Silk Road forums

Discussion => Security => Topic started by: spoonstar100 on October 10, 2012, 11:23 am

Title: Is PGP encryption necessary to remain anonymous?
Post by: spoonstar100 on October 10, 2012, 11:23 am
I always assumed that it was absolutely necessary to use encryption on your sensitive details such as name and address. However one vendor seems to think it is a waste of time and a false security measure as silkroad apparently encrypts and then deletes all data sent through it, whereas any PGP encrypted message sent to a vendor may not be deleted and therefore is less safe.

"I fucking hate PGP - Please do not use PGP or privnote..! Addresses are automatically encrypted and deleted
through the SR system. However, if you want your address decrypted, copied and pasted into my documents,
and not automatically deleted after use - please feel free to continue relying on false security..."

The vendor is 'revenantchild'; here is a link to his page.

http://silkroadvb5piz3r.onion/index.php/silkroad/user/e4f447f64a


I'd just like to know if anyone else has an opinion on this as I've googled it to no avail.

Cheers.
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: ru5ty on October 10, 2012, 11:46 am
'revenantchild' supplies a public key at the bottom of their vendor page anyway, so personally I'd just go right ahead and use encryption anyway.
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: spoonstar100 on October 10, 2012, 11:49 am
Quote

'revenantchild' supplies a public key at the bottom of their vendor page anyway, so personally I'd just go right ahead and use encryption anyway.

I know, but I've come across a couple of vendors who don't provide a public key yet they have high ratings etc. This is why I ask.
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: kmfkewm on October 10, 2012, 11:51 am
The encryption used by SR only offers any benefit at all if the server is not running when it is seized. This is unlikely, so using GPG is pretty much a must.
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: Nightcrawler on October 10, 2012, 01:19 pm
Quote

I always assumed that it was absolutely necessary to use encryption on your sensitive details such as name and address.

You assumed correctly.

Quote

However one vendor seems to think it is a waste of time and a false security measure as silkroad apparently encrypts and then deletes all data sent through it, whereas any PGP encrypted message sent to a vendor may not be deleted and therefore is less safe.

"I fucking hate PGP - Please do not use PGP or privnote..! Addresses are automatically encrypted and deleted
through the SR system. However, if you want your address decrypted, copied and pasted into my documents,
and not automatically deleted after use - please feel free to continue relying on false security..."

The vendor is 'revenantchild'; here is a link to his page.

http://silkroadvb5piz3r.onion/index.php/silkroad/user/e4f447f64a


I'd just like to know if anyone else has an opinion on this as I've googled it to no avail.

Cheers.

This vendor is not only an idiot, but a grossly negligent idiot.

I consider it negligent for any vendor to recommend that their buyers NOT use PGP, but resort to inferior services such as Privnote. However, this vendor goes much, much further than that. It is nothing less than gross negligence to ask that their buyers not make use of either PGP or Privnote. Even their PGP key uses the old key format, abandoned more than 2 years before the key was generated, so it would appear that the vendor couldn't even be bothered to use up-to-date encryption software, let alone use it properly.

My advice? Don't just walk away, RUN!



Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: Bungee54 on October 10, 2012, 03:39 pm
We second Nightcrawler.


RUN RUN RUN!


See, we make our customers encrypt their stuff, otherwise we cancel their orders
(at least if they order the 2nd time without it).
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: ChemicalFreedom on October 10, 2012, 04:00 pm
Quote

My advice? Don't just walk away, RUN!


Spot on.

PGP is not only Pretty Good Privacy, it's a pretty good way to ensure years down the track you don't get a knock at your door by a bored pig asking about the gram of Charlie you ordered and were silly enough not to encrypt your address.

Assume everything you type into a box will one day end up in the hands of someone you don't want. We don't know the kind of resources the authorities will have in years to come. We don't know how far they'll be willing to go to prosecute. When your freedom is at stake, the precautionary principle is well and truly justified.

Paranoid...maybe! It's entirely your choice...A buyer not using PGP is silly. A seller not using PGP is suicide. I would not hand over any information (encrypted or not) to someone who refuses to understand elementary basics of cryptography. If a seller is not using PGP, I'd simply make the assumption (right or wrong) that my address is not safe in their hands.

