## 📚 Table of Contents

1. [Here are some notable examples of bad Tor OPSEC](#here-are-some-notable-examples-of-bad-tor-opsec)
   * 1.1 [School Bomb Threats](#school-bomb-threats)
     * [Florida High School Student](#florida-high-school-student)
     * [Harvard Student Eldo Kim](#harvard-student-eldo-kim)
   * 1.2 [Silk Road Case](#silk-road-case)
   * 1.3 [LulzSec Hacking Group](#lulzsec-hacking-group)
   * 1.4 [General Bad OPSEC Practices](#general-bad-opsec-practices)
2. [External Lists on GitHub](#a-few-lists-i-found-on-github)
3. [Mullvad VPN: A Contrast in Security](#mullvad-vpn-a-contrast-in-security)
4. [Final Thoughts](#final-thoughts)
5. [References](#references)
6. Back to [main guide](../README.md)

# Here are some notable examples of bad Tor OPSEC:

In short:

[You Didn't Have to Post That](https://www.youtube.com/watch?v=AkQaL9SU2BY)

## School Bomb Threats

### Harvard Student Eldo Kim

Eldo Kim, a Harvard student, emailed bomb threats over Tor to avoid taking exams[^2]. His OPSEC mistakes were:

1. Using the school network to access Tor
2. Being the only Tor user on the network at the time of the threat
3. Admitting to the crime when questioned by police
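
Mistakes 1 and 2 combine into one investigative step: whoever holds the campus connection logs only has to intersect "hosts that talked to a Tor relay" with "the minutes around the threat". The script below is an added example (not from this page, and not any real investigation's tooling) that performs that intersection over a constructed connection log; the relay addresses are placeholders from RFC 5737 documentation ranges and `TOR_RELAYS` stands in for a published relay list. The second call shows why the inference collapses once there are more Tor users in the window.

```python
"""Network-log correlation of the kind the Eldo Kim case turned on.

Added example, not from the page. Given a campus connection log and a set of
known Tor relay addresses, list every internal host that connected to a relay
inside the time window around an event. All log lines and relay addresses
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for a Tor relay list (placeholder addresses, not real relays).
TOR_RELAYS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

# Constructed connection log: timestamp (UTC), internal host, destination IP, destination port.
CONN_LOG = """\
2024-01-15T08:15:02Z host-a 203.0.113.5 443
2024-01-15T08:31:40Z host-b 192.0.2.10 9001
2024-01-15T08:33:12Z host-c 203.0.113.9 80
2024-01-15T08:58:55Z host-b 198.51.100.7 443
2024-01-15T10:05:00Z host-d 192.0.2.11 9001
2024-01-15T10:07:19Z host-a 192.0.2.10 443
"""


@dataclass(frozen=True)
class Conn:
    ts: datetime
    host: str
    dst: str
    port: int


def _parse_ts(value: str) -> datetime:
    # datetime.fromisoformat() before Python 3.11 rejects a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text: str) -> list[Conn]:
    """Parse the whitespace-separated log format above into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        conns.append(Conn(_parse_ts(ts), host, dst, int(port)))
    return conns


def tor_users_in_window(conns: list[Conn], relays: set[str],
                        start: datetime, end: datetime) -> list[str]:
    """Internal hosts with at least one connection to a known relay in [start, end]."""
    return sorted({c.host for c in conns if c.dst in relays and start <= c.ts <= end})


def candidates_for_event(log_text: str, event_iso: str,
                         minutes_before: int, minutes_after: int) -> list[str]:
    """Hosts that were talking to Tor within the window around the event time."""
    event = _parse_ts(event_iso)
    return tor_users_in_window(parse_log(log_text), TOR_RELAYS,
                               event - timedelta(minutes=minutes_before),
                               event + timedelta(minutes=minutes_after))


if __name__ == "__main__":
    # Narrow window: host-b is the only Tor user, so the log alone singles it out.
    print(candidates_for_event(CONN_LOG, "2024-01-15T08:45:00Z", 30, 30))
    # Wider window: three Tor users, and the log no longer identifies anyone.
    print(candidates_for_event(CONN_LOG, "2024-01-15T08:45:00Z", 60, 120))
```

The lesson is the size of the anonymity set, not the cryptography: Tor hid the content and the destination, but a single Tor user on a logged network in a narrow window is still unique. The same query is a legitimate incident-response step for a network owner, which is exactly why a user should not expect a small, monitored network to provide cover.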

## Silk Road Case

Ross Ulbricht, alleged operator of the Silk Road dark web marketplace, made several OPSEC blunders[^1]:

1. Using his real-name email address ([email protected]) in forum posts seeking IT help
2. Posting on Stack Overflow about Tor hidden services under a username later linked to Silk Road
3. Mentioning Tor and Silk Road to customs officials when caught with fake IDs
4. Failing to protect the real IP address of Silk Road servers

## LulzSec Hacking Group

Members of the LulzSec hacking group made various OPSEC mistakes[^3][^4]:

1. Discussing operational activities in IRC channels
2. Revealing personal information, allowing profiling
3. Using stolen credit cards for purchases shipped to their own addresses
4. Trusting individuals who were working with the FBI

## General Bad OPSEC Practices

Other examples of poor OPSEC when using Tor include:

1. Contaminating identities by not maintaining compartmentalization
2. Failing to keep sensitive information confidential
3. Using predictable naming conventions for usernames, code, and passwords
4. Maintaining consistent working hours that can be traced to a specific time zone
5. Leaving command-and-control servers unsecured, exposing sensitive data
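
Point 4 is worth seeing in code, because it is the kind of analysis threat-intelligence reports use when they attribute a cluster of activity to "working hours in UTC+N", and run against your own post or commit history it is a self-check for the leak. The script below is an added example, not from this page or any specific report: it bins UTC timestamps by hour of day and finds the whole-hour offset under which the largest share of activity lands in a 09:00 to 17:00 local working day. `SAMPLE_TIMES` is constructed, with activity clustered at 14:00 to 21:59 UTC plus one outlier.

```python
"""Working-hours analysis of activity timestamps.

Added example, not from the page. Given UTC timestamps of an actor's posts,
commits or logins, find the UTC offset under which the most activity falls
inside a local working day. SAMPLE_TIMES is constructed for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed: two events per hour on two days, 14:00-21:59 UTC, plus one 03:12 UTC outlier.
SAMPLE_TIMES = [
    f"2024-03-{day:02d}T{hour:02d}:{minute:02d}:00Z"
    for day in (4, 5)
    for hour in range(14, 22)
    for minute in (5, 40)
] + ["2024-03-06T03:12:00Z"]


def hour_histogram(timestamps: list[str]) -> Counter:
    """Count events per UTC hour of day (0-23)."""
    # fromisoformat() before Python 3.11 rejects a trailing 'Z'.
    return Counter(datetime.fromisoformat(t.replace("Z", "+00:00")).hour for t in timestamps)


def best_offset(hist: Counter, work_start: int = 9, work_end: int = 17) -> tuple[int, float]:
    """Return (offset, share): the whole-hour UTC offset in -12..+14 that places the
    most activity inside [work_start, work_end) local time, and the fraction of all
    activity it explains. Ties resolve to the most negative offset."""
    total = sum(hist.values())
    best_off, best_n = None, -1
    for off in range(-12, 15):
        n = sum(cnt for h, cnt in hist.items() if work_start <= (h + off) % 24 < work_end)
        if n > best_n:
            best_off, best_n = off, n
    return best_off, best_n / total


def infer_offset(timestamps: list[str]) -> tuple[int, float]:
    """Convenience wrapper: offset and explained share for a list of ISO-8601 UTC timestamps."""
    return best_offset(hour_histogram(timestamps))


if __name__ == "__main__":
    off, share = infer_offset(SAMPLE_TIMES)
    print(f"UTC{off:+d} explains {share:.0%} of activity as 09:00-17:00 local time")
```

Two caveats a practitioner would keep in mind: the result is an offset, not a country, and with daylight-saving shifts or a handful of events it is weak evidence on its own. The defensive reading is that a regular schedule is a signal you are emitting whether or not anyone is listening; if the histogram of your own activity has a clean eight-hour block, an analyst sees the same block.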

## A few lists I found on GitHub

https://github.com/jermanuts/bad-opsec

https://opsecfail.github.io/

Another one I'd like to add is Mullvad and its features:

## Mullvad VPN: A Contrast in Security

Mullvad VPN offers several features that prioritize user privacy and security:

1. **Anonymous account numbers**: Mullvad generates random 16-digit account numbers, eliminating the need for personal information like email addresses or usernames.

2. **Strong encryption**: Mullvad uses AES-256 encryption for OpenVPN and ChaCha20 for WireGuard connections.

3. **No-logs policy**: Mullvad has a strict no-logs policy, verified by independent audits.

4. **Lockdown mode**: This feature blocks internet connections not secured by Mullvad's servers.

5. **DNS content blockers**: Users can restrict access to ads, adult content, malware, and more.

6. **Open-source software**: Mullvad's commitment to transparency includes making their software open-source.

7. **Use of cryptocurrency such as Monero**: Mullvad accepts Monero, a privacy-focused cryptocurrency that can be mined on a person's own node; they also accept cash payments or deposits sent by mail.

## Final Thoughts

However, I'd like to point out that even with services like Mullvad you could still get caught in some circumstances, even with a no-logs policy. Humans can deduce and figure things out on their own; machines cannot and have to be guided. None of these tools are foolproof, and the problem will always exist between user and keyboard.

See also:

[OPSEC-OSINT-Tools - OPSEC Toolkit (n.d.)](./opsec.md)

## References

[^1]: U.S. Department of Justice. “Ross Ulbricht, a/k/a ‘Dread Pirate Roberts,’ Sentenced in Manhattan Federal Court.” U.S. Department of Justice, 29 May 2015, https://www.justice.gov/usao-sdny/pr/ross-ulbricht-aka-dread-pirate-roberts-sentenced-manhattan-federal-court-life-prison.

[^2]: United States Department of Justice. “Harvard Student Charged With Making Hoax Bomb Threat.” United States Department of Justice, 16 Dec. 2014, https://web.archive.org/web/20250710222935/https://www.justice.gov/usao-ma/pr/harvard-student-charged-making-hoax-bomb-threat.

[^3]: FBI. “Leading Member of the International Cyber Criminal Group LulzSec Sentenced in Manhattan Federal Court.” FBI, 27 May 2014, https://www.fbi.gov/contact-us/field-offices/newyork/news/press-releases/leading-member-of-the-international-cyber-criminal-group-lulzsec-sentenced-in-manhattan-federal-court.

[^4]: Hope Trampski. “Hacktivism: The Short Life of LulzSec.” Purdue University cyberTAP, 5 Dec. 2024, https://web.archive.org/web/20250303215642/https://cyber.tap.purdue.edu/blog/articles/hacktivism-the-short-life-of-lulzsec/.