Silk Road forums

Discussion => Security => Topic started by: Decoherent on January 12, 2013, 02:07 am

Title: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Decoherent on January 12, 2013, 02:07 am
Edit: It seems that nobody else has had this experience, so maybe this was just a personal prank of some sort. But still, it's pretty strange. Original post below:

Hi all. I registered on this forum in order to post this, with the dual goals of warning other buyers to protect their mailing addresses, and (hopefully) prompting the site's administrators to investigate this potential security breach. I attempted to search the forum for previous discussions of this, but I found nothing.

Basically, I have reason to believe that mailing addresses have been stolen from SR's database at one or more times in the past. Why? Because I occasionally receive credit card offers, at my mailing address, addressed to the name "Silk Road Business". (I am not a "business", btw, just a buyer.) The only possible explanation I can think of is that this is the result of some script kiddie deciding to have some fun.

Now, one might naturally presume that the fault lies with one of the sellers I'd bought from, perhaps due to their selling/giving away mailing addresses, or due to their being hacked. To me, this seems unlikely:

When I first started receiving these offers, I hadn't yet adopted the practice of encrypting my mailing addresses. Up to that point, I'd conducted a total of three problem-free transactions from two reputable vendors: One large purchase from a seller in India, and a couple of small ones from a US-based merchant. I don't see what they would possibly have to gain by leaking their customers' addresses. Nor does it seem likely that they would have been directly targeted by hackers, at least not for mailing addresses. (And besides, Tor makes it extremely difficult to find a seller's IP.)

Some of you might be thinking that the government is somehow involved. But this is not how the government operates. There's plenty of shady government activity taking place, to be sure, but not like this. Let's move on.

So that leaves one final explanation: Silk Road itself was compromised. We all know that SR is a prime target, and while the administrators do a great job of striving to protect everyone, software vulnerabilities do exist. Here is what I think happened: Somebody found an exploit and managed to gain access to SR's underlying database, and made off with whatever mailing addresses happened to be stored at that time. Unable to find a better use for their haul, they decided to have some fun and sign up these addresses for credit card offers. If anybody has a better explanation, I'd love to hear it.

So, that's my story. In closing, I'd like to offer the following remarks:

Administrators: Have you heard of any prior incidents like this? Have there been any investigations of possible security breaches, and any changes made as a result? Are mailing addresses promptly wiped from the database, or are they kept around? Have you considered mandatory use of encryption for mailing addresses, e.g., by requiring each seller to upload a public PGP key?

Buyers: Protect your mailing address! You don't want it being discovered by the bad guys! If you've simply been entering your address into the purchase form, that's bad! Either use the seller's PGP key to encrypt it (this is ideal), or use privnote (not ideal, since you don't know whether privnote is really keeping you safe), or use an external communication channel, like tormail.

Sellers: If you don't provide a PGP key in your profile, then hurry up and get one up there. If you tell your buyers not to use encryption "except for large purchases", then stop it. Don't compromise the safety of your customers for the sake of your laziness. With a proper setup, it take just a couple of seconds to decrypt a message, so there is no excuse for discouraging encryption.

Anyway, thanks for reading. I hope to see some feedback here. Let's all work together to keep everybody safe.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: sgurd on January 12, 2013, 02:13 am
Was this supposed to be a joke?  Because I found it hilarious. ;D
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: SelfSovereignty on January 12, 2013, 02:15 am
All I really have to say is, "it's possible."  I don't see it as terribly likely, but I don't have any more likely answer than your own off hand.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Decoherent on January 12, 2013, 02:20 am
Was this supposed to be a joke?  Because I found it hilarious. ;D

Nope. I couldn't believe my eyes when I first started receiving these offers, so I understand where you're coming from. But I'm not making this up.

With any luck, someone else will corroborate my account, because I doubt that I'm the only one. Honestly, though, I won't lose any sleep over whether you, or anyone else, believes me. That's your choice. As long as this at least prompts an honest discussion of security practices on Silk Road, then something good will have been accomplished.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Tessellated on January 12, 2013, 02:25 am
Sounds like someone is fucking with you. There does not seem to be any evidence of a leak, it is likely some friend who you told you used silk road. FUD.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: astor on January 12, 2013, 02:33 am
Can you show us a photo of one of these credit card offers, naturally with your address blacked out, but with the Silk Road Business part on it?

You can upload it to QicPic

http://xqz3u5drneuzhaeo.onion/users/qicpic/
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Decoherent on January 12, 2013, 02:38 am
Sounds like someone is fucking with you. There does not seem to be any evidence of a leak, it is likely some friend who you told you used silk road. FUD.

