It's a pretty good presentation, and it cannot be understated that good security is hard to quantify until shit hits the fan. Especially in an environment where "hackers are no longer the apex predator."
In case of living life on the edge (of legality), all it takes is one slip-up and then you're doing 40 years of hard time. In terms of predator-prey, hackers will now always be running and desperately looking behind them.
Good advice: Predators always love playing with their prey, so make sure you're not being manipulated.
> Especially in an environment where "hackers are no longer the apex predator."
And especially in an environment where your peers sing like canaries because they usually lack the (violence-driven) codex regarding the treatment of snitches. And yeah, I remember the case of that tortured guy from that cc forums, but from what I read about all those arrests, it's an exception that proves the rule.
It has nothing to do with codex or creed or any of that, it's simply self-preservation. Most people aren't ideologues willing to go all the way (to death and destitution) for their ideals.
There are almost no organisations that expect a code of silence indefinitely. It is not really a practical expectation of a human being. Most covert organisations (e.g. Hizbollah [0], KGB [1], IRA [2]) will expect their agents to remain silent long enough for everyone else at risk to escape.
This is what happens when you remain silent rather than turn informant [3]. I have immense respect for Stephen Watt for keeping his honor, but I would not recommend taking that path to anyone in a similar situation. Lawyer up, and angle for the best plea deal you can get.
Tx for the links, seem interesting, saved them for a later read.
Yeah, you are absolutely right, but still I wouldn't compare lulzsec to the orgs you mentioned or mobsters. Let's get this straight - no hacktivist or cracker was found hanging on the cell bars or shot in the woods, that's just not a comparable environment to serious organized crime. If nobody is afraid even of getting their knees broken, not to mention ditched in a hole, is there anything stopping them from snitching the minute le shows up at the door? Snitching is punishable for a reason, and there is a reason that ruleset goes all the way down to street level crime or even minor offences (that last one actually differs among places for cultural and political reasons).
Informants are the greatest fear of all clandestine organisations. The reason for this is that they are privy to sensitive information that can be used to damage other members of the organisation.
Modern clandestine organisations use strict compartmentation to limit the information available to operatives so that informants have limited information. Examples of this exist even in the movies: http://grugq.github.io/blog/2013/03/11/opsec-lessons-from-re...
It is not lack of violence-driven knowledge about the ones that got caught.
It is the lack of self preservation forward thinking of the ones not caught.
Crime syndicates usually have insurance for families for people caught, and assurance that when they came out they will keep their share. If they didn't have this benefit they would be talking the same.
> it cannot be understated that good security is hard to quantify until shit hits the fan.
One of the reasons I stopped being a hacker a long time ago. You never know how good you've covered tracks until the Feds show up in your dorm room, take you to a windowless room and grill you for about an hour, scaring the shit out of you in the process.
I was lucky, I only lost some network privileges. Today the stakes are way higher and the Feds have some insane resources at their disposal. It's a zero sum game to them. You will lose every time.
Even worse is the speed of escalation -- organizations didn't use to go right to the feds, and when they did then the feds didn't immediately use 4am SWAT teams.
Nowadays the rate at which you'll get fucked hard is pretty fast, and they won't waste their time washing you through the legal system instead of letting you stew in a holding cell. Sure you'll get your plea bargain, but you won't like the part where you're forced to work as an informant immediately.
Criminals isolate, target, and research individuals based on this information. This includes everything from simple identity theft to murder. You may also recall numerous Yahoo email address "hacks" based off easily locatable answers to security questions of public figures.
There are some basic lessons here that are applicable to anyone using the internet, even just for casual reasons. That includes your parents or grandparents. What do you think the chances are that they would be able to proactively defend themselves against someone tearing apart their private lives based on information they didn't even know was public?
-Not sharing/linking email addresses an alias
How is this relevant? This could be as basic as not wanting to link your persona as a member of the town council to your postings in a World of Warcraft forum.
Even if your life is mundane and none of your hobbies are embarrassing this is still important. Forum posts, which most users treat as casual chat, along with many social media interactions are permanent, public, and searchable.
There is no compelling reason to allow anyone in the world to know an enormous amount of personal details about you. At least on your Facebook page, if Zuckerberg hasn't recently screwed with your privacy settings, you are narrowing the number of people who can look at these things.
