Silk Road forums
Discussion => Security => Topic started by: metta on August 12, 2012, 05:08 pm
-
Hi everyone,
New here. I read on the wiki that SR encrypts messages as well as the address information sent to a vendor. Is the practice of using PGP for those who are ultra cautious? I'm not too paranoid about things, but I want to minimize my exposure. Any comments would be greatly appreciated ...
Oh, one other thing, what does LE mean?
-
Encryption is rather standard practice. You wouldn't want your address to fall into the hands of LE, would you?
-
PGP is vital if you don't want Law Enforcement (LE) to read your messages if they become compromised.
Here's a great tut to learn PGP.
http://p3lr4cdm3pv4plyj.onion/guides/kleotxt.html
-
Yeah, there are 2 PGP tutorials in my signature.
-
OK, thanks for the replies and counsel. I suppose whatever encryption method SR uses for addresses and messages isn't secure enough ...
-
Join PGP Club. Link in my Sig.
"Pity the Fool!" -- clinical observation by Mr T on those who don't learn PGP
-
Hi Guru,
Thank you for your detailed response to my query. This is all new to me so I am easily confused ... ;-)
What I was originally referring to was this quote from the SR wiki:
"Receiving address
From the moment you submit your order, to the moment it is displayed to your vendor, the information is fully encrypted and totally unreadable. Then, as soon as your vendor marks your package with the address and confirms shipment, the address is deleted forever and is not retrievable. For the extra cautious, you can encrypt your information yourself with your vendor's public key so that even we at Silk Road would be unable to view it, even if we wanted to. See below for more ways to be safe."
As I read this, SR encrypts one's address sent with an order to the vendor, so I thought perhaps this was protection enough. I've downloaded GPGtools for Mac, but it hasn't been updated for Mountain Lion and some things such as email are not working. There appears to be some other glitches as well . . . either that or I'm just not understanding how it works. I've taken up pine's offer to join the PGP Club and I've exchanged a couple of messages, but not correctly each time.
I'm usually pretty tech savvy, but this PGP thing is confusing for some reason. With pine's patience, though, I expect to finally get it sorted out.
By the way, is there some method to turning on formatting options in this forum?
metta
-
Hi Guru,
Thank you for your detailed response to my query. This is all new to me so I am easily confused ... ;-)
It is ok, you are a sunshine enjoying small friendly lizard visiting the black market Internet after all. :)
What I was originally referring to was this quote from the SR wiki:
"Receiving address
From the moment you submit your order, to the moment it is displayed to your vendor, the information is fully encrypted and totally unreadable. Then, as soon as your vendor marks your package with the address and confirms shipment, the address is deleted forever and is not retrievable. For the extra cautious, you can encrypt your information yourself with your vendor's public key so that even we at Silk Road would be unable to view it, even if we wanted to. See below for more ways to be safe."
As I read this, SR encrypts one's address sent with an order to the vendor, so I thought perhaps this was protection enough.
No it isn't, because (A) this could all be lies (we hope not, but it is possible) and (B) even if it was true LE could hack SR's website and conduct a long term man in the middle attack, basically intercepting as many addresses as possible. Using PGP prevents even SR Staff from knowing what messages say, which is infinitely better than trusting anybody. Trust is in short supply around here, we rely on cryptographic strength as opposed to trust here. Sort of similar to how Bitcoin works by cryptography instead of being backed by a government (trust).
I mean, you want to be in the situation where SR could get completely compromised, but LE has no information on you whatsoever apart from a useless nym which is not associated with your offline identity. Anybody who doesn't avail of such PGP protection is ultimately going to have a greater chance of getting busted.
I've downloaded GPGtools for Mac, but it hasn't been updated for Mountain Lion and some things such as email are not working. There appears to be some other glitches as well . . . either that or I'm just not understanding how it works. I've taken up pine's offer to join the PGP Club and I've exchanged a couple of messages, but not correctly each time.
I'm usually pretty tech savvy, but this PGP thing is confusing for some reason. With pine's patience, though, I expect to finally get it sorted out.
By the way, is there some method to turning on formatting options in this forum?
metta
Noooooooo! No formatting. Formatting bad! O_o
This would require the use of Javascript, which would hypothetically compromise your anonymity using various hacker tricks. You should have Javascript turned off on SR and SRF.
--
Anyway, I forget the exact details of what messages I sent, but get back to me if you've any problems and we'll sort them out.
-
pine and Guru . . . what can I say? Thank you so much for all the time you've spent in explaining things so clearly. I'm a very grateful noob, and one day I hope to be able to help others as you have helped me.
I did download the latest build, and I think I'm starting to get it. The interesting thing is I was trying to get everything to work here on the forum to no avail, but I understand now text has to be copied to TextEdit or some other text app.
Once I figure out the karma system, I will be happy to leave some ...
metta
-
Oops something went wrong. There was a problem creating your key.
-[ActionController gpgController:progressed:total:]: unrecognized selector sent to instance 0x101a274f0
This is the error message I get trying to generate a new key. I can't even get past the first step! I am using a mid 2012 MacBook and running Mountain Lion.
Any help would be greatly appreciated!
