Security Precautions

[Defcon]

I am very confident that no security breach has occurred on the marketplace, but I am taking measures to ensure everyone's safety regardless.

Private messages on the forum older than seven days will be deleted within the next 12hrs. If you need to save a message, do NOT save it in plaintext. Encrypt everything always.

Private messages, withdraw histories, and finalized/cancelled orders on the marketplace older than 21 days will be deleted within the next 12hrs as well.

As your interim leader, expect many more announcements during the break as I continue to get up to speed on where DPR left off.

Be safe, encrypt everything always, never send anyone your true personal details. Let's try to have a happy holiday.

[whomp]

DO WHAT YOU GOTTA DO !

[DoctorClu]

Good to see your increased presence of late, Defcon. Thank you for the heads-up.

[PeachMary]

In the meantime, this YouTube video is an excellent primer on OPSEC for buyers, sellers and freedom seekers:

OPSEC for Freedom Fighters  (The Grugq - OPSEC: Because Jail is for wuftpd)

CLEARNET     Video:  http://www.youtube.com/watch?v=9XaYdCdwiWU

CLEARNET     Transcript:   http://privacy-pc.com/articles/hackers-guide-to-stay-out-of-jail-opsec-for-freedom-fighters.html

[Strike V]

careful now....

[eightoeight]

thanks for the heads up.

[BioGen]

Defcon..

im here to serve.You need anything IM me through pgp.


KING IS DEAD,LONGLIVE THE KING!!

PLEASE MAKE AN APPREANCE AT THE GREEN CAMEL CHRISTMAS PARTY!!!

BG

[Anything You Need]

I can not wait for more updates  this shit scares the hell out of me Peace and Love do not give up on us yet. We will all survive this trial!

[CaptainWhiteBeard]

I am very confident that no security breach has occurred on the marketplace, but I am taking measures to ensure everyone's safety regardless.

Private messages on the forum older than seven days will be deleted within the next 12hrs. If you need to save a message, do NOT save it in plaintext. Encrypt everything always.

Private messages, withdraw histories, and finalized/cancelled orders on the marketplace older than 21 days will be deleted within the next 12hrs as well.

As your interim leader, expect many more announcements during the break as I continue to get up to speed on where DPR left off.

Be safe, encrypt everything always, never send anyone your true personal details. Let's try to have a happy holiday.

Excellent precautions. So pleased the market place is safe. You should make an appearance in the green camel tonight, will raise morale

[smity1020]

Thank you defcon, have a good holiday!

[Strike V]

Why not wipe all the messages? Everyone can save what they want and then wipe the slate clean.

[SunshineDaydream]

Def's been checking in as promised.

[BioGen]

CAPTAINWHITEBEARD

invite already sent.So glad the real silkroaders are here to stay!

BG
LOVE YOU CAPTAIN = LEGEND

I am very confident that no security breach has occurred on the marketplace, but I am taking measures to ensure everyone's safety regardless.

Private messages on the forum older than seven days will be deleted within the next 12hrs. If you need to save a message, do NOT save it in plaintext. Encrypt everything always.

Private messages, withdraw histories, and finalized/cancelled orders on the marketplace older than 21 days will be deleted within the next 12hrs as well.

As your interim leader, expect many more announcements during the break as I continue to get up to speed on where DPR left off.

Be safe, encrypt everything always, never send anyone your true personal details. Let's try to have a happy holiday.

Excellent precautions. So pleased the market place is safe. You should make an appearance in the green camel tonight, will raise morale

[SunshineDaydream]

I wiped my few saved ones yesterday 

[Defcon]

I'll try to swing by the Camel - thank you for the invite. Do I get a VIP wristband?

Why not wipe all the messages? Everyone can save what they want and then wipe the slate clean.

No private messages have been compromised, and the servers are very secure. If there were any evidence otherwise, I would most certainly wipe way more than just private messages.

I am considering ways of expiring unencrypted messages quicker than encrypted messages, but don't want to commit to that just yet.

