OPSEC: Vendors, please take encryption seriously. Sincerely, DNM user

https://www.reddit.com/r/DarkNetMarkets/comments/4gqk3o/warning_alphabay_bug_just_allowed_all_message/

With Alphabay's recent leak of messages I just want to remind vendors that they need to take their customers' privacy seriously and not send tracking unencrypted...that entirely defeats the purpose of me encrypting my address.

Am I the only one who's had tracking sent unencrypted? I doubt it.

Comments

[3 Points] 2cbking:

This goes both ways too. Not just vendors. In fact, from my experience, it's usually the customer that controls the level of security (encryption/no encryption) of a conversation, since the only sensitive information usually being communicated is the customer's. Many people still send stuff in the clear when they shouldn't, but you can't really stop them from doing that after the fact. All you can do is remind them to use PGP encryption when sending over sensitive information.

Or they encrypt the message to you, but never give you a key to encrypt the response. As I said, rarely are the questions being asked or the responses sensitive in nature; it's usually public information all over the markets, reddits, forums, etc. But a tracking number is something the vendor might send that is sensitive (again, for the customer's privacy) and should be encrypted. So it's important for customers to always remember to send your key to the vendor when you send him a message (and preferably with each new email, so they don't have to rummage through previous communications to find your public key to send a response, since many of us use things like Tails and don't have a keyring where we keep all sorts of public keys for our customers, because everything gets wiped every shutdown. And sometimes the customer's key is inside the encrypted message, so a vendor has to go through past emails, decrypting the messages looking for the key on the inside, which is inconvenient. Make it part of your signature or something; just always send it if you want a response to be encrypted with it).

edit: I realized that the above really mostly applies to emails sent between a vendor and a customer. Some of it still applies to communications sent using the private messaging feature of a market. The customer's PGP key should be easier to find as part of his profile. Personally I think it still saves time to include your public key with the encrypted message (with, not inside of) so it's right there to use.


[1 Points] InTheDitch:

https://pay.reddit.com/r/DarkNetMarkets/comments/4guz8t/nightowlclinic_compromised_dream/

One of the commenters on this post did and the poor guy got a love letter too. Don't know if they were related but I wouldn't doubt it.