Silk Road forums

Discussion => Security => Topic started by: justsomeguy on July 16, 2012, 05:09 am

Title: vendor can't PGP?
Post by: justsomeguy on July 16, 2012, 05:09 am
I'm trying to order from a reputable vendor who says they're having trouble reading my encrypted address.  He said his PGP often doesn't work, and he doesn't know how to fix it.  I'm firmly against sending my address unencrypted or via privnote, but I don't know how to solve this issue.  The vendor and I both have time constraints, and I don't think he's going to put much effort into getting it to work before then.  I've never had any issues with PGP, so I'm not sure how he could fix it anyway.

Is there anything I can do to get my address to him securely?
Title: Re: vendor can't PGP?
Post by: ccxv01 on July 16, 2012, 05:50 am
Not without PGP.

Ask him to send you his private key again and try once more.

To be honest, i'd just use Privnote or just send in plain text.

You're not protecting government secrets - it's just an address.
Title: Re: vendor can't PGP?
Post by: LouisCyphre on July 16, 2012, 05:52 am
I'm trying to order from a reputable vendor who says they're having trouble reading my encrypted address.  He said his PGP often doesn't work, and he doesn't know how to fix it.  I'm firmly against sending my address unencrypted or via privnote, but I don't know how to solve this issue.  The vendor and I both have time constraints, and I don't think he's going to put much effort into getting it to work before then.  I've never had any issues with PGP, so I'm not sure how he could fix it anyway.

Is there anything I can do to get my address to him securely?

There are alternative methods of encrypting the data (e.g. using OpenSSL), but these then leave you with the problem of how to securely transmit the passphrase to decrypt that data.  This problem is exactly what public key cryptography was designed to solve.

If the vendor has an email account that is not completely crap (Hushmail qualifies as crap here) and has a Mac or Linux (or other *nix), then you could encrypt the address with OpenSSL and send the passphrase via an anonymous remailer to their email.  There's still a risk, though, because the passphrase will be sent in the clear.  There are some other variations on this method, but they all place a degree of risk on you.

I suggest you strongly encourage the vendor to log onto the forums and try to solve his current PGP or GPG issues.  Direct him to this thread:

http://dkn255hz262ypmii.onion/index.php?topic=30938.0

Alternatively, you can PM me his username and I'll see if I can work it out.
Title: Re: vendor can't PGP?
Post by: LouisCyphre on July 16, 2012, 05:55 am
Not without PGP.

Ask him to send you his private key again and try once more.

His public key, not his private key.  No one should ever send their private key to anyone else.

To be honest, i'd just use Privnote or just send in plain text.

You're not protecting government secrets - it's just an address.

I wouldn't ver use Privnote for this sort of thing.  It's just plain awful (there are already plenty of threads explaining why).
Title: Re: vendor can't PGP?
Post by: justsomeguy on July 16, 2012, 06:35 am
The vendor says he is computer illiterate, so I'm not sure he could handle OpenSSL.  I think just getting his PGP working would be a challenge.  I've never heard of it "not working sometimes," it's a pretty simple process.  I decrypted the message I sent to him with my password and it worked fine.  I definitely selected his name when encrypting it.  I don't know what else to do.  What could be going wrong?

I know Privnote is not secure at all.  I won't use it or send plaintext.  But I'm getting desperate, and if I can't sort it out very soon, the window of opportunity will be gone and I won't be able to get my product.
Title: Re: vendor can't PGP?
Post by: LouisCyphre on July 16, 2012, 07:14 am
The vendor says he is computer illiterate, so I'm not sure he could handle OpenSSL.  I think just getting his PGP working would be a challenge.  I've never heard of it "not working sometimes," it's a pretty simple process.  I decrypted the message I sent to him with my password and it worked fine.  I definitely selected his name when encrypting it.  I don't know what else to do.  What could be going wrong?

PEBCAK.

I know Privnote is not secure at all.  I won't use it or send plaintext.  But I'm getting desperate, and if I can't sort it out very soon, the window of opportunity will be gone and I won't be able to get my product.

PM me his details and I'll see if I can give him a crash course on getting it to work this time.  Then he can go back to class properly.
Title: Re: vendor can't PGP?
Post by: ccxv01 on July 17, 2012, 12:52 am
Not without PGP.

Ask him to send you his private key again and try once more.

His public key, not his private key.  No one should ever send their private key to anyone else.

Haha typo. I knew that. =D
Title: Re: vendor can't PGP?
Post by: LouisCyphre on July 17, 2012, 01:15 am
The vendor says he is computer illiterate, so I'm not sure he could handle OpenSSL.  I think just getting his PGP working would be a challenge.  I've never heard of it "not working sometimes," it's a pretty simple process.  I decrypted the message I sent to him with my password and it worked fine.  I definitely selected his name when encrypting it.  I don't know what else to do.  What could be going wrong?

When in doubt, blame it on Windows? :-)

Heh.

In this case we get to blame it on IGolder and BCPG.  This is what led to that thing I sent you yesterday.

Both Louis and I are willing to help this guy get himself straightened out.

Yep and I've already been in touch with the vendor.  The plan is to get him to a proper installation and then I'll use that process to determine how best to educate those people (especially vendors) who struggle with the concepts.

That said, some people are just so hopelessly inept with computers that nothing can save them

Unfortunately most of them get themselves elected to public office and set policies on IT and communications.  ;)

perhaps the vendor is one of these.

I don't think he's that bad.  He's just completely inexperienced with it and doesn't know where or how to start.  He was very open to my contacting him and thankful for the offer.  That's a very promising sign because it means he will be open to learning what he needs to learn and really that's always the biggest hurdle.

Frankly, Silk Road is NO place for the computer illiterate.

Agreed and the more so for vendors.