[murderface2012]

Props Defcon!!
We will prevail!!
Long live SR!!

[budmart]

Happy Holidays to everyone. See y'all in a week!

[vince]

People need to stop relying on SR for security.

The admins do what they can, but they are not there to fully secure you.  Setup tor correctly, learn to use PGP, and deal with trusted members

[knuckles]

Hopefully all this will minimize any other damage.  Loads of crappy news this month to end the year on a bad note.

[BioGen]

DEFCOM

there are lines racked up waiting.me you and whitebeard!

please pop over CAPTAINWHITEBEARD  is keeping morale high we owe him a lot mate

LOVE SR

BG

[lithonius]

It would be great if the PM the fucktard vendor on the marketplace sent me in plain text with the tracking # for my order, was deleted. I didn't even ask for tracking (never do..) and it was sitting in my inbox plain as day. I really hate that shit, and it was from a TOP vendor on SR too. Very surprised.

Is there a way I can request this to be removed from my buyer profile while the admins are cleaning house on the backend of the marketplace? I can provide my buyer name in a PGP message via the forums to a mod that can assist if that's even possible.

Obviously, if the site was ever compromised by LE, and they read the PM's on my buyer account, the tracking # would give an instant address to my drop location. At least I have that security in place....not using my real address, but still...OPSEC people! ffs..

[InspectorNorse]

Thanks for the update again defcon, see you over at the green camel

[arctic]

I am considering ways of expiring unencrypted messages quicker than encrypted messages, but don't want to commit to that just yet.

It would be great if the author could set an expiration/deletion time. Snapchat-esque. The message deletes itself after the set time.

[InspectorNorse]

I am considering ways of expiring unencrypted messages quicker than encrypted messages, but don't want to commit to that just yet.

It would be great if the author could set an expiration/deletion time. Snapchat-esque. The message deletes itself after the set time.

Pretty sure the old SR market place had that feature, but it would be deleted after about 2 months lol

[CaptainWhiteBeard]

I'll try to swing by the Camel - thank you for the invite. Do I get a VIP wristband?

Why not wipe all the messages? Everyone can save what they want and then wipe the slate clean.

No private messages have been compromised, and the servers are very secure. If there were any evidence otherwise, I would most certainly wipe way more than just private messages.

I am considering ways of expiring unencrypted messages quicker than encrypted messages, but don't want to commit to that just yet.

Thanks Defcom, there is a drink waiting!
You certainly get a VIP wristband but you have to come the main bar and slum it with us normals

[Green-Machine]

Thanks for the update interim leader!

There is one concern on my mind however.....

How do we know that *you* are not compromised? If DPR's account was compromised (which it definitely appears to have been) then we must assume that your account can have legitimately been compromised as well.

You see my logic on this issue yes? Reassurances would be helpful and recommended in this regard.

[Magic Man]

Nice to see someone step up to the helm to guide this ship because it's a rocky course.

[oracle]

Subbed

[PerfectScans]

Nice work Defcon !!

Grab the oars men.

[Strike V]

Subbed

I haven't seen a smiley face from you in awhile.

[lovefortree]

thanks for the update and keeping us safe!!!!!

[amb3r]

Happy holidays and stay safe Defcon.

[Xanaxman]

In Defcon i trust... what choice do i have, godspeed and long live the road, (insert inspirational speech here)....
and furthermore.... Stay safe everyone merry christmas to all!

[supercanuck]

Is this the end or what?
  I want to order some drugs. that's all.

[mAlpha]

I am considering ways of expiring unencrypted messages quicker than encrypted messages, but don't want to commit to that just yet.

It would be great if the author could set an expiration/deletion time. Snapchat-esque. The message deletes itself after the set time.

Pretty sure the old SR market place had that feature, but it would be deleted after about 2 months lol

Even if they were deleted, if the Feds have access to the server they can still recovery everything.

[Lomond]

Subbed

[Fluffhead!]