-
Hi Zissou,
I never had that problem—generating keys always went smoothly. I have a new Air and Mountain Lion and GPGtools. If you're using the same software, you might want to download it again since I read on the GPGtools' forum there were some glitches and they just did a new build. They also said they would have a Mountain Lion compatible release in the next few weeks, however, you only need that for the Mail app to work like it should.
Use the Uninstall app first just in case you have a corrupt file. There is an invisible folder in your User folder named .gnupg that for some reason is not deleted when you do the uninstall, so if you have an app that makes invisible files/folders visible, trash that folder. There's an app called Onyx that is a free maintenance app for OSX which allows you to change the visibility, but there are several other utility apps that can do this. Then do a reinstall.
I'm sure you thought of this, but just in case, when you generate your new key for SR use an alias since this name shows up in your public key. I'm sure the more experienced members here can provide better counsel on getting you up and running, but don't hesitate to message me if you think I can help.
metta
-
OK, thanks for the replies and counsel. I suppose whatever encryption method SR uses for addresses and messages isn't secure enough ...
I think what the problem is, is you are getting confused between the encryption provided by Tor and that provided by PGP/GPG.
While data is encrypted as it traverses the nodes in the Tor network, when it reaches its ultimate destination, whether that be an .onion address (like Silk Road or the Silk Road Forums) or whether it be a Tor exit node, the data has to be in the clear -- i.e. unencrypted. If it were not, you wouldn't be able to read what I'm writing to you right now. It's not at all that the encryption provided by the Tor network isn't robust or secure, it's just that it only provides protection to data in transit to its final destination.
PGP/GPG, on the other hand, is used to encrypt sensitive information, such as one's address sent to a vendor on Silk Road, or even one's PMs to other Silk Road users, whether on Silk Road proper or here on the Forums. The use of PGP in this case, is to restrict access to the data to only a few people at most.
If you pay attention to the tech news, you can hardly miss the rash of site break-ins that have taken place over the last few years. Vandals have made off with enormous amounts of personal information that was left unencrypted on any number of servers. The reason that I, Pine, Louis and a host of other people recommend the use of PGP/GPG, is to protect people's information in the case that either the SR Forum, SR proper, or your email provider is ever breached.
If Tormail is ever breached, I won't be shitting bricks like some people, because I know damn well that my emails are encrypted -- I've made sure of that.
NOBODY reads my email, but me.
Guru
I read a couple of them, but it was an accident. <3
-
Hi Zissou,
I never had that problem—generating keys always went smoothly. I have a new Air and Mountain Lion and GPGtools. If you're using the same software, you might want to download it again since I read on the GPGtools' forum there were some glitches and they just did a new build. They also said they would have a Mountain Lion compatible release in the next few weeks, however, you only need that for the Mail app to work like it should.
Use the Uninstall app first just in case you have a corrupt file. There is an invisible folder in your User folder named .gnupg that for some reason is not deleted when you do the uninstall, so if you have an app that makes invisible files/folders visible, trash that folder. There's an app called Onyx that is a free maintenance app for OSX which allows you to change the visibility, but there are several other utility apps that can do this. Then do a reinstall.
I'm sure you thought of this, but just in case, when you generate your new key for SR use an alias since this name shows up in your public key. I'm sure the more experienced members here can provide better counsel on getting you up and running, but don't hesitate to message me if you think I can help.
metta
I'm having trouble finding my User folder and the folder named .gnupg that is invisible. I am still new to Mac.
Oops something went wrong. There was a problem creating your key.
-[ActionController gpgController:progressed:total:]: unrecognized selector sent to instance 0x101a274f0
This is the error message I get trying to generate a new key. I can't even get past the first step! I am using a mid 2012 MacBook and running Mountain Lion.
Any help would be greatly appreciated!
Are you running the latest nightly build? You can get it at: https://nightly.gpgtools.org/GPGTools_Installer-latest.dmg
Remember Mountain Lion is new, and has added security features such as sandboxing, so it should come as no surprise that there are going to be a few issues, at least at first.
If installing the nightly build doesn't help, then get back to us, and we'll walk you through using the command line. While some people regard using the command line as a pain, it is the one common denominator between all platforms, whether they be Windows, Linux or Mac OS X.
Guru
I have installed the new nightly version, but still got the same error message. When I tried uninstalling, GPG keychain access is still running on my toolbar. I'm guessing I have to find that .gnupg folder and delete that after the Uninstall. Then try reinstalling. Where can I find the .gnupg folder?
-
I have installed the new nightly version, but still got the same error message. When I tried uninstalling, GPG keychain access is still running on my toolbar. I'm guessing I have to find that .gnupg folder and delete that after the Uninstall. Then try reinstalling. Where can I find the .gnupg folder?
Hi Zissou!
It is a hidden folder (google if you don't know how to unhide them) in your home directory, e.g. on Windows it would be something like C:\users\username or just ~username. Same thing with Linux, it will be in your home directory there too, /home/username or ~username, so it should be something similar for Macintosh. Note that sometimes this stuff gets hidden away in a folder for application data in this general region, so make sure you hunt around or do a search for it with the search for hidden files option toggled on.
-
I use gpg keychain. :D