Silk Road forums

Discussion => Silk Road discussion => Topic started by: Limetless on August 17, 2012, 06:21 am

Title: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Limetless on August 17, 2012, 06:21 am
If you want to discuss a business proposal with me at length that is fine, but if you are going to send me your messages via Privnote then don't even bother fucking contacting me in the first place. Here's why -

1. I do not keep records because it puts my arse on the line. Privnote messages get destroyed, so it's hard for me to keep up with a conversation when we last spoke 5 days ago.

2. Privnote is not secure, even skimming through the forums you will find people saying "OMFG MY PRIVNOTE MESSAGE IS COMING UP AS ALREADY READ!?!?!" Three guesses why that is...

3. Stop being such a lazy fuck-wit and just learn how to use PGP so I can have your encrypted messages on file, so I can decrypt them and not have to say "So what was it you wanted again" 5 fucking times because you can't be arsed to answer me straight away.

If you want to do business then get fucking serious about doing business and don't fuck vendors around. We have enough to deal with without having to go over conversations again and again which just turns into some sort of never ending time-waste and thus we never get anything done.

Sort yourselves out and do so sharpish. From now on those that do this I will just ignore because I don't want your business.

That is all.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Limetless on August 17, 2012, 06:43 am
PRIVNOTE BLOWS!

+1 That makes it 360 now.

Guru

It blows, it pisses me off, it's insecure and it makes more drawn-out business discussion impossible. I'm banning people from using it to communicate with me apart from for giving me their addresses.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: johnwholesome on August 17, 2012, 06:47 am
Why anyone would use anything where you don't have complete control over the encryption key is completely beyond me....nuff said...
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: BlarghRawr on August 17, 2012, 06:59 am
I'm not entirely sure, but it's my impression that pre-encrypting the message that goes into the privnote, plus encrypting the link itself would make it secure.

The only time I would recommend this is when making a deal with a vendor on the side, though. Or if you need a reship, perhaps. In this way, the link can't be sniffed or stolen, and even if it is the message is still indecipherable. Plus, privnote won't have access to the true message contents either. On the other hand, if you need a message to not disappear, this isn't such a great idea.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: johnwholesome on August 17, 2012, 07:17 am
I'm not entirely sure, but it's my impression that pre-encrypting the message that goes into the privnote, plus encrypting the link itself would make it secure.
-snip-

I'm sure that's what the guys who used Hushmail to deal roids and got busted thought.

What this provider "says" their server does and what it "actually" does can be two very different things. For all I know their whole site just screams honey pot to me.

But hey, it says "self destruct" rite? That's gotta be safe! Like....Mission Impossible n shit!
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: BlarghRawr on August 17, 2012, 07:23 am
I'm not entirely sure, but it's my impression that pre-encrypting the message that goes into the privnote, plus encrypting the link itself would make it secure.
-snip-

I'm sure that's what the guys who used Hushmail to deal roids and got busted thought.

What this provider "says" their server does and what it "actually" does can be two very different things. For all I know their whole site just screams honey pot to me.

But hey, it says "self destruct" rite? That's gotta be safe! Like....Mission Impossible n shit!

You didn't quite understand what I said. Encrypting the message via PGP means that, even if privnote is storing data, it can't read the true contents. Encrypting the link via PGP means that, barring a compromised receiver, only the intended recipient can even find the link. Also barring any kind of cyber-spying, of course.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: johnwholesome on August 17, 2012, 07:35 am
I'm not entirely sure, but it's my impression that pre-encrypting the message that goes into the privnote, plus encrypting the link itself would make it secure.
-snip-

I'm sure that's what the guys who used Hushmail to deal roids and got busted thought.

What this provider "says" their server does and what it "actually" does can be two very different things. For all I know their whole site just screams honey pot to me.

But hey, it says "self destruct" rite? That's gotta be safe! Like....Mission Impossible n shit!

You didn't quite understand what I said. Encrypting the message via PGP means that, even if privnote is storing data, it can't read the true contents. Encrypting the link via PGP means that, barring a compromised receiver, only the intended recipient can even find the link. Also barring any kind of cyber-spying, of course.

Oh okay, gotcha now. Well yeah, PGP is PGP, I just dun see any sense in that approach. Might as well put an unlisted expiring PGP message on pastebin....
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: random0 on August 17, 2012, 08:02 am
I would only use privnote because it's the only thing I know that sends me a notification when the message has been read so I know for sure that it has been read - most likely by the recipient.