Thanks, Defcon.

Keep the ship sailing. Godspeed.

[LoveUnderWill]

I was really worried we were manning a ghost ship. Very glad to see some return to order.

So what is this green camel thing? Sounds like the place to be.

[CaptainWhiteBeard]

I was really worried we were manning a ghost ship. Very glad to see some return to order.

So what is this green camel thing? Sounds like the place to be.

Here mate - http://silkroad5v7dywlc/index.php?topic=5425.1035;topicseen

[ChipDouglas]

This is all playing out as planned.

"Plan Obfuscate"

Keep everyone guessing (especially Leo), and make the transition right at Christmas break.

A few days back I hypothesized that this was all part of an elaborate rouse to pass the torch.

I feel the DPR that started 2.0, is A-OK, and will go quietly into the Christmas night.

Everythings gonna be allright.

Merry Christmas fellow travelers.

~  Chip  ~

[the ice]

Very glad to see Defcon running things now! He actually seems like he is onto it and knows what he is doing. His updates are also very reasurring.

[Baraka]

+1

An absolute fucking must!!! I posted these exact same links on the old forums. They can't be shared enough or watched enough. The Grugq is the shit!

In the meantime, this YouTube video is an excellent primer on OPSEC for buyers, sellers and freedom seekers:

OPSEC for Freedom Fighters  (The Grugq - OPSEC: Because Jail is for wuftpd)

CLEARNET     Video:  http://www.youtube.com/watch?v=9XaYdCdwiWU

CLEARNET     Transcript:   http://privacy-pc.com/articles/hackers-guide-to-stay-out-of-jail-opsec-for-freedom-fighters.html

[Nightcrawler]

+1

An absolute fucking must!!! I posted these exact same links on the old forums. They can't be shared enough or watched enough. The Grugq is the shit!

In the meantime, this YouTube video is an excellent primer on OPSEC for buyers, sellers and freedom seekers:

OPSEC for Freedom Fighters  (The Grugq - OPSEC: Because Jail is for wuftpd)

CLEARNET     Video:  http://www.youtube.com/watch?v=9XaYdCdwiWU

CLEARNET     Transcript:   http://privacy-pc.com/articles/hackers-guide-to-stay-out-of-jail-opsec-for-freedom-fighters.html

The man (Grugq) if a fucking treasure, if there ever was one.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.  --Friedrich Schiller

[AfricanCanadianBrotha]

Why not wipe all the messages? Everyone can save what they want and then wipe the slate clean.

i agree delete all message and transaction older then 5 -8 days

[AfricanCanadianBrotha]

hey defcon or any one who would know if i had problems with being locked out of account before support pretty much went down will i still get support to get my btc that were in locked account

[lithonius]

Why not wipe all the messages? Everyone can save what they want and then wipe the slate clean.

i agree delete all message and transaction older then 5 -8 days

Wipe transactions older than 5 days? LOL..

[AfricanCanadianBrotha]

Why not wipe all the messages? Everyone can save what they want and then wipe the slate clean.

i agree delete all message and transaction older then 5 -8 days

Wipe transactions older than 5 days? LOL..

well i forget sometimes international shipping can take 14-15 days i guess i didnt think that one out

[the g0dfather]

Thanks defcon, this is what we needed. YOU giving us some legitiment information. again, thanks.

[psilocyberbully]

Why not wipe all the messages? Everyone can save what they want and then wipe the slate clean.

i agree delete all message and transaction older then 5 -8 days

Wipe transactions older than 5 days? LOL..

Or wipe after finalization

[43percenter]

Subbed

Excuse my complete ignorance, but what does this mean?  I even researched it myself and found zilch.   I had somebody respond *subbed* to one of my posts and I wasn't sure whether to take that as a compliment or a "shut the fuck up, motherfucker."    LOL.     

