Quote from: brutusk on December 22, 2012, 09:06 pm
Quote from: GlassHouse on December 22, 2012, 02:32 am
When a vendor deletes a message, does it delete the message on the Buyer's end as well? Doubting that this is reality, but would like to encourage people to delete messages often. We have a lot of Buyers who don't use PGP and want updates. Happy to oblige, but just wonder how we can get the information deleted after that. Are we completely reliant upon the Buyer to delete their messages?

To get back to the OP, my understanding (based on a previous post by DPR) is that when a PM is deleted on the road, it stays on the server for four months, you just don't see it in the list. This is for technical reasons. This is why you must insist your buyers use pgp. If the servers should ever be compromised, all of those clear text messages will be exposed to the intruder.

I don't recall ever seeing that post by DPR, but that information is damn near priceless. I do find myself wondering precisely what 'technical reasons' could lead to a message retention policy like that.

Quote from: brutusk on December 22, 2012, 09:06 pm
I will not answer any questions that involve price, shipping info, shipping times or methods, basically anything that is even remotely sensitive, without encryption. There was a thread going here a few months ago from a fellow who had attended (or knew someone who had attended...? not sure) an LE conference. One of the topics that came up was the fact that LE is fucked by encryption. They can't crack it. Even if your email host/ISP/whoever hands over data, if it is encrypted it is useless to LE. You can absolutely put your money on the idea that if LE ever gets their hands on these servers, the only people who are going to be popped are the ones who don't use encryption. I can't believe how many people have sent me names/addresses/etc unencrypted.

Hear, hear! I'd give you 1000 Karma points for this, if I could.

Where I have a problem with DPR, is their insistence on voluntary adherence to security policy (i.e. use of PGP). While I realize that any such mandatory policies offend their agorist sensibilities, it is nonetheless a truism in the real world that voluntary policies tend not to be followed. The fact that numerous vendors have stated flat-out that 80-90% of the address information they receive is unencrypted underscores this point. Sometimes people _have_ to be forced to do the right thing.

Quote from: brutusk on December 22, 2012, 09:06 pm
To be clear, the shipping info in an order is deleted right away. However, if the servers are compromised, all of those unfilled orders with clear text addresses are going right into LE files. Those are the people who will be raided.

I value my freedom. Every time I am tempted to take any kind of shortcut in this business, I stop and ask myself, "If I go to prison, will I kick myself for not doing xxx?" The answer is usually YES.

Well said. My thoughts keep drifting back to the operators of The Farmers' Market, and also of those caught up in the DEA's Operation Raw Deal (ORD) before that. All of these relied on Hushmail for their security, and that is one of the primary reasons that many of them are sitting in prison right now. Both vendors and buyers alike have to learn enough background to be able to distinguish the snake oil (Hushmail, PortablePGP, iGolder.com, etc.) from the genuine articles. In particular, the operators of The Farmers' Market were told by people who knew them in real life, that their security was shit -- they just chose not to listen. I find myself wondering if they now regret not having taken the advice they were given.

Quote from: brutusk on December 22, 2012, 09:06 pm
I absolutely insist on pgp. I suggest all vendors do the same, it isn't hard to use and creates a phenomenal layer of security and frustration between you and LE. If a customer doesn't want to take the time to learn how to use pgp, I don't mind passing on their business.

Agree, 1000%. That said, I would go further -- I would insist, as a pre-condition for obtaining an account (whether buyer or seller), that a prospective buyer or vendor:

1) Post a PGP key for use with the account; and
2) Demonstrate their proficiency with PGP by correctly answering an encrypted challenge.

These would have two effects: first it would compel people to use PGP; and second, it would have the side-effect of virtually eliminating account spoofing/theft. (Provided the server is uncompromised, of course.)

NC