Staying in the darkness

Managing Pseudonyms Better Than DPR

When Dread Pirate Roberts was caught, there was a lot of talk about all of his OPSEC failures, specifically how he had used one pseudonym to reference another pseudonym’s email address, letting investigators tie together the activities of both accounts.

We’ve heard time and time again that we need to “compartmentalize” our lives and identities and never let them touch. For most, this is easier said than done, but here are a few thoughts on making it easier.

Start From Scratch

When he started out, DPR probably didn’t realize that his darkmarket forum would take off as well as it did, and he probably didn’t know he was going to be such a juicy target for law enforcement. So he had made some pseudonyms and was doing some research without paying much attention.

What we should learn is that, when it’s time to go dark, there is no looking back; we have to start from scratch. It doesn’t matter how popular you have become under one of your other nyms and how much community “cred” you’ve earned thus far, you have to drop it all.

Start from scratch and decide what you’re doing. Make up new accounts, and document the adversaries that you need to plan for. If you think you might ever accidentally cross back over, burn the old accounts. Generate new passwords and forget them. Don’t let yourself ever log into them again.

Lose the Ego

Starting from scratch also means accepting that, in some ways, you’ve completely wasted your time. The previous accounts you’ve created can never be used for what your other accounts are doing. You can’t send a private message to your friends saying, “Hey, this is actually Th3D@rkDru1d” because no matter how much you trust them, they will have become a liability.

You can see this issue again coming into play with DPR. He writes about how he is rich and powerful and feels limitless. It was his final power move of trying to kill someone that actually took him down the hardest.

Know Your Identity

If you’re creating more than one identity, you need to know each persona inside and out: names, addresses, background history, social network, common websites, even things like writing style and personality type. All of these are tools that an adversary could use to correlate your accounts.

Real Life is its Own Identity

Your real-life identity should be your most prized possession. It’s the most difficult one to burn: you can’t just start from scratch, and most people do not want to cut ties with their personal relationships. So this is the one you should protect the most.

One of the most common mistakes is to tie your real-life identity to an online pseudonym. It’s becoming popular for “hackers” and “security researchers” to share all their projects and information, some of which is illegal. Technically, port scanning an un-owned host is illegal but it’s one of those accepted things like speeding. As “hackers” are becoming famous at things like Defcon, Blackhat, and any of the other thousands of security conferences, the reward for disclosing things to the public is higher. This pushes them to make riskier decisions to get that fame.

Know Your OPSEC

Decide on your OPSEC measures. Figure out what you’re going to do to protect yourself and your identities. Each of your risky online activities will usually require its own separate OPSEC measures. Keep them divided, but keep them consistent.