[charas]

^subscribing to the thread, its then easy to find replies by using 'show new replies to your posts' on top left of the screen.
C

[giancarlo]

I love these security measures!  I assume this wipes out our buyer stats for all those transactions over 21 days though?  Small price to pay but just curious.

[Kooch]

subbed please.

[rptl2k4]

DO WHAT YOU GOTTA DO !

This made me laugh so hard for some reason

[baller69]

Thanks Def...  SO are the reports about DPR true? 

 I hate conspiracy like this... LE deploying their 2 favorite tactics: Fear and lies

It's like V for Vendetta and it may just end the same way.   Please stay safe everyone.

[greenfields1]

NOT GOOD! 

. “Libertas, Inigo and Synergy (aka, SSBD) have been arrested,” user vytvy wrote in the thread "Stay The Fuck Away From Silk Road." "They were likely found because they handed over their dox to DPR1, aka Ulbricht. All three of them are irresponsible and jeopardized the safety of EVERYONE here by continuing to promote a black market when their 'boss' is incarcerated. It is absolutely shocking that their hubris and greed allowed them to take such a risk. They literally handed over their real life identities to Ulbricht then went on to create/support SR2, despite knowing full well that they were COMPROMISED. That's right. Libertas, Inigo and Synergy KNEW THEY WERE COMPROMISED the day SR1 was taken down.”

[Defcon]

Thanks Def...  SO are the reports about DPR true? 

Which reports? Which DPR?

[Whatthefuck420]

DEFCON he's talking about some fake link some guy posted below.... Im guessing. THANKS FOR ALL YOUR HARD WORK DEFCON. MERRY CHRISTMAS.      ( title of his link said : Silk Road owner shot down in gun battle << FAKE)

[AfricanCanadianBrotha]

DEFCON he's talking about some fake link some guy posted below.... Im guessing. THANKS FOR ALL YOUR HARD WORK DEFCON. MERRY CHRISTMAS.      ( title of his link said : Silk Road owner shot down in gun battle << FAKE)

lol any one who believed that article is  fucking stupid in the first place and also it is a joke u can tell for sure towards the end and if ur smart enough towards the beaning

[ChipDouglas]

I wiped all PM's and also went though my posts. Removed those meth rants where I tell just a little bit more than I should

[El Jefe]

Thanks for the update
do what has to be done and we will return stornger than ever

[Meerkovo]

Thanks Def...  SO are the reports about DPR true? 

Which reports? Which DPR?

Defcon, just pondering a thought, in the event an admin/mod arrested/compromised, etc,....they are coerced into cooperating, where does that leave site security, I mean, can they give away server locations and what not?


M

[Sunnyvale]

Thanks Def...  SO are the reports about DPR true? 

Which reports? Which DPR?

Defcon, just pondering a thought, in the event an admin/mod arrested/compromised, etc,....they are coerced into cooperating, where does that leave site security, I mean, can they give away server locations and what not?


M

I second that pondering thought

[5hydroxytryptophan]

It would be great if the PM the fucktard vendor on the marketplace sent me in plain text with the tracking # for my order, was deleted. I didn't even ask for tracking (never do..) and it was sitting in my inbox plain as day. I really hate that shit, and it was from a TOP vendor on SR too. Very surprised.

Is there a way I can request this to be removed from my buyer profile while the admins are cleaning house on the backend of the marketplace? I can provide my buyer name in a PGP message via the forums to a mod that can assist if that's even possible.

Obviously, if the site was ever compromised by LE, and they read the PM's on my buyer account, the tracking # would give an instant address to my drop location. At least I have that security in place....not using my real address, but still...OPSEC people! ffs..

Defcon, I second that motion to erase all the PMs on the marketplace; I had a similar situation occur.  Seems some vendors disregard good OPSEC and are bothered by using PGP. 

[aussieoutlaw]

All messages are still there why talk shit

[mbeki]

subbed

[MisterSister]

Subbed

Excuse my complete ignorance, but what does this mean?  I even researched it myself and found zilch.   I had somebody respond *subbed* to one of my posts and I wasn't sure whether to take that as a compliment or a "shut the fuck up, motherfucker."    LOL.   