I'm not going to endorse any particular services, but many sites allow you to search accounts by email address. Amazon, in particular, can reveal your public wishlist based on email address (rossulbricht@gmail.com shows an account but not a wishlist.) You can figure out a lot about a person from their wishlist + reviews.
Quite frankly I think this all is very relevant and mass marketable to anyone building tools and products to firewall personal information.
The issue is less about any specific ideology, but rather the social environment he was immersed in. Other than radicals, drug seekers, drug dealers and undercover law enforcement officials, he doesn't seem to have had much social interaction. His peer group was ideologically warped far away from societal norms. He had no outlet for either gaining ego validation (e.g. going to a bar and griping about his crap day at his startup cause some weed dealer ran off with $200,000); or social validation (e.g. "Hey everyone, my startup marketplace is doing really well! I've struck it rich due to my hard work and clever understanding of Austrian School economic theory!"). He had to talk with the same people that were drawing him further away from society, because he could not talk to anyone in mainstream society. This is a problem for almost everyone living a "high security" covert life.
I also strongly suspect that many of the undercover agents were acting as agent provocateurs, urging him on towards more extreme positions and actions. The Maryland Indictment reads like a set piece put-up job. I can believe that it was an operation with the dual intent of (a) documenting DPR committing a heinous crime, and (b) unmasking DPR, most likely through the wire transfer. Even if (b) failed, they would still have (a) to prosecute him with later.
He was left in a very terrible situation and decision. He was facing someone who was willing to destroy many other people's lives (assuming drug dealers would be arrested). If you take that as a given prior, then the step of deciding to prevent that person from hurting others seems like basic self defense (while noting that the USG prevented him from using other measures).
Edit: There's always still the possibility that DPR was aware he wasn't hiring hitmen, but felt it was the best negotiation tactic.
Yes, particularly for the second "hit" that he arranged (the one in the Complaint). However, the first "hit" (outlined in the Maryland indictment) seems to have been more of a set piece entrapment-alike. This was when he popped his online-hitman cherry, and it was the most difficult one for him. He seems quite distraught and upset in the messages, he has trusted this guy ("The Employee") as an admin, he loaned him the money for the "substance that would test positive as cocaine", he likely socialized with him and revealed a great deal of personal information.
I think the Feds played him (Ross Ulbricht) in this case and totally set him up for a fall. I accept that he stepped off that cliff himself, but I think it is likely that he was guided the whole way there by the Feds.
After this first hit, orchestrated from start to finish (?) by the feds, the second one seemed easier. He had learned to live with himself after the deed was done, he had pushed beyond that moral barrier of "don't have other people tortured and killed", and he had learned that violence can solve problems.
Now, as to whether this second "hit" was just him negotiating with a scammer, or whether he believed he was actually having someone killed. I think it is clear that without that first job, that first hand held walk through the dark side of the underground, he wouldn't have reacted that way.
I think he would have been less susceptible to the manipulations of the feds if he was in a normal social peer group. If he had some rational people who weren't inside the Silk Road bubble who could say "you want to have someone killed because they stole some SHA256 hashsums? Are you fucking insane?!?"
Sigh, I guess I was not clear enough with "If you take that as a given prior".
If you do have the assumption, axiom, belief, whatever, that drugs are moral and ease suffering, and that releasing data on these people will lead to long lives in prison, causing a chain of disastrous effects on many families, then yes, stopping the person that is trying to harm these other people may be considered.
Many people die each year due to the USG's war on drugs policy, and it has a violent effect on many of the countries to the south of Texas. Just for a bit of context/scope.
Edit: On second reading, I actually dislike your rhetoric even less. You can rephrase anything as a series of immediate actions. It's not the harm of "reporting to law enforcement", it's what happens next.
The response that your second reading of my comment generated seems to be "you didn't fully consider the impact of reporting someone to law enforcement, and, by implication, could be incorrect in your weighting of whether it might be justifiable to have someone killed to prevent them from doing that."
Given the stated assumptions, yes. Is there a flaw in that logic?
To arrive at another outcome, you'd need to weigh the suffering and somehow decide that a single person's life, who is actively trying to hurt others (that is, they aren't an innocent bystander), is somehow worth more. In some scenarios this can be a philosophical debate (how much small annoyance to millions of people is one other person's life worth?), but with an active adversary and no other course of action, it seems like the only rational decision.
