My zef is fresh! lol. I already forget the gargantuan password I made for the first account.
Anyways, yeah that does give away where you are, but Brazil (or Russia, Ukraine... any non MLAT/extradition country) is a big place. If you sell everywhere, then there's nowhere you can flee because you broke laws in every single country. Something to think about, whoever the new DPR is. Personally I would set up in Belarus. No taxes, girls everywhere, no extradition, banks don't give a shit about source of income either.
The grugq's critique of DPR's Opsec failures: Note, "backstopping" is intel lingo for creating a completely fake identity that has depth. More info here: http://grugq.github.io/blog/2013/10/10/silk-road-security/
The OPSEC Failures
The fundamental error is poor compartmentation. Ross Ulbricht, the real person and the online persona (Google+, LinkedIn, etc), and the Dread Pirate Roberts persona share ideological views and geographic locations. There is contamination between the two personas. Most of these seem to be due to the organic evolution of the Silk Road venture, where early naive Ulbricht makes mistakes that later smarter DPR wouldn’t. Unfortunately, the later DPR is more ideologically extreme and consequently less savvy about mainstream society.
Poor Compartmentation
Profiling
Geographic Location
Isolation
Poor Compartmentation
Contamination: seriously fatal links created between personas
Silk Road + altoid: Shroomery, BitcoinTalk forums
altoid + rossulbricht@gmail.com: BitcoinTalk
Ross Ulbricht + frosty@frosty[.com]: StackOverflow
frosty@frosty + Silk Road: Silk Road server admin SSH key
The compartmentation failures are somewhat pervasive, in particular the ideological “Austrian School of Economics” and the mises.org site. However two particular contamination errors stand out:
Silk Road –> altoid –> rossulbricht@gmail.com link in 2011
Ross Ulbricht –> frosty@frosty.com –> Silk Road server link in 2013
The first of these failures happened because the altoid persona used to promote Silk Road was poorly fleshed out (e.g. no email address). Ross did not put the plumbing in place to backstop his altoid cover. He then joined the BitcoinTalk community using this contaminated cover. His participation and search for social validation left him with his guard down. Consequently, he revealed a great deal of profiling information about his project and beliefs. Many of his posts are about Silk Road infrastructure or his mises.org influenced economic theories. After participating for 10 months he finally made the fatal OPSEC error of posting his personal email address.
The second error was poor compartmentation of his online Ross Ulbricht persona, the tech savvy San Francisco based startup guy, and “frosty” the system admin of the server hosting the Silk Road site. His poor compartmentation, likely using the same computer for both personal and business use, and his limited backstopping of the DPR/altoid/frosty persona meant that any error would be fatal.
These two errors combine to link Silk Road with Ross Ulbricht, and Ross Ulbricht with Silk Road.
“I’ll take Profiles for $300, Alex” : “Too much in common” : “What do Ulbricht and DPR share?”
Profiling: Ross Ulbricht talks and acts like Dread Pirate Roberts
LinkedIn profile
Timezone leakage: private messages, forum posting times
BitcoinTalk altoid posts about: economics (mises.org), security, programming
Silk Road Forum Dread Pirate Roberts -> Mises + “Austrian School of Economics”
Mises.org Ross Ulbricht account
Ross Ulbricht, the person, was an active participant in the mises.org website and the BitcoinTalk forums. In both cases he was deeply committed to the “Austrian School of Economics”, something the Dread Pirate Roberts was also a huge fan of. The altoid cover alias, linked directly to Ross Ulbricht, frequently talked about bitcoin security and PHP programming. He is, based on his posts, clearly involved in running some sort of PHP based bitcoin using venture that requires high security. Sort of like the Silk Road site.
Geographic Location
Silk Road web server administered over VPN from a server
VPN server IP stored in the Silk Road PHP source code
VPN server accessed from a location 15240 cm (500 ft) from a location that accessed the Ross Ulbricht GMail account.
The location of the Dread Pirate Roberts was something of an open secret. It is clear that he was based in the west coast of the US. Ulbricht was located in San Francisco at the same time as DPR, as proved by his large online footprint: Google+, YouTube, GMail.
Isolation is bad, mmmkay
Isolation without relief
Rented room under assumed name
No “mainstream” social circle to realign with social mores
No peers to talk to, only Silk Road forum members and admins
After the altoid persona is retired from BitcoinTalk, Ulbricht migrates his social interaction to a more extreme community: the Silk Road forums. This appears to have been his “scene”, where he interacted with people and cultivated friends (including an impressive array of undercover law enforcement officials).
The underground life forced on Ulbricht as the Dread Pirate Roberts led to the major problem of isolation. Human beings are social animals. We require social interaction to maintain a healthy mental state. The strict security of DPR required isolation, leaving Ross Ulbricht living his social life on forums with niche ideological views, initially BitcoinTalk (in 2011) and then the Silk Road forums. Isolation from mainstream society is known to lead to ideological extremism as members of the niche community self-reinforce their ideological tendencies. Consequently, they are less able to understand mainstream society’s ideas, beliefs and morals. This is dangerous. This isolation leads him to rationalize that hiring online hitmen to preserve the Silk Road community is morally acceptable.
Apparently the only source of social validation and ego gratification that Ross had was a group of bitcoin libertarians, drug seekers, drug dealers and undercover cops. This is not a healthy social environment conducive to a balanced state of mental health.
What have we learned?
So, the Dread Pirate Roberts Complaint basically tells us nothing that we didn’t already know about OPSEC. There are some lessons learned which can be used to harden OPSEC practices going forward. The main things are still: strong compartmentation; use Tor all the time; avoid leaking profiling information, and it is prudent to regularly migrate to new cover personas.