I hope you're right. I cannot imagine this behavior coming from any of my friends, not in a million years, but if I am the only one who is receiving these things (really?), then I guess it makes sense. Or perhaps one of my vendors' friends has an extremely sick sense of humor (more likely, now that I think about it). If nobody else comes forward with a similar experience, then I rest my case and stand corrected. Apologies for the alarmist post.

Regardless, remember to protect your address, people!
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Decoherent on January 12, 2013, 02:43 am
Can you show us a photo of one of these credit card offers, naturally with your address blacked out, but with the Silk Road Business part on it?

You can upload it to QicPic

http://xqz3u5drneuzhaeo.onion/users/qicpic/

Unfortunately, the last one I received was a couple weeks ago, and I tossed it in the recycling, since I hadn't yet decided to post about it here. (Yeah, sounds fishy, but if my intent really were to deceive, I could have just photoshopped something up.)

For what it's worth, I believe they were all American Express offers, for the "Business Gold Rewards Card" or some crap like that. The letter inside the envelope simply began with "Dear Business,". The only instance of "Silk Road Business" was on the address label. Everything inside was completely generic.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: nanpa2001 on January 12, 2013, 02:58 am
You should have activated the card. What kind of credit limit were they offering?
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Decoherent on January 12, 2013, 03:16 am
You should have activated the card. What kind of credit limit were they offering?

I don't know, but I'd be willing to bet that the interest rate was usurious. Hopefully Experian will soon see that my Silk Road profile possesses a good record of finalizing purchases, and I will start receiving better offers soon.  :D
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: brutusk on January 12, 2013, 03:44 am
Prank or not, this why all buyers should encrypt their mailing addresses when order.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Nightcrawler on January 12, 2013, 07:07 am
Prank or not, this why all buyers should encrypt their mailing addresses when order.

I don't disagree, but we both know it's not gonna happen.  By all reports, 80-90% of people don't bother to use PGP to encrypt their addresses. I've come to the conclusion it's gonna take a major security breach to get people to clean up their acts.

Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Decoherent on January 12, 2013, 08:02 am
By all reports, 80-90% of people don't bother to use PGP to encrypt their addresses. I've come to the conclusion it's gonna take a major security breach to get people to clean up their acts.

Exactly. It took (what I assumed to be) a security breach for me to start doing things the right way. I really don't want that to happen to anyone else. While people *should* take responsibility, laziness all too often prevails.

That's why I think a good step forward would be to ensure that addresses are NEVER stored unencrypted in SR's database. As I mentioned, one way to do this would be to have every seller upload a unique public key.  When a buyer submits their address (even if in plaintext), SR's server-side code can then encrypt it using the seller's key, and only store the ciphertext, which the seller can then decrypt locally. This way, even if there is a breach, an attacker would only net a useless collection of encrypted addresses, since the necessary private keys are all maintained individually by the sellers.

I hope the administrators consider implementing and mandating such a system. Inconvenient? Maybe. But how much risk are we willing to take for the sake of convenience?
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: astor on January 12, 2013, 08:07 am
There's a weird disconnect here. Honestly, you write too intelligently to be someone who didn't encrypt their address.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Decoherent on January 12, 2013, 08:26 am
I done got on SR and ordered a bunch of drugs what made my brain not all dumb like, that's why.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: bynter on January 12, 2013, 08:45 am
There's a weird disconnect here. Honestly, you write too intelligently to be someone who didn't encrypt their address.
I didn't find his messages coherent at all. If anything, I would say that they were..... decoherent. (Sorry, I just couldn't resist :P )
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: slysamuel0109 on January 12, 2013, 08:54 am
I done got on SR and ordered a bunch of drugs what made my brain not all dumb like, that's why.

Say what now?  ???
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: astor on January 12, 2013, 09:18 am
I done got on SR and ordered a bunch of drugs what made my brain not all dumb like, that's why.

LOL.

You smoked a breakthrough dose of DMT. As your eyes adjusted to the kaleidoscopic fractals, Phil Zimmerman's face appeared, and he said,

Let me tell you about the 6 bits of reality...

1 Bit: You ask me for a PGP key, and I give you a raccoon.

2 Bits: You ask me for a PGP key, but it turns out I don't really exist. Where I was originally standing, a QR code rests on the ground.

3 Bits: You awake as a PGP key. You start screaming only to have entropy fly from your lips. The world is in sepia.

4 Bits: Why are we speaking German? A mime cries softly as he cradles a prime. Your grandfather stares at you as the prime falls apart into the Fibonacci sequence.  You look down only to see me with exponents for eyes, I am singing the song that gives birth to the universe.

