He made many truly stupid mistakes. But the article is generally clueless. Sure, the Silk Road server leaked the IP of that cafe. But adversaries wouldn't have known that unless his onion server had leaked its physical IP in an Apache error header. And then there were the posts on Stack Exchange and Bitcoin Forum that leaked his real name. Oh, and those fake IDs. Homeland Security found them, before the FBI had a clear bead on him, and he told them that he might have bought them on Silk Road.
It's not that, it's just that Ulbricht and his team exhibited journeyman competence at their best. What implementation feature of Silk Road gives you the impression that it was out of the reach of pretty much any salaried Bay Area developer in the market? I'm simply agreeing: there's no evidence for Ulbricht's technical "gifts".
None, right, but tptacek -- it's time to give this one up... I stopped getting annoyed a while ago about this stuff and I'm happier for it...
I mean... Look. The difference between someone who, to us, just "threw up some crap PHP CMS over Tor, then ended up having to outsource most of the technical 'tasks' involved in running said site to people who were barely better than he was, who then ended up blackmailing him while he was over his head" and... say, the majority of us who could actually make such a site in a weekend completely anonymously (tech-wise anyway; marketing/ads is a different game I guess, and today the competition has guns) is only barely understood even by most of the 'technical community'.
What do you expect journos respewing AP, making clickbaity titles, to call people such as Ulbricht other than 'genius' or whatever? This guy installed a browser plugin and ran mod_php on a VPS, d00d. To the Daily Mail or Vanity Fair, the difference between that and, say, what the GPU compiler optimisation dudes at Intel do is zero, and we will NEVER be able to explain the difference to those people.
All I'm saying is: give up -- it won't stop being annoying. Next year another 19-year-old will bruteforce "administrator/password", get into a receptionist's email at NASA and then be jailed for 20 years as the 'hacker of the century'; desktop support will still wear 'genius' t-shirts, and you'll still be expected to fix some 2000s printer for an aunt, and when you can't you will lose respect from your non-technical family even if your day job is programming distributed systems for six figures...
Now repeat this for every article about anything that requires the minutest amount of expertise, and you have the nth reason why the general public is so dangerously misinformed about... well, everything.
I've recently been enjoying https://theconversation.com/ -- all articles are written by experts in the field they are about...
> the majority of us who could actually make such a site in a weekend completely anonymously
I believe that you're underestimating the criteria for "completely anonymously". I mean, that's arguably impossible against the NSA, if they care enough to truly bother. But even well short of that, there's more to anonymity than you might think.
Well, maybe. If you become a big enough target then defence is about how expensive it is to find you...
Still, look at the folks who get caught by such agencies -- usually it's some amateur mistake...
I think most of us can obtain suitably anonymous/blended bitcoins and spin up a .onion site which couldn't be directly linked to us in the way that SR was linked to DPR though, which was the point...
Completely anonymous? Maybe not, you're right. Could you or I host a .onion site that, if we abandoned it as soon as it was up, would be impossible to tie to our real identities? Yes.
Yes, I am appalled by all the amateur mistakes that I read about.
But one can't rely just on Tor. CMU's exploit of the relay-early bug, and cooperation with the FBI, pwned a few onion services. That didn't depend on any misconfiguration of the onion services that got pwned. The only defense would have been using private entry guards and/or nested VPN chains between the onion server and its guards. And that's not something that's widely known outside the darknet community.
Your point about "abandoned it as soon as it was up" is a good one, though :) It's totally nontrivial to get around adversaries sniffing at those network edges ;)
I think it's pretty trivial to get around the edge sniffing...
You just need a bunch of pwned hops to go through first... I mean... Did you take a look at the infector code for Mirai [0] when it was kicking about? It's beyond basic...
20 of those nodes (literally CCTV cameras with busybox netcat...) is enough. Want to go harder? A burner 3G SIM before you even start proxying through them towards entering Tor is what, an afternoon's work?
Today the "Hajime" botnet [1] is reported at 300,000 infected internet-connected nodes... Reckon they're logging?
It's very hard for servers to evade edge sniffing, because it's trivial to modulate traffic with them. For an adversary with access to lots of intercepts, anyway. Users can protect themselves by using public WiFi hotspots or burner cell modems. But that's not workable for servers, unless you host them yourself, which is too iffy for me.
But yes, DPR could have stayed anonymous, even if his onion server had been pwned.
The onion service implementation reflected far from even journeyman competence. Even when he was getting started, the dangers of Apache error leaks and Tor bypass were well known. And his OpSec was abysmal. Neither of those are part of the usual SV toolkit, however. But yes, we basically agree.
> The onion service implementation reflected far from even journeyman competence.
Oh ya, Ulbricht was not even close to journeyman competence. Falling victim to well-known PHP issues, poor Apache security implementation and really poor OpSec is what doomed him.
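The Apache misconfigurations that several comments above point at (an error page that prints the host's own address, and a web server that also answers on its public interface, so the site can be reached without Tor at all) are concrete enough to show. What follows is an added example, not code from the thread or from Silk Road: two constructed Apache vhost fragments, the leaky shape and a hardened one, plus a small POSIX shell audit that flags the leaky settings. The paths, the `example.onion` ServerName and the torrc lines in the comment are placeholders and assumptions about a typical layout, not anything the thread describes.

```shell
#!/bin/sh
# Added example (not from the thread). Two constructed Apache fragments for an
# onion service and an audit function that flags the settings that expose the
# host's real address. Paths and names are placeholders.

# Constructed: the leaky shape. "Listen 80" binds every interface, so anyone
# scanning the clearnet IP gets the same site (Tor bypass). "ServerSignature On"
# appends "Apache/2.x Server at <name> Port 80" to error pages; with no
# ServerName set, <name> is the host's reverse-DNS name or its IP address.
WEAK_CONF='
Listen 80
ServerTokens Full
ServerSignature On
<VirtualHost *:80>
    DocumentRoot /var/www/market
</VirtualHost>
'

# Constructed: hardened shape. Bind only to loopback, so the only way in is the
# tor daemon forwarding HiddenServicePort traffic, and drop the banner/footer.
# Assumed matching torrc lines (illustrative):
#   HiddenServiceDir  /var/lib/tor/market/
#   HiddenServicePort 80 127.0.0.1:80
HARDENED_CONF='
Listen 127.0.0.1:80
ServerTokens Prod
ServerSignature Off
<VirtualHost 127.0.0.1:80>
    ServerName example.onion
    DocumentRoot /var/www/market
</VirtualHost>
'

# audit_apache_conf: read a config on stdin, print one FINDING line per leaky
# setting. Exit 0 when nothing was flagged, 1 otherwise.
audit_apache_conf() {
    findings=0
    conf=$(cat)
    # A Listen directive not pinned to 127.0.0.1 / [::1] answers on the
    # server's public interfaces.
    if printf '%s\n' "$conf" | grep -Ei '^[[:space:]]*Listen[[:space:]]+' \
        | grep -Evq '(127\.0\.0\.1|\[::1\]):[0-9]+'; then
        echo "FINDING: Listen not restricted to loopback (reachable without Tor)"
        findings=1
    fi
    if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+On'; then
        echo "FINDING: ServerSignature On (error pages print hostname or IP)"
        findings=1
    fi
    if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+(Full|OS|Minor|Minimal|Major)'; then
        echo "FINDING: ServerTokens verbose (version/OS banner in headers)"
        findings=1
    fi
    if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*<VirtualHost[[:space:]]+\*:'; then
        echo "FINDING: VirtualHost bound to * (serves on every interface)"
        findings=1
    fi
    return $findings
}

# Wrappers so the two constructed configs can be audited by name.
audit_weak()     { printf '%s\n' "$WEAK_CONF"     | audit_apache_conf; }
audit_hardened() { printf '%s\n' "$HARDENED_CONF" | audit_apache_conf; }

if [ "${1:-}" = "--demo" ]; then
    echo "== weak ==";     audit_weak || true
    echo "== hardened =="; audit_hardened && echo "no findings"
fi
```

Run it with `sh audit.sh --demo`, or pipe a real `httpd.conf` into `audit_apache_conf`. The loopback bind is the fix that matters: `ServerSignature Off` only removes the footer that would print the address, while a server still listening on the public interface can be found by anyone who scans for the same page content. Application-level leaks (PHP error output, debug pages) are a separate problem this config check does not cover.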