DefCon speaker and host of DoingFedTime on YouTube, Sam Bent joins the podcast to shine light on operational security concerns on the dark web. The reformed darknet marketplace seller shares insights and advice for best practices when investigating on the dark web.

Key takeaways

  • OPSEC on the dark web
  • The different darknets
  • Linguistic analysis in evidence gathering

About Sam Bent

Sam Bent is an experienced cybersecurity expert and founder of Doingfedtime, LLC, with over two decades of expertise in InfoSec, OpSec and OSINT. Self-taught in the nuances of tech, Sam's career is defined by his systematic approach to challenging the norms and confronting formidable adversaries like federal governments. His specialization is on the Darknet. He adeptly navigates the complexities of OpSec, InfoSec and OSINT, focusing on empowering others to protect their privacy and anonymity. He is a paralegal who has published a book on crafting compassionate release motions effectively. He enjoys sharing his knowledge through his YouTube channel Doingfedtime, where he advocates for continuous learning and self-empowerment in the digital age.

Jeff Phillips
Welcome to NeedleStack, the podcast for professional online research. I'm your host, Jeff Phillips.

Aubrey Byron
And I'm Aubrey Byron, producer and co-host.

Jeff Phillips
So joining us today is Sam Bent. Welcome, Sam. Sam's a DefCon speaker. He's an author, YouTube content creator, and a paralegal, which we'll get into.

Sam Bent
Hi. Thanks for having me on.

Aubrey Byron
Sam, you're passionate about dark web OpSec, or operational security. What does operational security look like on the dark web?

Sam Bent
So the same thing it looks like in the context of a military or a cybersecurity firm. And that's just looking at what you have, what data or information exists out there about you, and limiting that data or information being out there. It's essentially depriving your adversary, whoever it is, of intelligence.

Aubrey Byron
And it's been a while since we talked about the dark web on this show. We should mention we're going to go into darknet marketplaces and how it can be used for narcotics and other sorts of illegal activity. But we should mention there are legitimate uses for the dark web, such as subverting censorship and dictatorships and a free flow of information.

Jeff Phillips
Awesome. Well, let's go a little bit deeper into the darknet. So, Sam, you have experience as a former darknet vendor who was actually caught in what you were doing online and served some time for that. How did that experience affect your outlook on intelligence gathering and the flow of information? I know you're now, I should say, as mentioned earlier, besides the darknet, passionate about OSINT. So can you tell us a little bit about how that all came together?

Sam Bent
Sure. Yeah. Well, through bad decision making, pretty much having a background in cybersecurity and being in a bad circumstance and making the decision to do narcotics trafficking, you tend to go with what you're familiar with. And for me, that was doing it from a cybersecurity standpoint, and that was pretty much the darknet. That was the outlet that I ended up going down. How I actually got there was a culmination of those things: understanding operational security, information technology and infosec. All those things kind of combined together to create a perfect storm for me to make this wrong decision and start trafficking narcotics on the darknet.

Jeff Phillips
But now, from a cybersecurity perspective, we were talking earlier a little bit about why different people should be. Well, when you look at the darknet and OSINT and why it's such a valuable information source, can you talk a little bit about that from a cybersecurity perspective? Why, as a threat intel analyst or a SOC analyst, you might want to pay attention to what's going on out on the dark web.

Sam Bent
Yeah, I would liken it to any other landscape where there's a vast amount of information or knowledge that's put out by people who know what they're doing. So, for example, a lot of the people that you mentioned, they're going to be fans of DefCon, right? They're going to attend those kinds of conferences. Why? Because there's a ton of valuable information there, or interesting things that they think are awesome, and that's why they attend. And it's kind of the same idea with the darknet, except it's not an actual place you go to, but it does have a ton of information and a ton of knowledge, and some scary things along with that. It's just another place with information. I guess looking at it and saying, "Why is it valuable?" would be the equivalent of looking at the Internet in 1992 and asking that same question.

Aubrey Byron
Sam, you talked about kind of your path to becoming a paralegal. Can you tell us a little bit about that?

Sam Bent
Yeah, sure. I think any Red Team or Blue Team individuals out there can appreciate the ability of looking at something and trying to reconfigure it to have a different purpose or make it do what you want it to do, which for me is the definition of hacking. It's not something solely related to computers. You have, like, phone phreaks and whatnot, but when you were a kid, if you took apart clocks and put them back together for an alternate purpose, you were a hacker. By definition, repurposing anything to come to a different end is exactly that: it is hacking. It doesn't have to be in a cyber realm. It doesn't have to be any of that. So I just got totally lost in a train of thought. What was your original question?

