Silk Road forums
Discussion => Security => Topic started by: Nightcrawler on October 04, 2013, 04:35 pm
-
I just saw something on here that hit me in the head like a brick. I just saw a user post a PGP public key generated with broken software. The default keys generated by this piece of shit software (e.g. PortablePGP) are _so_ weak, they are literally laughable.
pub 1024D/8B8E2001 2013-09-13
uid Zyntaks <>
sub 512g/D303B36C 2013-09-13
A dozen years ago, 512-bit encryption keys were being broken in a few weeks on old, spare computers that people had laying about the office. You can just imagine how long they would last against the resources than an organization like the FBI could bring to bear against them.
Warnings against using this type of software have been repeatedly posted, but they appear to have fallen on deaf ears.
The basic reason why I say "Virtually all of you are doomed" is because almost NO ONE wants to invest the time and effort required to learn how to keep themselves safe. During the crypto wars of the 1990s, I, like the Cypherpunks, believed that people would leap at the chance to embrace the tools that would enable them to escape the Orwellian gaze of the surveillance state.
At that time, the various police agencies were near apoplectic at the prospect of readily available strong encryption making its way into the hands of criminals (and others). They railed at every opportunity -- to anyone who would listen -- that the availability of strong non-backdoored encryption would stop police investigations dead in their tracks.
They were right -- the problem was that neither the general public nor the criminals adopted these tools. Rather than being widely adopted, the efforts of the Cypherpunks were greeted, at best, with a collective yawn. Even here, amongst a community that should have had a strong motivation to adopt these tools, it has not taken place. As proof, I would submit the fact that various vendors have stated that upwards of 80% of even shipping address information was transmitted in the clear (i.e. unencrypted).
Winters86, in his post here about a year ago, said that the biggest fear among police was that people would start learning to use tools like PGP. Despite that, there was (and is) still resistance -- there are still vendors (like RxKing) who say that PGP is a waste of time.
Sadly, what has become apparent to me, is that people are not going to change their habits. They don't want to learn; they want an instant fix -- they want to be spoon-fed, they want security handed to them on a silver platter. I have read endless complaints about how the software is "so complicated". People have said, "Explain it to me like I'm a 5 year old". You can't learn everything overnight. You have to develop a security-oriented mindset, and that takes time, effort, and patience to develop.
People value ease of use so highly, that they're willing to sacrifice their security to get it. People here are more worried about getting their drugs than they are about getting caught.
That's not the way it works and, in a nutshell, that's why the authorities are going to win in the end. Laziness, ignorance, and stupidity are, and will always be, the authorities greatest weapons.
As Friedrich Schiller wrote:
Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
-
Very nice post N C!! Loved it.
The damn thing is. PGP is not that hard, Shit its not hard to learn at all!! I taught a vendor on here last week in 1 hour how to PGP.. Its nothing. Just as simple as making an xbox account or something..
Its just Lazie ness and not willing to learn is all..
-
Well said, but I dont think were all doomed, we just need to learn, its to expensive and time consuming going after buyers or small time vendors, all that effort for what? A buyer who knows nothing about where they got their drugs from, its a no brainer, they wont target buyers and if they do then sobeit, what will be will be, I will use it as a platform to become a stronger person.
PGP was an effort to think about at first with me, just shear laziness and things I had going on at the time, I kind of got it straight off then I just forgot about it, then a few weeks later I was just sitting then it all just clicked into place in my mind and I thought I'm doing this from now on, now I look back and think why didnt I do it from the start, it is so very easy once you understand, kind of like learning to drive, when your young you think it will be really hard and a big effort but after you pass your test and a few years pass your like oh this driving is actually nothing to worry about, I'm rambling,
I didnt know any better in the early, some one already mentioned this and I agree, I really do think that before your allowed to join any black market site you should have to read the do's and dont's before you start, the sites makers should make it abundantly clear before your allowed to purchase or sell but mainly purchase as I think its the buyers that would the most wet behind the ears as it were, I just hope we all try and stick together after the moves to wherever we go, learned a lot here.
-
You're preaching to the choir here on the forums, but right on brother.
