Silk Road forums

Discussion => Security => Topic started by: StExo on May 17, 2013, 02:33 am

Title: The single most important step in ensuring your privacy on SR
Post by: StExo on May 17, 2013, 02:33 am
Applying common sense.

I am not going to name the person, but it was not sent to this account but instead to my SR account. But anyway, I received a message earlier supplying their "emergency contact details" of a BUYER in plaintext in a message which they ALSO sent to my tormail address, again in plaintext. Now what did this message contain that has me so concerned? A house address, their real name, their home telephone number, their mobile number and even their e-mail address from a regular clearnet email provider (i.e., Hotmail, Gmail etc.) who I wouldn't doubt for a second would reveal their entire e-mail history to law enforcement, not to mention they have their year of birth in the e-mail address itself.

Yes this issue has now been dealt with by SR staff. But please for the love of god people, use some brain cells before sending vendors any kind of information, not to mention such revealing details in plaintext on systems like Tormail which can't be trusted as it is.
Title: Re: The single most important step in ensuring your privacy on SR
Post by: londonpride2 on May 17, 2013, 02:44 am
I once put a vendor's PGP in and it came up with a full name and Gmail email address (I hope to god it wasn't his real name but it must be said I did not order from him).
Title: Re: The single most important step in ensuring your privacy on SR
Post by: StExo on May 17, 2013, 02:49 am
Quote
I once put a vendor's PGP in and it came up with a full name and Gmail email address (I hope to god it wasn't his real name but it must be said I did not order from him).

It's a sad sight which I've seen on some occasions myself. I usually send a nice message, PGP encrypted of course, telling them to change it, point them to PGP club and Pine, as well as give some recommendations on topping up their security. I'd never order from such a vendor myself, but I think part of the responsibility of SR is looking out for fellow users, even the real morons of the bunch.
Title: Re: The single most important step in ensuring your privacy on SR
Post by: londonpride2 on May 17, 2013, 02:52 am
Quote
I once put a vendor's PGP in and it came up with a full name and Gmail email address (I hope to god it wasn't his real name but it must be said I did not order from him).

It's a sad sight which I've seen on some occasions myself. I usually send a nice message, PGP encrypted of course, telling them to change it, point them to PGP club and Pine, as well as give some recommendations on topping up their security. I'd never order from such a vendor myself, but I think part of the responsibility of SR is looking out for fellow users, even the real morons of the bunch.

Yeah I did tell them but it was worrying. Even more worrying is how many vendors are falling for this phishing scam; it just should not be happening at vendor level. I can't help but wonder how many vendors leave address details of people who have ordered from them and other such details. SR/TOR/PGP security is only as good as the people using it.
Title: Re: The single most important step in ensuring your privacy on SR
Post by: StExo on May 17, 2013, 02:59 am
Quote
Yeah I did tell them but it was worrying. Even more worrying is how many vendors are falling for this phishing scam; it just should not be happening at vendor level. I can't help but wonder how many vendors leave address details of people who have ordered from them and other such details. SR/TOR/PGP security is only as good as the people using it.

I can answer that for you. A worrying amount of them.
Title: Re: The single most important step in ensuring your privacy on SR
Post by: Squirrel on May 17, 2013, 04:34 am
Quote
I can answer that for you. A worrying amount of them.

This is what bothers me the most about SR.  Some of these vendors make it no secret that they keep addresses.  No, not outright on their vendor page but when you get an answer to a shipping question with, "Hey, just give me your name and I'll look to see when I sent it out", it causes heart palpitations.  Just get rid of my info, please.  If I want to come back to you some day, I will.  But I don't want cops at my door because you were either too lazy or too ignorant.  Fuck.
Title: Re: The single most important step in ensuring your privacy on SR
Post by: Rastaman Vibration on May 17, 2013, 04:50 am
Quote
I once put a vendor's PGP in and it came up with a full name and Gmail email address (I hope to god it wasn't his real name but it must be said I did not order from him).

Same here. I also warned them about it. You gotta look out for the idiots on here because they make it more dangerous for everyone. It just surprises me how many idiots are actually on here. You would think the learning curve required to use this system would scare them off.

And you know what else? The people that do that dumb shit are most certainly not reading the forums and getting this useful info...
Title: Re: The single most important step in ensuring your privacy on SR
Post by: Railgun on May 17, 2013, 04:57 am
Hmm the name and e-mail address could've been fake. I use a fake one for my PGP key because it looks more legit and my software bitches about not including it for lookups. 

The only thing that worries me is that these vendors are keeping info inside an Excel file named "TransactionsSR" or the like on their desktop, passworded by "password."

There's really no way of checking to ensure this doesn't happen.  I would think it would be best to remove this for the dealer's POV as well as they can claim less transactions/weight pushed.
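
The posts above describe importing a vendor's PGP public key and seeing a full name and Gmail address: that text lives in the key's User ID packets, which are stored unencrypted in every exported public key. The following is an added example, not part of the original thread, that reads RFC 4880 packet headers and lists the User IDs a key discloses so they can be reviewed before the key is published; the sample key bytes, the name `Jane Example` and the function names are constructed for illustration.

```python
import base64

def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes, decoding ASCII armor if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.decode("ascii").strip().splitlines()]
    body = lines[lines.index("") + 1:-1]         # skip armor headers and END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packets(buf: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(buf):
        hdr = buf[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                           # new-format header
            tag, first = hdr & 0x3F, buf[i]
            i += 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + buf[i] + 192
                i += 1
            elif first == 255:
                n = int.from_bytes(buf[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                    # old-format header
            # length type 0/1/2 -> 1/2/4 length octets; 3 -> body runs to end
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]
            n = int.from_bytes(buf[i:i + size], "big") if size else len(buf) - i
            i += size
        yield tag, buf[i:i + n]
        i += n

def user_ids(key: bytes) -> list:
    # Tag 13 = User ID packet: free text, by convention "Name (Comment) <email>".
    return [b.decode("utf-8", "replace") for t, b in packets(dearmor(key)) if t == 13]

# Constructed sample: dummy public-key packet (tag 6) plus two User ID packets.
UID = b"Jane Example <jane.example1980@mail.example>"
SAMPLE = (b"\x99\x00\x04" + b"\x04\x00\x00\x00" + bytes([0xB4, len(UID)]) + UID
          + bytes([0xCD, 4]) + b"anon")   # tag 6, tag 13 (old fmt), tag 13 (new fmt)

if __name__ == "__main__":
    print(user_ids(SAMPLE))
```
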
Title: Re: The single most important step in ensuring your privacy on SR
Post by: spaceshipUSAsafeship on May 17, 2013, 05:56 am
This seems relevant to this topic.. and just happened to us..

We had a fellow domestic vendor (an international reseller of our product, we suspect) order from us, plain text address/real name... from their vendor account.

We sent their order of course, but also sent them a pretty serious PM explaining that they may want to rethink some of their practices.
They reacted by becoming defensive and then (incorrectly) using PGP to try to prove some kind of point. Of course we couldn't read it.. because it wasn't encrypted for us, lol  ::)

Come on people  8)
Title: Re: The single most important step in ensuring your privacy on SR
Post by: Baraka on May 17, 2013, 07:59 am
Squirrel hit it right on the nose. A vendor privacy protocol is needed. BADLY. This issue is so vital that all current SR vendors should be bombarded with this protocol, and all future vendors should have to read through it before they can actually start selling product. Common sense that's so simple, it's retarded.  :o :P

Quote
This is what bothers me the most about SR.  Some of these vendors make it no secret that they keep addresses.  No, not outright on their vendor page but when you get an answer to a shipping question with, "Hey, just give me your name and I'll look to see when I sent it out", it causes heart palpitations.  Just get rid of my info, please.  If I want to come back to you some day, I will.  But I don't want cops at my door because you were either too lazy or too ignorant.  Fuck.
Title: Re: The single most important step in ensuring your privacy on SR
Post by: Fallkniven on May 17, 2013, 08:15 am
I once reminded a vendor that they had posted their PRIVATE PGP key on their profile page  :o
Title: Re: The single most important step in ensuring your privacy on SR
Post by: BlackIris on May 17, 2013, 11:28 am
I must confess that the first time I've entered the SR and contacted a vendor (I entered the SR explicitly to buy the listing in there at the time) I idiotically sent him/her a clearnet e-mail as a contact.

In my defense that e-mail was anyway not linked even remotely to myself but still it was a complete idiocy on my part and a bad mistake; I was searching around for something specific and when I found the listing I just contacted the vendor without looking first at these forums or the wiki or informing myself etc. and hence committing a grave mistake.

I have no problems admitting my mistake and from that time I've read everything about security here and I have set up everything correctly. I think that when a vendor sees something like that s/he should inform the buyer about the risk s/he is taking and to please correct them for the good of all the community here (nobody can know about everything and everybody must start from beginning in some field).

I write this so that newcomers as myself can understand from the stupid errors we commit when we are new to the system and learn how to overcome them.
Title: Re: The single most important step in ensuring your privacy on SR
Post by: StExo on May 17, 2013, 11:48 am
Quote
I must confess that the first time I've entered the SR and contacted a vendor (I entered the SR explicitly to buy the listing in there at the time) I idiotically sent him/her a clearnet e-mail as a contact.

In my defense that e-mail was anyway not linked even remotely to myself but still it was a complete idiocy on my part and a bad mistake; I was searching around for something specific and when I found the listing I just contacted the vendor without looking first at these forums or the wiki or informing myself etc. and hence committing a grave mistake.

I have no problems admitting my mistake and from that time I've read everything about security here and I have set up everything correctly. I think that when a vendor sees something like that s/he should inform the buyer about the risk s/he is taking and to please correct them for the good of all the community here (nobody can know about everything and everybody must start from beginning in some field).

I write this so that newcomers as myself can understand from the stupid errors we commit when we are new to the system and learn how to overcome them.

This is an incident where you learn from your mistakes because we do all make small slip-ups from time to time (hell, I've accidentally signed off an encrypted message with my real first name once, that spooked me even though I trust the person isn't a cop given their SR reputation) and whilst we'd like it if they didn't happen, truthfully we'll never have a flawless system since we humans are the biggest security risk in the whole process. However, for vendors to be making such trivial errors is extremely concerning. I didn't even dream of becoming a vendor until I had made at least a few orders from other vendors and learned the full amount of required information on operating PGP and general tips to ensure safe vending and only after then did I open a vendor account on a fresh account. Buying with your vendor's account is completely suicidal unless you know the other vendor very well and have worked with them before. The only other vendor I partially trust is one I work reshipping for and also change his bitcoins into cash.
Title: Re: The single most important step in ensuring your privacy on SR
Post by: Ro-Jaws on May 17, 2013, 06:39 pm
This is the stuff that makes me break out in a cold sweat! I can put in as much time and effort as I like at this end but a lazy vendor will get me hoovered up when they do eventually go down. Arghh I've set myself off again - need to go clean the house again.
Title: Re: The single most important step in ensuring your privacy on SR
Post by: ThisUsernameIsTaken on May 17, 2013, 07:52 pm
The Black Market Reloaded has a couple of great practices concerning these things:

1) You just cannot use your vendor account to buy anything. I think it should be the same here.

2) PGP is mandatory for a vendor account, and all the sensitive information during a purchase process is encrypted. You can't see the buyer's address without decrypting.

3) When the order is marked as "sent", even the encrypted information is removed from the server, and you have no way to retrieve it.

BMR has other differences to SR too, and not all of them are for the better. For example, user feedback is left with usernames, and from there it is very easy for everyone to see the user's purchase history. I would not be comfortable with that as a buyer.

I would sleep so much better at night knowing my encrypted message self destructed.

Then I'd worry if they copy and pasted it into a mailing label printing program, and destroyed that as well :/
Title: Re: The single most important step in ensuring your privacy on SR
Post by: Hungry ghost on May 18, 2013, 06:33 am
Quote
This is the stuff that makes me break out in a cold sweat! I can put in as much time and effort as I like at this end but a lazy vendor will get me hoovered up when they do eventually go down. Arghh I've set myself off again - need to go clean the house again.

+1 for reminding me of Ro-Jaws and the ABC Warriors! Used to love 2000AD, best comic ever.