Silk Road forums
Discussion => Security => Topic started by: scripthack on May 07, 2012, 06:49 pm
-
I was thinking of purchasing 5 pills of dmtdoodeelsd's Molly, but the vendor has said 'we don't have a PGP, don't ask..'. Their reviews seem to be all positive, but I've never ordered without using PGP before. Is it safe to order without it? Or should I just leave it..
-
dmtdoodeelsd used to use PGP a month or so ago. I see they provide a link to privnote.com. Why not create a note with your address in and send them the link in the address field when ordering? The note self destructs as soon as they have finished reading it and privnote say they don't keep a log of the IPs used to create the notes. Seems quite secure considering you will be accessing it through TOR anyway and privnote won't know what the note is for ;D
If you are still unsure about using privnote, then read their privacy policy here: https://privnote.com/privacy/
Hopefully that should put your mind at ease.
-
I don't have any specific knowledge of this vendor, but in general, a vendor who doesn't use PGP is not to be trusted. Nor are these external "private" email services.
-
I don't have any specific knowledge of this vendor, but in general, a vendor who doesn't use PGP is not to be trusted. Nor are these external "private" email services.
You're right on both counts. SR admins strictly advise against using privnote. I'd look for another vendor.
-
man, PGP is the way here on Tor
You can use it for everything or only for the shipping address
To be safer, I suggest PGP to you
-
I don't understand why a vendor would not use PGP.
Lazy, and disrespectful to customers.
-
for unimportant messages it's not necessary
but if someone tells me that they want to talk with me only
through PGP, no problem, I use only PGP
-
no PGP, no deal. It's a risk to both you and the vendor.
-
Ahh that's a shame. I was hoping privnote would be an acceptable alternative to PGP. Mainly because I like the look of dmtdoodeelsd's Aphet and it would be domestic. It seems more lurking is required as opposed to taking "privacy" websites on face value.
-
If they don't use the basic, freely available tools to protect your privacy, how can you trust them?
-
Well excuse us... we do apologise for the fact we are not computer savvy - we tried to get to grips with PGP a while ago, but it seems like much ado about nothing tbh...
i think the only reason people should use PGP is to send addresses as apparently it is a balls-ache just to open a message which is encrypted... and not just that, the only way anyone who sends their address in the normal way is EVER gonna get caught, is if the whole of Silk Road's servers get hacked and the whole website goes down - and if that happens do you think the LEO are gonna be fussed with a few individual consumers' postal addresses..!?!?!?
they want to bring down the administrators of the site, maybe some unlucky vendors, but really, guys, you think you are that important to get followed or tracked or get observation put on you for ordering a few pills or whatever from an underground website , which you have to use TOR for anyway..?!?!!?
it seems to me we will get more customers when i eventually get time to get my head round it all - but until that time, we are not offering PGP atm... but that is not affecting the constant stream of happy customers we have all round Europe... feel free to order in the original, conventional way, you have nothing to fear except the truth people ... ;-)
increase da peace xx
-
@dmtdoodeelsd
Speaking only for myself, I will always pass up a vendor who isn't willing/able to use PGP. Although I agree with you that it doesn't increase my risk a whole lot. The reason it sketches me out is far more about what it says about the vendor. It says, "I can't take the time to figure out a fairly simple computer problem", or, "I'm too lazy to take two (at most) extra minutes to make your transaction a little more secure".
Either way, it makes me question how careful you are about the rest of your ("you" being any vendor that doesn't/won't use PGP) operation. Considering the nature of what we're buying and selling here, just a little doubt is enough for me to look for someone else, even if it means I'd have to pay a little bit more. And I don't see the argument of, "Well, I have tons of happy customers" as being especially valid. Just because nothing bad has happened yet, don't mean you're not running a really sloppy operation. It just means you have a bunch of customers who care more about getting drugs than being safe.
I'm not one to criticize without offering a solution, so if you'd like, feel free to PM me, and I'll try and help you get set up with PGP.
-
Really? Man, it's not that hard. Hell, if you don't want to learn how to use it, download portable pgp. Couldn't be any easier (although, for a vendor, I wouldn't recommend the program, but for a buyer, it's good enough). At least people would feel some level of security dealing w/ ya.
-
The note self destructs as soon as they have finished reading it and privnote say they don't keep a log of the IPs used to create the notes.
Says who? Oh, Privnote says that, in their privacy policy. Didn't Hushmail, and a million other companies say the same thing?
My opinion is that privnote is a joke and should be considered as giving your address to LE.
There is no way in hell I would use a vendor that doesn't use PGP. If they are that careless I have no time (or bitcoin) for them.
-
PGP is easy...it took me a night to learn it and I'm a digital spastic. :-\
-
Limetless, you cannot possibly be as digitally spasticated as us i mean you offer Money Laundering/Specialist Electronics/Lab Equipment etc... we only provide good old fashioned, high grade intoxicants, no mistaking ....
i tried to download a pgp thing and get my head round it, most of them seemed to be free then tried to charge me, i eventually got summat installed for free and generated a key ( i think) and then was blinded by all this technology and put it on the back burner so to speak...
it is something i will try and get my head around again when i get bk but as i explain in previous post, is not something integrally necessary within the operation of SR... yes i concede we will get more customers when it is active, but it took so much of my time and seemed like it takes longer to encrypt and decrypt every message (i think - i never got that far!)
it takes us long enough to operate on SR + RW which is the main thing for us...
any ideas or advice from anyone is gratefully received /appreciated...
basically i need some one who has got it running successfully to sit down with me and talk me through it (not literally obviously!) hahah
:-[ :-[ :-[ xxx
-
If you can figure out bitcoins, you can figure out PGP.
If you have Windows, get gpg (gpg and pgp are used interchangeably, even though they stand for different things) for Windows at gpg4win.org.
Install it.
Skip the part about installing a certificate.
Follow the prompts for creating your key.
Open up GPA that you just installed (Gnu Privacy Assistant). Click "Export Key." Save this as a text file somewhere like your desktop. This is your public key that you will post for others to use. Others need this to encrypt a message to you. (Copy the entire text content of that file and paste it anywhere you want others to have your key)
When someone sends you a message that is encrypted with your public key (the one from above that you pasted), you open it with GPA.
Click "Clipboard" on GPA.
Copy the entire contents of the encrypted pgp message you received, and paste it into the GPA clipboard.
Click "Decrypt"
Select your key and enter your password.
The message will appear magically as plaintext.
Think of it like this:
A normal mailbox in real life requires a key that you own in order to open it up to get your mail. Only you have the key. Only one key is required to open the box, and the same key locks it.
PGP is like a mailbox with TWO KEY LOCKS, ONE KEY LOCKS IT (public key, unlimited distribution, the whole world can have it), ONE KEY UNLOCKS IT(your key, only you own it. One copy and it's yours). This mailbox, unlike the one you have In Real Life, is always open, for anyone to access. You never lock it. The key that anyone in the world can have, only does one thing, and one thing only: it locks your mailbox.
So, when I get the publicly available key to your mailbox, I write down my message, put it in your mailbox, and use publicly available key to lock the mailbox. The key is now stuck in the mailbox and I can't get it out. It's now sealed up tight. You have to put your key in the other keyslot to open it.
When I read something like that on GPG4WIN's website documentation, it finally clicked how PGP works.
If you're going to be a vendor, it's critical you learn PGP.
Cheers,
Chuck
-
It's not so difficult to use it, it takes only a lil bit of practice
Maybe you can do some tests and check your public key like a user
did some days ago
You'll learn soon ;)
-
If you can figure out bitcoins, you can figure out PGP.
If you have Windows, get gpg (gpg and pgp are used interchangeably, even though they stand for different things) for Windows at gpg4win.org.
Install it.
Skip the part about installing a certificate.
Follow the prompts for creating your key.
Open up GPA that you just installed (Gnu Privacy Assistant). Click "Export Key." Save this as a text file somewhere like your desktop. This is your public key that you will post for others to use. Others need this to encrypt a message to you. (Copy the entire text content of that file and paste it anywhere you want others to have your key)
When someone sends you a message that is encrypted with your public key (the one from above that you pasted), you open it with GPA.
Click "Clipboard" on GPA.
Copy the entire contents of the encrypted pgp message you received, and paste it into the GPA clipboard.
Click "Decrypt"
Select your key and enter your password.
The message will appear magically as plaintext.
Think of it like this:
A normal mailbox in real life requires a key that you own in order to open it up to get your mail. Only you have the key. Only one key is required to open the box, and the same key locks it.
PGP is like a mailbox with TWO KEY LOCKS, ONE KEY LOCKS IT (public key, unlimited distribution, the whole world can have it), ONE KEY UNLOCKS IT(your key, only you own it. One copy and it's yours). This mailbox, unlike the one you have In Real Life, is always open, for anyone to access. You never lock it. The key that anyone in the world can have, only does one thing, and one thing only: it locks your mailbox.
So, when I get the publicly available key to your mailbox, I write down my message, put it in your mailbox, and use publicly available key to lock the mailbox. The key is now stuck in the mailbox and I can't get it out. It's now sealed up tight. You have to put your key in the other keyslot to open it.
When I read something like that on GPG4WIN's website documentation, it finally clicked how PGP works.
If you're going to be a vendor, it's critical you learn PGP.
Cheers,
Chuck
Spot on, only thing I'd say is that make sure you click to install GPA on the installer because it doesn't automatically do it. After that, follow the above and you are right as pie.
-
Here's a great link:
http://p3lr4cdm3pv4plyj.onion/guides/shepj.html
pgp seems important to me.
starrynight
-
Here is the video that helped me:
http://www.youtube.com/watch?v=Wp7PwCV9Tvg&feature=related
But I am naturally understanding of softwares and internet stuff plus I got certified for networking through CompTIA in December of 09
-
thank you Chuck and Limetless for the detailed idiot-proof guide, i will have a go at this as soon as i have worked out any different procedure for a mac (haha yes mac user = c*nt!).?
like i say i did manage to install GPG Keychain access, i have just generated my secret key, not sure what to do with it now..? how do i generate public key? which one do i post on my profile..? (public i am assuming) in your walk through guide the public key is the 1st one generated..?
but when i generated it it said 'generate key pair' - so i am assuming it is a public and private keys, then how do i separate them..??
hang on , after trying to generate each key it asks me to enter passphrase (which i do , obv something different to other passwords - in case anyone is judging my 'sloppy operation' @banjo!!)
it then comes up with error box says:-
'Send keys failed!
Code = 0'
but then the key is listed in the list as a secret key...??
oh dear.. struggling..? :( :( :(
-
When you generated your keypair, you generated a Public and Private key. This keypair is stored in one file, and you generally don't need to mess with that file.
There is an option to export your key. When you export your key, it will only (normally) export your public key. Export the key to a location where you can find it, then open it with a text editor, copy the entire contents of that file, and paste it on your vendor page.
It will look something like this, and will ALWAYS start the same e.g., with "BEGIN PGP PUBLIC KEY BLOCK" in the header, and end the same "end public key blah blah". Don't publish your private key, it will say at the top, "private key" or something like that.
Here's my public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)
-----END PGP PUBLIC KEY BLOCK-----
If someone wants to send me a message, they encrypt it with that key, then I can decrypt it with my private key that only I have.
Cheers,
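
The export step and the two-lock mailbox picture from the posts above, reproduced with the `gpg` command line as an added example (not part of any original post). The identity `recipient@example.test`, the test message and the empty passphrase are constructed for throwaway demo keyrings, and GnuPG 2.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example: constructed identity and message, throwaway keyrings.
# "recip" is the key owner; "sender" holds only the exported public key.

pgp_mailbox_demo() {
  local work recip sender addr='recipient@example.test'
  work=$(mktemp -d) || return 1
  recip="$work/r"; sender="$work/s"
  mkdir -m 700 "$recip" "$sender" || return 1

  # Generate the key pair. The empty passphrase is for this disposable demo
  # key only; a real key is protected with a strong passphrase.
  gpg --homedir "$recip" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key "Demo Recipient <$addr>" \
      default default never 2>/dev/null || return 1

  # A normal export contains the public half only; the private half needs a
  # separate command and carries a different armor header.
  gpg --homedir "$recip" --batch --armor --export "$addr" > "$work/pub.asc"
  gpg --homedir "$recip" --batch --pinentry-mode loopback --passphrase '' \
      --armor --export-secret-keys "$addr" > "$work/sec.asc" 2>/dev/null
  echo "public_header=$(head -n 1 "$work/pub.asc")"
  echo "secret_header=$(head -n 1 "$work/sec.asc")"

  # The sender imports the public key and "locks the mailbox" with it.
  gpg --homedir "$sender" --batch --quiet --import "$work/pub.asc" \
      2>/dev/null || return 1
  # --trust-model always skips the key-ownership check for this demo; in
  # practice, confirm the key's fingerprint with its owner first.
  printf 'constructed test message\n' |
    gpg --homedir "$sender" --batch --quiet --trust-model always --armor \
        --encrypt --recipient "$addr" > "$work/msg.asc" 2>/dev/null || return 1
  echo "message_header=$(head -n 1 "$work/msg.asc")"

  # The sender has no private key, so it cannot reopen its own message.
  if gpg --homedir "$sender" --batch --quiet --decrypt "$work/msg.asc" \
      >/dev/null 2>&1; then
    echo "sender_can_decrypt=yes"
  else
    echo "sender_can_decrypt=no"
  fi

  # Only the recipient's private key unlocks it.
  echo "recipient_plaintext=$(gpg --homedir "$recip" --batch --quiet \
      --pinentry-mode loopback --passphrase '' \
      --decrypt "$work/msg.asc" 2>/dev/null)"

  gpgconf --homedir "$recip" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$sender" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
}
```

Calling `pgp_mailbox_demo` prints one `name=value` line per step; the armor header on the first line of a file is the quick way to tell a public key, a private key and an encrypted message apart before pasting anything anywhere.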
-
i will have a go at this as soon as i have worked out any different procedure for a mac
I'm at work, and don't have a Mac handy, but when I get home I'll install GPG and write up a step by step guide for you
-
I use SR, TrueCrypt, and some other sophisticated security stuff and also think PGP is a ball-ache to use. I have no doubt i could learn to use it but it has always seemed completely redundant on SR to me. To be frank the whole PGP thing is a clumsy, poorly designed and user unfriendly piece of kit. If they have your address from the order form then that is the least of your worries. seeing as how the end result of this security is the address being physically printed in plain English on a piece of paper.
-
thank you Chuck and Limetless for the detailed idiot-proof guide, i will have a go at this as soon as i have worked out any different procedure for a mac (haha yes mac user = c*nt!).?
like i say i did manage to install GPG Keychain access, i have just generated my secret key, not sure what to do with it now..? how do i generate public key? which one do i post on my profile..? (public i am assuming) in your walk through guide the public key is the 1st one generated..?
but when i generated it it said 'generate key pair' - so i am assuming it is a public and private keys, then how do i separate them..??
hang on , after trying to generate each key it asks me to enter passphrase (which i do , obv something different to other passwords - in case anyone is judging my 'sloppy operation' @banjo!!)
it then comes up with error box says:-
'Send keys failed!
Code = 0'
but then the key is listed in the list as a secret key...??
oh dear.. struggling..? :( :( :(
Your best bet is to have a virtual machine installed through parallels. Mac is for the simplest of people so I'm sure you would guess they provide many programs that allow you to do EXACTLY what you want them to do.
My suggestion if you are still struggling is to get a buddy round who knows his way around a computer and get him to install parallels for you. All the stuff you need is readily available on torrents (ubuntu, parallels) etc...
Thanks
Dank
-
if i recall this "bosshogg" vendor doesn't use pgp either. i sure as hell don't trust any vendor that doesn't use it, I spent hours myself trying to figure it out (and posted several threads lol), and i'm just an occasional user. for a vendor to not use pgp, he or she would have to be out of their mind IMO.
-
if i recall this "bosshogg" vendor doesn't use pgp either.
Yes. As stated in his profile, he hates it. That, and the fact that he's constantly joking and took something like 18 pages in his own thread to even mention what products he offers makes me unwilling to touch him with a 10 foot pole.
If a vendor doesn't want to use PGP, that's up to them. But I know I speak for more than myself when I say they're losing business because of it.
-
I don't think you should be able to sell on this site without having a public key
with that said BossHogg1 is a reliable vendor (i have done business with him before)
The problem exists when servers and/or sellers' computers get compromised by LEO
and massive lists of purchase information are gathered
and remember folks.. as soon as LEO has your private key === GAME OVER
-
thank you Chuck and Limetless for the detailed idiot-proof guide, i will have a go at this as soon as i have worked out any different procedure for a mac (haha yes mac user = c*nt!).?
like i say i did manage to install GPG Keychain access, i have just generated my secret key, not sure what to do with it now..? how do i generate public key? which one do i post on my profile..? (public i am assuming) in your walk through guide the public key is the 1st one generated..?
but when i generated it it said 'generate key pair' - so i am assuming it is a public and private keys, then how do i separate them..??
hang on , after trying to generate each key it asks me to enter passphrase (which i do , obv something different to other passwords - in case anyone is judging my 'sloppy operation' @banjo!!)
it then comes up with error box says:-
'Send keys failed!
Code = 0'
but then the key is listed in the list as a secret key...??
oh dear.. struggling..? :( :( :(
dude, if you installed GPG keychain Access and generated a key, just open a blank document in textedit, right click, and at the bottom of the menu there should be an option for "OpenPGP: Insert my key" click that and your public key will appear. copy/paste into your SR profile.
when someone sends you an encrypted message, just copy/paste it into a text edit document, highlight all, right click and choose the option under "services" for "decrypt". type in your password and BAM, you'll see the message.
i think there's a thread on the forums that is a much more detailed tutorial on PGP for mac osx that you should search for.
it ain't rocket science, bro; you CAN do this.
-
8) 8) 8) 8) 8)
thanx to everyone who has written anything useful in my finally getting my head round all this pgp stuff - now i finally have it working 100% (big thanx to Lim for helping me test) now i am out of the dark ages and ready willing and able to deal with PGP encrypted orders...
Sorry about the wait everyone, it's not (just) that i'm lazy, i'm also bloody busy!!!
any test orders of any of our products are more than welcome guys n gals ;-) x
increase the peace y'all...
;) ;) ;) ;)
-
big thanx to Lim for helping me test
No worries mate, glad to have helped. :)
-
::) ::) ::)
would you believe it... not a single order or enquiry PGP based..!!!
i was kinda hoping we'd be flooded by now , hahaahh
i'm wondering is there any way i can let the whole world know we have PGP now..? I think the fact we didn't know how to use it before means we lost a lot of potential customers... :( :( :(
-
::) ::) ::)
would you believe it... not a single order or enquiry PGP based..!!!
i was kinda hoping we'd be flooded by now , hahaahh
i'm wondering is there any way i can let the whole world know we have PGP now..? I think the fact we didn't know how to use it before means we lost a lot of potential customers... :( :( :(
People who want to use PGP will look on your profile page for the public key (hopefully you've posted it there). You could also post it to each product listing page for more visibility. And people who don't want / care to use PGP... well, you can't make them. It's your choice to reject their orders, though - it potentially exposes you since there's buyers' unencrypted addresses floating around. Who knows who can see them?