Silk Road forums

Discussion => Security => Topic started by: mariposa62 on June 18, 2013, 05:10 pm

Title: Vendor doesn't use encryption. Problem?
Post by: mariposa62 on June 18, 2013, 05:10 pm
I was going to place an order with a reputable vendor (subsrgood) but he doesn't have PGP set up.  How do I get my shipping info to him?  Type it in to the box in plain text?  Send it privnote?

If everyone is typing it into the box and feels like that is secure, why are we using PGP in the 1st place?  Should I use a vendor that doesn't have PGP set up?  This guy has spectacular product and customer service reviews and I am very tempted.
Title: Re: Vendor doesn't use encryption. Problem?
Post by: astor on June 18, 2013, 05:23 pm
Quote
I was going to place an order with a reputable vendor (subsrgood) but he doesn't have PGP set up.  How do I get my shipping info to him?  Type it in to the box in plain text?  Send it privnote?

Ask him to create a PGP key. If he says no, fuck em. There are enough competing vendors for most products that you don't have to reward someone who doesn't take your security seriously.

Quote
If everyone is typing it into the box and feels like that is secure, why are we using PGP in the 1st place?

Most people don't use PGP. I've heard different numbers from different vendors, but it seems like in general about 80% of people don't encrypt their addresses. Not everyone that buys on the market is on this forum. Probably the people on this forum are more engaged and willing to learn, and the people who post in this Security section are the most security conscious, so you're getting a biased view of the security of the average SR user. Some don't even use Tor. They point a regular browser at onion.to and access the site that way. Some of them "Like" the fake Silk Road Facebook page. Some of them talk about their drug purchases on reddit, while openly admitting they are accessing it over clearnet. It's pretty clear that a certain percentage of SR users are complete idiots. As one vendor told me, "I'm amazed they managed to find a hidden service."

Quote
Should I use a vendor that doesn't have PGP set up?  This guy has spectacular product and customer service reviews and I am very tempted.

You're free to do what you want, but I have backed out of orders because there was no PGP key.

Title: Re: Vendor doesn't use encryption. Problem?
Post by: Tessellated on June 18, 2013, 05:29 pm
A vendor who does not accept PGP is demonstrating a lack of care towards your safety. Do you think such a vendor will do a good job on stealth?
Title: Re: Vendor doesn't use encryption. Problem?
Post by: Rastaman Vibration on June 18, 2013, 07:27 pm
Quote
I've heard different numbers from different vendors, but it seems like in general about 80% of people don't encrypt their addresses.


:o Holy shit!!! Wtf? ???

I can't believe how lax people can be about their safety. SMH

Your freedom is at stake here, people! This is serious!
Title: Re: Vendor doesn't use encryption. Problem?
Post by: luxxiaxx on June 18, 2013, 07:51 pm
In general, I've got to say that in my opinion vendors who don't offer the option of pgp encryption to their potential customers are causing themselves a significantly bigger problem than they possibly could cause you or any individual buyer. Although there are some excellent & completely trustworthy vendors who don't use pgp at all - God knows why - my personal opinion is that when a seller doesn't take the standard, expected safety measure of taking 20 minutes to learn the basics of pgp, it doesn't necessarily mean that you should write off the seller completely, but it definitely does mean that you should look into their reputation on the forums with extra scrutiny. If you ultimately decide you want to proceed with ordering from such a vendor, your best option to protect your anonymity is to send your mailing address via privnote.com. There's no reason that I know of at least for buyers to send their address in plain text rather than through a privnote url address.
Regarding the vendor you're specifically talking about - subsrus - I actually placed an order from them a couple of weeks ago after reading pages & pages of buyers raving about the quality of the h that seller recently started offering. I sent them my mailing address using privnote, of course, & the entire transaction went as well as I could have asked for from any vendor. They're one of those few vendors on SR who have stellar reputations, & unless you don't trust privnote with your address they are definitely worth ordering from. If you're not comfortable using privnote, that's definitely reason to message the vendor if you feel so inclined.
Title: Re: Vendor doesn't use encryption. Problem?
Post by: mariposa62 on June 18, 2013, 08:16 pm
Thanks for the quick replies.  The product reviews on this vendor, subsrgood, are unbelievable.  Just makes me nervous as hell when the accepted security is bypassed.  Not sure what I'm going to do here.  May try one small order on privnote.  There are many, many reviews out there that rave about his product, stealth, customer service, etc.  Just this one thing bugs me.

Mariposa
Title: Re: Vendor doesn't use encryption. Problem?
Post by: KevinMitnick on June 18, 2013, 08:29 pm
FYI, there are websites on the clearnet that offer to "encrypt via PGP" your plain text. This is NOT what you'd want.
Online PGP encryption tools should be avoided at all costs.

KM
Title: Re: Vendor doesn't use encryption. Problem?
Post by: ☼LightOfPi☼ on June 18, 2013, 09:02 pm
Quote
I've heard different numbers from different vendors, but it seems like in general about 80% of people don't encrypt their addresses.


:o Holy shit!!! Wtf? ???

I can't believe how lax people can be about their safety. SMH

Your freedom is at stake here, people! This is serious!

Sadly, as a vendor, I can confirm this. I even have it on my seller's profile that they should encrypt their address for their own safety but most of the people don't do it.
Title: Re: Vendor doesn't use encryption. Problem?
Post by: ecstasydude on June 18, 2013, 09:03 pm
Quote
I was going to place an order with a reputable vendor (subsrgood) but he doesn't have PGP set up.  How do I get my shipping info to him?  Type it in to the box in plain text?  Send it privnote?

If everyone is typing it into the box and feels like that is secure, why are we using PGP in the 1st place?  Should I use a vendor that doesn't have PGP set up?  This guy has spectacular product and customer service reviews and I am very tempted.

If your vendor is not using a PGP.... means he does not care about your safety.
Would you order from a person who doesn't use PGP?

There is also Privnote for those busy vendors.

If he can't do that, then don't order.

Title: Re: Vendor doesn't use encryption. Problem?
Post by: crystal on June 18, 2013, 09:16 pm

Quote
Ask him to create a PGP key. If he says no, fuck em. There are enough competing vendors for most products that you don't have to reward someone who doesn't take your security seriously.


That's what I would do. Or I would not even bother writing to that vendor and search to see if another vendor with a strong enough PGP key has the stuff I'd like to order... The more people avoiding non-PGP vendors, the more vendors will use PGP/GPG imo...

Regarding your 80% astor, that's impressive... but well, browsing SR it appears that many vendors don't have any public key so yeah, I guess that the percentage of unencrypted addresses might be pretty impressive...

Title: Re: Vendor doesn't use encryption. Problem?
Post by: cabinman01 on June 18, 2013, 09:41 pm
I believe that using PGP to encrypt your personal info is vital to purchasing securely on SR.  Any vendor who does not use PGP is not someone I would buy from (purely my opinion).  Use your best judgement mate.
Title: Re: Vendor doesn't use encryption. Problem?
Post by: hojo on July 07, 2013, 11:20 pm
I personally don't give a shit to be using pgp. I've ordered over 30 times on here and never had an issue. Subsrgood is my favorite vendor of all and i don't think it's fair to say he doesn't give a shit about his customers just because he doesn't use it. It's a judgement call for him and also for you if you want to order from him. The things he does for his repeat customers puts him at the top of my list. Some of the things he's done for me go above and beyond the call of duty for a vendor and make me consider him a friend for helping me out. That's just my humble opinion. Take it for whatever you wish.
Title: Re: Vendor doesn't use encryption. Problem?
Post by: gingerballs on July 08, 2013, 08:33 am
it's still poor judgment. what does it hurt to use PGP?

it's okay though.. people who don't take the precaution distract and get eaten by zombies, while the ones who put more effort into protecting their identity get away  8)

Title: Re: Vendor doesn't use encryption. Problem?
Post by: spunjtom on July 08, 2013, 11:51 am
If you are a suitably intelligent person you can learn PGP in less than a day.  Some people pick up the basics and are encrypting and decrypting in less than an hour.  The hurdle is just not that high, and PGP provides a lot of peace of mind for the buyer.  Why doesn't this vendor just do it?
Title: Re: Vendor doesn't use encryption. Problem?
Post by: zxydwx3 on July 08, 2013, 01:05 pm
I definitely wouldn't use a vendor that didn't take keeping my address private seriously.

I'm stunned to hear the talk of 80% of people sending their shipping info in the clear. I feel reasonably confident sending regular messages on SR, but info that might identify me, or the vendor, absolutely must be encrypted. No exceptions, for any reasons. I couldn't deal with the shitty results of having LE realize I like to get high.

It's so simple to use PGP that there's no excuse for not doing it. Most of the tutorials are shit though. Simpler process than most instructions make harder than it needs to be.
Title: Re: Vendor doesn't use encryption. Problem?
Post by: MrVidalia on July 09, 2013, 12:43 am
Quote
FYI, there are websites on the clearnet that offer to "encrypt via PGP" your plain text. This is NOT what you'd want.
Online PGP encryption tools should be avoided at all costs.

KM

To drive the point further, one popular "secure" email service was compelled by the government to send a compromised/backdoor Java applet (the software that encrypts your message) to users so that the government could access the unencrypted messages. This is how one of the drug-selling sites, Pharmers Market, was investigated and shut down. I believe Hush Mail is the name of the untrustworthy email provider.
Title: Re: Vendor doesn't use encryption. Problem?
Post by: stenr on July 09, 2013, 01:24 am
If a vendor doesn't use encryption I automatically assume they are either too retarded to use it (and therefore shouldn't even be on silkroad let alone selling drugs to people on it) OR they just don't care about their customers' safety. You could still order from them but for me personally it's just too lazy/pathetic for a vendor to not use PGP.

I'll also add that I've ignored at least two vendors I would've normally purchased from because they refused to use encryption.
Title: Re: Vendor doesn't use encryption. Problem?
Post by: flashlight5 on July 09, 2013, 11:51 am
that vendor should get a warning.

freedom is great, but he is mainly putting other people in danger. i suggest a change in policy here. vendor must provide at least xxx bit encryption.

Title: Re: Vendor doesn't use encryption. Problem?
Post by: thebakertrio on July 09, 2013, 12:22 pm
vendor does not use encryption, i do not use vendor
Title: Re: Vendor doesn't use encryption. Problem?
Post by: Herujuana on July 09, 2013, 12:41 pm
The bottom line is this:

Why go to all the trouble learning how to get onto SR, use tor, buy bitcoins anonymously, and then screw it all up with a half-assed job of sending your address in plain text? IF something does go wrong, do you really want to be in some LE little black book of buyers?
Title: Re: Vendor doesn't use encryption. Problem?
Post by: Real_Drugs on July 09, 2013, 01:58 pm
People are simply too lazy. Vendors have no excuse not to use PGP.
Title: Re: Vendor doesn't use encryption. Problem?
Post by: spunjtom on July 09, 2013, 02:19 pm
Quote
The bottom line is this:

Why go to all the trouble learning how to get onto SR, use tor, buy bitcoins anonymously, and then screw it all up with a half-assed job of sending your address in plain text? IF something does go wrong, do you really want to be in some LE little black book of buyers?

^this
Title: Re: Vendor doesn't use encryption. Problem?
Post by: Nightcrawler on July 10, 2013, 10:07 am
Quote
that vendor should get a warning.

freedom is great, but he is mainly putting other people in danger. i suggest a change in policy here. vendor must provide at least xxx bit encryption.

Not going to happen, ever. Quite some time ago, DPR and I had an exchange on this very issue, and DPR reiterated their stance that use of PGP on the part of vendors is completely voluntary. DPR is philosophically opposed to the notion of requiring/forcing vendors to use PGP -- I get the impression that it offends his agorist sensibilities.  Hell is going to freeze-over before I see this changing.

Nightcrawler
Title: Re: Vendor doesn't use encryption. Problem?
Post by: spunjtom on July 10, 2013, 12:23 pm
Quote
that vendor should get a warning.

freedom is great, but he is mainly putting other people in danger. i suggest a change in policy here. vendor must provide at least xxx bit encryption.

Not going to happen, ever. Quite some time ago, DPR and I had an exchange on this very issue, and DPR reiterated their stance that use of PGP on the part of vendors is completely voluntary. DPR is philosophically opposed to the notion of requiring/forcing vendors to use PGP -- I get the impression that it offends his agorist sensibilities.  Hell is going to freeze-over before I see this changing.

Nightcrawler

And when the predator thins the herd it is the slow, the weak, the sick that are the first meal.  Unfortunately this means not only bad vendors but buyers who patronize bad vendors.
Title: Re: Vendor doesn't use encryption. Problem?
Post by: tbart on July 10, 2013, 02:56 pm
Quote
A vendor who does not accept PGP is demonstrating a lack of care towards your safety. Do you think such a vendor will do a good job on stealth?

+1, plus all that vendor is telling me is he doesn't value his own security seriously - how far away is he from a bust??? and if he's busted, and they find your transaction info in his computer guess who popo will be visiting next??

here's a link to a SR vendor that just got popped and like i said in another thread, he (AfterHOUR) had to still have the shipping details on sales that were en route so he could check delivery etc
http://dkn255hz262ypmii.onion/index.php?topic=182030.0
Title: Re: Vendor doesn't use encryption. Problem?
Post by: Oompaloompa on July 10, 2013, 05:17 pm
I wouldn't use a vendor who doesn't support pgp, in fact a few times I've messaged vendors telling them this and asking them to set it up. Some have & I've subsequently dealt with them, some haven't and I avoid them, even where they're cheaper than others.

It's just not worth the risk.

I don't know why some vendors don't use pgp, for some I suppose they're starting out and don't understand how important it is. Typically they don't mention it on their pages & don't appear to have thought about it. That's where it's important for us buyers to demand it and let them know they're losing business by not offering us the option to encrypt our personal details.

What's a little more worrying is a few vendors who've specifically made the decision not to use pgp for whatever reason:
Quote
We will not be using PGP only orders made without PGP will be processed Thank you from
persianrugsuk

or those who spread misinformation and doubt about pgp like this moron:
Quote

pgp should not used any more
NO EXCEPTIONS ITS unsafe and can be cracked.

www.theregister.co.uk/2012/12/20/elcomsoft_tool_decrypts_pgp/
UK4420, who either intentionally or inadvertently misunderstands the article.

What's also concerning - but a lot less obvious - is vendors with weak encryption in their public key. Most vendors I see have 2048-bit keys. That is the absolute minimum strength which should be used by anyone.

Basically the higher the xxxx-bit number the stronger the encryption of that vendor's key (which you'll use to encrypt your personal details). I use 4096 encryption, it doesn't cost any more, doesn't take any longer to encrypt a message and isn't any more difficult to use or set up. It does take a little longer to create your key, but you only do that once anyway & it's not significant.

I really don't see why more people (vendors especially) don't use stronger encryption. They may just be using the default settings on their encryption tool, though I have seen a few vendors with even weaker encryption, like 1024 or less. I will never deal with those guys as it is possible (with enough computing power) to break that weak encryption.

Encryption can be broken, but it takes a lot of time and computing power. The stronger the encryption the harder it is to break & the longer it will take. For example in 2009 768-bit encryption was broken by some security researchers. Since then there's not been a lot of press about what it is possible to break and not. The available computing power which could be used, both average home computer power & that available to NSA, etc has however increased dramatically since 2009.
I don't know if it is feasible, cost-effective or timely to break 1024 or 2048 encryption but the more time goes by the more easily breakable these encryption strengths become (as computing power advances).

http://www.keylength.com/en/compare/ gives a range of estimates of when certain encryption strengths should theoretically be breakable by. Obviously there's a lot of variables and a lot of variation in estimates but at least one indicates 2048 could be breakable between 2010 & 2020. That's too close for comfort for me, especially as I don't expect NSA/DEA/CIA/ETC to disclose too much about their capabilities to the folk drawing up the estimates.

4096 should take a few quadrillion years to break (with the same computing power) so I'm comfortable about messages vendors encrypt using my public key, but I just wish more would use similar strong encryption for their public keys.

Don't assume that just because a vendor offers PGP that it's safe or effective encryption. Check out the strength of their keys and make up your own mind if you consider it effective to safeguard your information.

Apologies for the rambling digression, hopefully at least some will find it useful.
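
The key-strength check recommended in the post above, as an added example that is not part of the original thread: it reads the primary key packet of an ASCII-armored OpenPGP public key (RFC 4880 layout) and compares the measured modulus size with the 2048-bit floor named in the post. The `make_sample` helper and its dummy modulus are constructed test input, not a real key.

```python
import base64
import struct

# RFC 4880 algorithm IDs whose first MPI is the RSA modulus or DSA/ElGamal prime
ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ElGamal", 17: "DSA"}

def dearmor(text):
    """Strip ASCII armor (header lines, optional '=CRC24' line) and decode."""
    lines = [l.strip() for l in text.strip().splitlines()]
    start = lines.index("") + 1  # armor headers end at the first blank line
    data = "".join(l for l in lines[start:] if not l.startswith(("=", "-----")))
    return base64.b64decode(data)

def packet_body(raw):
    """Return (tag, body) of the first OpenPGP packet in raw."""
    hdr = raw[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:  # new-format header
        tag, first = hdr & 0x3F, raw[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + raw[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(raw[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: low two bits select a 1-, 2- or 4-byte length
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << ltype
        length, off = int.from_bytes(raw[1:1 + size], "big"), 1 + size
    return tag, raw[off:off + length]

def assess(armored, minimum=2048):
    """Return (algorithm, bits, meets_minimum) for the primary key."""
    tag, body = packet_body(dearmor(armored))
    version, _created, algo = struct.unpack(">BIB", body[:6])
    if tag != 6 or version != 4 or algo not in ALGOS:
        raise ValueError("expected a v4 RSA/DSA/ElGamal public-key packet")
    declared = int.from_bytes(body[6:8], "big")
    # Measure the integer itself instead of trusting the declared bit count
    bits = int.from_bytes(body[8:8 + (declared + 7) // 8], "big").bit_length()
    return ALGOS[algo], bits, bits >= minimum

def make_sample(bits):
    """Constructed input: v4 RSA key packet with a dummy modulus (not a real key)."""
    n = (1 << (bits - 1)) | 1
    body = struct.pack(">BIB", 4, 0, 1)
    body += struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")
    body += struct.pack(">H", 17) + (65537).to_bytes(3, "big")
    b64 = base64.b64encode(b"\x99" + struct.pack(">H", len(body)) + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + wrapped +
            "\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    for size in (1024, 2048, 4096):
        print(assess(make_sample(size)))
```
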
Title: Re: Vendor doesn't use encryption. Problem?
Post by: tbart on July 10, 2013, 05:54 pm
i'm for the most part, computer illiterate, but if i read in the article at www.theregister.co.uk/2012/12/20/elcomsoft_tool_decrypts_pgp/    or interpreted it correctly, what they're saying they can pull up easily is the password to open your pgp or gpg4usb program, which stays in RAM in hibernation, but wipes if the computer is turned completely off - is that correct?

i've always turned my computer off at a power strip after computer is shutdown but do that, not for security reasons (power consumption on my damn ups (a high end APC) still draws 190 watts, even when off).

but back to question - is what i understood in the article correct? -

if so, then the only concerns are if someone came into possession of my computer and the password

i've put the gpg4usb software and any docs, records etc on a flash drive that only comes out for use and is put away when not
Title: Re: Vendor doesn't use encryption. Problem?
Post by: Oompaloompa on July 10, 2013, 06:09 pm
Basically it says if you're so lazy you store your pgp encryption password on your computer rather than just typing it in each time AND someone has access to your computer (AND a few other technical things are also true) then they can recover your password.

It's got nothing to do with computer security holes or flaws in encryption but rather individual laziness and stupidity.
To draw an analogy it's like saying you shouldn't use PGP because if you write your password on a post-it note & stick it to your screen then someone who knows how to read can access your PGP.

Basically just remember your password and don't save it on your machine.