Silk Road forums

Discussion => Security => Topic started by: Euphoric on August 04, 2013, 01:48 pm

Title: TOR Secure Messaging System
Post by: Euphoric on August 04, 2013, 01:48 pm
http://sms4tor3vcr2geip.onion/

This seems like a much better alternative to privnote.com to me. Ultimately everyone should just use PGP/GPG but for those who use privnote this seems like a more secure and encrypted alternative....
Title: Re: TOR Secure Messaging System
Post by: comsec on August 04, 2013, 10:50 pm
I thought this was a federal honeypot then checked the bitcoin donation address, whoever runs this is gambling donations away playing Satoshi Dice so I guess not fed agents.

I wouldn't trust this or any other cloud service. Remember Hushmail also claimed they could never read your emails too. If you haven't PGP encrypted before sending assume everybody can read it.
Title: Re: TOR Secure Messaging System
Post by: Euphoric on August 24, 2013, 10:57 pm
Quote
I thought this was a federal honeypot then checked the bitcoin donation address, whoever runs this is gambling donations away playing Satoshi Dice so I guess not fed agents.

I wouldn't trust this or any other cloud service. Remember Hushmail also claimed they could never read your emails too. If you haven't PGP encrypted before sending assume everybody can read it.

Agreed, but I just thought it was better than Privnote. People should be using PGP anyways....
Title: Re: TOR Secure Messaging System
Post by: StExo on August 24, 2013, 11:09 pm
I disagree quite strongly on this, we have no idea who runs it. At least with privnote, they have a EuroPriSe certified version (certified.privnote.com), but this site is completely unknown so even if it looks and feels legit, until we can have somebody take a proper look at this, it shouldn't be used to handle anything sensitive.
Title: Re: TOR Secure Messaging System
Post by: Euphoric on August 24, 2013, 11:17 pm
Quote
I disagree quite strongly on this, we have no idea who runs it. At least with privnote, they have a EuroPriSe certified version (certified.privnote.com), but this site is completely unknown so even if it looks and feels legit, until we can have somebody take a proper look at this, it shouldn't be used to handle anything sensitive.

I just posted this on a different thread:

Quote
I don't trust privnote.com. Even though it says the note is destroyed after it's read, that doesn't mean that the data is physically deleted from the server. It's just like when you delete a file on a computer, the operating system simply no longer shows the file, and it becomes free space. With data recovery software it is still possible to recover that file until it is written over. You have to securely delete a file to actually delete it, which writes over the space where the file was written on the hard drive. With the tools the government has, even a secure deletion isn't sufficient. I'd say you need to write over the file at least 7 times for it to be unrecoverable. The Air Force does a 35-pass, or writes over their hard drives with random data 35 times.

I've also heard that some three letter agencies say they physically shred their hard drives AFTER doing a 35-pass secure deletion.

So my point is, even though privnote.com claims the note is "destroyed" after it's read, the data is still on the server and could easily be recovered!

http://dkn255hz262ypmii.onion/index.php?topic=203553.0

I'm about to start requiring all customers to use PGP for all addresses, even if it causes me to lose business. I'm going to be writing up several complete step-by-step guides on how to use PGP on all operating systems including Windows, Mac OS X, Linux, iOS, and Android.

But in my opinion no one should use Windows for SR. Use Linux, because none of the FreedomHosting iFrame/JavaScript hacks that the NSA set up worked on Linux...only Windows users. That's all they go after is Windows users.
Title: Re: TOR Secure Messaging System
Post by: Kiwikiikii on August 24, 2013, 11:58 pm
Quote
I disagree quite strongly on this, we have no idea who runs it. At least with privnote, they have a EuroPriSe certified version (certified.privnote.com), but this site is completely unknown so even if it looks and feels legit, until we can have somebody take a proper look at this, it shouldn't be used to handle anything sensitive.

I just posted this on a different thread:

Quote
I don't trust privnote.com. Even though it says the note is destroyed after it's read, that doesn't mean that the data is physically deleted from the server. It's just like when you delete a file on a computer, the operating system simply no longer shows the file, and it becomes free space. With data recovery software it is still possible to recover that file until it is written over. You have to securely delete a file to actually delete it, which writes over the space where the file was written on the hard drive. With the tools the government has, even a secure deletion isn't sufficient. I'd say you need to write over the file at least 7 times for it to be unrecoverable. The Air Force does a 35-pass, or writes over their hard drives with random data 35 times.

