[GeneralQuestions] So what do we REALLY know about OPSEC and its effect on arrests?

Take this with a grain of salt. I'm not a DNM scholar like /u/gwern.

But based upon what I have seen, this is the list of things people are worried about:

(and maybe a few more I have missed)

I can see how all of these things COULD be important.

However, as far as I can tell, these are the things that have been confirmed to lead to arrests:

Am I missing a lot of arrests due to failures in the "non-talking" OPSEC factors? I don't really put too much stock into the arrest reports that have no confirming factors at all. But it seems like we are worrying about a bunch of stuff that doesn't matter much, and 99% of OPSEC is just keeping your mouth shut.

Edit1: /u/gwern has a great summary on this:

"No single theme emerges reading through the many arrests."


Comments


[35 Points] GrandWizardsLair:

Most of what people on /r/darknetmarkets call "OpSec" is really Security Theatre. It gives them a sense of control and makes them feel safer but that's about it. The guy buying a quarter-ounce of bud every month can get away with a 1024-bit PGP key and a Windows machine: if history is any indication so can the guy selling quarter-ounces of bud. Personal use buyers (and arguably small sellers) don't have to worry about tumblers, VPN-to-TOR-to-Cracked Wireless Connection schemes or any of the other schemes you see waved around on Reddit like somebody's penis substitute.

Unfortunately, a lot of our Rusty Shacklefords will make 256k PGP keys and keep all their computer stuff stored on a well lubed flash drive ready to be keistered at the first sign of a policeman -- then tell their friends all about their adventures in great detail. Or they'll take the drugs they bought using Sooper OpSec and sell them out of their college dorm, or send them to their parents' house. And those are the cases when Security Theatre stops being a joke and starts being a real problem.

The last three points you highlighted are the ones that matter for just about everybody reading this. Real OpSec begins at home -- and that starts with not dealing out of your home and extends to "don't share your felonies with your friends."


[25 Points] gwern:

"However, as far as I can tell, these are the things that have been confirmed to lead to arrests:"

Your list is very incomplete - no mention at all of packages being profiled, caught by Customs, reusing return addresses, insufficient postage, reuse of post offices, being caught on camera by using postal machines for stamps, ordering from flipped vendors (something like 50 buyers for Xanax King alone!), having a dirty house...

If you wanted, you could work your way through the ~300 cases I've compiled in http://www.gwern.net/Black-market%20arrests and for each one list the relevant opsec material.


[12 Points] katzphan:

You can always boot from an SD card and encrypt all your information, so in the absolute worst-case scenario you just swallow your SD card; this is what a lot of hackers do. When I encrypt my files, I encrypt them with a poem that I have memorized, so that way my password is over 100 characters. It makes it close to uncrackable.


[7 Points] MLP_is_my_OPSEC:

Proper OPSEC is thinking about what you know can happen, not what you know is happening. It's the same in any security field, whether that be infosec or netsec. Will LE ever track your transactions in the blockchain? Probably not. But it can happen. Will your international order be seized? Probably not, but it can happen. etc etc


[4 Points] Spoogly:

Mitigation of risk is a big, important factor in playing your role in these markets. You do whatever you can to close as many holes as you can. I would wager that at least to some degree, the reason we don't hear about arrests due to OPSEC failures of the type you mention is because those are the low hanging fruit. Even the least technically competent buyer can pull off using PGP and TAILS, and we have aimed to make explanations as simple as possible. I'd guess that a fair number of buyers don't even bother to use their own PGP key, let alone post it to their profile on any markets, for the simple reason that with most transactions, sending address info is enough to be done.

We concern ourselves with those areas of OPSEC because they are the ones that can be readily understood by members, at least well enough to do them well. As far as OPSEC outside of darknet sites goes, though, there's a lot of subtleties there, that take a bit of work to deal with. If, for example, you're going to be dealing to real, physical people, making sure they don't have enough information on you to incriminate you is a good step. A better one is picking customers who know their damn rights and keep their fucking mouths shut, but that's not easy either. Picking customers is a hard problem, if you're dealing directly. If you're dealing indirectly, it gets a bit easier because you won't take the fall if the customer rats, but you also paint a bigger target on yourself.

As far as buying to your house and having your roommate/mother/neighbor's dog rat you out, if you can't tell the people around you what's in the package and have them just ignore it, and there's a chance they might open the package, then you should not order to your address. That's a solved problem.

BTW, since I've decided it's relevant to my post, here's the video I encourage any of my friends to watch if they tell me they're breaking the law: https://www.youtube.com/watch?v=6wXkI4t7nuc


[3 Points] deluser:

The best home security system in the world is worthless if you keep your tv outside.

tl;dr the number one rule of fight club


[2 Points] katzphan:

If you want to use a drop address, make sure it's not an address that has been vacated for too long. I used to use drop addresses, but I got tired of the mailman stealing my damn mail. I have used hotels too: you just send it to a hotel, and you call the hotel and tell them that you were staying there and a package got there after you left.


[2 Points] delta_eight:

I have some theories, but I'm afraid I'd be laughed out of the room. I do hold to them though (my opsec is quite different than most people's in a few key ways), because so far I'm not in prison and I'm able to make this post on reddit, so that should be proof enough.


[2 Points] DaveBowmanX:

Can someone specify what using Tails REALLY does? I understand it doesn't hold any information, but what else?


[2 Points] Yourconscious69:

The biggest flaw in OPSEC is one of the biggest flaws in the human race = EGO. It can not be changed without experience. People can not help but talk and brag.


[2 Points] Big_Daddy_Trucknutz:

Being arrested isn't necessarily the problem, being convicted is.


[2 Points] radium_fire:

Thanks for this thought-provoking post.