You seem to be indicating that in this scenario you'd always value a single person's life (despite their actions) above many others' suffering. Is it because you view LE as morally superior, or do you have another set of priors that shape your reasoning?
Further down in the comments, you indicated it was OK in the case of Nazi Germany since it wasn't "real" law enforcement and it "involves certitude". That seems to indicate to me that you don't actually believe it's "invariably wrong".
OK, easier scenario: A guy is insane, and is going to murder 20 people. Your only option is to ask his friend to kill him. Is it still "invariably" wrong?
Anyways, my original question to you (and on other threads, like where you appear to defend seizure actions) is where exactly are you getting your priors? In all your replies you just rephrase things as if we're supposed to draw the right conclusion.
And I'm only asking because it's you, someone proven in security and rather insightful on many threads.
If it's just an innate, fundamental belief you hold, fine. I was just wondering if you had some special source or logic that lets you decide these things so absolutely.
Should DPR have considered nonviolent means to prevent the release of this information? Maybe he could have offered money in exchange for silence and everybody walks away healthy?
The hit in the complaint I read basically had the extortionist (FriendlyChemist) say he needed $500K to pay a dealer. DPR asks to talk to the dealer, and FC drops out of the picture and the dealer is happy to settle for $150K or so.
That makes zero sense, if $500K was actually owed. I doubt DPR was so naive to think that instantly a new contact would come online and trust him completely and be willing to negotiate a murder.
It looks FAR more likely that DPR and FC both "knew" the "dealer" was just FC on another account, and it was a way of negotiating that let DPR look "hard".
The complaint also makes it clear that police found no evidence of such a murder around the timeframe given.
First, you're missing the other hit story, the one he was actually charged with, where he paid an undercover cop to have a business associate murdered.
Second, the story you provide here is implausible. The "way of negotiating" you describe here doesn't make Ulbricht look hard; it makes him look guilty of an extremely serious felony. It would be well beyond incompetent to use "I'm ordering a hit on you" as a cover story.
Correct, in the complaint I only saw a mention of the second "hit" which looks a lot like negotiating the price down. After all, it did work; he didn't pay $500K. But perhaps I'm just wrong.
I'd be pretty sure his failure mode didn't take into account severity of his crimes. If you're gonna go operate on the scale he did, might as well go all out. Considering they can prosecute and probably give him life if they want, what's a few additional life sentences?
Ridiculous and slightly offensive comparison: It's not like Thomas Jefferson left an out clause for himself when starting the US revolution.
It is easy to imagine circumstances in which this is obviously true. Imagining isn't even necessary, if you allow your mind to wander to events and circumstances in history, though many people seem to find references to history to be distasteful...
Once we accept that there are indeed circumstances where the harm of killing somebody is outweighed by the harm of reporting a community to law enforcement, the question becomes "Is this situation one of them."
The war on drugs is extremely problematic for a multitude of reasons; are these reasons relevant in this case?
Wait, exactly who is accepting that there might be circumstances where it's less harmful to kill someone than to have them report others to law enforcement? I'm not within a million miles of accepting that premise. Are you?
I can see a rather obvious hypothetical circumstance. Someone from your town finds out you're hiding Jews from the Nazi government, and instead of immediately reporting you he confronts you in an alleyway and demands you hand over your life savings within the hour or else he'd report you. You're armed with a loaded pistol. Ignoring other potential options (such as merely subduing him then moving yourself and the Jews to safety, or paying up and hoping he doesn't report you) is it strictly more or less harmful to kill him (assuming you can get away with it) than to let him go report you to the Nazis and have you and the Jews you're hiding be sent to extermination camps?
Could anything at all similar to that hypothetical circumstance happen (or have already happened in history) in real life? I don't think the answer is a definite "no".
Exactly my line of reasoning; this is an example of an easy to think of scenario where it is "obviously" better to kill somebody than allow them to report something to law enforcement.
This example is rather black and white, though it is extreme. Before the inevitable objections to how extreme it is roll in, let me point out that it is supposed to be extreme; it establishes that there is a boundary, somewhere out there.
The DPR case is less extreme; it is not nearly so black and white. The question we should ask is "How gray is it?".
The Nazi case is easy to adjudicate because it involves certitude. The Nazis didn't have a "law enforcement" objective; they were executing a genocide.