Abbreviated form of "subscribed."  In other words, when you "sub" in a thread, you can always see the updated posts in your subscribed threads.

[giancarlo]

What bothers me most about this whole deleting of PM's on SR2.0 thing is that, first I think it's a FANTASTIC idea, but more importantly, we have been SCREAMING what an absolute OPSEC issue this has been from day 1 in the Security forum.  The fact no one has been able to delete messages from day 1 is basically criminal (no pun intended).  I now struggle to understand what the delay was to ever flip the switch on such a basic site function.  I want to believe it was simply a low priority feature that was being worked on but look back on all th threads on this subject and I think it was a difficult argument, to put it lightly, to say this wasn't an absolutely critical feature that should have been addressed well before the new site went live.  Things that makes you go hmmmmmm.

[TheWeeMan]

My view would be that its a sitting duck. A database full of incriminating evidence between buyers and vendors just waiting to be comprimissed at any point :O am I being paranoid???

[bigheadsquirt]

I have often questioned whether this is safe or not too. Good thread, once a transaction is finalized with success, then all info is not needed even encrypted messages sent thur site right? I am not techie, just simply staitng the obvious that, and all info could be used theoretically against vendor or buyer possibly?? No Lawyer either just a dumb ass but that my two cents..

[ARCH]

Private messages on the forum older than seven days will be deleted within the next 12hrs. If you need to save a message, do NOT save it in plaintext. Encrypt everything always.

Private messages, withdraw histories, and finalized/cancelled orders on the marketplace older than 21 days will be deleted within the next 12hrs as well.

Nothing  yet.
Why DEF?

[bigheadsquirt]

Yes i have to agree, Please V , However non-important this thread may seem to Admin, and or Mods, Does the Communities Voice Not Matter. I thought we are all part of this together. Please address these issues, i for 1 and many others think that leaving these communications on the site, with NO Delet Feature available is very concerning. I know you all are very busy, but please i have started to wonder if this issue will continue to be avoided until it is too late. i just hope to see some of you actually addressing our issues and concerns and not just ignoring us. I know you posted on this subject recently and i did read this thread, however i saw nothing about orders that are considered successful, on both buyer and vendor end. Also i notice i have to ask my vendors to PGP ALL Communication now, because the first time i did not, he sends over info that i payed for in cleartext, what an idiot. I will not mention  any names, however i will say he has sold alot of thes type items to a 150 or more buyers and i am not sure if he sent it plaintext to us all???. I have discontinued use of these products because even though they are legit, they also could lead to locations of every buyer, who uses these items. I will send a more detailed private message if asked by a Admin to elaborate. I just do not want to put out sensitve info on forums that can be used against any of us.

[ChemCat]

Personally, i believe that it would be better if it was mandatory to use PGP...if people cannot take 1 hour to learn to use PGP then they should not be here...for their safety...Listen..how many of you remember all of the people that simply refused to use or at least learn PGP..then we never seen them again..in my own opinion all msg's here on the forums as well as Every msg on the main site (marketplace) should be encrypted by the users..not by the server..ya know??  Safety people..safety... i'd like to see you All around here for a long time...and not end up like the proverbial "Hanging Fruit"  ya know?

Hugs 


Chem


 

[ChemCat]

being able to delete your msg's from your inbox should be a feature...i agree...

what other features are ya'll lookin for?  I ask this because it would be nice to hear your input....let's keep this tidy...and not all willy nilly...Please 


Hugs 


Chem

 

[V]

Regarding deletion of messages:

Already, you are able to delete all posts/PMs you make within the walls of the forums.

In terms of deleting messages on the actual market site, I'd suggest keeping an eye out for the new feature announcement which will be published at around the time the market re-opens.

V

[Euphoria]

That's good news I'm glad that everythings finally coming around. I'm excited for the announcement, could the btc add. generator be coming as well?

