[OPSEC/Computer] Vendor Pilzhof uses Android

The German shrooms vendor Pilzhof on Nucleus uses Android. You can see that on this PGP key, which was created by APG v1.1.1 - an Android app.

I have asked him about this, and he claims that he uses dedicated hardware and an anon SIM card. Obviously, that doesn't convince me. I would not buy from this vendor - even though he (apparently) has a good product and sweet prices.

Thoughts?


Comments


[4 Points] Vendor_BBMC:

Android is basically a flavor of linux, and open-source. It isn't inherently unsafe like Apple hardware.

Most vendors have a few Android phones. However, it's unusual to use it to access onion sites. I don't think there is an up-to-date version of Orbot.

I certainly hope he's using an Android that he never makes calls from. Android phones are for bitcoin wallets, and encrypted messengers. The US and UK governments have managed to suppress modern consumer encryption on PCs, which is why some people are still using 25-year-old Pretty Good Protection.

Obviously, Apple is in the US government's pocket in return for paying less tax than I do, but android phones with P2P encryption slipped through the net, and are well-rated by privacy groups.

If your vendor is using TOR and PGP on a tiny hideable linux device with its own untraceable 3G internet connection, it shouldn't compromise YOUR safety. If you're a Panicky Prudence, he probably won't miss your business anyhow. Let a better customer get that last bag of good drugs, ordered while the vendor is in the post office.


[4 Points] sapiophile:

This is stupid. Sure, having it on an "anonymous" Android phone is better than a phone in their name, but that's only a part of the problem with using an inherently insecure platform like Android for "secure" communications. The much bigger one is that a system like Android is entirely susceptible to covert malware (as inserted on the authority of an LE warrant, using the secret baseband chip drivers that every smartphone has) or just already-existing backdoors (in those same secret parts of the code). Sure, it's nice that LE won't know whose phone it is, but they'll sure be grateful for the unencrypted copies of your shipping info, etc. that they can easily read off of the pwned device.

Fuck this vendor, and fuck them hard.


[2 Points] Deafcunt:

Only a matter of time before he's compromised, I would stay away.


[2 Points] diOpAnonMu:

The vendor might be thorough and doing this: https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy Which looks safe. The vendor might also just be using the cheapest phone at his local store from his bedroom. He's got one thing going for him, it's a pain to use APG to store things IME so he's probably not going to be able to turn on you if he gets busted.


[1 Points] PaPaDooDoo:

Use no-emit-version to block the version number in your gpg key
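
Added example, not part of the thread: the original post identifies the software from the "Version:" armor header of the key, and the comment above names GnuPG's `no-emit-version` option to suppress it. The sketch below audits an ASCII-armored block you are about to publish for such free-text headers and returns a copy without them; the function name `audit_armor` and the sample block are constructed for illustration.

```python
import re

# Constructed sample: the body is filler text, not a real key.
SAMPLE = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: APG v1.1.1
Comment: constructed sample

bm90IGEgcmVhbCBrZXk=
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
"""

# Free-text armor headers that identify the producing software.
# Headers such as "Hash" (cleartext signatures) carry meaning and are kept.
LEAKY = {"version", "comment"}
BEGIN = re.compile(r"^-----BEGIN PGP [A-Z ]+-----$")


def audit_armor(text):
    """Return (findings, cleaned): leaked (header, value) pairs and the
    armored text with those header lines removed.

    Armor headers sit outside the base64 data that the CRC line covers,
    so dropping them does not change the key or signature itself.
    """
    findings, out = [], []
    in_headers = False
    for line in text.splitlines():
        stripped = line.strip()
        if BEGIN.match(stripped):
            in_headers = True            # headers follow each BEGIN line
        elif in_headers:
            key, sep, value = line.partition(": ")
            if stripped == "" or not sep:
                in_headers = False       # blank line (or data) ends the headers
            elif key.strip().lower() in LEAKY:
                findings.append((key.strip(), value.strip()))
                continue                 # drop the identifying header line
        out.append(line)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    leaks, cleaned = audit_armor(SAMPLE)
    for name, value in leaks:
        print(f"armor header reveals: {name} = {value}")
    print(cleaned, end="")
```
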


[1 Points] we1kmhv:

Nothing inherently bad about Android. AOSP, APG, Orbot is pretty much everything that a vendor needs and all of this is open source. Personally I think it'd be a pain in the ass to use, but let him worry about that.