
> so many precautions
read up on some of the police work the feds did. this guy was careless.



I read the entire thing and I think what you said is the easy but not necessarily accurate conclusion. The site was in business since February of 2011. The operator of the site was careful enough that they successfully ran the world's largest black market website for over 2.5 years. Doesn't really align with a characterization of "careless".

Sure, he re-used a few login names but I don't know how many people could've successfully gone without doing that over a 2.5 year period. I think it's more accurate to say he "wasn't perfectly careful" than it is to say he was careless.


OPSEC for Hackers ( http://www.youtube.com/watch?v=9XaYdCdwiWU ) uses a quote from The Wire to reference what you're talking about: “The thing is, you only got to fuck up once. Be a little slow, be a little late, just once. And how you ain’t never gonna be slow, never be late? You can’t plan for no shit like this, man. It’s life.”

The Grugq addresses this issue by recommending that one set up an entire fake persona before doing anything, and then doing all the activities "in character" as that persona. If you stay in character, then even making the types of mistakes DPR made would only lead the authorities to the persona rather than yourself.

Granted, this video didn't exist when DPR made Silk Road...


grugq makes plenty of mistakes, just like the rest of us. He's just pimping an image to suck up more 0day from independent developers to unethically onsell to various dot govs. Sad friggin' industry, full of vacuous husks of people.


I believe Grugq's message is just that: everyone makes mistakes, and therefore if you're in that line of work you need infrastructure to shield yourself from those inevitable mistakes.

However, I'm not sure how his academic discussion about OPSEC "pimps an image" for his 0day business -- wouldn't security researchers writing 0days not really need the advice in OPSEC For Hackers since they are still acting legally?


> wouldn't security researchers writing 0days not really need the advice in OPSEC For Hackers since they are still acting legally?

Your own government isn't your only potential enemy.

True story: A friend of mine works for a large defense contractor. He's done a fair amount of foreign travel to support projects on foreign soil. Not clandestine projects, they are fully above board with the cooperation of the host countries, but as Kissinger said, America has no permanent friends or enemies, only interests. (Kissinger's a douche, but he's right about that.)

The result of all his work travel is that he's made it onto spear-phishing lists at all kinds of national hacker groups. His employer's IT security has had to put his corporate email address in a special group that gets extra scrutiny because of all the attacks directed specifically at him.


> Sure, he re-used a few login names but I don't know how many people could've successfully gone without doing that over a 2.5 year period.

That is the difference between a professional and an amateur. An amateur tries hard to get things done, but doesn't really pay attention to methods or details. A professional knows that methods and details matter more than knowledge... and uses best practices to get things done.

If you're running the world's largest illegal marketplace, the primary goal should be security and privacy. He re-used login names by accident, or maybe even just out of laziness.

A simple way of avoiding the above issue is to have a "personal" computer with personal accounts and activity, and a "work" computer, with work accounts and activity. Never use the work computer at home, and never use the home computer in the same place you use the work one. There's no way to confuse identities or traffic patterns.

I think Silk Road is proof of just how good Tor is. It can protect you from governments who are trying to find you. It can even protect someone who knows nothing about programming or security.


Agreed.

He definitely thought he was untouchable, a clear sign of an amateur. Even after all the press touting the fact he was running a huge illegal drug market under the FBI's noses, he continued to carry on like he wasn't going to get caught. Even the most low level criminals have a healthy sense of paranoia. Even close calls will make them completely change how they do things.

Even if he took the modest steps you proposed, he could have wiped and then physically destroyed the HD, tossed it into a trash bin and fled the country for a few years until things quieted down. I mean, he had plenty of money, in the most secure, untraceable form, so it would've been cake to hide out for a few years, or forever if need be.


The other problem is learning as you go. It seems like some of his mistakes were in the very early days of the site, and they were uncorrectable due to Google caches and such.


"A simple way of avoiding the above issue is to have a "personal" computer with personal accounts and activity, and a "work" computer, with work accounts and activity. Never use the work computer at home, and never use the home computer in the same place you use the work one. There's no way to confuse identities or traffic patterns."

The problem with this approach is that you need to never use the wrong computer for the wrong thing. You can help yourself somewhat by setting up different window colors / desktop backgrounds / etc, but what happens when you go visit your great aunt for thanksgiving and forget to pack both laptops? What happens when your work laptop breaks, and you desperately need to update the site to deal with some issue?

A more reliable approach would be to have one computer with two accounts (or, if you like technically sophisticated approaches, use a mandatory ACL system), one for work, one for personal things. Set up each account with noticeably different colors / themes, so that you are less likely to accidentally use the wrong account for the wrong thing. If you forget/damage your laptop, you have less of a temptation to use the wrong computer.

I am sure that Truecrypt fans will point out that hidden volumes work equally well, though the extra effort required is something of a stumbling block in my opinion (and I am not a big fan of hidden volumes to begin with).


You're sitting on $80m in BTC, head down to the local electronics store in Great Aunt's/Grandma's town and buy a new one.


No, two PCs is much smarter. Use /etc/hosts to block access to the sites that you shouldn't be seeing on one machine to the other.

One PC, two accounts, breaks for some things, like Flash cookies, etc.

The other alternative is running a "clean" VM inside the "dirty" machine. But that's again likely to cause issues.


So, I have been mulling this over. Not because of SR but just as anti-doxing hive BS. I started to use a PRNG to generate usernames (I was already using it for passwords). But the "problem" is that these PRNG usernames hit like laser beams in database searches. And I would assume that the surveillance companies everywhere hone in on tracking usernames everywhere like crazy.

I guess you want to pick names that have lots of false positives when searching. But of course you can't ping google to check. Is there a known mechanism for this? I guess the old dice + newspaper to pick a phrase?

Maybe I'm too sensitive about this since nobody in the history of the known universe has the same name that my parents picked, so any hits in search engines are never about anyone else. Unique usernames function the same way.


An easy way to disguise your behavior is to steal someone else's username. Pick a popular user on a popular site, and then assume their name on a new service.


It would have been rather uncomfortable to have been a Tor user with "Dread Pirate Roberts" as a username, if you knew nothing about Silk Road and happened to be a Princess Bride fan.


> I guess you want to pick names that have lots of false positives when searching

I think that's right. I got my first modem in 1985 and have been on the Internet since the start of the 90s. I never re-use user names between sites, and I frequently delete my accounts and start with fresh ones.

I've started recently using random word generators to generate common words to use as usernames.


3- or 4-letter usernames that are used all over the place are the only way I have found to mix yourself in with the sea of noise.


Why not ping google?

Whenever I want a username that isn't associated with any internet persona of mine, I look around on big forums for names and start googling them. I think the best is to find one that's a character in some obscure book/story, and then pick another character from that story - thank Wikipedia for having this type of info for all sorts of things. Best is something odd enough that it isn't likely to be taken already, but still common enough that the search results for it are too noisy to see a few forum posts.

But then, it depends a lot on what you're trying to hide, and who you're trying to hide it from. Keeping bored teenagers on 4chan from finding your home address and keeping whole departments of the FBI from tracking you down are whole different ballgames.


I like random adjective + random noun. Doesn't jump out as generated. (Well, until now.)

Actually, part of me would like that to catch on for pseudo-anon usernames, so I'm not quite as trackable between accounts.

Ideally I guess I'd come up with a few dozen random name systems, and hop between them for each account... such a hassle.
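The two threads above (random words as usernames that drown in search noise, and hopping between several naming "systems") in working code, as an added example that is not from any of the commenters. It uses Python's `secrets` module (a CSPRNG) rather than a seeded PRNG, and shows the difference the first poster ran into: a fixed-length random string has enough entropy to be a globally unique identifier, while a word-based name drawn from a small list does not. The word lists are constructed here for illustration; a real generator would load a large list (for example an EFF diceware list) from disk, and the `SYSTEMS` table and the 5-billion "population" heuristic are this example's own assumptions.

```python
import math
import secrets

# Constructed word lists for illustration only. A real generator would read a
# large list (e.g. the EFF long diceware list, ~7,776 words) from disk; these
# are deliberately tiny so the entropy numbers below are easy to follow.
ADJECTIVES = ["quiet", "red", "fast", "old", "blue", "green", "tall", "small"]
NOUNS = ["river", "stone", "fox", "lamp", "cloud", "bridge", "hat", "door"]
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def entropy_bits(space_size):
    """Bits of entropy in a name drawn uniformly from space_size candidates."""
    return math.log2(space_size)


def adjective_noun():
    """'quietriver' style: common words, so web searches return plenty of noise."""
    return secrets.choice(ADJECTIVES) + secrets.choice(NOUNS)


def noun_number(max_number=99):
    """'fox42' style: still common words, a little more space than adjective+noun."""
    return secrets.choice(NOUNS) + str(secrets.randbelow(max_number + 1))


def random_alnum(length=12):
    """Fixed-length random string: the 'laser beam' style the thread warns about."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


# Naming "systems" to hop between, one per account. Each entry is the
# generator plus the size of the space it draws from (assumed layout).
SYSTEMS = {
    "adjnoun": (adjective_noun, len(ADJECTIVES) * len(NOUNS)),
    "nounnum": (noun_number, len(NOUNS) * 100),
    "alnum12": (random_alnum, len(ALNUM) ** 12),
}


def pick_system():
    """Choose a naming system at random so accounts don't share a pattern."""
    return secrets.choice(sorted(SYSTEMS))


def generate(system=None):
    """Return (system_name, username, entropy_bits) for one new account."""
    name = system or pick_system()
    func, space = SYSTEMS[name]
    return name, func(), entropy_bits(space)


def is_globally_unique_guess(bits, population=5e9):
    """Heuristic (assumption): with more bits than log2(population), almost
    nobody else will have picked the same string, so a search hit on that
    username is very probably you rather than noise."""
    return bits > math.log2(population)


if __name__ == "__main__":
    for system in sorted(SYSTEMS):
        name, username, bits = generate(system)
        flag = "unique-looking" if is_globally_unique_guess(bits) else "blends in"
        print(f"{name:8s} {username:16s} {bits:5.1f} bits  {flag}")
```

With the tiny lists here adjective+noun yields only 6 bits, so the same name will exist in many unrelated places; a 12-character alphanumeric string yields about 62 bits, far more than the roughly 32 bits needed to be the only person on earth using it. The practical takeaway matches the thread: draw from large common-word lists for names that are meant to blend in, and keep high-entropy strings for passwords, not usernames.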


He bought the site from the original DPR, who was careful since early 2011...


Unless:

a) He's Ross "Patsy" Ulbricht

or

b) He wanted to be caught, and set some mighty precedents.

or...

c) He's sloppy.



