Silk Road forums

Discussion => Security => Topic started by: QuickSilverHawk on October 04, 2013, 06:34 am

Title: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: QuickSilverHawk on October 04, 2013, 06:34 am
I just realized this happened for an order I made last week (on a buyer account).

A vendor - who I won't name [yet] - PM'd me, saying he had problems decrypting my address.
Requested I send him my address via encrypted message or privnote.com link.
So... I somewhat cranky at the time, but I begrudgingly sent him a PGP Message I pasted onto privnote.com.
Sent the URL over PM. He responded with a little amusement but again said he couldn't decrypt.

This is where things got fishy, at least in hindsight. He said privnote.com is safe "enough", or the like.
So I sent another PM with a privnote.com URL wherein my address had been typed out in plaintext.
Now I normally wouldn't do this but I was worried he'd lose stock if I went through a cancellation/reordering.

Did I potentially compromise some personal information?
Am I being overly paranoid, or is there any chance this vendor behaved suspiciously intentionally?

---

Better question - did this happen to anyone else last week, or a few days ago?
If so, maybe this is something important to discuss.
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: klemmo on October 04, 2013, 06:53 am
Another privnote user? You are not alone:

http://dkn255hz262ypmii.onion/index.php?topic=217164.msg1586172#msg1586172
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: QuickSilverHawk on October 04, 2013, 07:00 am
I don't think I recall any mention of a smashed/backup computer or laptop, but the message sounds eerily similar otherwise.
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: BuprenorFiend on October 05, 2013, 07:37 am
I actually encountered a similar problem (similar to the vendor's problem). The PGP key that I had on my BMR profile was one that k had uploaded over a year ago and no longer had the ability to access. I didn't even realize that the old PGP key was still on my profile until i got two orders with addresses encrypted with it. Initially, I had to ask the buyers who had used that public key to encrypt their addresses to me via PrivNote (I like to get orders processed same-day whenever possible). Luckily, I was able to establish a new key before either buyer had received my original request for privnote encryption, so I had them use that to encrypt instead.

My point:
I wouldn't be suspicious of the vendor. I'm sure that at least a handful of other oldschool BMR vendors encountered the same issue. The only thing I would be concerned about, if I were in your shoes, would be the possibility of LE's increased level of scrutiny on PrivNotes. For example, it crossed my mind that LE may have anticipated a scenario such as this one, and may therefore have been monitoring PrivNote traffic with a heightened sense of alertness. However, it's vendors and higher-ups that LE are more concerned with, so I doubt they'd be foolish enough to think that any "important" busts could come to fruition by harassing small-time buyers.
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: RXMAN on October 05, 2013, 07:46 am
As a vendor, I have had some problems decrypting peoples messages myself, i think it was because they kept confusing me with rxking, and encrypting using his code. When this would happen, I would just request them re-encrypt it or send me a privnote, i dont think it has anything to do with the feds, and from the looks of it privnote might of been more secure because they would of destroyed it where as silkroad keeps the encrypted message, which the nsa is proving to be more then capable of cracking.
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: Nightcrawler on October 05, 2013, 05:44 pm
As a vendor, I have had some problems decrypting peoples messages myself, i think it was because they kept confusing me with rxking, and encrypting using his code. When this would happen, I would just request them re-encrypt it or send me a privnote, i dont think it has anything to do with the feds, and from the looks of it privnote might of been more secure because they would of destroyed it where as silkroad keeps the encrypted message, which the nsa is proving to be more then capable of cracking.

RxKing is one of the biggest critics of PGP use here on Silk Road. In fact he steadfastly refuses to use it, and tells people who want to use PGP to go elsewhere -- he doesn't have a PGP key.

You are placing too much faith in Privnote's alleged destruction of messages, and too little faith in PGP's ability to protect message traffic. Respected cryptographers like Bruce Schneier have stated that the mathematics behind the encryption algorithms used in software like PGP is valid. Edward Snowden, the NSA leaker, has used PGP to correspond with journalists -- that's a pretty good vote of confidence in it, I'd say.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0




Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: QuickSilverHawk on October 06, 2013, 04:25 am
I've always been highly skeptical of privnote.com, somewhat inexplicably.

As a vendor, if I was unable to decrypt someone's address, I would cancel the order, message the customer stating why (PGP error), and would ask they try resubmitting their order.
I felt more comfortable that way - though, there was one time a customer expressed mild displeasure at this practice and asked for me to message/notify him first as he preferred to resend his address via privnote.com. That was just the one customer, and I respected his preference in that regard from that point on.

But otherwise, yeah... something about privnote.com has always made me feel uncomfortable. Hence why I'd go through (make the buyer go through) the cancellation/reordering "hassle".
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: Dalmata on October 06, 2013, 05:17 am
I've always been highly skeptical of privnote.com, somewhat inexplicably.
*****
But otherwise, yeah... something about privnote.com has always made me feel uncomfortable. Hence why I'd go through (make the buyer go through) the cancellation/reordering "hassle".
This thread might explain why you felt uncomfortable and skeptical re: privnote.

http://dkn255hz262ypmii.onion/index.php?topic=24799.0
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: Tessellated on October 06, 2013, 06:15 am
Since multiple people are reporting similar messages I would assume you gave your address to the cops. Clean house, wipe the hard drive you connect to SR with.
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: QuickSilverHawk on October 06, 2013, 09:08 pm
Swell. I was planning to smash my HD, get a new computer anyway.

If it helps any, the vendor's name was QualityPharmDelivery.
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: JohnTheBaptist on October 06, 2013, 11:24 pm
Swell. I was planning to smash my HD, get a new computer anyway.

If it helps any, the vendor's name was QualityPharmDelivery.
Don't worry about it, good things happen to good people, and your certainly a good person.
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: Tessellated on October 07, 2013, 05:54 pm
Don't worry about it, good things happen to good people, and your certainly a good person.

Bad things happen to good people. Didn't John The Baptist get his head cut off because some crazy bitch demanded it?
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: klemmo on October 07, 2013, 07:50 pm
Don't worry about it, good things happen to good people, and your certainly a good person.

Bad things happen to good people. Didn't John The Baptist get his head cut off because some crazy bitch demanded it?

+1

My last karma point?
Title: Re: Vendor claimed PGP error, asked for address to be sent via privnote.com?
Post by: flyspray on October 09, 2013, 01:20 pm
Im not a computer wiz so have to be able to know what to rely on and what should be ignored. I heard from several different sources with varying credibility that privnote was not really safe and it shouldnt be used. Like pgp is meant to be much safer. This is obviously just a general thing and says nothing about the particular vendor, their reliability should be judged separately to privnotes.

My two cents worth.