Silk Road forums
Discussion => Security => Topic started by: darryl45 on August 19, 2013, 12:40 am
-
Is this safe? You have to have Java enabled to use it. What if LE sent you a message? When you open it, are you open to tracking with Java enabled? Then your IP can be exposed?
-
Is this safe? You have to have Java enabled to use it. What if LE sent you a message? When you open it, are you open to tracking with Java enabled? Then your IP can be exposed?
It is totally possible.
Your best bet is to ditch Privnote completely and switch to straight PGP when communicating sensitive information between individuals.
-
Privnote is great.
Here's what you do:
1. Write message
2. Encrypt with PGP
3. Paste said PGP message in privnote
4. Create note
5. Paste privnote link and encrypt with PGP
Rinse and repeat a few times for maximum security!!
-
My thoughts were not about Privnote itself but about a spoof message, like they do with PayPal; then your IP could be exposed. Do you use it in Tor? Because it has to have Java, I have used it in IE.
Just a thought.
-
Privnote is great.
Here's what you do:
1. Write message
2. Encrypt with PGP
3. Paste said PGP message in privnote
4. Create note
5. Paste privnote link and encrypt with PGP
Rinse and repeat a few times for maximum security!!
Why use Privnote if you already took the time to figure out PGP? And encrypting your PGP message over and over again might help cover up some paranoia. The receiver should then decrypt a couple of times, but it's worth it, right?
-
Privnote is great.
Here's what you do:
1. Write message
2. Encrypt with PGP
3. Paste said PGP message in privnote
4. Create note
5. Paste privnote link and encrypt with PGP
Rinse and repeat a few times for maximum security!!
Why use Privnote if you already took the time to figure out PGP? And encrypting your PGP message over and over again might help cover up some paranoia. The receiver should then decrypt a couple of times, but it's worth it, right?
:D friend it was a joke.
My point is PGP always. Take no other.
-
I don't use privnote. Even if you encrypt your messages with PGP, why send your PGP message through a clearnet server owned by some random person or company? It's not 'impossible' to break PGP, it just requires a good deal of time and computational power. In fact, I encrypt several bullshit messages for every legitimate message I write just to make it THAT much harder and more of a pain in the ass for whoever would be attempting to crack the encryption (NSA, FBI, DEA, etc.) if SR servers were ever shut down.
I do not discuss business via 3rd party mediums, and I encrypt my encrypted messages. Highest/latest encryption software available - NOT PGP DESKTOP (it blows hard).
Stay Safe.
-
I'm pretty sure PGP IS impossible to crack. It has been suggested that 1024 bit keys are vulnerable to cracking by an adversary with a lot of computing power, but it's not a trivial task.
Add another bit and you double the number of possibilities, so a 1025 bit key will be twice as hard to crack. So a 2048 bit key will be 2^1024 times as hard to crack, which is a fucking huge number: 2x2x2x2x...(1024 times)......2x2.
So it is not expected that 2048 bit keys will be cracked any time soon, unless you believe that government agencies have computers 2^1024 times more powerful than those available to us.
Most people here use 4096 bit keys which some might argue is overkill, but why not.
-
Nothing is impossible to crack. It just has not been known to be done YET.
Privnote is *NOT* safe because at any time the government can seize it and make a honeypot and you would not know. If you use Privnote you put your security trust into a 3rd person's hands. This is not smart. :o
Use GPG. Take 30 seconds more and keep yourself 30 years more free!
-
I'm pretty sure PGP IS impossible to crack. It has been suggested that 1024 bit keys are vulnerable to cracking by an adversary with a lot of computing power, but it's not a trivial task.
Add another bit and you double the number of possibilities, so a 1025 bit key will be twice as hard to crack. So a 2048 bit key will be 2^1024 times as hard to crack, which is a fucking huge number: 2x2x2x2x...(1024 times)......2x2.
So it is not expected that 2048 bit keys will be cracked any time soon, unless you believe that government agencies have computers 2^1024 times more powerful than those available to us.
Most people here use 4096 bit keys which some might argue is overkill, but why not.
There are computers working on cracking PGP. And as members have said here many times before:
1024 bit keys will be crackable within the year and 4096 in about 20 years.
It is of course crackable, but takes a certain amount of time.
Using a 4096-bit key is ineffable.
There are I believe 3 or 4 vendors who use 8000-plus-bit keys.
-
I love PGP and think more people should use it more of the time.
But, if you were at the point where classical computers were devoting an entire gigabit to an encryption key (which is pretty ridiculous) then there's no reason the quantum computers wouldn't themselves have register sizes of one gigaqubit, in which case the quantum computer will make as short work of your gigabit encryption key as it would have your 4096-bit key.
And don't think it's impossible: http://esciencenews.com/articles/2013/06/28/large.scale.quantum.chip.validated
However, the more people use PGP the harder it will be for systems like ECHELON to organize/filter/categorize the content that they filter. Many people think ECHELON simply targets 'keywords'. However, based on patents filed by various government agencies you can assume it is *much* more sophisticated than that, for instance rudimentary 'language recognition' patents as well as 'topic classification' patents.
Under construction by contractors with top-secret clearances, the blandly named Utah Data Center is being built for the National Security Agency. A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital “pocket litter.” It is, in some measure, the realization of the “total information awareness” program created during the first term of the Bush administration—an effort that was killed by Congress in 2003 after it caused an outcry over its potential for invading Americans’ privacy.
But “this is more than just a data center,” says one senior intelligence official who until recently was involved with the program. The mammoth Bluffdale center will have another important and far more secret role that until now has gone unrevealed. It is also critical, he says, for breaking codes. And code-breaking is crucial, because much of the data that the center will handle—financial information, stock transactions, business deals, foreign military and diplomatic secrets, legal documents, confidential personal communications—will be heavily encrypted. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.”
…
In the process—and for the first time since Watergate and the other scandals of the Nixon administration—the NSA has turned its surveillance apparatus on the US and its citizens. It has established listening posts throughout the nation to collect and sift through billions of email messages and phone calls, whether they originate within the country or overseas. It has created a supercomputer of almost unimaginable speed to look for patterns and unscramble codes. Finally, the agency has begun building a place to store all the trillions of words and thoughts and whispers captured in its electronic net. And, of course, it’s all being done in secret. To those on the inside, the old adage that NSA stands for Never Say Anything applies more than ever.
…
The data stored in Bluffdale will naturally go far beyond the world’s billions of public web pages. The NSA is more interested in the so-called invisible web, also known as the deep web or deepnet—data beyond the reach of the public. This includes password-protected data, US and foreign government communications, and noncommercial file-sharing between trusted peers. “The deep web contains government reports, databases, and other sources of information of high value to DOD and the intelligence community,” according to a 2010 Defense Science Board report. “Alternative tools are needed to find and index data in the deep web … Stealing the classified secrets of a potential adversary is where the [intelligence] community is most comfortable.” With its new Utah Data Center, the NSA will at last have the technical capability to store, and rummage through, all those stolen secrets. The question, of course, is how the agency defines who is, and who is not, “a potential adversary.”
…
According to Binney—who has maintained close contact with agency employees until a few years ago—the taps in the secret rooms dotting the country are actually powered by highly sophisticated software programs that conduct “deep packet inspection,” examining Internet traffic as it passes through the 10-gigabit-per-second cables at the speed of light.
The software, created by a company called Narus that’s now part of Boeing, is controlled remotely from NSA headquarters at Fort Meade in Maryland and searches US sources for target addresses, locations, countries, and phone numbers, as well as watch-listed names, keywords, and phrases in email. Any communication that arouses suspicion, especially those to or from the million or so people on agency watch lists, are automatically copied or recorded and then transmitted to the NSA.
The scope of surveillance expands from there, Binney says. Once a name is entered into the Narus database, all phone calls and other communications to and from that person are automatically routed to the NSA’s recorders. “Anybody you want, route to a recorder,” Binney says. “If your number’s in there? Routed and gets recorded.” He adds, “The Narus device allows you to take it all.” And when Bluffdale is completed, whatever is collected will be routed there for storage and analysis.
According to Binney, one of the deepest secrets of the Stellar Wind program—again, never confirmed until now—was that the NSA gained warrantless access to AT&T’s vast trove of domestic and international billing records, detailed information about who called whom in the US and around the world. As of 2007, AT&T had more than 2.8 trillion records housed in a database at its Florham Park, New Jersey, complex.
Verizon was also part of the program, Binney says, and that greatly expanded the volume of calls subject to the agency’s domestic eavesdropping. “That multiplies the call rate by at least a factor of five,” he says. “So you’re over a billion and a half calls a day.” (Spokespeople for Verizon and AT&T said their companies would not comment on matters of national security.)
After he left the NSA, Binney suggested a system for monitoring people’s communications according to how closely they are connected to an initial target. The further away from the target—say you’re just an acquaintance of a friend of the target—the less the surveillance. But the agency rejected the idea, and, given the massive new storage facility in Utah, Binney suspects that it now simply collects everything. “The whole idea was, how do you manage 20 terabytes of intercept a minute?” he says. “The way we proposed was to distinguish between things you want and things you don’t want.” Instead, he adds, “they’re storing everything they gather.” And the agency is gathering as much as it can.
Once the communications are intercepted and stored, the data-mining begins. “You can watch everybody all the time with data-mining,” Binney says. Everything a person does becomes charted on a graph, “financial transactions or travel or anything,” he says. Thus, as data like bookstore receipts, bank statements, and commuter toll records flow in, the NSA is able to paint a more and more detailed picture of someone’s life.
The NSA also has the ability to eavesdrop on phone calls directly and in real time. According to Adrienne J. Kinne, who worked both before and after 9/11 as a voice interceptor at the NSA facility in Georgia, in the wake of the World Trade Center attacks “basically all rules were thrown out the window, and they would use any excuse to justify a waiver to spy on Americans.” Even journalists calling home from overseas were included. “A lot of time you could tell they were calling their families,” she says, “incredibly intimate, personal conversations.” Kinne found the act of eavesdropping on innocent fellow citizens personally distressing. “It’s almost like going through and finding somebody’s diary,” she says.
…
Sitting in a restaurant not far from NSA headquarters, the place where he spent nearly 40 years of his life, Binney held his thumb and forefinger close together. “We are, like, that far from a turnkey totalitarian state,” he says.
…
Meanwhile, over in Building 5300, the NSA succeeded in building an even faster supercomputer. “They made a big breakthrough,” says another former senior intelligence official, who helped oversee the program. The NSA’s machine was likely similar to the unclassified Jaguar, but it was much faster out of the gate, modified specifically for cryptanalysis and targeted against one or more specific algorithms, like the AES. In other words, they were moving from the research and development phase to actually attacking extremely difficult encryption systems. The code-breaking effort was up and running.
The breakthrough was enormous, says the former official, and soon afterward the agency pulled the shade down tight on the project, even within the intelligence community and Congress. “Only the chairman and vice chairman and the two staff directors of each intelligence committee were told about it,” he says. The reason?
“They were thinking that this computing breakthrough was going to give them the ability to crack current public encryption.”
-
I'm pretty sure PGP IS impossible to crack. It has been suggested that 1024 bit keys are vulnerable to cracking by an adversary with a lot of computing power, but it's not a trivial task.
Add another bit and you double the number of possibilities, so a 1025 bit key will be twice as hard to crack. So a 2048 bit key will be 2^1024 times as hard to crack, which is a fucking huge number: 2x2x2x2x...(1024 times)......2x2.
So it is not expected that 2048 bit keys will be cracked any time soon, unless you believe that government agencies have computers 2^1024 times more powerful than those available to us.
Most people here use 4096 bit keys which some might argue is overkill, but why not.
Adding a bit only doubles the key space with symmetric algorithms; with RSA it adds only (x-1 bit primes) - (x-2 bit primes), where x is the bit strength of the key.
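The comparison this post draws between symmetric key length and RSA modulus length can be made concrete. The script below is an added example (mine, not the poster's or any project's code): it counts n-bit primes exactly with a sieve for small n, and estimates the cost of factoring large RSA moduli with the textbook general number field sieve heuristic L[1/3, (64/9)^(1/3)], ignoring the o(1) term. Brute-forcing a symmetric key costs one extra bit of work per key bit; factoring cost grows much more slowly, which is why going from a 1024-bit to a 2048-bit modulus adds only about 30 bits of estimated work rather than 1024. The GNFS numbers are rough estimates, not a claim about what any agency can or cannot do.

```python
"""Key length versus work factor: symmetric keys compared with RSA moduli.

Added example, not code from the forum thread. Counts n-bit primes exactly for
small n and applies the standard GNFS cost heuristic for large RSA moduli.
"""
import math


def primes_with_bits(n: int) -> int:
    """Exact number of n-bit primes, i.e. primes p with 2**(n-1) <= p < 2**n, by sieve.
    Fine for n up to ~24; it allocates 2**n bytes."""
    limit = 2 ** n
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i:limit:i] = bytearray(len(range(i * i, limit, i)))
    return sum(sieve[2 ** (n - 1):limit])


def prime_count_growth(n: int) -> float:
    """How many times more n-bit primes there are than (n-1)-bit primes.
    By the prime number theorem this approaches 2 from below as n grows."""
    return primes_with_bits(n) / primes_with_bits(n - 1)


def symmetric_work_bits(key_bits: int) -> float:
    """Exhaustive search of a k-bit symmetric key is ~2**k trials: one bit of work per key bit."""
    return float(key_bits)


def gnfs_work_bits(modulus_bits: int) -> float:
    """Heuristic log2 cost of factoring an RSA modulus n with the general number field sieve:
    L_n[1/3, c] = exp(c * (ln n)**(1/3) * (ln ln n)**(2/3)), c = (64/9)**(1/3), n = 2**modulus_bits.
    The o(1) term is dropped, so treat the result as a rough estimate only."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    ln_cost = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_cost / math.log(2)


def extra_work_for_one_more_bit(modulus_bits: int) -> float:
    """Estimated extra factoring work, in bits, from lengthening the RSA modulus by one bit."""
    return gnfs_work_bits(modulus_bits + 1) - gnfs_work_bits(modulus_bits)


if __name__ == "__main__":
    print("n-bit primes (exact):")
    for n in range(4, 17):
        print(f"  {n:2d} bits: {primes_with_bits(n):6d}  (x{prime_count_growth(n):.2f} vs {n-1} bits)")
    print("estimated work to break, in bits:")
    for k in (128, 256):
        print(f"  AES-{k}: {symmetric_work_bits(k):.0f}")
    for m in (1024, 2048, 4096):
        print(f"  RSA-{m}: {gnfs_work_bits(m):.1f}  (+{extra_work_for_one_more_bit(m):.3f} per extra modulus bit)")
```

The sieve confirms the count of usable primes roughly doubles with each extra bit, so RSA key space does grow much like symmetric key space; the practical difference is that the attacker does not search that space but factors the modulus, and the GNFS estimate shows that cost rising far more gently than 2^(bits).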
-
use this http://sms4tor3vcr2geip.onion/
-
Private note is safer than PGP because with private note, while that information could be more readable than PGP, what it is being used for will never be known. It's browser-based, and it's not stored on your computer. Regardless of how you configure your virtual machines and computer setup, someone could always go through it and find your keys. With private note, that's great, you somehow can read the messages being submitted, but you cannot connect that to a certain computer.
Even if you didn't use Tor with private note, your computer being seized means they won't be able to read the notes you submitted. With PGP, they could if they had to or got the password from you.
-
use this http://sms4tor3vcr2geip.onion/
I personally don't encrypt shit unless the vendor is that paranoid, but they never care because it's my information, not theirs, and it's so ridiculous to even have threads about this stuff, but this is the best idea in my opinion if you wanted to just keep it simple: it's Privnote but can only be accessed through Tor. I don't think anyone really knows about this site though, but for a newbie who wants to just place an order, they should first not even read any threads because every single topic is about police, security, and crap, but after they do, use this site to place an order.
http://sms4tor3vcr2geip.onion/
I think I'm gonna post it on the newbie section to make it easier. I wish these forums just were eliminated. My first 10 orders I always used PGP AND PRIVNOTE because everyone said so, but I'd say the last 250 orders I just write my real name and address. My orders are small, maybe that's why I'm not nervous, but what do people think, they are watching our computer screen right now? (whoever "they" is) and where are they? Outside? Some central Pentagon security place? Some people get so mad that I think PGP, GPG and Privnote are all a joke. Who cares, I'm the one taking the "risk" (no risk).
http://sms4tor3vcr2geip.onion/ small post*
-
Yeah and you might as well leave javascript enabled as well because it isn't like the police ever used javascript based exploits to deliver attack code to people viewing hidden services, for the entire life of Tor! well, other than the first time they did it.
If you want your address sitting in plaintext on a server that can be compromised, that is your own risk to take. You want to be low hanging fruit, go ahead, it makes it better for everyone else because the police will target you first, and if enough people are insecure like you they won't try to do more sophisticated attacks because the return on investment will be small. Just like they didn't try to pwn people using Linux or bother to use a zero day to bust the people going to Freedom Hosting. But at the end of the day you are taking a major risk that you don't need to take. And it is totally possible that some day that risk is going to end up with your address and what you have ordered logged in a police database. I am more happy that they just have uncrackable ciphertext, but go ahead, let them get your address and orders as soon as they seize the server or penetrate it remotely.
-
use this http://sms4tor3vcr2geip.onion/
I personally don't encrypt shit unless the vendor is that paranoid, but they never care because it's my information, not theirs, and it's so ridiculous to even have threads about this stuff
I laughed pretty hard at this one. Good luck!
-
I'm pretty sure PGP IS impossible to crack. It has been suggested that 1024 bit keys are vulnerable to cracking by an adversary with a lot of computing power, but it's not a trivial task.
Add another bit and you double the number of possibilities, so a 1025 bit key will be twice as hard to crack. So a 2048 bit key will be 2^1024 times as hard to crack, which is a fucking huge number: 2x2x2x2x...(1024 times)......2x2.
So it is not expected that 2048 bit keys will be cracked any time soon, unless you believe that government agencies have computers 2^1024 times more powerful than those available to us.
Most people here use 4096 bit keys which some might argue is overkill, but why not.
There are computers working on cracking PGP. And as members have said here many times before:
1024 bit keys will be crackable within the year and 4096 in about 20 years.
It is of course crackable, but takes a certain amount of time.
Using a 4096-bit key is ineffable.
There are I believe 3 or 4 vendors who use 8000-plus-bit keys.
Yep, true.
But consider the future and supercomputers, and a network of combined computers.
Some Japanese showed how they cracked a 930-bit key in 148 days with 96 or 98 quad-core computers.
So I think there is no valid reason not to take the 4096-bit key.
The keys could be revealed if someone has access to your computer.
The agencies have to make an effort to see who the key belongs to, if there is no IP address attached.
Just a pity that your computer sends far too much info along with every connection it's making.
The CPU (which has an ID number) in combination with your RAM (brand, GBs, etc.), your HDD, the browser you are using, OS, and we have to assume that this info has been stored, next to your IP address.
So even when you are not sending your IP, you still are sending other info.
Enough to get your IP address from a database.
That said.
We should never count on the encryption of just the Tor network alone.
Your real home address should always be given in a 4096-bit GPG encrypted message.
No matter if you leave your address on Silk Road itself, or when you are using Privnote.
You should use gpg4usb, and store your private key on your USB stick too.
Always use a USB port at the front of your PC, so you can remove your GPG, including the private key.
So no access is possible.
Sites like Privnote have the attention of the agencies.
Their reason for existence is to get the info that is not available to others.
If you are using Privnote, you most likely have something to hide.
Even when you are using the Tor network, you should not be counting on the encryption of the data traffic of the .onion sites alone. Use gpg4usb and remove the USB after use. That's why a USB port at the front should be used. A port at the back can be forgotten, leaving your USB for the hacker.
A 4096-bit key should keep your writings and files safe for many, many years.
Leave the default 5 years as the ultimate before the key expires.
-
PGP IS GOOD, BUT NOT FAST TO USE.
It has to be something like "select and encrypt" or "select and decrypt"
with a few clicks of a mouse.
-
Private note is safer than PGP because with private note, while that information could be more readable than PGP, what it is being used for will never be known. It's browser-based, and it's not stored on your computer. Regardless of how you configure your virtual machines and computer setup, someone could always go through it and find your keys. With private note, that's great, you somehow can read the messages being submitted, but you cannot connect that to a certain computer.
Even if you didn't use Tor with private note, your computer being seized means they won't be able to read the notes you submitted. With PGP, they could if they had to or got the password from you.
lol, and you just lost any and all credibility you had..
derp.
privnote > PGP/GPG.
no thanks.. people like you get in trouble on a regular basis, I bet.
PGP or GTFO.
use this http://sms4tor3vcr2geip.onion/
+1 for your Avatar. :)
+1 to Praetorian for being a fackin' boss.
pewpew.
/thumbs
-
Private note is safer than PGP because with private note, while that information could be more readable than PGP, what it is being used for will never be known. It's browser-based, and it's not stored on your computer. Regardless of how you configure your virtual machines and computer setup, someone could always go through it and find your keys. With private note, that's great, you somehow can read the messages being submitted, but you cannot connect that to a certain computer.
Even if you didn't use Tor with private note, your computer being seized means they won't be able to read the notes you submitted. With PGP, they could if they had to or got the password from you.
lol, and you just lost any and all credibility you had..
derp.
privnote > PGP/GPG.
no thanks.. people like you get in trouble on a regular basis, I bet.
PGP or GTFO.
use this http://sms4tor3vcr2geip.onion/
+1 for your Avatar. :)
+1 to Praetorian for being a fackin' boss.
pewpew.
/thumbs
Would have been nice if you actually read the post, but I expect nothing less from the arrogance of Silk Road users.
-
Private note is safer than PGP because with private note, while that information could be more readable than PGP, what it is being used for will never be known. It's browser-based, and it's not stored on your computer. Regardless of how you configure your virtual machines and computer setup, someone could always go through it and find your keys. With private note, that's great, you somehow can read the messages being submitted, but you cannot connect that to a certain computer.
Even if you didn't use Tor with private note, your computer being seized means they won't be able to read the notes you submitted. With PGP, they could if they had to or got the password from you.
lol, and you just lost any and all credibility you had..
derp.
privnote > PGP/GPG.
no thanks.. people like you get in trouble on a regular basis, I bet.
PGP or GTFO.
use this http://sms4tor3vcr2geip.onion/
+1 for your Avatar. :)
+1 to Praetorian for being a fackin' boss.
pewpew.
/thumbs
Would have been nice if you actually read the post, but I expect nothing less from the arrogance of Silk Road users.
Far from arrogant, and I read the post..
There are plenty of people on here
who do not use PGP nor think it's "that unsafe".
So when someone makes smart-ass comments like
"privnote is safer than pgp", some kids read that shit
and think it's true.. so protect yourself or kixrox.
/thumbs
-
I don't trust privnote.com. Even though it says the note is destroyed after it's read, that doesn't mean that the data is physically deleted from the server. It's just like when you delete a file on a computer: the operating system simply no longer shows the file, and it becomes free space. With data recovery software it is still possible to recover that file until it is written over. You have to securely delete a file to actually delete it, which writes over the space where the file was written on the hard drive. With the tools the government has, even a secure deletion isn't sufficient. I'd say you need to write over the file at least 7 times for it to be unrecoverable. The Air Force does a 35-pass, or writes over their hard drives with random data 35 times.
I've also heard that some three letter agencies say they physically shred their hard drives AFTER doing a 35-pass secure deletion.
So my point is, even though privnote.com claims the note is "destroyed" after it's read, the data is still on the server and could easily be recovered!
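The distinction the post draws, between unlinking a file (the name goes away, the blocks stay until reused) and overwriting its contents before unlinking, is easy to see on a disk you control. The script below is an added example, not the poster's or any project's code: it writes a constructed marker string to a temporary file, overwrites every byte with random data for a configurable number of passes with an fsync after each pass, confirms the marker is gone, and only then removes the directory entry. The pass count is a parameter; the script makes no claim about how many passes any particular medium needs, and the comments note the storage layers (journals, snapshots, SSD wear levelling, backups) that an in-place overwrite cannot reach. On a server run by someone else, none of this is verifiable from the outside, which is the post's underlying point.

```python
"""Overwrite-then-unlink versus plain unlink, on local storage.

Added example, not from the forum thread. Demonstrates in-place overwriting of
a file's bytes before the directory entry is removed.
"""
import os
import tempfile


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` with random data `passes` times, fsync after each pass.
    Returns the file size in bytes (bytes overwritten per pass).

    Caveat (about storage, not this code): journaling filesystems, snapshots, copy-on-write
    filesystems, SSD wear levelling and backups can all keep older copies of the data that an
    in-place overwrite never touches. Overwriting is only meaningful on media you control."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:  # unbuffered: each write() goes to the OS
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 1 << 16))
                written = fh.write(chunk)          # raw files may write fewer bytes than asked
                remaining -= written
            os.fsync(fh.fileno())                   # push this pass to the device before the next
    return size


def overwrite_and_unlink(path: str, passes: int = 1) -> int:
    """Overwrite the contents, then remove the name. Returns the file size in bytes."""
    size = overwrite_in_place(path, passes)
    os.unlink(path)
    return size


def demo(marker: bytes = b"SECRET-NOTE-TEXT", copies: int = 64, passes: int = 2) -> dict:
    """Constructed demonstration: write a marker, overwrite, check the marker is gone, unlink."""
    fd, path = tempfile.mkstemp(prefix="remanence-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * copies)
    overwrite_in_place(path, passes=passes)
    with open(path, "rb") as fh:
        after = fh.read()                           # same size, now random bytes
    size = overwrite_and_unlink(path, passes=1)
    return {"size": size, "marker_survived": marker in after, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```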
-
Just pgp.
Don't use anything else. I don't get why people treat pgp as if it's extremely complicated. I have my order encrypted within 5 seconds after I C/P the vendors key. It takes 1 command from the command line, and if you get it wrong, it aids you in the proper syntax.
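Both the joke procedure earlier in the thread (write, encrypt with PGP, then send) and this post's "one command from the command line" describe the same round trip: the recipient publishes a public key, the sender encrypts to it, the recipient decrypts with the private key that never left their machine. The script below is an added example, not the poster's or any project's code. It drives the real `gpg` binary from Python with two throwaway GNUPGHOME directories standing in for the two parties; "Example Vendor <vendor@example.invalid>" is a constructed identity, the key is generated without a passphrase purely for the demonstration, and the script skips itself when gpg is not installed. The gpg options used (`--quick-generate-key`, `--export`, `--import`, `--encrypt --recipient`, `--decrypt`, `--trust-model always` for an unsigned imported key in batch mode) are the standard GnuPG 2.x ones.

```python
"""PGP round trip: export public key, import it, encrypt to it, decrypt with the private key.

Added example, not from the forum thread. Requires GnuPG 2.x on PATH; returns early otherwise.
Two temporary keyrings play the two parties ("vendor" and "buyer" are constructed labels).
"""
import os
import shutil
import subprocess
import tempfile

VENDOR_EMAIL = "vendor@example.invalid"                   # constructed identity
VENDOR_UID = f"Example Vendor <{VENDOR_EMAIL}>"


def gpg_available() -> bool:
    """True when a gpg binary is on PATH (the demo is a no-op without it)."""
    return shutil.which("gpg") is not None


def _gpg(home: str, *args: str, stdin: bytes = b"") -> bytes:
    """Run gpg non-interactively against the keyring directory `home`; returns stdout."""
    env = dict(os.environ, GNUPGHOME=home)
    cmd = ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback", "--passphrase", "", *args]
    res = subprocess.run(cmd, input=stdin, env=env, capture_output=True, check=True)
    return res.stdout


def _new_home() -> str:
    """Fresh, private keyring directory with loopback pinentry allowed for batch use."""
    home = tempfile.mkdtemp(prefix="gh")                 # short path: agent sockets have a length limit
    os.chmod(home, 0o700)
    with open(os.path.join(home, "gpg-agent.conf"), "w") as fh:
        fh.write("allow-loopback-pinentry\n")
    return home


def _cleanup(home: str) -> None:
    """Stop the per-keyring agent (if gpgconf exists) and delete the keyring."""
    if shutil.which("gpgconf"):
        subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                       env=dict(os.environ, GNUPGHOME=home), capture_output=True)
    shutil.rmtree(home, ignore_errors=True)


def pgp_roundtrip(message: str = "hello, encrypted world") -> str:
    """Return the text the vendor recovers after the buyer encrypts `message` to the vendor's key.
    Returns the empty string when gpg is unavailable."""
    if not gpg_available():
        return ""
    vendor, buyer = _new_home(), _new_home()
    try:
        # 1. Vendor generates a key pair (unprotected, demo only) and exports the public half.
        _gpg(vendor, "--quick-generate-key", VENDOR_UID, "default", "default", "never")
        pubkey = _gpg(vendor, "--armor", "--export", VENDOR_EMAIL)
        # 2. Buyer imports the vendor's public key: the block you copy/paste from the vendor's page.
        _gpg(buyer, "--import", stdin=pubkey)
        # 3. Buyer encrypts to that key. Only the matching private key can open the result, so
        #    whoever stores or intercepts this ciphertext learns nothing about the message.
        ciphertext = _gpg(buyer, "--armor", "--trust-model", "always",
                          "--recipient", VENDOR_EMAIL, "--encrypt", stdin=message.encode())
        if not ciphertext.startswith(b"-----BEGIN PGP MESSAGE-----"):
            raise RuntimeError("gpg did not produce an armored message")
        # 4. Vendor decrypts with the private key that never left the vendor's keyring.
        return _gpg(vendor, "--decrypt", stdin=ciphertext).decode()
    finally:
        _cleanup(vendor)
        _cleanup(buyer)


if __name__ == "__main__":
    print(pgp_roundtrip() or "gpg not installed; nothing to demonstrate")
```

Step 3 is the "one command" the post refers to: once the recipient's public key is imported, `gpg --armor --recipient <their key> --encrypt` turns a plaintext into an armored block that can be pasted anywhere, and the intermediary (a forum message, a paste site, a mail server) holds only ciphertext.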
-
I don't trust privnote.com. Even though it says the note is destroyed after it's read, that doesn't mean that the data is physically deleted from the server. It's just like when you delete a file on a computer: the operating system simply no longer shows the file, and it becomes free space. With data recovery software it is still possible to recover that file until it is written over. You have to securely delete a file to actually delete it, which writes over the space where the file was written on the hard drive. With the tools the government has, even a secure deletion isn't sufficient. I'd say you need to write over the file at least 7 times for it to be unrecoverable. The Air Force does a 35-pass, or writes over their hard drives with random data 35 times.
I've also heard that some three letter agencies say they physically shred their hard drives AFTER doing a 35-pass secure deletion.
So my point is, even though privnote.com claims the note is "destroyed" after it's read, the data is still on the server and could easily be recovered!
super good info.
thank you.
/thumbs
-
I don't trust privnote.com. Even though it says the note is destroyed after it's read, that doesn't mean that the data is physically deleted from the server. It's just like when you delete a file on a computer: the operating system simply no longer shows the file, and it becomes free space. With data recovery software it is still possible to recover that file until it is written over. You have to securely delete a file to actually delete it, which writes over the space where the file was written on the hard drive. With the tools the government has, even a secure deletion isn't sufficient. I'd say you need to write over the file at least 7 times for it to be unrecoverable. The Air Force does a 35-pass, or writes over their hard drives with random data 35 times.
I've also heard that some three letter agencies say they physically shred their hard drives AFTER doing a 35-pass secure deletion.
So my point is, even though privnote.com claims the note is "destroyed" after it's read, the data is still on the server and could easily be recovered!
and what happens if it gets recovered?
-
I don't trust privnote.com. Even though it says the note is destroyed after it's read, that doesn't mean that the data is physically deleted from the server. It's just like when you delete a file on a computer: the operating system simply no longer shows the file, and it becomes free space. With data recovery software it is still possible to recover that file until it is written over. You have to securely delete a file to actually delete it, which writes over the space where the file was written on the hard drive. With the tools the government has, even a secure deletion isn't sufficient. I'd say you need to write over the file at least 7 times for it to be unrecoverable. The Air Force does a 35-pass, or writes over their hard drives with random data 35 times.
I've also heard that some three letter agencies say they physically shred their hard drives AFTER doing a 35-pass secure deletion.
So my point is, even though privnote.com claims the note is "destroyed" after it's read, the data is still on the server and could easily be recovered!
and what happens if it gets recovered?
the three letter agencies have every "private note"
you filled out... during your career here.
/thumbs
-
ok so they have a list of addresses
and...?
-
ok so they have a list of addresses
and...?
Looking at intelligence as a singular entity is going to give you a false sense of anonymity. The point of SR is to arguably obscure 3rd party interference. Adding a third party throws in another variable, as well as gives analysis teams an extra variable to work with in discerning your identity.
All of this seems very tin-foil-hat because it largely is. Is it likely that you'll be detained for SR use? No. However, a 4% chance of being caught may land on you. That chance of being caught drops considerably when you get rid of possible traces.
This is illegal. It is a felony. We are no different than rapists in many jurisdictions. 2-10 seconds of military-grade encryption is a small price to pay for avoiding 15-year sentences.
-
ok so they have a list of addresses
and...?
Looking at intelligence as a singular entity is going to give you a false sense of anonymity. The point of SR is to arguably obscure 3rd party interference. Adding a third party throws in another variable, as well as gives analysis teams an extra variable to work with in discerning your identity.
All of this seems very tin-foil-hat because it largely is. Is it likely that you'll be detained for SR use? No. However, a 4% chance of being caught may land on you. That chance of being caught drops considerably when you get rid of possible traces.
This is illegal. It is a felony. We are no different than rapists in many jurisdictions. 2-10 seconds of military-grade encryption is a small price to pay for avoiding 15-year sentences.
+1
/thumbs