Silk Road forums

Discussion => Security => Topic started by: Hungry ghost on October 03, 2013, 09:35 pm

Title: Migrating safely using pgp
Post by: Hungry ghost on October 03, 2013, 09:35 pm
Like many other users of SR I have been contacting vendors I use who have a forum account (checking history to be reasonably sure it's them) to ask them what market they plan to migrate to.
Obviously since these forums may be totally LE pwned this is a somewhat risky endeavour.
I am trying to work out how to use PGP (I was lucky enough to have most vendors' keys I use saved offline; I periodically deleted them but it happened at a good time) to do this securely.
However I am thinking in circles and ending up in "which cup holds the poison" like dilemmas.
Example 1: a vendor who never used PGP, and therefore is responsible for an address of mine being in the seized server unencrypted, when asked, tells me the URL of his new account. It's probably him, unless I want to go totally tinfoil and assume LE honeypot. (I am about as small time as possible, never made much more than £50 purchases).
Example 2: browsing one of the other markets I come across a vendor I use. Looks the same, selling the same product, low value listing and displaying the same PGP key. I have sent him a message encrypted to said key on the new site; if he replies then we're good to go, right? However I'm a little concerned about continuity… seems if compromised on SR it's a bad idea to reopen shop under the same name elsewhere. But seems insurmountable, if vendors and buyers want to continue the relationship.
Example 3: I message a vendor whose PGP key I have, but in clear text asking his intentions. I should really continue the conversation to his old key, and send him mine encrypted with his, right? He talked about sending me his new site and key soon. This would only be secure if I send my key encrypted to his old key and he sends his new key encrypted to mine?
I am basically looking to start a thread on how to use PGP to migrate securely to new sites; clearly this is only secure when I already have the old key of the vendor?
Or is it better for both vendors and buyers to just start afresh? (I wasn't planning to transfer my SR identity to the new site but obviously if not very careful I will do this inadvertently. I managed to cope with funding new vendors on SR as a newb without getting ripped off (well maybe once). I don't have pressing needs. Maybe I'm better to just start new. Except example 2: at least I know it's him, but could buy without revealing the previous relationship.)

Title: Re: Migrating safely using pgp
Post by: Hungry ghost on October 03, 2013, 09:40 pm
Correction to example one: I am responsible. Tbh not that worried as I am smallest fish possible and address only tangentially connected to me.
Title: Re: Migrating safely using pgp
Post by: Happyman on October 03, 2013, 09:55 pm
is this guy for real? please verify

http://6zyze2mkwyla7jwe.onion/silkroad/backup/

Libertas suck your mum you traitor
Title: Re: Migrating safely using pgp
Post by: Hungry ghost on October 03, 2013, 10:16 pm
Problem is I mostly used PGP to encrypt my addy but I don't think I bothered giving mine out after the first few times. Not sure how I can prove identity on the backup site if that's what you mean. If you are asking if the backup guy is for real, how would I know? Probably. Wishing I had used PGP more sophisticatedly as identity proof rather than just to encrypt my addy.

Title: Re: Migrating safely using pgp
Post by: This_is_not_SOCA on October 04, 2013, 12:49 am
I'll have a go at answering this but I'm a little unsure of the questions, so bear with me.

Every PGP user has at least one key-pair consisting of a private key, which they must keep secret, and a public key which you can give to other people. I will talk only about public keys from now on.

To prove that someone else is who they say they are, they do not need your key - but you need theirs. There are two ways to do this:

1) You send them a message encrypted using a key that you know to be theirs. The only person who could decrypt and read this message is the owner of the key (because they will own the corresponding private bit of their keypair). That way you have some assurance that the remote recipient is the owner of the key.

2) They send you a message and they sign it using their key. The message is not encrypted but its contents must have been created and signed by the owner of the key (again their private key is used to actually sign it).

The main thing is that you have a copy of their public key which you know is theirs. Therein lies the problem. If somebody just gives you a key then how do you know? That is one of the reasons that StExo has archived all of the vendor public keys over in the Silkroad Discussion forum - these are all keys that have been posted for a number of months and used by several people so have earned some trust.

You only need to give them your key if you want to prove who you are when you send a message or if you want them to send you stuff encrypted to you that only you can read.

Hopefully that makes sense and is what you are getting at.

stay safe
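The two proofs in this answer, combined with the key-continuity question from Example 3, as an added example that is not part of the original thread: the vendor signs a notice announcing a new key with the old private key, and the buyer checks that notice against the fingerprint saved before the old site went down. It is written in Go with Ed25519 as a stand-in for PGP/gpg, so the key formats and the names Fingerprint, Announce, VerifyRotation and Scenario are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint stands in for a PGP fingerprint: the short value a buyer saved offline earlier.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// rotationMsg binds a context string to the new key so the signature means only "I rotate to this key".
func rotationMsg(p ed25519.PublicKey) []byte { return append([]byte("key-rotation:"), p...) }

// Announce is the vendor side (method 2 above: sign the notice, no encryption needed).
func Announce(oldPriv ed25519.PrivateKey, newPub ed25519.PublicKey) []byte {
	return ed25519.Sign(oldPriv, rotationMsg(newPub))
}

// VerifyRotation is the buyer side: the offered old key must match the saved
// fingerprint and the signature must verify under it; a copied public key alone cannot pass.
func VerifyRotation(savedFP string, oldPub, newPub ed25519.PublicKey, sig []byte) bool {
	if Fingerprint(oldPub) != savedFP {
		return false // the "old key" offered now is not the one saved earlier
	}
	return ed25519.Verify(oldPub, rotationMsg(newPub), sig)
}

// Scenario uses freshly generated (constructed) keys: the real vendor's notice,
// and an impostor's forgery that shows the same public key but signs with a different private key.
func Scenario() (genuineOK, impostorOK bool) {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, fakePriv, _ := ed25519.GenerateKey(rand.Reader)
	savedFP := Fingerprint(oldPub) // what the buyer stored before the seizure
	genuineOK = VerifyRotation(savedFP, oldPub, newPub, Announce(oldPriv, newPub))
	impostorOK = VerifyRotation(savedFP, oldPub, newPub, Announce(fakePriv, newPub))
	return genuineOK, impostorOK
}

func main() {
	g, i := Scenario()
	fmt.Printf("genuine vendor accepted: %v, impostor accepted: %v\n", g, i)
}
```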
Title: Re: Migrating safely using pgp
Post by: Hungry ghost on October 04, 2013, 07:39 am
Yes, thanks. I had by chance the keys of a number of vendors I used saved. (Stupidly I used to delete them, thinking that having a lot of drug vendors' keys would harm plausible deniability in the event of interception of a letter. After all I could always get them off SR......oh)
I knew it all already really, I was just over thinking it. Either I have their old key and they can decrypt a message to it, or not. Any other situation I'm just going to have to use judgement.
Dammit. Wish I had made sure more vendors had MY key, then I could have used it to prove my ID. Like many people I understood PGP enough to exchange basic messages but we never really established the whole web of trust thing properly.
Thanks for clarifying.

Trouble is, not sure all vendors I use are keeping the old key. They are messaging from their forum account and pointing to a new account on the new site. I think there's a conflict between wanting to keep the identity from SR, and worrying that the SR identity may have inadvertently revealed something, that is unresolvable. Still, it's simple. If they can decrypt a message sent to the old key it's them.....everything else is guesswork.

One thing to take from this is PGP is vital, despite what some people are saying. I remember thinking DPR had a shaky grip on it from some of his forum posts. The whole business makes you wonder what mistakes you might have made when new, or years ago. Thing is, I bought small amounts of drugs. DPR was masterminding SR. I wish he'd been more careful, the poor bastard. They are going to crucify him.