I can't believe there's anyone on HN who really thinks putting a hit out on a SR snitch is defensible.
Feel free to scratch Nazis and insert any other example of extreme injustice perpetrated by organizations that considered themselves to be a part of some sort of law enforcement or judicial system.
Change the setting to the Underground Railroad and try that on for size: As far as the law was concerned, the people who were transported by the Underground Railroad were property. The law enforcement did not necessarily consider themselves to be a part of some sort of atrocity (although we can of course all agree that they were). They were, undeniably, law enforcement. There is no question in either of our minds that they were acting in a reprehensible manner, but they were nevertheless law enforcement.
It would be, unambiguously (in my not so humble opinion, although I can't believe there's anyone on HN who would disagree), justifiable to kill anybody that threatened to bring law enforcement down on the 'operators' or 'passengers' of the Underground Railroad.
Note that I am not saying that DPR putting out a hit is justifiable (and to continue to head off the annoyingly standard complaint others here like to throw out: No, I am not saying the Underground Railroad and the Silk Road are comparable in importance, severity, morality, etc).
What I am saying is that it sits in a gray area that requires some consideration. I am not willing to write it off carelessly.
There are probably a bunch of people on HN who think what the US government (or others) does in the war on drugs is ethically up there in the same ballpark as genocide. (I'm not among them.) Starting the reasoning from that perspective it's just as easy to see DPR's action as defensible as it is to see shooting the blackmailer in the Nazi example as defensible. Starting the reasoning from a more conservative prior, though, it's harder to tell. (Of course it's easy to see it's completely unjustifiable if in the prior mindset "ordering a hit on someone" is automatically unjustifiable.)
If you asked me what I would decide in a situation similar to DPR's two weeks ago, I doubt "put a hit on the blackmailer" would have crossed my mind... That's a totally different world to me. I think I might try guilt-tripping the blackmailer over the consequences if he released the information, or offer him a lesser amount of funds to buy some personal security against or transportation away from the supposed creditor... Who knows how successful either of those would be in stopping the release?
I'm curious what you would have had DPR do and what do you think the consequences would be?
You know what, scratch that last comment. I'll leave it there, but it is shit and I can do better. Let's bring this back down to Earth:
"Dan contacts Steve and tells Steve that he has information on drug dealers and users in Singapore. He intends to turn this information over to the government of Singapore. Steve knows that Singapore will execute many of these people, imprison others (some of them for life) and will viciously beat likely all of them."
How far can Steve go to ensure that Dan does not turn these people over to the government of Singapore? Is having Dan killed to spare those other people completely off the table?
Presumably if Steve really does think that Dan is bluffing, then Dan can show Steve the data he has. Should Steve, knowing that Dan really is in possession of the data he claims, take the chance that Dan has no interest in actually giving the data to the government of Singapore? That is a very high-stakes game.
Let's say that Steve is unwilling to call that bluff, or he is confident that there is no bluff. Is having Dan killed off the table for Steve?
Maybe just shoot him in the kneecap and warn him that next time it'll be in the head? Steve should have some obligation to dissuade Dan from his course of action prior to killing him, no?
This conversation aside, I hope you understand that you never shoot somebody without the intention of killing them. Never. There is no such thing as shooting somebody with nonlethal intentions, or as any sort of "warning".
Back on point, the recognition that killing Dan is on the table at all puts us on the same page. I certainly would not suggest jumping straight to that unless the circumstances made it absolutely necessary.
I'm not sure you thought that one through. Shoot him in the kneecap. He says "ok fine you're right", then goes home and delivers the people to their deaths. Then flies somewhere and hides.
Being shot in the kneecap is likely to make you run and hide as well as doing the act you've been threatening.
Edit: Kneecapping is only used where you believe the target will actually reform, or as intimidation on someone that doesn't have any leverage (like some poor kid that took out a loan and isn't paying it back). In high-stakes like the one outlined here, it's not relevant.
Also this whole subthread was supposed to be "given these priors" but everyone seems to get hung up on murder, ignoring that other peoples' deaths are regularly accepted in society by pretty much everything we do.
Considering the probability that people reported to law enforcement agencies will be killed as a result, and the probability that innocent bystanders will be killed, it may not be all that bad of a choice. The reality is that drug enforcement in America is done by soldiers who have an economic incentive to conduct raids (and almost no punishment for attacking the wrong house or killing the wrong person, or any person for that matter).
