Silk Road forums

Discussion => Security => Topic started by: saintgabriels on November 20, 2012, 12:34 am

Title: vendor pgp key change-different email??
Post by: saintgabriels on November 20, 2012, 12:34 am
So I placed an order using pgp for my address with a vendor that I've used several times before. He/she messaged me and said
"Hey,
Well, this is embarrassing, but I'm gonna need for you to try again. Not only did I generate new keys, but I also changed computers; and I have managed to fuck things up royally, I guess. So--if you don't mind, can you try with this key? All I need is your shipping info. Thanks again,"

I imported the new key they gave me in the message and the emails do not match up with the previous key. Also, there's no mention of a new key on the vendor's profile or forum thread.
Any reason to be cautious of this?
Should I post the new and old keys for you guys to look at and inspect??
Call me paranoid but it's not like I want my door kicked down any time soon...

EDIT:: the vendor does state on his profile that he has a new key but...it matches neither his old one that I used to place an order less than a month ago with nor the new one he sent me via pm...
Title: Re: vendor pgp key change-different email??
Post by: rangerfire33 on November 20, 2012, 12:46 am
I wouldn't go through with it. Even with a trusted vendor, it isn't worth the risk.
Title: Re: vendor pgp key change-different email??
Post by: ribley on November 20, 2012, 02:26 am
i recently face similar situation, no reason to take that risk, not now.
Title: Re: vendor pgp key change-different email??
Post by: sellmebulk on November 20, 2012, 03:06 am
wait. so you would stop using an old trusted ven just because they changed their pgp key block? Or is there more to this that im missing?
Title: Re: vendor pgp key change-different email??
Post by: saintgabriels on November 20, 2012, 03:17 am
@sellmebulk--no it's not just because they changed their key. It's because 1) their email for their old key and the new one don't match ((for example the old one was vendorname@tormail.org and the new one is vendorname@tormail.net...why would they be using an old, outdated email, like tormail.net that isn't correct anymore for their New pgp key?)), 2) their message just seemed a bit off to me. Didn't seem like the same writing style as previous comms., 3) the key on their profile that they say is the new one isn't the same as what they sent me.
The whole thing is just weird and I'd rather not take the chance of giving my address to someone I don't know, even if I've ordered from them before.
Title: Re: vendor pgp key change-different email??
Post by: sellmebulk on November 20, 2012, 03:22 am
ok cool. Reason being I just changed my key and configured something new. I would freak if that alone would cause people to stop using a ven.
Title: Re: vendor pgp key change-different email??
Post by: Nightcrawler on November 20, 2012, 05:14 am
@sellmebulk--no it's not just because they changed their key. It's because 1) their email for their old key and the new one don't match ((for example the old one was vendorname@tormail.org and the new one is vendorname@tormail.net...why would they be using an old, outdated email, like tormail.net that isn't correct anymore for their New pgp key?)), 

Tormail.net was seized by the Russian registrar in April of this year, thus leading to the Tormail operator's acquisition of the Tormail.org domain. The Tormail operator registered a complaint with ICANN , and eventually succeeded in retrieving their original Tormail.net domain back.  Currently, email sent to both Tormail.net and Tormail.org addresses will be deposited into the same email account.  Vendorname@tormail.net and Vendorname@tormail.org are one and the same.  If you doubt this, setup an arbitrary test account on Tormail, and send an email to both the Tormail.net and Tormail.org addresses. You will find that both emails will be delivered to the same account.

2) their message just seemed a bit off to me. Didn't seem like the same writing style as previous comms., 3) the key on their profile that they say is the new one isn't the same as what they sent me.
The whole thing is just weird and I'd rather not take the chance of giving my address to someone I don't know, even if I've ordered from them before.

That is rather peculiar, to say the least. I would say that discretion would be the better part of valour here.