Are there any other options like this?

I tried readnotify.com but if remote images are not allowed by the recipient, it won't notify while the message can be read.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: DaMan on August 17, 2012, 09:53 am
2. Privnote is not secure, even skimming through the forums you will find people saying "OMFG MY PRIVNOTE MESSAGE IS COMING UP AS ALREADY READ!?!?!" Three guesses why that is....

No need for any 3 guesses, because there's just one way for that to happen: SR admins peek at users' inboxes.
Privnote is secure; however, the way you have to send the link is the problem.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Limetless on August 17, 2012, 09:56 am
2. Privnote is not secure, even skimming through the forums you will find people saying "OMFG MY PRIVNOTE MESSAGE IS COMING UP AS ALREADY READ!?!?!" Three guesses why that is....

No need for any 3 guesses, because there's just one way for that to happen: SR admins peek at users' inboxes.
Privnote is secure; however, the way you have to send the link is the problem.

So you don't think it's because LE peeks at privnote?
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: DaMan on August 17, 2012, 09:59 am
No, because that's impossible. Actually, if you check the Privnote source you'll notice it is all done at the client side by Javascript; the key (that part after the #) is never transmitted to their server, so not even they know it.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Limetless on August 17, 2012, 10:01 am
No, because that's impossible. Actually, if you check the Privnote source you'll notice it is all done at the client side by Javascript; the key (that part after the #) is never transmitted to their server, so not even they know it.

So why has it been read when I have sent the link encrypted then?
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: BlarghRawr on August 17, 2012, 10:04 am
No, because that's impossible. Actually, if you check the Privnote source you'll notice it is all done at the client side by Javascript; the key (that part after the #) is never transmitted to their server, so not even they know it.

So why has it been read when I have sent the link encrypted then?

This topic always makes me wonder one thing... namely, "What kind of retarded system allows LE a backdoor but doesn't disguise that fact?". And apparently the answer is privnote.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: DaMan on August 17, 2012, 10:07 am
No, because that's impossible. Actually, if you check the Privnote source you'll notice it is all done at the client side by Javascript; the key (that part after the #) is never transmitted to their server, so not even they know it.

So why has it been read when I have sent the link encrypted then?

The system burns the note once someone opens it, so it could be you checking if everything is ok before sending it.
There's no way for privnote to have a backdoor because the Javascript part is wide open, unless they brute-force the key inside, but if they do so, why burn the note? They could simply brute-force it, read it and keep it there.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Limetless on August 17, 2012, 10:10 am
No, because that's impossible. Actually, if you check the Privnote source you'll notice it is all done at the client side by Javascript; the key (that part after the #) is never transmitted to their server, so not even they know it.

So why has it been read when I have sent the link encrypted then?

The system burns the note once someone opens it, so it could be you checking if everything is ok before sending it.
There's no way for privnote to have a backdoor because the Javascript part is wide open, unless they brute-force the key inside, but if they do so, why burn the note? They could simply brute-force it, read it and keep it there.

No, that isn't possible. I created the link, copied it and then encrypted it with my key, and it came up as read by the receiver. It also had quite sensitive information about delivery locations to IRL customers too, so we had the location.

Sorry mate but despite what you say there isn't another explanation apart from it being backdoored. Nobody outside of the site could have read it.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: BlarghRawr on August 17, 2012, 10:12 am
No, because that's impossible. Actually, if you check the Privnote source you'll notice it is all done at the client side by Javascript; the key (that part after the #) is never transmitted to their server, so not even they know it.

So why has it been read when I have sent the link encrypted then?

The system burns the note once someone opens it, so it could be you checking if everything is ok before sending it.
There's no way for privnote to have a backdoor because the Javascript part is wide open, unless they brute-force the key inside, but if they do so, why burn the note? They could simply brute-force it, read it and keep it there.

No, that isn't possible. I created the link, copied it and then encrypted it with my key, and it came up as read by the receiver. It also had quite sensitive information about delivery locations to IRL customers too, so we had the location.

Sorry mate but despite what you say there isn't another explanation apart from it being backdoored. Nobody outside of the site could have read it.

Just one more reason I recommend encrypting the message that goes into the privnote.