5 Bits: You ask for a PGP key, I give you a PGP key. You raise it to your lips and take a bite. Your eye twitches involuntarily. Across the street a father of three falls down the stairs. You swallow and look down at the PGP key in your hands. There are children at the top of the stairs. A zero shifts uneasily under the one. The children are crying now.  I give you a PGP key.  You are on your knees. You plead with me to go across the street. I hear only children's laughter. I give you a PGP key. You are screaming as you fall down the stairs. I am your child. You cannot see anything. You factor the PGP key. The concrete rushes up to meet you.  You awake with a start in your own bed. Your eye twitches involuntarily. I give you a PGP key. As you kill me, I do not make a sound. I give you a PGP key.

6 Bits: You ask me for a PGP key. My attempt to reciprocate is cut brutally short as my body experiences a sudden lack of electrons. Across a variety of hidden dimensions you are dismayed. John Lennon hands me an apple, but it slips through my fingers. I am reborn as an ocelot. You disapprove. A crack echoes through the universe in defiance of conventional physics as cosmological background noise shifts from randomness to a perfect A Flat. Children everywhere stop what they are doing and hum along in perfect pitch with the background radiation. Birds fall from the sky as the sun engulfs the earth. You hesitate momentarily before allowing yourself to assume the locus of all knowledge. Entropy crumbles as you peruse the information contained within the universe. A small library in Phoenix ceases to exist. You stumble under the weight of everythingness, Your mouth opens up to cry out, and collapses around your body before blinking you out of the spatial plane. You exist only within the fourth dimension. The fountainhead of all knowledge rolls along the ground and collides with a small dog. My head tastes sideways as spacetime is reestablished, you blink back into the corporeal world disoriented, only for me to hand you a PGP key as my body collapses under the strain of reconstitution. The universe has reasserted itself. A particular small dog eats primes for the rest of its natural life. You die in a freak accident moments later, and your soul works at the returns desk for the Phoenix library. You disapprove. Your disapproval sends ripples through the inter-dimensional void between life and death. A small child begins to cry as he walks toward the stairway where his father stands. You look at the child and realize that he is you, and you are me.

In an instant the universe makes sense. You open the note in your hand it says,

Please, encrypt your address.


Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Decoherent on January 12, 2013, 09:36 am
Epic. I like you already, astor  :D
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Nightcrawler on January 12, 2013, 05:19 pm
I done got on SR and ordered a bunch of drugs what made my brain not all dumb like, that's why.

LOL.

You smoked a breakthrough dose of DMT. As your eyes adjusted to the kaleidoscopic fractals, Phil Zimmerman's face appeared, and he said,

Let me tell you about the 6 bits of reality...

1 Bit: You ask me for a PGP key, and I give you a raccoon.

2 Bits: You ask me for a PGP key, but it turns out I don't really exist. Where I was originally standing, a QR code rests on the ground.

3 Bits: You awake as a PGP key. You start screaming only to have entropy fly from your lips. The world is in sepia.

4 Bits: Why are we speaking German? A mime cries softly as he cradles a prime. Your grandfather stares at you as the prime falls apart into the Fibonacci sequence.  You look down only to see me with exponents for eyes, I am singing the song that gives birth to the universe.

5 Bits: You ask for a PGP key, I give you a PGP key. You raise it to your lips and take a bite. Your eye twitches involuntarily. Across the street a father of three falls down the stairs. You swallow and look down at the PGP key in your hands. There are children at the top of the stairs. A zero shifts uneasily under the one. The children are crying now.  I give you a PGP key.  You are on your knees. You plead with me to go across the street. I hear only children's laughter. I give you a PGP key. You are screaming as you fall down the stairs. I am your child. You cannot see anything. You factor the PGP key. The concrete rushes up to meet you.  You awake with a start in your own bed. Your eye twitches involuntarily. I give you a PGP key. As you kill me, I do not make a sound. I give you a PGP key.

