Silk Road forums
Discussion => Silk Road discussion => Topic started by: Dread Pirate Roberts on December 01, 2011, 03:32 am
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Silk Road now resides at a new, more easily remembered url. Please update your bookmarks and memorize it:
silkroadvb5piz3r.onion
-
lol it gave me a fright when it disappeared and I was getting 404 errors
-
the new url isn't going to stop phishers. people are still going to log in through the hidden wiki.
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Silk Road now resides at a new, more easily remembered url. Please update your bookmarks and memorize it:
silkroad98uejm4n.onion
Don't you mean silkroadvb5piz3r.onion
-
Actual "Silk Road" admin account posting the update? yes
Signed post? yes
Signed post checks out against previously published "Silk Road" PGP key? yes
...I was skeptical but that certainly matches all of my "is it valid" criteria.
-
This is way too odd. There's a re-direct on the ianxz6zefk72ulzz.onion address to silkroadvb5piz3r.onion, and it also differs from the one shown here. Has SR been compromised?
-
I just went to log in to the old url and got this
silkroadvb5piz3r.onion
different from the one above. What gives? I'm not logging in for another 24 hrs
-
Are you sure this is the right address? Going to the old address (ianxz6zefk72ulzz) gives us the exact same message, but with a different address (silkroadvb5piz3r.onion, which seems to work) and silkroad98uejm4n.onion doesn't work at all.
The PGP signature seems to be the same too, but as I don't have the SR keys (yet, I'm going to look for them in a minute) I can't verify either message.
-
it's not active for me yet :(
-
Don't you mean silkroadvb5piz3r.onion
I'm wondering about that too. The address posted by Silk Road here doesn't work for me at all.
-
Hello SR,
I am getting info to a redirect of http://silkroadvb5piz3r.onion/. Is this the new URL? The one posted above has timed out. I will await confirmation.
Thanks,
ColdFrost
-
You sure there isn't an http:// in front of that? getting nothing
-
http://silkroadvb5piz3r.onion/ is the correct address. I have logged in to it several times now...go ahead and log in
-
Yeah, two different urls. This one in the thread doesn't even attempt to load for me. The one from the redirect page tried, but timed-out. I was logged in when it changed, will it have logged me out automatically?
-
more easily remembered url.
and it looks like you forgot it already!
-
I'll defer to whatever "Silk Road" posts and take what mr phisher says with a grain of salt.
-
I'll defer to whatever "Silk Road" posts and take what mr phisher says with a grain of salt.
A strange coincidence is that Mt Gox also updated their website about the exact same time it appears...
Hmmmmm.
-
THE SIGNATURE ON THE REDIRECT PAGE DOES NOT MATCH AGAINST WHAT I HAVE FOR THE SR PUBLIC KEY!
However, like I said earlier, the original post does match what I have.
-
Nobody tell Mr. Dank where the new site is! 8)
-
the link I posted is from the original site redirect. If you want to try it to make sure the link I posted works,
username: red
password: white
-
can someone (admin) please verify that http://silkroadvb5piz3r.onion/index.php/silkroad/home is the official address so we can get back to biz 8)
thnx!
-
Ok I got to the SR login from the redirect, but the one Silk Road posted doesn't do anything. Not gonna actually log-in for awhile though. Not till a mod or some senior members say it's all good.
Edit: was there ever an http for SR? I don't remember it being there. This all seems sketchy...
-
fucking weird. This comes out of nowhere - doesn't really serve a purpose and appears to be totally inconsistent between the redirect and what is posted here.
I am going to have to read up on hidden services URLs... how did he get a personalized hidden service URL? I am not logging in.
-
I took a chance and logged in to the http://silkroadvb5piz3r.onion/index.php/silkroad/home address and it seems all good. all my btc are there, all my orders and stats are there, etc and everything looks like it always did. I even clicked around some products and everything is exactly as it was
-
Thank god, I was connecting to silkroad for 10 h, then I got a message that I need to go to this url and it works fine for me.
-
was there ever an http for SR? I don't remember it being there. This all seems sketchy...
The http:// shouldn't really matter since if you omit that part, your browser will just assume the HTTP protocol anyway.
Would anyone be kind enough to link me to the SR public key? I'm having some trouble finding it.
-
I'm not saying the newbies are lying, but I'll be taking the mildly paranoid route and not doing shit til I hear from Silk Road or senior members.
Just because you can login doesn't mean someone didn't phish your password. They could intercept it, record it, and forward it to the site so that you go along without knowing... meanwhile they're seeing if you're using the same password anywhere else...
-
Usually Silk Road provides a longer explanation and it seems kinda weird that he only made the post and hasn't followed up with any replies. I think I'm going to sleep on it and let everyone else figure out what's going on while I sleep :) zzzzzzz
-
Custom URL: Could be an old tactic of requesting something random repeatedly until it matches the non-random thing you want it to look like.
The redirect page: I'm not giving any credentials to anything that isn't verified here by a signed post that actually validates from the real "Silk Road" admin account.
-
...oh dear...what's going on here...
-
This is way too odd. There's a re-direct on the ianxz6zefk72ulzz.onion address to silkroadvb5piz3r.onion, and it also differs from the one shown here. Has SR been compromised?
Crap, sorry. It's been corrected. That other one is one we have access to as well.
-
Well time to try out it then I guess...
-
This is way too odd. There's a re-direct on the ianxz6zefk72ulzz.onion address to silkroadvb5piz3r.onion, and it also differs from the one shown here. Has SR been compromised?
Crap, sorry. It's been corrected. That other one is one we have access to as well.
Can you re-sign it? Currently it's showing up as an invalid signature.
-
The signature on the post in the forum is the same signature as the post on the original ianxz6zefk72ulzz.onion/ site, but the message is different. That is why the post on the site doesn't verify and the one in the forum does. But a phisher couldn't have created a redirect page with the same .onion address as the actual store without a few decades of brute forcing the private key to get that address. And they can't spoof the address unless they controlled a majority of TOR nodes (which they don't). The link on the redirect page is legit, and if you want to try it with a login that isn't yours, PM me and I'll give you one to try.
-
This is way too odd. There's a re-direct on the ianxz6zefk72ulzz.onion address to silkroadvb5piz3r.onion, and it also differs from the one shown here. Has SR been compromised?
Crap, sorry. It's been corrected. That other one is one we have access to as well.
I'm convinced. Thanks for the confirmation SR. Time to get back to business!
-
The signature on the post in the forum is the same signature as the post on the original ianxz6zefk72ulzz.onion/ site, but the message is different. That is why the post on the site doesn't verify and the one in the forum does. But a phisher couldn't have created a redirect page with the same .onion address as the actual store without a few decades of brute forcing the private key to get that address. And they can't spoof the address unless they controlled a majority of TOR nodes (which they don't). The link on the redirect page is legit, and if you want to try it with a login that isn't yours, PM me and I'll give you one to try.
This is not going smoothly, resigning now and replacing message on this thread and at ianxz6zefk72ulzz.onion
-
...how did he get a personalized hidden service URL?...
https://github.com/katmagic/Shallot
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Silk Road now resides at a new, more easily remembered url. Please update your bookmarks and memorize it:
silkroadvb5piz3r.onion
...I can't import this PGP key....says it's invalid...
-
...I can't import this PGP key....says it's invalid...
That's not a key, it's a message signed by a key.
-
..is this url valid, I get a logon screen ;-
http://silkroadvb5piz3r.onion
?
thanks
:-\
-
yes
-
...doh...ok...didn't read it properly, it's 4am...I don't have the public key anyway..
-
I am very confused :'(
So what's the legit new address now, or does nobody know yet?
-
replacing message on this thread and at ianxz6zefk72ulzz.onion
Why not leave the old addy pointing at the site for a week or two as well so folks get used to it, and put a notice at the top of the page that the new address is now available.
It's trivial to do - 2 lines of code in the torrc file to point another hidden service address at the same http server, you just need a private key file directory for each one.
You can have 64 different .onion addresses pointing to the same server, if you want.
Edit: Like this
HiddenServiceDir Path/to/hidden/service/secret/key/for/ianxz6zefk72ulzz.onion/
HiddenServicePort 80 127.0.0.1:80
HiddenServiceDir Path/to/hidden/service/secret/key/for/silkroadvb5piz3r.onion/
HiddenServicePort 80 127.0.0.1:80
Both addy's will respond identically, and all your users won't lose their shit wondering what the fuck is going on.
-
ok, both messages are updated and signed now.
The new address is: silkroadvb5piz3r.onion
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Silk Road now resides at a new, more easily remembered url. Please update your bookmarks and memorize it:
silkroadvb5piz3r.onion
This edited, but still signed version of the url update post validates against the public key that I have for the "Silk Road" user.
-
....logon ...thanks
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Silk Road now resides at a new, more easily remembered url. Please update your bookmarks and memorize it:
silkroadvb5piz3r.onion
Of course, I'd feel better if this redirect signature validated too... maybe it's a web-caching thing....
-
I'm still getting KEY NOT VALID... can you check that again? I'm not going to any new URL unless I see a signature that matches the PGP key I have for Silk Road.
Here is the PGP public key I have for the SR Admin account:
-
Hey paper, did you list Mitonax Mdma, its up now. This is Mysteries.
-
ITS LE!!! EVERYONE RUN!!! SELLERS SEND ALL DRUGS TO ME FOR SAFE KEEPING!!!
-
Paper... yes, that matches the key that I imported for SR from the original marketplace site... I grabbed it during the last outage for just such an occasion.
The redirect is still what I quoted earlier and doesn't validate for me. The edited first post in this thread does validate for me (just rechecked it). I assume this is legit, but I'm going to wait for everything to line up like it should before giving out any information of value.
-
I'm still concerned why Mt Gox changed their website at about the exact same moment...
Was there some window of opportunity both of them took at the same moment?
-
replacing message on this thread and at ianxz6zefk72ulzz.onion
Why not leave the old addy pointing at the site for a week or two as well so folks get used to it, and put a notice at the top of the page that the new address is now available.
It's trivial to do - 2 lines of code in the torrc file to point another hidden service address at the same http server, you just need a private key file directory for each one.
You can have 64 different .onion addresses pointing to the same server, if you want.
I wanted to do that, but it conflicts with the site code :(
-
I'm still getting KEY NOT VALID...
You may need to set a (higher) trust level for the SilkRoad key you've already imported into GPG. For what it's worth, the key you posted matches the copy I have on my hard drive from June 19th of this year.
-
Haha Robin, I read "It's LE", and shit myself, then read SELLERS SEND ALL DRUGS TO ME FOR SAFE KEEPING!!!
funny as shit.
If you didn't list that orange, I swear I saw it pop up in front of my eyes as if you were logged in paperchasing,
do you have an old key from SR or did he only have one.
Maybe Mtgox is where silk hides his bitcoins. lol Conspiracy theories. Haha
-
Silk Road, why is your UID on SR not "Silk Road uid 1" and is now a brand new user name and UID? and where did the old one go?
-
replacing message on this thread and at ianxz6zefk72ulzz.onion
Why not leave the old addy pointing at the site for a week or two as well so folks get used to it, and put a notice at the top of the page that the new address is now available.
It's trivial to do - 2 lines of code in the torrc file to point another hidden service address at the same http server, you just need a private key file directory for each one.
You can have 64 different .onion addresses pointing to the same server, if you want.
I wanted to do that, but it conflicts with the site code :(
Relative URLs are your good friend.
-
Dear SR Admin,
I am very happy with the speed of the site now. Sorry to be a pain in the ass I know it could possibly be beyond your control at times but please keep it that way. I have been sad for 4 days because I had such a hard time connecting to SR. Wow I think I'm becoming addicted. Customers are wonderful, other sellers are wonderful. Never a problem here! This place took away so much stress from my life - with that said you'll notice I've only been a member for 30 days and only have ten transactions but it's all going so smooth.
-
Holy Shit SR Admin....Re-Do this whole thing! Then Vaporize it! You've got your Key Published and just waaay too much exposed!
-
warweed... are you looking at the "SR Support" account? If you brute-force looking at user #1, it's still SR with the same original listings as before (yes, I have some of them memorized).
However, if anything gives it away as being a bogus site, it's the listing of btc being at $3... come on now... I'm not that gullible.
-
ok y'all, something funny here, I just ran out of Mitanox's orange earlier today so if it's showing as listed then something's up
Silk Road: IDENTIFY YOURSELF COMRADE
-
ok y'all, something funny here, I just ran out of Mitanox's orange earlier today so if it's showing as listed then something's up
Silk Road: IDENTIFY YOURSELF COMRADE
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Nothing has changed, just the URL. All data, including item quantities should be unaffected.
-
So this is legitimate? I'm afraid to log on. If this is a phishing attempt I'd call it the greatest one ever.
-
ummmm Your post returns KEY NOT VALID bro.... ok so let's say you are SR.. tell me the correct answer to this: what was the transfer in BTC I sent you for the out of escrow sales during the site outage? Now if you don't know that, you are a phony, because we both agreed on a number that was not the actual number I sent you... now what is it bro?
Paperchasing
-
it's legit, BTC Last price:$3.02100 no worries
The author of the post you're referring to was joking.
I thought it was funny anyway...
I'll wait to see what Paperchasing decides. Let us know bro, the more paranoid of us are waiting for the all clear ;)
-
I'm sayin' *** bullshit *** until SR either posts a message that matches the signature or they can tell me the secret number we agreed on as an alternate authentication tool, either would be fine.
-
I hope you're joking about the BTC price thing. Definitely way too sketched out to login at this point.
Waiting on a response to PaperChasing's post.
-
Why not leave the old addy pointing at the site for a week or two as well so folks get used to it, and put a notice at the top of the page that the new address is now available.
It's trivial to do - 2 lines of code in the torrc file to point another hidden service address at the same http server, you just need a private key file directory for each one.
You can have 64 different .onion addresses pointing to the same server, if you want.
Edit: Like this
HiddenServiceDir Path/to/hidden/service/secret/key/for/ianxz6zefk72ulzz.onion/
HiddenServicePort 80 127.0.0.1:80
HiddenServiceDir Path/to/hidden/service/secret/key/for/silkroadvb5piz3r.onion/
HiddenServicePort 80 127.0.0.1:80
Both addy's will respond identically, and all your users won't lose their shit wondering what the fuck is going on.
I wanted to do that, but it conflicts with the site code :(
I think you need to take a look at this again.
Absolutely no reason in the world that wouldn't work, unless you've hard-coded in the absolute path including the .onion domain, and even if you had done that, a simple grep search/replace with relative paths would take all of 1 minute.
You're freaking out your members for no good reason, and it's time to fire whoever is giving you advice on Tor hidden services.
-
it's legit, BTC Last price:$3.02100 no worries
The author of the post you're referring to was joking.
I thought it was funny anyway...
I'll wait to see what Paperchasing decides. Let us know bro, the more paranoid of us are waiting for the all clear ;)
it's legit, BTC Last price:$3.02100 no worries
The author of the post you're referring to was joking.
I thought it was funny anyway...
I'll wait to see what Paperchasing decides. Let us know bro, the more paranoid of us are waiting for the all clear ;)
I wasn't joking, seriously haven't logged in since I saw that the URL was updated to something I didn't recognize. Is the site legit or not? Are other people using it currently?
-
ITS A TARP!!1
It's a tarp? Sweet; it's gonna rain next week and I hafta cover some shit up. Keep my wood dry. Needed a tarp.
OK ... so ... I am like 50/50 on the legitimacy here ... got a seller account with tons of +++++ feedback and I am a little ... shocked by the abruptness and the 'jump into the cold water' style of this announcement of the URL migration. Haven't logged into the new site yet.
So, SR, thanks for confirming the migration is legit and continuing to re-assure and answer questions. I can think of 4 reasons right now why an abrupt migration makes sense. An easier to remember URL is not one of them. That URL seems still easy to spoof. Can anyone tell me which one of these is correct without looking at the new url? :
silkroadvb5piz3r.onion
silkroadvc5piz3r.onion
Yeah, I can't either.
I can think of 40 reasons why an abrupt migration is concerning, a point of contention. Will the other forum admins please (dig alch, et al.) confirm the abrupt migration and affirm everything is on point. Please.
The best way for a 3rd party to take control of SR would be to export the dB and code, migrate and redeploy at a new URL pointing at a content delivery network designed to track and identify, and then re-assure everyone everything was cool here.
"Hey, what could possibly be wrong? all the same data is right there."
Thanks in advance for holding my hand and the other forum admins here chiming in and affirming the migration.
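The "personalized" address question (Shallot, the "request something random until it matches" tactic) and the silkroadvb5piz3r/silkroadvc5piz3r lookalike problem raised in this post come down to how a v2 onion name is derived from the service's RSA key. This added example (not code from the thread, Tor or Shallot) derives a name from a constructed, deliberately small RSA modulus, shows why a short vanity prefix is cheap while a whole 16-character name is not, and compares a visited name against one pinned from a signed announcement.

```python
"""Derive a Tor v2 onion name from a hidden-service RSA public key, estimate
what a vanity prefix costs, and compare a visited name against a pinned one.

Added example, not code from the forum thread, Tor or Shallot. The RSA
modulus used below is a small constructed value (real v2 keys are 1024-bit);
the derivation itself is the standard v2 rule."""
import base64
import hashlib

BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02), minimal big-endian, leading 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(content)) + content


def onion_v2_address(public_key_der: bytes) -> str:
    """v2 onion name: base32 of the first 80 bits of SHA-1 over the DER public key."""
    digest = hashlib.sha1(public_key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def expected_tries_for_prefix(prefix: str) -> int:
    """Average number of keys to generate before one hashes to a name starting
    with `prefix`: 5 bits per base32 character, so 32 ** len(prefix). A name is
    16 characters, so matching a *whole* name is 32 ** 16 = 2 ** 80 work."""
    if not prefix or any(c not in BASE32_ALPHABET for c in prefix):
        raise ValueError("prefix must be non-empty lowercase base32 (a-z, 2-7)")
    return 32 ** len(prefix)


def shared_prefix_length(a: str, b: str) -> int:
    """Leading characters two names have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def _bare(name: str) -> str:
    name = name.strip().lower()
    return name[:-len(".onion")] if name.endswith(".onion") else name


def check_against_pinned(visited: str, pinned: str, warn_at: int = 6) -> str:
    """Compare the name you are about to log in to with the one you pinned from
    a signed announcement. Only an exact match passes; a long shared prefix with
    a different tail is exactly what a vanity-generated lookalike looks like."""
    visited, pinned = _bare(visited), _bare(pinned)
    if visited == pinned:
        return "match"
    shared = shared_prefix_length(visited, pinned)
    if shared >= warn_at:
        return f"lookalike: first {shared} characters match, rest differs"
    return "different"


if __name__ == "__main__":
    # Constructed modulus, not a real key: only the encoding path is exercised.
    n = 0xC0FFEE00DEADBEEF0123456789ABCDEFFEDCBA98765432100BADF00D
    der = rsa_public_key_der(n, 65537)
    print("derived name:", onion_v2_address(der) + ".onion")
    print("expected tries for 'silkroad' prefix:", expected_tries_for_prefix("silkroad"))
    print(check_against_pinned("silkroadvc5piz3r.onion", "silkroadvb5piz3r.onion"))
```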
-
EVERYTHING IS NOT OK!!
obviously you're looking through the old BTC transfers to try and find it... that's useless bro, the number me and SR agreed on is *NOT* the number I actually sent to them on SR...
If you are the real Silk Road Admin please identify yourself, the natives are getting restless, just post the number here or give it to me on the SILC channel.
-
Just because the site looks like normal doesn't mean it wasn't compromised. Paranoia is a good thing at times like these.
-
Yes, I was joking at the surprise of 1btc = $3... though I'm still keeping my skeptical nature about the site. I've created a new account on it for "poking around" purposes.
Paper, I think you need to verify your key checking process. All signed posts by the "Silk Road" admin account in this thread check out as being valid for me... and we have the same keys as verified earlier. You should try checking some of the earlier "Silk Road" posts and verify that your key-checking does indeed work. Maybe my checking is flawed and you're the one true checker... but if that's the case, you should be able to verify that against older, non-edited SR posts.
About your "orange" levels, when I checked it earlier, SR had one of your orange listings left... easily something that could have been a canceled order (just guessing from my pov).
I still wish that the redirect from the original site URL had a signed message that validated, but that worries me far less than any of the previous discrepancies.
-
it's legit, BTC Last price:$3.02100 no worries
The author of the post you're referring to was joking.
I thought it was funny anyway...
I'll wait to see what Paperchasing decides. Let us know bro, the more paranoid of us are waiting for the all clear ;)
it's legit, BTC Last price:$3.02100 no worries
The author of the post you're referring to was joking.
I thought it was funny anyway...
I'll wait to see what Paperchasing decides. Let us know bro, the more paranoid of us are waiting for the all clear ;)
I wasn't joking, seriously haven't logged in since I saw that the URL was updated to something I didn't recognize. Is the site legit or not? Are other people using it currently?
Oh. Yeah, BTC went up to 3 today. I thought you were kidding because of it hitting 3.
I was in the middle of my FIRST transaction (a test transaction to see how long it takes to get from one place to another) when both Mt Gox updated their site and SR changed URLs.
Still no one's suggested why both sites would change at nearly the exact moment...
I've already changed some passwords and am anxiously awaiting Paperchasing or other senior members to give the all clear before I log in. Even though I'm a newbie, I think recommending the same to everyone else is good advice... if you don't have a very good reason to log in, I would most certainly WAIT just a bit longer...
-
Captcha is different too.
I ordered from AAkoven and updated my Feedback today.
The updated feedback is still there but...
I dunno man.
-
Using a new empty account on the new SR, it seems like lots of items are missing, as if it were an old backup. Opioids dropped from 104 earlier today to below 40 items listed.
-
This was just added to the main page of the new onion link
Be advised:
This website is experimental. We do not guarantee your anonymity, protection from law enforcement in your jurisdiction, or protection from other users of this service. You and you alone are responsible for the risks associated with entering and using this website.
In particular, because all connections to this site are anonymized, we cannot guard as easily as normal sites against brute-force and phishing attacks against your password. Weak passwords that you have used in the past may not be strong enough on this site. We strongly recommend you use a three-word passphrase, or a 16 character password with letters, numbers and symbols. Also, make sure you are visiting the authentic Silk Road onion url each time you log-in. If you suspect you ever log in through a phishing site instead, you need to change your password immediately.
-
Yeah, the longer the invalidly signed redirect on the original site sits there, the worse of a feeling I get for various reasons I won't spew here. I also noticed the different captcha pattern. Add in the abruptness of it all... definitely staying on the fence until more of this settles, including Paper validating the signed messages.
-
This was just added to the main page of the new onion link
Be advised:
This website is experimental. We do not guarantee your anonymity, protection from law enforcement in your jurisdiction, or protection from other users of this service. You and you alone are responsible for the risks associated with entering and using this website.
In particular, because all connections to this site are anonymized, we cannot guard as easily as normal sites against brute-force and phishing attacks against your password. Weak passwords that you have used in the past may not be strong enough on this site. We strongly recommend you use a three-word passphrase, or a 16 character password with letters, numbers and symbols. Also, make sure you are visiting the authentic Silk Road onion url each time you log-in. If you suspect you ever log in through a phishing site instead, you need to change your password immediately.
I apologize - I was on the "click here to join" link. I will shut up now.
-
wtf..I did log on but I have nothing there..but still I wanted to buy some shit tonight..but not now.
The bad thing is..there is no official shit from admins at all.
-
Yeah there is clearly something wrong. There was no valid reason to change the url, and that's not something you just do because you feel like it. There was no announcement or anything. Also why is the SR admin leaving everyone in the dark? Posting single sentences every half hour? Hopefully, we can get this resolved but I am not logging in until I see something positive. :-\
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
My signed messages check out, paperchasing is confused (see my pm paperchasing), nothing is different about the database. In regards to variety's solution, it does not work. I thought of that. All of the links on the site are generated by our framework to have absolute paths, including the domain, so multiple domains would not work. In retrospect, I should have announced this change before doing it, but I found out that tor nodes have been blocking the old address causing terrible connection issues and I didn't want to wait to apply this fix. There isn't much more validation that can be done beyond controlling the official Silk Road private key, and the private key corresponding to the old URL, which I have demonstrated. I understand if you want to give it some time to make sure everything is ok, but there is no need to panic. Sorry for all of this trouble.
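The obstacle SR describes here (the framework emits absolute links that include the domain, so the two-HiddenServiceDir torrc from earlier in the thread would bounce visitors back to one name) is a link-generation problem, not a Tor one. This added example, not code from the thread or from the site it discusses, shows the hard-coded link beside its root-relative replacement, a Host-header check restricted to the configured onion names, and the one-off search/replace pass over stored HTML that variety suggests; the Host values and HTML are constructed samples.

```python
"""Serve one web application under several .onion names at once, the way two
HiddenServiceDir/HiddenServicePort pairs in torrc allow, without links that
carry a hard-coded domain.

Added example, not code from the forum thread or from the site it discusses.
The Host values and HTML are constructed samples."""
import re

# The onion names configured in torrc. Any other Host header is refused rather
# than reflected into generated links.
KNOWN_ONIONS = {"ianxz6zefk72ulzz.onion", "silkroadvb5piz3r.onion"}


def absolute_link_hardcoded(path: str) -> str:
    """The pattern that makes a second name unusable: every link points back
    at one fixed domain, so visitors of the other name are bounced to it."""
    return "http://ianxz6zefk72ulzz.onion" + path


def relative_link(path: str) -> str:
    """Fixed form: a root-relative link resolves against whichever onion
    name the visitor actually arrived through."""
    return path if path.startswith("/") else "/" + path


def resolve_host(environ: dict):
    """Onion name from the Host header, only if it is one we configured."""
    host = environ.get("HTTP_HOST", "").split(":")[0].strip().lower()
    return host if host in KNOWN_ONIONS else None


_ABSOLUTE_ONION_LINK = re.compile(
    r"""(href|src|action)=(["'])http://([a-z2-7]{16}\.onion)(/[^"']*)?\2""", re.I)


def rewrite_absolute_links(html: str, known_hosts=KNOWN_ONIONS) -> str:
    """One-off migration pass over templates or stored HTML: absolute links to
    any of our own names become root-relative; links elsewhere stay as they are."""
    def repl(m):
        attr, quote = m.group(1), m.group(2)
        host, path = m.group(3).lower(), m.group(4) or "/"
        if host not in known_hosts:
            return m.group(0)
        return f"{attr}={quote}{path}{quote}"
    return _ABSOLUTE_ONION_LINK.sub(repl, html)


def render_home(environ: dict):
    """Tiny handler: refuse unknown Host values, emit relative links only."""
    if resolve_host(environ) is None:
        return 421, "Misdirected Request"
    return 200, f'<a href="{relative_link("index.php/silkroad/home")}">Home</a>'


SAMPLE_HTML = (  # constructed
    '<a href="http://ianxz6zefk72ulzz.onion/index.php/silkroad/home">Home</a> '
    '<img src="http://silkroadvb5piz3r.onion/img/logo.png"> '
    '<a href="http://aaaaaaaaaaaaaaaa.onion/">elsewhere</a>'
)

if __name__ == "__main__":
    print(rewrite_absolute_links(SAMPLE_HTML))
    print(render_home({"HTTP_HOST": "silkroadvb5piz3r.onion"}))
    print(render_home({"HTTP_HOST": "evil-lookalike.onion"}))
```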
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
My signed messages check out, paperchasing is confused (see my pm paperchasing), nothing is different about the database. In regards to variety's solution, it does not work. I thought of that. All of the links on the site are generated by our framework to have absolute paths, including the domain, so multiple domains would not work. In retrospect, I should have announced this change before doing it, but I found out that tor nodes have been blocking the old address causing terrible connection issues and I didn't want to wait to apply this fix. There isn't much more validation that can be done beyond controlling the official Silk Road private key, and the private key corresponding to the old URL, which I have demonstrated. I understand if you want to give it some time to make sure everything is ok, but there is no need to panic. Sorry for all of this trouble.
Can't they just block the new address just as well?
-
SR just want to be sure you are aware that the post you made on the original site URL does NOT verify with your public key and no one is able to verify that message with your public key. It is not helping the situation.
*** Edit: The message has been updated and now verifies. Move along, nothing to see here ***
-
Thank you SR, I did not see your PM until right now. I don't know why my PGP is not verifying your messages, but everyone is super glad I had another way to verify cause a lot of people are having PGP verification trouble too besides me.
*************** THIS IS LEGIT - THE POSTER IS THE REAL SR ADMIN *******************
-
yea your signature says invalid, it's not working for me, however I logged in to the site and it looks fine, But I'm still very skeptical, I'm going to wait this out
-
I'm not going to quote any posts from the past. - I advise all new people to this thread to read the entire 7 pages.
-
Just created a new account and signed in and I am 100% sure the SR dB inventory is not the same as it was 2 hours ago, across at least 5 categories.
SR - why is that? Did you use an older version of the dB for the migration? I mean, I can understand why that might be necessary technologically, but can you just confirm that? The inventory is not the same as it was 120m ago. I am completely sure of that. 100%.
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
My signed messages check out, paperchasing is confused (see my pm paperchasing), nothing is different about the database. In regards to variety's solution, it does not work. I thought of that. All of the links on the site are generated by our framework to have absolute paths, including the domain, so multiple domains would not work. In retrospect, I should have announced this change before doing it, but I found out that tor nodes have been blocking the old address causing terrible connection issues and I didn't want to wait to apply this fix. There isn't much more validation that can be done beyond controlling the official Silk Road private key, and the private key corresponding to the old URL, which I have demonstrated. I understand if you want to give it some time to make sure everything is ok, but there is no need to panic. Sorry for all of this trouble.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iQEcBAEBAgAGBQJO1xdWAAoJEAIiQjtnt/ol1M0IAMSh+jcTVqiM6Yq6KULUVCVs
3YWhBDuQJTvQagaioFjzoXv6519xcpBLhymt5xmEEVaU1mvMKj8mflpI7bvcKUGf
8ErjrJlarbnCNfj/zV1QdbUOODLVAU4w1Qv2Ke3LJ4M+ysu4AcIOxbL/3MIPVWfv
zYSiQrBIpvSOm4yS/wlrfvA+vQHYV4FChIgX+dnfzSKRuTxNNS0Wk341Wt+cpWBh
StuSAkA1OMr82ht4RgvnC/JxMYvvJ+uLah74QkGZDbXY3YebJs1FQWW+G8Cp+1m7
+LWz/aaAMaCpWqJ/T9zefCBI4YnClk5202N6l1gDei8OeLzDe7oCYDaiAu2zahQ=
=x34r
-----END PGP SIGNATURE-----
Can't they just block the new address just as well?
yes, but this works for now and we'll come up with a more permanent solution (hopefully)
-
Everyone who's getting "invalid" results when checking the signed messages here needs to try validating some known-to-be-correct messages. Google other sites and do some practice runs to make sure you're checking the right things and getting results that match the known results. This is kinda like hard drive backup... if you haven't done a practice run or two when it's not an emergency, you don't really know if you're doing it right when it is an emergency.
Also, the redirect has changed and it now validates for me as well. Happy day... I'm still not logging in with an account I value until I absolutely have to though.
-
Exodusultima, have you set your location on the new account? This would explain why your number of listings has changed.
-
...I don't know why my PGP is not verifying your messages, but everyone is super glad I had another way to verify because a lot of people are having PGP verification trouble too besides me.
If you have an old copy of SilkRoad's key already on your keyring -- say, from months ago -- then temporarily set trust on that key to ultimate and recheck the signed messages. They do verify.
-
Exodusultima, have you set your location on the new account? This would explain why your number of listings has changed.
mRNA, good call. that seems closer. now I can see my own seller listings ... heh.
wow, I've been a part of huge dB and website migrations before, but this is a whole new level of intensity. URL change: car crash style.
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OK someone in chat suggested that I post a PGP signed message that so that everyone knows im the real paperchasing
and that this shit is legit
** THIS IS LEGIT, THE POSTER AUTHENTICATED HIMSELF TO ME PRIVATLY AND ITS DEFINITLY SR ADMIN **
(thank goodness, you scared us good there bro)
Paperchasing
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
...
=sWL5
-----END PGP SIGNATURE-----
-
I'm unable to access ianxz6zefk72ulzz.onion and can access but don't yet trust silkroadvb5piz3r.onion.
Why is the ian* address not still up with a signed message?
For that matter, given that we have effectively a shared secret, couldn't we do some kind of challenge-response type validation that the site we're talking to already knows our password, without having to give it? (This would be more complicated if you're doing the right thing and using salted hashes of passwords, not just storing the actual pass, but still.)
-
I'm not buying it. I'm calling bullshit. And I was just logging on to make a purchase. Not now. I'll wait.
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have verified Paperchasing's message as valid, and can confirm that he is legit.
I'm signing this message just so that we can have a chain of verifications.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJO13THAAoJEEzsCuWkmOemWMMH/29O3vjC6WVPCEYBedStuz0C
fKd6gySbo3McSOdwwXHZobIS92c0iorLO0lbfUZiBYT0jSXC7UoF15ChPEb42WEH
Xxk00eWP1MThmFcOxCWnmqc1n6juZedwjFC42xgrusxPIUuJDhEcrIk7UPFpjwjc
82NOucU/FTlLJrpTYNG1jcIr/6DXg5AZyolRVEX0efjSiJwj9Tdh0RheLxlhukH+
i5gayoQhBW0PA9PrD7uKnLC8oYPdHJ+7pBp7xD0LZ3epk/fvF/dYQj/4JkX2eDVY
tFVpIUgl722q+Z9RohG/ZSOBtM0rKXKx5tBcfoRzG4WF7DqVHr4iRZzTM0vLzYg=
=ICW1
-----END PGP SIGNATURE-----
-
I'm not buying it. I'm calling bullshit. And I was just logging on to make a purchase. Not now. I'll wait.
It's like someone stuck a stick in a beehive and now we're buzzing. Time will tell wazzup. Something is off, but it could just be a poorly executed migration.
-
I can confirm Paperchasing's post as legit, which in turn validates Silk Road's message.
It's a web of trust all the way down!
I don't trust none of y'all motherfuckers ;)
-
I found out that tor nodes have been blocking the old address causing terrible connection issues and I didn't want to wait to apply this fix.
That's not possible.
"It's not possible for a node to differentiate between proxy and hidden-service traffic for relay purposes."
http://archives.seul.org/or/talk/Aug-2008/msg00377.html
It's not possible for any node to block traffic for a specific hidden service address as no node is aware that it is carrying traffic for a specific hidden service address, or the whole system wouldn't be anonymous.
Your problem is your guard nodes are not set up in a fashion suitable for a hidden service serving at the volume you are. The URL change will help in the very short term, as the new guard nodes will be fresh, but will be adding clients at a rapid clip, and the 'blocking' problem will arise again.
You are throwing the wrong solution at the wrong problem, and executing it poorly as well.
Criticism accepted, couldn't agree more. I've sent you a pm regarding the guard node issue.
-
I'm unable to access ianxz6zefk72ulzz.onion and can access but don't yet trust silkroadvb5piz3r.onion.
Why is the ian* address not still up with a signed message?
For that matter, given that we have effectively a shared secret, couldn't we do some kind of challenge-response type validation that the site we're talking to already knows our password, without having to give it? (This would be more complicated if you're doing the right thing and using salted hashes of passwords, not just storing the actual pass, but still.)
It's because that is the exact reason for the change as noted by SR Admin. Tor exit nodes are blocking that link so it's hard to connect to. With that being said, I've had no problem connecting with the new link and I love it. I feel comfortable now that Paper PGP cosigned for Admin. Back to business.
-
I went ahead and logged in.
If it matters to anyone still hiding during the Great Clusterfuck of November 2011, the transaction I started just BEFORE Mt Gox and SR changed has made it successfully.
-
Once I see some legit sales info posted on the forum I'll believe it. I've already lost too much money from being phished to fuck around.
-
Everything I know to check and have the ability to check points to everything being legit. Signed posts in this thread, signed message at the old address and validated messages from the actual admin account here.
I didn't have Paper's public key before this went down so I have no readily available trusted way of validating his post.
You shouldn't trust me or any of these motherfuckers... but if you didn't import the needed public keys before this incident happened, then what you can validate is extremely limited indeed and I'd advise that you wait until someone else you have keys for or otherwise do trust (friend/dealer/admin/etc) weighs in. Also... once you're convinced that all is well, find and import the public keys that would have made a difference so you have them ahead of time next time.
As for the exit node commentary, that exactly fits what I was seeing empirically. When I had a lengthy problem getting to SR, I found that tor's "New Identity" would often cure it where patient retries did not.
Overall, my gut says its all good. If something is amiss, there are indeed some deep shenanigans going on that are beyond my ability to expose.
With that said, I'm officially in the "convinced-but-skeptical" camp and will only use my account of value at a later date when I need to. Until then I'll cruise the marketplace with my spiffy new account and keep testing that gravity points down and that I'm not in some SR version of the Matrix where everything only looks legit.
-
I'm unable to access ianxz6zefk72ulzz.onion and can access but don't yet trust silkroadvb5piz3r.onion.
Why is the ian* address not still up with a signed message?
For that matter, given that we have effectively a shared secret, couldn't we do some kind of challenge-response type validation that the site we're talking to already knows our password, without having to give it? (This would be more complicated if you're doing the right thing and using salted hashes of passwords, not just storing the actual pass, but still.)
It's because that is the exact reason for the change as noted by SR Admin. Tor exit nodes are blocking that link so it's hard to connect to. With that being said, I've had no problem connecting with the new link and I love it. I feel comfortable now that Paper PGP cosigned for Admin. Back to business.
Exit nodes have no involvement in hidden services (or if they do, it is in their capacity of regular relays not exit nodes).
-
Listen y'all, this dude gave me the correct number AND the story with it... now I'm telling ya it was a number that had a decimal point in it and that would make guessing it infinitesimally impossible.
-> THIS IS LEGIT, THE POSTER IS THE REAL SR ADMIN. CASE CLOSED. <-
Paperchasing
-
Back in Biz Sounds good. As a precaution I changed my passwords, and moved my $ to a different wallet. Amazing all the cool stuff I have learned this week. Look forward to getting to know everyone.
Peace,
ColdFrost
-
The site is a lot faster now. Whatever you did, good job!
-
Listen y'all, this dude gave me the correct number AND the story with it... now I'm telling ya it was a number that had a decimal point in it and that would make guessing it infinitesimally impossible.
-> THIS IS LEGIT, THE POSTER IS THE REAL SR ADMIN. CASE CLOSED. <-
Paperchasing
With all due respect good sir, just because someone says "yeah he's with me, he's ok" doesn't really mean a lot. If it does at a place like this, you're doing it wrong. With all due respect.
-
You're right. I shouldn't have posted that it's being blocked. Because I am not an expert like the Staff. - I see that it is the guard issue and the staff will handle it. :) I need to keep my mouth shut, but I just wanted to try and help because there is a whole thread dedicated to customers having connection issues. I believe the Admin was getting tired of people having connection issues thus the change.
-
...
Overall, my gut says its all good. If something is amiss, there are indeed some deep shenanigans going on that are beyond my ability to expose.
With that said, I'm officially in the "convinced-but-skeptical" camp and will only use my account of value at a later date when I need to. Until then I'll cruise the marketplace with my spiffy new account and keep testing that gravity points down and that I'm not in some SR version of the Matrix where everything only looks legit.
This is wisdom.
convinced-but-skeptical = trust but verify.
SR is not only an interesting market experiment, but an interesting social construct. This message thread is the hive mind deciding whether everything is OK or not.
If I was Lt. General Busteveryone of Homeland Security, and I compromised SR to the point where I could move the whole dB and site URL ... I wouldn't. Why would you, tactically? That would be nonsense, a mistake.
-
I'm trying it with an old log in. Just to check shit out.
-
Everything looks legit but seriously, what the fuck do I know? I've been phished before so I'm the wrong guy to be taken advice from.
-
Listen y'all, this dude gave me the correct number AND the story with it... now I'm telling ya it was a number that had a decimal point in it and that would make guessing it infinitesimally impossible.
-> THIS IS LEGIT, THE POSTER IS THE REAL SR ADMIN. CASE CLOSED. <-
Paperchasing
With all due respect good sir, just because someone says "yeah he's with me, he's ok" doesn't really mean a lot. If it does at a place like this, you're doing it wrong. With all due respect.
Ok pumpkinyeti, fair enough... However, here are the facts: a long time ago SR Admin and I agreed on a secret number that only the two of us knew, in case we needed some other type of authentication tool besides PGP or whatever. Whoever responded to my request for the secret number knew the correct answer *and* all the shit we talked about surrounding that discussion. Now I can say that I'm 100% certain that this is the real SR Admin posting here and it's as simple as that. I didn't say he's with me, I said this person knows the answer to something secret we agreed upon that only the REAL SR Admin would know, and that to me makes this person the real SR Admin.
Paperchasing
-
Everything looks legit but seriously, what the fuck do I know? I've been phished before so I'm the wrong guy to be taken advice from.
Just so we may avoid it in the future, what happened? If you can say?
To stay on topic... thanks to everyone helping us through this birthing process tonite...
-
If it makes you feel any better. I previously had Paperchasing's public key and his signature verifies to me. I believe it is him.
-
It was a situation a little bit like this. When I first signed up I just cruised around and checked things out and then one day I was going to make a purchase and SR was down and someone posted a new URL for SR in the forum. I placed my order around midnight. Came back the next day and my order had been cancelled and my bitcoins were returned to my account and my account on SR was empty.
Thus, why I'm a bit freaked about a new URL.
-
I think we could all use a nice fluffy kitten and some deep breaths :P
I think it is good advice to open another account if still skeptical. I trust paperchasing and am grateful to the two people who verified the signature.
Also thanks SR for being so responsive and helping calm everyone's frenzy quickly.
The comment about the hive mentality was a very interesting concept and I had never really imagined it that way. Very awesome to be involved in such a complex behavior occurring between so many anonymous thought processes of varying experience.
Sorry to hear about your unfortunate experience tcob, hope those fuckers didn't get very much from you. Understandable for you to be concerned, and probably best to just sit tight for a day while some others test it out, to be really safe...
-
Well this was a lot of fun. When I saw it, I immediately checked the message on the frontpage...which didn't verify. Jumped into SILC, it was going 100 miles a minute in there. :P
Considering that the message is now signed by SR's PGP key, and also independently confirmed by Paperchasing, I do trust that the URL change was authentic...it was just really bad thinking on SR's part not to give us a heads up.
-
It's legit. Unless someone managed to copy my original SR BitCoin wallet ...
-
It's definitely SR. You would all be wise, however, considering what if this had been a compromise and you use one password on multiple sites, to strongly reconsider this practice. There are applications like Password Safe to keep track of them and have them all randomly generated for you. There are a lot of people who use the same password in multiple places, and if this had been an attack that opens you to losing more than one account, i.e. your mtgox password is the same as your SR, or SR the same as tormail.net, etc etc...
-
it would have been nice for silk to post that a change was coming, then make the change, instead of making a change, then posting an incorrectly signed message, and causing this nightmare. pgp signing messages is very BASIC security. informing your THOUSANDS of customers that a change is coming is BASIC customer service. get your head out of your ass Silk and get your shit together. It's not like you're doing this as a hobby for free or anything, you're making MONEY at it!
-
This is just one of the times I'm glad I have an empty dummy account.
-
Just wondering why the keys don't validate unless trust level is set to ultimate. Neither paper's nor silkroad's validate unless I do this. Is it safe to have trust set so high for these keys? I've never had to change trust settings before.
-
Just wondering why the keys don't validate unless trust level is set to ultimate. Neither paper's nor silkroad's validate unless I do this. Is it safe to have trust set so high for these keys? I've never had to change trust settings before.
I read through this entire thread and that's something that makes me curious also.
-
I logged onto the new URL this morning, placed an order, and then came here to discover the brouhaha. Site sure is faster now.
-
I logged in with an old test account and didn't see a lot of listings, including anything from Paperchasing. Someone posted to check which country your account is set to, and I changed it to the US and now everything is back. Initially the site seemed faster, then I couldn't connect for 10 minutes, repeatedly trying with new identities. Now it's back.
As everyone agrees, this change was handled in a really bad way. You couldn't have fucked it up more.
-
This is going to get a little bit technical. I'm a noob on the forum (and just executed my first successful purchase recently), but I do have significant expertise in the areas I'm going to discuss.
Obviously I'm not going to prove that statement, because I like keeping my anonymity, but other experts should be able to tell from what I say.
tl;dr, here are four points of advice I STRONGLY suggest the community adopts:
1. Sign each others' keys once you have some proof that it belongs to the person it's claimed by, and do so at the appropriate level of validation. This helps build a "Web of Trust", where while I may not know for sure that e.g. Holland is really PGP 4654CBBA, I *do* know reasonably that LexieSadie is PGP A7C82017. So if LexieSadie can prove to themselves that Holland's key is legit, there's a chain - I trust LexieSadie a little bit, she trusts Holland, therefore I can trust Holland.
This goes for sellers, buyers, and Silk Road admin. SIGN EACH OTHERS' KEYS — but ONLY when you have proof that they belong to the entity claimed. (E.g. proof for Silk Road admin could be that the key was the one used at the launch of site, has been consistently used in communication w/ sellers, etc.)
2. SELLERS: Include a small message printout in your envelopes, signed with the PGP key you posted on your seller account. It doesn't need to say anything substantive, but it MUST include the current date (e.g. "Thanks! Shipped 1 Dec 2011").
It doesn't give anything of value away if it's compromised by the feds (having a signature only tells them what ID it was signed with, not the full info of the key). But it DOES definitively prove to your recipient that the person who packed the envelope is the person who owns that key.
If they get a slip with an implausibly old ship date, that's a red flag for compromise.
3. SR Admin: There must be a PGP signed statement of the current legit URL, along with your PGP key with all current signatures, on SR's front page AT ALL TIMES, as well as on ALL former URLs. The key ID itself MUST NOT CHANGE, but more signatures = more trustworthy, if it's signed by someone that a user themselves has validated.
Merely putting a message on there saying "be sure you have the right URL", without any way to *prove* it's the right URL, is useless.
4. NEVER EVER EVER EVER set a key's trust to 'ultimate' unless it's YOURS. Set it to 'marginal' if you have some evidence that they're who they say they are AND are trustworthy themselves; set it to 'full' if you know for sure they're who they are and that you would trust keys that they sign. PGP has two separate things for this:
TRUST (unknown, never, marginal, full, ultimate) dictates whether you trust OTHER keys that this key has signed. Hopefully you only do this if you've personally validated it. (Remember that PGP trust propagates, so if you trust A and A trusts B [whom you've never heard of], it'll figure out how much you should trust B)
SIGNATURES (0/uncategorized, 1/casual, 2/personal, 3/high) tell others how much YOU have validated that the key belongs to who it says it belongs to. - see http://aperiodic.net/phil/pgp/policy.html
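Added example (not code from the thread, and not GnuPG's own source): a small Python model of the classic GnuPG trust calculation the post above describes, so you can see why a "Good signature" can still come with a warning, what setting ownertrust to "ultimate" (the workaround posted earlier in this thread) actually does, and what signing the key yourself does instead. The key IDs are the ones named in the thread (67B7FA25 for Silk Road, A7C82017 LexieSadie, 4654CBBA Holland, FFB74377 for the poster's own key); the certifications between them, the `Key` class and the function names are constructed here for illustration, and the thresholds are GnuPG's defaults (1 full or 3 marginal introducers, certification depth 5).

```python
from __future__ import annotations
from dataclasses import dataclass, field

# GnuPG classic-model defaults: --completes-needed 1, --marginals-needed 3, --max-cert-depth 5
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


@dataclass
class Key:
    keyid: str
    uid: str
    ownertrust: str = "unknown"                          # unknown | never | marginal | full | ultimate
    certified_by: set[str] = field(default_factory=set)  # key IDs whose signatures are on this UID


def compute_validity(keyring: dict[str, Key]) -> dict[str, str]:
    """Compute key VALIDITY ("does this key really belong to its UID?") from the two inputs
    the post separates: OWNERTRUST, which you assign to a key's owner as an introducer, and
    the SIGNATURES (certifications) other keys have put on the key.

    Only a key that is itself fully valid can introduce others; an 'ultimate' key is treated
    as your own, so it is valid by fiat and introduces at full strength.
    """
    validity = {kid: ("ultimate" if k.ownertrust == "ultimate" else "unknown")
                for kid, k in keyring.items()}
    for _hop in range(MAX_CERT_DEPTH):              # one round per certification hop
        changed = False
        for kid, key in keyring.items():
            if validity[kid] in ("ultimate", "full"):
                continue
            full = marginal = 0
            for signer in key.certified_by:
                s = keyring.get(signer)
                if s is None or validity[signer] not in ("ultimate", "full"):
                    continue                        # a certification from an unvalidated key counts for nothing
                if s.ownertrust in ("full", "ultimate"):
                    full += 1
                elif s.ownertrust == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = "full"
            elif full or marginal:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[kid]:
                validity[kid], changed = new, True
        if not changed:
            break
    return validity


def verify_warning(validity: str) -> str:
    """What `gpg --verify` prints after 'Good signature' for a signing key of this validity."""
    return {
        "ultimate": "",
        "full": "",
        "marginal": "WARNING: This key is not certified with sufficiently trusted signatures!",
        "unknown": "WARNING: This key is not certified with a trusted signature!",
    }[validity]


def build_keyring(sr_ownertrust: str = "unknown", lexie_ownertrust: str = "marginal",
                  i_signed_sr: bool = False, sr_certifies: tuple[str, ...] = ()) -> dict[str, Key]:
    """Constructed keyring: the four key IDs named in the thread with made-up certifications."""
    me = Key("FFB74377", "my own key", ownertrust="ultimate")
    lexie = Key("A7C82017", "LexieSadie", ownertrust=lexie_ownertrust, certified_by={"FFB74377"})
    holland = Key("4654CBBA", "Holland", certified_by={"A7C82017"})
    sr = Key("67B7FA25", "Silk Road", ownertrust=sr_ownertrust,
             certified_by={"FFB74377"} if i_signed_sr else set())
    ring = {k.keyid: k for k in (me, lexie, holland, sr)}
    for kid in sr_certifies:                        # signatures the SR key has put on other keys
        ring[kid].certified_by.add("67B7FA25")
    return ring


if __name__ == "__main__":
    scenarios = [
        ("SR key imported from the thread, no certifications", build_keyring()),
        ("thread's workaround: ownertrust ultimate on SR", build_keyring(sr_ownertrust="ultimate")),
        ("ultimate on SR, and SR has signed Holland", build_keyring(sr_ownertrust="ultimate", sr_certifies=("4654CBBA",))),
        ("instead: lsign SR's key with my own", build_keyring(i_signed_sr=True)),
    ]
    for label, ring in scenarios:
        v = compute_validity(ring)
        print(label)
        for kid, key in ring.items():
            print(f"  {kid} {key.uid:<12} ownertrust={key.ownertrust:<9} validity={v[kid]:<9} {verify_warning(v[kid])}")
```

In the first scenario 67B7FA25 comes out as validity "unknown" with the "not certified with a trusted signature" warning: the signature itself is cryptographically fine, the model just has no path from your own key to it. Setting ownertrust to "ultimate" silences the warning by declaring the key yours, which also makes every key that key has certified fully valid without you ever looking at them (third scenario: Holland becomes "full"). Signing the key with your own key gives it "full" validity while its ownertrust stays "unknown", which is the post's point 4. Note also that one "marginal" introducer (LexieSadie) leaves Holland only marginally valid, because the default needs three.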
-
Now for the details...
Have you ever MET "Silk Road"? No. All you know is that you have *a* public key whose name part says "Silk Road", which was used to sign the OP of this thread. Maybe, like me, you got that public key from earlier in the thread when some other anonymous user posted "a" public key.
But unless you have some way to definitively prove that that key belongs to the entity you call "Silk Road", it could just be anyone.
Here's a demonstration:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
...
=/fjb
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
lol silk road moved to http://phish.u.com. Everything's ok, see, this message is signed with a "Silk Road" GPG key!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
iQEcBAEBAgAGBQJO14JIAAoJEI/OqxbZnNhTGSoIAIwnluim3pr9sLESRu0KXQtc
aWAblAP0OJY9vuyAWT9Wo0R0E2dcgRpvKugJf252a8o3ISCmBp7TSnn1pcICHIq2
mQfdM3HtacrM7CclAYRcBYABYbwBAKpCu/OVznifQicVzHT8gRgRhQqnkwMgOUAR
AlzK7zJDT1t/OaU9cxRByDYHAOn4SeYGgvnG1FX5rQii5apqbZMtqg28jByQ2ene
Xy58D5XxHYg9orAlM++TlwQ/7mp8N/CVZYFKCV4lSq5PSUuw1WXbYToIeKs/g4xZ
tKJ8OaArhG6FWU+p7pwlpjWxbf3OzEp6F9+sB9LsKlpNZZCo+TqfbfRKfhJNUvo=
=DtdP
-----END PGP SIGNATURE-----
... and that's why you need validation. A key is just a key. You have to have some other means of proving whom it belongs to. (Note that I didn't bother faking the creation date on that key, or any of a number of other things that I could have done to very closely mimic key ID # 67B7FA25, but I'm lazy. Trust me, I could do it. The only thing I can't do is make a new key with the exact same ID and fingerprint, or replicate others' signatures.)
I would suggest a few potential remedies:
1. Sellers: if you have had previous (long-term) GPG exchange with "the real Silk Road", such that you're 100% convinced the owner of that key is the admin of ianxz6zefk72ulzz.onion, validate that key and SIGN IT with the key you use for customers.
Likewise, Silk Road, sign the keys of registered sellers you know are legit.
This way, noobs like me who only know a couple sellers' GPG keys, and know them as legit because we actually got our shit IRL, but weren't around in the early days to get SR's pubkey from a legit source (sorry, this isn't a legit source), can then in turn trust that key.
Since we don't want to expose these keys to public key servers, the exchange has to happen manually.
Here's an example.
This is LexieSadie's PGP key as published on her last listings:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
mQENBE5u9HcBCADU/e5i+tdp8iohkmb9WSc41A2tR5sE4RwO7gMi3J0oEulzyojB
4ClJV9/N/ob8j/DhNw77b1iSIl2QrRvrgS2MrTPBB58ocFfp1tezgFaJ1FLLRAYY
C3Xra4h/XNLYdQD4wbprUPxZNjS323Rw4os3ZNc4EI+CFDAYnbZcKOGh2CISzIq2
IsWZf7Bdwf7dPGYDrVsGu5hjm6EoLzCtMBj/0/OWOb9XzoKq9JJXOCK/VG0Z/fwF
UB8SqRc9avGm7RdKMqM+T9iqyIhxCmtBcbGirpYtfjr8hpMMauJllheqHlHjSWr8
5wxdZIZQYi/SP5XVl68G2tRnctM9aeVdiEn1ABEBAAG0GUxleGlTYWRpZSA8ZmFr
ZUBmYWtlLmNvbT6JATgEEwECACIFAk5u9HcCGwMGCwkIBwMCBhUIAgkKCwQWAgMB
Ah4BAheAAAoJEOftwSKnyCAXEukH/Rwe4ESfRI7awzOkrgIMNVJoueOprhzuek8I
7YxaXPm4ChkVE/wY7yoqUFk6fkZehPyUAcILQmwfSpdwiApSgkUfH9FahdOHoK0U
aSM2xsUuiifAJJN0nin/ftOjZdtugRmfks/hSa+QUbwsGDVPFJRXMRQUyVTeYxam
YCAHg8gNuHUnCEAfgine4ZiO0un5aAOkxExmQKe5uLzAQazC7WH5/odKmr+d7IM9
wSEKnFZQmgLcl9URfhlkWWFFLNOV55aOwlwtl8JDrkQjujn6rHH5+Zisu70Wg6hH
8zsNt9pPYZXpYP2/ZSEPLwV4chI0rfavnidQEIr9u//1Tn/8NgK5AQ0ETm70dwEI
AN2AGonXB+y4lmedPaTNoYHtDTTgJfl9zVaYrUH5+fWMoOcKiV4tbgK9RYgKClQX
ioLN9gIEhpmSPR9LIgELfIWbPO9sM1tvvcEMOtGBjv4Ndlh3m7c1RX6nbiYLjGss
1AR7l0kp40X0rrgplTOQ8q3AhsYd2LBigueiWiYhdFjrjdc0K7r0hUJvcEAWom3L
TgxJna7Uq0KnxoSTQEH8jmsyqlccKaNIfJjbNgJicbDg8uA8qlS8xTql7yjlA777
YPzH/GeqQ9wl+nY65pinq2TqK4ZEynS9bPMSXlOSw5JGZQws+pd4PsYEk6ix/ONM
j5AYpWlq/Q/+CR+pJaXPGycAEQEAAYkBHwQYAQIACQUCTm70dwIbDAAKCRDn7cEi
p8ggF2CLCACS0JE12FWRVfRXq4ii1SRdea5nBeUJZrWK55F5/pFEBPUoWczZa/ra
YfT7vQXimnO7YG2C1QxzwB5wB2kur7teMvQo/D2gzRf3G/bByAqMU2ClKrEYBAj+
WF6sWtULbRzb7sECKWs1UWgX019PtE/bdzsABWAnxEC1wX+czMAAl3JrI3Rd/hTh
1+mVVn18gDnt2mcOMBpHHTKZE2gXy0vzIo8iPpwlrIh05CvMgSCoE33MdbG33RU8
+c7zOw3lrdTJ8So/2O36+0vSypbCzuJVAa2DpDkrRoiok8QQx8963durh51ibtT4
ABbV3I/AtoBqLi+89AkoeI0XtMM09cY1
=nQB4
-----END PGP PUBLIC KEY BLOCK-----
Now, I've had a successful transaction with LexieSadie, encrypted to that, so I have *weak* confirmation that the above key represents the actual human who handled my weed so brilliantly.
Why "weak"? Simple: someone else could run a phishing site, replace all PGP keys with fake ones (like I faked SR above), and then just run a silent MITM attack where they pass any messages back and forth.
But hey, it's something. Since "LexieSadie" isn't a human per se, it's a pseudonym that a human (or group) uses to do business, there's only so much you can do to validate that.
So, I went into GPG Keychain Access, and signed her key with that of the buyer account I used with LexieSadie. I set the verification level to 'casual', given the above.
Here's the revised key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
...
=ex2Z
-----END PGP PUBLIC KEY BLOCK-----
Try importing it. You'll see that it is indeed the same key as the previous one, it just has a new signature for the primary UserID.
LexieSadie could also sign *my* public key as someone she has successfully completed a transaction with. I could then use that revised public key in new communications with sellers, who'd see definitive proof that the person they know as LexieSadie has some trust in me, and use that as part of their decision-making for whether to trust me as a buyer.
I should underscore here that you should NOT "early sign" a key. You should only do it when you have some level of proof that the person is who they say they are.
2. So, what's the maximum amount of proof that a given PGP key is "real"? This is a question of what the likely attack scenarios are. Let's go through them.
SR Admin:
a) Site has an SQL injection exploit or similar vulnerability that allowed an attacker to completely dump its database, allowing them to put up a new hidden service (say, silkroadvb5piz3r.onion) with all that info intact.
Limitation: they would not have access to SR's private PGP keys, unless they're a total idiot and storing them on the server rather than somewhere independent and safe.
b) Site has a MITM attack, aka the usual phishing method. Attacker puts up a new hidden service (say, silkroadtherealthign.onion). Since they don't have the DB, what they do is just proxy all requests to the real site. This adds a delay, but since we're dealing with Tor, delays are not suspicious. The phisher's site could then steal all transparent info (eg passwords) and all database info (by scraping what users see).
Limitations: same as above, plus the added delay.
c) SR has been compromised IRL by the police, who have forced them to hand over their PGP private keys and passwords, database, hidden service ID/secret keys, etc, in return for more lenient sentencing and the ability to get lots of info about drug smugglers (aka all you lovely sellers). They continue operating the site exactly as usual. They can sign with SR's PGP key and do everything else they did.
Limitations: unless they have SR's active cooperation, they might make mistakes replicating their writing style. Also, if there were any out-of-band secrets passed that they *didn't* manage to capture (ie they weren't on whatever machines they compromised, and SR the human didn't blab about them), then they wouldn't know those secrets.
Ways to prove the PGP is legit against a & b: post a signed message on the front page of every legit SR URL ever (current and previous), saying "The correct SR URL is blahblahblah.onion". Also list SR's public key with all current signatures. The key will change regularly as new signatures are added, but its ID, fingerprint, etc core properties will not change.
Ways to protect against c: If compromise is suspected, someone who has an out-of-band secret (eg communicated via some other Tor service the feds didn't know about and/or weren't able to get records of) can challenge the SR admin to decrypt a PGP message signed with that as a symmetric key.
For example, suppose SR and I had chatted on another Tor service. They validated with the same PGP key as now, and said eg "My granduncle has a mole on his left eyelid." I note down this information privately and date it.
Now suppose sometime later, I suspect SR has been fully compromised and is now actually the feds. The feds don't know this secret, since it wasn't in any of the logs they got, and SR didn't mention it to them.
What I can do is post the following challenge publicly:
"If you are the real SR: remember the conversation we had? Decrypt this message using the key "[relative]-[distinguishing mark]-[location]", no spaces." (I.e. "granduncle-mole-lefteyelid")
I create a signed message like so (gpg -a --clearsign -s -u FFB74377):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Whoever decrypted this was Silk Road as of 2010-4-23.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
...
=uWwr
-----END PGP SIGNATURE-----
This message itself can be proven legit by anyone who trusts key FFB74377.
I don't post *that* message, of course. Instead, I post this (generated using gpg -a -c, then entering "granduncle-mole-lefteyelid" as the passphrase, and the above signed statement as the plaintext):
-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
...
=u5NU
-----END PGP MESSAGE-----
Now, whoever can decrypt that block knows the passphrase. Since the passphrase is based (hopefully) on a secret that only I and SR share, that proves that they are in fact SR (as of the date I received the secret). They can prove this easily by decrypting it and posting the previous, clearsigned statement. Try it for yourself.
Sellers:
a) Cops or phishers are performing a MITM attack. They post their own PGP key, pretending it's the seller's. When the buyer sends them their info, they decrypt it and send it to the real seller (with a new key pretending to be the buyer, just like mine above pretending to be SR), and vice versa. In other words, they just MITM the PGP conversation.
Limitation: they don't actually have the seller nailed IRL; they only have either compromised their SR account or the SR site itself. So they can't control what the seller does IRL.
b) Cops have completely compromised the seller IRL. They continue operating their business as usual to get more info before prosecutions. They have the seller's real PGP key and secret, samples of their packaging, everything.
Limitations: they may not have access to the seller's supply chain (unless the seller ratted 'em out), so once they run out of the seller's stockpile, they'll have to start using product they get from elsewhere, and buyers might notice this. They might not replicate the seller's communication style well (this is more subjective). And the same thing as above about secrets.
There's an easy, definitive defense against (a): the seller includes a small message printout in their package, signed with the PGP key you posted on their seller account. It doesn't need to say anything substantive, but it MUST include the current date (e.g. "Thanks! Shipped 1 Dec 2011"). This proves that the person who packed the product (who is the "real" seller when it comes down to it) owns the PGP key that was published.
If they get a slip with an implausibly old ship date, that's a red flag for compromise.
*Weak* (non-definitive) proof that the seller owns the PGP key is receiving product without that slip. This only proves that the message encoded to that PGP key got to the seller and was acted on — it doesn't rule out a MITM attack like in (a).
(b) can only be defended against by being (subjectively) suspicious of a change in product or communication style, or using the shared-secret method above.
Buyers:
This one is hard, in that the only thing you get from buyers is payment. You have no way to prove that they're a real buyer and not a cop, that they actually received the envelope you sent (vs it going to some police warehouse and the buyer pretending it's all good), etc.
There are however a couple methods.
a) Successfully receiving payment from a buyer proves only that they are able to pay. This is a weak proof of their identity, but it's at least something.
b) Sellers can include a UNIQUE serial number slip on the inside of each package. The buyer then sends you a signed message saying "I received a package with serial number 12381238". This proves at least that they have some control over the receipt of the package, and that the package was not intercepted en route by the postal inspectors and then sent on its way. It doesn't prove that the buyer themselves isn't a cop, of course.
To be really secure, this requires using packaging that's truly tamper-evident AND hard for the PIs to duplicate. That's relatively difficult; you have to have some source of bags or stickers that the PIs don't.
This is a moderate proof of their identity.
I'm not sure how to authenticate the identity of a buyer any better than that.
So there you go: an expert's advice for how to really prove you're you when we're all anonymous.
Do with it what you will.
-
Now for the details...
Just wondering why the keys don't validate unless the trust level is set to ultimate. Neither papers nor silkroads validate unless I do this. Is it safe to have trust set so high for these keys? I've never had to change trust settings before.
Simple: have you ever MET "Silk Road"? No. All you know is that you have *a* public key whose name part says "Silk Road", which was used to sign the OP of this thread. Maybe, like me, you got that public key from earlier in the thread when some other anonymous user posted "a" public key.
But unless you have some way to definitively prove that that key belongs to the entity you call "Silk Road", it could just be anyone.
That's part of what this product (http://dkn255hz262ypmii.onion/index.php?topic=5599.0) aims to do: provide a collection of keys from highly trusted/reputable vendors as well as SR, all signed and with their trust level raised, for the sort of reason you describe.
-
My 2c:
This is almost certainly not LE. Think about it, there are so many jurisdictional issues. Sellers and buyers are located all over the world. Who knows where the servers are located. No LE organization in the world would go through the trouble to re-route the site and build evidence against sellers and buyers from tons of different jurisdictions. If they could compromise the site enough to redirect it and collect evidence, they surely could just shut the site down, and it's way more likely they would do that. Plus, drug enforcement resources are being used to stop kilo-weight movers, not people who send gram-weights through the mail. ALSO, is talking about drugs and sending money through a website against the law? Nope. Is it probable cause? Eh, not really. You won't get in trouble unless cops LEGALLY find drugs in your possession. Plus do you think a jury of your peers will have ANY IDEA what the fuck a prosecutor is talking about when they try to explain Tor and PGP and all that? If sellers and buyers use common sense about their stashes, receiving addresses, encryption, etc, LE should never be an issue.
As far as phishing goes, correct me if I'm wrong but most phishers want to stay low-key. Changing the URL is certainly not low-key. For this to be phishing, the phishers would have needed to compromise the SR account here, the entire site code and all associated security. Then what? What's their plan? Get people to trust the site again and eventually suck all the BTC out of everyone's account? If you're worried about this, keep your BTC in an instawallet and don't let them sit in SR for too long. But really, what would happen if this was a massive phishing attack and everyone here lost their BTC? The price of a BTC would TANK immediately and those phishers would be left with pennies. Not worth the effort.
IMO it's way more important to be paranoid about not revealing your personal information and general IRL drug possession issues.
Common things are common. Uncommon things are uncommon. Occam's razor. Think horses not zebras. Buy some benzos. Have a drink.
-
This is almost certainly not LE. Think about it, there are so many jurisdictional issues. Sellers and buyers are located all over the world. Who knows where the servers are located. No LE organization in the world would go through the trouble to re-route the site and build evidence against sellers and buyers from tons of different jurisdictions.
Not true.
a) US LE could compromise it and only bother acting on targets in their jurisdiction
b) int'l LE collaborates all the time on this, within cooperating countries at least
If they could compromise the site enough to redirect it and collect evidence, they surely could just shut the site down, and it's way more likely they would do that.
Not if they have any modicum of intelligence. If you shut a darknet site down, a new one pops up instead.
No, what you do is you compromise it and keep everything running like normal for long enough until you're ready to make a big, simultaneous bust with plenty of evidence. Example: that's what happened to a certain well-known carder forum.
Plus, drug enforcement resources are being used to stop kilo-weight movers, not people who send gram-weights through the mail.
Depends. Sellers of grams are likely to either store kilos or have a supplier who does. That's how it always goes. They're happy to bust anyone who could lead to a larger bust.
ALSO, is talking about drugs and sending money through a website against the law? Nope. Is it probable cause? Eh, not really.
Talking about it in the hypothetical? Not illegal. Arranging an actual sale? TOTALLY ILLEGAL and definitely probable cause. So is admission of guilt (eg saying you have bought/sold x). Getting a search warrant (assuming they could track you down, which is the only hard part, and it's been discussed how they could do that w/ fake buys) would be trivial.
You won't get in trouble unless cops LEGALLY find drugs in your possession.
That's why they get search warrants. Probable cause is how they get one. Saying you sell drugs = probable cause.
Plus do you think a jury of your peers will have ANY IDEA what the fuck a prosecutor is talking about when they try to explain Tor and PGP and all that?
When juries don't understand something, they almost always side with authority. Consider the outcome ratio of pure cop-said/citizen-said cases. Cops ALWAYS win those.
-
Everyone is sketching out now, and me.
-
Not true.
a) US LE could compromise it and only bother acting on targets in their jurisdiction
b) int'l LE collaborates all the time on this, within cooperating countries at least
Sure, but not on this scale. US and Mexico, or US and Colombia will cooperate, but for the US to cooperate with all the involved countries here? That would be a logistical nightmare. Maybe this isn't the best argument, though.
Not if they have any modicum of intelligence. If you shut a darknet site down, a new one pops up instead.
No, what you do is you compromise it and keep everything running like normal for long enough until you're ready to make a big, simultaneous bust with plenty of evidence. Example: that's what happened to a certain well-known carder forum.
My argument here isn't that shutting us down would be most intelligent, I'm arguing that it is most likely. Those senators a while back told the DEA to "shut it down." Shutting us down would appease the higher ups and would cost tens of thousands of dollars versus the tens of millions it would cost to run an intricate sting with evidence collection and simultaneous busts.
Depends. Sellers of grams are likely to either store kilos or have a supplier who does. That's how it always goes. They're happy to bust anyone who could lead to a larger bust.
True, most large busts start low, but your argument can be made for ANY drug exchange anywhere. The half gram of coke I can get at the street corner must have gotten there from some large smuggling operation. Does that mean the DEA is busting me or my dealer on the corner? Nope.
Talking about it in the hypothetical? Not illegal. Arranging an actual sale? TOTALLY ILLEGAL and definitely probable cause. So is admission of guilt (eg saying you have bought/sold x). Getting a search warrant (assuming they could track you down, which is the only hard part, and it's been discussed how they could do that w/ fake buys) would be trivial.
Arranging a sale/admitting guilt is NOT illegal unless there are physical drugs involved. Walk into your local police station (with no drugs on you or in your home) and tell them you bought a quarter ounce of weed a week ago. Then tell them you smoked some and sold some to a few friends. I bet you they'll laugh in your face and tell you to leave.
When juries don't understand something, they almost always side with authority. Consider the outcome ratio of pure cop-said/citizen-said cases. Cops ALWAYS win those.
Not true at all. The burden of proof lies with the prosecution. It's a pretty successful defense strategy to muddle details and confuse the jury. If the jury is confused about the technical details it's easier to plant some reasonable doubt, i.e. DNA evidence is sometimes called into question because defense attorneys poke holes in the technical and statistical issues that really aren't there to begin with.
-
I'd just like to elaborate, my entire argument here is that the biggest risk lies with the physical drugs. If people do a good job of keeping their location anonymous and their drugs secure there should be no huge issues. Following all security measures including encryption should keep your location anonymous regardless of if LE was running the site or not.
-
Talking about it in the hypothetical? Not illegal. Arranging an actual sale? TOTALLY ILLEGAL and definitely probable cause. So is admission of guilt (eg saying you have bought/sold x). Getting a search warrant (assuming they could track you down, which is the only hard part, and it's been discussed how they could do that w/ fake buys) would be trivial.
Arranging a sale/admitting guilt is NOT illegal unless there are physical drugs involved. Walk into your local police station (with no drugs on you or in your home) and tell them you bought a quarter ounce of weed a week ago. Then tell them you smoked some and sold some to a few friends. I bet you they'll laugh in your face and tell you to leave.
Everyone read this or go to: hxxp://www.erowid.org/ask/ask.php?ID=3055
Everything below is from Erowid.
Q: I was told that conspiracy charges for drug offenses don't require anyone do anything, that just talking about buying or selling illegal drugs is enough to be a crime. I had read before that the laws required both talking about doing something and then someone actually had to do some little piece of the plan before it was a crime. Which is it?
A: Unfortunately the current US federal controlled substances laws are a kafkaesque nightmare. There is something which is often referred to as "the drug exception to the Constitution" or "the drug exception to common sense". In this case, there is a "drug exception" to the normal requirements for a conspiracy conviction.
Under US federal law, most conspiracy crimes require both an agreement between two or more people and some sort of action intended to work towards completing the plan by any of the people involved with the plan. For instance the law banning "Conspiracy to commit an offense or defraud the United States" (18 U.S.C. § 371) states that it is a crime:
If two or more persons conspire either to commit any offense against the United States, or to defraud the United States, or any agency thereof in any manner or for any purpose, and one or more of such persons do any act to effect the object of the conspiracy...
And this is what is commonly thought of as the requirements for a conspiracy conviction.
However, in the case of crimes involving controlled substances, the law is different and removes the "any act to effect the object" language: (21 U.S.C. § 846)
Any person who attempts or conspires to commit any offense defined in this subchapter shall be subject to the same penalties as those prescribed for the offense, the commission of which was the object of the attempt or conspiracy.
This makes simply talking about committing a drug crime (for instance talking about buying cannabis or talking about growing cannabis) potentially criminal. Although it is important to note that a prosecutor has to prove that an actual conspiracy or "agreement" had taken place, if two people agree to possess/distribute/manufacture a controlled substance, then they are guilty under this statute. The implication that the individual is as guilty and punishable for talking about buying cannabis as they are for actually buying it can certainly seem chilling.
The immediate reaction of most who hear this is disbelief. A typical response might be "That can't be Constitutional, I have a right to talk about whatever I want to talk about so long as I don't actually do anything else."
But, unfortunately, there have been several challenges to this law and the Supreme Court of the United States ruled unanimously in 1994 in the case United States v. Shabani, 513 U.S. 10 (1994) that the federal law was enforceable as it was written. A lower court, the more civil-rights-oriented US Ninth Circuit of the West Coast, had ruled that there had to be some actual activity beyond talking before a felony had been committed.
Justice O'Connor, writing for the unanimous Supreme Court stated it very clearly:
What the Ninth Circuit failed to recognize we now make explicit: In order to establish a violation of 21 U.S.C. § 846, the Government need not prove the commission of any overt acts in furtherance of the conspiracy. ( US vs Shabani, 1994 http://supct.law.cornell.edu/supct/html/93-981.ZS.html )
The following are additional references to cases where the law was challenged in a number of ways: "void for vagueness" (laws in the US can be invalid if they are very vague about exactly what action would be criminal, although this protection has largely been eliminated by Supreme Court decisions), right to freedom of speech, right to assemble and associate, and protections against criminalizing status. All constitutional challenges have so far failed.
U.S. v. Pulido, C.A.7 (Ill.) 1995, 69 F.3d 192 : Found that the drug conspiracy statute did not violate the First Amendment's protection of speech and thought because criminal agreement itself is an action (actus reus).
U. S. v. Cooper, C.A.5 (La.) 1979, 606 F.2d 96, certiorari denied 100 S.Ct. 685, 444 U.S. 1024, 62 L.Ed.2d 657: Found that the section in question did not place impermissible restrictions on freedoms of association and expression under the First Amendment.
U. S. v. Cooper, C.A.5 (La.) 1979, 606 F.2d 96, certiorari denied 100 S.Ct. 685, 444 U.S. 1024, 62 L.Ed.2d 657 : Found that the law provided adequate notice under common law that any agreement to purchase and distribute totally prohibited substances such as heroin would be a violation of the law and does not violate the Fifth Amendment's requirement of due process.
U. S. v. Hayes, C.A.5 (Tex.) 1979, 595 F.2d 258, rehearing denied 598 F.2d 620, certiorari denied 100 S.Ct. 138, 444 U.S. 866, 62 L.Ed.2d 89 : Found that the law was not unconstitutionally vague and convicted a pharmacist of conspiracy to distribute a controlled substance.
U. S. v. Umentum, E.D.Wis.1975, 401 F.Supp. 746, affirmed 547 F.2d 987, certiorari denied 97 S.Ct. 1677, 430 U.S. 983, 52 L.Ed.2d 376 : Found that this law did not violate the First Amendment. It also denied the theory that this law could violate the protection against 'crimes of status' which protects individuals from being prosecuted for simply being an alcoholic or a drug addict. This law requires the act of agreement or planning and thus does not punish for status alone.
U. S. v. Amidzich, E.D.Wis.1975, 396 F.Supp. 1140: Found that this law does not impermissibly infringe on the First Amendment's protection of collective conversation.
U. S. v. Sanchez, N.D.Tex.1973, 380 F.Supp. 1260, affirmed 508 F.2d 388, certiorari denied 96 S.Ct. 45, 423 U.S. 827, 46 L.Ed.2d 44 : Also found the law constitutional and denied the defendant's challenge.
The main thing that concerns civil libertarians about this type of law is not that it, by itself, endangers the freedom of the people but that it is one of many laws which have been passed and found Constitutional which produce a society in which everyone is at constant risk of committing a felony. Idle conversations about going to the park and trying to buy cannabis, although they will never be prosecuted, could be technically illegal.
This law is one of many which brings into sharp relief the question of what constitutes criminal activity. Not only are there laws against consensual activities but laws which ban agreeing to engage in a consensual act as an adult. Should a democratic society allow such a broad definition of felonious action that it justifies universal surveillance (the panopticon)? What effects does it have on a society over the long term of creating a pervasive sense that arbitrary and disproportionate enforcement are the norm?
Hope that answers your question,
earth
-
Does the patriot act just over ride all laws that protect us anyways? I tried reading it but got crosseyed bored...would love your take on it
-
Patriot act allows them to walk all over the constitution with shit covered boots.
-
Can't connect to the new site now anyway, so I guess it's not more stable ;)
-
Can't connect to the new site now anyway, so I guess it's not more stable ;)
probably something wrong at your end, or isp..as i have just authenticated..
-
Can't connect to the new site now anyway, so I guess it's not more stable ;)
probably something wrong at your end, or isp..as i have just authenticated..
Perhaps so, however I can (obviously) access the forums, and also the old SR URL, so Tor is obviously working fine. It just won't let me on the new url.
-
..i posted a new thread to this effect..
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Guys calm down. silkroadvb5piz3r.onion is the new address.
It's all good, though I realize SR just threw stone in the water and all us fishies are just swimming around scared. Wait for the ripples to subside. All is good.
Peace,
DigitalAlch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
-----END PGP SIGNATURE-----
Signed for validity.
-
so it's all good, thank fuck. ;D
-
Having major issues with new URL as well... I was having those same issues with the old URL recently as well... It seems there is a way to block this site or something and so I have to keep jumping "Identities" in TOR. Sometimes I have to jump identities up to 10 times before I can connect to this site... It's pretty jacked up.
-
And just some added info, it's clearly not my TOR client because these forums, other sites on the TOR network/domains, and regular websites like Google all show up fine from my TOR browser... It's just the SR domains for some reason.
-
Everyone read this or go to: hxxp://www.erowid.org/ask/ask.php?ID=3055
Erowid is such an awesome site.
But I was pointing out something much more basic than that crazy-shit federal conspiracy statute: CONFESSION.
If you say "I bought a kilo of weed last week and smoked most of it" publicly, that is
a) admissible in court as evidence that you did what you said
b) probable cause to get a search warrant for your home to find the rest
Freedom of speech doesn't mean you get to be a total fucking idiot.
There are three basic things that protect us here:
1. web of trust authentication, so we know we're dealing with someone who is reasonably likely to uphold their end of a deal
2. for sellers, mailing in ways that make it hard to find them even if the cops make a series of purchases from them (e.g. using random unmonitored drops, being careful about fingerprints, etc)
3. for buyers, the plausible deniability that any random schmuck might have mailed drugs to your house, planning to just steal them from your mailbox or as a joke or who knows what but they can't prove you had any part of it; and the plausible deniability of Tor that makes it very hard to tell what your IP or physical address is in the first place without the postal inspectors getting lucky and intercepting an actual package
But that's about it. Technically, telling a cop "I smoked an eighth of my own weed yesterday" is all they need to arrest and prosecute you for possession. It's a "confession against interest".
Which is why you don't say shit like that in ways that can be traced back to you. Duh.
-
So before I transfer coins over to SR and make a purchase what's the consensus? This is the first time I've been on today. Is it safe. Are there actual transactions taking place?
-
DrBenway, do not do that stupid shit, man. Don't quote the WHOLE twelve-mile long message just to add your stupid +1 at the bottom.
Jesus.
-
Site connectivity seemed just as shitty during the day (US time) today as it has been during the last week. This evening (now that Europe is asleep) it seems better. How much is TOR and how much of this can be attributed to the performance of the host server(s) with the undoubtedly increasing traffic? It seems clear from SR's posts that while he (they) have thought this all out fairly well they may not have the wherewithal to deal with the steadily increasing traffic (which is going to continue to rocket).
-
DrBenway, do not do that stupid shit, man. Don't quote the WHOLE twelve-mile long message just to add your stupid +1 at the bottom.
Jesus.
It's a huge thread and I thought his post contained very important information in a way that was accessible, and wanted to increase the chance people would read it. Maybe it can be incorporated into the wiki or something.
-
DrBenway, do not do that stupid shit, man. Don't quote the WHOLE twelve-mile long message just to add your stupid +1 at the bottom.
Jesus.
It's a huge thread and I thought his post contained very important information in a way that was accessible, and wanted to increase the chance people would read it. Maybe it can be incorporated into the wiki or something.
Contact ChronicPain and request an account so you can add the information to the wiki.
Please delete your "+1" post and put it into the wiki. Nobody is going to read that information just because you quoted it.
-
1. Sign each others' keys once you have some proof that it belongs to the person it's claimed by
Useless in an anonymous environment. Accounts can be sold and keys transferred with zero accountability.
Not so, as I explained in the more detailed post.
Any random signature is of course useless. If you see a key from someone that says it's signed by foobar, and you don't know wtf foobar is, that means nothing.
However, if you see a key signed by someone *you* have transacted with enough to know that they are legit, that raises the trustworthiness of that key being whom it represents.
Sure, any seller here could transfer their identity to some other human. But that doesn't matter, so long as they are functionally the same. Just treat all accounts as potentially representing groups of people.
2. SELLERS: Include a small message printout in your envelopes, signed with the PGP key you posted on your seller account.
How does this help? The contents of the package matching the contents of your order confirm the vendor. Since the vendor is anonymous and his/her account can be sold or transferred at any time, adding the key adds nothing useful.
Wrong, again as I explained in detail. Adding a *unique signature* (not the public key) inside the package proves that they are the entity you signed to on SR, and that it wasn't MITM'd short of total IRL compromise.
(Editing previous post — I should have said this does have to be a UNIQUE signature per package, to prevent someone capturing it through purchase and doing a replay attack. So for instance, the signed message should say the date of shipment.)
3. SR Admin: There must be a PGP signed statement of the current legit URL, along with your PGP key with all current signatures, on SR's front page AT ALL TIMES, as well as on ALL former URLs.
This just gives a phisher a more legit looking site. All he has to do is create several keys under a variety of names (one of which is "SilkRoad") then he can add all the "trust" he wants. It's a chicken-and-egg problem. The only appropriate solution is to find the URL from a source you believe to be reputable and bookmark and/or memorize it. Publishing keys on the main page doesn't help.
It helps because the phisher's spoofed key and sigs won't check out against the key you already have, and won't be signed by the vendors / clients you trust. While it can be spoofed in name (like I did earlier in the thread), it can't be crypto-spoofed, so you'll know it's fake because it's not the one you previously knew.
4. NEVER EVER EVER EVER set a key's trust to 'ultimate' unless it's YOURS. Set it to 'marginal' if you have verified the key belongs to who it says it belongs to. - see http://aperiodic.net/phil/pgp/policy.html
Completely correct in a non-anonymous keyed system. In an anonymous system key trust is useless since there is no truly known entity backing the key.
Dood, read the detailed version. I was very specific about how you can have partial confirmation that the entity is who they say they are (functionally speaking).
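As an added example, not code from any poster in this thread, here is the buyer-side check of the dated, uniquely numbered slip described in the long "Sellers" post earlier and corrected above (one unique signed slip per package, carrying the ship date). The vendor key, dates and serials are constructed; HMAC-SHA256 under a key shared between vendor and verifier stands in for the PGP signature, since Python's standard library has no OpenPGP, whereas with real PGP the buyer verifies with the vendor's published public key and needs no shared key.

```python
"""Buyer-side check of the dated, uniquely numbered signed slip.

Constructed example for this thread. It checks the three properties the posts
ask for: the slip is signed by the vendor's key, its ship date is plausible
for this order (an implausibly old date is the red flag), and its serial has
never been accepted before (a slip captured from one purchase cannot be
replayed in another package). HMAC-SHA256 stands in for the PGP signature.
"""
import hashlib
import hmac
import re
from datetime import date

# The two fields a slip MUST carry: ship date and a per-package serial.
SLIP_RE = re.compile(r"Shipped (\d{4}-\d{2}-\d{2}) serial (\S+)")


def make_slip(vendor_key: bytes, ship_date: date, serial: str, note: str = "Thanks!") -> str:
    """Vendor side: the printout that goes inside the package (text plus its tag)."""
    body = f"{note} Shipped {ship_date.isoformat()} serial {serial}"
    tag = hmac.new(vendor_key, body.encode(), hashlib.sha256).hexdigest()
    return body + "\nSig: " + tag


class SlipVerifier:
    """Buyer side: remembers every serial it has accepted so a replayed slip is caught."""

    def __init__(self, vendor_key: bytes, max_transit_days: int = 30):
        self.vendor_key = vendor_key          # stands in for the vendor's public key
        self.max_transit_days = max_transit_days
        self.seen_serials = set()

    def check(self, slip: str, order_date: date, received_date: date) -> str:
        body, sep, sigline = slip.rpartition("\n")
        if not sep or not sigline.startswith("Sig: "):
            return "MALFORMED"
        expected = hmac.new(self.vendor_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sigline[len("Sig: "):]):
            return "BAD_SIGNATURE"            # not the key published on the vendor account
        match = SLIP_RE.search(body)
        if not match:
            return "MALFORMED"                # signed, but missing the date/serial it must carry
        ship_date = date.fromisoformat(match.group(1))
        serial = match.group(2)
        if ship_date < order_date:
            return "STALE_DATE"               # packed before you ordered: reused or captured slip
        if ship_date > received_date:
            return "FUTURE_DATE"
        if (received_date - ship_date).days > self.max_transit_days:
            return "STALE_DATE"
        if serial in self.seen_serials:
            return "REPLAYED_SERIAL"          # same slip seen in an earlier package
        self.seen_serials.add(serial)
        return "OK"


def demo() -> dict:
    """Constructed walk-through of one good slip and the failure modes the thread names."""
    key = b"constructed-vendor-key"           # constructed; stands in for the vendor's PGP key
    verifier = SlipVerifier(key)
    ordered, received = date(2011, 11, 28), date(2011, 12, 5)
    good = make_slip(key, date(2011, 12, 1), "12381238")
    undated_body = "Thanks!"                 # signed, but without the mandatory date/serial
    undated = undated_body + "\nSig: " + hmac.new(key, undated_body.encode(), hashlib.sha256).hexdigest()
    return {
        "good": verifier.check(good, ordered, received),
        "replay": verifier.check(good, ordered, received),   # same slip in a second package
        "old": verifier.check(make_slip(key, date(2011, 10, 1), "555"), ordered, received),
        "forged": verifier.check(make_slip(b"other-key", date(2011, 12, 1), "777"), ordered, received),
        "undated": verifier.check(undated, ordered, received),
    }
```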
-
Moved discussion of my PGP signing suggestions to a top post: http://dkn255hz262ypmii.onion/index.php?topic=6296.0
-
Ok, so after reading this thread, I am in the convinced-but-skeptical camp that the new site is legit. What I am NOT convinced of, however, is that SR knows WTF they're doing. My faith that this whole thing is being operated properly has REALLY been shaken. If they can manage to botch a URI change this horribly, WHAT ELSE ARE THEY FUCKING UP ON?
I was planning to transfer some cash to my BTC broker today and make a SR order tomorrow, but I'm very seriously considering hanging on to that cash to take it to my IRL supplier instead. Which kinda sucks, 'cause it has proven way more convenient and faster for me to buy via SR. But I'm less than thrilled by the prospect of conducting my illegal transactions via a total bullshit amateur operation run by idiots.
There is no PGP signature for competence. Competence can only be validated by one's actions - a test that SR has most definitely failed by my books.
-
While public key cryptography cannot eliminate the risk of SR being compromised IRL, it seems much more likely that just the server would be compromised, in which case gpg signatures will prevent us from being fooled. So it may not eliminate risk but it reduces it.
-
Anyone have an idea what is going on? The old URL still works as a pointer for me, but the "new" URL won't load. It didn't load when I tried ~7 hours ago either.
-
if (hypothetically) SR was compromised and the new url was a phishing page, wouldn't that cause huge tidal waves by now? I mean every one of the staff team would post tons of warnings, and it would spread over every possible channel. (Unless the new url hasn't been noticed yet, but this is barely possible).
That's why I think the new url is legit.
But I get a "not valid" too when I try to verify the signed pgp message from the old url. And I must admit that this makes me lift my eyebrows =) but isn't that just because the SR-Staff uses a normal (anonymous) public key that isn't verified on a trusted official key server?
(When I encrypt messages for other SR-users I always get a message like "this key isn't verified. are you sure this key belongs to this person?" but probably I'm wrong and this has nothing to do with the problem)
I hope things will be clear soon.
Enjoy the weekend ;)
-
It's always tempting to fall into the paranoid camp, fuck, but I'm saying it's legit...there's a lot of gamble and trust that goes on here anyway...I know people don't come near this place, are still convinced it's some big LE/mafia ripoff/bust, etc...
Not me. It can't be LE, or it'd be damned entrapment. So that leaves only bad guys or SR itself just moving sites...like it says. And all the pgp keys check out.
I'm cool with it.
-
...I get a "not valid" too when I try to verify the signed pgp message from the old url...but isn't that just because the SR-Staff uses a normal (anonymous) public key that isn't verified on a trusted official key server?...
That key's being on a key server (in its present state) wouldn't solve the "not valid" messages *or* indicate that the key is trustworthy.
Since there are no signatures on the key -- as is normal here -- from people whose keys you have and that you've indicated to GPG that you trust, it's telling you that it doesn't have a way to evaluate how trustworthy the key signing the message is. It's not saying "invalid" so much as it is "unable to validate".
The only way to avoid the "not valid" messages, if they bother you -- other than a web-of-trust with signed keys (which is the proper way) -- is to ***TEMPORARILY*** indicate to GPG that you fully trust the copy of the key that you have. If you do that, the "not valid" message will go away ***BUT*** all you've really accomplished is to get GPG to quit bugging you about something it's intended to bug you about.
-
This is probably better moved to the security forum... but continuing the security lessons, my approach is to get the important keys (SR, sellers I trust, etc.) from their personal pages on the SR marketplace site itself, well before shit like this happens. I then sign the key, but sign it "local only". What this means is "you're not validating that user's key for others to rely on, but it will still be treated as a valid key on your local system." So, when I sign it this way, I'm essentially declaring for myself that I trust the source of this key enough for my own purposes. The whole 'web of trust' thing is great and I might contribute to that someday... but until then, I don't trust any of you fuckers enough to do that.... no offense.
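To make the "not valid" vs "unable to validate" distinction, the warning against ultimate trust, and the "local only" signing approach above concrete, here is an added toy model of GnuPG's validity calculation; it is not code from GnuPG or from anyone in the thread, and the keys (ME, SR, three vendors, a key that SR's key has certified) are constructed.

```python
"""Toy model of how GnuPG decides whether a key is "valid".

Constructed example for this thread, not GnuPG's code. It follows GnuPG's
documented defaults: --marginals-needed 3, --completes-needed 1 and
--max-cert-depth 5. A key is valid if it is ultimately trusted, or if its
user ID carries certifications from at least one valid key with full or
ultimate ownertrust, or from at least three valid keys with marginal
ownertrust. A local signature (gpg --lsign-key) counts like any other on the
keyring that holds it, but it is never exported.
"""
from dataclasses import dataclass, field

UNKNOWN, MARGINAL, FULL, ULTIMATE = "-", "m", "f", "u"   # ownertrust levels


@dataclass
class Key:
    keyid: str
    uid: str
    signers: set = field(default_factory=set)        # keyids certifying the uid
    local_signers: set = field(default_factory=set)  # subset made with lsign


class Keyring:
    def __init__(self):
        self.keys = {}
        self.ownertrust = {}

    def add_key(self, keyid, uid, ownertrust=UNKNOWN):
        self.keys[keyid] = Key(keyid, uid)
        self.ownertrust[keyid] = ownertrust

    def sign(self, signer, target, local=False):
        """Certify target's uid with signer's key (local=True models lsign)."""
        self.keys[target].signers.add(signer)
        if local:
            self.keys[target].local_signers.add(signer)

    def exportable_signers(self, keyid):
        """What others would see if you exported this key: local sigs are dropped."""
        key = self.keys[keyid]
        return key.signers - key.local_signers

    def valid_keys(self, marginals_needed=3, completes_needed=1, max_cert_depth=5):
        """Iterative closure: validity only flows out of keys that are already valid."""
        valid = {k for k, t in self.ownertrust.items() if t == ULTIMATE}
        for _depth in range(max_cert_depth):
            grown = set(valid)
            for kid, key in self.keys.items():
                if kid in grown:
                    continue
                certs = [s for s in key.signers if s in valid]
                full = sum(self.ownertrust[s] in (FULL, ULTIMATE) for s in certs)
                marginal = sum(self.ownertrust[s] == MARGINAL for s in certs)
                if full >= completes_needed or marginal >= marginals_needed:
                    grown.add(kid)
            if grown == valid:
                break
            valid = grown
        return valid

    def signature_verdict(self, signer_keyid):
        """What a good signature by this key amounts to: gpg's 'not valid' is the second case."""
        return "valid" if signer_keyid in self.valid_keys() else "not validated"


def single_user_scenario():
    """The 'keys don't validate unless trust is ultimate' situation from the thread."""
    kr = Keyring()
    kr.add_key("ME", "my own key", ULTIMATE)
    kr.add_key("SR", "Silk Road")
    kr.add_key("ANY", "some key that SR's key has certified")   # constructed
    kr.sign("SR", "ANY")
    out = {}
    out["fresh_import"] = kr.signature_verdict("SR")              # nobody I trust has signed it
    kr.ownertrust["SR"] = ULTIMATE                                # the fix the thread warns against:
    out["ultimate"] = (kr.signature_verdict("SR"), kr.signature_verdict("ANY"))   # SR now certifies for me
    kr.ownertrust["SR"] = UNKNOWN
    kr.sign("ME", "SR", local=True)                               # lsign: valid for me only
    out["lsign"] = (kr.signature_verdict("SR"), kr.signature_verdict("ANY"))
    out["lsign_exported"] = kr.exportable_signers("SR")           # nothing leaves my keyring
    return out


def web_of_trust_scenario():
    """Three marginally trusted vendors certify SR's key; verdict after each signature."""
    kr = Keyring()
    kr.add_key("ME", "my own key", ULTIMATE)
    kr.add_key("SR", "Silk Road")
    verdicts = []
    for vendor in ("V1", "V2", "V3"):
        kr.add_key(vendor, f"vendor {vendor}", MARGINAL)   # transacted with, trusted a bit
        kr.sign("ME", vendor)                              # I verified and signed their key
        kr.sign(vendor, "SR")
        verdicts.append(kr.signature_verdict("SR"))
    return verdicts
```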
-
This is probably better moved to the security forum... but continuing the security lessons, my approach is to get the important keys (SR, sellers I trust, etc.) from their personal pages on the SR marketplace site itself, well before shit like this happens. I then sign the key, but sign it "local only". What this means is "you're not validating that user's key for others to rely on, but it will still be treated as a valid key on your local system." So, when I sign it this way, I'm essentially declaring for myself that I trust the source of this key enough for my own purposes. The whole 'web of trust' thing is great and I might contribute to that someday... but until then, I don't trust any of you fuckers enough to do that.... no offense.
Exactly...I think some people don't quite understand the validation process. *I* validated the SR public key a while back, check it with the periodic announcements, and that's the only validation I expect to have or need. It's not going to mean all that much, except to say that yeah, it's the same key he had a while back....
It's a little late in the game to be getting all flustered about the reliability of SR's pgp key...he has to protect his own privacy as well as we do. More than we do.
This site is never going to be comfortable for the paranoid. It's a roll of the dice, that me and a lot of us are alright with. The rewards are worth it. Eventually it'll probably come to a bad ending....unless, of course, the western world simply gets tired of the futility of the 'war on drugs...' If that happens, Silk Road will be seen as visionary.
Until that day, we just have to roll with the punches, and be pragmatic about the whole thing. If the old-timers on here who I trust say they are o.k. with something, and my limited knowledge of TOR and PGP tells me it's o.k....then it's O.K.
-
Sure, any seller here could transfer their identity to some other human. But that doesn't matter, so long as they are functionally the same.
There's the fundamental flaw: "as long as they are functionally the same." Let's say your highly trusted vendor gets busted IRL and turns over his key to LE as part of a plea deal. The trust property is instantly inverted and no one who communicates with the vendor would know. What causes the system to fall apart is the anonymity. You have no way, EVER, in an anonymous system to know that a key that was once considered trustworthy is *still* trustworthy.
That's not a problem with anonymity or any of the security properties of what I suggested. That's a problem with life. :-P
IRL the same thing happens. Someone gets busted, turned, and is back on the street dealing same as before... except now they're a snitch. A SR IRL bust would be a little bit easier, because the cops wouldn't need as much day-to-day cooperation from the busted seller; they could just take over business operations.
But I did give specific ways to *partially* be able to protect against what you're talking about, IRL compromise. The stuff you quoted wasn't it (that's for protecting against some form of man-in-the-middle [MITM] attack), which makes me think you didn't read my post very carefully. ;-)
It's impossible to *fully* protect against IRL compromise (ie where the seller is still performing 100% the same, chatting in the forums, everything as normal), because in that situation, your former friend is now your adversary, but their identity and behavior is still identical.
My suggested partial protections are against a more realistic IRL bust where they don't really have day-to-day use of the busted person (or enough cooperation that they'll admit to whatever random secrets someone uses as a challenge), they just have their PGP keys and physical stash.
tl;dr: No seriously, read the detailed post more carefully. I thought of this. :-P
-
1. Sign each others' keys once you have some proof that it belongs to the person it's claimed by, and do so at the appropriate level of validation. This helps build a "Web of Trust".
Great post!
How does one get the fact that they can vouch for a key out to the rest of the web though?
I have used a keyserver in the past but it seems as though that would compromise the anonymity of the site if we were to use a non-SR-orientated site to upload/download key data from.
-
How does one get the fact that they can vouch for a key out to the rest of the web though?
Manually. You sign the public key in "ok to export" mode (non-local), then send it back to the owner. Then they just import it, now with your signature (and whoever else's), and use the new version in their postings.
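The three things the posts above describe, shown end to end as an added example that is not part of the thread: why GnuPG says a signature is good but "not valid" (it has no trust path to the signing key), how a local-only signature makes that warning go away on your own machine without ever leaving it, and how an exportable signature is sent back to the key owner so it can travel with their key. The script is my own and uses throwaway keyrings in a temp directory; the identities (vendor, alice and bob at example.invalid) and the announcement text are constructed for the demo, and it assumes GnuPG 2.1 or later for the --quick-* commands.

```shell
#!/bin/sh
# Added example (not from the thread). Three throwaway GnuPG homes stand in for
# a vendor, a reader (alice) and a second reader (bob); all identities and the
# announcement text are constructed. Needs GnuPG 2.1+ (quick-* commands).
set -eu

WORK=$(mktemp -d)
VENDOR="$WORK/vendor"; ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$VENDOR" "$ALICE" "$BOB"
cleanup() {
  for h in "$VENDOR" "$ALICE" "$BOB"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# g <home> <gpg args...>: run gpg non-interactively against one party's keyring.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --no-tty --pinentry-mode loopback \
      --passphrase '' "$@"
}

# fpr <home> <key id>: primary-key fingerprint as stored in that keyring.
fpr() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# trust_status <home> <signed file>: the TRUST_* token gpg reports on --status-fd.
# TRUST_UNDEFINED is the machine-readable form of the "not certified with a
# trusted signature" warning; the signature itself still checked out.
trust_status() {
  g "$1" --status-fd 1 --verify "$2" 2>/dev/null |
    awk '$1=="[GNUPG:]" && $2 ~ /^TRUST_/ {print $2}'
}

# sigs_by <home> <key id> <signer fpr>: certifications on <key id> made by
# <signer fpr> as seen in that keyring (sig records carry the 16-hex key ID).
sigs_by() {
  kid=$(printf '%s' "$3" | tail -c 16)
  g "$1" --with-colons --list-sigs "$2" 2>/dev/null |
    awk -F: -v kid="$kid" '$1=="sig" && $5==kid {n++} END {print n+0}'
}

# 1. Keys. quick-generate-key marks each party's own key ultimately trusted.
g "$VENDOR" --quick-generate-key 'vendor <vendor@example.invalid>' default default never
g "$ALICE"  --quick-generate-key 'alice <alice@example.invalid>'   default default never
g "$BOB"    --quick-generate-key 'bob <bob@example.invalid>'       default default never
VENDOR_FPR=$(fpr "$VENDOR" vendor@example.invalid)
ALICE_FPR=$(fpr "$ALICE" alice@example.invalid)
BOB_FPR=$(fpr "$BOB" bob@example.invalid)

# 2. The vendor clearsigns an announcement and publishes the public key.
printf 'Constructed sample: the market has moved to a new address.\n' > "$WORK/announce.txt"
g "$VENDOR" --clearsign --output "$WORK/announce.asc" "$WORK/announce.txt"
g "$VENDOR" --armor --export "$VENDOR_FPR" > "$WORK/vendor.pub"

# 3. Alice imports the key she fetched from the vendor's page and verifies.
#    Good signature, but gpg has no path from a key it trusts to this one.
g "$ALICE" --import "$WORK/vendor.pub"
BEFORE=$(trust_status "$ALICE" "$WORK/announce.asc")      # TRUST_UNDEFINED

# 4. "Sign it local only": a non-exportable certification from Alice's own
#    (ultimately trusted) key. The warning goes away on her machine only.
g "$ALICE" --quick-lsign-key "$VENDOR_FPR"
AFTER=$(trust_status "$ALICE" "$WORK/announce.asc")       # TRUST_FULLY

# 5. Local signatures are dropped on export, so nothing Alice publishes
#    or sends back reveals that she vouched for the vendor.
g "$ALICE" --armor --export "$VENDOR_FPR" > "$WORK/vendor-from-alice.pub"
g "$VENDOR" --import "$WORK/vendor-from-alice.pub"
LOCAL_IN_ALICE=$(sigs_by "$ALICE" "$VENDOR_FPR" "$ALICE_FPR")    # 1
LOCAL_AT_VENDOR=$(sigs_by "$VENDOR" "$VENDOR_FPR" "$ALICE_FPR")  # 0

# 6. The "ok to export" route: Bob certifies exportably and sends the key back;
#    the vendor imports it and the merged copy is what gets posted next.
g "$BOB" --import "$WORK/vendor.pub"
g "$BOB" --quick-sign-key "$VENDOR_FPR"
g "$BOB" --armor --export "$VENDOR_FPR" > "$WORK/vendor-signed-by-bob.pub"
g "$VENDOR" --import "$WORK/vendor-signed-by-bob.pub"
g "$VENDOR" --armor --export "$VENDOR_FPR" > "$WORK/vendor-v2.pub"
g "$ALICE" --import "$WORK/vendor-v2.pub"
BOB_AT_VENDOR=$(sigs_by "$VENDOR" "$VENDOR_FPR" "$BOB_FPR")      # 1
BOB_AT_ALICE=$(sigs_by "$ALICE" "$VENDOR_FPR" "$BOB_FPR")        # 1

printf 'before lsign: %s  after lsign: %s\n' "$BEFORE" "$AFTER"
printf 'alice local sig visible: alice=%s vendor=%s\n' "$LOCAL_IN_ALICE" "$LOCAL_AT_VENDOR"
printf 'bob exportable sig visible: vendor=%s alice=%s\n' "$BOB_AT_VENDOR" "$BOB_AT_ALICE"
```

Step 4 is the "local only" signing from the earlier post, and step 6 is the manual round trip described here; the point of step 5 is that the two are genuinely different objects, so the local signature is a private decision while the exportable one is a public statement that ends up on the key the owner posts.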
-
oh! that's actually very easy sounding!
wouldn't that potentially reveal who had been buying/selling to whom though?
-
Why is SR really slow to connect to? For the past few days it's taken me an hour to log on. I refresh and refresh and refresh and all I get is time outs. Then I get a connection and the login times out. I have restarted Vidalia and I get the same.
I thought this new url was supposed to make it faster??
Frustrating.
-
The connection has timed out
The server at silkroadvb5piz3r.onion is taking too long to respond.
:'(
-
I was able to get on earlier this week but not anymore.
-
I click on 'new identity' on the vidalia button once or twice if needed...then open 3 or 4 tabs at once, just for drill, and usually I get on in a reasonable amount of time.
-
But that's about it. Technically, telling a cop "I smoked an eighth of my own weed yesterday" is all they need to arrest and prosecute you for possession. It's a "confession against interest".
Strictly speaking, it is likely to be admissible as a party declaration. Walking into a police station and saying "I am part of a conspiracy to commit murder, and my co-conspirator Bill has purchased the gun we plan to use," would likely be admissible at Bill's trial as a statement against interest.
-
I click on 'new identity' on the vidalia button once or twice if needed...then open 3 or 4 tabs at once, just for drill, and usually I get on in a reasonable amount of time.
- I assure you that's not always the fix, it's like trying to start a car, kick...push...fuel...key..battery....bollocks..
- the solution isn't a new identity, it's resolving the fault {cause and effect}
-
I click on 'new identity' on the vidalia button once or twice if needed...then open 3 or 4 tabs at once, just for drill, and usually I get on in a reasonable amount of time.
- I assure you that's not always the fix, it's like trying to start a car, kick...push...fuel...key..battery....bollocks..
- the solution isn't a new identity, it's resolving the fault {cause and effect}
Getting a new identity often helps when, for example, the rendezvous point you were using has gone offline but that has not been discovered by the Tor network, or any other circumstance where redoing the initial Tor hidden service connection procedure would solve the issue (see http://www.torproject.org/docs/hidden-services.html.en for details).
-
I click on 'new identity' on the vidalia button once or twice if needed...then open 3 or 4 tabs at once, just for drill, and usually I get on in a reasonable amount of time.
That worked, thanks!
-
oh! that's actually very easy sounding!
wouldn't that potentially reveal who had been buying/selling to whom though?
It would imply that you have some good reason to believe they are who they claim to be, and one reason for that would be because you've done some business with them.
But so what? Someone ties your SR handle / key to a seller, vaguely. Doesn't prove much from a legal standpoint (very circumstantial) and hopefully you'll trash that identity at the first sign of problems anyway.
The utility is mainly if you trust A and A trusts B, to indicate to you that B is probably legit. Signatures of people you don't know (and nobody whom you know knows) are not useful.
-
Signatures of people you don't know (and nobody whom you know knows) are not useful.
The issue here is that the only signatures that could be considered valid would be either IRL people you have met or sellers.
Since sellers aren't supposed to buy from other sellers with their seller accounts they can't sign each other's keys.
Doesn't this undermine the concept at play here?
-
Signatures of people you don't know (and nobody whom you know knows) are not useful.
The issue here is that the only signatures that could be considered valid would be either IRL people you have met or sellers.
Since sellers aren't supposed to buy from other sellers with their seller accounts they can't sign each other's keys.
Doesn't this undermine the concept at play here?
To the extent that's true, yes.
However:
a) It's not true that the only kinds of relationships that have formed trust are exclusively buyer<->seller. It's entirely possible that buyers might come to know and trust each other, etc etc.
b) You can acquire trust in one way, and display it in another. For example, if a seller has bought from another seller, as a separate buyer identity, they can still sign the other seller's key with their seller identity. All they need to do is wait a little bit to make sure that the other seller doesn't know which buyer account is theirs. Their two identities can stay separated, and they can use the trust others have in their public (seller) identity to encourage trust in another seller's public identity.
-
This topic should be stickied...
just saying is all :)
-
Hi,
I haven't checked SR in a while and I can't seem to login at the new domain - I am almost certain I am using the correct password. Is there any way I can check that my account has not been hacked or attempt to recover it?
Edit: ignore this, it is working now but the user ids appear to have changed. Why is this?
-
There seems to be about 3-4 "new" url's. I am still getting onto silkroad via wiki, then click the green url and that sends me straight to signing in, the only thing that has changed for me is that you don't get all that writing on the screen now. It's just a simple log in.
-
Memorize or bookmark the 'silkroadvb5piz3r' url (see what I did there? Purely from memory). Anything else is probably phishing for your login details to rip you off later or cause some kind of chaotic havoc you don't want.
You should probably change all of your passwords or better yet, start all over with a completely different handle and password and only ever type the url mentioned in this thread in by hand or use a bookmark from when you typed it in by hand. If you don't, you're greatly increasing the chance that you'll be ripped off somehow/someway.
Also, can we lock this thread now? There's nothing new about the onion url at this point.
-
There seems to be about 3-4 "new" url's. I am still getting onto silkroad via wiki, then click the green url and that sends me straight to signing in, the only thing that has changed for me is that you don't get all that writing on the screen now. It's just a simple log in.
My god, do not ever access SR through the wiki. It's always compromised by phishing sites. Just bloody bookmark it!
-
that was funny ;D
-
So I downloaded Tor, and quickly found the hidden wiki. From there, I followed a link on to the silkroad website (Big mistake, I know)
I tried to register an account, and a message told me to 'send a sum of 20BC to [long ass bitcoin address] to confirm your payment.'
I immediately smelt a rat, and will no longer be accessing silkroad using the wiki..
I found this link through a bit of google browsing.
http://silkroadvb5piz3r.onion/
Just to be clear, this is the current, uncompromised link to silkroad?
(Apologies for bad grammar, English is not my first language :D)
-
Try reading the OP, genius.
-
the new url isn't going to stop phishers. people still are still going to log in through the hidden wiki.
True, but it's a good preventative measure.
-
Try reading the OP, genius.
How about fuck you?
Pretty much 90% of the posts on the first page were people questioning the reliability of the OP.
-
Try reading the OP, genius.
How about fuck you?
Pretty much 90% of the posts on the first page were people questioning the reliability of the OP.
It's pretty obvious that the OP is accurate at this point. Don't be a dick for no reason, champ.
-
Guys, even goddamn WIKIPEDIA has the right url listed on their page. Why is this thread still alive?