Silk Road forums
Discussion => Shipping => Topic started by: ChillyP on January 09, 2012, 11:01 pm
-
The other day I came across a program called sendIT, which basically calculates your postage and prints out a USPS label. It could be very handy, especially because it integrates such features as DCN. You don't actually have to buy postage through it either; you can simply add stamps accordingly with the label it spits out. There's even a shipping discount.
*However*, it does connect to USPS to determine shipping costs and whatever else. Perhaps it creates a record of the package. It follows that if LE knew they ordered a package from you, and you used this service, they could potentially go into a USPS database and track down the IP/MAC address that sendIT used to communicate with USPS when it created the label.
At a glance it might seem more trouble/risk than it's worth, but I'm not a computer security expert and was curious if there was some way to mitigate the risks here. If you used an otherwise sterile computer to run sendIT from an encrypted partition, and only did so on, say, random unsecured wireless networks, could this be viable? Or could it be configured to use Tor perhaps? That may send up red flags by itself, but I don't know... anyone know?
It would be really cool if there was a way to make this viable, because you'd never have to go inside a post office.
-
If it's just connecting to the USPS to determine rates, then I doubt that it's creating a record of a package in some USPS database somewhere - particularly if you're not printing postage and transmitting any payment information. You (or someone you know, if this isn't your thing) could sniff your network traffic to potentially see (assuming it's unencrypted) exactly what's being sent to the post office and determine if it's querying some public API or not.
I seem to recall back in the day (like mid-90s) that there was a URL you could go to on the USPS website that had a form on it that you could type an address into and it would give you a properly-formatted address label with barcode that you could then print on an envelope - obviously, the PO would have no way of knowing if I was actually sending a package, just that I did a query for a given address. I suspect that sendIT is doing something similar, and if you were doing everything over an unsecured wireless network or somewhere else that isn't your house, you'd probably be fine. I wouldn't do it over Tor, though, for the same reason that you don't check the status of your DCNs via Tor.