Nightcrawler

Title: Re: vendor pgp key change-different email??
Post by: jack2324 on November 20, 2012, 05:17 am
I frequently change my PGP and email (usually every few months) but as a buyer it's fine.  For a seller you have to put more trust in them.  I wouldn't be overly worried, but be careful.
Title: Re: vendor pgp key change-different email??
Post by: saintgabriels on November 20, 2012, 06:58 am
weird timing - the day before yesterday, i updated my GPGTools installation which, due to a flaw in the code that night, caused me to be unable to encrypt or decrypt anything.  somehow, i also managed to delete my passcode for that key and in a panic revoked the key completely. 

so, i went ahead and created a new key along with a clearer tormail address (people were typing "captainmal" instead of "captmal" ... so i switched to "captainmal" to prevent any confusion).

anyway, changed my key and my email address.  everyone has been understanding about it.

this is just to say that a vendor changing their key and email isn't always a sign of something sinister.
Aah, okay, maybe that's what happened... That's true, change doesn't always mean something bad.

Quote from: jack2324
I wouldn't be overly worried, but be careful.
Like I said...i like the fact that my door currently has hinges attached... Can't be too careful.


Quote from: Nightcrawler
Tormail.net was seized by the Russian registrar in April of this year, thus leading to the Tormail operator's acquisition of the Tormail.org domain. The Tormail operator registered a complaint with ICANN , and eventually succeeded in retrieving their original Tormail.net domain back.  Currently, email sent to both Tormail.net and Tormail.org addresses will be deposited into the same email account.  Vendorname@tormail.net and Vendorname@tormail.org are one and the same.  If you doubt this, setup an arbitrary test account on Tormail, and send an email to both the Tormail.net and Tormail.org addresses. You will find that both emails will be delivered to the same account.
_________________________________________---
That is rather peculiar, to say the least. I would say that discretion would be the better part of valour here.

Yeah, i'm not trying to be paranoid or anything just curious and careful about how all this went about. Any ways to know in the key if it actually does belong to the vendor or like...decode it and inspect it?
((it's well into ambien time, i apologize because I know I'm not making any sense))

Thanks for all the help thus far!! I appreciate it.
Title: Re: vendor pgp key change-different email??
Post by: strangemagic on November 20, 2012, 07:00 am
ok cool. Reason being I just changed my key and configured something new. I would freak if that alone would cause people to stop using a ven.

When you change your key, do you provide a signed message (signed with the old key) stating your intention to switch to using the new key? At least then your buyers would know it's still you, especially when there's so much paranoia going around.
Title: Re: vendor pgp key change-different email??
Post by: saintgabriels on November 20, 2012, 07:32 am
ok cool. Reason being I just changed my key and configured something new. I would freak if that alone would cause people to stop using a ven.

When you change your key, do you provide a signed message (signed with the old key) stating your intention to switch to using the new key? At least then your buyers would know it's still you, especially when there's so much paranoia going around.

That seems like a generally good practice. I hate coming across as paranoid-especially with all the crazy threads and conspiracies going around since SR went down...

This whole deal and all of your great responses will just teach me more about what I need to know and how to protect myself. :)
Title: Re: vendor pgp key change-different email??
Post by: sellmebulk on November 20, 2012, 07:53 am
ok cool. Reason being I just changed my key and configured something new. I would freak if that alone would cause people to stop using a ven.

When you change your key, do you provide a signed message (signed with the old key) stating your intention to switch to using the new key? At least then your buyers would know it's still you, especially when there's so much paranoia going around.

Thats a good point and/or practice. No I have never thought of doing that. Im pretty consistant with my language and offers/behavior with my clients. I hope they can see that and not get sketched. Def will start doing that next time I want to change it. But I have a good setup now, should be secure for a while. I def understand being cautious. But some people are way paranoid. Personally I dont think LE is hijacking and setting up accounts to bust buyers. Thats working backwards. Im more cautious of the buyer than vendor. The situation that started this thread though was sketch and I would have done the same thing.