Silk Road forums
Discussion => Security => Topic started by: Thirty_Rox on November 24, 2012, 07:19 am
-
So, I'm a fairly new vendor, and have 21 transactions so far. My question for other vendors is, how many of your buyers don't use encryption of any kind, and just put their address in the box in plain text? I am shocked that over 75% of the people that have ordered from me thus far have not used encryption of any kind! I just don't understand it! For one thing, PGP is really not that hard to figure out, but to not even use Privnote?! Come on guys!!!
-
I have also noticed this. People should really care more about their security.
-
I encrypt everything except totally harmless messages (I only skip encrypting those to not aggravate the recipient, honestly). But I don't think it's such a bad thing if someone doesn't. With a hidden Tor service, everything is end-to-end encrypted. The only reason to encrypt your address is if you're worried SR isn't really purging it and if the site is ever seized, a record of the order and address will exist somewhere.
Also, depending on how you print out the address, encrypting it may just be incentive for vendors to leave the file sitting around on their hard drive. Most programs work on files, so it's probably going to be saved somewhere at least momentarily (though naturally you'd know better than me -- I'm just a buyer).
Anyway, just my .02 BTC: it's not as insecure as you might think.
-
Most simply don't know how.
SR is a very user friendly, dummies capable site. It's point and click drug buying in an Amazon age.
Direct them to one of the tutorials on SR Forums and I am sure they will see the advantages.
-
Complete fucktards!
I'm only new here and consider myself, maybe, a bit smarter than your average Amazon-jock. It's taken me a few good weeks to get my head around this encryption business. And am still quite weary about making a purchase - yes Tor is secure now, but for how long?
As a vendor, I'd be concerned about MY privacy dealing with some dolt blabbing their order unencrypted. For the sake of the longevity of SR, distance yourself from anyone who doesn't (or won't) follow the rules.
-
The majority of my orders are not encrypted. I have noticed seasoned users use it and most newbs don't. Going with people probably do not know how. Why would you not sell to someone not using PGP though?
-
> So, I'm a fairly new vendor, and have 21 transactions so far. My question for other vendors is, how many of your buyers don't use encryption of any kind, and just put their address in the box in plain text? I am shocked that over 75% of the people that have ordered from me thus far have not used encryption of any kind! I just don't understand it! For one thing, PGP is really not that hard to figure out, but to not even use Privnote?! Come on guys!!!
75%! Damn, that's depressing.
But you've done your part: you learned PGP and posted your public key. You might add something to your vendor page about how PGP is more about your buyers' safety than about your safety- maybe link to a couple of threads about how to use it. But if they don't wanna learn it, that's on them.
I've gone apoplectic about vendors who won't use PGP at all, but that's because they won't give buyers a chance to protect themselves. You're giving them that chance. Nothing more you can do.
-
Well, I'll fess up. Guilty as charged. - I'm not a genius, but I'm usually pretty good at shit like this. I must confess, I can't fucking wrap my tired old brain injured, drug addicted brain around it!
I'm Adult ADD-Pi, at least that's the latest name for what's been treated as everything from PTSD, to Clinical depression to Bi-Polar disorder, had a few bad car accidents in the 80's. One where I went through the windshield, so I have to preface my defense with those facts.
That being said, I've got some pretty decent amph right now, and could probably do a little old fashioned "cramming" on the subject.
A few months back I downloaded the BIG package. GPU, , and started by getting my private key, my public key, etc. I read a few "walk-throughs" on these boards, and I just kept getting stuck on "How do I unencrypt, and how do I send encrypt." - I'm sure it sounds ridiculous to you, since you "get it", but to someone with a slight "learning disability" in other words, slight dumbass brain. I just lock up mentally like an HP Laptop running Vista 4 years ago. (geez what a shitty program and laptop combo that was!)
So if either of you got some "PGP for dummies" tutorials. I'd be willing to give it the old "college try", since I didn't go to college. - Wasn't that important in the 1980. Jobs were everywhere, economy was great, gas was under a dollar a gallon, and college wasn't a pre-requisite for most jobs.
Also I was too busy hanging out in lower Manhattan going to punk rock concerts.
I always figured if someone was monitoring your internet activity from a remote location, like LE sitting at a Time Warner office, they could see exactly what my key is, and that of the other person. So it seemed to me like a false sense of security.
You really can see everything that way. I witnessed it when I was installing these new machines with a funny name called FIOS, about 7 years ago. We would monitor traffic and speed from time to time, and that meant bringing up an end user's screen.
I've managed since April to dodge the sellers that insist on PGP. - Though in light of the current "outages" and SR being in the news more frequently around the globe. I'll give it another shot.
So I've fessed up. Anyone got any good pointers??????
The orders can't be encrypted as far as I can see, am I wrong? - I wouldn't want to be called a "fucktard" <- real mature. It seems it's only for the address and or the "messages" feature.
Just because you have "knowledge" that someone else doesn't. Does not make you superior. I've met plenty of people in my life who have PHD's, and I'll visit their house, and they keep bugging me to help them hook up their home theater speakers. - To me, that's crazy! Then again, everybody has their strengths and weaknesses.
From what I've read about security on Tor, even before you get to silk road. Tor is already changing your IP address every so often (or you can manually click the onion every 5 minutes if you're that paranoid).
Also my theory about LE sitting in your local ISP's office, scanning for anyone who uses Tor. In that capacity, they could see every move you make, including, your PGP code, the other guy's PGP code. It just seems like a false sense of security. Though it may slow them up. ie; they'll go after the unencrypted ones first, as they're easier.
Also, when I first started out buying last spring, the vendors asking for PGP, were willing to let me go without it, saying it's for your protection, not mine. Lots of info swirling around about it.
Sometimes it makes me leery of not using it. It could be because I'm weary from lack of sleep. Still I understand some people are wary of not using it. (see what I did there?)
For every encryption, there's a hacker out there who sees it as a challenge, and some of them, go to work for LE.
Still open to a good source of tutorials. - Not the one on here. A link to a video would be nice!
-
> Most simply don't know how.
> SR is a very user friendly, dummies capable site. It's point and click drug buying in an Amazon age.
> Direct them to one of the tutorials on SR Forums and I am sure they will see the advantages.
better: enforce it. Can't place order if the address field doesn't contain a valid PGP encrypted string. Easy solution.
It's not as much of a danger as a lot of ppl seem to think though. It should be done in case SR gets compromised. And although I think SR security can always be improved, it's probably far superior to that of most vendors. Once the address is on your machine, it doesn't matter if it came cleartext or encrypted. The biggest vulnerability is a vendor's machine regarding this kind of data. From what I have seen here (no offense to the really security aware vendors - kudos to you) with some vendors, SR would be Fort Knox in comparison.
-
I immediately cancel the order if a buyer sends his information unencrypted. Then I PM him and politely let him know of the dangers associated with such action, and ask if he wants to reorder, to please send by email to one of my nymserver addresses if they really don't know a thing about PGP; these addresses automatically encrypt all the information that gets to me.
I also caution the buyers against using Privnote.
goblin
-
Encryption is for your protection as well as the buyers. Don't make it easy for the LE to find you, dipshits.
If you can't take the time to figure out GPG, how the hell did you even make it here?
-
@jagfug: no worries mate, hopefully this will help you out. You're right, orders themselves can't be encrypted. Just your address on that checkout page. But really, everything you do on Silk Road is encrypted by the Tor network anyway, so when I say the order can't be encrypted all I mean is that you can't encrypt it *more*. It already is encrypted.
Just to be clear, nobody listening in to your connection can tell what you're doing, but anybody who has control of the Silk Road server could see everything. This isn't true all the time, just with Tor hidden services. If you go to google.com or something, it's not encrypted.
I've seen people recommend the program "gpg4usb". I think that's it anyway. I've never looked at it, but it's supposed to be easy. You might give that a try.
Personally, I keep my address in a text file that I then encrypt for each order by typing "gpg -a -e -r {vendor} address.txt". That makes it plain-text readable instead of all funky symbols that don't copy & paste so well, and outputs a file called "address.txt.asc". The contents of that file is what I put as my address.
The whole idea is that there are two keys that are kind of paired to each other, the public and private key pair. The public key you give out to the public, and the private one you never let anyone else see. People use the public key to encrypt stuff, and once something's been encrypted with a public key, only the matching private key can decrypt it.
There's a lot more to it, but for making orders, it's really that simple. Once you use the public key of a key pair, only the private key can decrypt it. Hope that helps some.
-
Try and get buyers to use PGP. It appears daunting, so a lot don't bother, but once they've done it once it's second nature
:)
-
I can't believe how easy PGP actually was...
Here's a guide as I would personally write it (for Windows):
Installation and setup:
Download PortablePGP here: http://ppgp.sourceforge.net/usb.html
Start the application and it will ask you whether you have a keypair. You don't if you're reading this, so say you don't
Enter your (fake or real, probably fake) name, e-mail and a comment if you're feeling adventurous.
Enter a strong password, the longer the better, but don't forget it!
Now you have your own "keypair", which is a private and a public key. The public key is for everyone else to know, but the private one must be kept secret AT ALL COSTS.
To send:
Get the recipient's public PGP key and store it in a standard text file anywhere on your computer.
In PortablePGP, click Keyring.
Right next to "Public Keys", click "arrow down" to import the recipient's key.
Select the text file where the recipient's public key is stored.
Now you've successfully imported a public key so that you won't have to repeat the above procedure every time you send them a message.
Click Encrypt.
Enter your message, whatever it is, just like you normally would.
For "Target", pick the recipient you imported.
For "Sign", choose your own key.
Click Encrypt. (The button with the play icon this time.)
Enter your passphrase.
A new window will pop up which is your encrypted message which is readable only by the recipient and you! You are free to do with this as you wish.
To read:
Click Decrypt.
Paste the encrypted message you have received from the sender.
Click Decrypt. (The button with the play icon again.)
Enter your passphrase.
Done!
-
A lot of people either have no idea beyond clicking stuff on a screen or simply do not care to use PGP thinking fuck you, come after me for my tiny bit of weed.
This is why privacybox.de exists (there's also an .onion page), because you can send your link to somebody who knows nothing about PGP and it will encrypt everything they write to you with your own public key. It's open source software, so not only could SR/DPR incorporate it into the site (he should) but you can buy your own VPS server and run the source yourself. Get an account there and then send it to buyers who can't figure out PGP.
-
Can anyone write a step-by-step for a Mac?
I am using GPG Keychain Access | GPGTools (OpenPGP Tools for Apple OS X) and my vendor says it doesn't work.
I can't follow the Windows write up because the program it wants me to install is Windows
help would be appreciated asap
-
> I am using GPG Keychain Access | GPGTools (OpenPGP Tools for Apple OS X) and my vendor says it doesn't work.
It might just be the vendor. I know of at least one vendor who posts a PGP key on his page but clearly does not know how to use it, always says "it doesn't work".
Thing to do is go to PGP Club and exchange some encrypted test messages with other forum members. Then you'll know better whether the problem is at your end or the vendor's. You could start with me if you want, there's a link to my public key in my sig below.
Unfortunately I don't use Mac so I can't walk you through your software, but it sounds like you've got most of it down anyway.
-
> Can anyone write a step-by-step for a Mac?
> I can't follow the Windows write up because the program it wants me to install is Windows
The same application the guide is for exists for Mac too! I haven't tried it myself, but I'm sure it looks and acts exactly the same on a Mac.
-
> Can anyone write a step-by-step for a Mac?
> I am using GPG Keychain Access | GPGTools (OpenPGP Tools for Apple OS X) and my vendor says it doesn't work.
> I can't follow the Windows write up because the program it wants me to install is Windows
> help would be appreciated asap
GPGTools is highly version dependent -- depending on which version of OS X you have, it may or may not work as expected. If you have Leopard (10.5) then you're pretty much out of luck. Your only option then will be using the command-line.
If you have Snow Leopard (10.6), Lion (10.7) or Mountain Lion (10.8), the following instructions should be sufficient to allow you to get up and running.
Download and install GPGTools: http://nightly.gpgtools.org/GPGTools_Installer-trunk.dmg
Once you have installed GPGTools, what you want to do is to go into System Preferences --> Keyboard --> Services.
Scroll down until you find the following entries. Be sure to put a check mark in the boxes to activate each keyboard shortcut.
Keyboard shortcuts:
OpenPGP: Decrypt Selection: Shift-Command-D
OpenPGP: Encrypt Selection: Shift-Command-E
OpenPGP: Import Key from Selection: Shift-Command-I
OpenPGP: Insert My Fingerprint: Shift-Command-F
OpenPGP: Insert My Key: Shift-Command-K
OpenPGP: Sign Selection: Shift-Command-R
OpenPGP: Verify Signature of Selection: Shift-Control-V
Remember, these shortcuts only operate on highlighted or selected text.
To select text within TextEdit, use Command-A to highlight the entire document, or use your mouse to select the section that you want to verify/sign/encrypt/decrypt. It is highly recommended that you use only plain-text, as opposed to Rich Text (.rtf) format. Use Command-, to bring up Preferences and ensure that the plain text radio button is checked.
Also ensure that the following are UNCHECKED in TextEdit preferences: smart quotes, smart dashes, smart links.
Once your text is highlighted in TextEdit (by pressing Command-A), you then encrypt using Shift-Command-E. You will then be presented with a list of keys to encrypt to, that you have added to your PGP keyring.
Other Commands You May Need:
OpenPGP: Decrypt File: Control-Command-D
OpenPGP: Encrypt File: Control-Command-E
OpenPGP: Sign File: Control-Command-S
OpenPGP: Verify Signature of File: Control-Command-V
Naturally, you can change any of these shortcuts to ones of your own choosing, if you wish.
Once you have setup these shortcuts, you can begin using GPG.
To encrypt a message to someone using GPG, you first need a copy of the recipient's PGP public key.
Once you have located someone's PGP public key, you should copy and paste it into TextEdit. Save the text to a file; you can name the file import.asc, for example. This saved file will usually be found in the Documents folder.
Launch GPG Keychain Access from the Applications folder. Click on the Import icon in the upper left hand corner. GPG Keychain Access will then prompt you for the name of the file which contains the key to import. It will usually show you a list of files in the Documents folder. Click on the file named import.asc, and click ok. The PGP public key will then be imported into your PGP keyring.
To encrypt a message to a person, the message must be contained in a TextEdit document. Use Command-A to highlight the entire document. Then use Shift-Command-E to encrypt. GPG will pop-up a list of public keys in your PGP keyring. Each key will have a little checkbox beside it which you can check, to select that particular key. If you were encrypting a message to me, you would put a check in the box beside my PGP key (Guru@SR). When you click on OK, the plaintext (unencrypted) message in TextEdit will be replaced with the encrypted message. You can then copy and paste the encrypted message to enter it into a form on Silk Road, or anywhere else that it needs to go.
To decrypt a message sent to you by other people, you need to copy that message to the clipboard, and paste it into a TextEdit document. Again use Command-A to highlight all the encrypted message. Then use Shift-Command-D to decrypt the message. If the message is encrypted to your PGP public key, you will be prompted to enter your passphrase. Once the correct passphrase has been entered, and you click OK, then the message will be decrypted, and the decrypted text will be placed in the TextEdit document, replacing the encrypted message that was there previously.
Guru (original author)
-
OK...here is my issue...when I put the key into text edit, the save options are
"rich text"
"rich text with attachments"
"web page"
"web archive document"
"open text document"
"word 2007"
"word 2003"
"word 97"
NONE of these will import into the keychain. Any ideas?
every single time the import into keychain fails
code=0
ideas?
-
lol... Hi [REDACTED]! :P
Your problem is that you're missing a single dash at the very beginning. No, it won't import the way it is. Add an extra dash and it works fine -- I think you copied & pasted it slightly wrong. Here, this one works fine; notice the extra dash on the first half of the first line (just click "select" at the top of the box, right-click, "copy", and you're golden):
[REDACTED]
-
no I think it might have been me not copying the whole thing right
I will take full blame!
I ALSO NEEDED TO SAVE THE ENCRYPTION KEY IN THE RIGHT FORMAT ON MY DESKTOP TO IMPORT
I needed to save it as Western (Mac OS roman)
-
Oh, I didn't mean to lay the blame on XXXX -- I was just kind of wondering, "hmm, so what vendor is this anyway? Do I even want this random dude's key?", saw the error, recognized it, fixed it, and got "XXXX... Processed: 1 ... Unchanged: 1." I see him post in the meth thread, so I was just being silly and saying hi to his key.
No worries. I did it once myself -- that's how I recognized the error :)
-
I have tried for two + days to get this GPG thing down. I hope I didn't make him mad by all the fumbling. I would really like my first order to go thru.
I would like to thank you and also Nightcrawler who helped me greatly. You have fulfilled your "teach another person" obligation
once my order ships I will jump up and down..once my order arrives there will be no time for jumping...might spill something
-
Just for posterity's sake, ThePhoenix's problem was that he had TextEdit set to rich text mode. You have to put it into plain text mode using the Format menu. You can also set it to use plain text mode by default, in Preferences. Another tip: You can just highlight text (such as public keys) and drag it onto the TextEdit dock icon directly.
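
Several posts above come down to whether a pasted block is still valid PGP ASCII armor: the suggestion to reject an address field that is not a PGP-encrypted string, the import that failed over one missing dash, and TextEdit saving in rich-text mode. The following Python check is an added example, not part of the original thread; it validates armor structure and the CRC-24 line as defined in RFC 4880, the function names and problem codes are illustrative, and the samples are constructed filler rather than real ciphertext.

```python
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880, section 6.1
# First packet expected inside each armor type: 1 = public-key encrypted
# session key, 3 = symmetric-key encrypted session key, 6 = public key.
EXPECTED_TAGS = {"MESSAGE": {1, 3}, "PUBLIC KEY BLOCK": {6}}
HEADER = re.compile(r"^(\W*)BEGIN PGP ([A-Z ]+?)(\W*)$")
SMART = "\u2013\u2014\u2018\u2019\u201c\u201d"   # en/em dashes, curly quotes


def crc24(data: bytes) -> int:
    """CRC-24 used for the '=XXXX' armor checksum line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Wrap raw bytes in ASCII armor (used here only to build test input)."""
    body = base64.b64encode(payload).decode()
    rows = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "", *rows, "=" + check,
                      f"-----END PGP {kind}-----", ""])


def packet_tag(octet: int):
    """Packet tag from the first octet, or None if it is not a packet header."""
    if not octet & 0x80:
        return None
    return octet & 0x3F if octet & 0x40 else (octet >> 2) & 0x0F


def diagnose(text: str, expect: str = "MESSAGE") -> list:
    """Return a list of problem codes; an empty list means the armor is sound."""
    if text.lstrip().startswith("{\\rtf"):
        return ["rtf-wrapper"]               # saved as rich text, not plain text
    problems = []
    if any(ch in text for ch in SMART):
        problems.append("smart-punctuation")
    lines = [ln.strip() for ln in text.strip().splitlines()]
    begin = next((i for i, ln in enumerate(lines) if "BEGIN PGP" in ln), None)
    if begin is None:
        return problems + ["no-armor-header"]
    match = HEADER.match(lines[begin])
    kind = match.group(2) if match else None
    if not match or match.group(1) != "-----" or match.group(3) != "-----":
        problems.append("malformed-header")  # e.g. a dash lost while copying
    end = next((i for i in range(begin + 1, len(lines))
                if "END PGP" in lines[i]), None)
    if end is None:
        problems.append("missing-footer")
        end = len(lines)
    elif lines[end] != f"-----END PGP {kind}-----":
        problems.append("malformed-footer")
    # Drop blank lines and "Key: value" armor headers; base64 never contains ':'.
    body = [ln for ln in lines[begin + 1:end] if ln and ":" not in ln]
    checksum = body.pop()[1:] if body and body[-1].startswith("=") else None
    try:
        data = base64.b64decode("".join(body), validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return problems + ["bad-base64"]
    if not data:
        return problems + ["empty-body"]
    if checksum is not None:                 # the checksum line is optional
        try:
            stated = int.from_bytes(base64.b64decode(checksum, validate=True), "big")
        except ValueError:
            stated = -1
        if stated != crc24(data):
            problems.append("crc-mismatch")
    if kind != expect:
        problems.append("wrong-block-type")
    if packet_tag(data[0]) not in EXPECTED_TAGS.get(expect, set()):
        problems.append("unexpected-packet")
    return problems


# Constructed samples: the first octet is a real packet header, the rest is
# filler, so these are well-formed armor but not decryptable ciphertext.
GOOD = armor(bytes([0x85, 0x01, 0x0C]) + bytes(range(40)))
KEY = armor(bytes([0x99, 0x01, 0x0D]) + bytes(range(40)), "PUBLIC KEY BLOCK")

if __name__ == "__main__":
    for label, sample in [("intact", GOOD), ("lost dash", GOOD[1:]),
                          ("rich text", "{\\rtf1\\ansi " + GOOD + "}"),
                          ("key pasted as message", KEY)]:
        print(f"{label:22} {diagnose(sample) or 'ok'}")
```

A clean result only shows that the block is intact armor of the expected type; whether it decrypts can be confirmed only by the holder of the matching private key.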
-
> Just for posterity's sake, ThePhoenix's problem was that he had TextEdit set to rich text mode. You have to put it into plain text mode using the Format menu. You can also set it to use plain text mode by default, in Preferences.
I knew about changing it in Preferences, but I forgot about the Format menu.
> Another tip: You can just highlight text (such as public keys) and drag it onto the TextEdit dock icon directly.
That I didn't know... great tip!
Nightcrawler
-
I always see Nightcrawler in threads I post in! Nightcrawler, I'm going to steal that Mac guide you wrote up if you don't mind and include it on my onion for PGP/GPG guides.
When I first logged onto the onion patch I needed a GPG introduction as well, and started to compile all the guides I could find..... Since then I have published a lot of guides on how to install and use different GPG software packages, and have even written tools for testing your encryption, as well as links to secure inboxes and other onion tools.
My onion now receives over 1000 hits a day on people trying to learn how to GPG. Please feel free to forward any of your customers to the following address and have them self educate. I am always trying to add new guides and content, and if you feel I should add something, please message me here, or contact me from my torid, listed in my signature.
my GPG Tutorial onion: http://p3lr4cdm3pv4plyj.onion/
Thanks -
wicked420
-
> I always see Nightcrawler in threads I post in! Nightcrawler, I'm going to steal that Mac guide you wrote up if you don't mind and include it on my onion for PGP/GPG guides.
I actually borrowed it from Guru, and he doesn't seem to have objected.
> When I first logged onto the onion patch I needed a GPG introduction as well, and started to compile all the guides I could find..... Since then I have published a lot of guides on how to install and use different GPG software packages, and have even written tools for testing your encryption, as well as links to secure inboxes and other onion tools.
> My onion now receives over 1000 hits a day on people trying to learn how to GPG. Please feel free to forward any of your customers to the following address and have them self educate. I am always trying to add new guides and content, and if you feel I should add something, please message me here, or contact me from my torid, listed in my signature.
> my GPG Tutorial onion: http://p3lr4cdm3pv4plyj.onion/
> Thanks -
> wicked420
Sweet! Anything you can do to help people educate themselves is worthwhile, IMO.
Nightcrawler
-
> My onion now receives over 1000 hits a day on people trying to learn how to GPG. Please feel free to forward any of your customers to the following address and have them self educate. I am always trying to add new guides and content, and if you feel I should add something, please message me here, or contact me from my torid, listed in my signature.
> my GPG Tutorial onion: http://p3lr4cdm3pv4plyj.onion/
> Thanks -
> wicked420
Oh wow. 1000 hits a day? Do you get the word out anywhere other than SR?
I'm just wondering what that says about how many new people are showing up to SR on a daily basis -- word of mouth and the way awareness spreads and all that is exponential, I assume, but I didn't realize it was at that level already. If about half of those 1000 represent the small portion of people new to SR looking to learn about encryption... taking into account that many or most won't care or won't find your particular source... I mean that could possibly mean tens of thousands of new SR users a day, or even more? Goddamn. That's a lot of people.
-
Took me an entire morning to work out PGP.
It was well worth it IMO....
-
I don't know why people don't use PGP.
It's either they don't know how to, or they are just lazy which leads to the feds knocking on your door.
-
> > My onion now receives over 1000 hits a day on people trying to learn how to GPG. Please feel free to forward any of your customers to the following address and have them self educate. I am always trying to add new guides and content, and if you feel I should add something, please message me here, or contact me from my torid, listed in my signature.
> > my GPG Tutorial onion: http://p3lr4cdm3pv4plyj.onion/
> > Thanks -
> > wicked420
> Oh wow. 1000 hits a day? Do you get the word out anywhere other than SR?
> I'm just wondering what that says about how many new people are showing up to SR on a daily basis -- word of mouth and the way awareness spreads and all that is exponential, I assume, but I didn't realize it was at that level already. If about half of those 1000 represent the small portion of people new to SR looking to learn about encryption... taking into account that many or most won't care or won't find your particular source... I mean that could possibly mean tens of thousands of new SR users a day, or even more? Goddamn. That's a lot of people.
From what I can tell, I log very very little in my web server configuration, but it appears that somewhere along the line my onion was put on the hidden wiki, and that is the main source of my traffic. Once it got on the hidden wiki, and all of its mirrors, it got really big. These forums are my next largest referral base, with SR itself being 4th or 5th in my referrals. TorDir and Torlinks seem to be pretty popular as well. The referrals from SR come from vendors linking my onion in their profile asking customers to learn how to GPG. In fact, my onion got a lot busier than I was expecting and I'm going to have to move the content to a new server to handle the traffic! (the onion is down currently due to bandwidth issues) .
So all that being said, Help me Help you! let me know what tools/information you think I should add to my onion, and I'll work on it ASAP
Thanks,
wicked420
-
PGP looks confusing at first, but take time to work it, so simple..
:)
-
Only 1 in 10 of my buyers uses encryption for the address. This is disturbing as there's plenty of warnings about not sending the address in plaintext.
Either they are LE and they don't care if their address is in plaintext or they don't want to bother with PGP despite the risks.
-
I'll totally admit it. I sent an order without encrypting my address. You can call me an idiot but in my own defense it was something totally legal (I figure if it's some kind of honeypot situation the vendor would get my address anyway. that's why I only use "trusted vendors"). Plus not to mention I don't do anything "harder" than weed. I know how to use GPG but honestly I was really tired and on a wiped machine and said "fuck it".
I did kind of freak out about it for a few minutes, but knowing the little I know about tor, and what I've read on the site, it's not going to be the end of the world. I'm not going to do it again, so please someone reassure me...
-
> I'll totally admit it. I sent an order without encrypting my address. You can call me an idiot but in my own defense it was something totally legal (I figure if it's some kind of honeypot situation the vendor would get my address anyway. that's why I only use "trusted vendors"). Plus not to mention I don't do anything "harder" than weed. I know how to use GPG but honestly I was really tired and on a wiped machine and said "fuck it".
> I did kind of freak out about it for a few minutes, but knowing the little I know about tor, and what I've read on the site, it's not going to be the end of the world. I'm not going to do it again, so please someone reassure me...
It's totally fine. End-to-end encrypted means from your computer to the destination is basically 100% safe. The real reason to encrypt with PGP is very simple, and is ONLY because of these (at least to my knowledge):
1. you think Silk Road may get seized someday and are worried transactions will be recoverable somehow, either from "purged" records or b/c the purchase is still processing.
2. if your vendor got arrested before processing your order and they use his account, well, there's your address right there asking for illegal drugs.
3. you think SR is a honeypot and don't want your address going down on the records.
That's it, and that's all.
-
> > I'll totally admit it. I sent an order without encrypting my address. You can call me an idiot but in my own defense it was something totally legal (I figure if it's some kind of honeypot situation the vendor would get my address anyway. that's why I only use "trusted vendors"). Plus not to mention I don't do anything "harder" than weed. I know how to use GPG but honestly I was really tired and on a wiped machine and said "fuck it".
> > I did kind of freak out about it for a few minutes, but knowing the little I know about tor, and what I've read on the site, it's not going to be the end of the world. I'm not going to do it again, so please someone reassure me...
> It's totally fine. End-to-end encrypted means from your computer to the destination is basically 100% safe. The real reason to encrypt with PGP is very simple, and is ONLY because of these (at least to my knowledge):
> 1. you think Silk Road may get seized someday and are worried transactions will be recoverable somehow, either from "purged" records or b/c the purchase is still processing.
> 2. if your vendor got arrested before processing your order and they use his account, well, there's your address right there asking for illegal drugs.
> 3. you think SR is a honeypot and don't want your address going down on the records.
> That's it, and that's all.
Thank you very much sir/mam. That eases my mind a bit. I'll do it in the future just in case because it doesn't hurt. Maybe a lot of vendors just don't care/don't understand, but in MANY of their profile pages they claim it's optional. I would NEVER use a vendor that doesn't provide a public key because that just screams "I don't know WTF I'm doing or couldn't care if you live or die."
At least this site provides noobs with a reason to learn more about security. I know a little bit but it has inspired me to learn everything I can about tor/networking and all that jazz.
-
All I know is that if I get another privnote instead of PGP I'm gonna scream. I will not enable java and risk MY security for your stupidity. Posted to my vendor page that I will not accept it and I suggest other vendors follow suit so people will stop being lazy and using the point and click web version of PGP.
-
Buyers not encrypting their addresses are crazy! It is a risk which can be eliminated with the simple use of PGP. There are numerous threads on the Forum containing guides on how to use PGP, and plenty of experienced members only too willing to help you should you need it. In most cases, buyers/sellers are just too lazy to take the time to learn and are prepared to "risk it", putting it in the "too hard" basket. IMO, too many people seem to think using SR safely and securely is just a matter of using Tor! Please, set some time aside to browse through the Forum and read up on the methods used to protect yourself and remain anonymous. Your safety is PARAMOUNT, above all else!
-
Is it because people don't give a fuck about protecting their fake name and drop box address?
-
> Buyers not encrypting their addresses are crazy! It is a risk which can be eliminated with the simple use of PGP. There are numerous threads on the Forum containing guides on how to use PGP, and plenty of experienced members only too willing to help you should you need it. In most cases, buyers/sellers are just too lazy to take the time to learn and are prepared to "risk it", putting it in the "too hard" basket. IMO, too many people seem to think using SR safely and securely is just a matter of using Tor! Please, set some time aside to browse through the Forum and read up on the methods used to protect yourself and remain anonymous. Your safety is PARAMOUNT, above all else!
Wadozo is so correct! I thought I had an issue and he responded with speed and helpfulness all-around. Use the knowledge that is here!
Of 10 orders, 7, or 70%, of the addresses were sent to me in the clear. BAD BAD BAD!
Luv,
Party Girl
PS: Sending love out to Wadozo for personally working with me to prove where the problem was!
-
Like I said, I always encrypt my address and messages, and I agree that it's best to encrypt... but I can't help but feel as though people don't actually understand how the Tor network works, or what end-to-end encryption actually does... ???
Well, it doesn't really matter. It's good advice, regardless, right :)
-
Buyers not encrypting their addresses are crazy! It is a risk which can be eliminated with the simple use of PGP. There are numerous threads on the Forum containing guides on how to use PGP, and plenty of experienced members only too willing to help you should you need it. In most cases, buyers/sellers are just too lazy to take the time to learn and are prepared to "risk it", putting it in the "too hard" basket. IMO, too many people seem to think using SR safely and securely is just a matter of using Tor! Please, set some time aside to browse through the Forum and read up on the methods used to protect yourself and remain anonymous. Your safety is PARAMOUNT, above all else!
Wadozo is so correct! I thought I had an issue and he responded with speed and helpfulness all-around. Use the knowledge that is here!
Of 10 orders, 7, or 70%, of the addresses were sent to me in the clear. BAD BAD BAD!
Luv,
Party Girl
PS: Sending love out to Wadozo for personally working with me to prove where the problem was!
Thanks Party Girl. Right back at you. ;D
pbody88, people may use a fake name and drop box address, however, if your address is not sent encrypted and is intercepted by LE, written in plain text, they would only have to set up surveillance on the drop box address to catch you, regardless of your fake name. This is hypothetically speaking of course.
-
I worry about sending any private message without PGP encryption, let alone my address. One vendor even messaged me back saying, "you don't have to encrypt EVERY message you send me" haha. You guys like to live on the edge
-
It's totally fine. End-to-end encrypted means from your computer to the destination is basically 100% safe. The real reason to encrypt with PGP is very simple, and is ONLY because of these (at least to my knowledge):
1. you think Silk Road may get seized someday and are worried transactions will be recoverable somehow, either from "purged" records or b/c the purchase is still processing.
2. if your vendor got arrested before processing your order and they use his account, well, there's your address right there asking for illegal drugs.
3. you think SR is a honeypot and don't want your address going down on the records.
That's it, and that's all.
This.
I get adding another layer of security but don't really understand the derision I see from some folks. We all are trusting the vendors themselves with our info (whether it is faked or real), having faith that LEO aren't watching transactions on SR doesn't seem too far of a stretch from that.
-
Same here. I've been a vendor here for over 8 months and have done several hundred transactions. Most of them, easily 80%, use NO encryption! The remainder: 15% use Privnote and just 5% of my customers to date use full GPG encryption. I'm absolutely bewildered. :o
-
Most of them, easily 80%, use NO encryption! The remainder: 15% use Privnote and just 5% of my customers to date use full GPG encryption.
You're kidding me
-
Nope..... most clear text while the others are too lazy to PGP so they send me Privnote, which I now refuse to go through at all..... Vendors, I suggest you start taking a stand against Privnote as well so we can get people on board with some real security.....
-
You're kidding me
Not even a little bit. Incredibly too, many of them are seasoned users (over 8 mos with over 100 prior transactions) so it's not just the newbies. ???
-
These statistics are quite depressing, even with all the forum tutorials, the onion I've linked several times, etc. Please feel free to add a link to my GPG/PGP encryption tutorials in your item postings or seller profile page.
I've got tutorials and testing mechanisms so the users can self educate, install, and test their configuration!
GPG4Win/GPA/KLEO, GPG4USB, and a couple of Mac OS X guides are all posted at:
http://p3lr4cdm3pv4plyj.onion/
Let me know if I can help out in any way to assist the vendors in educating the buyers. DEMAND PGP and refer them to me for any support. I feel it should be required, regardless of Tor's encryption mechanism. Any temporary storage of cleartext addresses is dangerous.
If you feel there should be an additional guide, or some additional comments listed on my page, please let me know!
Thanks
-
The vendor irishdan is one of the top benzo sellers, he's been here for a while and still doesn't use PGP. I just don't understand how people can keep on sending their personal information unencrypted.
-
Bugs the shit out of me that buyers don't use PGP.
I don't give a fuck if you're comfortable with the risk, it endangers ME.
The point of PGP encrypting the order is that we don't have to trust whether SR has been compromised. Which is the way I like. Trusting no one.
Because if SR does get compromised then all these cleartext orders are seen, the packages can get intercepted, dusted for fingerprints and DNA swabbed.
Solution? Fuck if I know. SR Client software?
-
Trusting no one.
.....
Solution? Fuck if I know. SR Client software?
That's true. Trust no 1.
And SR client software is the thing I've been urging be developed super fast: an open source anonymous market. Bitwasp is a start but we've got to put the pedal to the metal; come on all you genius programmers out there, get going!
-
I am a newbie but I figured PGP out in no time. Cuz I'm smart like that! And it's not astrophysics. Still waiting on my BTCs tho :( Wanna buy something sooo bad! :'(
-
It's totally fine. End-to-end encrypted means from your computer to the destination is basically 100% safe. The real reason to encrypt with PGP is very simple, and is ONLY because of these (at least to my knowledge):
1. you think Silk Road may get seized someday and are worried transactions will be recoverable somehow, either from "purged" records or b/c the purchase is still processing.
2. if your vendor got arrested before processing your order and they use his account, well, there's your address right there asking for illegal drugs.
3. you think SR is a honeypot and don't want your address going down on the records.
That's it, and that's all.
All those scenarios are *very* possible. In fact if Silk Road is ever compromised it's almost certain they will allow it to continue to operate for some time while they gather info. This has been the standard tactic for LE in the past. That's why it's so foolish not to take the simple step of using PGP for any sensitive info.
-
The messages are stored on a server, most likely a database, until they're deleted/viewed. That means that there are a number of enemies.
1) Law Enforcement / Government - seizing the server - all unencrypted information upon seizure is easily read; every order "in processing" becomes open information to the Govt.
2) Hacker finds a vulnerability and finds access to messages - The Site goes through random modifications and outages, and may wind up with a programming vulnerability. Hacker finds this, and has access to the server, and your information.
3) Yourself - You use a shitty password, or you signed up for a phishing site using the same login information - now anyone who knows that password can read all of your messages
4) Silk Road itself - while I've never had a personal problem with the service or the staff (they've been 100% helpful to me) - they still can have access to your personal information, and there is no need for the site/service to see your information.
And here are things we really don't know, as just random users of the service: (and we really shouldn't know)
1) Who the admins are, and how many of them have access to our information? And will they EVER be abusive with our information?
2) How close any government/law enforcement is to actually being able to seize servers
3) How secure the coding is of all the different processes included in SR.
4) Where the servers are located, physically, and what kind of laws and regulations might be placed upon the server if seized.
etc etc etc - the list of things to worry about goes on and on and on.
Eliminate as much stress as you can, and just encrypt your communications about any incriminating/personal behavior!
PLEASE! BE SAFE!
-
I'm not a SR vendor yet but I do sell in other venues. I simply set up a form that made it easy for people to encrypt. Most people simply can't wrap their heads around encryption. You can see my form here: http://medicineman.6te.net/ and to modify it simply change the keyid and pubkey variables to match yours.
-mm
-
I'm not a SR vendor yet but I do sell in other venues. I simply set up a form that made it easy for people to encrypt. Most people simply can't wrap their heads around encryption. You can see my form here: http://medicineman.6te.net/ and to modify it simply change the keyid and pubkey variables to match yours.
-mm
BE CAREFUL - That link he posted is a clearnet post - and it might have all sorts of things on it. (Don't use other services to actually encrypt messages; if you're going to do that, stick to Privnote.) Keep in mind... trust no one (especially clearnet services).
-
They will go after the low hanging fruit, too. No reason to waste time trying to decrypt PGP messages when so many buyers post their details in plaintext.
And some of them have over 100 transactions totaling hundreds of BTC. Nice paper trail.
-
I actually want to use PGP! I have made topics asking for help on using agp (I'm on Android) yet I can't seem to find any help other than I'm an "idiot" for using Android. ::)
Anybody care to assist me on how agp works? Or at least point me in the right direction. Thanks
-
I actually want to use PGP! I have made topics asking for help on using agp (I'm on Android) yet I can't seem to find any help other than I'm an "idiot" for using Android. ::)
Anybody care to assist me on how agp works? Or at least point me in the right direction. Thanks
Do you recall the scandal over CarrierIQ? I think that was it. Apparently all major carriers were using it, and allegedly some were even collecting every key press the device registered. As I think I've said, I'm not an encryption expert, but I know my way around computers and Linux. Android is a modified Linux kernel with a GUI and a lot of support libraries on top of it (that's the Android part). My phone is rooted and I don't have anything on it that seemed suspicious to me. The fucking thing still sends phantom data uploads to God knows where at random hours of the day and night. Sometimes over 100mb at once.
Now I don't know just what the *fuck* someone could be collecting that's over 100mb then another 40mb two hours later, but a goddamn video of me using the thing wouldn't be much bigger. I can't even identify the process that's responsible for it either. Though I admit, I only spent a few hours poking around before I said "fuck it, if they want my girlfriend's sex videos that badly, they can have 'em."
Do yourself a favor and use a computer. Android is more transparent than an iPhone, but it's still collecting usage data and it's still partly designed to lock you out of the phone so your carrier controls it and not you. If you didn't know how much they may (or may not) monitor, you're not an idiot. Just unfortunate not to know.
If you did know and you still use it, I don't think you're an idiot. Personally I'd suggest that you get a good night's sleep tonight, and then go to the police station and arrest yourself in the morning to save them the trouble though.
Oh, by the way, it's APG, not AGP. I made that mistake myself at first actually.
-
Ok, so pretty much even by using APG I'm still not fully protected because of the nature of Android or just using a cell in general, right? Shit.