Or not using it, apparently. I think I like that idea more, now.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: ProudCannabian on August 17, 2012, 10:14 am
No trust for those fuckers here.
There's a good reason to use PGP.  If you want something done right, do it yourself.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Limetless on August 17, 2012, 10:21 am
Yeah I mean if that happened to me quite clearly they are back-doored. Never using privnote again, what annoys me most is people try and talk shop through privnote and it makes it impossible to keep up when you send one privnote and then another one 5 days later when you have forgotten what they wanted in the first place. So yeah basically a security nightmare and a fucking ballache to have extended communication as well.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: DaMan on August 17, 2012, 10:32 am
I don't disagree that privnote is a shitty way to keep track of conversations, but back on the code, here it is:

https://privnote.com/static-1741/js/pack.js

you can check it... no backdoors there as far as I can tell.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Limetless on August 17, 2012, 10:36 am
There's no way for HUSHMAIL to have a backdoor because the JAVA part is wide open, unless they brute-force the key inside

this is also true but plenty of my friends are in jail because of hushmail

Yeah, like I said, there might not be any way, but it doesn't explain how that thing occurred for me. I'm the first to admit I know fuck all about coding, java, javascript or whatever-fucking-Trevor, but what I said happened to me did happen, so clearly there was some sort of foul play. If any of you tech-savvy cunts could explain it that would be lovely, but as far as I am concerned privnote is more bent than Spaghetti Junction.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: BlarghRawr on August 17, 2012, 10:45 am
There's no way for HUSHMAIL to have a backdoor because the JAVA part is wide open, unless they brute-force the key inside

this is also true but plenty of my friends are in jail because of hushmail

Yeah, like I said, there might not be any way, but it doesn't explain how that thing occurred for me. I'm the first to admit I know fuck all about coding, java, javascript or whatever-fucking-Trevor, but what I said happened to me did happen, so clearly there was some sort of foul play. If any of you tech-savvy cunts could explain it that would be lovely, but as far as I am concerned privnote is more bent than Spaghetti Junction.

It is possible to access the note with the improper decryption key. From there, a brute-forcing attempt could be made.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: DaMan on August 17, 2012, 10:48 am
JAVA and JAVASCRIPT are totally different; despite the unfortunate name choice by Netscape, they are nothing alike.
JAVA is a full-featured coding language, a piece of shit as the JVM makes it dead slow, which is the reason Steve Jobs kept it out of the iPhone: either you're a coder or you aren't, code C or go stick your object packs up your ass.
JAVASCRIPT is a web-oriented client-side scripting language, well limited and mostly secure. The worst to be expected from it is XSS (Cross-Site Scripting: using a script at one site to cast requests to another), but no OS operations or connections on its own (Java and Flash do connect on their own; that's what makes them unsafe).

Back on privnote, a privnote URL is formed as https://www.privnote.com/n/<MESSAGE ID>/#<KEY>
The "#" symbol means an anchor link, not sent to the server by your browser, unlike if it was a "?", which stands for a var. This means that in the server log will appear:

[ DATE ] - IP - GET /n/<MESSAGE ID> Browser, etc...

and NOT

[ DATE ] - IP - GET /n/<MESSAGE ID>/#<KEY>

The key part can be brute-forced, and given it uses a fixed length it narrows the possibilities; as it is AES, the brute-force will depend on the message size. A simple "hello" will be cracked in seconds, a huge text will take days, years, eternity...
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Turkey for Breakfast on August 17, 2012, 11:52 am
2. Privnote is not secure, even skimming through the forums you will find people saying "OMFG MY PRIVNOTE MESSAGE IS COMING UP AS ALREADY READ!?!?!" Three guesses why that is...

Also quite possible, even probable that these idiots opened the privnote and destroyed it before sending it to you while trying to proofread their bullshit message.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Limetless on August 17, 2012, 11:54 am
2. Privnote is not secure, even skimming through the forums you will find people saying "OMFG MY PRIVNOTE MESSAGE IS COMING UP AS ALREADY READ!?!?!" Three guesses why that is...

Also quite possible, even probable that these idiots opened the privnote and destroyed it before sending it to you while trying to proofread their bullshit message.

I sent it to them and I didn't open my own link.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Turkey for Breakfast on August 17, 2012, 12:16 pm
Maybe messages they tried to read twice? Possible that something gets read, then the person finds the link again and thinks for some reason it is a different message and tries to re-open it? It seems like there are other explanations than LE is all over privnote. I'm not saying it's impossible, just that it isn't necessarily the case.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Hydro2 on August 17, 2012, 02:25 pm
If you copy the Privnote link to where you want it to go, it's still in the browser, and if you copy it somewhere to check it or whatever, it will come up as already read for the original recipient.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: johnwholesome on August 17, 2012, 02:45 pm
So, I just created a note with a 2,000 word text, and this is the key: #tsliwxwzckcnervs

I would use this type of security for.....nothing. An unsalted 16 letter key, no special characters, no numbers nothing. That and the "promise" by some unknown entity that your data is destroyed once it's read.

