Silk Road forums

Discussion => Security => Topic started by: top44 on May 13, 2013, 10:23 am

Title: buying with no encryption of address
Post by: top44 on May 13, 2013, 10:23 am
so i have placed an order with a high rated vendor, one of the bestselling products on SR, but he prefers to use privnote instead of PGP. he has no PGP key at all. But I have read only good things about him on the forum and feedback pages. Seller said it was ok to use SR as it is, and privnote was not mandatory, so i went for it without any encryption

i have doubts about anything out of SR, i have only used PGP till now. So i just used the address without encryption, and placed the order.

What are the dangers of not using PGP? After all, there are no clues like shipping address or so left on my account after placing an order, nor on the vendor's account. Isn't SR safe enough by itself?

For me, if "everything can be watched", i think then the same danger that i am being watched at SR placing an order, the same or even bigger danger is someone watching me writing the message at privnote, and it's out of SR, so i trusted SR in its pure form.

I would like your opinions whether i did bullshit or no .. :(
Title: Re: buying with no encryption of address
Post by: wasta on May 13, 2013, 10:35 am
It should be safe to use just SR as it is, because it is an onion address, so all data is encrypted.
A good thing you did not use privnote.
Other sellers won't even help you and do not sell if you have used privnote.
It is ignorance of the vendor.
He should learn gpg.

SR should be safe, but I think all agencies have Silkroad high on their list.
To make a copy of the last Tor node and replace it with an evil webserver.
Man in the middle attacks.
Like hide my ass, privnote can be demanded to reveal their info, and they will, they all do.

And why did you take top44 as a nickname, it is the Honda of the cars.
A nickname like Haze or even a PP (powerplant) are the equivalent of a Cadillac and a Ford.
But as you wish, Honda it is.

You may call me "skunk", my shower has no warm water for over one week now.
And Skunk is to be compared with a Dodge, to stay in the car comparison.

Meaningless bla, bla, just kiddin', my answer is serious though!
Title: Re: buying with no encryption of address
Post by: StExo on May 13, 2013, 10:36 am
Vendors who don't have PGP are something I'd avoid like the plague, it shows they're either too lazy or don't know how to use it, either of which are traits of people I don't want to be working with. If he insists on Privnote, then you yourself should insist on PGP.

To answer your question, SilkRoad deletes your address, yes, but I don't know how they delete it, whether with a single pass, multiple passes etc., so it is possible that the information could be forensically recovered. Either way, you will be relying on SilkRoad to protect you and I think the philosophy of most users on this forum is that you should take measures to protect yourself and not leave it in the hands of the marketplace, which could well be a honeypot for all we know (although it's highly unlikely, you can never be too careful).
Title: Re: buying with no encryption of address
Post by: smokecrack on May 13, 2013, 11:11 am
privnote can be demanded to reveal their info, and they will, they all do.

like a deleted message or a message with only an address that they have no idea who made the message or who it got sent to?

so privnote is going to see an address like this

debrah hoppie
13121 University Drive
Fort Meyers, FL 33907

then they will contact law enforcement because they saw an address? an encrypted address that they claim they don't have access to? one they claim to delete after it is read? one that isn't tied to silk road in any way? an address that they don't know who sent or why they sent it or who they sent it to?

yeah, and i have a chip implant that i got as a child that tells police when i do drugs. my dealer also reports my address, license tag and drug purchases to police and the police serve ice cream on the corner.

barney is real.
Title: Re: buying with no encryption of address
Post by: top44 on May 13, 2013, 11:27 am
thanks for replies, they are of much help,

I think the seller is "lazy" to use PGP just to manage the orders faster. I got my order from processed to transit in less than 10 minutes! i know it is just a button, but all i am saying is he does not lose time, sends order immediately, he is well known for the super fast shipping.

