OTPs as Second Factor
Only a couple of weeks ago, Dread Pirate Roberts (DPR) was arrested for his extensive involvement in Silk Road, an online platform only reachable via Tor offering more than ten-thousand sales listings for controlled substances. The variety of the products offered was immense: LSD, cocaine, methamphetamine, heroin, ecstasy – if you can name it, it was most likely for sale on Silk Road. You could have considered Silk Road something like eBay for illegal drug trafficking. You could find almost everything and even leave a seller feedback once the transaction was done and over. But not only drugs were sold on Silk Road: Hacked accounts for social networks, weapons, and various services ranging from digital petty theft to more extreme things, contract killers being just one of the more unsettling examples. Ross William Ulbricht, DPR’s real name, allegedly made millions with his website. The actual amount is disputed, but it is to be assumed that it was worth the trouble.
Silk Road’s performance depended massively on the fact that it was hosted anonymously and was only accessible via Tor. Tor is an important tool to provide users with anonymity, leaving it up to them how they use this privilege. People that are threatened and violated by oppressive governments can use Tor to communicate their dissent. Sokwanele for example, is a Zimbabwean website promoting democracy, illustrating the atrocities of the regime under Robert Mugabe. The content, while horrific in its nature, is important and puts the creators at great risk of being in harm’s way for publishing it. Tor is providing an amount of anonymity that makes it easier to stay moderately safe, no matter if this anonymity is required to exercise free speech or to buy drugs on Silk Road. Silk Road was incredibly popular, especially considering the fact that it was never reachable outside of Tor. Contrary to popular opinion, it is not hard to access sites like these, even for less tech-savvy users. Easy installers are readily available, that will allow access to Tor within minutes without any configuration or the need for credentials. TorBrowser, for example, is a standalone, portable installation of Firefox that will automatically redirect all traffic via Tor. It is easier to install than the most recent versions of Microsoft Office.
The question that the Silk Road bust raised almost instantly is clear: If this website was only accessible via Tor, how was Dread Pirate Roberts caught? Especially considering the fact that leaked documents recently confirmed that intelligence services were trying hard to get a handle on Tor, but were still failing? .
According to available sources, the key to Ulbricht’s downfall was not based on any intelligence agency’s skillful interception of encrypted communication. Tor, as far as we know today, remains a fairly anonymous way to use and offer services, whereas anonymous does not necessarily mean secure. Ulbricht, however, failed where most people do: When it comes to OpSec.
Considering that Ulbricht made a ton of money running a fairly smooth operation that enabled the sale of mostly illegal products and services for a surprisingly long time, the list of mistakes he made, concerning his operational security, that have now surfaced is surprising. For example, Ulbricht was looking for an IT professional for a bitcoin-backed venture in a forum, using his real email address to communicate with potential candidates. In a world where it is hard to determine if anyone you talk to on a computer is really what he claims to be, this seems like a really, really unfortunate idea. A similarly bad idea is the use of social networking to be vocal about ethical and ideological mindsets. That rings true for almost everyone, especially in a world after Snowden, but especially if you are currently building and running an international black market and try to stay somewhat in the shadows to avoid going away for a long, long time.
But it does not stop there. Dread Pirate Roberts also used various drug-related forums outside of the Tor-Protected Internet to market his product and get in touch with customers. He connected to his VPN server after logging into his Gmail account with the same IP address. He used his StackOverflow.com-alias frosty in the public SSH key stored on the Silk Road server. He also used his real name on StackOverflow. The list does not stop there, but it illustrates how many mistakes he made down the road that ultimately led to his arrest.
There are a couple of things that are interesting about all of this. First of all: Most OpSec mistakes seem not too bad as long as you look at them as a trail leading from you to a certain incident. But it is often forgotten that the trail works the other way too. Often, an investigation will start at the scene of the crime, search for the cookie crumbs and then follow them back to the jar they came from. Ulbricht’s post about an anarchistic vision of economic simulation he posted on LinkedIn in early 2012 would most likely not have been suspicious, but once the investigators got him on their list, the statement made a lot more sense in the context of Silk Road. Bold statements on your world-views are risky in this time and age, even if you don’t run an international drug exchange. If you do, you might want to shut down your Facebook account before you do it or at least refrain from posting content related to your activity.
The other conclusion is much more concerning though: What if Dread Pirate Roberts did everything right? What if he did not make these mistakes or if somebody learns from his school-of-hard-knocks lesson on OpSec? If it takes that many mistakes to be taken down, we might just face the next Dread Pirate Roberts very soon.
We are going to monitor the digital underground for you!
Our experts will get in contact with you!
Further articles available here