Silk Road forums
Discussion => Security => Topic started by: homersimpson on July 01, 2012, 04:32 pm
-
Occasionally I find a good deal on SR but the vendor has stated that they are having problems with their public keys.
Is this a dangerous thing to do?
I've done it twice before
Thanks
-
Well that would depend on the type of product being sold. If tormail or the Silk Road messaging system is used, then communication stays within the TOR network and is already encrypted pretty securely. So security wise, I would consider that acceptable.
However, GPG is a nice extra layer of security. It also helps in making sure that you're dealing with the same seller in every message (which is useful if you were to change the channel of communication). When a seller doesn't know how to use this relatively simple piece of software, it does not make him look very professional. I'd be a bit more wary, but especially for low cost/low risk types of product, it would not be a show stopper for me.
-
No.
-
If a vendor cannot get GPG correct, MOVE ON QUICKLY!!!!
PK
-
I think it's important for both vendors and buyers alike to get into the habit of using encryption. As you said, it provides a very valuable extra layer of protection.
Guru
I agree with Guru here. You should remember that with e-mail the message is stored in plain text on the e-mail server and anyone with admin access to the box can read the e-mail. I am not saying anyone is or does, only that they can. The same is true for messages sent through SR or the SR forums. The SR forums store the message in a database and the message is clear text inside that database. By encrypting your message, you can be assured that only the intended recipient will be able to decode it. It is a layer of protection that, if given the choice, I would use every time!
-
you must first walk before you can run, and you must first crawl before you can walk. if a seller is selling before they have spent the 15 minutes getting pgp up and running, i cannot help but wonder what other shortcuts they have taken. it is easy to become lulled into a sense of complacency on sr just as it is in life, and if you wait until things are going sideways to put in the effort it is too late. run away, homer, run away
-
As a thought experiment, consider having surgery done by someone who comes in and asks you if you don't mind if they skip scrubbing in and gloving up today because the sink pedal is jamming or the gloves are the wrong size and they are super late already.
Those things are a little tricky and take a small amount of extra time, but they are done for good reason and mutual protection.
It might work out OK. I mean, it's a hospital, it's *pretty* clean... right?
Surely it'll be fine. Except when it's not and it goes really badly.
In other words, no, I don't/wouldn't.
-
Thanks for all your answers and yeah I agree 100% now you've all put it into perspective.
Considering I've done it twice is there anything I can do to prevent those 2 times from creeping back up on me?
Should I use a new account for SR? Or just use a key from now on and hope those 2 times don't creep up on me?
Thanks! :)
-
If you kept all communication in the TOR network, and you did not get busted for those two orders, then I don't foresee any trouble.
If you are still uncomfortable with the situation, you could consider making a new SR account (it's free ;) ). That will cause you to lose your buyer stats.
Of course you should always take the regular precautions: accessing the deep web from an encrypted USB drive or virtual machine.
-
what about https://privnote.com?? would you guys trust this service?
their privacy policy seems solid. https://privnote.com/privacy/
let me know what you think.
-
Didn't know the service, but I read their website.
Short answer: I would definitely not use it for any Silk Road related activities.
From what I understand, this is how it functions: You write a private message on that website, and you get a secret URL. You give that URL to a person, and then he can read the message one time, and then the message self destructs.
This is why I would not use it:
1. The privacy offered is only as trustworthy as the owner of the site. They say they can't and won't read messages, but we can't be sure. I figure it's not too hard to program it in such a way that they can read all messages entered. (With GnuPG, this is not the case. There you encrypt the data yourself, and only the owner of the right private key can decrypt it. Without the right key, it is impossible, purely because of the mathematics of encryption)
2. You still need to get the secret URL to the other person. That URL is the key to the message; if it gets intercepted, the message is no longer secret. So how are you going to get that URL to the other person? Sending the URL through email is just as secure as directly emailing the secret info. Faxing the URL is just as secure as directly faxing the secret data. Regardless of the method used, you might just as well deliver the secret message directly.
It's a niche product. GPG is better in many cases, but a situation might arise in which this has some kind of advantage.
-
One further comment I'd like to make after reading Guru's (excellent) post.
There are many situations in which one would want privacy.
- Corporate secrets
- A journalist who wants to keep a great scoop secret until it's published
- A professor who wants to keep the questions on an exam secret
- etc.
These are all situations in which no law-breaking is involved, and you don't have to fear court orders. Services like privnote can be used for such things.
However, distributing drugs through the internet is a whole different story. Here, their promises are no longer acceptable. Don't use their service. Either just send the plain text inside of the tor network, or (even better) send the GnuPG encrypted text inside the TOR network.
-
Not just no, but "hell fucking no"
-
Ok it is settled then. NO PRIVNOTE! GPG it is.