If it smells like a pig and yells like a pig....

It's been a few weeks since I've logged onto here or any markets, but I haven't seen any discussion of this. GlassWerkz private site was inaccessible for me for the last three days and still is. I just checked their Agora page and it says they are getting a new site (unclear if new URL, but I believe so) for their direct sales store. They are also getting a new PGP key and advise not to encrypt with the old key.

So yeah, changing URLs and changing PGP keys are both red flags. Obviously if they can no longer decrypt messages to the old key, they have been compromised, period. People don't "lose their password" in these circumstances. Changing URLs at the same time they change the key is not comforting either.

So I would love to hear a good explanation for all this, but changing PGP keys is a giant red flag in my book.


Comments


[6 Points] xxdnmthrowaway420xx:

If you read carefully they signed a message with their old key saying they were moving to a new 4096-bit key. I verified it was signed with their old private key, so they didn't lose access to it, they intentionally moved to a new key.

I was a bit concerned too as I was looking to order just before they posted the new key, so since the direct site was down I ordered on Agora, encrypting with their old key (this was on Monday 8/3). Order showed up like clockwork on 8/6 with no issues. Quality was better than the last batch I got from them, and it weighed a good bit heavy too.

I've seen a good number of other vendors change PGP keys in the past (usually to a higher-bit key like GW did) and it really is only cause for concern if they are unable to produce a message signed by the old key. As for the direct site I'm not sure what is going on, but securing a hidden service is non-trivial, so I'm not surprised it's taking a while.

One other possibility would be the old direct site was hacked, so while GW still has access to the old PGP keys they may have been compromised. That's a bit of a disconcerting thought, though if they were properly disposing of order info it shouldn't be an issue. Still enough to make me a bit uncomfortable though...


[2 Points] None:

Wow that's good info man thanks! Soo overpriced IMO but it had caught my fancy in the past!


[2 Points] cipherfestival:

Have they posted the new key in a message signed with the old key? That's the responsible way to change to a new key, proving at least that whoever is under the account still controls the old key.

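The check xxdnmthrowaway420xx and cipherfestival describe (a transition statement signed by the old key), as an added example that is not from the thread: a POSIX shell script that builds two throw-away keys, signs an announcement with the old one, and accepts it only when the signature comes from the old key and the new fingerprint sits inside the signed body. The function names and the example.invalid user IDs are constructed for this example; it assumes gpg 2.1 or later is on PATH.

```shell
#!/bin/sh
# Verify a PGP key-transition statement: the text announcing the new key must
# carry a good signature from the OLD key, and the new key's fingerprint must
# appear inside the signed body. Names here are this example's own; needs gpg.
set -eu

# fpr_of <user-id>: primary-key fingerprint from the current GNUPGHOME keyring.
fpr_of() {
  gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_transition <old-fpr> <new-fpr> <clearsigned-statement>
# Returns 0 only if (a) gpg reports VALIDSIG whose primary fingerprint is
# OLD-FPR and (b) NEW-FPR occurs in the verified body, not merely somewhere in
# the file (text outside the signature is not covered by it).
verify_transition() {
  old_fpr=$1 new_fpr=$2 statement=$3
  signer=$(gpg --batch --status-fd 1 --verify "$statement" 2>/dev/null |
             awk '/^\[GNUPG:\] VALIDSIG/ { print $NF }') || true
  [ "$signer" = "$old_fpr" ] || return 1
  gpg --batch --decrypt "$statement" 2>/dev/null | grep -q "$new_fpr"
}

# run_demo: throw-away keyring with a constructed "old" and "new" key; signs a
# genuine statement with the old key and a forged one with only the new key,
# then expects accept / reject. Returns 0 when both verdicts are as expected.
run_demo() {
  dir=$(mktemp -d); chmod 700 "$dir"; export GNUPGHOME="$dir"
  for n in old new; do
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$n key <$n@example.invalid>" default default never \
        >/dev/null 2>&1
  done
  old=$(fpr_of old@example.invalid); new=$(fpr_of new@example.invalid)
  printf 'Key transition: my new key has fingerprint %s\n' "$new" > "$dir/msg.txt"
  # Genuine announcement: clearsigned by the old key.
  gpg --batch --pinentry-mode loopback --passphrase '' --local-user "$old" \
      --clearsign --output "$dir/genuine.asc" "$dir/msg.txt" 2>/dev/null
  # Forgery: identical text, but signed only with the new key, which is all
  # someone who never held the old key could produce.
  gpg --batch --pinentry-mode loopback --passphrase '' --local-user "$new" \
      --clearsign --output "$dir/forged.asc" "$dir/msg.txt" 2>/dev/null
  verify_transition "$old" "$new" "$dir/genuine.asc" && rc=0 || rc=1
  verify_transition "$old" "$new" "$dir/forged.asc" && rc=1
  gpgconf --kill all 2>/dev/null || true; rm -rf "$dir"; unset GNUPGHOME
  return "$rc"
}
```

In real use, OLD-FPR and NEW-FPR come from `gpg --fingerprint` on keys you already hold and just imported, and the statement is the vendor's clearsigned announcement.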

[2 Points] None:

[deleted]