealed).
It was astor who, replying to my post, used the term "... a master file of the keys or a list of vendors with weak keys" (because he was referring to the thread where I asked for the thing, and in that thread astor said he was almost tempted to release a keyring) in explaining why he didn't reveal that info next time.

Anyway, thank you for the clarification.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Cimicon-Rep on July 19, 2013, 06:10 pm
Next up, buyers who don't use PGP... which is more than 50%. Add in another ~20% who use Privnote and we're looking at about 70% who don't use PGP.

The overly security conscious buyers (those who only do business with 2048+ key strength) can tell the key strength of any vendor and decide from there. But with that many buyers not using PGP, why come after vendors?

What's next? Vendors who don't enforce PGP be used at all times? How can we? We'd lose more than half our business. So instead we protect ourselves in other ways.

Anyway, time to change to 4096-bit key strength, in case we miss the new witch hunt for a 2048-bit key strength vendor name-and-shame list.
Can all PGP programs handle a key that strong?
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: missbliss on July 19, 2013, 06:26 pm
hi hi

as a vendor i figured i'd chime in:

Many of the keys I've received from buyers include their REAL name and email address. Not smart; however, I feel there is a bit of a disconnect on "how" to set up PGP for our purposes properly.

My public key is and has always been 4096-bit - the highest available for my PGP app. You ALWAYS want the highest number. It doesn't cost anything extra, so why not use it? Also, the "email" address you put in there DOES NOT HAVE TO BE LEGIT!!!!!
People don't realize this. Mine is Miss@Bli.ss -- that's not anywhere remotely 'real'. I don't even think .ss is a top-level domain lol

A PGP key does not give a shit about what your email is, just that it includes a @ and a . (and I'm not even sure those 2 characters are required for all PGP apps)

It's incredibly difficult for a vendor to keep track of public keys when they DON'T have your SR name attached. On your PGP key, your "real name" should be your SR username....

For example: I don't remember who "john smith - jsmith@gmail.com" is - but I do know who my buyers are, since their names are on SR.... It makes replying encrypted MUCH easier if you DO NOT HAVE YOUR REAL INFO ATTACHED AND INSTEAD USE YOUR SR NAME!!!!! It's much safer too!

Always think ahead and assume EVERYONE is a cop!!!! If you take the proper precautions it doesn't matter if they are LE or not! No one - not even the NSA - can catch you if you conduct yourself correctly.

stay safe everyone!
xoxo
-mb
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: StExo on July 19, 2013, 06:46 pm
If anyone wants me to start hunting and naming buyers, go ahead, send me their details, but I can assure you, your unpopularity will blow through the stratosphere. If they had publicly accessible information then sure, I would give them a little pick through too, but that is 1 person, and vendors are a much more valuable target; I doubt LE cares much about the buyers, to be quite fair, because it isn't worth the hassle, but snag a big vendor and you've possibly got a lot of names. I know a lot of buyers don't use PGP - I am a vendor myself, do not forget that - but I can only protect people when they want to be protected, whereas vendors on the other hand handle that information, and it isn't their information to be handling insecurely.

However secure a buyer is, they are only protected against MITM attacks to some extent and from a server seizure - but if the vendor is busted then that's a whole new ball game, as PGP doesn't protect them against vendors who will give LE details or co-operate, which I suspect some vendors here may do, since I've noticed the rise of people who have never sold drugs in their life except across the internet, and I imagine these are the sort who would squeal as soon as LE lay a hand on them. It's a sad reality.

But to all vendors criticising my methods above - if you are properly safe and take the right measures, why worry? I'm a damn vendor myself; I know people use unregistered gmail addresses etc. on their PGP (although it's unnecessary). I manually check all flagged details, so this isn't a cut-and-dried bot job, to ensure we get accurate results and don't potentially affect a vendor's status by wrongly accusing them of lax security.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Cimicon-Rep on July 19, 2013, 07:04 pm
@ Missbliss - Yeah, exactly, that's another thing. Buyers that submit public keys that have no relation to their SR buyer name make it hard for vendors to figure out who the key belongs to. So if we ask for it again and again, please don't take offense. Plus we delete keys after finalization. So next time you order, supply the key again.

@StExo - alright brother, as long as you understand that the super majority of buyers don't use PGP, then it's all good. But since so few buyers use PGP, why not just make a tutorial to show them how to detect weak PGP keys instead of naming and shaming vendors? Once a vendor gets shamed, it might stick in the minds of buyers and rumors might get started.

You could even send those vendors info on how to be more secure, as they might not know how. And leave it at that. PGP isn't the end-all in security by any means. I'm sure some vendors hold names and addresses, wrongly thinking it might be some leverage in negotiations with LE if arrested. Or they may even hold them in case a buyer changes feedback and/or tries feedback blackmail. Since the buyer could come back under another name, the vendor might not want to get burned twice. PGP doesn't mean anything then. The smart vendors get rid of everything as soon as possible - no body, no crime type of thinking.

I get what you're trying to do, I just think there's other ways to go about it without having to name and shame. Many of the vendors that have been busted so far are those who also deal IRL. If they get raided and there's a bunch of already-labelled envelopes with or without product in them, what good was even a 1-million-bit PGP key at that point?

Plus you're putting a bulls-eye on those vendors for all manner of attack, especially from scammers who will use it as an invite to attempt scams.

Just think about it. Something like this should be taken to the Vendor section. There, we as vendors can all help out those vendors who may not know how, or even that they were weak, and perhaps even mentor them until they figure it all out. Plus for vendors with a lot of listings, they will need time to change and update all their listings. 6 hours isn't nearly enough time. Consider that too.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: /I_Surf_Worm_Holes on July 20, 2013, 04:02 am
just sub'n, for now...
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: zxydwx3 on July 20, 2013, 05:51 am
Cimicon-Rep makes some good points. I'm just a buyer, small-time at that, but there do seem to be some valid concerns he raises.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: schuldig on July 20, 2013, 06:12 am
StExo: Improving Silk Road one PGP key at a time! I am curious to see what you have for us!
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: bbbaac on July 20, 2013, 06:17 am
I don't think it would be a problem. I do the same thing and already talked to StExo about it; he said it was fine as long as it wasn't my actual email  ;D
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: musichighlife on July 20, 2013, 07:35 am
I love this idea just because in the end it will help us all here on the Road and we need measures like this to be taken to continue to stay ahead of the curve. We are all part of the fight for our liberties here against the opposing powers that be, they leave no stone unturned so neither should we.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Rastaman Vibration on July 20, 2013, 06:33 pm
@Cimicon Rep, you raise some excellent points, however I will have to respectfully disagree about the issue of vendors' weak keys being addressed in the Vendor section.

I have personally warned several vendors about their weak keys. They have always responded with a "thanks for the warning" message, but have yet to actually strengthen their key.  :o Because of this, I think stronger measures are needed and I fully support StExo's initiative
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Pharmington Rex on July 20, 2013, 08:24 pm
Striking a balance between StExo's and Cimicon's points, it should be a multi-step process before going public.

A 6-hour grace period before being publicly shamed is a bit on the outlandish side. Busy vendors having to deal with the slowness of Tor, frequent logouts, customer communications, order management, etc. cannot accomplish changing their key from a weak <=1024-bit (DSA) non-RSA key to a strong 2048- to 4096-bit RSA/RSA key on both their profile page and listings in 6 hours.

The process should be within reason, and with consideration that no one is forced to do business with a vendor with a weak key and that most buyers don't even bother with PGP to begin with.

So the steps should be:

1. Warn the vendor who has a weak key that it needs to be changed. Include an excerpt about how the old weak non-RSA 1024-bit and lesser keys were cracked in so many months using so many computing cores. Include a link to PGP software like PGP4USB that uses the more secure RSA/RSA encryption. Link also to a quick-start tutorial and let them know that this program, like many others, is capable of importing their old key, something which will make their transition smoother and less time-consuming. A list of programs would be considerate.

Give them 1 week to respond with a COMMITMENT to address the matter. If they refuse* or fail to COMMIT, then by all means, as was said, "name and shame."

*If they refuse with a reason, consider posting their reason so buyers can properly assess the risk of doing business with the vendor.

2. If they COMMIT to improving their PGP security, give them another week to implement the change. Monitor their progress. The first step should be to change the key on their profile, a move that technically is sufficient, since those most concerned about security will know where to look for a key of that sort. If a vendor asks for help, give it to them. You're obligated, since you're "strongly encouraging" them to use stronger encryption. As long as there is evidence of progress, continue to encourage them to complete their implementation.

Another vendor or group of vendors bullying vendors into implementing increased security is the wrong approach and the wrong precedent to set. If DPR is not concerned, it may indicate that it's not as critical an issue as it's being made out to be. And since more than half of buyers do not use any form of encryption, it seems all the more outlandish that one would opt to engage in a bullying approach.

Additionally, since the unencrypted addresses, Privnote linked addresses, and PGP encrypted addresses all sit on SR's servers, wouldn't one so concerned about buyer security rather address the security of the server(s) all this information resides on? If SR were ever compromised, more than 50% of buyers at any one time would have their clear text address readily readable along with what and how much of whatever is being bought.

Not to get too far off point, but it just feels a bit off to go after vendors in this way. Has a slippery slope feel to it when you rub the idea between proverbial fingers.

 
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: envioso on July 20, 2013, 08:34 pm
i invite you to pentest me. here is my vendor page: http://silkroadvb5piz3r.onion/silkroad/user/98da200440
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Jason Bourne on July 20, 2013, 09:06 pm
I use a fake gmail address in mine.......that address has never been setup or logged in too........why is that a problem?



Vendors who use 1024 bit keys, leave information which is tracable to real clearnet accounts etc - be warned, I am coming after you, and you will be given a public lashing on the matter so don't ignore this warning thinking I will miss you because I won't, I am even giving DPR a run through for what I can gather on him.

Thanks StExo! I can't tell you how many times I've warned vendors about their 1024 bit key or their gmail address that popped up when I imported their key, yet they're not doing anything about it!  :o Glad to see you are taking more serious measures

It isn't a problem at all. As long as the address isn't legitimate or used for any other purpose you will be fine, as I do manual checks to ensure that doesn't happen. If the address is real but not yours, I won't be best pleased but I'm still going to make a point of it for that person's sake.

So yeah, if it isn't set up or real, you won't have a problem.

I concur, it is not a vulnerability in terms of security, yet it is a point of entry for scams/LE surveillance. It doesn't put the vendor at risk, but anyone believing they could reach the vendor.
If someone sets up that address, he could fish whatever comms go to that address. He also knows whom it supposedly belongs to and its intended usage. You shouldn't underestimate that threat.
My 2 satoshis.

Peace out
Jason
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: thebakertrio on July 21, 2013, 03:22 am
got to watch this all unfold
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: colorblack on July 21, 2013, 07:03 am
Sub'd.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: PuertoRico on July 22, 2013, 06:38 pm
I had no idea audits happened. Great idea and I am very impressed, but as much as you secure the shop, you gotta secure the shopping mall first.

Obviously nobody can go into too much detail about SR's server status, flow of btc mixer and btcs sent from user to user rather than withdrawals.

From what I've experienced the bigger or more regular buyers will use PGP, same with vendors, but for your average g of k or ten of weed people don't bother and don't care. Whatever you think about those people, they are customers in the old shopping mall that the shops aren't going to miss out on.

Audit away, that is important and great, but the larger danger is how long does SR hold any information? If a vendor with PGP gets raided and is prompted to give up a password then LE could hijack a vendor's account. If he's looking at 25 years+ he may well help them with PGP to bust some of his larger customers.

In conclusion maybe an SR Security Team could be set up with a private part on the forum who can look into covering every single angle. PGP is a great start but I am sure there are many more; eventually we could even search for vendors by their security rating, which is established by audits over the course of the year.

Either way crack on lads and lasses, great idea.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: StExo on July 22, 2013, 06:50 pm
Backend server information will not be revealed publicly for a myriad of reasons.

However, a small team would be nice, but the problem is assessing credentials; then once you nail past basic principles there are several theories and schools of thought on which angle of security is the most important. A valid point raised above, which I am aware of, is how many buyers choose not to use PGP, but this point is almost irrelevant on my side since chances are a buyer not using PGP is probably missing a lot of other points too on their security, which I can do nothing about, but the general consensus is that forum users are more secure on average than non-forum users. This tilt of more secure users on the forum means they are probably more concerned at the level of security their vendor uses and therefore this would be a more useful endeavour to them.

I do talk to DPR on various matters, all of which are kept private for obvious reasons, but rest assured some of the points you've made are already being looked into and reworked to better improve the security of the site in general. Let us not forget though, at the end of the day, the biggest security problem of SilkRoad, is vendors with poor security.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: PuertoRico on July 22, 2013, 07:17 pm
Yes, makes sense, and I am sure DPR spends the majority of his day assessing weak points in his security, how else would he/she sleep at night.

The issue I worry about with PGP is even if my vendor's good as gold, he may just get fucked by LE at the wrong time, computer on, order sheet open, and in the UK not giving LE access to all appropriate passwords and keys is an offence in itself. If facing a harsh, harsh sentence then he may go ahead and give them the access to the account or the address of the last couple orders... whatever.

It is just as important to cover your tracks on the ground as well, drop houses, trusted people if you have distribution channels. So you are right really, PGP first, then drop house. Then no matter what happens to the vendor it still can't catch up with you.

I imagine the police are still a bit behind on having the manpower to go after a list of addresses who are all gonna claim to know nothing unless the vendor gives up or tries flipping someone above him.

It's the "where did this key of mandy come from" that's important to them, not where it is being split off into g's, halves, ozs... but who knows, a bust is a bust and I'm getting too far away from the point.

Back to the audit and good luck!
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: eguy85 on July 22, 2013, 09:17 pm
Cheers to StExo for this. If LE is going to try and take us down, it will probably be similar to the recent Secret Service infiltration of the carders forum. It will be a multi-stage, multi-agency effort. That was a several year endeavor and the members are being charged under the RICO act. A ship that is not tightly run will eventually sink.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: onionologist on July 22, 2013, 10:19 pm
+1 for your work...

 8)

-onion-
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Pharmington Rex on July 22, 2013, 11:46 pm
Yes, makes sense, and I am sure DPR spends the majority of his day assessing weak points in his security, how else would he/she sleep at night.

The issue I worry about with PGP is even if my vendor's good as gold, he may just get fucked by LE at the wrong time, computer on, order sheet open, and in the UK not giving LE access to all appropriate passwords and keys is an offence in itself. If facing a harsh, harsh sentence then he may go ahead and give them the access to the account or the address of the last couple orders... whatever.

It is just as important to cover your tracks on the ground as well, drop houses, trusted people if you have distribution channels. So you are right really, PGP first, then drop house. Then no matter what happens to the vendor it still can't catch up with you.

I imagine the police are still a bit behind on having the manpower to go after a list of addresses who are all gonna claim to know nothing unless the vendor gives up or tries flipping someone above him.

It's the "where did this key of mandy come from" that's important to them, not where it is being split off into g's, halves, ozs... but who knows, a bust is a bust and I'm getting too far away from the point.

Back to the audit and good luck!

This is 100%. And the idea of a security team that does audits and works with vendors to help improve their security is a splendid idea.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: rb3 on July 23, 2013, 01:37 am
The overly security conscious buyers (those who only do business with 2048+ key strength) can tell the key strength of any vendor and decide from there. But with that many buyers not using PGP, why come after vendors?

Vendors with substandard public keys (less than 2048) don't have much motivation to create a more secure key.  It's only those security conscious buyers you talk about that are affected by the vendors' substandard keys and it is those buyers whose personal info is put in danger.  Buyers who don't use PGP have a right to be ignorant but vendors need to support the security conscious buyers by providing the means of achieving the desired security.  Vendors who fail to do so need to be publicly called out.   I for one think StExo is providing a valuable service and I support his effort.

Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Pharmington Rex on July 23, 2013, 02:54 am
The overly security conscious buyers (those who only do business with 2048+ key strength) can tell the key strength of any vendor and decide from there. But with that many buyers not using PGP, why come after vendors?

Vendors with substandard public keys (less than 2048) don't have much motivation to create a more secure key.  It's only those security conscious buyers you talk about that are affected by the vendors' substandard keys and it is those buyers whose personal info is put in danger.  Buyers who don't use PGP have a right to be ignorant but vendors need to support the security conscious buyers by providing the means of achieving the desired security.  Vendors who fail to do so need to be publicly called out.   I for one think StExo is providing a valuable service and I support his effort.

The simple rebuttal to this would be that since a buyer can determine if the vendor is using a "weak" key with relative ease (by simply analyzing the key in a PGP program), the buyer can decide whether or not to do business with the vendor. The risk tolerance is in the hands of the buyer. Therefore, all that needs to be done is to show the security conscious buyers how to determine the key strength.

But if they are really that risk averse and security conscious, those buyers would already know how to determine key strength (which really is a simple matter). All of which makes this effort wholly unnecessary and makes one question "why" a vendor would want to bully and "out" vendors using keys under a certain threshold of what is arguably (and demonstrably to an extent) construed as "weak."

You almost make it sound as if you have *no* choice but to do business with the vendor(s) that have "weak" keys. It's basically the same sort of argument that one posits against early finalization and how SR admins should actively disallow it to "protect" buyers. As if a buyer has *no* choice at all but to finalize early.   

This is a free market. Emphasis on *free.*

BTW, we use a 4096-bit RSA/RSA key. In case you were wondering. And we don't ask or impose FE on any of our patrons. We're firm believers in the escrow system.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: verdant_world on July 23, 2013, 05:36 am
subbing- Excellent StExo!
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: StExo on July 23, 2013, 09:05 am
The simple rebuttal to this would be that since a buyer can determine if the vendor is using a "weak" key with relative ease (by simply analyzing the key in a PGP program), the buyer can decide whether or not to do business with the vendor. The risk tolerance is in the hands of the buyer. Therefore, all that needs to be done is to show the security conscious buyers how to determine the key strength.

But if they are really that risk averse and security conscious, those buyers would already know how to determine key strength (which really is a simple matter). All of which makes this effort wholly unnecessary and makes one question "why" a vendor would want to bully and "out" vendors using keys under a certain threshold of what is arguably (and demonstrably to an extent) construed as "weak."

You almost make it sound as if you have *no* choice but to do business with the vendor(s) that have "weak" keys. It's basically the same sort of argument that one posits against early finalization and how SR admins should actively disallow it to "protect" buyers. As if a buyer has *no* choice at all but to finalize early.   

This is a free market. Emphasis on *free.*

BTW, we use a 4096-bit RSA/RSA key. In case you were wondering. And we don't ask or impose FE on any of our patrons. We're firm believers in the escrow system.

PGP key strength is only one factor - I've been made aware of 3 vendors already using 512 bit keys which are easily breakable. On top of that, vendors are leaving metadata in images, links to real e-mails (how many I can't be sure just yet), reflections or identifying information in pictures, badly chosen PGP programs etc. These are issues many people simply do not spot when they're browsing through products and vendors. I am on a mission to crucify those vendors who disregard good advice or secure practices because quite simply it isn't their information to mishandle, even if the buyer doesn't encrypt their address, as most people simply do not have the time, resources or money to fully check out vendors like I can - don't think this project is coming cheap to me.

This is a free market yes, but we are offering people a better choice. 2048 bit keys pass as secure yes, but I am saying 4096 is better although I am not going to make a big deal if that is it, I will just mention it and they won't be shamed for that simply because that isn't a problem, SR staff have a 2048 bit key. Fast forward 20 years when it is breakable though, do you want historical crimes against your name? I am in this for those who don't know enough to properly protect themselves, not for vendors and I've already made a few enemies but that doesn't bother me. Some of the top 1-5% guys are going to get hammered though quite soon.
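Both the question raised above (how a buyer determines a vendor's key strength by "analyzing the key in a PGP program") and StExo's point about real e-mail addresses turning up in keys come down to reading the OpenPGP packets inside the key block. The Python below is an added example, not code from this thread or from Silk Road: it dearmors a public key block, walks its packets as laid out in RFC 4880, reports the bit length of each primary key and subkey against the 2048-bit threshold discussed here, and flags any e-mail address found in a user ID. The key it parses (`SAMPLE_KEY`) is a constructed, fake sample embedded in the code, not a real vendor key; `audit_key(SAMPLE_KEY)` returns the report.

```python
import base64
import re
import struct

# Public-key algorithm IDs (RFC 4880 section 9.1; ECC IDs from RFC 6637)
ALGO_NAMES = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
              16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
MIN_ACCEPTABLE_BITS = 2048  # the threshold argued over in the thread

def dearmor(armored):
    """Strip the ASCII armor (RFC 4880 section 6.2) and return the raw packet bytes."""
    lines = armored.strip().splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    inner = lines[start + 1:end]
    # Armor headers (Version:, Comment:) run up to the first blank line; skip them.
    inner = inner[next((i for i, l in enumerate(inner) if not l.strip()), -1) + 1:]
    # A line beginning with '=' is the CRC24 checksum, not key data.
    return base64.b64decode("".join(l.strip() for l in inner if not l.startswith("=")))

def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % pos)
        if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header (RFC 4880 section 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            nlen = 1 << ltype  # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big"), 1 + nlen
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length

def key_info(body):
    """Return (algorithm name, strength in bits) from a public-key or public-subkey body."""
    if body[0] != 4:
        raise ValueError("unsupported key packet version %d" % body[0])
    algo = body[5]  # byte 0 is the version, bytes 1-4 the creation time
    name = ALGO_NAMES.get(algo, "unknown(%d)" % algo)
    if algo in (18, 19, 22):
        return name, 0  # curve keys carry an OID, not an MPI; strength depends on the curve
    # First MPI is n for RSA, p for DSA/ElGamal; its 2-octet prefix is the bit count.
    return name, struct.unpack(">H", body[6:8])[0]

def audit_key(armored):
    """Report key strengths and user IDs, flagging the two issues discussed in the thread."""
    report = {"keys": [], "uids": [], "warnings": []}
    for tag, body in iter_packets(dearmor(armored)):
        if tag in (6, 14):  # public key / public subkey
            role = "primary" if tag == 6 else "subkey"
            name, bits = key_info(body)
            report["keys"].append((role, name, bits))
            if bits and bits < MIN_ACCEPTABLE_BITS:
                report["warnings"].append("%s %s key is only %d bits (below %d)"
                                          % (role, name, bits, MIN_ACCEPTABLE_BITS))
        elif tag == 13:  # user ID packet: a UTF-8 string, usually "Name <email>"
            uid = body.decode("utf-8", "replace")
            report["uids"].append(uid)
            for addr in re.findall(r"<([^<>\s]+@[^<>\s]+)>", uid):
                report["warnings"].append("user ID exposes an e-mail address: " + addr)
    return report

# Constructed sample, NOT a real key: a fake RSA public key with a 1024-bit modulus and a
# user ID carrying an e-mail address, packed by hand (old-format headers) and armored.
def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def _packet(tag, body):
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def _armor(data):
    b64 = base64.b64encode(data).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample, not a real key\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

SAMPLE_KEY = _armor(
    _packet(6, bytes([4]) + struct.pack(">I", 1374192660) + bytes([1])  # v4, July 2013, RSA
            + _mpi((1 << 1023) | 0x10001) + _mpi(65537))                 # fake 1024-bit n, e
    + _packet(13, b"Example Vendor <vendor@example.com>")
)
```

The same walk over a real exported key (`gpg --export --armor <keyid>`) reports every subkey as well, which matters because a strong primary key with a weak encryption subkey still encrypts addresses under the weak one.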
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: zookaa on July 23, 2013, 01:57 pm
subbing
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: BenJesuit on July 23, 2013, 03:49 pm
The simple rebuttal to this would be that since a buyer can determine if the vendor is using a "weak" key with relative ease (by simply analyzing the key in a PGP program), the buyer can decide whether or not to do business with the vendor. The risk tolerance is in the hands of the buyer. Therefore, all that needs to be done is to show the security conscious buyers how to determine the key strength.

But if they are really that risk averse and security conscious, those buyers would already know how to determine key strength (which really is a simple matter). All of which makes this effort wholly unnecessary and makes one question "why" a vendor would want to bully and "out" vendors using keys under a certain threshold of what is arguably (and demonstrably to an extent) construed as "weak."

You almost make it sound as if you have *no* choice but to do business with the vendor(s) that have "weak" keys. It's basically the same sort of argument that one posits against early finalization and how SR admins should actively disallow it to "protect" buyers. As if a buyer has *no* choice at all but to finalize early.   

This is a free market. Emphasis on *free.*

BTW, we use a 4096-bit RSA/RSA key. In case you were wondering. And we don't ask or impose FE on any of our patrons. We're firm believers in the escrow system.

PGP key strength is only one factor - I've been made aware of 3 vendors already using 512 bit keys which are easily breakable. On top of that, vendors are leaving metadata in images, links to real e-mails (how many I can't be sure just yet), reflections or identifying information in pictures, badly chosen PGP programs etc. These are issues many people simply do not spot when they're browsing through products and vendors. I am on a mission to crucify those vendors who disregard good advice or secure practices because quite simply it isn't their information to mishandle, even if the buyer doesn't encrypt their address, as most people simply do not have the time, resources or money to fully check out vendors like I can - don't think this project is coming cheap to me.

This is a free market yes, but we are offering people a better choice. 2048 bit keys pass as secure yes, but I am saying 4096 is better although I am not going to make a big deal if that is it, I will just mention it and they won't be shamed for that simply because that isn't a problem, SR staff have a 2048 bit key. Fast forward 20 years when it is breakable though, do you want historical crimes against your name? I am in this for those who don't know enough to properly protect themselves, not for vendors and I've already made a few enemies but that doesn't bother me. Some of the top 1-5% guys are going to get hammered though quite soon.

At first I was like, "hey yeah good idea" until I read and considered the arguments against what you're doing.

Seems to go against the Libertarian principles of personal responsibility and personal freedom this site is founded on. You're acting like a "state" by trying to enforce what you think is best in the name of "protecting the people."

The state's act of "protecting the people" from certain chemicals and plants is exactly why we are all here. And now you're bringing that same mentality that persecuted you on the outside, inside here.

All that stuff you listed as breaches of security is stuff that would mostly only affect the vendor if the vendor gets caught. Not the buyers. LEO won't really give a crap about the buyers that might be discovered as that would require multi-jurisdictional cooperation between LEOs across state and country borders. That being the case, your "mission" should be to educate vendors privately. If the vendors you approach ignore you, oh well. At least no one is forced to do business with them.

If your mission was truly altruistic, you'd do like your other thread and just make an itemized list of things for the security minded buyer to look out for and leave it at that.

As was said, no one is forced to do business with any vendor. It's a personal choice, just like FE'ing and not using PGP is.

But since you stated that you're also a vendor, it also looks like you're trying to take out or diminish the competition by making a public list of vendors who don't meet an arbitrary security protocol in order to direct sales your way - promoting yourself as the most security conscious vendor. You doing this has conflict of interest written all over it.

For an example of true altruism, look at Astor's, Pine's and kmfkewm's posts. That's how you educate the public. That's altruism. And that's Libertarianism at its finest.


Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: cirrus on July 23, 2013, 05:05 pm
For an example of true altruism, look at Astor's, Pine's and kmfkewm's posts. That's how you educate the public. That's altruism. And that's Libertarianism at its finest.




QFT. If anyone is interested in learning more about security issues or improving their own security, I cannot recommend highly enough that you spend some time reading astor's, pine's, and kmfkewm's posts.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: BlackIris on July 23, 2013, 05:34 pm
The state's act of "protecting the people" from certain chemicals and plants is exactly why we are all here. And now you're bringing that same mentality that persecuted you on the outside, inside here.

If the state and government only listed the dangers in drugs (real or pretended) so that everybody would know about them, and that's it, there would be no problems, because the ultimate choice would still be on the user and the information would serve, on the contrary, to make a real choice in one sense or the other (if you don't know what you are choosing there's no choice, so a real free choice comes only by knowing, not by not knowing). By naming vendors with bad security you are not forcing people to not use them or stopping people from using them, you are only making people know.

Sorry but the two things have nothing in common one with the other. Since when has knowledge become the enemy of truth, and not the contrary?

Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Pharmington Rex on July 23, 2013, 06:27 pm
The state's act of "protecting the people" from certain chemicals and plants is exactly why we are all here. And now you're bringing that same mentality that persecuted you on the outside, inside here.

If the state and government only listed the dangers in drugs (real or pretended) so that everybody would know about them, and that's it, there would be no problems, because the ultimate choice would still be on the user and the information would serve, on the contrary, to make a real choice in one sense or the other (if you don't know what you are choosing there's no choice, so a real free choice comes only by knowing, not by not knowing). By naming vendors with bad security you are not forcing people to not use them or stopping people from using them. Hell, probably only about 10% of all people that use the main site enter the forums.

Sorry but the two things have nothing in common one with the other. Since when has knowledge become the enemy of truth, and not the contrary?



BenJesuit's analogy is actually on point. In fact, your illustration lends to it.

Let's use your example of educating people on the effects of certain drugs, contraindications, and so on. Great. The information is out there. And there are harm reduction sites galore on the net.

So then, in like manner, why not simply make a list of various security related concerns, along with the methods and software needed to discern them, that buyers need in order to look out for themselves when considering a vendor to do business with? It's much simpler to do and actually empowers buyers with not just knowledge but invariably the tools to acquire said knowledge under a variety of conditions, including analyzing the risk of new vendors that wouldn't necessarily be on a list.

Wouldn't you rather have the tools to figure things out on your own and determine if a vendor is compatible with your personal level of risk tolerance?

You have to question the motivation of someone who is going through each vendor's profiles, keys and listings to make a list which essentially bullies vendors via threat of negative publicity into compliance with a standard they may or may not care to employ or agree with for various reasons. All the while knowing that not only do the majority of buyers not use PGP, but also don't read the forums or care about this issue. From an objective observer's point of view, with nothing to gain or lose by this, it seems like a major advertising campaign on the part of StExo who sells tailor made security and laundering consultations.





Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: HCeline on July 23, 2013, 06:32 pm
Uhm, buyer security is important.^ Vendors definitely need to have up to date security measures. I wouldn't want to trust my freedom to the hands of an amateur. There is a very big difference between the state regulating use and public shaming; public shaming is not the same as arrests. Hell, I doubt it will really even hurt too many people's businesses. LE would also have interest in large buyers and importers, so vendors should take steps to not keep any records of their customers' data. Is there any way to automate that on the buyer side?
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: BlackIris on July 23, 2013, 06:39 pm
BenJesuit's analogy is actually on point. In fact, your illustration lends to it.

I'm sorry, but no. They are not the same thing. While I understand what you are saying, they are still not the same thing. An analogy, to be valid, must possess similar parameters to make a comparison, and in this case the parameters are different.

You have to question the motivation of someone who is going through each vendor's profiles, keys and listings to make a list which essentially bullies vendors via threat of negative publicity into compliance with a standard they may or may not care to employ or agree with for various reasons. All the while knowing that not only do the majority of buyers not use PGP, but also don't read the forums or care about this issue. From an objective observer's point of view, with nothing to gain or lose by this, it seems like a major advertising campaign on the part of StExo who sells tailor made security and laundering consultations.

It can also be, but still the analogy with what the government does with drugs has nothing to do with sharing knowledge of who the vendors with bad security are. No matter what, StExo is not forcing a buyer to do something one way or another and he only provides knowledge to the users; if that knowledge sharing has some second end on the part of the one providing it, this doesn't change the fact that it is just knowledge and it's not the same thing as telling users what they should do with their money (and in analogy with the state vs drugs, with their life) and making a forced choice for them (this last is the missing parameter in the analogy).
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: StExo on July 23, 2013, 07:07 pm
I am pointing out vendors which I believe are insecure. If I post a name I believe is insecure, that is open to challenge from the likes of astor who I consider a good friend. Everything I post is open to be challenged and I will accept other opinions on the matter as to what is or isn't secure practice, there is no perfect set of guidelines on it but the best we can do is debate it by bringing what I believe to be bad practice to the front stage.

I am not forcing anyone to do anything, other than pointing out things which in my own belief and knowledge constitute insecure practice. I am not an idealist, I just have to do the best I can with what I have and if people find it helpful so be it; if they want to completely ignore me, that is also their choice which I have no right in telling them otherwise. If however I list a vendor here with insecure practice and it dissuades a buyer from using them as they feel insecure, I am sure they would thank me for that at least if I managed to point out something they didn't realise. Let us not forget I am working off publicly-available information and I will note what I feel is the "problem" in the security of each vendor and therefore people can make their own conclusions, so this is not a witch hunt, rather observations in my judgement and I will put the result to you for your own interpretation. But for all the libertarianism crap now being said about my actions, I couldn't care less, I am not a libertarian and if you feel my actions somehow violate a vendor's right to whatever, then does that not infringe upon my right to make observations and let people make their own conclusion - it works both ways.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: abitpeckish on July 23, 2013, 09:00 pm

At first I was like, "hey yeah good idea" until I read and considered the arguments against what you're doing.

Seems to go against the Libertarian principles of personal responsibility and personal freedom this site is founded on. You're acting like a "state" by trying to enforce what you think is best in the name of "protecting the people."

He may be acting *in a manner* that you have come to expect from a "state", but he's acting *as* an individual. Which unravels the majority of what you say below pretty much from the start.

Quote
The state's act of "protecting the people" from certain chemicals and plants is exactly why we are all here. And now you're bringing that same mentality that persecuted you on the outside, inside here.

This mentality you speak of is not inherently wrong, wrong-headed, bad, or impossible. You're trying to apply pure ideology to arrive at a real-life label of "persecution" here, and it just plain fails.

Quote
All that stuff you listed as breaches of security is stuff that would mostly only affect the vendor if the vendor gets caught. Not the buyers. LEO won't really give a crap about the buyers that might be discovered as that would require multi-jurisdictional cooperation between LEOs across state and country borders. That being the case, your "mission" should be to educate vendors privately.

I've seen this "LE doesn't give a crap about buyers" mantra before, and I don't think it flies. While this is *generally* true, it is *also* true that any LEO with half a brain knows the chances of finding "interesting" buyers are MUCH higher than a random sampling. Especially if those buyers are correctly utilizing encryption. Which puts us right back into a compromised vendor account and PGP key being a potential shitstorm for anyone who has ever transacted with him or her.

Quote
If the vendors you approach ignore you, oh well. At least no one is forced to do business with them.

This is the extreme "free market" bullshit that dogmatic libertarians push ad nauseam. Funnily enough, I got yelled at for a much more benign but roughly similar take on stupid people doing stupid things in the "twitter" thread. Essentially what you are saying here is that if a vendor decides to ignore the fact that he or she is potentially endangering all his or her customers then that's just fine because... free market! Which is clearly bullshit.

Quote
If your mission was truly altruistic, you'd do like your other thread and just make am itemized list of things for the security minded buyer to look out for and leave it at that.

He already did that. This is the next step. All gardens need some tending now and then, otherwise they become a danger to themselves. Would you rather cut down a few trees and trim some underbrush, or would you rather the forces of "the market" just burn everything?

Quote
As was said, no one is forced to do business with any vendor. It's a personal choice, just like FE'ing and not using PGP is.

You're completely glossing over the fact that what you're talking about here is *hiding* information from buyers that could ultimately speak to what happens to their lives in the near future.

Quote
But since you stated that you're also a vendor, it also looks like you're trying to take out or diminish the competition by making a public list of vendors who don't meet an arbitrary security protocol in order to direct sales your way - promoting yourself as the most security conscious vendor. You doing this has conflict of interest written all over it.

What competition? Who else is selling the services StExo is? Conflict of interest is only a problem if the party being protected says it is, and it appears to me that StExo's "client" here is the buyer. As a buyer, I have a hard time believing most other buyers wouldn't find StExo's data extremely beneficial to their decision making.

Quote
For an example of true altruism, look at Astor's, Pine's and kmfkewm's posts. That's how you educate the public. That's altruism. And that's Libertarianism at its finest.

Libertarianism is just another -ism, and as such has limits of both utility and moral value. Which you have clearly demonstrated with what appears *to me* to be an attempt to migrate the discussion away from StExo's deeds and toward seeding a fuzzy, mostly speculative suspicion of his possible motives.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: samesamebutdifferent on July 23, 2013, 09:25 pm
Sub'd

Everyone needs to pay attention to this, the last audit exposed some very concerning weaknesses in individuals' security.

I hope you find a lot fewer issues this time StExo, but I suspect you will still find plenty.

Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Cimicon-Rep on July 23, 2013, 10:07 pm
I am pointing out vendors which I believe are insecure. If I post a name I believe is insecure, that is open to challenge from the likes of astor who I consider a good friend. Everything I post is open to be challenged and I will accept other opinions on the matter as to what is or isn't secure practice, there is no perfect set of guidelines on it but the best we can do is debate it by bringing what I believe to be bad practice to the front stage.

I am not forcing anyone to do anything, other than pointing out things which in my own belief and knowledge constitute insecure practice. I am not an idealist, I just have to do the best I can with what I have and if people find it helpful so be it, if they want to completely ignore me, that is also their choice which I have no right in telling them otherwise. If however I list a vendor here with insecure practice and it dissuades a buyer from using them as they feel insecure, I am sure they would thank me for that at least if I managed to point out something they didn't realise. Let us not forget I am working off publicly-available information and I will note what I feel is the "problem" in the security of each vendor and therefore people can make their own conclusions so this is not a witch hunt, rather observations in my judgement and I will put the result to you for your own interpretation. But for all the libertarianism crap now being said about my actions, I couldn't care less, I am not a libertarian and if you feel my actions somehow violate a vendor's right to whatever, then does that not infringe upon my right to make observations and let people make their own conclusion - it works both ways.

Though, it is an interesting question... why? Why expend all this energy? For the thanks?

Why not just give everyone the tools and advice they need to figure it out for themselves? You know, like all the other security experts on this site do and have done which has been a tremendous help to vendors and buyers alike. They never needed to resort to calling out anyone to get their point across. They know that those most interested will expend the necessary time required to understand and implement whatever it is they are recommending or stating.

Your last question about going both ways, I'm not sure it does. What you're doing is not merely stating an opinion.

Watch this. All hypothetical-------------------------

*Vendor A is a pretty decent vendor. Has an excellent rating. Plenty of repeat business. But uses a 1024bit key. However, 70% of his buyers use clear text or Privnote for their addresses.

*Vendor B is a vendor setting up for an exit scam. Has an excellent rating. Uses a 4096bit key. Most of his customers use PGP because he sells things that require quite a bit of stealth.

*Vendor C was pinched by DEA agents. Uses a 4096 bit, expiring key, has best in class stealth. Good rating. Requires all his customers use PGP.

Your audit list:

Vendor A - insecure. Risky. Uses 1024bit PGP & Java based PGP program on Windows OS. Possible connection to clearweb activities detected.
Vendor B - excellent security. 4096bit key. No connections to clear web activities found.
Vendor C - max security. 4096bit key. No connections to clear web activities found. Requires PGP only.

Vendor A - loses some business as a result of your audit and becomes a target for scammers. But has other security measures in place to protect himself and his clientele and used clearweb activity cleverly for the purpose of misdirection (which you fell for with your audit parameters).
Vendor B - gains business and increased trust making his exit scam more profitable than he first imagined. He winked at your list.
Vendor C gains the trust of the most security conscious buyers. They trust him to the point of doing some serious bulk business thanks to your list. Uh oh.

See what I'm getting at? Your list could end up being nothing more than a bunch of false positives and mislead some to think they are dealing with a more security conscious vendor when in fact they could be dealing with a con-artist who would only benefit from the confidence in them your list could generate.

Forget all the Libertarianismistamism talk (which does sort of make sense. The personal responsibility angle at least).
Just give people the tools they need to add to their tool chest which should also include other metrics besides PGP strength to evaluate a vendor. PGP isn't the end-all, be-all. It's not even a really good indication of security. It's more a peace of mind thing because at some point, that PGP is converted to clear text. And we know from case law that a vendor can be forced to give up that key. In the US anyway. And there's no proof whatsoever that a vendor actually deleted everything before that 5AM raid on his location.

Anyway, last I'll say on it. Vaya con Dios. ;)

Oh yeah, and come have an audit of us. We've got a tight ship going. 4096 bit key. No links to clearweb activities (cause there ain't none of that). If you spot something, give us a poke so we can plug the hole.
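The check that the hypothetical audit list above turns on (a 1024-bit key versus a 4096-bit one), as an added example that is not from the thread or from any poster's tooling: a small OpenPGP key-block parser that reports the algorithm and size of each primary key and subkey in an armored export and flags anything under 2048 bits. The sample key block, its timestamp, the `Vendor A` user ID and the helper names are all constructed here for the demonstration; it measures key length only, which is exactly the limitation the post points out, and says nothing about what a vendor does with the plaintext after decryption.

```python
"""Added example, not from the thread: report the size of every key in an OpenPGP
public key block, the check behind "vendor X uses a 1024-bit key". Parses tag 6
(public key) and tag 14 (public subkey) packets per RFC 4880; the sample block at
the bottom is built from synthetic packet bytes and is not a real key."""
import base64
import struct

MIN_BITS = 2048
ALGO_NAMES = {1: "RSA", 2: "RSA enc-only", 3: "RSA sign-only", 16: "ElGamal",
              17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

def dearmor(text):
    """Base64-decode the body of an armored block, skipping armor headers
    ("Version: ...") and the "=XXXX" CRC24 line (checksum not verified here)."""
    lines, inside = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside and line.strip() and ":" not in line and not line.startswith("="):
            lines.append(line.strip())
    return base64.b64decode("".join(lines))

def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("offset %d is not a packet header" % (i - 1))
        if hdr & 0x40:                           # new format (RFC 4880 4.2.2)
            tag, b1, i = hdr & 0x3F, data[i], i + 1
            if b1 < 192:
                length = b1
            elif b1 < 224:
                length, i = ((b1 - 192) << 8) + data[i] + 192, i + 1
            elif b1 == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                    # old format (RFC 4880 4.2.1)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                       # indeterminate: runs to end of data
                length = len(data) - i
            else:
                width = (1, 2, 4)[ltype]
                length, i = int.from_bytes(data[i:i + width], "big"), i + width
        yield tag, data[i:i + length]
        i += length

def parse_key_packet(body):
    """Version, creation time, algorithm and size of a tag 6 or tag 14 packet."""
    version = body[0]
    if version == 4:
        algo, pos = body[5], 6
    elif version == 3:                           # v3 has a 2-octet validity period before the algorithm
        algo, pos = body[7], 8
    else:
        raise ValueError("unsupported key packet version %d" % version)
    bits = None                                  # ECC: size comes from the curve OID, not an MPI length
    if algo in (1, 2, 3, 16, 17):                # RSA n / ElGamal p / DSA p: first MPI's bit count
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
    return {"version": version, "created": struct.unpack(">I", body[1:5])[0],
            "algo": algo, "bits": bits}

def audit_key_block(armored, min_bits=MIN_BITS):
    """One finding per primary key or subkey, with a 'weak' verdict on size alone."""
    findings = []
    for tag, body in iter_packets(dearmor(armored)):
        if tag in (6, 14):
            k = parse_key_packet(body)
            k["role"] = "primary" if tag == 6 else "subkey"
            k["weak"] = k["bits"] is not None and k["bits"] < min_bits
            findings.append(k)
    return findings

# Constructed sample: 1024-bit RSA primary (old-format header), a user ID, and a
# 4096-bit RSA subkey (new-format header). Moduli are synthetic, not prime products.
def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _rsa_body(bits):
    n = (1 << (bits - 1)) | 0x1234567             # top bit set so bit_length() == bits
    return bytes([4]) + struct.pack(">I", 1374192000) + bytes([1]) + _mpi(n) + _mpi(65537)

def _old_packet(tag, body):                      # old-format header, 2-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def _new_packet(tag, body):                      # new-format header, 2-octet length (192..8383)
    rem = len(body) - 192
    return bytes([0xC0 | tag, (rem >> 8) + 192, rem & 0xFF]) + body

_RAW = _old_packet(6, _rsa_body(1024)) + _old_packet(13, b"Vendor A") + _new_packet(14, _rsa_body(4096))
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
              + base64.encodebytes(_RAW).decode() + "=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    for f in audit_key_block(SAMPLE_KEY):
        algo = ALGO_NAMES.get(f["algo"], "algo %d" % f["algo"])
        print("%-7s %-8s %s bits  %s" % (f["role"], algo, f["bits"], "WEAK" if f["weak"] else "ok"))
```

Feed it the output of `gpg --armor --export KEYID` instead of `SAMPLE_KEY` to audit a real key; a primary key that passes while an encryption subkey is still 1024-bit is the case the per-subkey report exists to catch. Partial body lengths, CRC24 verification and ECC curve sizes are deliberately out of scope here.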

 

Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: astor on July 23, 2013, 10:30 pm
Your audit list:

Vendor A - insecure. Risky. Uses 1024bit PGP & Java based PGP program on Windows OS. Possible connection to clearweb activities detected.
Vendor B - excellent security. 4096bit key. No connections to clear web activities found.
Vendor C - max security. 4096bit key. No connections to clear web activities found. Requires PGP only.

See what I'm getting at? Your list could end up being nothing more than a bunch of false positives and mislead some to think they are dealing with a more security conscious vendor when in fact they could be dealing with a con-artist who would only benefit from the confidence in them your list could generate.

A security audit like this has to be understood for what it is. It is not a statement about a vendor's product quality, customer service, reliability, or anything else. It's only a statement about their technological security. Of course a PGP signed statement isn't 100% proof that Alice wrote the message, only that someone in possession of Alice's private key wrote the message, which could be a DEA agent. A vendor could even be a DEA agent the whole time. We may not have a way to find that out and it isn't part of the security audit.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: missbliss on July 23, 2013, 10:51 pm
@cimicon  how did vendor C get pinched in the first place, if they were the most careful of the bunch? :)

hypothetically, by your own admission they followed all the proper online security protocol to the max. that would also lead to the assumption they followed proper security protocol in real life too. which means the DEA could never get their key or passwords EVEN IF they were busted and computer seized etc. so the argument is kinda moot.


the general idea here is, i think, to shed light on who COULD be more of a risky vendor to give your information to. and then to get them to fix that so they are no longer risky to deal with.

it would seem to me that this is more an argument over "how" to inform a vendor of their bad practices: whether that should be done publicly almost immediately after finding out, or privately and given time to adjust.

i know no one likes to be publicly shamed... but it's only a few simple things a vendor need to always take into consideration and then you're golden, and no need to worry of shaming. personally, i'm not worried as i'm OCD about my own security.


bottom line though - at the end of the day - most of my buyers type plain text address. even though i explicitly say that's not wise to do in both my profile and item listings. still happens. whatever. it's not MY info they're putting out there in plain text. it's their own! and they can do that if they so wish. i'll still ship to them.  can draw a horse to water, but ya cant make em drink!!

xoxo
-mb
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: abby on July 23, 2013, 11:34 pm
I thought that all the vendors with less than optimal security had been privately warned after the last review. So anyone who makes it onto this list is a vendor who knows their security is less than optimal and has taken no steps (and remember in some cases it's about spending 5 minutes to create a new key) to rectify it.

or have I remembered wrongly?
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Bungee54 on July 24, 2013, 12:52 am
subbed!
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Purple_Hue000 on July 24, 2013, 01:14 am
fuck the police!!
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: thebakertrio on July 24, 2013, 07:46 pm
fuck the police!!

Random yet true
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: StExo on July 25, 2013, 04:49 am
THE HUNT IS ON

So you are all aware, today (25/7/13) I am starting the run through and trust me, in the first 30 minutes, vendors have collectively put somewhere in the region of 300 buyers at risk, and I am only just touching the surface. Top 1-3% vendors, you are not in the clear, some of the highest rated vendors are the worst offenders. All vendors concerned will be messaged once the thorough scan is complete.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: bbbaac on July 25, 2013, 04:52 am
thanks stexo
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: helpmywife on July 25, 2013, 05:18 am
what about a buyer audit??
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: abitpeckish on July 25, 2013, 04:34 pm
what about a buyer audit??

And how do you propose that would work?
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: helpmywife on July 25, 2013, 08:10 pm
Honestly, no idea! My bad, THAT was the idea, how to put it into practice unfortunately wasn't part of the thought.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: abitpeckish on July 25, 2013, 08:30 pm
Honestly, no idea! My bad, THAT was the idea, how to put it into practice unfortunately wasn't part of the thought.

:)

I don't think there's much that can be done about buyers being unsafe. Which is why it's even more important for the vendors to practice and encourage safety and security. It protects buyers from themselves and vendors from buyers.
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: HeatFireFlame on July 26, 2013, 11:37 pm
Cant wait for it Stexo, Absolutely Brilliant. Go get Them
Title: Re: [AUDIT #2] An advanced warning to the complacent among us
Post by: Cimicon-Rep on July 27, 2013, 05:56 am
@cimicon  how did vendor C get pinched in the first place, if they were the most careful of the bunch? :)

hypothetically, by your own admission they followed all the proper online security protocol to the max. that would also lead to the assumption they followed proper security protocol in real life too. which means the DEA could never get their key or passwords EVEN IF they were busted and computer seized etc. so the argument is kinda moot.

Unfortunately, case law has demonstrated that one can be compelled to divulge a key. And DAs can and do offer lighter sentences or offer deals to become an informant in exchange for client information. Happens in all sorts of illegal businesses with client lists.

How did Vendor C get pinched? I dunno. Someone ratted on someone who ratted someone else. Vendors are mostly middle men. Without enough degrees of separation from the product, the risk is ever present no matter how careful one thinks they are. 0 degrees of separation from the product... well... you get the idea. Possession... 9/10th's and all that it implies.

Quote
the general idea here is, i think, to shed light on who COULD be more of a risky vendor to give your information to. and then to get them to fix that so they are no longer risky to deal with.

Yeah, synthetically, theoretically. But not necessarily actually. And it might have the unintended consequence of lulling some buyers who adhere to it and the idea behind it into a false sense of security or think that a certain arbitrary "standard" equals security.

Quote
it would seem to me that this is more an argument over "how" to inform a vendor of their bad practices: whether that should be done publicly almost immediately after finding out, or privately and given time to adjust.

i know no one likes to be publicly shamed... but it's only a few simple things a vendor need to always take into consideration and then you're golden, and no need to worry of shaming. personally, i'm not worried as i'm OCD about my own security.

True, true. But some things might not be so simple for a vendor to implement. I like P. Rex's idea of a time frame and committing to it and best of all HELPING a vendor who wants to up their OPSEC. Naming and shaming has a "fuck you, you suck, haha" vibe to it.

Quote
bottom line though - at the end of the day - most of my buyers type plain text address. even though i explicitly say that's not wise to do in both my profile and item listings. still happens. whatever. it's not MY info they're putting out there in plain text. it's their own! and they can do that if they so wish. i'll still ship to them.  can draw a horse to water, but ya cant make em drink!!

xoxo
-mb

So true. And every now and then you'll see an uptick in PGP use, then buyers go back to plain text and Privnote. I've seen a few PGP using buyers get indignant or feel "sketched out" if you ask for their public key. Go figure.

I feel bad for the vendors who have been here vending for a long time, issue free, who might get stung by this rep-wise. We're willing to help them out with good advice for free. Vendors should help one another out like being a part of a brotherhood and sisterhood. They sometimes say, no buyers no SR. Not true considering what's being sold - build it and they will come because they are looking for it and can't easily find it. So it really comes down to... no vendors, no SR.

Best wishes and good luck to StExo.