Market's Auto-Encrypt Function

Just bored and figured I'd get thoughts from the community. One of my biggest pet peeves with markets is that they offer to auto-encrypt for users. I honestly don't think any market should offer this functionality.

I simply don't think there is ANY good reason for a market to offer auto-encryption. Now the main argument is going to be "it's better than nothing." Well, the thing is, learning to encrypt is fucking easy. If this function isn't offered, then most people are going to fucking learn to encrypt on their own. It reinforces a shitty, terrible habit. Even if Market A is not compromised, a user who begins to rely on auto-encrypt is going to take that shitty, unsafe habit to another market which may not be safe.

My personal belief is that market admins should remove the auto-encrypt function ASAP. Don't let people feel comfortable at all with trusting markets. I cringe at the number of people who use auto-encrypt for one reason or another. Even if the market they use today is safe, what about a market that isn't safe? What if LE opens a honey pot and offers auto-encryption? I just think it's not responsible. While I understand the argument that "it's better than nothing", I don't think it's in the best interest of the community personally. I don't think markets should contribute to very unsafe habits.

Just my personal opinion. Unfortunately it seems to be the norm. I wish markets would say fuck that and remove that feature and let's not make it the fucking norm. If the markets out there right now would remove this right now, then future markets would not feel that they have to offer it.

Here's the thing. What is the whole purpose of fucking encrypting sensitive information when you make an order? TO FUCKING PROTECT THAT INFORMATION FROM THE GOD DAMN MARKET!!! When you rely on auto-encrypt, then fuck it, why even fucking use PGP? Seriously, there is no god damned point to encrypting your shit (aside from perhaps a compromised vendor's account). If this is going to be the status quo, then we might as well just fucking plain text everything. Here's my address guys, fuck opsec.

Source: I'm a fed. I know this shit.


Comments


[19 Points] 90210BitchTits:

They leave auto-encryption because little babies and bartards are too lazy to figure it out. Once they want to buy something and they can't figure out PGP they get turned off by the whole idea and just go pick up some shwag from Jamarcus on the block. It's not up to the markets to keep people safe. It's up to the individual to keep themselves safe.

Should markets hand out free test kits to customers just for signing up? It's not AB's responsibility to make sure Vendor A is selling pure safe stuff. Sure, if it's proven the vendor is selling dangerous shit as something else, then ban them. But it's ultimately up to the individual to test their own shit to keep themselves safe.

Get it?


[2 Points] honestlyimeanreally:

Look at it from the market perspective: more features mean more users and therefore profit.

The feature doesn't have to be good or practical, after all.

Personally, I agree with you of course; it doesn't make sense from a security perspective to trust the website with your sensitive information like that...


[2 Points] gritty_city:

I understand where you are coming from and agree to a certain extent. I believe that if they were to remove the market encryption feature like you describe, they should add some sort of feature to direct the users to a step by step tutorial for how to properly use PGP and make it a "rule" (regardless whether or not it is enforced, or enforceable). Maybe also add a link to some info describing why it is so important to encrypt communications on the market, or really anywhere on the interwebz. Hell, even privnote would be better than encryption provided by the markets.

I think the people that do not use PGP are the ones that rush into making purchases without doing proper research to cover their own ass and don't take a minute to ponder on what they are truly doing and the implications in today's digital era.

People keep falling back on "low hanging fruit" as some sort of protection for the intelligent/thorough users, but in reality, any type of attention on this stuff by third parties is no bueno for anyone.


[1 Points] Potatos500:

AB's "encrypt with PGP" isn't auto encrypt right?


[1 Points] dnvendorthrowaway:

While I agree with you on all points, the fact is all humans are fucking bartards at the root of it.

The only way our devices and networks will be safe is when it gets built in. I guess that is the point of the markets building auto-encrypt in.

Once again, I agree with every word you've said, but people have tried to order off reddit and every other type of stupid shit.

Mo betta scrambled bits, man. They may not do it themselves. Then it's too late.

And if you ain't assuming the market will be compromised some day, you ain't thinking.


[1 Points] sam8404:

I remember before learning pgp I was worried it would be difficult, but it's the easiest thing in the world. I can't believe people would rather risk their safety than take 5-10 mins to learn basic pgp. Shockingly, I've seen a lot of vendors on AB who tell people to use the auto encrypt.


[1 Points] None:

Encryption is easy for you. Not everyone has the same aptitudes in the same areas. The real warning should be if things like encryption and software installation/configuration intimidate you to the point where you won't learn to use necessary tools then stay the fuck off the darknet.


[1 Points] None:

It's easy for folks who are computer savvy. It's fucking Chinese for people who aren't. And those that aren't savvy are also the ones who don't truly understand why it is so important, so won't bother learning it as they don't understand why they should.

Having auto encryption is great because it doesn't matter how many guides you write, how simple you make it, or how easy it is, some folks simply will not bother to do it themselves.


[1 Points] SirDrug:

Low hanging fruit.


[1 Points] Rayn211:

Anyone who uses auto encrypt has shit opsec, but it's better than clear text I guess


[1 Points] thecoolbrian:

Plot twist all the markets used client side javascript to encrypt messages and the government tricked us into blocking it.


[1 Points] TradeRouteTeam:

When we built our market it was without any kind of auto-encrypt because it was the rational thing to do in order to push people into doing their offline PGP encryption. We ask users to encrypt sensitive information in lots of places of our marketplace so it is very hard to not read at least one of those warnings, but still half of our users do not encrypt their addresses.

Looking into the database and seeing hundreds of unencrypted addresses looked so damn wrong, obviously this was the worst option as even the smallest data breach would be critical. So there were two options we could think of:

-Do not allow unencrypted addresses, this would lead to people faking PGP messages and including their plain text address inside (we have seen this happen in other markets). Or they would just leave and go to another market who auto-encrypts addresses or just doesn't care at all. So it would be the same risk for them in the end.

-Auto-encrypt, we finally decided that as long as the market doesn't get compromised it will be 100% safe. We implemented automatic encryption for addresses and didn't advertise it a lot, so we don't give a false sense of security. This should still push users into encrypting their information while keeping the rest moderately safe.

If there's a better solution I'm all ears. Regards!


[1 Points] onetoomanydude:

You still have to have your PGP on the site for it to work....and only you have that password, right?


[1 Points] None:

You are making a huge assumption that if they disabled auto encrypt people would learn to use real PGP. I think most of those people would just use clear text if they couldn't auto encrypt.


[1 Points] GenericMike5885:

ALWAYS manually encrypt


[1 Points] aaatttppp:

A-FUCKING-GREED


[1 Points] AutoModerator:

If you wonder why you get a warning when clicking in the password fields on DNMs, then please read this.

Please read the DNM bible next time before posting your questions and post these type of questions on /r/DarkNetMarketsNoobs next time.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.