Silk Road forums

Discussion => Security => Topic started by: anonypunk on August 19, 2013, 06:25 pm

Title: Message to New Vendors
Post by: anonypunk on August 19, 2013, 06:25 pm
Why won't some new vendors use PGP? It disappoints me highly when vendors do not take the necessary (yet easy to implement) precautions to protect themselves and their buyers. If something as simple as that is not used then how do you think the rest of their "security" is? It can't be safe at all. It's definitely not professional in any way. What gives you guys?

Please have your system security correct before you begin vending.
Title: Re: Message to New Vendors
Post by: VHSplayer on August 19, 2013, 06:37 pm
It really would be nice to see everyone using PGP. However, this is a free society and if vendors do not wish to use any type of encryption in their communications, so be it. It is the customer that needs to make the smart choice to not use vendors that do not care about security. Maybe the lack of business to them will result in them stepping up their game.
Title: Re: Message to New Vendors
Post by: Bazille on August 19, 2013, 06:38 pm
For customer protection, maybe it would be a good idea to force vendors to show that they are able to install PGP and decrypt the messages.

1. Let them upload their public key
2. Send them some automatic encrypted message with a code
3. To get the vendor status for their account they have to enter the code one time
Title: Re: Message to New Vendors
Post by: anonypunk on August 19, 2013, 06:46 pm
For customer protection, maybe it would be a good idea to force vendors to show that they are able to install PGP and decrypt the messages.

1. Let them upload their public key
2. Send them some automatic encrypted message with a code
3. To get the vendor status for their account they have to enter the code one time

I like that idea. Seriously. I know it's a free market and blah blah blah but this is serious fucking business. I just won't use them if they can't be bothered to do something as simple as that.

Oh and Bazille. I'll be using your tutorial today. I've got a question for you but don't want it broadcast in the forums. I assume I can trust you with being discreet when I PM you right?
Title: Re: Message to New Vendors
Post by: Bazille on August 19, 2013, 07:39 pm
Yes, I understand that some people wouldn't like to announce in public what setup they use etc. I was just trying to avoid answering questions in private which would be better answered in public, so everyone gets the knowledge. Plus I may not be there to answer the messages anyway.
Title: Re: Message to New Vendors
Post by: Trippinmonkey on August 20, 2013, 02:05 am
There are dealers on clearnet. So being on SR is already pretty good.

I agree that SR just needs to make it obligated to publish a public pgp key...

Then again.. What the hell why would they. The cops are wasting their time.
Unless they are losing money because of non-governments now also make money dealing shit.
Title: Re: Message to New Vendors
Post by: new dreams on August 20, 2013, 04:04 am
I don't think it's that big of a deal; very few customers actually use PGP. Although it would be nice to have everyone using it, if customers are not then it's a moot point. If it is to be enforced then all parties should be required to use it; otherwise just go with who you are comfortable with.
Title: Re: Message to New Vendors
Post by: Kiwikiikii on August 20, 2013, 04:29 am
I'd rather not use it 'cause it's a PITA to copy over a block of text to a txt file then rename it to .asc then decrypt it. And for what, because people are afraid SR is run by cops? I'd be more afraid of a nut/cop vendor than any sort of LEA mass sting operation, which considering the history of the site is baseless paranoia. Give me one good reason why PGP is necessary for intra-SR comms.
Title: Re: Message to New Vendors
Post by: new dreams on August 20, 2013, 05:00 am
^ I agree. If they have compromised the site to that extent then there is no point in using the site at all.
Title: Re: Message to New Vendors
Post by: Cimicon-Rep on August 20, 2013, 05:58 am
If the majority of buyers used it and demanded it, it would be done. But since the majority of buyers don't use PGP even with vendors that provide it, you can't make vendors implement it. There's little incentive.

We have a strong 4096 bit RSA key for those who want a more secure PGP experience.
Title: Re: Message to New Vendors
Post by: jagfug on August 20, 2013, 06:50 am
A few points to add
Anonypunk you make a valid point. - However. (you just knew there'd be a however!)

VHSplayer makes a point more relevant to the true spirit (or truer spirit?-opinion) of The Main Concept of The Silk Road That is, a lot of the libertarian values that I like, anyway. - I like spirited debate on issues, with easy to follow logic, and hopefully not too vast a vocabulary.

What I dislike, is someone feeling so strongly that they feel their idea should be FORCED on others. - It's the whole "Too much regulation" thing with me.
Too many fucking laws. Too many lawyers, the reason for the laws. Well I guess that's a chicken and egg argument there.

Anyway, do you get my point? Another way to make it is to take a look at an old country road, say you used to visit as a kid. Grandma's summer cottage. Whatever. It was a simpler time. Nowadays, you go back to visit, and what used to be a single lane road, with a yellow flashing light, cautioning cross traffic, is now a 3 lane highway, the flashing yellow light is now a big three traffic light across job, complete with an arrow everyone has to wait for, even though 3 cars maybe go down that way in a single afternoon.

Why did that happen?- Well progress, of course, and population. I'm not saying we should return to horse and buggy days. It's just the laws that get passed because of emotions usually have a lot more to do with shit like that.

Old man Jenkins was coming home around sunset one fall evening, and inadvertently forgot to put his headlamps on when he should have, made the turn without signaling and T-boned some high school senior on her way home from reading to the people at the old age home.

A lot of info there, right? - Well, some distraught family member, full of grief, understandably so, wanted "Something to be done"- "Something should be done about that" - Why the Government should DO something about that!

Am I making sense to everyone? - Too many Goddamn laws, all because it made someone feel better. Or made a politician look better because he got the lights put up at the intersection. - Yeah, with taxpayers money. No proof that it would've made old man Jenkins turn his headlamps on sooner, nor remember to use his signal, but by golly, we DID something about it !

Then I get that icky feeling along the same lines of the benefit of the few, outweighing the benefit of the many.

Or, "We need to do it FOR THE CHILDREN" - I know - I'm way far away from an encryption conversation at this point.

Just to bring it all back to VHSplayer's pointing out that this is a free society and if vendors do not wish to use encryption in their communications, so be it.

I, myself, JUST started learning to use it. I'm not a vendor, but shit, I've done well over 100 orders and about $6500. in purchases. Not a lot, but no slouch, and not one of those orders did I use PGP. Am I proud of the fact? - No, but I did used to act cocky about it. This was of course before the President using the NSA to spy on journalists, and the IRS to harass those he felt politically threatened by.

And this NSA shit is not going away. The leading headline (I just checked) in like 20 news outlets is "Obama's post vacation blues - The NSA spying on Americans- and the violence (mess that his admin made) in Egypt" - as if we're supposed to feel sorry for this guy who takes more vacations than any president! Coming home to "What a drag, man, can't people just get over it"

OK, I've officially lost it. -

The problem I have in forums, is I grew up in a large family where you were told to 'shut up' when you started rambling. I'm self 'shutting up'.

Cheers!

jagfug

PS - What nags me, and I don't know the technicalities, this is more of a simpleton's common sense, so it might be flawed. - Everyone lists their public keys on one of these threads, right? - Well aren't these keys kind of like the 'ink that reveals the invisible ink' of your message? Right? Your public key, unlocks whatever message someone sends to you encrypted with it? SO, if some nefarious characters, like, I don't know, Diane Feinstein's a scary enough example, want to read your emails. Can't she or one of her lackeys just have already copied your public key? Now what good did that whole rigamarole of PGP do for you, besides provide a false sense of security.

Please tell me what I'm missing, because it can't be that simply flawed. - I finally learned this thing, I WANT it to work!

[edited to remove one of the 0's from the amt of orders I claimed to have done - 1000 in my dreams!]
Title: Re: Message to New Vendors
Post by: anonypunk on August 20, 2013, 08:00 am
Jagfug. I'm an anarchist by my very nature so believe me I understand what you mean with regards to too many rules and laws. I wasn't aware that so many buyers don't use pgp...it just seems silly to not use it if it's an extra layer of security. I am not an expert on security in any way and I know that the address portion of the message is deleted after the order is marked in transit. If the vendor gets busted b/c he sells to a narc in real life and they come in he's got the computer open and his account is open. All that anyone would have to do is scroll through the list of orders and there your address is for the cops to see. I guess of course if that happened then they'd already have access to his pgp so it wouldn't matter would it? Fuck me. It's just personal preference really and it seems to make logical sense to use PGP. It's late and I'm too tired. Sorry if that seems jumbled at all. Tripped all day then did a booster of the ILFs magical MDA so my brain is a mess.
Title: Re: Message to New Vendors
Post by: jagfug on August 20, 2013, 09:05 am
You could've fooled me! In fact, you seemed very coherent. Also, I didn't mean to come off as playing the protagonist either. To me this was a lively discussion of a very important and timely subject, and isn't it nice that we can all get our points across without resorting to name calling, and partisanship.

I know that goes on with other threads, but I'm really looking in the direction of DC with respect to the latter point.

Hell! If anything, my post seemed a bit 'boring social studies teacher dissertation' in hindsight, to me. LoL.

As far as philosophies go. I can't be just one. I'm mostly a Conservative (please, not the checkered pants repub), neocon maybe is better, a big chunk of Libertarian, somewhat of an anarchist when it comes to some things. Even a liberal, if you can believe? Personally, I feel the need to have the ability to call up any of those philosophies, anytime I see fit! To be pigeonholed into any one of those is just too monolithic and linear for the reality that is today.

That's just me.

Yeah, long day of meh, and even longer of looking for the 30 10mg Valium that were stolen from my home the other day. So why am I looking for them, if I know they've been stolen?- See? I sounded pretty good in the last paragraph, but broke my cardinal rule!- Knowing when to SHAAADDDAAAAAPPPPP!!!!

Goodnight!

jagfug

PS I always see your name and have been meaning to tell you anonypunk is a cool fucking name. - I also find VHSplayer strangely appealing, but I'm dating myself. (just ask my left hand!) - Ooh that was unfortunate. :P
Title: Re: Message to New Vendors
Post by: Bazille on August 20, 2013, 11:29 am
I'd rather not use it 'cause it's a PITA to copy over a block of text to a txt file then rename it to .asc then decrypt it.

Use GPG4USB or so, then you can decrypt it right in the editor without saving it to a file.
Title: Re: Message to New Vendors
Post by: microbabe on August 20, 2013, 02:53 pm
Hey Guys,

So I would say I'm a fairly new vendor, and I have used PGP from the start.  I feel like it's just one more safeguard that makes it that much harder if LE ever got control.  I don't require customers to use it (it's really for the buyers protection), but I encourage it.

Title: Re: Message to New Vendors
Post by: anonypunk on August 20, 2013, 08:15 pm
Just gave +1 Karma to a few of you all.

"Personally, I feel the need to have the ability to call up any of those philosophies, anytime I see fit! To be pigeonholed into any one of those is just too monolithic and linear for the reality that is today." I agree wholeheartedly with the ideal. Was just saying that my nature is "No Gods. No Masters". I really don't feel the need for any system of control whatsoever. I realize the repercussions of that but know I can make it on my own. Others maybe not so well but that is nature's course. The weak die off eventually either way. The utopian view I have is possible but highly unlikely to work at this level of human development.
Title: Re: Message to New Vendors
Post by: Nightcrawler on August 21, 2013, 09:15 am
For customer protection, maybe it would be a good idea to force vendors to show that they are able to install PGP and decrypt the messages.

1. Let them upload their public key
2. Send them some automatic encrypted message with a code
3. To get the vendor status for their account they have to enter the code one time

This has been suggested many times already. That said, it's never going to happen, not on here, anyway. I had a discussion some months back and DPR stated that, while he encouraged vendors to use PGP, he would never require a vendor to use PGP.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B      (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B    (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090     (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
Title: Re: Message to New Vendors
Post by: Nightcrawler on August 21, 2013, 09:35 am

[snip]

PS - What nags me, and I don't know the technicalities, this is more of a simpleton's common sense, so it might be flawed. - Everyone lists their public keys on one of these threads, right? - Well aren't these keys kind of like the 'ink that reveals the invisible ink' of your message? Right? Your public key, unlocks whatever message someone sends to you encrypted with it? SO, if some nefarious characters, like, I don't know, Diane Feinstein's a scary enough example, want to read your emails. Can't she or one of her lackeys just have already copied your public key? Now what good did that whole rigamarole of PGP do for you, besides provide a false sense of security.

Please tell me what I'm missing, because it can't be that simply flawed. - I finally learned this thing, I WANT it to work!

[edited to remove one of the 0's from the amt of orders I claimed to have done - 1000 in my dreams!]

FYI... Your public key is what other people use to encrypt messages to you. Your private key is what you use to decrypt messages encrypted with the corresponding public key. The security of the system is predicated on this separation of keys. FWIW, the idea of public key encryption was originally developed by Ellis & Cocks, at the UK GCHQ, Britain's NSA equivalent. The British considered this idea so important that they immediately classified it. It was later independently re-discovered by Whitfield Diffie and Martin Hellman, who published it in 1976, about half a dozen years after Ellis & Cocks originally submitted their proposal to GCHQ.

You can think of PGP as a box which can be locked that you can freely give out to anyone you like; you are the only one that has the key to open these boxes, once they are locked.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B      (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B    (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090     (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
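
The three-step check Bazille proposes earlier in the thread, together with the public/private key separation Nightcrawler describes above, as an added example that is not part of the thread or of any site's code. A textbook-RSA keypair built from two fixed primes stands in for a PGP key (an assumption: real PGP uses padded, hybrid encryption), and `VendorVerifier`, `issue` and `redeem` are hypothetical names.

```python
import hmac
import secrets
import time

# Constructed toy keypair: unpadded textbook RSA over two Mersenne primes,
# standing in for a PGP key. Far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
PUBLIC = (P * Q, E)                                # step 1: uploaded to the site
PRIVATE = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))   # never leaves the key owner
KEY_BYTES = (PUBLIC[0].bit_length() + 7) // 8


def encrypt(pub, message: bytes) -> int:
    n, e = pub
    return pow(int.from_bytes(message, "big"), e, n)


def decrypt(key, ciphertext: int) -> bytes:
    n, exponent = key
    return pow(ciphertext, exponent, n).to_bytes(KEY_BYTES, "big").lstrip(b"\0")


class VendorVerifier:
    """Hypothetical site-side check: one code per account, single use, expiring."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.pending = {}

    def issue(self, account, pub, now=None):
        now = time.time() if now is None else now
        code = secrets.token_hex(8).encode()       # 16 ASCII chars, fits below n
        self.pending[account] = (code, now + self.ttl)
        return encrypt(pub, code)                  # step 2: only ciphertext is sent

    def redeem(self, account, answer: bytes, now=None):
        now = time.time() if now is None else now
        code, expires = self.pending.pop(account, (b"", 0))  # a guess burns the code
        return now <= expires and hmac.compare_digest(code, answer)  # step 3


if __name__ == "__main__":
    site = VendorVerifier()
    ct = site.issue("vendor", PUBLIC)
    print("private key holder:", site.redeem("vendor", decrypt(PRIVATE, ct)))
    ct = site.issue("vendor", PUBLIC)
    print("public key only:   ", site.redeem("vendor", decrypt(PUBLIC, ct)))
```

Someone who has only copied the public key gets garbage when trying to undo the encryption, so the second check fails; the code is also discarded after one attempt and after the expiry time.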