view the rest of the comments
news
Welcome to c/news! Please read the Hexbear Code of Conduct and remember... we're all comrades here.
Rules:
-- PLEASE KEEP POST TITLES INFORMATIVE --
-- Overly editorialized titles, particularly if they link to opinion pieces, may get your post removed. --
-- All posts must include a link to their source. Screenshots are fine IF you include the link in the post body. --
-- If you are citing a twitter post as news please include not just the twitter.com in your links but also nitter.net (or another Nitter instance). There is also a Firefox extension that can redirect Twitter links to a Nitter instance: https://addons.mozilla.org/en-US/firefox/addon/libredirect/ or archive them as you would any other reactionary source using e.g. https://archive.today . Twitter screenshots still need to be sourced or they will be removed --
-- Mass tagging comm moderators across multiple posts like a broken markov chain bot will result in a comm ban--
-- Repeated consecutive posting of reactionary sources, fake news, misleading / outdated news, false alarms over ghoul deaths, and/or shitposts will result in a comm ban.--
-- Neglecting to use content warnings or NSFW when dealing with disturbing content will be removed until in compliance. Users who are consecutively reported due to failing to use content warnings or NSFW tags when commenting on or posting disturbing content will result in the user being banned. --
-- Using April 1st as an excuse to post fake headlines, like the resurrection of Kissinger while he is still fortunately dead, will result in the poster being thrown in the gamer gulag and be sentenced to play and beat trashy mobile games like 'Raid: Shadow Legends' in order to be rehabilitated back into general society. --
Yep, ALWAYS encrypt your messages yourself (pgp) and don't rely on the site's encryption. Ever. This isn't just opsec 101, but absolutely basic practice for anyone using DNMs. Literally the only downside of doing that is that it's slightly less convenient while the upsides can't be counted but include making it impossible for the market/site admins to extort you like this. Any buyer should know this but it's understandable that some people just need to get their meds as easily as possible and let the opsec slide where they shouldn't. But vendors?? Not using PGP to talk to people you're selling drugs to is just astoundingly short sighted. The whole purpose of DNMs is that anonymity is maintained to an extent that this kind of thing isn't possible.
Vendors I think have the ability to deny customers for whatever reason they want and vice versa. If you're a buyer and your vendor refuses to use PGP, you should find another vendor. If you're a vendor and your buyer refuses to use PGP you should simply block them and not vend to them. I'm also getting the impression that this wasn't common practice on Incognito, but years ago back when I, um, read about this stuff, it was never a majority but it wasn't uncommon for vendors to state up front they only vend to people who will use PGP. Sometimes vendors would give a discount to people who did. I'm sure a lot of vendors right now are wishing they had followed that very common sense policy.
I edited this comment for clarity and because I accidentally said something backwards initially:
Hmm, it should be plainly obvious if someone is encrypting their messages to you. Like, what I think you're describing couldn't even work by accident. Other people's keys can't be used. If someone wants to communicate with you, they need your public key to encrypt their message to you and only you can then decrypt that message with your private key. If you then want to respond, you need their public key to encrypt your response, which only they can decrypt.
Example: if a buyer contacts a vendor, the buyer is not using their (the buyer's) own key. The buyer must use the vendor's public key to encrypt a message that the vendor then decrypts locally (which only the vendor can do with their private key). If the buyer used any other key, the vendor couldn't decrypt the message and no transaction could proceed. If the vendor wants to then send a message to the buyer, that's when the vendor uses the buyer's public key to encrypt that message. If the buyer gave the vendor any public key that is not their own, that buyer then couldn't decrypt the message the vendor sent them. There's really no place in this process where the vendor wouldn't know if the buyer was using their own PGP key.
In my past experience, people would put their public keys in their profile. The auto-encryption doesn't even look like encryption, it just looks like sending messages normally, the same way it looks using any encrypted messenger service: you just accept and trust that the service really is encrypting and decrypting at both ends and all you see is the text that someone sends you. There are steps both you and the person you're talking to have to take when doing your own encryption. Even when you're using PGP, you're still sending text over the market messaging system, and the market is encrypting that, but the text you're sending will look like total gibberish to everyone. Not just to the market, but it will look like total gibberish even to you after you encrypted the text locally on your own device, and of course it will also look like total gibberish to the person you're sending it to until they decrypt it locally on their end. There really should be no room for confusing who's public key is being used, not even mistakenly because the decryption wouldn't work. Unless I'm still misunderstanding you, or unless communication methods on the DNMs have so drastically changed in recent years that they're incomparable, but I know that's not the case.