Silk Road forums

Almost all research chemicals originate in China, most synthetic drugs also originate in China, if not the finished product at least the precursors.

Thing is I honestly don't know or give a whole lot of a shit if they are police, I like the SR community and have been here for a good while now, don't use the marketplace of SR and have no plans to use the marketplace of any other site. I am just commenting on it from what I can gather, and although I agree it is entirely possible they are LE , I just don't see the red herring that you seem to see that makes it so they *obviously* are LE, and my honest opinion is simply that you have nothing but a gut feeling to go off of. That said, LE did run a drug forum once, and it was apparently their knee jerk reaction upon discovering the existing drug forums, so it seems like not much of a stretch that they would do the same in the case of public drug dealing websites. However, this new market is a hidden service (the FBI forum blocked access via Tor and said only scammers use it), they allow messages to be encrypted with GPG (even adding a potentially worthless automatic encryption feature, hopefully nobody relies on it, but I am sure almost everybody will, which sucks, as it is quite possibly completely worthless, but better than nothing I suppose) and they allow anybody to be a vendor. None of those things pop out and say police to me, although having all of those things also doesn't pop out and say not police to me, only potentially not police. Just my two cents .

Honestly regardless of the truthfulness of this particular story, I am a bit disgusted that peoples first reactions are "LIES" instead of "Possible compromise". Especially given that so far everybody commenting on why it is impossible obviously doesn't know what the fuck they are talking about. Professional Penetration Tester is a real job title for white hat hackers, people who would be the ones trying to deanonymize SR by hacking into it (aka: penetrating it) rather than via tracing through Tor (those people would be called Professional Traffic Analysts). Making fun of what he called himself just shows your own stupidity and lack of understanding of the technical community.

I sure hope nobody has compromised SR, but that attitude that it is impenetrable is completely wrong (VERY LITTLE software has been mathematically proven as secure from hackers, and even the software that has been proven to be is only proven to be when a large set of unproven assumptions have been met. Even life critical software is usually not mathematically proven as secure, although it is often crafted with stringent coding standards and intense auditing). Additionally there wouldn't need to be a new exploit for Tor found, strictly speaking an attacker could hack the instance of Tor on SR to obtain its real IP address, or they could hack any of the other available routes to its real IP address, Apache comes to mind. Or it could be from a misconfiguration of something and not require any hacking at all. And there wouldn't even really need to be a new attack on Tor found, there are somewhat practical traffic analysis attacks against Tor that stand various chances of deanonymizing hidden services by themselves.

Anyway that is all I have to say on the matter, I just hate to see people having a default sense of invincibility, it is something that often precedes one being shown that they are incorrect.

usually you can upload with a false extension and upload whatever the hell you want even if the extension you want isn't allowed.

At least I have shipped something international with UPS once and the form required phone number of myself and the recipient. I put fake numbers for both. Package made it through fine although it only had cash in it. Might be best bet to put a real number for both, but not a number associated with either of you obviously, and a cell phone number if possible so it is not tied to an address that does not match where the package is being shipped to.

Sounds like the vendor is just an idiot. I am pretty positive that you often are required or asked to give a phone number when shipping things internationally. Of course it doesn't mean to give your real number.

but what would they have from giving away addresses? they cant know what it is used for. also feds cant start investigating because of some company giving out addresses which they dont know what they are for. its not profitable for them... yet i have not seen anyone got busted for using these companys. and i feel it is needed to be proven before making things up. Im not a professional but as far as i know these companys encrypt the datas and cant even see em themselves. If that wasnt true im quite sure hackers would have already giving out some warnings.

Several scenarios are possible. the feds could hack into SR or otherwise take control of it. The customer sends the vendor his address with a privnote link. Feds intercept the link at the server, get the customers address, make a new privnote message that is identical and forward it on to the vendor. Now the vendor sends drugs to the address and the feds have already identified it, intercept the product and raid the customer. That seems like one of the most likely scenarios. I am still not used to these new javascript based website encryption services, they seem to be a slight improvement over how hushmail was doing things with javascript (in that Hushmail was still sent passwords to asymmetric private keys, afaik privnote is entirely symmetrical with single use keys that are hilariously presumably to be sent through cleartext channels), but I am sure they are full of holes. One hole in particular is that they are constantly sending the javascript app to the client using it and unless the client constantly verifies that it is legitimate they could send a bugged version. There is also the entire "you are presumably to send the symmetric encryption key through a non-encrypted channel" detail, which I find to be a bit hilarious. I mean, asymmetric cryptography is weak to MITM as well but I think not to anywhere near the same extent as something like privnote, especially considering vendors here can post public asymmetric keys publicly and verify them, but you cannot very well post a one time use (or any time use) symmetric key publicly.

And if it was true it would be an easy way to get someone in trouble. Just post his address 20 times a day and watch him getting raided. i believe these speculations have no real ground to it and should be avoided until proven.