The security of privnote itself is about good enough for some school kids to exchange cheat sheets for school tests, that's about it. So you'd have to PGP your message, for what? A message read notification.

You'd basically sacrifice any and all means of message management. As Lim keeps repeating, how are you gonna have any meaningful conversation this way???

As a matter of fact, if anything, you might even prompt people to do stupid shit like printing messages out for use at a later time or whatever. If you can use PGP already to send a PGP'ed message then using Privnote makes no sense whatsoever.

Of course people are always hyped about "I wanna know if it was read" but ask yourself this, what good is a "message read" notification if the other party still simply doesn't answer? What is the real benefit? If they dun answer they dun answer, and whether you know if they read your message or not might "feel" different, but factually it doesn't make a change in your situation, namely, no answer.

Privnote ranges from useless to outright dangerous on here.

Just my 2 cents...
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Hydro2 on August 17, 2012, 03:24 pm
Well... I'm convinced. I am having a hard time with it, but I will keep trying to make it work; I am missing a step and will take the time to figure it out.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: mito on August 17, 2012, 03:52 pm
https://privnote.com/n/fypcawznxiktxvhk/#cxdhzvdeevmisozw
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Turkey for Breakfast on August 17, 2012, 03:53 pm
Well... I'm convinced. I am having a hard time with it, but I will keep trying to make it work; I am missing a step and will take the time to figure it out.

Hydro, what are you having a hard time with? If it's privnote, I don't understand; it's pretty straightforward. If it's PGP, there are plenty of resources on here to help you. What is the problem you are having? I could possibly help you.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: DaMan on August 17, 2012, 05:28 pm
So, I just created a note with a 2,000 word text, and this is the key: #tsliwxwzckcnervs

I would use this type of security for.....nothing. An unsalted 16 letter key, no special characters, no numbers nothing. That and the "promise" by some unknown entity that your data is destroyed once it's read.

The "trick" with AES isn't to figure out the key; the key is pretty simple, but you need to test them one by one, and that's where the text length makes a difference. Not much anyway; privnote security isn't designed to last much longer.

Shannon,
Surely, nothing against PGP, and it is surely much better than 1000 privnotes. That was just to not mix up Java and Javascript; they aren't the same at all.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: Twelve_Pickles on August 20, 2012, 09:29 pm
There are vendors that don't use PGP. I asked one about this and they said they 'moved between computers a lot' and 'could make a temporary one just for me.' I couldn't believe the bullshit. Just screamed Scam/LE.

if anyone wants to know the vendors name. PM me.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: pine on August 21, 2012, 12:13 am
I don't disagree that privnote is a shitty way to keep track of conversations, but back on the code, here it is:

https://privnote.com/static-1741/js/pack.js

you can check it... no backdoors there as far as I can tell.

I don't think you're familiar with how the Hushmail exploit worked. Guru has a good description of the process if you search his posts. Actually, here it is quoted in full:

Those comments you quoted above from the SR Wiki remind me of nothing so much as some of the comments with respect to security made by Hushmail, reproduced below. Just in case you were not aware, Hushmail is a so-called privacy-oriented email service with its HQ located in Vancouver, BC, Canada.


Quote
Hushmail's FAQ, archived at the Internet Wayback Machine as of February 15, 2001

http://web.archive.org/web/20010215014607/http://www.hushmail.com/about_hushmail/faq/#gq33

34. Does HushMail have a "back door" that can be accessed by government agencies?

No. Email, which includes attachments, sent between Hush users is completely encrypted.

35. What if my message is subpoenaed?

Hush will answer valid, court-issued subpoenas. However, if the mail is fully encrypted, the subpoenaed version will not resemble the original text version.

On or about April 3, 2002, Hush revised their FAQ to make their claims even more explicit:

Quote
http://web.archive.org/web/20020403213419/http://www.hushmail.com/about_hushmail/faq/#messagesubponaed

Does HushMail have a "back door" that can be accessed by government agencies?

No. Email, which includes attachments, sent between Hush users is completely encrypted.

What if my message is subpoenaed?