[offmyr0ck3r]

i hope the delete messages feature is added

[vince]

Would it be possible to ingrate a feature that automatically encrypts unencrypted messages with the receivers PGP key?

[holog1n]

Personally, i believe that it would be better if it was mandatory to use PGP...if people cannot take 1 hour to learn to use PGP then they should not be here...for their safety...Listen..how many of you remember all of the people that simply refused to use or at least learn PGP..then we never seen them again..in my own opinion all msg's here on the forums as well as Every msg on the main site (marketplace) should be encrypted by the users..not by the server..ya know??  Safety people..safety... i'd like to see you All around here for a long time...and not end up like the proverbial "Hanging Fruit"  ya know?

Hugs 


Chem


 

^This, Wise words as always my bro

[V]

Would it be possible to ingrate a feature that automatically encrypts unencrypted messages with the receivers PGP key?

This is possible, but it's something that smart markets avoid doing.

The reasons are many, but I'll highlight a couple of them for you here:

1) In order for the servers to encrypt your messages, they need to be able to 'read' them in plain text first. That doesn't mean staff would be able to read them, but you have to understand that in order for the server to encrypt the message, it would have to be sent at some point unencrypted. Now, let's say LE managed to take control of the market and altered the code... nobody would be any the wiser, but they could well tweak things so that server-encrypted messages could be scraped, read and saved.
In a nutshell: Trusting the server with encryption is, ultimately, trusting a 3rd party to handle your plaintext securely

2) Even though this feature would probably only be a 'just in case' measure, the fact that it existed would cause certain users to get lazy. And when you get lazy in one area of your security, you'll begin to get lazier in others - imagine getting used to the idea that the server will encrypt your messages, then sending plaintext over other markets' message systems out of habit, where this encryption doesn't exist.
In a nutshell: It forms bad habits and makes your security lazy

I completely agree that encryption should be more than just encouraged. But server-side encryption is not the responsible way forward

V

[Nightcrawler]

Would it be possible to ingrate a feature that automatically encrypts unencrypted messages with the receivers PGP key?

This is possible, but it's something that smart markets avoid doing.

The reasons are many, but I'll highlight a couple of them for you here:

1) In order for the servers to encrypt your messages, they need to be able to 'read' them in plain text first. That doesn't mean staff would be able to read them, but you have to understand that in order for the server to encrypt the message, it would have to be sent at some point unencrypted. Now, let's say LE managed to take control of the market and altered the code... nobody would be any the wiser, but they could well tweak things so that server-encrypted messages could be scraped, read and saved.
In a nutshell: Trusting the server with encryption is, ultimately, trusting a 3rd party to handle your plaintext securely

2) Even though this feature would probably only be a 'just in case' measure, the fact that it existed would cause certain users to get lazy. And when you get lazy in one area of your security, you'll begin to get lazier in others - imagine getting used to the idea that the server will encrypt your messages, then sending plaintext over other markets' message systems out of habit, where this encryption doesn't exist.
In a nutshell: It forms bad habits and makes your security lazy

I completely agree that encryption should be more than just encouraged. But server-side encryption is not the responsible way forward

V

Excellent points.  I had a run-in with the original DPR, over the voluntary nature of PGP encryption. I had hoped, when SR2 was established, that this would change, but lo and behold, DPR2 also stated that use of PGP, while encouraged, was once again, NOT mandatory.  I think that the time is finally ripe for a change, is it not?

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.      --Friedrich Schiller

[StringerBell]

Maybe learning pgp should be more encouraged on the marketplace with a direct link to a dummy instruction both on the message system and when inserting address after ordering?

Some creative thinking on handling the issue/fact that many customers who just want to score drugs don't even now what pgp are.

What should be mandatory thou is a pgp key from vendors.

[Nightcrawler]

Maybe learning pgp should be more encouraged on the marketplace with a direct link to a dummy instruction both on the message system and when inserting address after ordering?