You assume that merely having your address go through privnote would be enough to get you raided. This is highly unlikely, although an address found from privnote may be note worthy it is certainly not enough by itself to warrant much. However, the real risk is that the attacker will take over SR server and do massive MITMing of privnote links in order to enumerate the addresses of all the customers using privnote. Considering protecting from an attacker who pwns the server is the goal of using asymmetric cryptography, it seems like a good indication that you should not use privnote as a replacement for asymmetric cryptography if privnote cannot protect from such an attacker.

Hushmail clearly stated in their tos that illegal use is forbidden and will be investigated. the one who overreads this its his own fault.

Prior to Hushmail handing over many DVDs worth of E-mails to the DEA, they had no such warning. They acted like they were invincible and were a proper implementation of and replacement for traditional user controlled asymmetric cryptography. Only after Raw Deal did they point out that they cannot actually protect from law enforcement level attackers. This is a common trend actually, you could look at the hidemyass VPN service as well (several VPNs have fallen into the same pattern actually). These services all offer weak protections that were never really intended to stand up against strong attackers, however they need to market their shit so they make really big claims or imply that they can offer strong security or anonymity. When the house of cards comes tumbling down, usually at the hands of law enforcement, these companies shrug their shoulders and call their users idiots for thinking that their company could really withstand law enforcement level attackers.

Anyway i will keep using privnote. i feel its even safer than pgp. because like i stated in another thread - if someone other than the seller reads these information, then the seller cant read it anymore. so u can know for sure there is something wrong and prepare for it. Something u cant know using pgp i think
If such companys have success with their services it would be dumb to give out addresses or whatever as it would kill their reputation in one day and nobody would use it anymore. I cant believe these rumors, im sorry.

Privnote is certainly not safer than properly used GPG. As I pointed out, an attacker who pwns SR server will intercept the privnote link, read it, copy the message, make a new privnote link to the copy of the message, and let that message get through to the vendor. Nobody can tell that the real message has been intercepted and read by an unintended party. Additionally, you cannot know shit with privnote either, all you can do is have faith in a company. There is no law of mathematics that says privnote must destroy their messages after they are read once. You sound like you may be somewhat interested in the Vanish network, it stores messages for some period of time and then makes them impossible to decrypt at a later date (of course you should additionally encrypt these messages with GPG yourself, Vanish is mostly theoretically useful for protecting from laws regarding encryption keys in countries like the UK). I have not looked at it for quite a while now, last I checked it fell victim (at least theoretically) to a Sybil attack , but they had plans to fix it up I think. Anyway I just throw that out there as something to look into.

Anyway you just need to look at farmers market to see that people kept using Hushmail even after it was known that they will at the drop of a dime hand over as much information to law enforcement as is requested. There are always idiots willing to have faith in the promises of a company, even after the company has been debunked. VPNs turn on their users on a regular basis but they don't go out of business for doing so. The simple fact of the matter is, we have a decade of experience pointing to the fact that companies break under little pressure, the laws of mathematics and well thought out security policy do not buckle to anything.

At the end of the day feds cant raid everyone for uploading their address to a site. and as your house should be clear of all illegal things nothing can happen to you anyway. as long as u r not hording drugs in your house u should be safe. If they ask u - never forget anybody can use ur address as a drop, u dont know anything. They have to prove it was you ordering. if ur not a pussy giving it all away urself there is nothing to be worry about in my opinion.

As I already pointed out, the feds / police will not use the address by itself as proof of anything. They may use it as an intelligence lead in itself, something leading them to watch the address perhaps looking for other signs of illegal activity. The more worrying thing is that they will intercept the link to the privnote post as it goes through SR server and MITM attack. When they see the customer place an order with the vendor, and then send the vendor the privnote link, that will be enough to use the address the privnote link posts to as evidence of a drug law offense. Also it is quite likely they will do a controlled delivery, and history has shown us that if you accept a package and open it , that is usually enough for them to prove that you ordered it in court.

most of the drugs getting sold here are self-use drugs not meant for selling. this fact makes it very unprofitable for feds to go after these addresses. one special officer costs more an hour than the average package that gets send from here.

Seems to me that you are merely justifying to yourself the fact that you are too lazy to figure out how to use proper security measures. Either that or you are trying to lead others astray. The fact of the matter is that drugs are still illegal and ordering drugs via the mail is a federal offense. The feds probably do not care about the person ordering personal use cocaine from this site, but in the event that they obtain proof such a thing has happened, it is quite likely they will forward this intelligence on to your local police department. And they are likely to try to arrest you. Most people in prison over drug charges are there over personal use amounts.

Anyway its late and i might be wrong with some points as i didnt thought them all through. just my 2 cents dont take it to serious

Don't worry, I wont.