I doubt that DPR was weighing these issues if indeed he tried to get someone killed. More likely it was simple self-preservation.
This is a comment that says that trying to have someone killed might not be "that bad of a choice" if they are trying to report people to law enforcement.
"Law enforcement" does not refer to your friendly neighborhood patrol officers in this context. In the war on drugs, "law enforcement" refers to teams of soldiers who attack civilian homes following these kinds of anonymous tips.
My only point was that we should not immediately assume that reporting SR users to the police is a morally justifiable thing to do, and that the morals of killing someone to protect SR users are not unambiguous. I also said that more likely than not, if DPR tried to order such a hit it was because he was worried about his business, not his customers or the innocent bystanders who might be harmed by police raids.
I'm not sure how our differing opinions about the morality of reporting someone to law enforcement over drug sales is relevant to the question of the justifiability of having someone killed.
Whichever one he meant, he's on thin ground. If he meant "probable" as more likely than not, it's facially ridiculous. So I assumed he wasn't being ridiculous and was referring to a small but non zero number, and asked for a cite to what it may be.
Putting scare quotes only makes sense if you think he meant more likely than not, since otherwise he's just saying that whatever probability it is needs consideration (if you're in that situation). Which seems utterly reasonable.
"""
> Considering the probability that people reported to law enforcement agencies will be killed as a result
I'd love to see a citation for this "probability."
"""
Those quotes are not about the meaning of the word. They were the reason I assumed he was misunderstanding the (likely, in my opinion) use of the word "probability". (These quotes are about the meaning of the word... :) )
"Does he need to keep considering it until he changes his mind?"
I don't understand where you think I said anything of the sort; I meant only that by using those quotes, rayiner seemed to have taken the original commenter to which he replied to mean it was more probable than not. Apparently other people also believe that it was meant that way, so perhaps I'm completely wrong about how it was meant.
Except that rayiner then suggested he took the word the same way I did, and just wanted the original commenter's citation of a probability figure that wasn't offered in the first place, which means I have no idea what he was suggesting by putting it in quotes.
Clearly I'm failing badly at communicating what I mean and understanding others. :/
"Considering the probability that" could be read to mean "Considering the chance that", since probabilities are the measurement of chance. I believe that it was written to mean that. The idea that reporting people to law enforcement usually means that they will be killed is an uncharitable reading of the sentence, in my opinion.
It is covered in the Complaint. Essentially someone using the alias FriendlyChemist (FC) gained illegal access to a vendor's account, and possibly to a lot more. This gave FC a large trove of PII on SilkRoad buyers and sellers (names, addresses, etc). FC attempted to blackmail Dread Pirate Roberts (DPR) saying he would release the information publicly unless DPR paid him $500,000... which he needed because he was in debt to his upstream drug supplier.
DPR then asked to be put in contact with the upstream supplier so he could "sort something out".
Sorry, I meant the question to be a bit more meta. You don't usually wake up and find yourself in "oh shit, I need a hitman" situations out of the blue. It takes some work to get there.
Is the premise here that nobody should ever put themselves into situations where they cannot rely on law enforcement and the justice systems to resolve disputes and incidents?
Shipping companies semi-frequently seem to find themselves in situations where they wake up and think "Oh shoot, I need to hire some mercenaries." It takes some work to get into that sort of situation, but does that imply that they shouldn't have gotten themselves into that pickle?
If you are running a massive international illicit market worth billions, you are probably going to require that service sooner or later, unless you can walk away from it.
> "... gained illegal access to a vendor's account..."
Kind of off topic, but suppose "FC" were arrested, could this person be charged with malicious entry into an otherwise illegal enterprise?
Do those legal rights extend to people who had already been breaking laws?
Obviously, a bank robber has a right not to be murdered by another bank robber. But can the other bank robber be charged with stealing the victim's ill-gotten money in addition to the murder?
I find DPR to be a fascinating case study. Anarcho-libertarians often reject the use of force, except maybe in self-defense, on principle. But use of force is a fundamental interaction between organisms. It's one of the first modes of interactions young children come to understand. It's unrealistic to take it off the table. No matter how "civilized" you are, it's always lurking there as the most basic solution to conflicts. So here you have DPR, this smart, "civilized" guy. But when he's backed into a corner, he lashes out with violence just like any other animal would. In this case he didn't even have any reason to fear for his own life. He lashed out with violence to protect his material interests, just like an animal defending its kill.
