Author Topic: PGP Email Address Metadata: Pay some damned attention, please.  (Read 513 times)

whom

  • Full Member
  • ***
  • Posts: 226
  • Karma: +87/-4
Someone posted a thread earlier about how hard it is to keep forum users' PGP keys straight with identities elsewhere.  I thought I'd share a little of the other side of that coin.   Many of the older posters here remember Pine's post from the old forum about how the keyid of a PGP key can tell you a lot.   I just wanted to make a brief Public Service Announcement about something even more obvious than that:

When you create a PGP Key, and stick a real personal email address in there, then post that key on your profile on a fucking darknet forum, that personal email address is visible to everyone who sees your key.

So after SRFv1 went away, I decided to do my own archiving of forums that I like, because I'm sick of shit disappearing.  Around the time the whole "DPR account may be compromised" thing unfolded, I grabbed another full copy of the forum and the user profiles.

I decided to take a quick crunch through the PGP keys in the user profiles here, extracting the email addresses from the PGP key metadata.    The data I'm pasting below represents the most common legitimate domains (the part after the '@') for email addresses in PGP keys posted here, with counts of how many times they're used.   My source data is a couple weeks old.

While many of the GMail/Hotmail/Yahoo/etc addresses are obviously bullshit or burners (somebody just sticking '@gmail.com' at the end to fill up space), some quick Internet stalkery told me that more than you'd figure are actually people's real personal email addresses.  That match Facebook/etc accounts.  With pictures.     None of the ones I found turned out to be beautiful blonde women, by the way.

36% of the PGP keys posted to user profiles here (as of a week or two ago, whenever I scraped it) have email addresses in the domains listed below.

There were plenty of '[email protected]' addresses.   That's a perfectly good approach.  Just don't use anything that actually ties to your real identity.   

When you're creating a key, and it asks for an email address, give it a fake one, please.

Quote
536 safe-mail.net
325 gmail.com
86 hotmail.com
77 hushmail.com
58 yahoo.com
34 riseup.net
28 countermail.com
24 live.com
23 lelantos.org
20 aol.com
18 outlook.com
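
An added example (not part of the original post or thread): a self-audit that reads the User ID packets out of an armored public key, so you can see exactly what text the key publishes before you post it. The sample key is a constructed packet stream rather than a usable key, and all function names are this example's own.

```python
import base64
import re

def dearmor(armored):
    """Return the binary packets inside an ASCII-armored OpenPGP block."""
    lines, in_block, in_data = [], False, False
    for line in (l.strip() for l in armored.splitlines()):
        if line.startswith("-----BEGIN PGP"):
            in_block = True
        elif line.startswith("-----END PGP"):
            break
        elif in_block and not in_data:
            in_data = line == ""                      # blank line ends the armor headers
        elif in_data and not line.startswith("="):    # skip the CRC24 checksum line
            lines.append(line)
    return base64.b64decode("".join(lines))

def packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                # new format: tag in low 6 bits
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                         # old format: tag in bits 5..2
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = (1, 2, 4, 0)[ltype]                   # 0 = body runs to end of data
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        yield tag, data[i:i + length]
        i += length

def user_ids(armored):
    """User ID packets (tag 13) hold plain, unencrypted UTF-8 text."""
    return [body.decode("utf-8", "replace")
            for tag, body in packets(dearmor(armored)) if tag == 13]

def exposed_addresses(armored):
    """(address, domain) for every email address found in a User ID."""
    hits = (re.search(r"<([^<>\s]+@[^<>\s]+)>", uid) for uid in user_ids(armored))
    return [(m.group(1), m.group(1).rsplit("@", 1)[1].lower()) for m in hits if m]

# Constructed sample: structurally valid packets (tag 6 stand-in, two tag 13), not a real key.
def _pkt(tag, body, new=False):
    return bytes([0xC0 | tag if new else 0x80 | tag << 2, len(body)]) + body
_raw = (_pkt(6, b"\x04" + bytes(11)) + _pkt(13, b"Alice Example <alice@example.com>")
        + _pkt(13, b"burner <nobody@localhost>", new=True))
ARMOR = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{}\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n"
SAMPLE = ARMOR.format(base64.b64encode(_raw).decode())  # "=AAAA" is a dummy CRC line
```

To check a real key, pass the text produced by `gpg --armor --export` for that key to `exposed_addresses`. Every User ID on the key is listed, including older ones you have since revoked, because they stay in the exported key.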

snowwhite421

  • Sr. Member
  • ****
  • Posts: 312
  • Karma: +56/-22
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #1 on: January 01, 2014, 10:57:18 pm »
Damn it, that is ignorant of people. Just like ignorance of the law won't save your ass from being charged, ignorance of opsec won't save your ass from being compromised.

pub 4096R/03EB326E 12/10/2013 SnowWhite <[email protected]>
    Primary key fingerprint:  13EA 2BB7 370A 5096 BC23 7EB4 4971 F957 03EB 326E


Rastaman Vibration

  • Hero Member
  • *****
  • Posts: 596
  • Karma: +105/-11
  • ...Babylon makes the Rules...
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #2 on: January 01, 2014, 11:26:37 pm »
Thanks for that Public Service Announcement, whom. I remember vendors' actual gmails popping up when I imported their key on the old market site. SMH

Pay attention everyone.

Your freedom depends on it.

Public Enemy #1

  • Jr. Member
  • **
  • Posts: 54
  • Karma: +18/-6
  • Louder than a bomb
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #3 on: January 02, 2014, 12:38:43 am »
Interesting and sadly not that surprising. It makes me cringe when I see how some people have dumped their IRL emails into their keys.

Surely though as long as it is a non-attributable email address, the risk is controlled - or perhaps more specifically the risk is not much greater than having a non-attributable email address in the first place or in fact a forum profile on this board attached to my PGP key.

So I (PE#1) have a safe-mail address (it could be any mail provider, as they are all nobbled) - I only access it through Tor - I only use it for SR related activities and even then - very rarely. I myself probably wouldn't worry too much about that being in my key (although it isn't as it happens). It is basically just a backup comms method.




whiteshark

  • Sr. Member
  • ****
  • Posts: 308
  • Karma: +77/-50
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #4 on: January 02, 2014, 12:48:57 am »
I always figured it was a fake email or an email that was registered and only accessed via Tor.

kr-rypt

  • Hero Member
  • *****
  • Posts: 1463
  • Karma: +186/-51
  • why so serious?
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #5 on: January 02, 2014, 12:55:12 am »
I created my newest key when I was using safemail, before I found out it was run by the Israelis, when a lot of people thought it really was safe, but since then I've deleted my safemail account and never wanted to change my key, so it doesn't matter if it says my safemail; it isn't mine anymore. But to everyone using GMAIL
PLEASE STOP.
IT'S HOW ROSS WAS BUSTED :((((((((
Ẅ͔͍̣̩́̾ͨͬ͞H̶̜̳̼̪͍̟̽ͯ̂ͯͬͨ̋̅Ơ̴̯̰̓̒͛̋ͪͮͅ ̷̯̣̘͚͙͇̟̲ͣ̋̃͌͝L͓͚͚͂̊ͮI̪̝͈̞͈͇͕̳͆ͥͧ̉͛V̵͖͓̦͕̝̭̘̯̻̆͟Ẻ̳̝͓͙̜̖̓̊̊̇̑̏́͜S̝̣̺̪͕̙̿ͫ̌͛͗͑ͨ́͞ ̋́҉͇̟̪Ī̷̷͕̥̠̙̭̰̥̜̌̐͆̽ͩ̕N̵̨̠ͦ͑ͦͩ͑ͯ̾̾͢ ̴̨͓̈̾ͣͨͬͪ͠A̷̶̲̱͇̘̘̫͂͐͆ͤ͢ ̒̔ͩͫ̔̆̋ͭ҉̴͚̫P̸̧̝̠̝̓͂̽ͯI̷̝͔̤̋͠N͚̗̐͋̾ͣ̂ͅE̱̰͍̝͂̈́̾̽ͨͧA̮̠̥͎̯̩̩̙ͥ̿̄ͣ̐̃͟ͅP̶̯͙̹͙͚̩̽ͨͪ̄ͣ͗͑̄͘͜P̯̜͈̯ͦͬ͊ͭͩ̌̐̍L̶̛͙̬͚̗̼ͣ̀ͣEͩͯ͂ͪ͑͘͡͝

kr-rypt

  • Hero Member
  • *****
  • Posts: 1463
  • Karma: +186/-51
  • why so serious?
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #6 on: January 02, 2014, 01:51:01 am »
Quote
So after SRFv1 went away, I decided to do my own archiving of forums that I like, because I'm sick of shit disappearing.

me too..

can you post a link to a clone of the old forums? there was SOOOO much good info in there...including a few tutorials/posts, i made, i'd like to find again....since i was forced to take a sledgehammer to my laptops/flashdrives a while back...unfortunately... :(

peace

mirage
Thermite is neater...
Ẅ͔͍̣̩́̾ͨͬ͞H̶̜̳̼̪͍̟̽ͯ̂ͯͬͨ̋̅Ơ̴̯̰̓̒͛̋ͪͮͅ ̷̯̣̘͚͙͇̟̲ͣ̋̃͌͝L͓͚͚͂̊ͮI̪̝͈̞͈͇͕̳͆ͥͧ̉͛V̵͖͓̦͕̝̭̘̯̻̆͟Ẻ̳̝͓͙̜̖̓̊̊̇̑̏́͜S̝̣̺̪͕̙̿ͫ̌͛͗͑ͨ́͞ ̋́҉͇̟̪Ī̷̷͕̥̠̙̭̰̥̜̌̐͆̽ͩ̕N̵̨̠ͦ͑ͦͩ͑ͯ̾̾͢ ̴̨͓̈̾ͣͨͬͪ͠A̷̶̲̱͇̘̘̫͂͐͆ͤ͢ ̒̔ͩͫ̔̆̋ͭ҉̴͚̫P̸̧̝̠̝̓͂̽ͯI̷̝͔̤̋͠N͚̗̐͋̾ͣ̂ͅE̱̰͍̝͂̈́̾̽ͨͧA̮̠̥͎̯̩̩̙ͥ̿̄ͣ̐̃͟ͅP̶̯͙̹͙͚̩̽ͨͪ̄ͣ͗͑̄͘͜P̯̜͈̯ͦͬ͊ͭͩ̌̐̍L̶̛͙̬͚̗̼ͣ̀ͣEͩͯ͂ͪ͑͘͡͝

whom

  • Full Member
  • ***
  • Posts: 226
  • Karma: +87/-4
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #7 on: January 02, 2014, 02:04:50 am »
Quote
Surely though as long as it is a non-attributable email address, the risk is controlled - or perhaps more specifically the risk is not much greater than having a non-attributable email address in the first place or in fact a forum profile on this board attached to my PGP key.

Yeah, I think you're right about that.    If it's a burner safe-mail address that you don't use for anything (particularly, for anything you'd mind the contents of a subpoena disclosing), and you've only connected via Tor, there's not much of anything to worry about.

However, if I was a betting man, I'd bet that unlike your scenario,  many of the "disposable" email addresses I saw in that list end up being used by people for all sorts of one-on-one deals and communications.   And that a lot of people lack the self-discipline to *never* check an account except via Tor.  Just this one time, gotta grab one email, then I can head out the door.   I'm on coffee shop wifi, nobody will know shit.   That kinda thing.   Suddenly, where before there was no data available to an adversary, they now know that UserX was in a coffee shop in Jacksonville, Florida on the 8th of March.   Not because somebody used an email account, but because it was publicly tied to a forum persona by a frickin PGP key when it didn't need to be.

Cloquet

  • Hero Member
  • *****
  • Posts: 969
  • Karma: +125/-120
  • Official SR 2.0 Diplomat
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #8 on: January 02, 2014, 02:24:29 am »
I intentionally put a bogus email in my keys.
I went down... to the SR Forums... to get my fair share of abuse...

whom

  • Full Member
  • ***
  • Posts: 226
  • Karma: +87/-4
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #9 on: January 02, 2014, 02:28:10 am »
Quote
can you post a link to a clone of the old forums? there was SOOOO much good info in there...including a few tutorials/posts, i made, i'd like to find again....since i was forced to take a sledgehammer to my laptops/flashdrives a while back...unfortunately... :(

Yeah, I'll put together an archive of the Security subforum and post it somewhere.   Remind me if I don't post something in the next week or so.   I've converted StExo's 300+M HTML archive to text, and the Security subforum is <25M that way, gz'd.    It's greppable, and fairly handy.   I honestly don't think there's a better collection of technical anonymity-related discussion anywhere than that archive.

In the meantime, I believe that the site that did the world class OSINT analysis on  the SR/SRF/Ulbricht timeline (which is forbidden to post here because it's dox-related) still has a link to a copy of StExo's archive in their Downloads section.  I don't know which version of the archive they have, though.

Mone4them

  • Full Member
  • ***
  • Posts: 248
  • Karma: +33/-6
  • I have access to below market price RCs
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #10 on: January 02, 2014, 02:31:36 am »
People who use any real contact info are out of their minds IMO. My PGP keys all link to a real email that I can check, but they are all either HMAmail, HushMail, or Safe-Mail accounts that have only been accessed through VPN -> TOR. I have also played Email PGP tag with a few of my suppliers. Send an email to the account that is in their "public" public key, get a response containing a different key with a different email, and follow the trail of digital breadcrumbs until I finally get to the email they actually use.

Seriously though, people: FREE ANON EMAILS or fake information. NEVER put anything that can potentially identify who you are in your profiles, posts, and especially not in your PGP key.

El Presidente

  • Sr. Member
  • ****
  • Posts: 288
  • Karma: +134/-5
  • Buena Mierda
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #11 on: January 02, 2014, 02:33:29 am »
+1 whom - this is something that people do need to be aware of.

We too were driven to many collective face-palms during the compilation of the directory. We found several obvious examples of people using personal email addresses and valid names in some cases. We even found scenarios where users had posted private keys onto market and forum profiles....

As you know we are proponents of vendors having valid contact details in their keys but it is essential that those details relate to email addresses that cannot be tracked back to the individual, that they are ONLY accessed using tor and that they are only used for market activities and NEVER used for anything else EVER. Importantly they should NEVER be used to receive or send messages to any other accounts you own or anybody you know in real life.

And a happy new year to all you all from us.

Love

EP

« Last Edit: January 02, 2014, 02:39:56 am by El Presidente »

whom

  • Full Member
  • ***
  • Posts: 226
  • Karma: +87/-4
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #12 on: January 02, 2014, 02:45:38 am »
Quote
Importantly they should NEVER be used to receive or send messages to any other accounts you own or anybody you know in real life.

This is great advice, and I'm glad you brought it up.

It's *so* tempting to "just send this one test message to my other account, to make sure [email works, PGP is formatted right, whatever]".  Don't do it.   Create a second disposable account at the same provider if you want to test back and forth to get something right.

And always use Tor for that account, so the provider *never* gets a legitimate source IP to log.   I'll insert a Jacob Appelbaum quote here:  "When you bareback on the Internet, you're barebackin' with Big Brother."

skeetlord

  • Full Member
  • ***
  • Posts: 209
  • Karma: +8/-35
Re: PGP Email Address Metadata: Pay some damned attention, please.
« Reply #13 on: January 02, 2014, 03:08:17 am »
Use fake email address, simple.