Hacker OPSEC

STFU is the best policy.

It Was DPR, in the Tor HS, With the BTC

Give it to me straight, dr the grugq

Generally, it appears that Ross Ulbricht was applying his economic and techno-libertarian philosophy to real life. As his project grew, his security posture improved – too late. The most serious mistakes that Ross Ulbricht made were made during the period Jan 2011 - Oct 2011. A full timeline of the events in the Complaint is available on my tumblr.

NOTE: This is an abridged version of a longer post pulling out the lessons learned from the Silk Road Complaint of 27th September 2013. This post will only list the OPSEC errors, rather than explore them in detail.

The OPSEC Failures

The fundamental error is poor compartmentation. Ross Ulbricht, the real person and the online persona (Google+, LinkedIn, etc), and the Dread Pirate Roberts persona share ideological views and geographic locations. There is contamination between the two personas. Most of these seem to be due to the organic evolution of the Silk Road venture, where early naive Ulbricht makes mistakes that later smarter DPR wouldn’t. Unfortunately, the later DPR is more ideologically extreme and consequently less savvy about mainstream society.

  1. Poor Compartmentation
  2. Profiling
  3. Geographic Location
  4. Isolation

Poor Compartmentation

  • Contamination: seriously fatal links created between personas
    • Silk Road + altoid: Shroomery, BitcoinTalk forums
    • altoid + rossulbricht@gmail.com: BitcoinTalk
    • Ross Ulbricht + frosty@frosty[.com]: StackOverflow
    • frosty@frosty + Silk Road: Silk Road server admin SSH key

The compartmentation failures are somewhat pervasive, in particular the ideological “Austrian School of Economics” and the mises.org site. However two particular contamination errors stand out:

  1. Silk Road –> altoid –> rossulbricht@gmail.com link in 2011
  2. Ross Ulbricht –> frosty@frosty.com –> Silk Road server link in 2013

The first of these failures happened because the altoid persona used to promote Silk Road was poorly fleshed out (e.g. no email address). Ross did not put the plumbing in place to backstop his altoid cover. He then joined the BitcoinTalk community using this contaminated cover. His participation and search for social validation left him with his guard down. Consequently, he revealed a great deal of profiling information about his project and beliefs. Many of his posts are about Silk Road infrastructure or his mises.org influenced economic theories. After participating for 10 months he finally made the fatal OPSEC error of posting his personal email address.

The second error was poor compartmentation of his online Ross Ulbricht persona, the tech savvy San Francisco based startup guy, and “frosty” the system admin of the server hosting the Silk Road site. His poor compartmentation, likely using the same computer for both personal and business use, and his limited backstopping of the DPR/altoid/frosty persona meant that any error would be fatal.

These two errors combine to link Silk Road with Ross Ulbricht, and Ross Ulbricht with Silk Road.

“I’ll take Profiles for $300, Alex” : “Too much in common” : “What do Ulbricht and DPR share?”

  • Profiling: Ross Ulbricht talks and acts like Dread Pirate Roberts
    • LinkedIn profile
    • Timezone leakage: private messages, forum posting times
    • BitcoinTalk altoid posts about: economics (mises.org), security, programming
    • Silk Road Forum Dread Pirate Roberts -> Mises + “Austrian School of Economics”
    • Mises.org Ross Ulbricht account

Ross Ulbricht, the person, was an active participant in the mises.org website and the BitcoinTalk forums. In both cases he was deeply committed to the “Austrian School of Economics”, something the Dread Pirate Roberts was also a huge fan of. The altoid cover alias, linked directly to Ross Ulbricht, frequently talked about bitcoin security and PHP programming. He is, based on his posts, clearly involved in running some sort of PHP-based, bitcoin-using venture that requires high security. Sort of like the Silk Road site.
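The timezone leakage item above is worth seeing in code: posting times alone sketch a persona's sleep window, and from that a UTC offset. This is an added self-audit example, not code from the original post; the timestamps are constructed, and the assumption that a persona is quiet from roughly 23:00 to 09:00 local (quiet-window midpoint about 04:00) is mine.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed: a persona posts nothing between ~23:00 and ~09:00 local time,
# so the midpoint of its quiet window sits near 04:00 local.
QUIET_MIDPOINT_LOCAL = 4.0


def hour_histogram(posts):
    """Posts per UTC hour (24 buckets) from a list of timezone-aware datetimes."""
    counts = Counter(p.astimezone(timezone.utc).hour for p in posts)
    return [counts.get(h, 0) for h in range(24)]


def quiet_window(hist, threshold=0):
    """Longest circular run of hours with activity <= threshold: (start_hour, length)."""
    best = (0, 0)
    for start in range(24):
        length = 0
        while length < 24 and hist[(start + length) % 24] <= threshold:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best


def estimate_utc_offset(posts):
    """Whole-hour UTC offset implied by the persona's quiet window, or None."""
    start, length = quiet_window(hour_histogram(posts))
    if length == 0 or length == 24:          # always active or no data at all
        return None
    utc_mid = (start + length / 2) % 24
    offset = QUIET_MIDPOINT_LOCAL - utc_mid
    return round((offset + 12) % 24 - 12)    # normalise into [-12, 12)


def make_sample_posts(offset_hours, days=7):
    """Constructed sample: one post per local hour 09:00-22:00 for `days` days."""
    tz = timezone(timedelta(hours=offset_hours))
    return [datetime(2011, 6, 1 + d, h, 30, tzinfo=tz).astimezone(timezone.utc)
            for d in range(days) for h in range(9, 23)]


if __name__ == "__main__":
    posts = make_sample_posts(-7)            # a persona on US Pacific daylight time
    print("quiet window (UTC start, hours):", quiet_window(hour_histogram(posts)))
    print("estimated UTC offset:", estimate_utc_offset(posts))
```

Run it against your own persona's export of post timestamps; a sharp quiet window means the persona is leaking a timezone whether or not it ever mentions one.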

  • Geographic Location
    • Silk Road web server administered over VPN from a server
    • VPN server IP stored in the Silk Road PHP source code
    • VPN server accessed from a location 15240 cm (500 ft) from a location that accessed the Ross Ulbricht GMail account.

The location of the Dread Pirate Roberts was something of an open secret. It is clear that he was based on the west coast of the US. Ulbricht was located in San Francisco at the same time as DPR, as proven by his large online footprint: Google+, YouTube, GMail.

Isolation is bad, mmmkay

  • Isolation without relief
    • Rented room under assumed name
    • No “mainstream” social circle to realign with social mores
    • No peers to talk to, only Silk Road forum members and admins

After the altoid persona is retired from BitcoinTalk, Ulbricht migrates his social interaction to a more extreme community: the Silk Road forums. This appears to have been his “scene”, where he interacted with people and cultivated friends (including an impressive array of undercover law enforcement officials).

The underground life forced on Ulbricht as the Dread Pirate Roberts led to the major problem of isolation. Human beings are social animals. We require social interaction to maintain a healthy mental state. The strict security of DPR required isolation, leaving Ross Ulbricht living his social life on forums with niche ideological views, initially BitcoinTalk (in 2011) and then the Silk Road forums. Isolation from mainstream society is known to lead to ideological extremism as members of the niche community self-reinforce their ideological tendencies. Consequently, they are less able to understand mainstream society’s ideas, beliefs and morals. This is dangerous. This isolation led him to rationalize that hiring online hitmen to preserve the Silk Road community was morally acceptable.

Apparently the only source of social validation and ego gratification that Ross had was a group of bitcoin libertarians, drug seekers, drug dealers and undercover cops. This is not a healthy social environment conducive to a balanced state of mental health.

What have we learned?

So, the Dread Pirate Roberts Complaint basically tells us nothing that we didn’t already know about OPSEC. There are some lessons learned which can be used to harden OPSEC practices going forward. The main things are still: strong compartmentation; use Tor all the time; avoid leaking profiling information, and it is prudent to regularly migrate to new cover personas.