[Idea] Encryption for Confirmation and Hack-Protection (Simple)

Discussion in 'Denied Suggestions' started by Hax4You, Aug 5, 2011.

Thread Status:
Not open for further replies.
  1. Unread #1 - Aug 5, 2011 at 6:40 AM
  2. Hax4You

    So this has gone through my mind for a while now and after reading Grave's suggestion in this exact forum, I have a fairly simple idea that may solve a few problems that are seen too often on Sythe.

    Since I have joined this site (and earlier), there has always been the question of, “What if ----- gets hacked?” or “What if the ----- which I am talking to on MSN isn't actually ----- on Sythe?” Even after four years I see problems like these still pop up from time to time. While my resolution isn't the end-all solution, it will add another level of security so your crucial information does not end up in the wrong hands.

    So, what's the catch?
    Well, site admins don't have to make one alteration to the forums. No extra coding would be necessary. The responsibility is in the hands of the users and enforcement in the hands of the moderators.


    Wait, what?
    Oh god a simple solution! Just keep reading, maybe grab a beer if you function better that way.
    Problems Addressed:

    'Hacked' Sythe Accounts
    'Hacked' Instant Messaging Accounts
    Differentiating fake and real Instant Messaging Accounts

    Here's the delivery:

    - PGP Key Encryption -

    For those of you who haven't come across this yet in their internet-life, that might be a good thing. It's gained its popularity largely due to -cough- deepweb -cough- and I feel as though it could have its uses here at Sythe.

    So, what is it? Well, PGP keys are used to encrypt messages into blocks of code, code which only the receiver can understand and sender can type (yes you probably read that correctly).

    I will get into a PGP Encryption tutorial further down but for now I will discuss how this works, how this will help, how it should be implemented, etc.

    --I'd recommend you read this following question and answer solely so you can understand how PGP encryption usually works, although it is not necessary.--

    How does PGP Encryption work when it comes to trading? (Simplified in Paren)
    There are two endpoints in this system, one being the client and the other the seller. The client has the ability to translate a message from English into a 'public' PGP block given by the seller (let's pretend that's a different language). That is all the client has the ability to do. Once the message has been encrypted into the PGP block, ONLY the seller can understand it. The client does not even have the ability to decrypt his now encrypted message (because the client does not understand this language, nor can find out what language it is, he can only speak it). The seller is the only one who can decrypt the message because he is the only one with access to HIS private key (he is the only one who will ever know what language it is and fully understand it as opposed to just being able to speak it). In this message that the client sent, though, was another key, the client's 'public' PGP block, which acts the same way that the seller's PGP block acts towards the client. The seller will now send a message back using the client's public PGP key which only the client will understand. So on and so forth.

    Implementation in Sythe Trading –

    If you read the above question/answer, you now have some general knowledge of how PGP encryption works. If not, you are fine, but you may find the following a little bit harder to understand.

    Basic Steps:

    Step 1: Seller creates a default key
    Step 2: Seller reveals public key on thread
    Step 3: Buyer encrypts message using seller's public key
    Message Includes: Basic trade/contact, etc. info and the buyer's public key
    Step 4: Via PM (preferred) or IM, buyer gives encrypted PGP block to seller.
    Step 5: Seller decrypts message
    Step 6: Seller contacts client via IM/PM (not PGP) and verifies that the client's public key is indeed theirs.
    Step 7: Basic discussion involving trade (do not reveal important/personal info(client))
    Step 8: Both sides compromise (still not having revealed any critical info (client))
    Step 9: Seller encrypts a message to buyer asking for any essential info needed for the trade
    Step 10: Buyer decrypts message
    Step 11: Buyer encrypts message with his/her essential info that is needed
    Step 12: Trade carries out via IM/ PM or PGP (for those who want to be 'extra' safe)


    THIS IS NOT THE TUTORIAL, THIS IS JUST A BASIC IDEA ON HOW IT COULD BE USED.


    How will it help?
    If a seller's Sythe account or MSN account gets hacked, there remain two things that haven't been found out: the seller's private PGP key (which is ALSO password protected) and the buyer's public key, which is now the only barrier between the 'hacker' and his prey. Implementation of this idea will require that both the seller and client communicate important information ONLY using PGP encryption/decryption. This barrier not only stops the hacker from accessing any important information that was given to the seller from the buyer but also adds another way to verify that the seller is indeed the seller that you think it is by matching up the public PGP key he or she gives you via IM with the one in the seller's thread.


    I'm aware that some of you may have some more questions, please read until the end as I will include a small FAQ at the end of my thread.



    ----------------------------Onto the Tutorial (It has pictures! I promise!)----------------------------

    In the following tutorial you will be given links to applications needed, and all the instruction on how to get your own public key, etc.

    Only one program is necessary:

    GPG4WIN 2.1.0 - GPG 2.1.0
    http://www.gpg4win.org/download.html

    Setup Tutorial:

    Start: Download GPG 2.1.0 from the above link.

    Once it finishes downloading, run the .exe file.

    You should get a window like this:
    [IMG]

    Hit next and you should get here:
    [IMG]

    Click next once more:
    (Once you are at this window make sure you have everything I have checked off)
    [IMG]

    Click Next, choose your target location at this window:
    [IMG]

    Choose next and create any shortcuts you find necessary:
    [IMG]

    Next, click next:
    [IMG]

    At this window, check off the box and hit next:
    [IMG]

    And then finally finish:
    [IMG]

    ----------End Setup Tutorial----------

    CREATING A KEY AND OBTAINING YOUR DEFAULT PUBLIC KEY

    Go to your Start Menu > All Programs > gpg4win > GPA

    Once it opens you should see a window like this; click Keys at the top of the window and go to New Key:
    [IMG]

    Type all the necessary information once the window opens:
    [IMG]

    Hit Okay.

    You will be asked for a pass phrase. I would recommend you make a brand new one up, at least 15 characters and not similar to any passwords you currently have in use:
    [IMG]

    Hit next.

    You then have to re-enter your pass phrase:
    [IMG]

    Hit next and you will be brought back to the beginning screen, now with your default key:
    [IMG]

    Make sure the key you just made is selected and hit export at the top of the screen. You will be asked for a file name to export as; I recommend typing yourname.txt because it will export your key as a text file so you can view it. Select a location to export it to and hit save:
    [IMG]

    Find your text file and open it; this is your public key, which you can give away to people for contacting you:

    [IMG]

    End Creating Key and Obtaining Public Key

    Start Encrypting and Decrypting Tutorial

    In order to encrypt or decrypt a message, start by clicking clipboard at the top right hand corner of the window:
    [IMG]

    A new window will open. The text box is where you will type the text which you want to encrypt (in this case it would be trade info and your own public key since this is going to be encrypted to another person's key):
    [IMG]

    Once you have your message typed up, hit encrypt at the top. A new window will open up with all the keys you have in your 'keyring'. Currently that would only be the key you made; if you'd like to test it out, highlight your key and hit Okay:
    [IMG]

    Your text should have changed into a PGP block like this:
    [IMG]

    Decrypting a message is as simple as copying and pasting a PGP block into the clipboard text field, hitting decrypt, and then typing your password:
    [IMG]

    And then the PGP block should turn into plain text like so:
    [IMG]

    --------------------------------------------------------------------------------

    FAQ:

    How do I import other people's public keys?
    In order to import others' public keys you have to copy their public PGP block into a .txt file and place it somewhere you will remember. Once you are at the main window, hit import and find the file, highlight and click OK. The program should recognize the key and it should now be in your keyring.

    How are moderators supposed to enforce this?
    There is a large multitude of ways moderators can help ensure this system works, all of which should take only 10-15 minutes a week. I will go over this once I receive some feedback on the general idea that I've come up with.

    What is this preventing exactly?
    Encrypting messages in the way I mentioned in the above tutorials can prevent any info regarding accounts, payment methods, currency exchange, etc. from being revealed to 'hackers' in case your or another person's account is compromised. Likewise, it can also aid in confirming a user's identity since the only person who can understand a message encrypted using their key is themselves.

    If this is simple, why does the tutorial seem so long?
    The tutorial isn't really long, and once you understand the basic idea, encrypting and decrypting a message will only add a few minutes to trade time and an unparalleled level of security.

    What are you suggesting exactly?
    For Sythe members to adopt this method of contact in order to make trading information safer from hackers, which can only be fully done with community approval.

    I would love some feedback on the idea, it was a good time-killer. Thanks for reading.
     
  3. Unread #2 - Aug 5, 2011 at 7:28 AM
  4. Jeff

    If anyone is having trouble reading the dark blue text as I did, simply highlight over it and it will be readable. ;)

    OT: After reading your 'suggestion', I found this more as a 'guide' because it is a more user-related 'suggestion', rather than a site suggestion.

    I don't see how staff can 'enforce' this, particularly only spending 10-15 minutes a week?

    I honestly do not see many, if any at all, people using this.

    Unless they are absolutely concerned about their personal security over a large exchange, then perhaps.

    Otherwise using this technique would definitely be much more of a hassle to most people.

    However I do like the concept, but as I've already stated, I would consider this more of a guide than a suggestion.

    Good effort though.
     
  5. Unread #3 - Aug 5, 2011 at 7:45 AM
  6. Hax4You

    I had trouble differentiating it from a guide as well after I had finished typing; admittedly it started as a small idea and I just kept going.

    I was assuming that this should be a site suggestion since black market trading has obviously advanced greatly, I for one had never seen this many people buying and selling @ $1k USD + so often. Yet I still see announcements regarding middlemen, or trusted members who are often seen in the black market forum reporting as having been hacked, pretty much as often as I did back when I was more active in the forums around 2007 and 2008.

    This probably won't be necessary for everything, most definitely, but with people trading fairly larger sums of money, another user's incompetence in self-security shouldn't be a problem. This is a simple solution to a worrying problem. If only I knew how to make the guide shorter, because all of it really takes less than 5 minutes in itself.

    As for staff enforcement, it was going to be a simple PGP key submission, so staff could have on file what the PGP SHOULD be so when it is altered publicly on the forums, it can be spotted fairly quickly.

    EDIT:
    Now that I read over it more, I should probably move the tutorials to a guide section and rename this thread to "Encryption for High Profile Trades" and change the direction in which I was going. If I receive more feedback similar to yours I probably will go about doing that.
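
Added example (not part of any post in this thread, and not code from GnuPG or Gpg4win): the check described in posts #1 and #3, matching the public key received over IM against the one on the seller's thread or on file with staff, is more reliable on key fingerprints than on the armored text, because armor headers and line wrapping can differ for the same key. This Python sketch computes the OpenPGP version 4 fingerprint; the function names are assumptions of this example and the key blocks are constructed, non-functional samples.

```python
import base64
import hashlib

def dearmor(armored: str) -> bytes:
    """Return the binary packets inside an ASCII-armored PGP block."""
    lines = (ln.strip() for ln in armored.strip().splitlines())
    # Skip BEGIN/END lines, armor headers and the CRC-24 line (not verified).
    b64 = [ln for ln in lines
           if ln and not ln.startswith(("-----", "=")) and ":" not in ln]
    return base64.b64decode("".join(b64), validate=True)

def public_key_body(data: bytes) -> bytes:
    """Return the body of the leading public-key packet (tag 6)."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                          # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not handled")
    else:                                   # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        n = 1 << ltype                      # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[off:off + length]
    if tag != 6 or len(body) != length or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    return body

def fingerprint(armored: str) -> str:
    """V4 fingerprint: SHA-1 over 0x99, two-octet length, packet body."""
    body = public_key_body(dearmor(armored))
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def same_key(thread_block: str, im_block: str) -> bool:
    return fingerprint(thread_block) == fingerprint(im_block)

def constructed_block(modulus: int, header: str) -> str:
    """Build a CONSTRUCTED, non-functional RSA key block for the demo."""
    def mpi(x: int) -> bytes:
        bits = x.bit_length()
        return bits.to_bytes(2, "big") + x.to_bytes((bits + 7) // 8, "big")
    body = b"\x04" + (1312526400).to_bytes(4, "big") + b"\x01" + mpi(modulus) + mpi(65537)
    b64 = base64.b64encode(b"\x99" + len(body).to_bytes(2, "big") + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + header + "\n\n"
            + wrapped + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

# Constructed samples: one key with two different armors, and a different key.
ON_THREAD = constructed_block(2**511 + 187, "Version: constructed sample A")
VIA_IM = constructed_block(2**511 + 187, "Comment: constructed sample B")
IMPOSTOR = constructed_block(2**511 + 451, "Version: constructed sample A")
```

`same_key(ON_THREAD, VIA_IM)` is true even though the two text blocks differ, while `same_key(ON_THREAD, IMPOSTOR)` is false.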
     
  7. Unread #4 - Aug 5, 2011 at 7:59 AM
  8. Insane Gods

    Not a bad suggestion at all, but I would rather see a guide on securing your computer from Viruses, Keyloggers, RATs, Worms, and not being tricked by phishers.

    This is not a bad idea at all, but it would just be a big hassle for most people.
     
  9. Unread #5 - Aug 5, 2011 at 8:05 AM
  10. Hax4You

    That is funny because before I had proofread a little I had started off with a joke about how people somehow still aren't cautious enough to avoid downloading infected software.

    Although if it is really necessary I can do a long boring guide on that too!
     
  11. Unread #6 - Aug 5, 2011 at 10:15 AM
  12. The Black Tux

    It is not a bad idea, the problem would be implementing it fully :/
     
  13. Unread #7 - Aug 5, 2011 at 10:36 AM
  14. Karl V2

    Nice idea, I'll look into that program when I get the chance. However, this isn't something that the staff could moderate or control, and it's not really a site suggestion. We could advise this, but nothing else.
     
  15. Unread #8 - Aug 5, 2011 at 5:15 PM
  16. sl0ta

    Well, it seems that it will only slow all trades with a very complicated system; if you can make it simpler then it would be easier.
     
  17. Unread #9 - Aug 5, 2011 at 7:02 PM
  18. Palooza

    I've also seen another program which just encrypts anything you type and decrypts it which avoids keyloggers, that may also be better.
     
  19. Unread #10 - Aug 5, 2011 at 10:28 PM
  20. Jeff

    Definitely necessary. ;)

    The only 'problem' if this were to be compulsory (which will never be as it is almost near-impossible to enforce) is by detecting whether or not a user is actually using the program or not.

    However, this would be on a personal choice in my opinion.

    It's actually very simple to comprehend.

    I'd recommend using this for large trades.

    Care to share? :p
     
  21. Unread #11 - Aug 5, 2011 at 10:53 PM
  22. Blade

    Tl;dr

    Too difficult for the amount of trades that go on.
    No support.
     
  23. Unread #12 - Aug 6, 2011 at 11:31 PM
  24. Hax4You

    Okay, I'm obviously receiving a lot of feedback of it being too abstruse to implement all the time.

    Also, as I've put it through my head a few times, staff enforcement would have to be a tad bit different than I had previously thought... and yes it would take longer than 10-15 minutes a week. Precisely it would probably add at least an extra 15-30 minutes to each trade. Which, to me at least, is nothing in comparison to losing $300+ due to someone being 'hacked'. But that is where a middleman comes in, in fact as I'm thinking this over this would simply be a suggestion to staff to advise using the system and enforcement would be in the hands of the users and middlemen, and would barely add 10 minutes to a trade.

    As I've said before, I will probably change the title of the thread and alter a good amount of things, but only as soon as my new computer hardware decides to cooperate with me.

    Maybe this could become a more viable option for only large trades as stated by Jeff.

    Also @Karl, that is why I had put this as a site suggestion. I am hoping that people would recognize the simplicity and safety behind this simple piece of software and that staff would begin to advise members, as mentioned before for large trades, to use it to protect themselves.

    Hopefully I cleared a few things up there.

    EDIT: Also it would be helpful if a moderator could change the title of my thread (if possible)?
     
  25. Unread #13 - Aug 11, 2011 at 11:07 PM
  26. Wulfspade1

    Not a site suggestion, but thanks for making this thread!
     