6 Bits: You ask me for a PGP key. My attempt to reciprocate is cut brutally short as my body experiences a sudden lack of electrons. Across a variety of hidden dimensions you are dismayed. John Lennon hands me an apple, but it slips through my fingers. I am reborn as an ocelot. You disapprove. A crack echoes through the universe in defiance of conventional physics as cosmological background noise shifts from randomness to a perfect A Flat. Children everywhere stop what they are doing and hum along in perfect pitch with the background radiation. Birds fall from the sky as the sun engulfs the earth. You hesitate momentarily before allowing yourself to assume the locus of all knowledge. Entropy crumbles as you peruse the information contained within the universe. A small library in Phoenix ceases to exist. You stumble under the weight of everythingness, Your mouth opens up to cry out, and collapses around your body before blinking you out of the spatial plane. You exist only within the fourth dimension. The fountainhead of all knowledge rolls along the ground and collides with a small dog. My head tastes sideways as spacetime is reestablished, you blink back into the corporeal world disoriented, only for me to hand you a PGP key as my body collapses under the strain of reconstitution. The universe has reasserted itself. A particular small dog eats primes for the rest of its natural life. You die in a freak accident moments later, and your soul works at the returns desk for the Phoenix library. You disapprove. Your disapproval sends ripples through the inter-dimensional void between life and death. A small child begins to cry as he walks toward the stairway where his father stands. You look at the child and realize that he is you, and you are me.

In an instant the universe makes sense. You open the note in your hand it says,

Please, encrypt your address.

Fuck me!  I want some of what you're on.

Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: SorryMario on January 12, 2013, 09:53 pm
That's why I think a good step forward would be to ensure that addresses are NEVER stored unencrypted in SR's database. As I mentioned, one way to do this would be to have every seller upload a unique public key.  When a buyer submits their address (even if in plaintext), SR's server-side code can then encrypt it using the seller's key, and only store the ciphertext, which the seller can then decrypt locally. This way, even if there is a breach, an attacker would only net a useless collection of encrypted addresses, since the necessary private keys are all maintained individually by the sellers.

I hope the administrators consider implementing and mandating such a system. Inconvenient? Maybe.
Sure sounds crazy inconvenient for the administrator who would have to code all of that functionality into the system as well as maintain everyone's up-to-date keys in a database.
But how much risk are we willing to take for the sake of convenience?
A guy who risked on his own security for the sake of convenience and didn't encrypt his address when submitting an online order for drugs... now asks how much "we" are willing to risk by not having SR create an encrypted version of any plaintext we might send to their servers? A better idea: don't ever send your unencrypted location / identity data to SR in the first place! Once you've done that it doesn't matter if they encrypt it or not because the cleartext version is probably still floating around somewhere. ::)
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: biteme on January 13, 2013, 12:57 am
Isn't it possible that one of the vendors sold your address to a company which then was contracted to send junk mail for American Express? Perhaps the Indian company that you bought a large order from, which might assume that you intend to re-sell the goods on SR? There are a ton of Indian companies who operate web sites selling pharmaceuticals semi-legitimately (maybe even legally under Indian law) and I would not put it past one of them to try and make a little extra money on the side by selling their customer databases to internet marketers. Some idiots may think that selling on SR is just as legal as selling on their own web site (and it may be for THEM) so they might not understand a buyer's desire to have their personal data kept confidential. It's one reason why I would be hesitant to make purchases from vendors outside my own country.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: Decoherent on January 13, 2013, 02:33 am
Sure sounds crazy inconvenient for the administrator who would have to code all of that functionality into the system as well as maintain everyone's up-to-date keys in a database.

I'll let the administrators speak for themselves. I was only sharing an idea. But since you brought it up, coding up the functionality could be as simple as adding one additional database column, one form for sellers to upload the key, and a few additional lines of code to encrypt submitted mailing addresses. Or it could be a much more difficult change to make. We can only guess.

A guy who risked on his own security for the sake of convenience and didn't encrypt his address when submitting an online order for drugs... now asks how much "we" are willing to risk by not having SR create an encrypted version of any plaintext we might send to their servers? A better idea: don't ever send your unencrypted location / identity data to SR in the first place! Once you've done that it doesn't matter if they encrypt it or not because the cleartext version is probably still floating around somewhere. ::)

I agree. It was incredibly stupid of me not to encrypt my address, and I blame nobody but myself for the consequences. But still, human nature dictates that people are going to do stupid things, and while it may be fair to say that they deserve whatever happens, I don't see the harm in discussing potential ways of increasing the inherent safety of Silk Road, especially if such measures might involve a minimum of headaches, and especially when a lapse of judgment can lead to life imprisonment. Presumably, that's why SR has its own bitcoin tumbler, even though people can and should clean their own funds. Again, I'm not making any demands, nor do I claim to have all the answers; I'm just interested in having a constructive conversation about keeping this community safe.