I've also heard that some three letter agencies say they physically shred their hard drives AFTER doing a 35-pass secure deletion.

So my point is, even though privnote.com claims the note is "destroyed" after it's read, the data is still on the server and could easily be recovered!

http://dkn255hz262ypmii.onion/index.php?topic=203553.0

I'm about to start requiring all customers to use PGP for all addresses, even if it causes me to lose business. I'm going to be writing up several complete step-by-step guides on how to use PGP on all operating systems including Windows, Mac OS X, Linux, iOS, and Android.

But in my opinion no one should use Windows for SR. Use Linux, because none of the FreedomHosting iFrame/JavaScript hacks that the NSA set up worked on Linux...only Windows users. That's all they go after is Windows users.

if u dont trust SR staff then why are you on here. go home.
Title: Re: TOR Secure Messaging System
Post by: Euphoric on August 25, 2013, 04:08 am
I trust SR staff, I think you read my message wrong. My issues were with privnote, freedom hosting, and tormail. I SUGGESTED using SR for all communications, but to use PGP as anyone would agree.
Title: Re: TOR Secure Messaging System
Post by: Psyche on August 25, 2013, 05:05 am
Quote
I trust SR staff, I think you read my message wrong. My issues were with privnote, freedom hosting, and tormail. I SUGGESTED using SR for all communications, but to use PGP as anyone would agree.

You should disallow sales to any vendors who do not have "Signed with PGP for unix" (I'm paraphrasing).

Educate them on Tails and Linux. More important than encryption IMO.
Title: Re: TOR Secure Messaging System
Post by: StExo on August 28, 2013, 09:52 am
Quote
if u dont trust SR staff then why are you on here. go home.

I don't trust SR staff at all, they're anonymous and unaccountable which is why buyers use PGP, partially to protect from LE, partially to protect from SR, although I think the consensus is PGP assumes they are the same party and the only person who can be trusted is the seller, where even then steps should be taken to protect yourself as a buyer. Even if LE ran this marketplace, every smart user and vendor could easily continue to trade through it by obfuscating the bitcoin paths, encrypting their information and following good practice under the many different forum topics. Although if we knew LE controlled the marketplace, it would still be very uncomfortable trading here even with those measures.
Title: Re: TOR Secure Messaging System
Post by: StExo on August 28, 2013, 10:02 am
Quote
I trust SR staff, I think you read my message wrong. My issues were with privnote, freedom hosting, and tormail. I SUGGESTED using SR for all communications, but to use PGP as anyone would agree.
You should disallow sales to any vendors who do not have "Signed with PGP for unix" (I'm paraphrasing).

Educate them on Tails and Linux. More important than encryption IMO.

I wouldn't quite say more important, but there is no denying right now the real issue is that malware and exploits are a bigger threat to .onion users these days than LE kicking down your doors and taking your hard drives. Encryption is there very much as a last resort but when done right is pretty fool-proof. Tails/Whonix on the other hand are preventative measures mainly to minimize exposure. I would argue you could still, with a pretty high degree of safety, use Tor Browser Bundle on a Windows machine unencrypted as a buyer of SilkRoad with basic PGP knowledge, but this is one of the problems of it being *that* simple, it leaves low hanging fruit for LE to pick easily.

For example, RxKing refuses to use encryption, something me and astor very strongly disagree with, and he (RxKing) is right when he says that right now it hasn't saved anyone, it takes up time etc. But the point of using it is like most measures, we are using it to cover our asses for the rare "what if" events because whatever you say about PGP, there is no denying you are going to be on a list for a long time if they find your address on SilkRoad servers when they seize it, even if they can't nail you for something for several years, it is the slow knife which really kills you. I can sit here, pretty safely knowing if I order something from SilkRoad I don't have much to be worried about as the 2 biggest threats are the customs seizing the package and doing a controlled delivery, or a rogue/honeypot vendor, neither of which we have solid solutions for yet, but at least if the SilkRoad servers are seized, I have very little to worry about at all, I am merely reducing my exposure to risk.
Title: Re: TOR Secure Messaging System
Post by: Nightcrawler on August 28, 2013, 12:50 pm
Quote
I trust SR staff, I think you read my message wrong. My issues were with privnote, freedom hosting, and tormail. I SUGGESTED using SR for all communications, but to use PGP as anyone would agree.
You should disallow sales to any vendors who do not have "Signed with PGP for unix" (I'm paraphrasing).

