Silk Road forums
Discussion => Newbie discussion => Topic started by: ScorpiaMuEre on June 06, 2013, 06:23 pm
-
Originally posted by StExo on the security board at http://dkn255hz262ypmii.onion/index.php?topic=167339.0, if you have not read it, go, read it.
Text re-posted for the lazy. After you read it, follow the link above (select, ctrl+c, new tab, right click in address, paste and go) to make sure I'm not lying to you or feeding you bullshit. This is important, it will save your ass from getting arrested. Read it.
Dear all,
Many of you know in recent days I have been crawling SilkRoad as well as having several other key users (SelfSovereignty, astor etc) work with me to extract and analyse the data we managed to crawl. Remember we have access to no special tools, powerful machines or data scraping specialists, just what skills we possess and basic .html downloads from the marketplace.
Having analysed all of the pages now, we have found disturbing results. Here are just some of the problems we uncovered and the tag [FIXED] indicates this particular case/problem has now been addressed as I would not be comfortable posting it until it had.
1. Vendors using their real e-mail address on clearnet e-mail hosts, some of which dating back to 2003 which kind of prove they are their personal accounts, many with names or specific years in them indicating personal details. These e-mails are registered on some other public services and I have found 9 of you on Facebook so far. Those who have been found know who they are and I hope you realise the danger you're in when I send you your profile picture and mention where you live, your telephone number, family etc. All of the Facebook ones have been corrected now, but not all clearnet PGP keys have been fixed.
2. Buyers posting their tracking numbers in their feedback. Big no-no especially when it is still en-route to you! Somebody in particular posted their tracking number in public for a delivery from the US to Australia and when I seen it the feedback was 3 hours ago who had FE'd so it was obviously still days or weeks from arriving. Don't ever post this publicly. [FIXED]
3. A case where a vendor stated where about in the country he was posting from. I searched the suburb of the city he named and in that suburb, it has a population of 1,000-1,200 in a small city. Don't make it so easy for law enforcement to profile you. [FIXED]
4. Weak PGP keys seem to be in use everywhere. Don't use them! Anything below 512-bit keys are not futureproof. 1024 bit [Read end annotation] is the established standard, use that or greater to ensure your security and everyone else who messages you. My key is 4096-bit. Paranoia is probably a good way to describe that, but I am one of the highest value targets on SilkRoad along with some of the larger vendors and SilkRoad staff so I am not taking risks with the safety of myself or fellow users.
[NOTICE OF CORRECTION] - The more knowledgeable members have agreed my assumption that 1024 bit keys are an established standard was too mild as these are not future-proof. Therefore, my recommendation has changed for all users to use a key which is at least 2048 bits and of course I'd still recommend everybody uses 4096 bit if they are given the oppotunity to use it as I personally do. Remember astor has posted a very helpful and easy to use guide for those wanting to learn PGP or find an easier to use program which is a bit more straightforward to use (you can find it at http://32yehzkk7jflf6r2.onion/gpg4usb/).
5. A vendor publicly maintaining a blacklist and published a postcode/ZIP code of the user next to their username. Seriously? [FIXED]
6. A buyer was kind enough to post a photo of the product with a reagent test. However, the file still contained meta-data on the camera type, time/date of the photo being taken and info like that although no GPS data. In addition, there was a small reflection of a face in the photo but it was very vague and many identifiable house features and property in the photo such as car keys (indicating model/brand), a local newspaper, cigarette packet and several magazines which on research, are paid subscriptions to your door and indicate very clearly what line of work they were in, with no obvious method of payment other than by card. [FIXED]
7. Vendor posting they will be on vacation going to a particular city between specific dates. The city was not a huge tourist destination so I can't imagine it being more than 1 or 2 flights a day from the country mentioned. Don't get profiled so easily! [FIXED]
8. A buyer who linked to their forum review message in the description and in their signature, a link to their Facebook account. This needs no further explanation. [FIXED]
These are only some of the things I have found in the past few days and I have no doubt there will be more I haven't spotted or have happened in the past. Remember I am not the only person crawling SilkRoad and with another 5 things I could add to the above list, this is not a threat avoided at all, some users here are still in serious danger of being identified as the worst of them all is not published in the above, but so you know, it took ~6 seconds for me to find who this person was and his full house address and telephone number.
I was going to publish this information in a weeks time but tonight I learned some very sobering bits of information which I cannot discuss and have been sent directly to DPR for his eyes only, or as he replied, "intel". SilkRoad has enemies who are the enemies of freedom and privacy and if we are to overcome the threats to our freedom we have to be responsible and take precautions to avoid landing ourselves in prison.
Vendors - you are some of the worst offenders in the above list. In point 1 where I talk of being able to personally identify you through your Facebook, 4 of those were vendors, 1 of them was a top 3% vendor and I am amazed how you haven't been caught yet. This is not only compromising your own security, but all of your customers and with some of them having 300+ sales, it is not a minor issue, especially seeing as I can imagine at least 1 or 2 of them keeping customer addresses as that seems to go hand in hand with poor awareness.
