Silk Road forums
Discussion => Security => Topic started by: BillHampton on June 18, 2011, 05:14 pm
-
If and when SR's servers get captured, the authorities will inevitably resurrect it as a honeypot of sorts in order to catch buyers and sellers.
I was wondering if there's some way we can tell that Silk is still in charge around here. I'd imagine it would put a lot of people's minds at ease. I'm fairly certain that the place has not been seized but it would be really nice if there was a way to know for sure.....
-
If it was publicly known what it was, wouldn't the authorities do whatever you're implying to make themselves look legit?
I understand what you're saying, but I see no way to implement it without them knowing too.
-
Your logic is flawed because they would still not be able to bust sellers, only buyers who didn't use GPG encryption when sending their addresses. I still don't know why Silk isn't using GPG signatures so everyone can confirm it's him though.
-
KISS security.
This forum is not the way
to enlightenment.
-
He really should be using GPG signatures...
-
I dunno, you might try saving some static elements that are part of the source code for the site, certain objects that aren't dynamic, and record their hash values. A copy by LE would have altered MD5/SHA/Etc. values probably.
-
GPG signatures were already made to solve this problem
-
But in fact, it may be too late already.
The best thing would be if Silk Road could have his key signed by the key of someone who is really trusted, and there should be a lot of opportunities. The only question is how this person can determine whether SR is LE or not. However, I imagine SR may know some people from the scene who can vouch for him in some way and sign his key.
He then should proceed with signing everything he writes with his key in order to make this trustable.
Really no big deal, but a great advantage. If LE would gain much by SR being a honeypot, I'd believe it was, I think.
But considering that SR is not a very valuable honeypot, I don't think so.
AFAIK most of the places that were honeypots were much more obvious to most people (LEOnidas, lol).
Just my five cents,
Greets, M
-
It doesn't matter if it is a honeypot; the worst that can happen is they muscle you into confessing that the package was yours. By then word gets around with enough evidence to back it, and their honeypot is no more.
Just don't open the package for a few days and don't sign for it, and honeypots be damned.
-
Your logic is flawed because they would still not be able to bust sellers, only buyers who didn't use GPG encryption when sending their addresses. I still don't know why Silk isn't using GPG signatures so everyone can confirm it's him though.
how does that help? you use a public key the seller will need to decrypt the address, won't the feds have the same public key?
-
from what I understand, you use your private key to decrypt messages. you send your message with your public key. Can someone back me up here?
-
from what I understand, you use your private key to decrypt messages. you send your message with your public key. Can someone back me up here?
Actually: you send a msg with someone *else's* public key, unless you are sending a msg to yourself. And your private key is so that you can decipher the msgs someone *else* sends with your public key. Weird and beautiful.
-
Podperson shut the fuck up fed you have been nonstop trying to get people to stop using GPG from the first time I saw your pseudonym.
Also, you will know when the feds are here by looking for user names like
LEONIDAS (Law enforcement officer national institute of drug abuse strategy)
Master Splinter (Splinters infiltrate the opposing group)
Feddy Kruger
Police Officer
Member Of Law Enforcement
Law enforcement's biggest weakness is their inability to not make cute-sounding names that totally blow their cover.
My nym is a joke
-
lol yeah NARCturnall haha ;)
No, he is right. They always failed in terms of names, but this always was just something some people could laugh about after all the shit hit the fan.
But still, this is of course no way to be safe. Signed messages are the way to go, and it has to spread that you can do more with PGP than just encrypt messages but also sign stuff.
Greets, M
-
While it would be helpful and reassuring if SR signed important messages and announcements with a signature, I think it's unnecessary. If SR is truly compromised, it's not unlikely that the admin could be compelled to cooperate and provide his private key and passcode to law enforcement.
I believe it's safest to act under the presumption that SR is already compromised, and to never trust SR with sensitive information such as buyers' addresses. Messages going through the SR system should be encrypted at all times.
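To put the thread's two proposals side by side in working code (this is an added illustration, not code from the forum or from SR): hashing the site's static files only detects changed content, whereas a signature over each announcement, plus a trusted third party certifying the operator's key, checks who holds the private key. The toy RSA keys, the "trusted party", the "copycat" and the announcement text are all constructed; real PGP uses keys of thousands of bits and proper padding, which this sketch omits.

```python
import hashlib

def next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (toy key sizes only)."""
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def rsa_keypair(seed: int, e: int = 65537):
    """Textbook RSA keypair from two constructed primes just above `seed` (insecure size)."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private); needs Python >= 3.8

def digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n  # no padding: toy

def sign(message: bytes, priv) -> int:
    n, d = priv
    return pow(digest_mod_n(message, n), d, n)  # only the private-key holder can do this

def verify(message: bytes, signature: int, pub) -> bool:
    n, e = pub
    return pow(signature, e, n) == digest_mod_n(message, n)  # anyone with the public key can

def key_bytes(pub) -> bytes:
    return f"{pub[0]}:{pub[1]}".encode()  # serialize a public key so another key can certify it

def verify_announcement(message, sig, operator_pub, cert, trusted_pub) -> bool:
    """Accept only if a key we already trust has certified operator_pub
    AND the announcement verifies under that certified key."""
    return (verify(key_bytes(operator_pub), cert, trusted_pub)
            and verify(message, sig, operator_pub))

def demo() -> dict:
    """Constructed scenario: operator, trusted third party, and a copycat of the site."""
    operator_pub, operator_priv = rsa_keypair(10**6)
    trusted_pub, trusted_priv = rsa_keypair(10**6 + 500)
    copycat_pub, copycat_priv = rsa_keypair(10**6 + 2000)
    cert = sign(key_bytes(operator_pub), trusted_priv)  # trusted party vouches for the key
    msg = b"constructed announcement: maintenance tonight"
    sig = sign(msg, operator_priv)  # proves key possession, not that the holder acts freely
    fake = sign(msg, copycat_priv)  # copying the site's files never yields the operator's key
    return {
        "genuine": verify_announcement(msg, sig, operator_pub, cert, trusted_pub),
        "tampered": verify_announcement(msg + b"!", sig, operator_pub, cert, trusted_pub),
        "copycat_sig": verify_announcement(msg, fake, operator_pub, cert, trusted_pub),
        "uncertified_key": verify_announcement(msg, fake, copycat_pub, cert, trusted_pub),
    }
```

Only the "genuine" case verifies: a modified message, a signature from a different key, or a key nobody trusted has certified all fail, which is exactly what a hash of static files cannot tell you.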
-
From reading all the threads on the old SR forum, it appears the real trouble is getting a noob to believe in the power of PGP in the face of all the *other* kind of security that is being compromised in the BTC arena. Most of which is because of insecure peripheral vendors, weak passwords, multiple site passwords being used or "fake outs" like the hidden wiki page change.
I feel very confident that LE cannot, at any level, break a 4096 bit PGP encrypt key. Even when Hushmail cooperates with the DEA, the DEA cannot read PGP encrypted mail sent between Hushmail accounts. But maybe someone could give a link to a page that is highly definitive on this subject? I don't think my personal opinion is worth much in this case. HA!
-
I believe it's safest to act under the presumption that SR is already compromised, and to never trust SR with sensitive information such as buyers' addresses. Messages going through the SR system should be encrypted at all times.
precisely!
-
Here's an interesting article on the topic of passphrases:
Cheap GPUs are rendering strong passwords useless
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125
And here are a couple of pages I've found useful in creating strong(er) passphrases:
GRC's Password Haystacks
https://www.grc.com/%5Chaystack.htm
GRC Ultra High Security Password Generator
https://www.grc.com/passwords.htm
If they obtain your private key, it's only a matter of time until they can use it; *how much* time is up to you.
-
Let's face it: the weak link is the seller. As a buyer, I don't need *his* address, but he needs one from me. I use xpud on a stick just for this, tor for browsing, gpg for the transmission of the landing zone...and then just hope my luck holds. I find I put too much emphasis on the stuff I personally find interesting, and not enough on basic common sense.