Silk Road forums

Discussion => Security => Topic started by: olderfart on August 21, 2012, 10:54 pm

Title: Alternative to Privnote
Post by: olderfart on August 21, 2012, 10:54 pm
Let me start by saying that I am a well known person on the board and this is an alt account. I am using this account for reasons that I will not go into!

Privnote is not secure and lots of people complain about it.

How about an alternative to Privnote?

http://stwor3xcyasbopim.onion/

Simply put in the vendor's PGP key and the message and it will encrypt it and give you back the encrypted text.
You can download the code that does this from the page itself.

As someone will note, this is a security risk as it could be that the server captures the information and provides the unencrypted text with vendor key to the owner. (aka: me)
I wish there was a way I could prove what is running is what is in the tarball but there does not seem to be any foolproof way that cannot be faked.

It stores no information beyond a copy of the public key in its key ring and that gets wiped from time to time.

All I can give you is my word.
Title: Re: Alternative to Privnote
Post by: DrGonzoII on August 21, 2012, 11:26 pm
I am sorry, but since, as you pointed out yourself, there is no way to verify what this program is doing, it is not a heck of a lot safer than Privnote. The only difference is that if a fourth party intercepts the message, they will not be able to read it without the vendor's PGP key.

But at least with Privnote, if a fourth party intercepts the message, it would be deleted, and you would know that it was intercepted. Not that I am in any way advocating its use.

And although I can understand some of your reasons for using a shill account to post this, I must say, it's not really helping your case.
Title: Re: Alternative to Privnote
Post by: olderfart on August 21, 2012, 11:37 pm
DrGonzoII, the difference is that the vendor is not asked to go to a site that could compromise the vendor's safety.

This simply encrypts it and displays the encrypted text for the person to copy and paste.

As to me pointing out the fact that there is just no way to verify it, I did so as full disclosure.

It is also why I posted the source code; anyone can grab a copy, set up a VPS with a Tor or clearnet address and offer the service.
Title: Re: Alternative to Privnote
Post by: pine on August 22, 2012, 12:33 am
Quote
DrGonzoII, the difference is that the vendor is not asked to go to a site that could compromise the vendor's safety.

This simply encrypts it and displays the encrypted text for the person to copy and paste.

As to me pointing out the fact that there is just no way to verify it, I did so as full disclosure.

It is also why I posted the source code; anyone can grab a copy, set up a VPS with a Tor or clearnet address and offer the service.

What on earth are you talking about? Just because it is a hidden service and not clearnet does not make it much safer to use! I mean you're giving plaintext/public key pairs to a 3rd party.

That is a PHP script. By definition it is server side. Common-sense translation: You have to trust a 3rd party. 3rd party = Bad.

There is no, and can be no, evidence that this is not a malicious script stealing plaintext in a simple 'alongside' side channel attack. The provision of the source code could simply be a ruse to beguile the naive, because even if it is clean of exploitation, it does not follow that the script on the server side is the same code.

Other people could indeed use the non-exploitative version of the code on their servers. Guess what. I wouldn't trust them either.

From here on out, a new acronym that will almost certainly come in handy on these forums for future use:

JFUP   -   'jey eff up'

Just Fucking Use PGP.

And none of that "but some users don't/can't use PGP" rubbish. I have a ten year old family member who knows how to encrypt and decrypt text. It literally took less than 30 minutes for him to become fluent with encryption, signing et al. He is no supergenius either, albeit he's still a bright kid for a ten year old. You don't need to be smart to learn PGP (although you're smart if you know you need to be using it!), you just need to not be lazy, have adept computer skills coupled with a certain amount of persistence when things don't work as expected when you're starting out.

Finally, if a vendor is not using PGP, don't walk, run.

I am starting to believe that people who don't want to learn PGP are the same people who treat computers as rather complex washing machines or other household electronics. They ain't. You have to experiment with stuff when you use computers. If you aren't willing to explore and make mistakes, then SR is the wrong place for you full stop and you belong to Generation Dinosaur. This is not an age thing, this is a mind-set thing, because I know plenty of older grey/white haired people who have no problems using computers for all sorts of things. I'm talking about those people who think they need to acquire a 40 dollar tome sized operating manual from Barnes & Noble for an operating system. There is a manual for the operating system. It is called the operating system. The same goes for computer programming. After you learn the very basics, you learn by doing. You can read the heavy books later to learn extra technical features and caveats. Otherwise a snappy tutorial online is enough. I mean I love reading and I have a lot of books, but Jesus H Christ you don't pick up the fucking dictionary to compose a sentence unless you're fucking Christopher Hitchens (RIP) or something.

And those people learning languages from books! Get out of here! What the fuck man! :D
Title: Re: Alternative to Privnote
Post by: pine on August 22, 2012, 12:40 am
Alternative to mtgix

mtgix is a scam and lots of people complain about it.

How about an alternative to mtgix?

http://mtgix26yeahopxyi.onion/

Simply send your money there.

As someone will note, this is a security risk as it could be they will steal your money again.

XD
Title: Re: Alternative to Privnote
Post by: Carbonic on August 22, 2012, 12:59 am
Quote
From here on out, a new acronym that will almost certainly come in handy on these forums for future use:

JFUP   -   'jey eff up'

Just Fucking Use PGP.

Thank you. PGP is guaranteed security. PGP has no shady third party that dances around with promises of "self-destruction" and such. PGP takes much less time to learn to use functionally than the time you'll spend worrying about which alternative is the most secure, or why your note says that it's already been read.

Olderfart, I appreciate you attempting to provide a service to those in search of it, that's very kind of you, but I think people need to Just Fucking Use PGP.
Title: Re: Alternative to Privnote
Post by: bubbajoe99 on August 22, 2012, 01:42 am
Once you learn to use PGP it's extremely easy and nothing is more secure. I'd agree with just fucking use PGP.
Title: Re: Alternative to Privnote
Post by: dkmonk on August 22, 2012, 01:45 am
With PGP being easy to use I don't see what the fuss is about and people not understanding.
Title: Re: Alternative to Privnote
Post by: BigEasy on August 22, 2012, 02:21 am
Quote
JFUP   -   'jey eff up'

Just Fucking Use PGP.


Ahh wisdom....

Why the hell would you trust your freedom to some unknown when you could J F U P ! ! !

It's really not that hard to use, nothing like it was in '93.
Title: Re: Alternative to Privnote
Post by: DrGonzoII on August 22, 2012, 02:23 am
I agree as well with pine.

And this is the exact type of laziness that brought down the Farmers Market.
Everyone should consider that before they think about using ANY type of alternative to PGP.

To quote the late great Doctor: "Anything worth doing, is worth doing right"
Title: Re: Alternative to Privnote
Post by: HowardRoarke on August 22, 2012, 07:34 am
Quote
Let me start by saying that I am a well known person on the board and this is an alt account. I am using this account for reasons that I will not go into!

If you are not willing to extend trust to others, i.e. your name, why should they give it to you?
Or is it because, no, you aren't well known, you are using this account because no other exists...
Seriously, why the fuck would anyone trust YOU to be the 3rd party, because you say so on an anonymous website... brilliant
Title: Re: Alternative to Privnote
Post by: k1k1 on August 22, 2012, 07:46 am
Alternative to Linux

Linux kernel is bloated and lots of people complain about its security.

How about an alternative to Linux?

Windows 8

Simply spend your money there.

As someone will note, this is a security risk as it could be they will send your private keys to Microsoft.

haha you made me laugh :D