SILKROAD - GET YOUR ACT TOGETHER. This isn't a game, this is a struggle and we will not prevail when many of you are almost offering yourselves up as bait! I hope this warning is heeded before more people are caught in expressing their freedom.
Your loyal servant,
StExo
NB: Signature removed, formatting is messing up the post for some reason.
Edited 05/06/13: I have added a note of correction to point 4 as some of my knowledgeable colleagues have pointed out my recommendation to use a 1024 bit key was too mild, so my recommendation has changed to 2048 bit keys instead so many thanks to those who have highlighted this to me. If anyone needs help making a new PGP key, wanting to learn how to use PGP or simply find an easy to use program which offers the same security benefits as GnuPG but is much more user-friendly, try Astor's PGP guide here: http://32yehzkk7jflf6r2.onion/gpg4usb/ « Last Edit: June 05, 2013, 01:54 pm by StExo »
(http://dkn255hz262ypmii.onion/index.php?action=helpadmin;help=see_member_ip) "Vi veri veniversum vivus vici"
Questions about money laundering? Just ask!
Email: StExo@tormail.org (Use PGP & include your public key)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg1100830#msg1100830
My Hidden Service: http://5uvrgtrgtwkkxsgw.onion/
-
Wow thats all pretty disturbing
-
Bumped up so others read it...
(Although I hope he realises that not all forum members are trying to be anonymous... as not everyone is participating in illegal activity.)
-
Bumped up so others read it...
(Although I hope he realises that not all forum members are trying to be anonymous... as not everyone is participating in illegal activity.)
Not trying to be anonymous? Why would you want to be associated with an illegal drug market?
-
Some people are just here for the experience to say they've been here. BEING here isn't illegal.
Good idea reposting this here.
-
Definitely worth a bookmark. This is how sites like euphoricknowledge.com went down, let's not let irresponsibility destroy a useful protocol.
-
Thought this was going to be something about a hole in SR's security, glad to see it's just all retarded fucks taking the heat away from those who actually value their freedom.
-
Thought this was going to be something about a hole in SR's security, glad to see it's just all retarded fucks taking the heat away from those who actually value their freedom.
AGREED
-
Learning, learning and more learning, yew need a break... lol
-
That is just incredible work by the OP. Very well written and somewhat frightening. Every time I come to the forum I more and more impressed with the majority of the people here and the lengths at which they go to keep SR alive. Major props! If I could give Karma, I'd certainly do so. THANKS!
-
if SR users can identify that much info LEO must be in deeper
-
Today there was a news story in Oz about some kid who apparently died after taking some synthetic hallucinogen he ordered through the web. Seems he jumped off a building, allegedly in the belief that he could fly (vision of uniformed police officer showing reporter how easy it is to get these devilish drugs on SR).
Given that every single TV news report showed the SR website and most mentioned it by name is a bit of a worry as it will only attract more inexperienced teens, overprotective parents and fanatical crusaders to these pages. The point I am trying to make is that anyone using SR should make protecting their anonymity their highest priority, especially in light of the increased scrutiny.
Kudos to the OP and StExo!
-
Great Thread, Always more to learn. I'm very grateful for the SR community!
-
A big reminder to everyone to be very safe and don't do anything stupid if you value your freedom. We have to play their game if we don't want to get caught
-
Everyone should use GPG ALWAYS. If you don't how it works, go learn and come back when you are ready. Also stronger keys (4096 bits) should be preferred.
-
Seems like you cannot be careful enough on here. A lot of reading & homework to do before making a purchase!
-
BUMP!
This should be read by all users of SR. Anything you use or post on SR should be completely unrelated to your actual life. It's insane to think that decent vendors can be identified all the way to their facebook...
-
Thank you for this, I had to stop posting on the forums a long time ago because I realized that I was giving more information than I should. I am going to post again because I received some very good samples and these vendors deserve to be reviewed. Hopefully I will be more careful this time
-
Thought this was going to be something about a hole in SR's security, glad to see it's just all retarded fucks taking the heat away from those who actually value their freedom.
AGREED
My thoughts exactly
-
Wow, it's troubling how careless some people can be. I guess paranoia can be a good thing, it will keep you safe...
-
Not trying to be anonymous? Why would you want to be associated with an illegal drug market?
I'm a drugs researcher, especially interested in drug policy and how drug markets are changing in increasingly digitally connected societies. I find SR fascinating - and I'm interesting in understanding the changes it is making to drug markets more broadly and how it is changing the practices of buying and selling, e.g. the effects of having vendor rating systems, the globalisation of drug markets, etc.
