

It Was DPR, in the Tor HS, With the BTC - ctoth
http://grugq.github.io/blog/2013/10/09/it-was-dpr/

======
j_s
Watch the author's 'OPSEC for hackers' presentation of the slides linked in
the article:

[http://www.youtube.com/watch?v=9XaYdCdwiWU](http://www.youtube.com/watch?v=9XaYdCdwiWU)

slides: [http://www.slideshare.net/grugq/opsec-for-hackers](http://www.slideshare.net/grugq/opsec-for-hackers)

~~~
grugq
ta.

~~~
ihsw
It's a pretty good presentation, and it cannot be understated that good
security is hard to quantify until shit hits the fan. Especially in an
environment where "hackers are no longer the apex predator."

In case of living life on the edge (of legality), all it takes is one slip-up
and then you're doing 40 years of hard time. In terms of predator-prey,
hackers will now always be running and desperately looking behind them.

Good advice: Predators _always_ love playing with their prey, so make sure
you're not being manipulated.

~~~
zalew
> Especially in an environment where "hackers are no longer the apex
> predator."

and especially in an environment where your peers sing like canaries because
they usually lack the (violence-driven) codex regarding the treatment of
snitches. and yeah, I remember the case of that tortured guy from that cc
forums, but from what I read about all those arrests, it's an exception that
proves the rule.

~~~
ihsw
It has nothing to do with codex or creed or any of that, it's simply self-
preservation. Most people aren't ideologues willing to go all the way (to
death and destitution) for their ideals.

~~~
zalew
yes. I misused the word, sorry. I was thinking of codex as a set of strict rules,
not a set of ideological values and mafia-family bullshit.

~~~
grugq
There are almost no organisations that expect a code of silence indefinitely.
It is not really a practical expectation of a human being. Most covert
organisations (e.g. Hizbollah [0], KGB [1], IRA [2]) will expect their agents
to remain silent long enough for everyone else at risk to escape.

This is what happens when you remain silent rather than turn informant [3]. I
have immense respect for Stephen Watt for keeping his honor, but I would not
recommend taking that path to anyone in a similar situation. Lawyer up, and
angle for the best plea deal you can get.

[0] [http://grugq.tumblr.com/post/61946725012/hizb-allah-resurrected-the-party-of-god-s-return-to](http://grugq.tumblr.com/post/61946725012/hizb-allah-resurrected-the-party-of-god-s-return-to)

[1] [http://grugq.tumblr.com/post/59968838056/mastering-secret-work](http://grugq.tumblr.com/post/59968838056/mastering-secret-work)

[2] [http://tensmiths.files.wordpress.com/2012/08/15914572-ira-green-book-volumes-1-and-2.pdf](http://tensmiths.files.wordpress.com/2012/08/15914572-ira-green-book-volumes-1-and-2.pdf)

[3] [http://infiltratecon.com/watt.html](http://infiltratecon.com/watt.html)

~~~
zalew
Tx for the links, seem interesting, saved them for a later read.

Yeah, you are absolutely right, but still I wouldn't compare lulzsec to the
orgs you mentioned or mobsters. Let's get this straight - no hacktivist or
cracker was found hanging on the cell bars or shot in the woods, that's just
not a comparable environment to serious organized crime. If nobody is afraid
even of getting their knees broken, not to mention ditched in a hole, is there
_anything_ stopping them from snitching the minute LE shows up at the door?
Snitching is punishable for a reason, and there is a reason that ruleset goes
all the way down to street level crime or even minor offences (that last one
actually differs among places for cultural and political reasons).

~~~
grugq
Informants are the greatest fear of all clandestine organisations. The reason
for this is that they are privy to sensitive information that can be used to
damage other members of the organisation.

Read the links I posted. Read this analysis of evolving terrorist tradecraft:
[http://grugq.tumblr.com/post/61952592764/evolution-of-terrorist-training](http://grugq.tumblr.com/post/61952592764/evolution-of-terrorist-training)

Modern clandestine organisations use strict compartmentation to limit the
information available to operatives so that informants have limited
information. Examples of this exist even in the movies:
[http://grugq.github.io/blog/2013/03/11/opsec-lessons-from-resevoir-dogs/](http://grugq.github.io/blog/2013/03/11/opsec-lessons-from-resevoir-dogs/)

------
AJ007
Criminals isolate, target, and research individuals based on this information.
This includes everything from simple identity theft to murder. You may also
recall numerous yahoo email address "hacks" based off easily locatable answers
to security questions of public figures.

There are some basic lessons here that are applicable to anyone using the
internet, even just for casual reasons. That includes your parents or
grandparents. What do you think the chances are that they would be able to
proactively defend themselves against someone tearing apart their private
lives based on information they didn't even know was public?

- Not sharing/linking email addresses to an alias

How is this relevant? This could be as basic as not wanting to link your
persona as a member of the town council to your postings in a World of
Warcraft forum.

Even if your life is mundane and none of your hobbies are embarrassing this is
still important. Forum posts, which most users treat as casual chat, along
with many social media interactions are permanent, public, and searchable.

There is no compelling reason to allow anyone in the world to know an enormous
amount of personal details about you. At least on your Facebook page, if
Zuckerberg hasn't recently screwed with your privacy settings, you are
narrowing the number of people who can look at these things.

I'm not going to endorse any particular services, but many sites allow you to
search accounts by email address. Amazon, in particular, can reveal your
public wishlist based on email address (rossulbricht@gmail.com shows an
account but not a wishlist.) You can figure out a lot about a person from
their wishlist + reviews.

Quite frankly I think this all is very relevant and _mass_ marketable to
anyone building tools and products to firewall personal information.
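
The linkage the comment above describes (one shared email address, key or handle collapsing two personas into one) is easy to demonstrate mechanically. The following is an added example, not code from the commenter or from the grugq post; the account records and the `*.example` site names are constructed for illustration, and the email normalisation assumes Gmail's documented behaviour of ignoring dots and `+` suffixes in the local part:

```python
"""Persona linkage by shared identifiers (constructed example, not from the post).

Each Account is one profile on one site. Two accounts that share any
identifier (normalised email, PGP fingerprint, or reused handle) end up in
the same cluster; the cluster also records which identifiers did the linking
so an analyst can judge how strong the link is.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    site: str
    handle: str
    email: Optional[str] = None
    pgp_fpr: Optional[str] = None


def normalize_email(addr: str) -> str:
    """Canonicalise an address so cosmetic variants compare equal.
    Gmail ignores dots in the local part and anything after '+', so
    'John.Smith+council@gmail.com' and 'johnsmith@gmail.com' are one inbox.
    Other providers are only lower-cased here (assumption: no aliasing)."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def identifiers(acct: Account):
    """Yield (kind, value) keys that can tie this account to another.
    Email and PGP fingerprint are strong links; a reused handle is weaker
    (common handles collide), so the kind is preserved in the evidence."""
    if acct.email:
        yield ("email", normalize_email(acct.email))
    if acct.pgp_fpr:
        yield ("pgp", acct.pgp_fpr.replace(" ", "").upper())
    yield ("handle", acct.handle.lower())


class UnionFind:
    """Disjoint-set forest used to merge accounts transitively."""

    def __init__(self, n: int):
        self.parent = list(range(n))

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_personas(accounts):
    """Group accounts that share any identifier.

    Returns a list of (members, evidence): members is a set of (site, handle)
    pairs, evidence the set of (kind, value) keys that appeared on more than
    one account in that group. Accounts with no shared key form singletons."""
    uf = UnionFind(len(accounts))
    first_seen = {}
    shared = set()
    for i, acct in enumerate(accounts):
        for key in identifiers(acct):
            if key in first_seen:
                uf.union(first_seen[key], i)
                shared.add(key)
            else:
                first_seen[key] = i
    members = defaultdict(set)
    evidence = defaultdict(set)
    for i, acct in enumerate(accounts):
        root = uf.find(i)
        members[root].add((acct.site, acct.handle))
        for key in identifiers(acct):
            if key in shared:
                evidence[root].add(key)
    return [(members[r], evidence[r]) for r in members]


# Constructed sample data: a "respectable" council persona, a gaming persona,
# a trading-forum persona, a keyserver upload and an unrelated gardener.
FPR = "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678"
SAMPLE_ACCOUNTS = [
    Account("towncouncil.example", "j.smith", email="John.Smith+council@gmail.com"),
    Account("wowforum.example", "frostmage42", email="johnsmith@gmail.com"),
    Account("tradingforum.example", "frostmage42"),
    Account("gardening.example", "rose_grower", email="rose@example.org"),
    Account("keyserver.example", "frostmage42", pgp_fpr=FPR),
    Account("techforum.example", "nullwave", pgp_fpr=FPR.lower()),
]

if __name__ == "__main__":
    for group, why in link_personas(SAMPLE_ACCOUNTS):
        print(sorted(group))
        for kind, value in sorted(why):
            print(f"    linked by {kind}: {value}")
```

Run it and the council persona, both `frostmage42` profiles and the `nullwave` account collapse into one cluster (email, then handle, then PGP fingerprint carry the chain), while `rose_grower` stays alone. The point for the reader is that only one of those links has to exist for the whole chain to close.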

------
kiba
If I were still an anarchist/hardcore libertarian, hiring hitman would still
be unacceptable.

(It doesn't still make me root for the FBI though)

~~~
MichaelGG
He was left in a very terrible situation and decision. He was facing someone
who was willing to destroy many other people's lives (assuming drug dealers
would be arrested). If you take that as a given prior, then the step of
deciding to prevent that person from hurting others seems like basic self
defense (while noting that the USG prevented him from using other measures).

Edit: There's always still the possibility that DPR was aware he wasn't hiring
hitmen, but felt it was the best negotiation tactic.

~~~
tptacek
The premise of this comment is that the harm of having someone killed is
outweighed by the harm of reporting a community of people to law enforcement.

~~~
MichaelGG
Sigh, I guess I was not clear enough with "If you take that as a given prior".

If you do have the assumption, axiom, belief, whatever, that drugs are moral
and ease suffering, and that releasing data on these people will lead to long
lives in prison, causing a chain of disastrous effects on many families, then
yes, stopping the person that is _trying to harm these other people_ may be
considered.

Many people die each year due to the USG's war on drugs policy, and it has a
violent effect on many of the countries to the south of Texas. Just for a bit
of context/scope.

Edit: On second reading, I actually dislike your rhetoric even less. You can
rephrase anything as a series of immediate actions. It's not the harm of
"reporting to law enforcement" it's what happens next.

~~~
tptacek
The response that your second reading of my comment generated seems to be "you
didn't fully consider the impact of reporting someone to law enforcement, and,
by implication, could be incorrect in your weighting of whether it might be
justifiable to have someone killed to prevent them from doing that."

~~~
MichaelGG
Given the stated assumptions, yes. Is there a flaw in that logic?

To arrive at another outcome, you'd need to weigh the suffering and somehow
decide that a single person's life, _who is actively trying to hurt others_
(that is, they aren't an innocent bystander), is somehow worth more. In some
scenarios this can be a philosophical debate (how much small annoyance to
millions of people is one other person's life worth?), but with an _active_
adversary and no other course of action, it seems like the only rational
decision.

You seem to be indicating that in this scenario you'd always value a single
person's life (despite their actions) above many others' suffering. Is it
because you view LE as morally superior, or do you have another set of priors
that shape your reasoning?

~~~
tptacek
I don't need to interrogate my priors to come to the conclusion that it is
invariably wrong to order hits on people.

~~~
MichaelGG
Further down in the comments, you indicated it was OK in the case of Nazi
Germany since it wasn't "real" law enforcement and it "involves certitude".
That seems to indicate to me that you don't actually believe it's "invariably
wrong".

~~~
tptacek
Ridiculous and a little offensive.

~~~
MichaelGG
OK, easier scenario: A guy is insane, and is going to murder 20 people. Your
only option is to ask his friend to kill him. Is it still "invariably" wrong?

Anyways, my original question to you (and on other threads, like where you
appear to defend seizure actions) is where exactly are you getting your
priors? In all your replies you just rephrase things as if we're supposed to
draw the right conclusion.

And I'm only asking because it's you, someone proven in security and rather
insightful on many threads.

If it's just an innate, fundamental belief you hold, fine. I was just
wondering if you had some special source or logic that lets you decide these
things so absolutely.

------
Stately
Am I the only person who was sure this post was going to mock excessive use of
acronyms?

~~~
hackerboos
I just thought it was a Cluedo
([http://en.wikipedia.org/wiki/Cluedo](http://en.wikipedia.org/wiki/Cluedo))
joke.

~~~
grugq
Yeah, it is.

------
nachteilig
I remain surprised that he operated from America, especially if he was truly
as socially isolated as this post suggests.

~~~
MichaelGG
His operational model should have been fine. He should have acted as if he was
acting on the DEA's front lawn. He made fatal operational mistakes. If he was
somewhere else, he may have even acted more carelessly.

Living somewhere else would be a minor hurdle. SR was an international site.
Even without an extradition treaty, the feds would go to the country, say
"psst, wanna hit a major international drug dealer?" And local police could
bust him, jail him, then deport him, and then the USG could try him too.

If your opsec relies on you laughing from some small country, hoping legal
barriers prevent your capture, you've totally failed.

Edit: He _should_ have panicked as soon as agents visited him, but I guess he
probably talked himself down. Probably figured "well they already have me or
they don't", which, was probably true.

~~~
grugq
Yeah. He should have lammed it as soon as the feds first talked to him. Really
he should have run much sooner. At that point, the only option for him would
have been life as a fugitive on the FBI's most wanted list. It was too late.

The key question for me is still: how did the FBI locate the Silk Road hidden
service servers? They never disclose how that was accomplished. If they had an
assist from the NSA in breaking Tor, I would like to know. It has been shown
that Tor hidden services are not anywhere near as secure as they are thought
to be... but has anyone done a practical attack in the wild? Enquiring minds
want to know!

Edit: looks like he did move after the feds showed up.
[http://www.forbes.com/sites/ryanmac/2013/10/09/living-with-ross-ulbricht-housemates-say-they-saw-no-clues-of-silk-road-or-the-dread-pirate-roberts/](http://www.forbes.com/sites/ryanmac/2013/10/09/living-with-ross-ulbricht-housemates-say-they-saw-no-clues-of-silk-road-or-the-dread-pirate-roberts/)

~~~
MichaelGG
Running probably wouldn't have helped too much. I think his Forbes interview
was an advertisement for "hey, I want to cash out, buyers please contact me",
and a weak attempt at throwing people off his personal trail.

I find it VERY odd how they mention they imaged the server with zero
information on how they found it. Smells very funny, like they intentionally
left that part out. If it was a simple "we asked Rackspace for files on a one
Ross Ulbricht" then they'd have said so.

OTOH, they may want us to think it was a secret attack, when it was just more
of DPR's poor opsec. If he ordered fake IDs to hire servers but with his real
picture... who knows.

------
pearjuice
Funny how everybody says that he should have done this and not done that. It
is really an overwhelming experience to speculate and comment on past matters
but don't forget that it was him who actually did it. Who actually ran the
market place. Who cashed out and probably has reserves here and there. Who
pressed that "submit" button on stackoverflow. You weren't capable of doing
so. You think you have better ideas about it. That you could "disappear" and
never get linked to the real "you". I am not daring you to try it, as it
can land you behind bars, but I am just saying that unless you actually
experienced and lived all of this - the commentary is nothing more than a
theoretical shim which will never become reality.

~~~
MichaelGG
I'd agree with this sentiment except the mistake is a very fundamental, very
flawed one: reusing the same ID. And it was made right at the beginning, when
energy is highest. It's not like he made long mistakes over the years leading
to an eventual arrest. He allegedly started off by posting with the same ID as
his physical person.

~~~
esrauch
Honestly it is more understandable to make that type of mistake at the
beginning; there is no way he could have reasonably assumed that he would
later have the level of fame that would make the feds run a high priority
effort specifically to catch him.