-
Glad I'm on a Mac using GPG Tools. I'm no expert, but I'm pretty sure that's at least a little better than PGP Key on a Windows platform. Also, I think it's a bit of a stretch to say we're all doomed. Even if we assume the NSA/FBI can easily break any type of PGP encryption, do you really think they're going to sift through thousands if not millions of orders and PM's, cracking every single one to track down people who bought drugs at one time on SR and probably don't even have them anymore?
It is something to think about when we're all migrating to other sites like BMR, however. We certainly need to be as careful as possible, you can never be too safe. I just placed my first order on BMR today and noticed that it says above the address box that PGP encryption will already be used IF the vendor has posted a PGP key. I don't think this is a good idea on BMR's part, because this will make people think they don't need to still encrypt their address themselves. I'm just going to keep encrypting and keeping my Tor bundle updated, I feel fairly safe in that.
-
Glad I'm on a Mac using GPG Tools. I'm no expert, but I'm pretty sure that's at least a little better than PGP Key on a Windows platform. Also, I think it's a bit of a stretch to say we're all doomed. Even if we assume the NSA/FBI can easily break any type of PGP encryption, do you really think they're going to sift through thousands if not millions of orders and PM's, cracking every single one to track down people who bought drugs at one time on SR and probably don't even have them anymore?
It is something to think about when we're all migrating to other sites like BMR, however. We certainly need to be as careful as possible, you can never be too safe. I just placed my first order on BMR today and noticed that it says above the address box that PGP encryption will already be used IF the vendor has posted a PGP key. I don't think this is a good idea on BMR's part, because this will make people think they don't need to still encrypt their address themselves. I'm just going to keep encrypting and keeping my Tor bundle updated, I feel fairly safe in that.
I was engaging in a little hyperbole. The people who are doomed are the ones who failed to use encryption, which by some vendors' accounts, is upwards of 80% of buyers. Of those who did use PGP, most of them should be safe. Of that traffic encrypted with DPR's PGP key (0x67B7FA25). with DPR now in custody and his laptop in the hands of the FBI, I suspect any and all such encrypted traffic will soon be decrypted. It is highly likely that the Feds now possess DPR's private key. Given DPR's lack of security sophistication, I suspect that he will either give up his PGP passphrase, or it will be found using brute-force or a dictionary attack, thus leading to the compromise of all his stored, encrypted traffic.
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
-
Glad I'm on a Mac using GPG Tools. I'm no expert, but I'm pretty sure that's at least a little better than PGP Key on a Windows platform. Also, I think it's a bit of a stretch to say we're all doomed. Even if we assume the NSA/FBI can easily break any type of PGP encryption, do you really think they're going to sift through thousands if not millions of orders and PM's, cracking every single one to track down people who bought drugs at one time on SR and probably don't even have them anymore?
It is something to think about when we're all migrating to other sites like BMR, however. We certainly need to be as careful as possible, you can never be too safe. I just placed my first order on BMR today and noticed that it says above the address box that PGP encryption will already be used IF the vendor has posted a PGP key. I don't think this is a good idea on BMR's part, because this will make people think they don't need to still encrypt their address themselves. I'm just going to keep encrypting and keeping my Tor bundle updated, I feel fairly safe in that.
It's basically what you've said. When the FBI are going after drug cartels, who are they going after? The buyers, the sellers? The answer is neither. They are going after the supplier, the head of the chain. In the case of SR, it's the very same thing. No, we're not doomed. PGP or not. Maybe in 10 years, when they have sifted through EVERY piece of unencrypted information from both buyers and sellers AND put together a case of viable evidence against both buyers and sellers? I think not. Too much time, too much money, too much work that even the FBI will find not worth it. We're safer online than we are actually having our packages shipped, in the case they were seized by customs. Also, for the automatic encryption, it doesn't seem like many people have read the information on that. If you encrypt any info in the address/instructions box, that encryption will conflict with the original automatic encryption, leaving it to be a confusing mess that will not work. SO: If it is automatically being encrypted, do not encrypt it a second time! It may screw up your order!