So, Silk Road is an topic I am often asked to speak about publicly. All I can really do is embrace public association with this site. I know, very much unlike most other people here! Although, there is nothing stopping me from having an alter-ego ;)
-
nice work
bad results :-\
-
Visited an old thread. I think this deserves a monthly bump just to keep it fresh in everyone's minds.
Watch your P's and Q's,
for
here be dragons...
-
It's great some of these opportunities were identified and dealt with. I've noticed clearnet e-mail addresses in several vendor public keys as mentioned in item #1.
-
Today there was a news story in Oz about some kid who apparently died after taking some synthetic hallucinogen he ordered through the web. Seems he jumped off a building, allegedly in the belief that he could fly...
Anyone who trips hard without an experienced sitter is a Darwin Award candidate.
-
As with any internet site, you're going to have a few folks who don't understand or realize the consequences of being caught -- even if he/she is only a small time buyer. Even a month in prison with hardened criminals should make anyone shiver, especially if you live in a country with a less than admirable prison/judicial system or harsh penalties for these kinds [drugs, fake IDs, credit fraud, other illicits] of illegal activities.. Low hanging fruit can be useful though as a buffer for those who take this site and all associated dealings seriously.
As for vendors, top rated vendors at that, having these kind of gaping security flaws -- that is truly disturbing; all associated customers of said vendor could be equally screwed if that person was caught and had contact's addresses, btc wallet addresses, unsecured emails, and real names/home addresses out in the open...
At least some people take action to help save others hinds.
We should all be thankful!
-
Today there was a news story in Oz about some kid who apparently died after taking some synthetic hallucinogen he ordered through the web. Seems he jumped off a building, allegedly in the belief that he could fly...
Anyone who trips hard without an experienced sitter is a Darwin Award candidate.
I've never used/needed a sitter, but then again, I stick to the naturals: Psilocin/Psilocybin, LSD, and Mescaline! ;)
-
Wow thats all pretty disturbing
+1 - definitely big thanks SteXo - i'm definitely not computer savvy, but luckily paranoia kept me from making any of those mistakes - doesn't mean i wouldn't have, if i hadn't seen your post.
thanks again
-
Bump...thank you for the info.
-
SINCE MOST NEWBIES ARE GOING TO spend a lot of time in this forum, might be a good idea to sticky it here as well
-
SINCE MOST NEWBIES ARE GOING TO spend a lot of time in this forum, might be a good idea to sticky it here as well
I second this.
-
Today there was a news story in Oz about some kid who apparently died after taking some synthetic hallucinogen he ordered through the web. Seems he jumped off a building, allegedly in the belief that he could fly...
Anyone who trips hard without an experienced sitter is a Darwin Award candidate.
I've never used/needed a sitter, but then again, I stick to the naturals: Psilocin/Psilocybin, LSD, and Mescaline! ;)
It's not about the drugs, it's about the dose. I've done normal and strong doses of shrooms and LSD, and I've been able to handle the trip and be out and about in public without being a danger to anyone or myself. Still "aware" of reality if you like.
But I've also taken utterly mad bastard lock-him-in-a-loony-bin amounts. At that stage reality utterly dissolves, you plunge into the madness and if you think something is true it simply is. Great fun, but not safe.
-
that's scary news. Thanks
-
Today there was a news story in Oz about some kid who apparently died after taking some synthetic hallucinogen he ordered through the web. Seems he jumped off a building, allegedly in the belief that he could fly...
Anyone who trips hard without an experienced sitter is a Darwin Award candidate.
I've never used/needed a sitter, but then again, I stick to the naturals: Psilocin/Psilocybin, LSD, and Mescaline! ;)
It's not about the drugs, it's about the dose. I've done normal and strong doses of shrooms and LSD, and I've been able to handle the trip and be out and about in public without being a danger to anyone or myself. Still "aware" of reality if you like.
But I've also taken utterly mad bastard lock-him-in-a-loony-bin amounts. At that stage reality utterly dissolves, you plunge into the madness and if you think something is true it simply is. Great fun, but not safe.
I'd agree that is all relative to the dose.
But it also comes down to neuro-chemistry, strength of self, and emotional secureness. I've done doses where I've experienced the classic shamanistic death/rebirth process (4+ grams of P. cyanescens to name one), but I believe those journeys are best used as a once-in-a-lifetime experience. There seems no need to go farther as I find it beyond the realm of human understanding and competence; but I digress.
First timers should use a sitter, if possible, just in case they have a negative response. It would be quite a pity to have one's first psychedelic experience scare one out of further exploration.
-
Bumped up so others read it...
(Although I hope he realises that not all forum members are trying to be anonymous... as not everyone is participating in illegal activity.)
Not trying to be anonymous? Why would you want to be associated with an illegal drug market?
Ask the psychoactive specialist spanish doc on this thread, who's name is publicly spread : http://dkn255hz262ypmii.onion/index.php?topic=147607.45