De-anonymizing ransomware domains on the dark web (talosintelligence.com)
153 points by auiya on June 28, 2022 | hide | past | favorite | 49 comments



#1 and #2 really should just be a part of #3: catastrophic opsec.

I don't know what it is about people who run these criminal enterprises on the darknet, but they constantly seem to be failing even the most basic of opsec. Re-using identities across multiple services, using e-mail addresses with real names, posting photos with identifiable information (and before websites stripped metadata for them, often posted with metadata), etc. I mean it's nice that they are making it easier to catch themselves, but at the same time I can only wonder how some genius can invent some novel and complex ransomware operation just to turn around and use the email they've had since they were 13 to register the services that operate it.


I suspect anywhere in the world, if you're capable of avoiding all 3 of these, you can get a job that pays in the 85th-99th percentile for your country, and 60th percentile globally.

It's not a particularly high bar, but I suspect the majority of technically apt people would fail it.

People with lucrative work available legally have more to lose and less desperation to engage in activities that are both illegal and malicious.


> you can get a job that pays in the 85th-99th percentile

Being in the 85th-99th is no longer attractive. Because of the extreme level of taxation, people who earn real money are not included in those statistics, as in they are not paid a salary.

In my country (UK), being in the 85th-99th percentile means you'll have an okay-ish life. After years of saving you may be able to afford an old terraced house and a second-hand, couple-of-years-old car. Oh, and if you decide to have a family and your spouse won't be working, then you are screwed.

These indicators are no longer what they used to be.


Notwithstanding a slight bump due to covid, taxes across the West are at the lowest levels they've been since before WW2.


You only catch those who make those mistakes.


Yes, thanks for that.

My point is that those mistakes are made by plenty of ransomware gangs, some of the largest dark markets to ever exist (AlphaBay, Silk Road, etc.), Freedom Hosting, and more. All of which were, at some point, major entities on the darknet making absolutely rudimentary opsec mistakes.


You only have to slip up once to get caught.

Some of the people caught on those listed examples had great Opsec... until that one time where they messed up and then suddenly ended up in jail.


Which ones of my list had great opsec? I'm not denying what you said, it only takes one slip up, but in the cases I mentioned by name:

AlphaBay used their regular hotmail account to send password reset emails, and that email was tied to their LinkedIn.

Freedom Hosting was taken down because the operators used outdated FF with javascript enabled.

Silk Road's Ross Ulbricht posted his personal Gmail address, linking the identities.

All of these are profound opsec failures, not just an oopsie that led to getting caught by talented LEOs.


What sort of answer are you looking for? All of these proprietors are human. Humans make mistakes and act irrationally at times. Criminal enterprises are complex. Opportunity for mistakes increases with scale. The guy who ran Doxbin is the only high-profile case I can think of with apparently flawless opsec, and that much only because he bailed before the long tail caught up to him.

The tightest opsec I've ever seen is maintained by disability fraudsters. Privacy laws protect the evidence anybody would need to present against you, so as long as you keep doctor-hopping and never admit to anything, nobody can touch you. These people tend to be reclusive and not public-facing, but with such low risk comes low reward; there's no real money to be made in it.

(...unless you're the doctor knowingly signing off on false diagnoses. This increases scale, at which point, the more of those you write, the greater the chances of some mistake made by you or any single one of your patients bringing the whole enterprise down.)


>What sort of answer are you looking for?

They said that some of the 3 I listed by name had "great opsec". I am curious which one of those they thought was great, and laid out why I think the opsec in these cases was really far from "great".

Maybe when they said "those listed", they were referring to the list on the website and not my list. In that case, I misunderstood and obviously my comment doesn't make much sense. But I presumed they were referring to my list.

>Humans make mistakes and act irrationally at times. Criminal enterprises are complex.

Agreed on both fronts.

But I think that the severity of mistakes is a scale, and some of the really big players on the darknet have made mistakes that I argue are much closer to the "really dumb mistake, trivially avoided" end of the scale, such as using your LinkedIn email to run your multi-million dollar black market.

>Opportunity for mistakes increases with scale.

Agreed. But none of the three examples I listed by name were affected by scale. Using outdated software with known vulnerabilities, posting your own email, and using an email connected to your LinkedIn are all not issues of scale.

Edit to clarify, as I think people may be misunderstanding me (maybe? hard to tell from just downvotes and no replies):

Opsec is hard. 100%. You have to maintain it basically forever, which makes it really hard.

But, if I walk into a bank intending to rob it and start shouting out my full name and address (or, say, left my driver's license at the scene), people would have a jolly laugh at how bad of a robber I was. This is analogous to using the same email to run your multi-million dollar black market as well as sign up for a LinkedIn account. Most people would agree that in my hypothetical, the robber made some really trivial mistakes. I'm not sure why it's so hard to say that for these darknet operators that basically did the same thing, but in computer form.


Compartmentation is the bedrock of good op-sec. Throwaway identities that are single use and then forgotten about.

Dwell time is important too. The longer you stay in the game, the greater chance you’ll slip up.


The original Silk Road supposedly had amazing opsec but they caught him because one time he used the same, oblique username to register something many years previous IIRC.


It sounds pretty easy to inadvertently visit a site on an old laptop with javascript enabled. Is this what counts as a profound opsec failure these days?

Remembering that you only have to make an error like that once.

And if all these high-profile people manage to get caught (It seems like pretty much everyone that isn't a nation state ends up getting found eventually!) then maybe it's not that these people are terrible at Opsec, it's maybe that it's much harder than it looks, especially when the government has access to tools that you have no idea about, and maybe it's inevitable that you make an error if you are a human operating for a long time, regardless of 'opsec' skillz.


>And if all these high-profile people manage to get caught (It seems like pretty much everyone that isn't a nation state ends up getting found eventually!) then maybe it's not that these people are terrible at Opsec, it's maybe that it's much harder than it looks,

I tried to make it explicitly clear, over several different comments in this thread, that I'm not saying opsec in general is easy nor am I saying that everyone who has been caught has made these easy-to-avoid mistakes. I am struggling to think of yet another way to word it, but here I go one last time:

A robber goes into a store and steals a bunch of money. On the way out, they leave their driver's license on the counter. Can we agree this would be a dumb mistake? This doesn't mean that all robbers ever caught made dumb mistakes; some robbers are caught through extraordinary police work and with the help of several technologies (DNA, facial rec, whatever). Those robbers, while still potentially making mistakes that lead to their arrest, have not made extraordinarily dumb mistakes like leaving government-issued identification at the scene of the crime.

This concept applies to opsec and computers as well. You can slip up once and be caught through the smallest of mistakes. Or you can literally tell everyone who you are and be caught that way. Both are mistakes, but one is a trivially avoided stupid mistake, and the other is not.

Many other operators (of dark markets, ransomware gangs, etc.) have been caught, but I did not include them because the ways they were caught did not appear to be through dumb mistakes, but through intense technical means.


Okay, how about that darknet market where their frontend got seized by the Feds with the big "website seized" plaster, and then the market operator seized it back? That was hilarious.

the server was never seized and the operator was never sei

What about the currently existing markets still up? Just one trip to dark.fail to check.


Maybe the dark web makes people feel safe and they let their guard down? I cannot imagine why else someone would use their own email address in any transaction or operation.


You have to be a certain level of stupid to attempt these crimes, especially when you're up against such powerful nation-state adversaries. Stupid probably isn't the right word though. Lazy and arrogant might be more accurate.


The genius is the one selling the shovels to the gold diggers.


It's still illegal, so they might be exposed at some point through their "non-genius" clients.


Developers aren't Ops.


Not sure why there's a mystique over the "dark web", they're all still just websites, and suffer the same types of vulnerabilities.


Yeah, it would be rather unfortunate terminology to call websites outside the realms of Google and Bing the "dark web", as if somehow these services legitimize the internet itself.


The term 'deep web' refers to the subset of internet-connected information that is not widely published, e.g. on search engines, whereas the 'dark web' is specifically sites that hide their hosting information behind Tor, I2P, etc.

As unfair as it may be, a huge part of the usefulness of information is its accessibility, and these search engines currently hold a near-monopoly on which sites can generally be considered readily accessible, i.e. the 'surface web' above the deep web.


I would personally call telegram/viber/whatsapp/et al. groups/chats/channels the "dark web", since information is not indexed there and is basically decaying over time. About a decade or a decade and a half ago, forums flourished; it was really easy to find and share relevant information with relevant groups of interested people. I particularly was interested in car DIY service & retrofit topics. Unfortunately everything is mostly in messengers these days, which won users by offering real-time responses, but provide no real way of topic sorting or proper history. Duplicates of questions and answers on different topics and threads are mixed together into an information garbage bin.


> I would personally call telegram/viber/whatsapp/et al. groups/chats/channels "dark web", since information is not indexed

That's a really odd way of naming things.

They are not web, and "not indexed" usually is referred to as "deep web", not "dark web".


This should come in handy if I ever have to run a website on the dark web.


I know absolutely nothing about the subject but I would at least run nginx and tor in a docker container. Make sure no traffic comes out of the container on my public ip. Wouldn’t solve every problem but seems like it would solve…a lot of them? That and I could move it around a lot. Not sure if that’s good opsec or bad though lol.


There are plenty of noob mistakes to make when using docker, such as accidentally exposing your database port. A lot of MongoDB "hacks" in the past were due to this.


You’d probably want some traffic going out on your public IP because everything going via Tor is itself a suspicious activity and likely to draw attention.

The key is to ensure only legal stuff goes out on your IP and the illegal stuff is anonymised. Which is easier said than done.


Tunnel all the Tor traffic out through a VPN? I feel like there's probably a bunch of servers operating like that for legit reasons. They'd probably assume you're just seeding torrents or something.

You can do the same trick to connect to it from home - VPN use is common. You'd want a burner laptop, of course, and some physical box preventing the laptop from hitting anything other than the VPN.

I've thought about setting this kind of thing up for fun. You could get really fancy - talking to some hopbox through Tor where you script up actions to take asynchronously, to defeat timing attacks.


> tunnel all the Tor traffic out through a VPN?

Same problem. Tunnelling all of your traffic will look suspicious and thus stand out from the thousands of other people who don't tunnel all of their traffic. If I recall correctly, one of the documents Snowden released even specified that people who tunnel all of their traffic via VPC land themselves on government lists for closer monitoring. Regardless of whether this is true or not, creating a lot of legitimate traffic on your same gateway should still make it harder to fingerprint you as someone who engages in activities that warrant closer inspection.


Okay, tunnel all your Tor traffic through a VPN and also seed Linux ISOs, then, both through the VPN and publicly?


The best approach really is just to use a VPN for specific purposes. Everyday traffic, checking the news, personal email, etc. shouldn't be via VPN. You should buy yourself a dedicated laptop for "work" with all that traffic going via VPN+Tor. Don't use your "work" laptop for anything personal, and vice versa with your personal devices.

This keeps things simple (conceptually) while also effortlessly creating genuinely normal-looking traffic. However, eventually you'll still get caught. It doesn't matter how careful you are, you only need to slip up once.


Avoiding all of this is incredibly basic and borderline common sense.

When running a darknet site you don't want associated with the clearnet, step one should be only having the http server listen on the Tor onion domain!


Looks like every server they busted broke at least one rule from the opsec info posted here just a month or two ago. Classic.


There is no silver bullet when it comes to protecting against ransomware. A prime example of this was the WannaCry virus attack in May 2017, where 200,000+ computers worldwide were infected due to a weakness in Windows SMB, EternalBlue, which allowed hackers to hijack computers running on an unpatched Microsoft Windows operating system. Users were asked to pay anywhere from 300-700 bitcoins to decrypt the data in 3 days.

https://www.spiceworks.com/it-security/cyber-risk-management...


Basically they found some darknet onion sites whose operators reused the same unique favicon, self-signed TLS certificate, etc. on other sites hosted from public IPs. And in one case left a secret key in a publicly-accessible configuration file.
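A defender-side audit of the overlap described above, checking your own hosts for artefacts shared between an onion service and a clearnet host. This is an added example, not code from the article or the thread; the favicon bytes and PEM bodies are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
from itertools import combinations

def _pem(der: bytes) -> str:
    """Wrap placeholder bytes in PEM armour (constructed, not a real cert)."""
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

# Constructed sample: an onion host and three clearnet hosts (RFC 5737 addresses).
SAMPLE_HOSTS = {
    "abcdefghijklmnop.onion": {"favicon": b"ICON-A", "cert_pem": _pem(b"CERT-A")},
    "203.0.113.10":           {"favicon": b"ICON-A", "cert_pem": _pem(b"CERT-A")},
    "198.51.100.7":           {"favicon": b"ICON-B", "cert_pem": _pem(b"CERT-A")},
    "192.0.2.25":             {"favicon": b"ICON-C", "cert_pem": _pem(b"CERT-C")},
}

def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the usual certificate fingerprint."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def favicon_fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def fingerprints(host_assets: dict) -> dict:
    """Map each host to the set of (kind, digest) artefacts it serves."""
    return {
        host: {
            ("cert", cert_fingerprint(assets["cert_pem"])),
            ("favicon", favicon_fingerprint(assets["favicon"])),
        }
        for host, assets in host_assets.items()
    }

def find_linkage(host_assets: dict) -> list:
    """Return (host_a, host_b, shared_kinds) for every pair sharing an artefact."""
    fps = fingerprints(host_assets)
    findings = []
    for a, b in combinations(sorted(fps), 2):
        shared = sorted(kind for kind, _ in fps[a] & fps[b])
        if shared:
            findings.append((a, b, shared))
    return findings

def onion_exposures(host_assets: dict) -> list:
    """Only the pairs that tie an onion host to a clearnet host matter here."""
    return [f for f in find_linkage(host_assets)
            if f[0].endswith(".onion") != f[1].endswith(".onion")]

if __name__ == "__main__":
    for a, b, kinds in onion_exposures(SAMPLE_HOSTS):
        print(f"{a} <-> {b}: shared {', '.join(kinds)}")
```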


Onion domains will never be good for anonymity. Too big of a surface area, too much potential leakage somewhere.


Did that last one remind anyone of Uplink[0]?

20 year old memories of proxying my ssh traffic through InterNIC just came flooding back!

0. https://en.wikipedia.org/wiki/Uplink_(video_game)


So certificates do not enable privacy; they take it away.

SSL may stop your roommate or ISP, but it provides another vector for linking to other entities.

I wonder how many are using this technique to link web properties together.


Anonymity of the origin server is not at all a design goal of SSL/TLS: in fact, the whole point is to tie a web host to a particular identity. Originally it was supposed to be legal identity, but that is actually fairly useless, so now it's just a domain name.

For end-users TLS and Tor both provide privacy; since you don't need to identify yourself in order to use https. In fact, with ESNI and DoH the only thing anyone snooping wire traffic can see is that you're connecting to whatever data center is owned by the company hosting the website.

The sites in the original article are criminal enterprises, which means they have the unique problem of needing the origin server to remain anonymous so that their hosting provider can't find out what they are doing. This is the one thing Tor does that TLS doesn't; and they were deanonymized by them insisting on providing a self-signed cert anyway. However, this is a particularly unusual threat model that is far harder to maintain. Even the whole anticensorship thing is usually just hiding what sites you're visiting from, say, the Great Firewall - we don't care that China can also use Tor to learn where Google's servers are.


What's the TLS cert for? Tor is already encrypted and the onion address acts as the public key.


To make the browser show the little lock in the address bar, I suppose?

Granted, that's still kind of pointless because you still have to self-sign, which gives scarier warnings than being unencrypted[0].

A knowledgeable user wouldn't care - they'd know that they installed a Tor gateway that resolves .onion to itself, so they're just as protected as they are on TLS. The catch here is that the ransomware operators are trying to criminally extort less-knowledgeable users and bureaucratic IT staff that are just being told to "run Tor and pay us in Monero to get your files back".

[0] There's nothing preventing these operations from shipping their own browser or root cert - they are, after all, already running on the local machine outside of any sandboxing. No clue if they do this.


Many security-enhancing technologies have been used to deanonymise websites. For example, by checking the certificate transparency log (the thing that prevents any CA from generating a certificate for Google.com that doesn't get nuked in seconds) it's often possible to find certificates for servers hidden behind Cloudflare. Those certificates can in turn be found using the mechanisms described here, and DDoS protection may quickly be bypassed that way.

Generally, though, TLS is not designed with privacy of the server in mind. The data exchanged between the client and the server is kept private between the two parties, but that's it.

If you wish to anonymise your connection, technologies like Tor will help. You'll still have to pay attention though. In a great many cases, security and usability are polar opposites, and a balance must be struck to find a workable solution. In this case the best balance is probably in-depth knowledge of how web servers work combined with reading through the documentation of the Tor project.


Certificates enable privacy for the user - fundamentally, they are about proving the identity of the server, which is at least somewhat at odds with privacy of the server.

Anyway, these all seem like pretty obvious opsec fails where the darknet website is also served over the regular internet, which is just atrocious.


If you follow the best practices and do not bind your onion service on 0.0.0.0, use a self-signed cert, and don't reuse keys, they do provide privacy against a snooping exit node.
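The loopback-only binding that this comment and the earlier "step one" comment recommend, as an added configuration audit that is not from the thread: it flags a `HiddenServicePort` target or an nginx `listen` directive that is reachable outside 127.0.0.1. Both config texts are constructed samples.

```python
import re

# Constructed sample: the weak pair exposes the same server on the public IP.
WEAK_TORRC = """
HiddenServiceDir /var/lib/tor/site/
HiddenServicePort 80 0.0.0.0:8080
"""
WEAK_NGINX = """
server {
    listen 8080;
    server_name _;
}
"""
HARDENED_TORRC = """
HiddenServiceDir /var/lib/tor/site/
HiddenServicePort 80 127.0.0.1:8080
"""
HARDENED_NGINX = """
server {
    listen 127.0.0.1:8080;
    server_name abcdefghijklmnop.onion;
}
"""

def _is_loopback(addr: str) -> bool:
    addr = addr.strip("[]")
    return addr.startswith("127.") or addr in ("::1", "localhost")

def audit_torrc(text: str) -> list:
    """Flag HiddenServicePort targets that are neither loopback nor a unix socket."""
    findings = []
    for m in re.finditer(r"^\s*HiddenServicePort\s+\d+\s+(\S+)", text, re.M):
        target = m.group(1)
        if target.isdigit() or target.startswith("unix:"):
            continue  # bare port defaults to 127.0.0.1; a socket never hits the network
        if not _is_loopback(target.rsplit(":", 1)[0]):
            findings.append(f"torrc: HiddenServicePort forwards to {target}, not loopback")
    return findings

def audit_nginx(text: str) -> list:
    """Flag listen directives bound to every interface (bare port, *, 0.0.0.0, [::])."""
    findings = []
    for m in re.finditer(r"^\s*listen\s+([^;\s]+)", text, re.M):
        spec = m.group(1)
        if spec.startswith("unix:"):
            continue
        if spec.isdigit():
            findings.append(f"nginx: 'listen {spec}' binds every interface")
            continue
        host = spec.rsplit(":", 1)[0] if re.search(r":\d+$", spec) else spec
        if not _is_loopback(host):
            findings.append(f"nginx: 'listen {spec}' is reachable outside loopback")
    return findings

def audit(torrc: str, nginx_conf: str) -> list:
    return audit_torrc(torrc) + audit_nginx(nginx_conf)
```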


>do not bind your onion service on 0.0.0.0

Good advice

>they do provide privacy against snooping exit node

Onion services don't use exit nodes. Your client and the service build circuits to nominated middle relays, so https only offers very marginal increases in privacy. However, you are right to assume that any exit node may be (or probably is) monitored.


Since I never ran a hidden service I never challenged my assumption that they connected to an exit node, but it makes sense that a hidden service would be routed through a middle relay without going through an exit node.

Thanks for the clarification.


This is not a big deal really. Getting an SSL cert only requires you to provide proof of ownership of your domain and has no KYC. You can get as many certs as you want, or sign it yourself.

Right now, SSL (or PKI to be precise) is a very privacy-respecting technology. For both the server and the client.