Aubrey Byron
Just about how you became a paralegal. But that's a very interesting perspective on it.

Sam Bent
So becoming a paralegal for me was kind of an evolutionary step, I guess you would say, when I ended up going to federal prison. Because when you first go in, you go into solitary for seven to 14 days. So after being there, it didn't take long for me to put together, like, this isn't a place I really want to remain. So I started using the most powerful thing in the world, which is information. Anyone who's innocent knows that there's a lot of inherent power in information. So one of the places in a prison that has the most information is the law library. And I spent many hours there educating myself on a daily basis. And I got to a point where I was able to write my own motion, file it, and actually won my freedom after 18 months, when I was supposed to be in for 60 months. And it was all thanks to information that was out there that was free. So it was thanks to OSINT. But it's looking at things from that perspective of trying to get information in order to complete an objective or a task, and we all do that.

Sam Bent
We just do it in different ways and not in as extreme situations. But it really goes to show you, once you take on that mindset, whether you're looking at it from a hacker's mindset or you're looking at it from the mindset of an OSINT practitioner, that at the end of the day, you can do some really powerful things with these skills. And they're not things that are simply limited to online. I would argue some of the original collectors of OSINT were putting cups against walls, listening to elders negotiate in tribes. It was an evolutionary step, I guess I would say, in my hacking and OSINT methodologies.

Jeff Phillips
You also had mentioned that during your time, and there were other people in for narcotics, but you were the only dark web or darknet vendor that you met. Why do you think that was the case?

Sam Bent
Low-hanging fruit. And what I mean by low-hanging fruit is, if I was to take five people and put them outside with signs that said that they were selling an illegal substance, depending on what city you're in, there are plenty of cities where there are open-air drug markets and nothing's being done about it. But depending on where you're at, that could get shut down almost immediately. And then if you were to ratchet up and have a little bit more security, now it's not openly advertised, the lifespan of that drug trafficker is probably going to go up a little bit because they have less risk now. They've mitigated that by upping their security. And they've done that by restricting information, which is OpSec. It's restricting information to your adversaries. So when you take that to another level, and now they're no longer texting, they're no longer using mediums with no encryption, and they're not using the clearnet and they're not using social media for trafficking, you're taking it to a whole other level where now you're using encryption and all these other things. And while law enforcement has the ability, to some point, to be able to intercede and make arrests, if you do the research into these arrests, what you'll find is that most of the time it's very stupid OpSec mistakes.

Sam Bent
For example, because we're talking about OSINT, if you looked at the headers in, I think it was AlphaBay at one point, it had the admin's email address in there, like his clearnet email. So that is a massive OpSec issue, but it's freely available, right? So anyone could have seen that information. But it's stupid mistakes like that that typically end up bringing down darknet vendors and darknet market admins. I worked as both. So those little mistakes are massive, massive problems. So when you're saying, we're going to take this race car and we're going to race it on this beach, but we have to make sure not one grain of sand gets into this high-performance engine, that's a massive undertaking, especially when you're the only one who's doing the work. With a lot of companies, in IT and cybersecurity, those are teams of people, and sometimes they're teams of hundreds of people. So it's like, okay, well, now it's just you, and you're also in charge of logistics and everything. So it's a very big apple to try to swallow. But for the people who take that challenge, again, they are significantly restricting information that gets out there.

Sam Bent
So to answer your question, I think you see a massive reduction in arrests going from regular drug dealers, street dealers, to middlemen, to the darknet vendors, because of the assistance of that technology and more so the intelligence that goes into it. Because if you read, we have to have, like, a quote from Sun Tzu to really nail this: the general who does more calculations at the end of the day is going to win. So one of my favorite sayings is that a fool with a plan beats a genius without one every time. I think there's a lot of truth in that. But at the same time, I'd like to make clear that I don't advocate for anyone to do drugs. Obviously it's not a good thing, but at the same time, it's idiotic to think that you can stop it. It's like, well, if we do a really good job with cybersecurity, we'll eliminate nefarious hacking. It's not going to happen. And I think it's foolish to think so, but it's a massive, massive world that exists, and it's one that is completely removed from the normal world that exists. So if you could look into an alternate reality, that's pretty much what you're doing.