-
Glad I'm on a Mac using GPG Tools. I'm no expert, but I'm pretty sure that's at least a little better than PGP Key on a Windows platform. Also, I think it's a bit of a stretch to say we're all doomed. Even if we assume the NSA/FBI can easily break any type of PGP encryption, do you really think they're going to sift through thousands if not millions of orders and PM's, cracking every single one to track down people who bought drugs at one time on SR and probably don't even have them anymore?
It is something to think about when we're all migrating to other sites like BMR, however. We certainly need to be as careful as possible, you can never be too safe. I just placed my first order on BMR today and noticed that it says above the address box that PGP encryption will already be used IF the vendor has posted a PGP key. I don't think this is a good idea on BMR's part, because this will make people think they don't need to still encrypt their address themselves. I'm just going to keep encrypting and keeping my Tor bundle updated, I feel fairly safe in that.
It's basically what you've said. When the FBI are going after drug cartels, who are they going after? The buyers, the sellers? The answer is neither. They are going after the supplier, the head of the chain. In the case of SR, it's the very same thing. No, we're not doomed. PGP or not. Maybe in 10 years, when they have sifted through EVERY piece of unencrypted information from both buyers and sellers AND put together a case of viable evidence against both buyers and sellers? I think not. Too much time, too much money, too much work that even the FBI will find not worth it. We're safer online than we are actually having our packages shipped, in the case they were seized by customs. Also, for the automatic encryption, it doesn't seem like many people have read the information on that. If you encrypt any info in the address/instructions box, that encryption will conflict with the original automatic encryption, leaving it to be a confusing mess that will not work. SO: If it is automatically being encrypted, do not encrypt it a second time! It may screw up your order!
Well the address box we sent our info in was encrypted automatically right? so ur saying we shouldnt have used pgp?
-
Glad I'm on a Mac using GPG Tools. I'm no expert, but I'm pretty sure that's at least a little better than PGP Key on a Windows platform. Also, I think it's a bit of a stretch to say we're all doomed. Even if we assume the NSA/FBI can easily break any type of PGP encryption, do you really think they're going to sift through thousands if not millions of orders and PM's, cracking every single one to track down people who bought drugs at one time on SR and probably don't even have them anymore?
It is something to think about when we're all migrating to other sites like BMR, however. We certainly need to be as careful as possible, you can never be too safe. I just placed my first order on BMR today and noticed that it says above the address box that PGP encryption will already be used IF the vendor has posted a PGP key. I don't think this is a good idea on BMR's part, because this will make people think they don't need to still encrypt their address themselves. I'm just going to keep encrypting and keeping my Tor bundle updated, I feel fairly safe in that.
It's basically what you've said. When the FBI are going after drug cartels, who are they going after? The buyers, the sellers? The answer is neither. They are going after the supplier, the head of the chain. In the case of SR, it's the very same thing. No, we're not doomed. PGP or not. Maybe in 10 years, when they have sifted through EVERY piece of unencrypted information from both buyers and sellers AND put together a case of viable evidence against both buyers and sellers? I think not. Too much time, too much money, too much work that even the FBI will find not worth it. We're safer online than we are actually having our packages shipped, in the case they were seized by customs. Also, for the automatic encryption, it doesn't seem like many people have read the information on that. If you encrypt any info in the address/instructions box, that encryption will conflict with the original automatic encryption, leaving it to be a confusing mess that will not work. SO: If it is automatically being encrypted, do not encrypt it a second time! It may screw up your order!
This is bullshit!
The way encrytion works:
(message) -- encryption 1 -> (|e1| 90rjfn93hrfbeh |/e1|) -- encrytption 2 (auto) -> |e2| 387g4t[gbqi893ghwo |/e2|
Decryption:
(|e2| 387g4t[gbqi893ghwo |/e2|) -- decryption 2 -> (|e1| 90rjfn93hrfbeh |/e1|) -- decryption 1 -> message
(|e2| 387g4t[gbqi893ghwo |/e2|) -- decryption 1 -> "can't decrypt!"
(|e1| 90rjfn93hrfbeh |/e1|) -- decryption 2 -> "can't decrypt!"
Now that silkroads automatic encryption |e2| probably is compromised it provide a very nessesary layer of security to have this extra layer of encryption on any sensitive information you've sendt here on silkroad!