Silk Road forums

Support => Feature requests => Topic started by: pine on July 15, 2012, 09:16 pm

Title: PGP Paralysis & the PGP Club
Post by: pine on July 15, 2012, 09:16 pm
Ok!

So, lots of us use PGP. We can intuitively guess that not as many people do, as should. Some posts have also got me thinking that many of the people who don't, know they should know better... That is: there is a wee bit of a psychological hurdle for using PGP even for non-newbs.

It's not that they don't care or that they are stupid, it's that they dilly dally because they are not 'prompted' at the appropriate moments. This is similar to how people know they should use secure passwords, but even geeks use terrible passwords for security all the time because although people are smart, they are not necessarily also patient.

Using Encryption is the equivalent of a safety belt when driving. It is extremely easy when you are in the habit of it, but like I said, there is this barrier.

So I would like to propose two things.

1. When you send a message on the Silk Road, there ought to be a line of text between the subject line and text box for your message that reads something like:

"Use PGP encryption to protect your security where possible."

This text should be in red, slightly larger font e.g. if 10pt is the default, then use 11pt for the warning, and in bold. The words 'PGP encryption' could be a hyperlink to a short PGP tutorial for windows/mac etc.

It sounds very simple, blatantly obvious like a red stop light at a junction, but I'm sure that this would have an immediate impact on the number of customers taking their message security seriously.

On a related but separate issue I would also like to see consumers being given visual recognition for using PGP security. e.g. some manner of visual signifier like a badge/tag, similar to how ebay uses colored stars for its users, so everybody knows user X is part of the 'PGP Club' (suggest a little golden lock icon like SSL).

--

2. The next idea is more of a community affair, PGP Club! Woot!

Basically, we have long standing members of the forum volunteer a little of their time to helping those shy doe eyed newbs (so cute!) graduate to being members of the PGP Club (instantaneously transmorphed into those austere greybeards, the cryptoanarchist cyberelite intelligentsia! Yes!).

I think this is not actually just about security and hi-tech geekry, but also identity.

Traditionally, drug dealers and smugglers have had various rites of passage, most famously the Sicilian Mafia involving candles, blood, knives yadayada craziness.

However, all those rites of passage are ethnocentric anachronisms. We need something new that befits the spirit of our collective enterprise.

Today, we live in a globalized world filled with hi-tech gadgetry being the norm. Our business is less like the hierarchical structure of traditional organized crime, and more like that of transnational corporations, composed of many fluid and dynamic relationships, the nature of the business and the people involved flip on a dime. This makes it important for our customers to recognize certain signals (e.g. the infamous shoe tied to a telephone pole in RL being a classic example) or to adopt certain behaviors.

So, it is befitting that PGP is seen as 'cool', 'wicked' by SR customers. It makes it easier to 'plug' them into the market on the fly as it were. I'm trying to say this is broader than SR, that we're cultivating an anonymous e-market of PGP-aware people generally but that it starts in earnest here if it is to start anywhere proper. Remember, anonymity loves company, the larger the set...

Once consumers are able to use PGP fluently, they are able to use PGP forever, it is a cognitive equivalent of a lump sum investment paying compound interest over time.  The simple act of knowing how to encrypt and decrypt is a tremendous blow to law enforcement, it creates a resilient consumer base to bounce our market back whenever it will come under attack.

In practice this means some of our geek comrades have to leap from their laurels and repeatedly answer the same questions again, and again, and again in the PGP threads I hope to see.

The message that you're not one of the cool kids unless you join PGP Club has got to get out there. People who don't use PGP need to be bullied (in a friendly big bro/sis way) to join the Hive and new customers who use PGP or want to use it need to be given encouragement, a virtual slap on the back in an altogether more consistent fashion.

Forthwith, pine will be setting up a "PGP Club" in the General Board (to prevent potential escapees overlooking the Security subforum). Here I'll help anybody who wants to learn PGP basics. I also encourage cryptographically inclined SRers to join me in that or similar threads.

The principle should be, that if you learn PGP, you pass it on to the next fellow. It's like the rifle quota at Stalingrad, but much more important.

In particular, if you are a vendor, then throw your deluded plaintext users our way to the PGP Club so they can be cool again :)

To the Barricades!

Pine

Link to the Cryptographic Revolution: http://dkn255hz262ypmii.onion/index.php?topic=30938.new#new
Title: Re: PGP Paralysis & the PGP Club
Post by: Imaginarytailus13 on July 15, 2012, 09:22 pm
Thread name is win, speech accompanying it made great points. +1 again.
Title: Re: PGP Paralysis & the PGP Club
Post by: LouisCyphre on July 15, 2012, 11:11 pm
On a related but separate issue I would also like to see consumers being given visual recognition for using PGP security. e.g. some manner of visual signifier like a badge/tag, similar to how ebay uses colored stars for its users, so everybody knows user X is part of the 'PGP Club' (suggest a little golden lock icon like SSL).

That could certainly be a cute little identifier.

2. The next idea is more of a community affair, PGP Club! Woot!

Basically, we have long standing members of the forum volunteer a little of their time to helping those shy doe eyed newbs (so cute!) graduate to being members of the PGP Club (instantaneously transmorphed into those austere greybeards, the cyptroanarchist cyberelite intelligentsia! Yes!).

Well I'm not actually a long standing member, I just know a fair bit about GPG.

So, it is befitting that PGP is seen as 'cool', 'wicked' by SR customers. It makes it easier to 'plug' them into the market on the fly as it were. I'm trying to say this is broader than SR, that we're cultivating an anonymous e-market of PGP-aware people generally but that it starts in earnest here if it is to start anywhere proper. Remember, anonymity loves company, the larger the set...

Yep.  I try to encourage people here to make at least two key pairs.  One for their SR identity and one for "real life" and general use.  The more that even ordinary email is encrypted, the better.

In practice this means some of our geek comrades have to leap from their laurels and repeatedly answer the same questions again, and again, and again in the PGP threads I hope to see.

I kind of suspected this would be the case when I first signed up for this forum.  I did not, however, expect the BTC donation just for answering one (fairly obscure) technical question.

The message that you're not one of the cool kids unless you join PGP Club has got to get out there.

I'm one of the cool kids now?  Gosh.

People who don't use PGP need to be bullied (in a friendly big bro/sis way) to join the Hive and new customers who use PGP or want to use it need to be given encouragement, a virtual slap on the back in an altogether more consistent fashion.

I'd push that a little further.  All those people using keys smaller than 2048-bit in strength also need to be pilloried.  I've seen several vendor keys that consisted of a 1024-bit Master/signing key with a 512-bit encryption subkey.

One or two BTC mining rigs repurposed to cracking these 512-bit keys would rip them apart in a very short space of time.  Any law enforcement or spook organisation would drool over the thought of vendors using such weak encryption.

Forthwith, pine will be setting up a "PGP Club" in the General Board (to prevent potential escapees overlooking the Security subforum). Here I'll help anybody who wants to learn PGP basics. I also encourage cryptographically inclined SRers join me in that or similar threads.

That's why I commented on the other thread, so I can see the updates in the "show new replies" page.

The principal should be, that if you learn PGP, you pass it on to the next fellow. It's like the rifle quota at Stalingrad, but much more important.

It should be passed on to *at least* one other person, but if it is passed on to more, both within SR and not, then we all gain even more.

In particular, if you are a vendor, then throw your deluded plaintext users our way to the PGP Club so they can be cool again :)

If you are a vendor you should also double-check that you're doing everything properly.
Title: Re: PGP Paralysis & the PGP Club
Post by: pine on July 16, 2012, 03:48 am
In practice this means some of our geek comrades have to leap from their laurels and repeatedly answer the same questions again, and again, and again in the PGP threads I hope to see.

I kind of suspected this would be the case when I first signed up for this forum.  I did not, however, expect the BTC donation just for answering one (fairly obscure) technical question.

The message that you're not one of the cool kids unless you join PGP Club has got to get out there.

I'm one of the cool kids now?  Gosh.

See Folks!

He is getting money *and* fame. And he did it because he learned how to use PGP! It's like PowerThirst, but for your brain!

Title: Re: PGP Paralysis & the PGP Club
Post by: om on July 16, 2012, 09:25 am
I don't use PGP. I don't see the point... from my perspective

1. take time to learn how to use pgp
2. encrypt messages/delivery address, taking more time
3. send to vendor who has to decrypt
4. vendor prints out my plain text postal address and adds to the stack of other addresses sitting next to huge pile of drugs and money
5. vendor gets busted, and I still don't get busted because I'm in a different country

If there's some amazing advantage to PGP that I'm missing, please enlighten me.

TOR traffic is already encrypted, is it not?

Plus it wouldn't be too difficult for SR to implement, there are javascript implementations of PGP around. The text fields could automatically be encrypted/decrypted...
Title: Re: PGP Paralysis & the PGP Club
Post by: Imaginarytailus13 on July 16, 2012, 09:28 am
I don't use PGP. I don't see the point... from my perspective

What the.. I don't even..

Title: Re: PGP Paralysis & the PGP Club
Post by: TheBusiness on July 16, 2012, 10:09 am
If there's some amazing advantage to PGP that I'm missing, please enlighten me.

I get what you mean. Loads of buyers and vendors don't use PGP and the pay off is rather slim.

TOR traffic is already encrypted, is it not?

I don't think so. Ironically adding an SSL layer makes individual user traffic theoretically possible to isolate. (or something)
Title: Re: PGP Paralysis & the PGP Club
Post by: LouisCyphre on July 16, 2012, 11:37 am
I don't use PGP. I don't see the point... from my perspective

1. take time to learn how to use pgp
2. encrypt messages/delivery address, taking more time
3. send to vendor who has to decrypt
4. vendor prints out my plain text postal address and adds to the stack of other addresses sitting next to huge pile of drugs and money
5. vendor gets busted, and I still don't get busted because I'm in a different country

Cops in vendor's country don't bother bringing a case against you because it's not worth the effort, but they do trade the information to cops in your country in exchange for favours.  Either that or the cops in both countries find a way to spin it into "an international conspiracy" and we might see you in thirty years.

If there's some amazing advantage to PGP that I'm missing, please enlighten me.

A long and robust history of code quality control with both PGP and GPG, although GPG probably has the edge these days since the code can be inspected by anyone and is frequently reviewed.  It provides extremely strong encryption to anyone and everyone.  It provides a mechanism to verify the author of a message and prevent impersonation (digital signatures).  It can be used for the protection of any message based communication (you can use it outside of SR).

The security built into SR is essentially a black box; we don't know what it is really capable of or whether there are any vulnerabilities.  Vendors and buyers using GPG are protecting themselves against that possibility, even if it is a slim one.

TOR traffic is already encrypted, is it not?

Yes, but it was never intended to be the complete solution to all circumstances.  If it was then Jacob Appelbaum wouldn't have a GPG key.

Plus it wouldn't be too difficult for SR to implement, there are javascript implementations of PGP around. The text fields could automatically be encrypted/decrypted...

A javascript implementation might meet your security requirements, but it doesn't meet mine.  By the way, if you check the code on SR you'll notice that there isn't any javascript on the site.  This is not an accident.  In order to prevent the sort of vulnerabilities that extensive use of javascript often leads to these functions would have to be moved server side, at which point a great deal of the advantage is lost.  Any OpenPGP implementation which leaves private keys or passphrases or both in the hands of a third party (e.g. a server), or is able to be used in that way, is inherently flawed.
Title: Re: PGP Paralysis & the PGP Club
Post by: Rockbob on July 16, 2012, 02:13 pm
Okay, as spoken in the Security Forum, I'm new here, and I don't know how this community is feeling about newbies (got negative Karma for posting in the "Introduce Yourself"-Sticky oO), but I think, you won't have any success if you wouldn't try. And because I am in a really geeky mood right now, I really want to take part in this project, although I'm more on the "learning-side" right now. Once I took enough to know what I'm doing, I want to give even more, to help ppl get the cool Cyberanarchist-Status.

So if this is not the thing ppl want on this Forum, give me another -1. But if I'm just too pessimistic (thx to other forums): Hi my Name is Rockbob, and I'm addicted to Bits.


Greetz,

Rockbob
Title: Re: PGP Paralysis & the PGP Club
Post by: Tienamen on July 16, 2012, 08:04 pm
Hi-

Agree with all points made thus far.  I feel SR needs to facilitate the use of PGP in all ways possible.  I started a thread in this forum as well concerning a way to add a public key field to buyers/vendors profiles (instead of just writeups in sellers - buyers need a way to get their keys out there too!) as well as adding a public key to anyone on the forum... I've heard from some that use SMF that there is a way to enable a PGP field in the backend so, say I want to find your public key to encrypt a PM, I can do it easily without having to ask you for it first...

Pushing PGP is a big deal.  The stronger the encryption, and the more it is used, the harder a target SR becomes.  As more and more people find out about this place, we become a bigger and bigger target.  Short of cutting off new users, we need to try to harden ourselves more and more.  Or this whole thing will blow up...
Title: Re: PGP Paralysis & the PGP Club
Post by: eJ3k1 on July 16, 2012, 11:22 pm
I like this post. It's a useful idea and it contains a clever bit of psychology. I support this.
Title: Re: PGP Paralysis & the PGP Club
Post by: om on July 17, 2012, 02:16 am
I'm still not convinced it's worth the effort.

The vendor still has to decrypt your delivery address in order to send the package. You have no control over that information.

If SR itself gets busted, and it turns out that SR has stored my address (for the 1-2 days it takes before the vendor gets to it), and whatever country the SR server happens to be in has such a well funded law enforcement agency that they decide to make up a list of all the buyers in all the different countries, and then send that list to the LEOs in each country, and then there's additional evidence that the amount I'm ordering is more than what the LEOs of my country are already aware of what is happening elsewhere (I'm ordering a gram of whatever every now and then), and they investigate me, and successfully prosecute me, then yes, I will regret not using encryption.
Title: Re: PGP Paralysis & the PGP Club
Post by: LouisCyphre on July 17, 2012, 03:18 am
I'm still not convinced it's worth the effort.

It's your life and your choice, but I do hope you don't become a vendor.
Title: Re: PGP Paralysis & the PGP Club
Post by: Imaginarytailus13 on July 17, 2012, 07:00 am
I'm still not convinced it's worth the effort.

It's your life and your choice, but I do hope you don't become a vendor.

Yup, no one sane will trust a non-PGP vendor. There's a reason the SR wiki points it out and explains it in detail. 'You should be using PGP for all communications to sellers who specify it in their profile pages (basically all of them). Optionally, you can also PGP your name and address when placing an order for a product.' as stated in the wiki.
Title: Re: PGP Paralysis & the PGP Club
Post by: TheBusiness on July 17, 2012, 07:14 am
That's a good point..

In theory, the buyer doesn't really need their own cert, since the vendors replies will be mostly inane, unidentifiable stuff. (eg please FE early, will refund blah blah).

The vendor however, receives highly sensitive info, fake name, dropoff address so the buyer should be encouraged (for their own sake) to get familiar with using the vendor cert.
Title: Re: PGP Paralysis & the PGP Club
Post by: LouisCyphre on July 17, 2012, 07:38 am
I'm still not convinced it's worth the effort.

It's your life and your choice, but I do hope you don't become a vendor.

Yup, no one sane will trust a non-PGP vendor. There's a reason the SR wiki points it out and explains it in detail. 'You should be using PGP for all communications to sellers who specify it in their profile pages (basically all of them). Optionally, you can also PGP your name and address when placing an order for a product.' as stated in the wiki.

I'd go further.  I wouldn't trust a vendor that used a key with less than 2048-bit strength, that uses old-style key structure (signing and encrypting included in the master key with no subkeys), only supported SHA1 hashes and only used symmetric ciphers that predated AES.  I also wouldn't trust anyone using BCPG (which includes everyone using IGolder) and Portable PGP 1.0.6 and earlier (I'm not yet sure about 1.0.7, but it is built with Java so being able to exploit the Java VM means being able to compromise the whole program).

Oh, I also wouldn't trust any vendor stupid enough to post their secret key on their vendor page (I have seen this).
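The two posts above from LouisCyphre (the 1024-bit master with a 512-bit encryption subkey, and the "less than 2048-bit strength / no subkeys" checklist) describe an audit that can be done mechanically on an exported public key block. The script below is an added example written for this page; it is not code from any poster, from Silk Road or from GnuPG. It strips the ASCII armor, walks the RFC 4880 packet framing (both the old-style headers GnuPG emits and new-style ones), and reports the algorithm and first-MPI size (RSA n, or DSA/ElGamal p) of the primary key and each subkey, flagging anything under 2048 bits, v3 keys, and a primary key with no subkeys. The two sample key blocks at the bottom are constructed in code with placeholder moduli so the example runs offline; the 1342000000 creation timestamp and "Version: constructed sample" header are arbitrary.

```python
# Added example: audit an OpenPGP public key block for weak sizes and structure.
import base64
import struct

ALGO_NAMES = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
              16: "ElGamal", 17: "DSA"}
MIN_BITS = 2048


def dearmor(text):
    """Strip ASCII armor from a public key block and return the raw packets."""
    body, in_body = [], False
    for line in text.strip().splitlines()[1:-1]:  # drop BEGIN/END lines
        if not in_body:
            in_body = line.strip() == ""  # blank line ends the armor headers
            continue
        if line.startswith("="):  # CRC24 line; not checked by this audit
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))


def read_packets(data):
    """Yield (tag, body) per packet; old-format headers are what GnuPG exports."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: 6-bit tag, variable length octets
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: 4-bit tag, 2-bit length type
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def key_info(body):
    """Return version, algorithm and strength (bits of n, or of p) of a key packet."""
    version = body[0]
    off = 1 + 4 + (2 if version == 3 else 0)  # creation time; v3 adds validity days
    algo = body[off]
    if algo not in ALGO_NAMES:  # e.g. ECC keys start with an OID, not an MPI
        return {"version": version, "algo": f"algo{algo}", "bits": None}
    bits = struct.unpack(">H", body[off + 1:off + 3])[0]  # first MPI's bit count
    return {"version": version, "algo": ALGO_NAMES[algo], "bits": bits}


def audit(armored):
    """Return ([(tag, info), ...], [warning, ...]); tag 6 = primary, 14 = subkey."""
    keys = [(tag, key_info(body))
            for tag, body in read_packets(dearmor(armored)) if tag in (6, 14)]
    warnings = []
    for tag, k in keys:
        label = "primary" if tag == 6 else "subkey"
        if k["bits"] is not None and k["bits"] < MIN_BITS:
            warnings.append(f"{label} {k['algo']} {k['bits']}-bit is below {MIN_BITS}")
        if k["version"] < 4:
            warnings.append(f"{label} is a v{k['version']} key (pre-RFC 4880 format)")
    if not any(tag == 14 for tag, _ in keys):
        warnings.append("no subkeys: one key does both signing and encryption")
    return keys, warnings


# --- constructed sample keys (placeholder moduli, for demonstration only) ----
def _mpi(x):
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def _rsa_key_packet(tag, bits):
    """New-format packet with a v4 RSA body whose modulus has exactly `bits` bits."""
    n = (1 << (bits - 1)) | 1  # placeholder modulus, NOT a real RSA key
    body = bytes([4]) + struct.pack(">I", 1342000000) + bytes([1]) + _mpi(n) + _mpi(65537)
    size = len(body)  # sizes here stay under 8384, so one or two length octets suffice
    length = bytes([size]) if size < 192 else bytes([192 + ((size - 192) >> 8), (size - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body


def _armor(packets):
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + "\n".join(lines) + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


# The 1024-bit primary / 512-bit encryption subkey shape described in the thread:
WEAK_KEY = _armor(_rsa_key_packet(6, 1024) + _rsa_key_packet(14, 512))
# A key clearing the 2048-bit bar, with a separate encryption subkey:
GOOD_KEY = _armor(_rsa_key_packet(6, 4096) + _rsa_key_packet(14, 4096))
```

Run `audit(open("vendor.asc").read())` on any exported public key block; the weak sample yields two "below 2048" warnings and the good sample none. The parser deliberately stops at key-size and structure, which is what the checklist above asks about; preferred hash and cipher algorithms live in the self-signature's preference subpackets and would need signature packet parsing on top of this.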
Title: Re: PGP Paralysis & the PGP Club
Post by: real pharmaceuticals on July 28, 2012, 02:24 pm
Hello everyone,
Oh man, I feel so confused. I am hoping you kind people can help me. I have OpenPGP created, working with Thunderbird, Tormail, and the FF TOR browser. I feel so close to getting this, then something comes up and I am lost again. Everyone has been posting their public key, but how do I see what my public key is?
Also, how do I take someone's PGP key and decrypt it?
Please can anyone help me? I have spent the last 3 hours setting up Thunderbird to work through TOR, as it incorporates OpenPGP through Enigmail.
Kind regards
RP
Title: Re: PGP Paralysis & the PGP Club
Post by: LouisCyphre on July 28, 2012, 03:36 pm
Hello everyone,
Oh man, I feel so confused. I am hoping you kind people can help me. I have OpenPGP created, working with Thunderbird, Tormail, and the FF TOR browser. I feel so close to getting this, then something comes up and I am lost again. Everyone has been posting their public key, but how do I see what my public key is?
Also, how do I take someone's PGP key and decrypt it?
Please can anyone help me? I have spent the last 3 hours setting up Thunderbird to work through TOR, as it incorporates OpenPGP through Enigmail.

A good place to start practicing would be the PGP Club thread, though that won't help with Enigmail, it will be good for use here or on Silk Road itself.
Title: Re: PGP Paralysis & the PGP Club
Post by: ianfleming on September 22, 2012, 04:07 am
Ok, so I'm using GPG4win, but here's my issue. When I encrypt a txt document it creates a new document with the same name but with the tag of ".txt.asc".
How do I get actual text that I can copy and paste, instead of this unopenable document?
Title: Re: PGP Paralysis & the PGP Club
Post by: pine on September 22, 2012, 05:49 am
Ok, so I'm using GPG4win, but here's my issue. When I encrypt a txt document it creates a new document with the same name but with the tag of ".txt.asc".
How do I get actual text that I can copy and paste, instead of this unopenable document?

You need to use the GPA's clipboard instead. And you're in the wrong thread!
Title: Re: PGP Paralysis & the PGP Club
Post by: ianfleming on September 23, 2012, 02:04 am
Thanks for the help. Sorry to jam up this thread.