Isn't it possible that one of the vendors sold your address to a company which then was contracted to send junk mail for American Express? Perhaps the Indian company that you bought a large order from, which might assume that you intend to re-sell the goods on SR? There are a ton of Indian companies who operate web sites selling pharmaceuticals semi-legitimately (maybe even legally under Indian law) and I would not put it past one of them to try and make a little extra money on the side by selling their customer databases to internet marketers. Some idiots may think that selling on SR is just as legal as selling on their own web site (and it may be for THEM) so they might not understand a buyer's desire to have their personal data kept confidential. It's one reason why I would be hesitant to make purchases from vendors outside my own country.

Good thinking. That's certainly possible, and sounds to me like the most plausible explanation so far. This was a fairly popular vendor with a good reputation, and he was always courteous and professional with me, so I assumed that he would be above this sort of behavior. (Although, on the other hand, his packaging SUCKED.) But as I've already shown, I have a history of naivety and poor judgment. :) I don't have any proof of wrongdoing, so I don't want to name any names, but I will definitely avoid this vendor in the future, just to play it safe.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: whowhatwhere on January 15, 2013, 12:21 am
I done got on SR and ordered a bunch of drugs what made my brain not all dumb like, that's why.

LOL.

You smoked a breakthrough dose of DMT. As your eyes adjusted to the kaleidoscopic fractals, Phil Zimmerman's face appeared, and he said,

Let me tell you about the 6 bits of reality...

1 Bit: You ask me for a PGP key, and I give you a raccoon.

2 Bits: You ask me for a PGP key, but it turns out I don't really exist. Where I was originally standing, a QR code rests on the ground.

3 Bits: You awake as a PGP key. You start screaming only to have entropy fly from your lips. The world is in sepia.

4 Bits: Why are we speaking German? A mime cries softly as he cradles a prime. Your grandfather stares at you as the prime falls apart into the Fibonacci sequence.  You look down only to see me with exponents for eyes, I am singing the song that gives birth to the universe.

5 Bits: You ask for a PGP key, I give you a PGP key. You raise it to your lips and take a bite. Your eye twitches involuntarily. Across the street a father of three falls down the stairs. You swallow and look down at the PGP key in your hands. There are children at the top of the stairs. A zero shifts uneasily under the one. The children are crying now.  I give you a PGP key.  You are on your knees. You plead with me to go across the street. I hear only children's laughter. I give you a PGP key. You are screaming as you fall down the stairs. I am your child. You cannot see anything. You factor the PGP key. The concrete rushes up to meet you.  You awake with a start in your own bed. Your eye twitches involuntarily. I give you a PGP key. As you kill me, I do not make a sound. I give you a PGP key.

6 Bits: You ask me for a PGP key. My attempt to reciprocate is cut brutally short as my body experiences a sudden lack of electrons. Across a variety of hidden dimensions you are dismayed. John Lennon hands me an apple, but it slips through my fingers. I am reborn as an ocelot. You disapprove. A crack echoes through the universe in defiance of conventional physics as cosmological background noise shifts from randomness to a perfect A Flat. Children everywhere stop what they are doing and hum along in perfect pitch with the background radiation. Birds fall from the sky as the sun engulfs the earth. You hesitate momentarily before allowing yourself to assume the locus of all knowledge. Entropy crumbles as you peruse the information contained within the universe. A small library in Phoenix ceases to exist. You stumble under the weight of everythingness, Your mouth opens up to cry out, and collapses around your body before blinking you out of the spatial plane. You exist only within the fourth dimension. The fountainhead of all knowledge rolls along the ground and collides with a small dog. My head tastes sideways as spacetime is reestablished, you blink back into the corporeal world disoriented, only for me to hand you a PGP key as my body collapses under the strain of reconstitution. The universe has reasserted itself. A particular small dog eats primes for the rest of its natural life. You die in a freak accident moments later, and your soul works at the returns desk for the Phoenix library. You disapprove. Your disapproval sends ripples through the inter-dimensional void between life and death. A small child begins to cry as he walks toward the stairway where his father stands. You look at the child and realize that he is you, and you are me.

In an instant the universe makes sense. You open the note in your hand it says,

Please, encrypt your address.

Fuck me!  I want some of what you're on.

Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
Holy crap, I second this.
Title: Re: I believe that mailing addresses have been stolen from SR's database. Here's why
Post by: 1100101 on January 15, 2013, 12:35 am
Prank or not, this why all buyers should encrypt their mailing addresses when order.

I don't disagree, but we both know it's not gonna happen.  By all reports, 80-90% of people don't bother to use PGP to encrypt their addresses. I've come to the conclusion it's gonna take a major security breach to get people to clean up their acts.

Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090

Wow, 80% - 90%?!?! That's insane.  I'm pretty adamant on letting people do as they choose, etc, etc ... but encrypting your info using PGP should be a requirement.