As for privnote, i insist since it's out of silkroad, i trust silkroad as it is, when i have not to use PGP i will use SR form with no encryption, but very few sellers don't have PGP key
Title: Re: buying with no encryption of address
Post by: jase00 on May 13, 2013, 11:45 am
unless the vendor lives right next door to a mailbox to drop stuff off in 10 mins is pretty quick...
still though, sounds like great service.. I do like a nice fast 'in transit' :)
Title: Re: buying with no encryption of address
Post by: StExo on May 13, 2013, 11:50 am
unless the vendor lives right next door to a mailbox to drop stuff off in 10 mins is pretty quick...
still though, sounds like great service.. I do like a nice fast 'in transit' :)

A lot of vendors hit "in transit" when they've printed off the labels, sorted the postage and packed it all so it's ready to be taken to the mailbox and then deliver them in one go for small vendors or spread them across several hours and mailboxes if they're a more organised operation. The worst vending I've seen was he hit the button for in transit on the 21st of a particular month and when he finally sent the tracking code, it showed it wasn't actually dispatched until the 24th, so I haven't ordered from that vendor again because I'm way too anal about being accurate. Anyone who has worked with me before will know just how much I check and double check everything.
Title: Re: buying with no encryption of address
Post by: Tellemetree on May 13, 2013, 12:03 pm
privnote can be demanded to reveal their info, and they will, they all do.

like a deleted message or a message with only an address that they have no idea who made the message or who it got sent to?

so privnote is going to see an address like this

debrah hoppie
13121 University Drive
Fort Meyers, FL 33907

then they will contact law enforcement because they saw an address? an encrypted address that they claim they don't have access to? one they claim to delete after it is read? one that isn't tied to silk road in any way? an address that they don't know who sent or why they sent it or who they sent it to?

yeah, and i have a chip implant that i got as a child that tells police when i do drugs. my dealer also reports my address, license tag and drug purchases to police and the police serve ice cream on the corner.

barney is real.

I get and understand that Barney is real, but some of that other stuff seems a bit far-fetched....
Title: Re: buying with no encryption of address
Post by: top44 on May 13, 2013, 12:15 pm
yes that is very quick service - btw having a mailbox near your home in a town is not unusual :D It shows how the vendor does what is in his hands to satisfy the customer, at least at this first step of ordering, which is one of the most important when choosing whom to buy from

and lol at captcha at this post is "FKYEEA"   ahahah its about the customer service :D
Title: Re: buying with no encryption of address
Post by: dryice on May 13, 2013, 02:42 pm
I think a private note is a very bad idea, also non-encrypted addresses are a bad move. you need to look after your own safety on silkroad because if the vendor account gets hacked your address is available to the hacker with your order. If this happens to be the cops then you're pretty much done for. If your comms and your address are encrypted and something bad happens you have nothing to worry about other than losing your gear maybe.
Safety is no1 and if you are willing to put your safety in the hands of some1 you don't know and have never met when you have no need to then you are responsible for your own actions when the cops kick your door in.
Also vendors who rush orders out at the last min and get them to the post box near their house are asking to get caught and get you caught. This is a huge weakness for vendors. all a cop needs to do is get you to rush an order out then find out the area it came from and man the area next time they get you to rush an order out. it may take them a few times to spot them but they can work it down and generally the vendor will drop at the boxes in the area with no cameras near them. This is an easy way to narrow it down and bust the vendor and the buyer.
A vendor who thinks about security won't ever rush orders through like this because they don't want to leave any trace. You never know what customer is a copper so you can never be too careful.
Title: Re: buying with no encryption of address
Post by: Railgun on May 13, 2013, 03:33 pm
The thing is it leaves the exit node unencrypted, allowing LE, who may be watching the exit node, to see your data. I don't get why PGP use would be so difficult for someone who is smart enough to sell drugs. Who knows what privnote does with the notes? Do they destroy them? Do they look for keywords?
Title: Re: buying with no encryption of address
Post by: kmfkewm on May 13, 2013, 03:46 pm
I guess the question is, do you want to get raided after SR is hacked into by the police (they already have hacked into half a dozen CP hidden services), do you want to get raided after SR is hacked into by the police (since privnote is entirely weak to MITM) OR after privnote flags you as suspicious, or do you want to not get raided because nobody can crack GPG?
Title: Re: buying with no encryption of address
Post by: Railgun on May 13, 2013, 03:56 pm
I guess the question is, do you want to get raided after SR is hacked into by the police (they already have hacked into half a dozen CP hidden services), do you want to get raided after SR is hacked into by the police (since privnote is entirely weak to MITM) OR after privnote flags you as suspicious, or do you want to not get raided because nobody can crack GPG?