Some creative thinking on handling the issue/fact that many customers who just want to score drugs don't even now what pgp are.

What should be mandatory thou is a pgp key from vendors.

I'm sorry, I think there's been enough pussyfooting around. The rule needs to be simple: if you want to do business here, you encrypt. If you don't want to encrypt, you don't do business here.

I remember DPR1 & DPR2... and how they clung to their Libertarian ideals... they didn't want to force anyone to learn to use encryption -- it should be voluntary. Only those big old nasty state entities ever forced people to do things, and we don't wanna be like them.  So, they remained true to their ideals, and look where it got them. I'd bet my last currency unit that, when the Feds finally got their hands on the server data, that they practically fell over laughing at these fucking fools, whose unrealistic policies led to the vast bulk of the data being in the clear.

I'll bet even the FBI were surprised (not to mention pleased) at just how much of it was unencrypted. I'll bet they simply could not believe their luck!

What in the name of God is it going to take to get those in authority here to realize that voluntary approaches simply DO NOT WORK!?  Even after the bust in October, when it was revealed that the server was seized, with reams of unencrypted data on it, we still see less than a 50% adoption of encryption. Sure, that's an improvement over the 10-20% adoption on the original, but it's still no where near acceptable.

It may offend some people's Libertarian sensibilities, but sometimes PEOPLE HAVE TO BE FORCED TO TO DO THE RIGHT THING.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.      --Friedrich Schiller

[Lief]

I sincerely hope that if there's anyone left here who's too stupid to spend an evening learning how to encrypt their address when ordering narcotics through the mail then they leave the darkweb markets for good right now.

We don't know the full extent of the feds' investigations into SR1 let alone SR2.

If they're only just getting around to rounding up and arresting admins, who knows who or what might be next.

There's been a lot of suggestion that there's at least one undercover agent operating at a high level within the SR hierarchy - for all we know with admin access to this day.

We simply don't know and treating the market as compromised and not sending your address unencrypted is the only way to proceed, if indeed you truly feel you must use the market at all.

As a dearly departed relative of mine used to say:

When you ASSUME you make an ASS out of U and ME.

Don't assume anything's safe. And learn PGP for fuck's sake.

[Kooch]

+1 NightCrawler. But how could it be required?

[Nightcrawler]

+1 NightCrawler. But how could it be required?

I suppose one could have a script trawling though the message and address databases looking for plaintext. I think that Defcon or V has already hinted at something similar.  I think that failure to encrypt should be dealt with with a 3-strikes rule: warning on the first offense, temp ban on the second, and loss of buyer/vendor privileges on the third.

Harsh? You bet -- but I think it's necessary. Before the bust in October, no hidden service was ever seized, with the sole exception of Tormail, and that was only because the hosting provider was taken down.  Prior to that, server seizure was only a remote possibility, so no one really took it seriously, except for security geeks like yours truly. Now we're staring reality in the face, and that reality is that millions of unencrypted documents are in the hands of the opposition. Only complete and utter fools would ever allow laxity in security to ever let this happen again. If users won't comply voluntarily, and there is little evidence that they will, then they will just have to be made to comply or get the fuck out.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.  --Friedrich Schiller

[Cornelius23]

… that reality is that millions of unencrypted documents are in the hands of the opposition. …

Millions? As in at least two million? Where did they come from?

[Nightcrawler]

… that reality is that millions of unencrypted documents are in the hands of the opposition. …

Millions? As in at least two million? Where did they come from?

Actually the figure was just over 1.2 million. That came from an affidavit.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.      --Friedrich Schiller

[James Frazer]

Actually the figure was just over 1.2 million. That came from an affidavit.

+1 (Not specifically for what you said, but just to encourage you to keep contributing your words of wisdom. TBH there's little else here that's worth reading.)

[Cornelius23]

… that reality is that millions of unencrypted documents are in the hands of the opposition. …

Millions? As in at least two million? Where did they come from?

