Silk Road forums

Discussion => Security => Topic started by: steamboat72 on October 12, 2012, 10:19 pm

Title: Vendor not using PGP, etc
Post by: steamboat72 on October 12, 2012, 10:19 pm
I'm trying to buy from mrdiesel who has said for the last few weeks that he was going to create a public key or whatever but in the meantime use privnote for messages. After searching here it seems that privnote is not a good idea for including personal information.  What should I do? Should I just wait it out and hope he does it?  Is there a way to do a one way message or something? I haven't been able to find anything on that. Thanks.
Title: Re: Vendor not using PGP, etc
Post by: wackmanblu on October 12, 2012, 11:03 pm
Hi Steamboat,

I wouldn't trade with a vendor unless he (and you) use PGP to encrypt sensitive information (such as name and shipping address). If he (or you) don't want to use that then one of you is putting both at risk.
PGP isn't difficult to learn if you're at all computer literate. If you want to learn how to use PGP here's a thread:

GPG (Step-by-Step: Windows Pictorial)

http://dkn255hz262ypmii.onion/index.php?topic=131.0



... and here's another to practice using PGP:


Are you Paralyzed by PGP? Fear no more! Join PGP Club :)

http://dkn255hz262ypmii.onion/index.php?topic=30938.0
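The workflow the thread keeps recommending (the vendor publishes a public key, the buyer encrypts the sensitive text to it, and only the vendor can open it; this is the "one way message" the OP is asking about) can be driven from Python by calling the `gpg` binary. This is an added example, not code from the forum or from either of the linked tutorials; it assumes GnuPG 2.x is on `PATH`, uses two throw-away keyrings so the buyer side never holds the secret key, and the identity `Vendor Demo <vendor@example.invalid>` is a constructed placeholder.

```python
import subprocess
import tempfile

# Hypothetical identity for the demo; nothing here is a real key or a real user.
VENDOR_UID = "Vendor Demo <vendor@example.invalid>"


def _gpg(homedir, *args, stdin=None):
    """Run gpg non-interactively against an isolated keyring directory and return its stdout."""
    result = subprocess.run(
        ["gpg", "--batch", "--yes", "--homedir", homedir, *args],
        input=stdin, capture_output=True, check=True,
    )
    return result.stdout


def pgp_roundtrip(message: bytes) -> dict:
    """Vendor publishes a public key; buyer encrypts to it; only the vendor can decrypt.

    Each party gets its own temporary keyring (mode 0700, as gpg requires), so the buyer
    side only ever sees the public half of the vendor's key.
    """
    with tempfile.TemporaryDirectory() as vendor_home, tempfile.TemporaryDirectory() as buyer_home:
        # 1. Vendor generates a key pair.  The empty passphrase only keeps this run
        #    non-interactive; a key you actually use should be passphrase-protected.
        _gpg(vendor_home, "--pinentry-mode", "loopback", "--passphrase", "",
             "--quick-generate-key", VENDOR_UID, "default", "default", "0")

        # 2. Vendor exports the public half in ASCII armour: this is the block that
        #    goes in the profile/user description for customers to copy.
        public_key = _gpg(vendor_home, "--armor", "--export", VENDOR_UID)

        # 3. Buyer imports the posted key and encrypts the address to it.
        #    --trust-model always suppresses the "unknown trust" refusal in batch mode;
        #    a careful buyer instead checks the fingerprint against what the vendor shows.
        _gpg(buyer_home, "--import", stdin=public_key)
        ciphertext = _gpg(buyer_home, "--armor", "--trust-model", "always",
                          "--recipient", VENDOR_UID, "--encrypt", stdin=message)

        # 4. The vendor keyring holds the secret key and opens the message.
        plaintext = _gpg(vendor_home, "--pinentry-mode", "loopback", "--passphrase", "",
                         "--decrypt", stdin=ciphertext)

        # 5. The buyer keyring, with only the public key, cannot: gpg exits non-zero.
        try:
            _gpg(buyer_home, "--decrypt", stdin=ciphertext)
            buyer_can_decrypt = True
        except subprocess.CalledProcessError:
            buyer_can_decrypt = False

    return {
        "public_key": public_key.decode(),
        "ciphertext": ciphertext.decode(),
        "plaintext": plaintext,
        "buyer_can_decrypt": buyer_can_decrypt,
    }


if __name__ == "__main__":
    demo = pgp_roundtrip(b"constructed shipping address line\n")
    print(demo["public_key"])   # what the vendor would paste on their page
    print(demo["ciphertext"])   # what the buyer would paste into the order message
```

The point the thread makes falls out of step 5: an intermediary that relays the ciphertext (the site, a pastebin, anyone reading the message) is in the same position as the buyer keyring and gets nothing, whereas a Privnote-style service sees the plaintext because the server, not the recipient's key, is what protects it.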
Title: Re: Vendor not using PGP, etc
Post by: farmer1 on October 12, 2012, 11:08 pm
Buy from a vendor who uses PGP or there soon won't be any that do.

Think. If he doesn't care about your security enough to learn PGP then what else is he slipping on?


wackmanblu: I think the OP knows PGP and wants to use it with a vendor who doesn't. You should PM mr d with that info. Also, not using PGP for an address doesn't put the vendor at risk, only the buyer.
Title: Re: Vendor not using PGP, etc
Post by: Nightcrawler on October 13, 2012, 12:33 am
Quote
I'm trying to buy from mrdiesel who has said for the last few weeks that he was going to create a public key or whatever but in the meantime use privnote for messages. After searching here it seems that privnote is not a good idea for including personal information.  What should I do? Should I just wait it out and hope he does it?  Is there a way to do a one way message or something? I haven't been able to find anything on that. Thanks.

Nothing like selective enforcement of the rules, is there?  I seem to recall that the vendor agreement states that the vendor is required to publish an encryption key so that the purchaser can (at their option) use it to communicate securely with the vendor.  So, I find myself wondering: what is the point of incorporating such a rule into the vendor agreement, if Silk Road management simply turns a blind eye to every instance where it is violated?

Title: Re: Vendor not using PGP, etc
Post by: farmer1 on October 13, 2012, 12:57 am
Quote
I'm trying to buy from mrdiesel who has said for the last few weeks that he was going to create a public key or whatever but in the meantime use privnote for messages. After searching here it seems that privnote is not a good idea for including personal information.  What should I do? Should I just wait it out and hope he does it?  Is there a way to do a one way message or something? I haven't been able to find anything on that. Thanks.

Quote
Nothing like selective enforcement of the rules, is there?  I seem to recall that the vendor agreement states that the vendor is required to publish an encryption key so that the purchaser can (at their option) use it to communicate securely with the vendor.  So, I find myself wondering: what is the point of incorporating such a rule into the vendor agreement, if Silk Road management simply turns a blind eye to every instance where it is violated?

I don't think it is in the vendor contract... can you reference that?
Title: Re: Vendor not using PGP, etc
Post by: Nightcrawler on October 13, 2012, 01:27 am
Quote
I'm trying to buy from mrdiesel who has said for the last few weeks that he was going to create a public key or whatever but in the meantime use privnote for messages. After searching here it seems that privnote is not a good idea for including personal information.  What should I do? Should I just wait it out and hope he does it?  Is there a way to do a one way message or something? I haven't been able to find anything on that. Thanks.

Quote
Nothing like selective enforcement of the rules, is there?  I seem to recall that the vendor agreement states that the vendor is required to publish an encryption key so that the purchaser can (at their option) use it to communicate securely with the vendor.  So, I find myself wondering: what is the point of incorporating such a rule into the vendor agreement, if Silk Road management simply turns a blind eye to every instance where it is violated?

Quote
I don't think it is in the vendor contract... can you reference that?

From the text of the vendor contract:

Quote

Seller contract

*    Client anonymity. You and you alone will have your client's shipping address. This information must be destroyed as soon as it is used to label their package.
*    Packaging. Every precaution must be taken to maintain the secrecy of the contents of your client's package. It is your responsibility to stay up-to-date on the latest stealth shipping methods.
*    Describe your items accurately and truthfully.
*    Treat your customers with respect. Go above and beyond for them.
*    Read the Seller's Guide. Don't skip this step as it includes further information you will be held accountable for as a Vendor!
*    If you have used this account as a buyer, stop now. You want to use a fresh, clean, account.
*    Remember, violating the rules here will result in your Vendor account being banned.

I agree

*    Read the Seller's Guide. Don't skip this step as it includes further information you will be held accountable for as a Vendor!

So, in other words, the text of the Seller's Guide is incorporated into the vendor contract by way of reference.

From the first paragraphs of the Seller's Guide:

Seller's Guide

Client anonymity
You and you alone will have your client's shipping address. This information must be destroyed as soon as it is used to label their package. When you click "confirm shipment," the address will be deleted forever and irretrievable.

-Never ask your clients for personal information.
-Under no circumstance should you save a copy of your client's address.
-Publish a Public encryption key in your user description on your settings page so your customers can send you their info encrypted if they wish.

The full text of the Seller's Guide:

Quote
Seller's Guide

Client anonymity
You and you alone will have your client's shipping address. This information must be destroyed as soon as it is used to label their package. When you click "confirm shipment," the address will be deleted forever and irretrievable.

-Never ask your clients for personal information.
-Under no circumstance should you save a copy of your client's address.
-Publish a Public encryption key in your user description on your settings page so your customers can send you their info encrypted if they wish.

Listing
Choose the category that most specifically matches your listing, as this makes it much easier for your customers to find your listing. Your listing will appear in this, and all parent categories above it, though these pages are cached so it can take up to an hour for your listings to appear.

If you think your item could belong in more than one category, choose the one that suits it best and let us know about the ambiguity. We may be able to reorganize the categories in a more clear way.

If your listing doesn't fit in any of the categories, it may be on our restricted items list. See below for details.

NOTICE: Do not create listings that instruct customers to pay outside of escrow, or are used for any purpose other than to list an item to be sold for the listed price using the site checkout system. If you instruct your buyers to pay you in any other way, or to contact you off-site, your seller privileges WILL be revoked. You may provide back up contact methods in case of site failure.

NOTICE: If you are a new vendor, you may not ask your customers to finalize their orders and release payment to you before you ship, a practice known as "finalizing early". If you do this, you will lose your selling privileges. Once you have completed 35 successful transactions and have been a seller for at least one month, you may ask your customers to finalize early without repercussion. In no way do we support finalizing early in general and this rule should not be construed as support for finalizing early for more established vendors.

Pricing
You have two options when pricing your listings. They can be priced in constant Bitcoins, or constant US Dollars. If you choose to peg your listings to the dollar, your prices will change dynamically in accordance with the exchange rate between the two currencies. When the Bitcoin appreciates, your prices will fall. When it depreciates, they will rise, so no matter what, you will get the same dollar value for your item. We recommend that you peg your prices to the dollar.

You may also choose whether to set your price before or after commission is added. If you choose "pre-commission pricing", the price you set will be the amount of money you are paid when a transaction is complete, but your customers will see a higher price that includes the commission. If you choose "post-commission pricing", you set the price that your customers pay. When you get paid, the amount you receive will be less than this by the amount of the commission.
Stealth mode
Stealth mode allows you to run your business out of view of the general public. Whether your sales are growing faster than you can expand your infrastructure to keep up, or you just don't want to be in the public eye any more and are happy with the size of your current customer base, stealth mode might be the solution for you. When activated, your listings will no longer appear in public searches, category views, or any pages linked to from the public site. However, your user and item pages will still be available when accessed directly, so your regular customers can still make purchases from you. You may activate stealth mode from your settings page. Note: It can take up to an hour for your listings to go stealth because of caching.

Stealth listings
When listing or editing an item, you may also control its visibility. By checking the box next to stealth listing, you remove the listing from public searches, browsing, and even your user page, so it is only accessible by visiting the item url directly (you can find a link on your account page). This is useful for custom listings meant only for a specific buyer, or for listings you don't want visible on your publicly facing user page.

Postage
You have total freedom when it comes to your postage options. You can call them what you want and price them as you wish, but please be succinct with names like "International", "Priority", "Express", etc. You should create a little section on your user page explaining your shipping options and policies. Give your customers as much info as possible, including estimated shipping times.
Escrow Hedging
Unfortunately, the Bitcoin exchange rate isn't as stable as we would all like it to be, and can fluctuate wildly in a matter of hours, let alone the days or weeks it takes for a package to arrive. Because of this, there is a real danger that the Bitcoins being held in your escrow account will lose value by the time your customers finalize their orders. So, we've given you the option to hedge the future payments you are expecting from escrow such that the dollar value of the payment doesn't change as the Bitcoin exchange rate changes.

For example, someone purchases one of your 10 btc listings. The dollar value of the order when purchased is $100. Now, a week later when the transaction is finalized, those 10 btc are no longer worth $100, they're worth $50! Because you hedged the escrow, you won't get paid 10 btc, you'll get 20 btc equaling the original value of $100. Of course, the opposite is also true. If Bitcoins appreciate in value while your payment is in escrow, you'll get fewer Bitcoins, but they will still equal the original dollar value.

The option to turn off or on escrow hedging can be found on your "settings" page. While it is on, the payments for any orders placed with you will be hedged. Payments for orders placed while it is off will not be hedged, but any hedged orders still not finalized will remain hedged.

On your account page, your escrow balances are split up between hedged and unhedged orders. All orders are hedged as soon as they are placed and unhedged as soon as you are paid.

You can expect a loss of about 4% of your normal payment when using the escrow hedging feature. This is due to the fact that, both when hedging and unhedging, you will lose the bid-ask spread between the available orders that can be used to fill your hedging order.

If you need the most up-to-date USD/BTC exchange rate, we recommend mtgoxlive.com.

Auto-withdraw
To minimize the time between when Bitcoins are credited to your account and when you are able to convert them to your currency of choice, and thereby minimize your exposure to exchange rate fluctuations, we provide an auto-withdrawal feature. Every time a payment comes into your account your entire balance will automatically be withdrawn to three Bitcoin addresses of your choice. This feature can be enabled on your settings page.

A note of caution: it is possible for an adversary to discover your auto-withdrawal address by looking for a transaction in the block-chain around the time they finalize a transaction with you for an amount similar to what they paid you (adjusted for exchange rate fluctuations if hedging). To help obscure your withdrawals, you must enter three withdrawal addresses. Your withdrawal will then be made in 3 random sized chunks to these three addresses with a small, random delay in-between them. These addresses can all be on the same wallet or exchange account so you don't have to keep track of multiple wallets. This will help them blend in to all of the other transactions, but you should change your withdrawal addresses regularly so that an adversary can't see any patterns over multiple transactions.

Pro-tip: set your auto-withdrawal addresses to deposit addresses at an exchange site and keep an open sell order there that is below the market rate, so as soon as the funds are confirmed there, they will be converted into your currency of choice.

Description
You must describe your listings accurately and truthfully. If you do not, it will be reflected in your feedback ratings and you will lose business. We have zero tolerance for any kind of scamming or cheating and have taken many precautions to guard against it.

Images
Some cameras record information about you in an image's meta-data such as GPS location. If you link to an image in your listing, be sure to remove ALL meta-data from the file that could reveal details about your identity.

Packaging
Every precaution must be taken to maintain the secrecy of the contents of your client's package. Creatively disguise it such that a postal inspector might ignore it if it was searched or accidentally came open.

Ship USPS if within the United States. They must obtain a search warrant to open any packages.

If the contents of the package have an odor or can be detected by canine or electronic sniffers, you MUST vacuum seal the package. Do not use odor masking agents such as coffee because dogs are trained to sniff for these too. Check that the vacuum sealed bag is holding tight around its contents, otherwise there is probably a leak.

Make sure the exterior of the package raises no suspicion. Look as professional as possible. The idea here is to blend in as much as possible with the rest of the mail stream, which is mostly "business reply mail." Please print your labels, as hand-written labels can be a giveaway.

Protect the contents of your package. If your item is brittle (such as pills) it needs to be sent in padded packaging (such as a bubble mailer). Do not send pills or any bulky items in envelopes. Envelopes get flattened in automated sorting machines and their contents get crushed.

Do not reveal the details of the packaging you use. You can be tracked this way.

Customer service
As an independent seller, we expect the highest levels of customer service from you. Go above and beyond for your clients and you will be rewarded with superior feedback and repeat purchases. Reputation is everything here and the best way to cultivate it is to treat your customers with respect and courtesy.

Restricted items
Do not list anything whose purpose is to harm or defraud, such as stolen items or info, stolen credit cards, counterfeit currency, personal info, assassinations, and weapons of any kind.
Do not list anything related to pedophilia.

Practically speaking, there are many powerful adversaries of Silk Road and if we are to survive, we must not take them all on at once. Additionally, if you try to please everyone, you will wind up pleasing no one. So certain things are restricted just so we don't scare too many off.

On a moral level, we take the high road, pun intended ;). Those who seek to control the behavior of their neighbors through force are immoral. Silk Road exists to circumvent that force and provide a safe-haven where civilized people can come together in peace for mutual benefit. To allow listings of items designed to defraud or harm innocent people would be to stoop to the level of the very people we are standing up to.

If you are unsure about a listing, just drop us a line and we'll let you know.

Buyer statistics
When a new customer buys one of your items, you will have a chance to see some statistics of their past purchases. We give you this limited data so you can make better judgements about who you can trust to do business with. A buyer who has been a member of Silk Road for a while, has many purchases, and doesn't have a high refund or auto-finalize rate is a great buyer and most likely deserves your trust. Other buyers won't have a track record yet, and it's up to you if you want to give them the benefit of the doubt and help them get started establishing their reputations. Working with buyers who have no record or a bad record can be a great way to establish yourself as a seller. Once you have a reputation of your own, you can afford to be more picky.

Accounts
We strongly encourage you to create a separate account for making purchases. If you do not, it is possible for an adversary to find out your mailing address. If you buy something from them, and provide an address, they know that the address belongs to you and can see from your feedback how much you are selling and what you are selling.

Cash advance
From your account page, you may accept advance payments on your orders that are currently in escrow. You'll see four numbers and a form field in a “cash advance” control panel. The first number is your limit. If your total outstanding advance payments meet or exceed this limit, you may not accept any more cash advances. The next number is the total of your advances currently outstanding. The third number is the difference between the first two, the total still available to you. The fourth number is the current fee for taking a cash advance. When you put the amount you want advanced to you in the input field and click go, that amount is immediately credited to your available account balance. This credit comes from the expected payments of your most recent transactions. When those transactions are eventually finalized, your account is not credited for them because you have already been paid. If a full or partial refund is issued for one of the transactions, your account is debited by the amount you were advanced plus the fee (or a prorated amount in the case of a partial refund).

For example, you sell a 20 btc item and then a 10 btc item. Your account page tells you that you have a 15 btc cash advance limit and the fee is currently 10%. You need all 15 btc, so you enter in 15 and click go. First, you are advanced 9 btc from the most recent 10 btc sale (10 btc minus the 10% fee). Then you are given a partial advance from the previous sale: 6 btc for a total of 15 btc. Let's say the 20 btc sale goes off without a hitch and the buyer finalizes the order. At that point, you would be paid 20 btc minus the 6 you were advanced, minus 10% of 6 (0.60 btc) for the fee, for a total of 13.4 btc. Next, let's say the 10 btc sale goes to resolution and you give your customer a 100% refund. In this case, you've already been advanced 9 btc and need to pay the 10% fee for a total of 10 btc, the original price. Therefore, 10 btc will be subtracted from your available account balance. If this causes your account to go negative, then any future deposits or payments will go toward reducing that negative balance.

The limit and fee are both self-adjusting according to a few simple parameters. The limit is governed by how much recent business you've done, and how much money you are expected to be paid from escrow. The fee is determined by the supply of and demand for the funds available for cash advances.

Things to avoid
Below is a short list of specific things you should avoid. It is by no means exhaustive, but taking any one of these actions could get your seller privileges revoked:

    Directing your customers to pay outside the escrow system or in currencies other than Bitcoin
    Leaving fake feedback for yourself from a dummy buyer account
    Threatening your customer, even if it is a veiled threat
    Saving customer addresses
    Claiming to have sent an order when you haven't

Final note
Regardless of your motivations, you are a revolutionary. Your actions are bringing satisfaction to those that have been oppressed for far too long. Take pride in what you do and stand tall.

If you have any questions or concerns at all, we are here to support you. Please also send any suggestions for improving this guide via the "Vendor Support" link below :)
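The Auto-withdraw note in the guide quoted above describes a concrete risk (an observer matching a payment's amount and time against transactions on the block-chain) and a concrete countermeasure (three addresses, random-sized chunks, random delays). The following is an added example, not code from the guide or the forum: a small Python model, on a constructed ledger rather than real chain data, that first applies the amount/time check to a withdrawal of the full amount and then to the split version, so you can see which one stands out. The function names, the address labels, the 2% amount tolerance and the two-hour window are all my assumptions.

```python
import random
from datetime import datetime, timedelta

# Constructed sample ledger (not real chain data): a slice of "all the other
# transactions" the guide mentions, timestamped relative to T0.  Amounts are in BTC.
T0 = datetime(2012, 10, 13, 12, 0)
BACKGROUND = [
    {"time": T0 + timedelta(minutes=m), "amount": a, "to": "bg-%02d" % i}
    for i, (m, a) in enumerate([(-90, 3.10), (-40, 12.50), (-5, 0.75), (20, 41.00),
                                (55, 2.20), (70, 9.90), (110, 0.05)])
]


def lookalikes(ledger, paid, finalized, tolerance=0.02, window=timedelta(hours=2)):
    """The heuristic the guide warns about, run against your own withdrawal: which
    transactions near `finalized` moved roughly `paid` BTC?  The shorter this list,
    the more a full-amount withdrawal stands out."""
    lo, hi = paid * (1 - tolerance), paid * (1 + tolerance)
    return [tx["to"] for tx in ledger
            if lo <= tx["amount"] <= hi and abs(tx["time"] - finalized) <= window]


def split_withdrawal(amount, addresses, rng=None, min_delay=60, max_delay=900):
    """The guide's mitigation: random-sized chunks to several addresses with a random
    delay (seconds) between them.  Returns (delay, chunk_amount, address) tuples whose
    amounts sum to `amount`; no chunk can exceed 90% of it."""
    if len(addresses) < 2:
        raise ValueError("need several addresses to split across")
    rng = rng or random.Random(2012)          # fixed seed only so the demo is repeatable
    cuts = sorted(rng.uniform(0.1, 0.9) for _ in range(len(addresses) - 1))
    bounds = [0.0] + cuts + [1.0]
    chunks = [(rng.randint(min_delay, max_delay), round(amount * (hi - lo), 8), addr)
              for addr, lo, hi in zip(addresses, bounds, bounds[1:])]
    # absorb rounding drift into the last chunk so the chunks sum exactly to `amount`
    drift = round(amount - sum(c[1] for c in chunks), 8)
    delay, part, addr = chunks[-1]
    chunks[-1] = (delay, round(part + drift, 8), addr)
    return chunks


def withdrawal_exposure(paid, finalized, rng=None):
    """Compare an unsplit withdrawal with a split one on the constructed ledger.
    Returns (matches_for_unsplit, matches_for_split) as lists of destination labels."""
    unsplit = BACKGROUND + [
        {"time": finalized + timedelta(minutes=3), "amount": paid, "to": "vendor-A"}]
    split = list(BACKGROUND)
    t = finalized
    for delay, part, addr in split_withdrawal(paid, ["vendor-A", "vendor-B", "vendor-C"], rng):
        t += timedelta(seconds=delay)
        split.append({"time": t, "amount": part, "to": addr})
    return lookalikes(unsplit, paid, finalized), lookalikes(split, paid, finalized)


if __name__ == "__main__":
    before, after = withdrawal_exposure(10.0, T0)
    print("candidates for a 10 BTC payment, unsplit:", before)   # vendor-A is in the list
    print("candidates for a 10 BTC payment, split:  ", after)    # only background noise
```

The split helps only against the single-amount match; the guide's further advice to rotate the three addresses is what prevents the same destinations from being linked across many orders, which this model does not attempt to cover.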

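The Images section of the guide quoted above tells vendors to remove all metadata from a photo before linking it, since camera metadata can carry a GPS position. As an added example (not from the guide or the forum), here is a standard-library-only Python walk over the JPEG segment structure that drops the metadata-carrying segments (APP1, which holds Exif and XMP; APP13, which holds IPTC/Photoshop data; and COM comments) and copies everything else, including the compressed image data, untouched. The sample JPEG bytes and the "GPS" string inside them are constructed inline for the demonstration.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Segments that carry metadata rather than image data: APP1 (Exif/XMP), APP13 (IPTC), COM.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of a JPEG with the metadata segments removed.

    A JPEG is SOI, then a series of segments (0xFF marker, 2-byte big-endian length that
    counts itself, payload) up to SOS, after which the entropy-coded scan runs to EOI.
    Everything from SOS onward is copied verbatim, so the picture itself is unchanged.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:   # skip fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker == SOS:
            out += data[pos:]            # scan data follows; keep the rest as-is
            break
        if marker == EOI:
            out += b"\xff\xd9"
            break
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + seglen
        if marker not in METADATA_MARKERS:
            out += data[pos:end]
        pos = end
    return bytes(out)


def list_segments(data: bytes) -> list:
    """Marker codes of the segments up to and including SOS, for inspection."""
    codes, pos = [], 2
    while pos + 1 < len(data):
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:
            pos += 1
        marker = data[pos + 1]
        codes.append(marker)
        if marker in (SOS, EOI):
            break
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen
    return codes


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; the length field counts its own two bytes."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample file: structurally a JPEG, with a fake Exif block and a comment.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"CONSTRUCTED-GPS-TAG-PLACEHOLDER")
    + _segment(0xFE, b"constructed comment: shot on my phone")
    + _segment(0xDB, b"\x00" + bytes(range(64)))        # a quantization table
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")        # SOS header
    + b"\x12\x34\x56\x78"                                 # stand-in for scan data
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print([hex(m) for m in list_segments(SAMPLE_JPEG)])   # before
    print([hex(m) for m in list_segments(cleaned)])       # after: no 0xe1, no 0xfe
```

APP0 (JFIF) is deliberately kept so viewers still recognise the file; the same walk works on any baseline JPEG you read from disk, but it is JPEG-specific, so PNG or HEIC files need their own handling.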
Title: Re: Vendor not using PGP, etc
Post by: wackmanblu on October 13, 2012, 02:15 am
Quote
Buy from a vendor who uses PGP or there soon won't be any that do.

Think. If he doesn't care about your security enough to learn PGP then what else is he slipping on?


wackmanblu: I think the OP knows PGP and wants to use it with a vendor who doesn't. You should PM mr d with that info. Also, not using PGP for an address doesn't put the vendor at risk, only the buyer.

Yeah I get the impression that the OP knows PGP already too, but if they were expressing doubts about using it then this should say "hey mofo, PGP keeps us all safe - as soon as we let a bunch of kids start screwing up with security then we're all doomed"
Title: Re: Vendor not using PGP, etc
Post by: Nightcrawler on October 13, 2012, 02:49 am
Quote
I just saw a new pill vendor pop up who advertises requiring FE, wanting addresses via privnote, and not knowing how to use PGP.  That and they had to beg for the money to open a vendor account.

WTF.  I hope buyers are careful when choosing a vendor and do their research first!

A new vendor wanting customers to FE early is in violation of the terms of the Seller's Agreement. From the Seller Agreement that I previously posted:

Quote
NOTICE: If you are a new vendor, you may not ask your customers to finalize their orders and release payment to you before you ship, a practice known as "finalizing early". If you do this, you will lose your selling privileges. Once you have completed 35 successful transactions and have been a seller for at least one month, you may ask your customers to finalize early without repercussion. In no way do we support finalizing early in general and this rule should not be construed as support for finalizing early for more established vendors.

Time to 'name and shame' them.  New vendors cannot require FE, they must remain in escrow. Not providing a PGP public key is also in violation of the terms of the Vendor Agreement, although the enforcement thereof appears to be lax in the extreme.

Not using PGP and promoting the use of unsafe sites like Privnote are definitely warning signs for the wary to stay away.  Furthermore, one has to wonder how they'll come up with the money for packaging equipment like vacuum sealers and the like. Sounds either like a scammer or someone starting on a shoestring -- not good either way.



Title: Re: Vendor not using PGP, etc
Post by: farmer1 on October 13, 2012, 02:50 am
Nightcrawler: That was a good refresher, but the contract states you must read the guide, not follow it. Very different.
Title: Re: Vendor not using PGP, etc
Post by: Nightcrawler on October 13, 2012, 04:27 am
Quote
Nightcrawler: That was a good refresher, but the contract states you must read the guide, not follow it. Very different.

I disagree -- this is so much hair-splitting. You would be correct, if it _only_ said, "Read the Seller's Guide." However, it goes on to further stipulate some provisos:

"... Don't skip this step as it includes further information you will be held accountable for as a Vendor!" and

"Remember, violating the rules here will result in your Vendor account being banned."

I would argue that the first and second provisos serve so as to incorporate the terms outlined in the Seller's Guide into the vendor contract.

If DPR's intent was not to have these rules followed, but only READ, then why did they incorporate language such as the following into the Seller's Guide?

Things to avoid
Below is a short list of specific things you should avoid. It is by no means exhaustive, but taking any one of these actions could get your seller privileges revoked:

    Directing your customers to pay outside the escrow system or in currencies other than Bitcoin
    Leaving fake feedback for yourself from a dummy buyer account
    Threatening your customer, even if it is a veiled threat
    Saving customer addresses
    Claiming to have sent an order when you haven't


I suppose that the only way to clear this up is to take it up with DPR themselves.

 
Title: Re: Vendor not using PGP, etc
Post by: wretched on October 13, 2012, 04:34 am
TBH I only read the thread title, and to that I say no PGP = no sale, PERIOD!
Title: Re: Vendor not using PGP, etc
Post by: Nightcrawler on October 13, 2012, 04:58 am
Quote
Time to 'name and shame' them.  New vendors cannot require FE, they must remain in escrow. Not providing a PGP public key is also in violation of the terms of the Vendor Agreement, although the enforcement thereof appears to be lax in the extreme.

Not using PGP and promoting the use of unsafe sites like Privnote are definitely warning signs for the wary to stay away.  Furthermore, one has to wonder how they'll come up with the money for packaging equipment like vacuum sealers and the like. Sounds either like a scammer or someone starting on a shoestring -- not good either way.

Quote
That's my feeling as well.  Apparently people have already requested / been sent "samples" from that vendor ... and the vendor says he/she will "learn PGP tonight or tomorrow" ...

Yikes.  Worrisome.

I've got 'em straightened-out.  I walked 'em through GPG4USB, and they now have a key posted on their vendor page.  They should now be able to both send and receive PGP-encrypted traffic.

Title: Re: Vendor not using PGP, etc
Post by: wsg on October 13, 2012, 01:18 pm
There are many vendors using Privnote because it is easy, but it is not secure.  I do sympathize with vendors, as using PGP seems to require you to be a full-time teacher; it is one of the most common steps for newbs: make a purchase, then try to learn PGP. Everyone is in a rush; I think it is because they just didn't order enough last time, so they just need to order more to give them more time to learn.  I DO NOT PURCHASE FROM VENDORS THAT WON'T USE PGP >>> TOO LAZY TO USE IT, TOO LAZY TO PACK MY GOODS IMO!
Title: Re: Vendor not using PGP, etc
Post by: farmer1 on October 13, 2012, 05:07 pm
Quote
Nightcrawler: That was a good refresher, but the contract states you must read the guide, not follow it. Very different.

I disagree -- this is so much hair-splitting. You would be correct, if it _only_ said, "Read the Seller's Guide." However, it goes on to further stipulate some provisos:

"... Don't skip this step as it includes further information you will be held accountable for as a Vendor!" and

"Remember, violating the rules here will result in your Vendor account being banned."

I would argue that the first and second provisos serve so as to incorporate the terms outlined in the Seller's Guide into the vendor contract.

If DPR's intent was not to have these rules followed, but only READ, then why did they incorporate language such as the following into the Seller's Guide?

Things to avoid
Below is a short list of specific things you should avoid. It is by no means exhaustive, but taking any one of these actions could get your seller privileges revoked:

    Directing your customers to pay outside the escrow system or in currencies other than Bitcoin
    Leaving fake feedback for yourself from a dummy buyer account
    Threatening your customer, even if it is a veiled threat
    Saving customer addresses
    Claiming to have sent an order when you haven't


I suppose that the only way to clear this up is to take it up with DPR themselves.

It is pretty clear to me. I think you are having to stretch things to make them fit your perspective.

Want to play 'guess DPR's intent'? I am guessing that you can do anything you want here as long as it doesn't make a victim out of someone else. I don't think receiving only non-PGP encrypted orders makes anyone a victim, so it is OK as far as the rules go. Now if the market likes using PGP, then if you can't work with PGP you aren't going to get business. That is the way it should be. We don't need (or have) rules here to protect you from yourself.
Title: Re: Vendor not using PGP, etc
Post by: comatose on October 14, 2012, 02:22 am
I guess the answer to this lies in how highly you value your privacy.

Fwiw, I would not order.
Title: Re: Vendor not using PGP, etc
Post by: wackmanblu on October 14, 2012, 05:18 pm
The strength of SR lies in its anonymity. If more and more people here aren't anonymous at any step in the game then this weakens the whole.

All it takes is some kid from a wealthy family in Florida to be traced back to a dealer who used privnote. Now we're rockin' the boat without any reason, more bad press, more "victims" - none of that is necessary if we all used PGP, which is really quite simple to use once you've grasped the concept.
Title: Re: Vendor not using PGP, etc
Post by: Dread Pirate Roberts on October 14, 2012, 10:09 pm
Sorry this isn't clear in the contract/guide.  It might be due for a revision.  PGP is encouraged, but not required.  As part of your contract, you are required to read the seller's guide.  Some parts of the guide outline actions you can take that will get your seller status revoked.