The Technologies That Betrayed Silk Road's Anonymity

itwbennett writes Silk Road was based on an expectation of anonymity: Servers operated within an anonymous Tor network. Transactions between buyers and sellers were conducted in bitcoin. Everything was supposedly untraceable. Yet prosecutors presented a wealth of digital evidence to convince the jury that Ross Ulbricht was Dread Pirate Roberts, the handle used by the chief operator of the site. From Bitcoin to server logins and, yes, Facebook, here's a look at 5 technologies that tripped Ulbricht up.

Stupidity is a technology now?

Looks like I might have my shot at being a multimillionaire.

TL;DR

[OverlordQ]

Rusty treated OpSec as suggestions instead of law.

Re:TL;DR

[Jeremi]

Rusty treated OpSec as suggestions instead of law.

Of course, he also treated the law as suggestions instead of law. I have no sympathy at all. :P

More than a little retarded

[HBI]

If I were running a criminal enterprise via my computer, wtf would you go out in a public place and do so? At least sit in your car or something.

Why would I have a facebook account?

Why would I be advertising on facebook for people to join my enterprise?

Why would I keep logs of any sort?

There is so much stupid here, it hurts. Some "Dread Pirate" he turned out to be.

Re:More than a little retarded

[hodet]

Sounds like a case of hubris. He was overconfident in his abilities and probably got more and more sloppy as time went on, convincing himself that he was too smart to get caught.

Re:More than a little retarded

[taustin]

The cops don't have to be smarter than the crooks to catch them. They only have to be competent, and patient.

Re:More than a little retarded

It seems to me, that when he was just starting he didn't realize the magnitude of the enterprise he was launching; later he tried to go back & cover his tracks, but couldn't do it completely. And then he made a few slipups along the way.

Re:More than a little retarded

[demonlapin]

As the saying goes, it's not enough to be smarter than every cop; you have to be smarter than all the cops put together.

Re:More than a little retarded

[rogoshen1]

also the cops only have to 'get lucky' once. the criminal (or suspect) needs to be lucky 100% of the time. The odds are definitely in the police's favor.

Re:More than a little retarded

[Comrade+Ogilvy]

Yup. The real secret to not being caught by Columbo is not, as would be geniuses tend to think, by having a "full proof" scheme by which Columbo will never be able to prove you did it. It is by never showing up on Columbo's suspect list in the first place. Ulbricht's post that reveals his email was probably his doom, putting him on a select list of mere hundreds of people who knew about Silk Road early in the game. Then it becomes a numbers game, and the list shortens and shortens until the Dread Pirate has made one too many small errors.

Re:More than a little retarded

[blueg3]

This is true.

I mean, the "cybercrime" investigators that work for the FBI are not stupid and they're not incompetent. If you're running a large, well-known drug-selling site, they probably will put resources into finding you. On top of that, the deck is really stacked against you -- as a criminal, you need to avoid making any mistakes, while the investigator only need to wait for you to make a mistake. They're patient. (And "investigator" is not just people working for the police -- it's also anyone who might both have reason to dislike you and also motivation to reveal your identity to the police.) So, it may well be possible to hide indefinitely from prosecution, but it's not easy.

Re:More than a little retarded

Posting anonymously, just because. :-)

While I am not, and have not been involved in any criminal matters, I happen to be somewhat paranoid about my privacy. If you have.. interesting private fetishes that won't get you into any legal trouble but WILL generate mockery from your co-workers, you learn that in that private world you have to simply be very careful.

Let me tell you, if you want to keep your professional and private lives separate, being 'careful' for decades is very, very difficult. You always have to resist the impulse to chat about what you do at work, lest you create a connection between the two. You have to resist posting about each side in their various communications forums.

Maintaining privacy for extended periods of time is just difficult. For a week? Sure! Constant vigilance! Wheee! After a year, you start to slack off. Maybe you start to think "fuck it." Maybe not getting caught with anything will make you lower your guard. Maybe there will be a point of time when you start to take shortcuts. You may also greatly regret the public Usenet postings you made under your real name in your early college years when you were young and dumb and thought "privacy? Who will ever care about this?" You might even think "eh, I'm tired of being in the closet. Who really cares if I'm a furry anyway? I don't even do any of that weird stuff people would associate with them."

Then you come back to your senses and get back into the closet, and keep your two lives separate! But boy, it's difficult to not accidentally leave evidence around Google, etc.

Good lord, that photoshop job.

[Sowelu]

Not much really needs to be said.

Non-repudiation

[mitcheli]

The advantages to Encryption and defense-in-depth strategies is they are based on the triad of information assurance, one key of that is "non-repudiation". The "downside" to non-repudiation is the ability to connect the dots come litigation time. Interesting that they mention that the SSH sessions used key based authentication when the opposing attorneys claimed that anyone can name their systems "frosty" and use the login name "frosty". My question is, did the key on the laptop that was supposedly logged in as "frosty" also correlate to the key on the server? If so, the "anyone" list just got a lot smaller.

Problem Exists Between Chair and Keyboard

[darkmeridian]

I think the knee-jerk response is to say that the problem exists between the chair and keyboard. Just reading the article makes it impossible to draw another conclusion. He was nabbed in a public library before he had a chance to turn his laptop off so nothing was encrypted. Similarly, ARE YOU TAKING NOTES ON A CRIMINAL FUCKING CONSPIRACY? Why would you ever keep data in plain text even if the hard drive is encrypted? I am not expecting the FBI to raid me at any time, but just out of caution, I have my computer encrypted using Bitlocker (yeah, I know) and all data at rest is stuck in a hidden TrueCrypt partition. If I want to access it, I have to sign in separately. But most hilariously, he had a stupid freaking Facebook page that linked him directly to his true identity and Silk Road.

However, this only underscores how difficult it is to have operational security for any complex business. At some point, he needs to keep track of all transactions, with reasonably easy access. It's a pain in the ass for me to repeatedly log in and access data. I can only imagine how difficult it must have been to conduct business. I guess the bottom line is that physical security is crucial.

How do we know this is not parallel construction?

[Magnus+Pym]

This seems like a perfect use of parallel construction: figure out who he is by using illegal/secret technologies, and develop a plausible narrative of how legal methods were actually used. Maybe we are jumping too quickly to the "He was stupid" conclusion.

Re:Feds tipped hand

Oh boy, that is what they want ***YOU*** to think.

Just read how Churchill ordered "recon planes" to "mysteriously" show up five minutes before the bombers dropped the ordnance on the u-boats.

He fooled Admiral Dönitz with that method.