4 important lessons learned from the Silk Road smackdown

Law enforcement has finally caught up with the notorious Silk Road underground market, and reporters are having a field day writing about an incredible story as revealed by federal investigators.

Rife with drug trafficking, secretive Internet sites, and assassins for hire, Silk Road's tale is a crypto-crime story of epic proportions. But Silk Road is more than just a fascinating yarn: The site’s demise also has a lot to teach us about our current digital environment, especially when it comes to online security.

Here are four key takeaways from the end of Silk Road and the Dread Pirate Roberts.

It’s about the crimes, not the tech

An oft-cited fact about Silk Road is that it was part of the ominous-sounding “Darknet,” a secretive, hidden part of the web that's unseen by search engines like Google and only reachable with the help of the anonymizing Tor software.

But Heisenberg-proportion criminal enterprises conducted in a crypto-laden back alley tell only half the story of the so-called Darknet.

“It's essential that the use of encryption, anonymization techniques, and other privacy practices is not deemed a suspicious activity,” the Electronic Frontier Foundation said in a recent blog post. “Rather, it must be recognized as an essential element for practicing freedom of speech in a digital environment.”

Beyond criminal enterprises, Tor is also used by activists in parts of the world where speaking freely is impossible. Tor is even recommended by security experts as a good tool for anyone who objects to the U.S. National Security Agency’s reported surveillance activities.


Endpoint security will get you in the end

Assuming the case goes to trial, some of the data tying Ulbricht to the Silk Road will likely come from his own computer. FBI agents arrested Ulbricht and seized his laptop only after he had turned it on and entered his passwords, according to a report by Ars Technica. Presumably, Ulbricht had encrypted data on his laptop, which the feds wanted to have in a decrypted state before arresting him.

"Endpoints" like PCs and mobile devices are some of the hardest things to secure, because this is where data ends up sitting unencrypted, which makes them choice targets for attackers. Agencies such as the NSA reportedly have a variety of exploits at their disposal to break into everything from iPhones to laptops running Ubuntu.

“What I took away from reading the Snowden documents,” security expert Bruce Schneier wrote in a recent Guardian column referring to information supplied by NSA whistleblower Edward Snowden, “was that if the NSA wants in to your computer, it's in. Period.”

In Ulbricht’s case, law enforcement didn’t need to rely on any technical tricks to attack his laptop: They just snuck up on him after his data was exposed. Nevertheless, it’s a reminder that if you don’t secure the devices where you read protected data as best you can, no amount of encryption will help you.


Your online past really can come back to haunt you

In the search for the Dread Pirate Roberts, one of the earliest breaks in the case came when investigators discovered posts by Ulbricht on coding Q&A site Stack Overflow. The posts were questions that related to technology problems faced by Silk Road—and Ulbricht originally posted them using his own name. Ulbricht later changed his posts to the username "Frosty." That name shows up in the encryption code on a Silk Road server. Double d'oh.

Remember: Deleting something you've already posted doesn't always wipe it from the company's servers.

Ulbricht was also tripped up by Silk Road-related posts under the online pseudonym Altoid, including a post where Altoid directs people to get in touch with him at “rossulbricht at gmail dot com.” That Gmail address eventually allowed authorities to link Ulbricht to a VPN service used by the Dread Pirate Roberts.

Be careful what you post online, folks. Even if you don't fancy yourself the online equivalent of John Dillinger, oversharing on social networks can cost you friends and potential employment opportunities down the line.


Bitcoin sure is volatile

Following Ulbricht’s arrest, Bitcoin value plummeted by 8.6 percent, according to the Financial Times, ending trading on Wednesday at $128 per Bitcoin, falling from $141. At this writing, Bitcoin was trading around $124.

The trading price of Bitcoins mere minutes after the Silk Road bust was announced.

It appears the Silk Road bust may have sunk Bitcoin due to the digital currency’s association with the online black market. The indictment against Ulbricht revealed that Silk Road brought in over $1 billion in sales, all traded in Bitcoin.

That said, Bitcoin frequently has erratic price changes. In April, Bitcoin exchange Mt. Gox said it was fighting off a denial of service attack designed to affect the value of Bitcoin. In June, Bitcoin prices dropped over fears of another DDoS attack, when in reality Mt. Gox was hit with a surge of interest in Bitcoin from new users.

Bitcoin is a really neat idea, but with the currency subject to volatile price swings, it’s a long way from becoming the magic crypto-anarchist currency that some Bitcoin advocates dream of. But as Reuters’ Felix Salmon points out, losing the association with Silk Road may actually help Bitcoin gain more legitimacy.


Hollywood calling

The Silk Road in its glory days.

Who knows what else we’ll learn about the Silk Road case as Ulbricht’s case weaves its way through the courts? No matter what else gets dragged into the light, one thing’s for certain: With an incredible tale that includes drugs, weapons, hacking, a secret Internet, and murder for hire, The Ballad of the Dread Pirate Roberts is going to make an incredible movie one day.