His operational model should have been fine. He should have acted as if he was acting on the DEA's front lawn. He made fatal operational mistakes. If he was somewhere else, he may have even acted more carelessly.
Living somewhere else would be a minor hurdle. SR was an international site. Even without an extradition treaty, the feds would go to the country, say "psst, wanna hit a major international drug dealer?" And local police could bust him, jail him, then deport him, and then the USG could try him too.
If your opsec relies on you laughing from some small country, hoping legal barriers prevent your capture, you've totally failed.
Edit: He should have panicked as soon as agents visited him, but I guess he probably talked himself down. Probably figured "well they already have me or they don't", which was probably true.
Yeah. He should have lammed it as soon as the feds first talked to him. Really he should have run much sooner. At that point, the only option for him would have been life as a fugitive on the FBI's most wanted list. It was too late.
The key question for me is still: how did the FBI locate the Silk Road hidden service servers? They never disclose how that was accomplished. If they had an assist from the NSA in breaking Tor, I would like to know. It has been shown that Tor hidden services are not anywhere near as secure as they are thought to be... but has anyone done a practical attack in the wild? Enquiring minds want to know!
Running probably wouldn't have helped too much. I think his Forbes interview was an advertisement for "hey, I want to cash out, buyers please contact me", and a weak attempt at throwing people off his personal trail.
I find it VERY odd how they mention they imaged the server with zero information on how they found it. Smells very funny, like they intentionally left that part out. If it was a simple "we asked Rackspace for files on a one Ross Ulbricht" then they'd have said so.
OTOH, they may want us to think it was a secret attack, when it was just more of DPR's poor opsec. If he ordered fake IDs to hire servers but with his real picture... who knows.
Well, at least he should have chosen a country where the maximum penalty for what he did is not open-ended. He may face several times life in the USA now while in Germany for example he would face max. 15 years.
Everyone seems to forget he was running a business that was illegal in every (?) country in the world. Germany could jail him, then deport him and the US might try him and jail him. Germany might also decide to extradite him directly.
I think it'd be hard to become a citizen of a country that has nice imprisonment terms, is where you want to live, and will ensure you're only tried once and never extradited.
Long-term, the best strategy probably would have been to launder the money[1], then become a large donor/philanthropist and get lots of political friends and a great law firm on retainer. That way if they do catch up to him he's in a better position to deal with the DoJ.
Funny how everybody says that he should have done this and not done that. It is really an overwhelming experience to speculate and comment on past matters but don't forget that it was him who actually did it. Who actually ran the market place. Who cashed out and probably has reserves here and there. Who pressed that "submit" button on stackoverflow. You weren't capable of doing so. You think you have better ideas about it. That you could "disappear" and never get linked to the real "you". I am not daring you to try it, as it can land you behind bars, but I am just saying that unless you actually experienced and lived all of this - the commentary is nothing more than a theoretical shim which will never become reality.
I'd agree with this sentiment except the mistake is a very fundamental, very flawed one: reusing the same ID. And it was made right at the beginning, when energy is highest. It's not like he made long mistakes over the years leading to an eventual arrest. He allegedly started off by posting with the same ID as his physical person.
Honestly it is more understandable to make that type of mistake at the beginning; there is no way he could have reasonably assumed that he would later have the level of fame that would make the feds run a high priority effort specifically to catch him.
You don't have to have tried building an international drug ring to see fundamental errors in the way he did things though. His alias was sloppy and insufficiently isolated from his real identity. I don't claim I could have done better, I can think of theoretical improvements but won't claim I'd have implemented them in that situation. You're right that nobody can claim to know they wouldn't make mistakes, but I don't think there's anything illegitimate in pointing those mistakes out.
Without performing "lessons learned" analysis on failures, how will we ever learn? Conducting this sort of exercise is critical to improving the capabilities of everyone who engages in clandestine activities. Dismissing it out of hand is remarkably short sighted.
This happens all the time. It's easy to make decisions if you know all the variables post factum. Sometimes you make decisions without all the knowledge.
For people analyzing the lessons learned it's easy...
http://www.youtube.com/watch?v=9XaYdCdwiWU
slides: http://www.slideshare.net/grugq/opsec-for-hackers