Hush, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even Hush can access the encryption keys of individual users, in the case of a subpoena Hush would only be able to provide the encrypted (coded) version of the transmitted email.

So, as you can see the claims Hush were making were pretty damn specific, even explicit. They damn-near guaranteed their users that, if the government came a-callin', the WORST that could happen would be that the Feds would get their hands on securely-encrypted emails.

Needless to say, that isn't what happened, not by a longshot. Far from turning over encrypted emails, Hushmail turned over to the DEA in excess of 100,000 DECRYPTED emails on an unspecified number of customers.

Users flocked to Hushmail based on several factors:

1) Hush promised security. After all, Hush was located in Canada, and moreover, boasted servers in such faraway places as Ireland and Anguilla (known as a tax haven.)

People thought these overseas server locations put Hush's servers out of the reach of the long arm of the American authorities.

2) Hush benefitted from the enormous goodwill attached to the PGP brand, not to mention its reputation for robust security. In addition, they also had Phil Zimmermann's endorsement (Phil is the original PGP developer.)

3) Finally, perhaps the trump card in Hush's deck, was the fact that their system boasted unsurpassed ease-of-use. To use Hushmail, you didn't NEED to know ANYTHING about encryption in general, or PGP in particular.  The system transparently encrypted (and decrypted) email sent from one Hush user to another. From the users' perspective, it was secure, it was easy to use, and it didn't cost an arm and a leg to subscribe.

Is it any wonder that, given all these advantages, that American illegal steroid manufacturers/traffickers, not to mention their Chinese bulk steroid powder suppliers, made Hushmail their email provider of choice?

What none of these people realized was that Hush was breaking one of the cardinal rules of public key encryption -- that is, the separation of public and private key-pairs. As their system was set up, Hush stored both the public and private halves of the PGP keypair for you. Hush touted the fact that your private key was protected by your passphrase, and that without your passphrase, your email was secure.

Well, that turned out not to be the case. Hush used a Java applet to carry out both encryption and decryption on the user's machine. Hush already had both halves of the users' PGP key-pairs; all they needed to totally compromise the users' security was their passphrase.

Every time you login to a Hushmail account, you get a message to the effect that a copy of the Hush Java applet is being downloaded, and that this may take up to 3 minutes. Regular users, that is users not named in a subpoena, got the regular Java applet, and remained secure.  Users named in a subpoena, got a poisoned Java applet modified so as to capture the user's passphrase and convey it along to Hush. With the user's passphrase, and the private half of their PGP key, it was a trivial matter to decrypt all their email.

A DEA spokesman actually boasted to an American media outlet that the DEA had obtained in excess of 100,000 decrypted emails. To the best of my understanding, prosecutions arising from Operation Raw Deal in 2007 were still proceeding as late as 2011.

If you learn nothing else from this, please remember that promises made by third parties are, for the most part, meaningless, worthless, even.

You need to take your security into your own hands. That is why PGP is _so_ important. A great many people trusted Hushmail and got burned as a result.


What happened is that 'persons of interest' were given different code to everybody else. This is how LE managed to obtain the passphrases of their suspects.

Similarly with Privnote, just because that JavaScript does 1 thing now does not mean it won't do something else in future for specific users.

There *are* exploits using JavaScript which can deanonymize you on the Tor network. Just because you cannot access the hard drive using JavaScript alone, does not mean it is a non-issue. Seeing as requests from exit Tor nodes are trivial to spot, that makes a possible exploit from Privnote something to be taken seriously.

Finally, just because we may not work out how precisely this exploit is to take place (for all we know, it already has been used), does not mean we should stick up for anybody using that service.

In my eyes, anybody using Privnote is a potential LE agent until shown otherwise. 

Secondly, anybody using Privnote, even if they are not a LE agent, must have a single digit intelligence quotient, and so you shouldn't do business with them anyway.

Thirdly, anybody suggesting Privnote may be an appropriate idea for *anybody* is somebody with a highly suspicious suggestion, so to be perfectly forthright that includes yourself.

Hushmail was known to be insecure and suspect long before factual evidence arrived. In the black market, you rely on your intuition as much as your logic; people who don't get cocky, overconfidently believing they're criminal supergeniuses, and those people should be avoided like the fucking plague.
Title: Re: Paranoid idiots that want to talk business stop doing this - PRIVNOTE
Post by: johnwholesome on August 21, 2012, 04:02 am
^
Amen to that

+1