The only thing you are in control of is the information you have encrypted using a password. The only thing tying you to a purchase is your address...treat it like your baby and never lend it to people you don't or can't trust.

/rant

And more importantly PEACE!
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: j3an on October 12, 2012, 01:37 pm
Using PGP only helps you so much. Yeah, if the server is busted, your personal details are safe. However, what if your vendor gets busted? How do you know he hasn't just saved your unencrypted details on his computer? Unfortunately, there is no way to mitigate the latter threat.
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: kmfkewm on October 12, 2012, 02:00 pm
Quote

Using PGP only helps you so much. Yeah, if the server is busted, your personal details are safe. However, what if your vendor gets busted? How do you know he hasn't just saved your unencrypted details on his computer? Unfortunately, there is no way to mitigate the latter threat.

Except getting packs to fake ID boxes and switching them up every now and then, or in the event that you learn of a vendor you have used being compromised.
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: wackmanblu on October 12, 2012, 10:58 pm
Spoonstar,

The vendor is deceiving you into thinking that SR deletes everything and that Darknet "just keeps everything encrypted".

I would find another source of whatever it is that you're wanting and learn PGP to send your name and shipping address securely, directly to the one guy who knows a password at the other end of the communication, not just anyone who looks at his screen, or hacks his account (LE).
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: spoonstar100 on October 18, 2012, 01:52 pm
Cheers for the replies guys. Think I'll give that vendor a miss then.
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: Hungry ghost on January 27, 2013, 09:43 am
Whether you use PGP or not, you are relying on the vendor to treat your address carefully. Once decrypted, he/she will copy paste it to somewhere to print it, and then hopefully destroy it. There's no way to avoid this as you want drugs sent to the address! However, using PGP ensures that no one but the vendor can read your address. If SR were to be compromised or your communication to be intercepted in any way, PGP encryption ensures your address is safe. I'm not sure how this can be described as "a false sense of security"?

PGP might not protect you against a careless or compromised vendor, but it takes so little effort to learn and use, why not avail yourself of the slight extra protection it affords?

In any case, since you are relying so heavily on the discretion of a vendor in disposing properly of your address, a vendor who is so scornful about PGP is a big red flag. Whatever other security and encryption measures are in place, using PGP ensures that only the intended recipient can read your address. Given that the real world address is definitely the weak link in the whole SR process, anything that adds, however slightly, to its security is vital.

Don't bother replying as I've got my hands over my ears going "LALALALALALALALALALALALALALALALALALALA!"
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: kmfkewm on January 27, 2013, 09:56 am
Quote

Stupidity is one thing.
Ignorance is another.

If any of you had taken the time to read my profile without ignoring certain statements, you would have noticed that I said YOU ARE WELCOME TO USE PGP if you want to rely on false security. No-one is forcing you to use or not to use pgp.

Don't bother replying, as I seldom visit the forums.
I get less bored at my granny's tea party.

Ahh good old pure fucking stupidity! How refreshing. Really though, the fact that you are not qualified to give security advice is made extremely clear in this post! Every single credible security professional in the entire world disagrees with you that using GPG is false security. So you really have your work cut out for you to prove the entire information security field wrong :).
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: Revenantchild on January 27, 2013, 10:17 am
Of course - you are all right.
I have removed that from my page and I bow to your superiority...
I will try my best to be as sanctimonious as all of you.
(Sorry about the five syllable word)
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: Revenantchild on January 27, 2013, 10:29 am
Just for the record - I do destroy all records of names and addresses when buyers use pgp or privnote. I treat everyone with the respect they deserve. I also approach them with a suggestion or advice before flying off the handle and calling them idiots and such.
Title: Re: Is PGP encryption necessary to remain anonymous?
Post by: astor on January 27, 2013, 01:40 pm
2048 bit PGP keys will be resistant to brute force attacks for a few decades, so the only sense in which PGP is "false" security is that you would turn over your clients' info when you got a knock on the door. Thanks for the heads up, at least.