Silk Road forums
Discussion => Security => Topic started by: hopdub on July 25, 2013, 05:28 pm
-
I don't use privnote, but I know a lot of people do. If LE ever subpoenaed them for their data, they would be able to flag quite a bit of addresses. I don't really think they would or even could without solid cause. I realize many people use it for other things and business addresses and whatnot, but still... kinda makes you wonder.
Learn PGP people. There is no reason to give your address to a third party. You might as well just send it through SR.
-
I was about to start a new thread on the same subject, here's the post I wrote:
At the moment privnote.com seems to be down, and buyers are likely to turn to other sites offering the same service.
If one of those "new" services turns out to be a LE honeypot, any vendor that visits the honeypot to retrieve a delivery address without using Tor (or similar) would be trivial for LE to track down.
I'm sure others have pointed out the risks associated with using privnote.com, but now that buyers might start using a multitude of unfamiliar but similar sites I think the opportunity for LE to launch a dragnet honeypot attack is big enough to start a separate thread.
Vendors: Do you accept these services as a valid way for buyers to give their addresses? Are you sure you are following best practice when opening those links?
-
I am glad it is down.
PGP is easy to learn, but using privnote instead makes things worse, not better. Please just send as plain text if you cannot figure out PGP. The only thing that privnote accomplishes is sharing the information with privnote.
If you use PGP then only the vendor can read it.
If you send plain text then only Silk Road and the vendor can read it.
If you send by privnote then privnote, Silk Road and the vendor can read it.
Privnote saves information and surrenders it to law enforcement on request.
-
I have never seen privnote down so that would worry me a little bit if you ever have used privnote before...maybe they could get a subpoena and sift through all the "destroyed" notes and random addresses. Even if the code is written to destroy the notes, the data must be saved somewhere or is at least retrievable by someone with technical skills.
-
I am in agreement with you all. I think that if a vendor really cares for the privacy of their buyers then they would make it a requirement to order from them. PGP is damn good privacy. I read somewhere that it took a government operative all of 6 months to hack into one PGP encrypted message.
-
I am in agreement with you all. I think that if a vendor really cares for the privacy of their buyers then they would make it a requirement to order from them. PGP is damn good privacy. I read somewhere that it took a government operative all of 6 months to hack into one PGP encrypted message.
As far as I know nobody has ever demonstrated the cracking of a strong PGP message. Not in 6 months, not ever.
-
Use http://sms4tor3vcr2geip.onion instead.
Modzi
-
Use http://sms4tor3vcr2geip.onion instead.
Modzi
Well, it's OK in that it doesn't require javascript, and it is a hidden service so it would be much harder to track down its servers. But still, it's the same as privnote otherwise. Why trust all these services instead of doing it yourself (i.e., pgp)?
-
Use http://sms4tor3vcr2geip.onion instead.
Modzi
Well, it's OK in that it doesn't require javascript, and it is a hidden service so it would be much harder to track down its servers. But still, it's the same as privnote otherwise. Why trust all these services instead of doing it yourself (i.e., pgp)?
No. That is not a good thing that it doesn't require javascript. The javascript on Privnote encrypts the contents *before* (client-side) sending them off to the server. This means that if there is no javascript for encrypting client-side, you are sending plaintext to the third party and *hoping* that they encrypt it for you and throw away the key.
Just use PGP.
-
PRIVNOTE IS NOT DOWN....
Here is a link
https://certified.privnote.com/
-
Why did the link change? I thought you could access it using just privnote.com in the past? Weird.
-
Why anyone would use that service in the first place is beyond me. If you are a vendor and endorse it I'm not saying you should be busted but when you do I'll make no shame in *Nelson Muntz voice, shouting HAHA
Only reason I can imagine to use is to give customers a false sense of security in buying from me and that's just scummy
-
Why anyone would use that service in the first place is beyond me. If you are a vendor and endorse it I'm not saying you should be busted but when you do I'll make no shame in *Nelson Muntz voice, shouting HAHA
Only reason I can imagine to use is to give customers a false sense of security in buying from me and that's just scummy
This post just shows how you understand VERY LITTLE.
-
Why did the link change? I thought you could access it using just privnote.com in the past? Weird.
I don't think it's the same site. At the bottom of certified.privnote.com it says "Certified Privnote is an EuroPriSe certified version of Privnote" with a link to privnote.com (sans the certified).
-
No ...
I don't think it's the same site. At the bottom of certified.privnote.com it says "Certified Privnote is an EuroPriSe certified version of Privnote" with a link to privnote.com (sans the certified).
It is the SAME site. And for people that do not understand Privnote...read here before you post any more paranoid opinions and not facts.
For completeness, this is what happens when you view a note in Privnote:
1. The server extracts the NoteID from the URL
2. The server hashes the NoteID and gets the HashedNoteID. This is the same HashedNoteID used when generating the note, since the NoteID used to make the hash is the same in both cases
3. The server retrieves the note from the database using HashedNoteID as the database primary key and decrypts its contents using NoteID as the encryption key
4. The server shows the page with the decrypted note
5. The server permanently deletes the note from the database, keeping only a record of the HashedNoteID, the time when it was read, and the IP address where it was read from, to show it when someone tries to see the note again
If someone with access to the database would like to read the note she would be unable because she doesn't have the key to decrypt it (NoteID), only the database primary key (HashedNoteID). The HashedNoteID cannot be used to "go back" to the NoteID because hashes are "one-way". So the only person who can actually decrypt (and thus see) the note is the one who has the original NoteID or, in other words, the one who has the link to the note.
These are facts people.
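The note lifecycle quoted in the post above, modelled as an added example (not part of the original thread and not Privnote's code). Assumptions: SHA-256 stands in for the unspecified hash, an HMAC-SHA256 keystream stands in for the unspecified cipher, two in-memory dicts stand in for the database, and all function names are hypothetical.

```python
import hashlib, hmac, secrets, time

notes = {}     # HashedNoteID -> ciphertext (the "database")
receipts = {}  # HashedNoteID -> (read_time, reader_ip), kept after deletion

def hash_id(note_id: str) -> str:
    # Assumption: SHA-256 stands in for the unspecified one-way hash.
    return hashlib.sha256(note_id.encode()).hexdigest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 over a block offset), not the service's
    # real algorithm. Each key encrypts exactly one note, so no nonce here.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def create_note(plaintext: bytes) -> str:
    note_id = secrets.token_urlsafe(16)   # exists only in the link afterwards
    notes[hash_id(note_id)] = keystream_xor(note_id.encode(), plaintext)
    return note_id

def view_note(note_id: str, reader_ip: str):
    hashed = hash_id(note_id)             # steps 1-2: NoteID -> HashedNoteID
    if hashed in receipts:                # already read: only the receipt is left
        return None, receipts[hashed]
    ciphertext = notes.pop(hashed, None)  # fetch by primary key, then delete
    if ciphertext is None:
        return None, None                 # unknown NoteID
    receipts[hashed] = (time.time(), reader_ip)
    # While handling this request the server process holds both the NoteID
    # and the decrypted text; only the stored rows lack the key.
    return keystream_xor(note_id.encode(), ciphertext), receipts[hashed]

def db_only_view(hashed: str) -> bytes:
    # Someone with database access only has HashedNoteID to try as a key.
    return keystream_xor(hashed.encode(), notes[hashed])

if __name__ == "__main__":
    nid = create_note(b"constructed sample note")  # constructed sample input
    print("rows at rest:", notes)
    print("db-only attempt:", db_only_view(hash_id(nid)))
    print("first view:", view_note(nid, "192.0.2.10"))
    print("second view:", view_note(nid, "192.0.2.11"))
```

The stored rows never contain the NoteID, but the request handler does see it along with the plaintext, which is the server-side versus client-side encryption distinction raised earlier in the thread.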
-
No ...
I don't think it's the same site. At the bottom of certified.privnote.com it says "Certified Privnote is an EuroPriSe certified version of Privnote" with a link to privnote.com (sans the certified).
It is the SAME site. And for people that do not understand Privnote...read here before you post any more paranoid opinions and not facts.
They are not hosted on the same IP address, one is down but the other is online, and it even says on certified.privnote.com that it's a different ("certified") version of the regular privnote. They are two different sites. I'm guessing they are both run by the same entity though.
-
I never said they are on the same IP address. When I used the word "site" I meant same company, same thing.
-
I never said they are on the same IP address. When I used the word "site" I meant same company, same thing.
Sorry, I meant different sites as in different servers (or virtual hosts or whatever) with different backends to store the notes.
-
I just placed an order without using PGP or privnote, because the vendor's PGP key isn't working so he said use privnote or send address clearly over. Well privnote is down so I just sent it clearly over. I'm not really worried though cuz it's a domestic order and SR has their own version of privnote built in, so no need to worry too much.
-
I just placed an order without using PGP or privnote, because the vendor's PGP key isn't working so he said use privnote or send address clearly over. Well privnote is down so I just sent it clearly over. I'm not really worried though cuz it's a domestic order and SR has their own version of privnote built in, so no need to worry too much.
PGP doesn't simply not work???
Who is this POS vendor as they are clearly lying, take my advice dude and never use privnote in the first place. If you ever have to go to resolution you are screwed since all communication on your side is non-extant.
-
PGP doesn't simply not work???
Who is this POS vendor as they are clearly lying, take my advice dude and never use privnote in the first place. If you ever have to go to resolution you are screwed since all communication on your side is non-extant.
Once again...bad information!!!
This guy...along with 99% of other buyers...ONLY use privnote for their address at checkout. That is never needed for anything to do with resolution.
Plus if you just use a top vendor and are domestic...you will never need resolution...I have never had anything go to resolution in 1.5 years.