Actually the figure was just over 1.2 million. That came from an affidavit.

Thanks for the clarification, although I think that figure was for the overall number of PMs (approximately 1,217,218) both encrypted and unencrypted. Not that any number of unencrypted messages is a good thing, of course.

[Nightcrawler]

… that reality is that millions of unencrypted documents are in the hands of the opposition. …

Millions? As in at least two million? Where did they come from?

Actually the figure was just over 1.2 million. That came from an affidavit.

Thanks for the clarification, although I think that figure was for the overall number of PMs (approximately 1,217,218) both encrypted and unencrypted. Not that any number of unencrypted messages is a good thing, of course.

You're right of course, I couldn't find the affidavit to check the exact figure, and naturally not all of the PMs would have been unencrypted. That said, figures I had seen quoted on SR1 by various vendors were that upwards of 80-90% of even address data was unencrypted. Even if you take the lower figure (80%) that still means that about  973,000 PMs would have been in the clear -- a massive haul by anyone's standards. This dwarfs, by almost an order of magnitude, even the Hushmail haul of 100,000 decrypted emails obtained by the DEA during Operation Raw Deal in 2007.

Add all this in with the other database information the got their hands on, plus what they could glean from the Forums, and they've got a pretty good damn picture of what is going on.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.  --Friedrich Schiller

[Cornelius23]

Thanks again.

I sometimes feel that I'm not always effectively hiding my diagnosis of Obsessive Compulsive Disorder

[flwrchlds9]

Never trust security to 3rd party.

Auto encrypt = BAD
Enforce encrypted message = GOOD

Would it be possible to ingrate a feature that automatically encrypts unencrypted messages with the receivers PGP key?

This is possible, but it's something that smart markets avoid doing.

The reasons are many, but I'll highlight a couple of them for you here:

1) In order for the servers to encrypt your messages, they need to be able to 'read' them in plain text first. That doesn't mean staff would be able to read them, but you have to understand that in order for the server to encrypt the message, it would have to be sent at some point unencrypted. Now, let's say LE managed to take control of the market and altered the code... nobody would be any the wiser, but they could well tweak things so that server-encrypted messages could be scraped, read and saved.
In a nutshell: Trusting the server with encryption is, ultimately, trusting a 3rd party to handle your plaintext securely

2) Even though this feature would probably only be a 'just in case' measure, the fact that it existed would cause certain users to get lazy. And when you get lazy in one area of your security, you'll begin to get lazier in others - imagine getting used to the idea that the server will encrypt your messages, then sending plaintext over other markets' message systems out of habit, where this encryption doesn't exist.
In a nutshell: It forms bad habits and makes your security lazy

I completely agree that encryption should be more than just encouraged. But server-side encryption is not the responsible way forward

V

[PEN15]

V makes the point very well with regards to server-side encryption. If LE compromise the server 1 single hook in the code is all that would be required to collect unencrypted addresses. You could do it client-side using JavaScript which would prevent your details ever being sent unencrypted to the server, but again if the server gets compromised there's nothing to stop them injecting .js which could potentially result in them having means to identify you. The only way to be completely safe is to get off your lazy ass and learn how to do it properly.

The quick and dirty solution therefore is:

if(!strpos($address,'BEGIN PGP MESSAGE')||!strpos($address,'END PGP MESSAGE')){die('You did not correctly encrypt your address. We are saving you from yourself!');}

[DrAdamCarl]

Subbed

Excuse my complete ignorance, but what does this mean?  I even researched it myself and found zilch.   I had somebody respond *subbed* to one of my posts and I wasn't sure whether to take that as a compliment or a "shut the fuck up, motherfucker."    LOL.   

It is short for "subscribed". meaning they have subscribed to the the thread so they may recieve notifications of new posts. so it makes it easier to read the threads you find most intresting by going to "show new replies to your posts"

[EL PACINO]

Just thought about it, it takes a lot to keep the city going. Thank god you are doing well. Chapeau Defcn!