He committed the oldest opsec mistake of all - bragging about what he did.
"He who would keep a secret must keep secret that he has a secret to keep" - Sir Humphrey Appleby, but I think he was paraphrasing Goethe.
That said, opsec is (to all practical intents and purposes) impossible in the long run in the face of a very determined adversary. If they want to find you, you will have done something to give someone a lead and there will be enough pieces to put the picture together.
"He that would keep a secret must keep it secret,
that he hath the secret to keep."
Who said that?
It was Sir Humphrey.
- Who said it originally?
- Francis Bacon, wasn't it?
I read an OpSec manual around the time of GamerGate. One truly basic thing: never do anything to link two accounts together. Never mention it, never promote it. I doubt many people know who I am on reddit but I 100% know that anyone sufficiently inclined could identify me.
Next: obviously avoid biographical details. People can compile a lot of information about you online.
Quite a while ago somebody shared some post analysis tool that would try to pair up the accounts of multi-account users. Used some cosine distance magic IIRC. Anyway, can’t remember the link, but it seemed to impress folks (I have only one account so wasn’t able to test it myself).
I wouldn’t be surprised if anybody you wanted to do opsec against had a much better version of that tool…
I do sort of wonder where that sort of stuff will go. On one hand, we’re all mostly just shitposting anyway so we don’t really need privacy. On the other, I dunno, we all enjoy being able to explore ideas pseudonymously, right? I wonder if we’ll all end up having to pass our arguments into LLMs to get any sort of pseudonymity in the future.
I totally concur, Mr President. Now I must steal back my spaceship from the Russian embassy before moon fall tomorrow night or I won't get my deposit back!
I wonder if that really works / throws anything off?
Every time we see someone caught it is one very solid and clear link that triggers the rest of pieces to fall into place. It almost never seems like it's a bunch of minor bits making up the whole.
The main takeaway for me is the following. Everything you post online will end up in a public archive. That includes everything you post to supposedly private or semi-private venues, like Telegram channels. Everything you posted when you were a dumb kid will be there too, however long ago that was. So, if you’re gonna be a cybercriminal, make absolutely sure that you start with a clean slate. No one can know the connections to your past, because even if you’re careful, other idiots can let slip (like using your old moniker to address you) at any time. And don’t post fucking photos, ever.
It's not like you can't find them on Amazon for cheap. There's also more than one master key; it's a whole set. That said, when the lock picking lawyer bought a bunch of TSA locks, they all used master key #7 I think.
The article also mentioned the whole platform he was using was cracked by police. They might have been able to get the metadata but not want to explain that to others still using that platform.
I think most audio-only BBC programmes are available globally, even if they sometimes have ads inserted into them which aren't present if you're in the UK.
Why not? Seems like a pretty clear shot of three of his fingers and a good partial print of his thumb. I assume the original was higher resolution than the version in the article.
The CCC made a point a couple of years ago by publishing fingerprints of high-ranking German government officials extracted from photos.
I did fingerprints from a digital photo in 2012 maybe earlier. Old mate was holding up drugs to be photographed. Bit of contrast, blew it up, sent it to fingerprint bureau and what would you know, we had those prints on file. Not the crime of the century and not absolute proof, but a damn good start for a case from a simple post on socials. More useful than most intel/hearsay that ends up in crimestoppers or similar channels.
This reminds me of things that I've read about intelligence agencies increasingly finding it impossible to give agents fake identities for cover; everyone now has just left too much of a trail of data behind them. And if you find or create someone with no such trail, that stands out as being suspicious.
As an aside, this is a paradox that has fascinated me for a while. Potentially any step that we take to be more private or anonymous makes us stand out more, thus easier to track and re-identify, because we end up in a smaller crowd (i.e. anonymity set).
Boasting is required in his line of work, that's how they build street rep, sell their products/services, and recruit people. (Contrast this to spycraft where the acceptable amount of boasting is zero.)
What did him in was boasting from a non-clean slate identity among other things. He needed strict separation between big time jobs which require an absolute clean slate because all the attention will be there, small time jobs that are likely numerous and sloppier but no one will bother to investigate, and pleasure. He didn't have that.
I'm worried this new "level up" of communication and record-keeping technology, at a time when fundamental ideological differences between groups in the western world are causing problems, is going to result in a repeat of 1500s Europe.
I once read a detailed account of how he was caught. It seemed like the kind of clues that you could only connect post-hoc.
It seemed like parallel construction [1] to me. Considering that the NSA is known to give the DEA "tips" [2], and has a division specifically to start parallel construction investigations [3], and this was a high profile drug case, it would be odd that they didn't use parallel construction techniques.
I read the book about it, and it was actually an IRS agent who found a super old forum post where the guy announced he had created the Silk Road using a username that was easily linked to his real name.
The IRS guy figured it out and nobody would act on it because they all figured the FBI would know better and they should wait for the FBI to do it right. ... but actually he nailed it.
But how are they to be tied together? If you don't use the same name, or talk about very specific or correlatable things, then it's hard for me to imagine how you're tying my old IRC chats to my Facebook groups to my Telegram conspiracies. As far as I'm aware the really useful metadata is rarely available, since only the site operator had that and most likely deleted it or threw it in a drawer.
The previous Krebs article [1] on this walks through the opsec mistake(s), but it always comes down to email address re-use and nickname/handle re-use. As more data breaches happen, the likelihood of an opsec mistake increases. Once a handle is burned it’s best to never re-use it again… ever. Even if it’s been a decade.
Also, the reuse of email or any form of contact information on a service/web hosting or DNS registration is another common opsec oopsie.
He expressed negative sentiments about South Korea and showed he accessed a particular website at a given time.
Don’t post anything on the internet if you wish to remain anonymous. Don’t express opinions about anything.
We’ve had a few different posts on HN demonstrating that it is trivial to link aliases based on writing style. To avoid this you’d have to pipe everything you write through an LLM. And then you have another potential data point.
I will consciously alter the way in which I write wordz on le intranetz to make it more difficult to single me out as a Vietnamese female. I’m guessing not everyone puts this much thought into making words for posterity :-)
It used to be a fun lab prank to set text filters on browsers of unattended laptops, like swapping all gendered words. A colleague spent a week in an alternate universe before he realized something was amiss when he read a movie review for "The Lady of the Rings".
> I wish there was at least a way to delete ones profile here.
Not that it will help much, because all 1013 of your comments[1] are likely archived at multiple indexes: search engines, hn.algolia.com, the Internet Archive and half a dozen AI projects by HNers.
Yeah, deleting comments doesn't work because of the threaded nature of conversations here. Deleting the user, though... you might suggest this to dang (hn@ycombinator.com).
If you click through the FAQ link, there's a link to a comment from dang that says they'll reassign comments to throwaway accounts on request, or even change your distance to something random, which will in effect delete your account, but keep all your comments attributable to a single "anonymous" entity.
I think allowing for account deletion like reddit does (with all comments attributed to "[deleted]") is bad for following a conversation after the fact. I'm fine with HN's policy here and think they've struck a decent balance. I think this should be a case of "if you're not ok with this, don't post on HN".
Someone created a tool two years ago that does this, https://stylometry.net but it appears to be offline. The creator at the time said:
This site lets you put in a username and get the users with the most similar writing style to that user. It confirmed several users who I suspected were alts and after informally asking around has identified abandoned accounts of people I know from many years ago. I made this site mostly to show how easy this is and how it can erode online privacy. If some guy with a little bit of Python, and $8 to rent a decent dedicated server for a day can make this, imagine what a company with millions of dollars and a couple dozen PhD linguists could do.
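To see why the linking the tool's creator describes is so easy, here is an added toy example (not the stylometry.net code): character-trigram frequency profiles compared by cosine similarity over constructed posts from four hypothetical accounts, where "beta" is written as an alt of "alpha".

```python
"""Toy stylometric account linking: character 3-gram profiles + cosine
similarity.  Added example; the account names and posts are constructed."""
from collections import Counter
import math

# Constructed sample posts for four hypothetical accounts.  "alpha" and
# "beta" share habits (lowercase, "...", "imo", "tbh"); the others do not.
POSTS = {
    "alpha": ["honestly i dont think thats right... the whole thing seems off imo.",
              "anyway, whatever works for you i guess... not my problem tbh."],
    "beta":  ["honestly i dont buy it... the argument seems off imo.",
              "anyway, do whatever works i guess... not my call tbh."],
    "gamma": ["The proposal is well-reasoned. However, I would verify the benchmarks first.",
              "In my experience, such migrations take longer than planned; budget accordingly."],
    "delta": ["Great write-up, thanks for sharing! Bookmarked for later.",
              "Has anyone tried this with Postgres? Curious about the performance."],
}

def trigram_profile(text: str) -> Counter:
    """Count overlapping character trigrams.  Case is folded, but
    punctuation and spacing are kept: they carry much of the style signal."""
    t = text.lower()
    return Counter(t[i:i + 3] for i in range(len(t) - 2))

def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two sparse count vectors (1.0 = identical)."""
    dot = sum(v * b[k] for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def rank_similar(handle: str, posts=POSTS) -> list[tuple[str, float]]:
    """All other accounts ranked by style similarity to `handle`."""
    me = trigram_profile(" ".join(posts[handle]))
    scores = [(h, cosine(me, trigram_profile(" ".join(p))))
              for h, p in posts.items() if h != handle]
    return sorted(scores, key=lambda s: s[1], reverse=True)

def most_similar(handle: str, posts=POSTS) -> str:
    """Best candidate alt for `handle`."""
    return rank_similar(handle, posts)[0][0]

if __name__ == "__main__":
    for h in POSTS:
        print(h, "->", [(o, round(s, 2)) for o, s in rank_similar(h)])
```

With only two short posts per account the alt still ranks first; real tools use more posts, more feature types and a pass to down-weight trigrams common to everyone.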
It's also possible to eyeball similar writing styles, although not at scale. That's how "Fake Steve Jobs" was uncovered in 2007:
Last year, his agent showed the manuscript to several book publishers and told them the anonymous author was a published novelist and writer for a major business magazine. The New York Times found Mr. Lyons by looking for writers who fit those two criteria, and then by comparing the writing of “Fake Steve” to a blog Mr. Lyons writes in his own name, called Floating Point.
In spite of every programmer at work following the same styling guidelines and programming patterns, I can quite easily identify the author of a pull request by reading their code alone. The commenter's claim seems plausible to me.
I might actually have an easier time identifying authors by commit messages/patterns rather than their content since the styling guidelines are mostly handled by linters.
This sounds like advice for living in a crazy authoritarian country, not in the West.
It's astonishing how people are supposed to have freedom of speech and freedom from being spied on, since they live in the West and not in a Stasi-controlled state, but they are given advice not to talk too much, or Big Brother is going to get them.
Well Big Brother is going to get you if you're a criminal. This advice was for cybercriminals who don't want to get caught, not some random person disagreeing with the government on the internet.
I do think there is some danger in writing anything publicly. Our next government could decide to jail you based on something you said. Society could decide that some widely held opinion you once had is now forbidden. Anything you write could be used by nuts to dox you and expose you to harm.
You might as well say there is some danger to going outside because any random person could just stab you in the street. There is some danger to eating because anything you eat may have been poisoned. Yes, theoretically, everything but the laws of physics are arbitrary, anything is possible, and everything is dangerous. But this isn't an insightful or interesting observation to make.
In a vacuum you might be right, but come next month the serial stabbers and food-poisoners will be in charge of the executive branch of the US government. So it’s correct to be concerned about it, if you live there.
I have watched a Defcon talk about a drug dealer, and his opsec was already pretty good (fake name and address, yagi for wifi, etc.), but he still got caught because one of the guys he used to launder Bitcoin was caught.
So I think the point is not to get into the bullseye of the state.
I can't help but recall a NYC robbery around 20-30 years ago where the perps took photos of each other with a Polaroid camera they found at the scene and left the Polaroids behind.
> So what was his opsec mistake so that we can learn something from this case?
From the article:
"Anonymously extorting the President and VP as a member of the military is a bad idea, but it’s an even worse idea to harass people who specialize in de-anonymizing cybercriminals"
> On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphantom indicating he was a U.S. Army soldier stationed in South Korea
Read the article; there is a link in that sentence.