True but how do we know the vendors delete our information? It seems the most likely occurrence would be a vendor getting caught for doing some on the side shit. 

The thing about CP is that it's not encrypted at all most of the time, and I bet some of the pictures have EXIF data.
Title: Re: buying with no encryption of address
Post by: kmfkewm on May 13, 2013, 05:34 pm
I guess the question is, do you want to get raided after SR is hacked into by the police (they already have hacked into half a dozen CP hidden services), do you want to get raided after SR is hacked into by the police (since privnote is entirely weak to MITM) OR after privnote flags you as suspicious, or do you want to not get raided because nobody can crack GPG?

True but how do we know the vendors delete our information? It seems the most likely occurrence would be a vendor getting caught for doing some on the side shit. 

The thing about CP is that it's not encrypted at all most of the time, and I bet some of the pictures have EXIF data.

CP is completely irrelevant to this conversation, the point I was making is simply that feds can sometimes hack into hidden services. You have three options:

1. Trust the security of the server and trust the operators of the server (The server is almost certainly weak to being penetrated in some way, humans are fallible)
2. Trust the security of privnote and the operators of privnote (privnote is very weak to MITM, the operators could use bugged javascript etc)
3. Trust the mathematics of RSA, which have been subjected to vigorous peer review and determined to be secure

take your pick but I personally will be going with 3.

The vendor storing your information or not is completely irrelevant to the security of how you transfer your information to the vendor. If you want to be really secure use fake ID boxes or other boxes that cannot be linked to you, and switch them up periodically or especially if you think a vendor was busted.
Title: Re: buying with no encryption of address
Post by: jackofspades on May 13, 2013, 05:54 pm
privnote can be demanded to reveal their info, and they will, they all do.

like a deleted message or a message with only an address that they have no idea who made the message or who it got sent to?

so privnote is going to see an address like this

debrah hoppie
13121 University Drive
Fort Meyers, FL 33907

then they will contact law enforcement because they saw an address? an encrypted address that they claim they don't have access to? one they claim to delete after it is read? one that isn't tied to silk road in any way? an address that they don't know who sent or why they sent it or who they sent it to?

yeah, and i have a chip implant that i got as a child that tells police when i do drugs. my dealer also reports my address, license tag and drug purchases to police and the police serve ice cream on the corner.

barney is real.

you must be tripping balls.
Title: Re: buying with no encryption of address
Post by: top44 on May 13, 2013, 07:12 pm
if SR comes down and/or dealer gets busted, in any case i am less "criminal" to buy, rather than to sell.
other sites that lead to busts are other sites! SR is number 1.
If they can bring down SR why don't they do so? DOS attacks like the last, is the only way they can?

I feel less comfortable writing all these in a forum (that can be found through search machine, and every opinion is publicly accessible, many times feeding even the media in cases of busts etc)
than buying in SR without encryption.

If SR gets down, i am sure DPR will not betray us, and possibly he has already taken care of protecting our privacy in a worst case scenario.


"1. Trust the security of the server and trust the operators of the server (The server is almost certainly weak to being penetrated in some way, humans are fallible)
2. Trust the security of privnote and the operators of privnote (privnote is very weak to MITM, the operators could use bugged javascript etc)"

this is what my thread is about. i had only options 1 and 2. and chose to trust security of SR server instead of privnote's.

In the end, the answer to why use PGP, is that in case SR is busted, or vendor is busted, the LE would be able to decrypt all addresses from customers, even if they have been deleted?

I think that vendor cannot save the order details (address), only if he has a reason, he can do it whenever he wants. But in digital form, is it saved anywhere else than SR? and SR deletes it or not? i mean, i am sure i am not able to see it anywhere, but does SR keep a log of all the inputs in the order form when placing an order?