DPR has the last word on policy here, and it is DPR's stated policy that while PGP is recommended, it is NOT required. Unless and until DPR changes their mind, this is not going to change. 

Quote
Educate them on Tails and Linux. More important than encryption IMO.

Anonymity is the primary defense mechanism here, everything else is secondary. The best way to think of PGP/GPG is as an insurance policy -- it is there to protect you, when the shit hits the fan. About a year ago, there was a user by the name of Winters86. He claimed to come from a family of LEOs, and he claims to have seen an internal document/report that talks about Silk Road. Here is what he had to say:

Quote
Security / Australian LE Report on BC/SR
« on: August 26, 2012, 01:11 am »

Hello all,

I come from a family of LEOs, not just uniformed officers, but upper echelon personnel in multiple agencies both state and federal. I can't be more specific than that unfortunately. Recently, I gained access to an internal confidential report distributed to several Australian LE agencies and a few international anti-narcotic bodies regarding possible methods of combating illegal activities involving BC. Of course SR was a main feature of said report.

I was told not to share any of the information, however I feel this report should be made available to the SR community because it contained methods through which LEO intend to begin to infiltrate and if possible start serious interdiction of the quote 'blatant and continually growing narcotic trade SR supports'. Now I can't post the report openly for everyone, because it could lead to serious consequences for myself and members of my family, I will however share the relevant points made and share an altered version of the report with a few members of the community whom I have already discussed this with and who have agreed to help get the information out there, because I know this one post won't be enough.

So here are the nuts and bolts of the report, spread the information as far and wide as possible friends:

1. PGP is terrifying them, every new user who learns it and helps others learn, closes a possible loophole they were planning to exploit.
2. User ignorance of the technology being used (Tor, PGP etc) is their single best hope for any kind of serious action against the SR community.
3. Narcotic trade historically involves exploitation and violence. Users working together as a community for a greater good and towards the same goals has made all previous interdiction training basically obsolete. In other words, every user who helps newcomers learn how to be safe and secure especially through the use of PGP for all transactions and communication is a nail in LEO's coffin.
4. A total lack of violence and exploitation is very much working in our favor. So in other words, the idea of a community working together to protect the new and vulnerable has been identified as a huge obstacle for any kind of serious attempt to stop SR.
5. Their morale regarding fighting SR and BC is very low at the moment, mainly because very few LEO have the capacity to comprehend how the whole system works, but unfortunately, recent media coverage demands some kind of action, so they are going to have to show the public they are doing SOMETHING to combat SR, they just aren't sure what yet.

So there you have it, my friends. Think of it like we are involved in an insurrection and they are trying to pacify our homeland. History dictates that a determined and unified local populace will always defeat an invading enemy, regardless of strength through slowly sapping that enemy's very will to continue the fight. We have the upper hand, there are just a few things we need to do to win the war and if you have read this post, you will see what those things are.

Go forth and educate yourself and anyone who needs it. Learn PGP, use it, teach others, encourage the spirit of community and helping others and victory shall be ours.
Be safe and smart friends.

http://dkn255hz262ypmii.onion/index.php?topic=38319.msg431562#msg431562

Note especially points 1 & 2. PGP is terrifying them, and every user who uses Tor/PGP closes a loophole they were trying to exploit.

Encryption makes their jobs harder, thus their fear of it.  I well remember the Crypto Wars back in the 1990s... every police agency you could name was warning about the dangers of non-backdoored crypto. Their worst nightmare (then, and now) would be to have mass adoption of PGP -- then-FBI Director Louis Freeh was quoted as saying that this would bring online investigations to a halt.

The two biggest assets that law enforcement have are user ignorance followed by user apathy.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B      (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B    (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090     (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0