Silk Road forums

Discussion => Security => Topic started by: hopdub on July 25, 2013, 05:28 pm

Title: privnote is down...
Post by: hopdub on July 25, 2013, 05:28 pm
I don't use privnote, but I know a lot of people do. If LE ever subpoenaed them for their data, they would be able to flag quite a few addresses. I don't really think they would or even could without solid cause. I realize many people use it for other things and business addresses and whatnot, but still....kinda makes you wonder.

Learn PGP people. There is no reason to give your address to a third party. You might as well just send it through SR.
Title: Re: privnote is down...
Post by: valentinesmith on July 25, 2013, 05:31 pm
I was about to start a new thread on the same subject, here's the post I wrote:

At the moment privnote.com seems to be down, and buyers are likely to turn to other sites offering the same service.

If one of those "new" services turns out to be a LE honeypot, any vendor that visits the honeypot to retrieve a delivery address without using Tor (or similar) would be trivial for LE to track down.

I'm sure others have pointed out the risks associated with using privnote.com, but now that buyers might start using a multitude of unfamiliar but similar sites I think the opportunity for LE to launch a dragnet honeypot attack is big enough to start a separate thread.

Vendors: Do you accept these services as a valid way for buyers to give their addresses? Are you sure you are following best practice when opening those links?
Title: Re: privnote is down...
Post by: Tessellated on July 25, 2013, 05:44 pm
I am glad it is down.

PGP is easy to learn, but using privnote instead makes things worse, not better. Please just send as plain text if you cannot figure out PGP. The only thing that privnote accomplishes is sharing the information with privnote.

If you use PGP then only the vendor can read it.

If you send plain text then only Silk Road and the vendor can read it.

If you send by privnote then privnote, Silk Road and the vendor can read it.

Privnote saves information and surrenders it to law enforcement on request.
Title: Re: privnote is down...
Post by: hopdub on July 25, 2013, 05:48 pm
I have never seen privnote down so that would worry me a little bit if you ever have used privnote before...maybe they could get a subpoena and sift through all the "destroyed" notes and random addresses.  Even if the code is written to destroy the notes, the data must be saved somewhere or is at least retrievable by someone with technical skills.
Title: Re: privnote is down...
Post by: Tanethia on July 25, 2013, 06:01 pm
I am in agreement with you all. I think that if a vendor really cares for the privacy of their buyers then they would make it a requirement to order from them. PGP is damn good privacy. I read somewhere that it took a government operative all of 6 months to hack into one PGP encrypted message
Title: Re: privnote is down...
Post by: Tessellated on July 25, 2013, 06:06 pm
I am in agreement with you all. I think that if a vendor really cares for the privacy of their buyers then they would make it a requirement to order from them. PGP is damn good privacy. I read somewhere that it took a government operative all of 6 months to hack into one PGP encrypted message

As far as I know nobody has ever demonstrated the cracking of a strong PGP message. Not in 6 months, not ever.
Title: Re: privnote is down...
Post by: modziw on July 25, 2013, 06:12 pm
Use http://sms4tor3vcr2geip.onion instead.

Modzi
Title: Re: privnote is down...
Post by: goblin on July 25, 2013, 06:29 pm
Use http://sms4tor3vcr2geip.onion instead.

Modzi
Well, it's OK in that it doesn't require javascript, and it is a hidden service so it would be much harder to track down its servers. But still, it's the same as privnote otherwise. Why trust all these services instead of doing it yourself (i.e., pgp)?
Title: Re: privnote is down...
Post by: Sukey on July 25, 2013, 07:08 pm
Use http://sms4tor3vcr2geip.onion instead.

Modzi
Well, it's OK in that it doesn't require javascript, and it is a hidden service so it would be much harder to track down its servers. But still, it's the same as privnote otherwise. Why trust all these services instead of doing it yourself (i.e., pgp)?

No. That is not a good thing that it doesn't require javascript. The javascript on Privnote encrypts the contents *before* (client-side) sending them off to the server. This means that if there is no javascript for encrypting client-side, you are sending plaintext to the third party and *hoping* that they encrypt it for you and throw away the key.

Just use PGP.
Title: Re: privnote is down...
Post by: RxKing on July 25, 2013, 07:13 pm
PRIVNOTE IS NOT DOWN....

Here is a link

https://certified.privnote.com/
Title: Re: privnote is down...
Post by: hopdub on July 25, 2013, 07:19 pm
Why did the link change? I thought you could access it using just privnote.com in the past? Weird.
Title: Re: privnote is down...
Post by: ananas_xpress on July 25, 2013, 07:30 pm
Why anyone would use that service in the first place is beyond me, If you are a vendor and endorse it I'm not saying you should be busted but when you do I'll make no shame in *Nelson Muntz voice,  shouting  HAHA

Only reason I can imagine to use is to give customers a false sense of security in buying from me and that's just scummy
Title: Re: privnote is down...
Post by: RxKing on July 25, 2013, 07:36 pm
Why anyone would use that service in the first place is beyond me, If you are a vendor and endorse it I'm not saying you should be busted but when you do I'll make no shame in *Nelson Muntz voice,  shouting  HAHA

Only reason I can imagine to use is to give customers a false sense of security in buying from me and that's just scummy

This post just shows how you understand VERY LITTLE.
Title: Re: privnote is down...
Post by: valentinesmith on July 25, 2013, 09:03 pm
Why did the link change? I thought you could access it using just privnote.com in the past? Weird.

I don't think it's the same site. At the bottom of certified.privnote.com it says "Certified Privnote is an EuroPriSe certified version of Privnote" with a link to privnote.com (sans the certified).
Title: Re: privnote is down...
Post by: RxKing on July 25, 2013, 09:12 pm
No ...

I don't think it's the same site. At the bottom of certified.privnote.com it says "Certified Privnote is an EuroPriSe certified version of Privnote" with a link to privnote.com (sans the certified).

It is the SAME site. And for people that do not understand Privnote...read here before you post any more paranoid opinions and not facts.

For completeness, this is what happens when you view a note in Privnote:

1. The server extracts the NoteID from the URL

2. The server hashes the NoteID and gets the HashedNoteID. This is the same HashedNoteID used when generating the note, since the NoteID used to make the hash is the same in both cases
The server retrieves the note from the database using HashedNoteID as the database primary key and decrypts its contents using NoteID as the encryption key

3. The server shows the page with the decrypted note

4. The server permanently deletes the note from the database, keeping only a record of the HashedNoteID, the time when it was read, and the IP address where it was read from, to show it when someone tries to see the note again


If someone with access to the database would like to read the note she would be unable because she doesn't have the key to decrypt it (NoteID), only the database primary key (HashedNoteID). The HashedNoteID cannot be used to "go back" to the NoteID because hashes are "one-way". So the only person who can actually decrypt (and thus see) the note is the one who has the original NoteID or, in other words, the one who has the link to the note.


These are facts people.
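
[Added example, not part of the original post and not Privnote's code: a minimal model of the view flow listed above, showing what a database dump exposes versus what the server process handles when a note is read. The hash labels, the SHA-256 keystream stand-in cipher, the `new_note` helper (note creation is not described in the post) and all sample values are assumptions.]

```python
import hashlib
import secrets

def derive(note_id: str):
    """Return (HashedNoteID, key). Separate hash labels are an assumption of this sketch."""
    raw = note_id.encode()
    hashed = hashlib.sha256(b"index:" + raw).hexdigest()
    key = hashlib.sha256(b"key:" + raw).digest()
    return hashed, key

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream); a real service would use an AEAD."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class NoteServer:
    def __init__(self):
        self.db = {}             # HashedNoteID -> ciphertext (what a database dump exposes)
        self.read_log = {}       # HashedNoteID -> reader IP, kept after the note is deleted
        self.handled_plain = []  # plaintext the server process itself touched

    def view(self, note_id: str, ip: str):
        hashed, key = derive(note_id)          # steps 1-2: NoteID from the URL, then hash
        if hashed in self.read_log:
            return None                        # already read: only the log entry remains
        blob = self.db.pop(hashed, None)       # step 4: the stored ciphertext is deleted
        if blob is None:
            return None                        # unknown NoteID
        text = xor_stream(key, blob).decode()  # decryption happens on the server
        self.handled_plain.append(text)
        self.read_log[hashed] = ip
        return text

def new_note(server: NoteServer, text: str) -> str:
    """Hypothetical creation helper: stores ciphertext under HashedNoteID, returns NoteID."""
    note_id = secrets.token_urlsafe(16)        # travels only in the link
    hashed, key = derive(note_id)
    server.db[hashed] = xor_stream(key, text.encode())
    return note_id

if __name__ == "__main__":
    srv = NoteServer()
    link_id = new_note(srv, "constructed sample note")
    print("at rest:", srv.db)                  # ciphertext only, keyed by the hash
    print("viewed :", srv.view(link_id, "203.0.113.7"))
    print("kept   :", srv.read_log, srv.handled_plain)
```

In this model the stored row alone cannot be decrypted, but the server sees the NoteID and the decrypted text at view time and retains the reader's IP in its read log.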
Title: Re: privnote is down...
Post by: valentinesmith on July 25, 2013, 09:29 pm
No ...

I don't think it's the same site. At the bottom of certified.privnote.com it says "Certified Privnote is an EuroPriSe certified version of Privnote" with a link to privnote.com (sans the certified).

It is the SAME site. And for people that do not understand Privnote...read here before you post any more paranoid opinions and not facts.

They are not hosted on the same IP address, one is down but the other is online, and it even says on certified.privnote.com that it's a different ("certified") version of the regular privnote. They are two different sites. I'm guessing they are both run by the same entity though.
Title: Re: privnote is down...
Post by: RxKing on July 25, 2013, 09:35 pm
I never said they are on the same IP address. When I used the word "site" I meant same company, same thing.
Title: Re: privnote is down...
Post by: valentinesmith on July 25, 2013, 09:53 pm
I never said they are on the same IP address. When I used the word "site" I meant same company, same thing.

Sorry, I meant different sites as in different servers (or virtual hosts or whatever) with different backends to store the notes.
Title: Re: privnote is down...
Post by: i push the kush on July 25, 2013, 10:28 pm
I just placed an order without using PGP or privnote, because the vendor's PGP key isn't working so he said use privnote or send address clearly over. Well privnote is down so I just sent it clearly over. I'm not really worried though cuz it's a domestic order and SR has their own version of privnote built in, so no need to worry too much.
Title: Re: privnote is down...
Post by: ananas_xpress on July 25, 2013, 11:13 pm
I just placed an order without using PGP or privnote, because the vendor's PGP key isn't working so he said use privnote or send address clearly over. Well privnote is down so I just sent it clearly over. I'm not really worried though cuz it's a domestic order and SR has their own version of privnote built in, so no need to worry too much.

PGP, Doesn't simply not work ??? ???

Who is this POS vendor as they are clearly lying, take my advice dude and never use privnote in the first place, If you ever have to go to resolution you are screwed since all communication on your side is nonexistent
Title: Re: privnote is down...
Post by: RxKing on July 26, 2013, 12:52 am

PGP, Doesn't simply not work ??? ???

Who is this POS vendor as they are clearly lying, take my advice dude and never use privnote in the first place, If you ever have to go to resolution you are screwed since all communication on your side is nonexistent

Once again...bad information!!!

This guy...along with 99% of other buyers...ONLY use privnote for their address at check out. That is never needed for anything to do with resolution.

Plus if you just use a top vendor and are domestic...you will never need resolution...I have never had anything go to resolution in 1.5 years.