Sam Bent
One with very little regulation or rules, your average agorist is going to love the darknet because they can vote with their dollars, right? There is no regulation. The government's not regulating anything. And what's crazy is you're going to have more harm reduction there than you're going to have on the streets.

Aubrey Byron
Do you think it speaks to the sophistication of law enforcement? Sort of like how few of these darknet vendors are getting caught? Or do you think it's more just that there's so much on the street, physical crime already that they just don't have as much time or resources to look into?

Sam Bent
I think we could pretty much bring up Twitter and plug in anything about San Francisco, and at the end of the day, we could pretty much see that crime, whether it's on the darknet or in the real world. And not to hate on San Francisco, just an example, there's a ton of crime everywhere, and even more so because I've had the argument, well, you're a criminal. Like, what you did was illegal and that was wrong. I'm like, okay, but there's a massive difference between doing something morally wrong and doing something criminal. And at the end of the day, everyone, including everyone on this podcast, is a criminal. And it's like, wait a minute, what do you mean by that? Well, if you look at a lawyer, a lawyer studies for at least seven years, right, to be a lawyer. And at the end of the day, they're not a lawyer in everything. They're a lawyer typically with one or two specialties, right? So maybe civil, or maybe intellectual property, or criminal, but they pick a specific part of the law. They don't know all of the law, because you would have to be an LLM, too.

Sam Bent
So for us, as people who have never gone to law school and are not lawyers, to think that we can somehow know every single law and follow it is absolutely insane. And there was a Harvard study called Three Felonies a Day. I believe it was a book by a Harvard professor called Three Felonies a Day, where he talks about how your average citizen commits three felonies a day and is completely unaware of it, because of the crazy amount of regulations and laws. Just the tax code alone. No one here can quote me the entire tax code. I'd put 50 grand on it. But that's my point. And when you have that much crime, where literally everyone's a criminal, how would anyone police that? I wouldn't be able to, even with the resources that they have. And you have to figure, like on the darknet, we're not just talking about federal law enforcement here in the United States. We're talking about federal law enforcement like the Dutch, the EU, all these different agencies, and some of them actually have joint operations together. And even then, there's not a whole bunch of change effectuated unless there's a really stupid OpSec mistake by a vendor or a market.

Jeff Phillips
We've mentioned OpSec. Can I turn that around a little bit, as compared to the OpSec of a darknet vendor? On the other side of it, if you're a fraud analyst or a threat intel analyst, can you talk, like, I don't know, what you use on your system to protect yourself if you go on the dark web, right? It is the wild, wild west. Are there things you recommend or do on your end when you're accessing? As compared to saying, I just downloaded Tor and I go on my work machine and I just go surf the darknet. Can you talk a little bit from that perspective?

Sam Bent
Yeah, sure. If you're in an environment and you're like, I don't know if I'm doing everything that I should be doing, then you shouldn't be in that environment. That's the best advice I can give anyone, because it's going to be timeless. If you find yourself in a place, let's say you go to a party and you're uneasy about it, that's your mind telling you there's a problem, there's something happening. Maybe you're not aware of it consciously, but there's an issue. So if you find yourself in an electronic environment where you have those same kinds of feelings, or you're unsure, then you probably have a bigger issue. And it's not necessarily what browser you're running, what OS you're running, but the intellect. You have to fully understand what information you're actually putting out there, making available to OSINT practitioners to grab up, whether it's for federal agencies, criminal gangs, whatever it is. Because at the end of the day, as a criminal, I would use a Google Dork exactly like a Fed would. There's no difference. It's like people make the distinction, like, oh, black hats and white hats, and it's like they're both using the same tools.

Sam Bent
But at the end of the day, it's the intent that's different. And that's how I would go about saying it. I would say that if you're in that position where you're not sure, then you need to learn more about it. If it's like, well, I read about DNS leaks, maybe I have a DNS leak, and I'm using Tor on my mobile device. If you look up Tor on a mobile device and you go to Reddit, you're going to find real quick that people are like, listen, don't use mobile devices. If it's Apple, it's because it's not really Tor, it's Apple's version of it. And if it's Android, it's, you know, Google has spyware in those devices. And I've seen people say, well, you can get de-Googled phones and all that. But again, at the end of the day, if you're in a landscape and you don't understand what the problems are or what your potential vulnerabilities could be, then you need to learn more before proceeding, because you're in a very dangerous spot not knowing. So with OpSec, you're controlling your information. I'm controlling what my adversary is seeing, but if I don't know what information I'm putting out there, I can't have OpSec.

Sam Bent
If I don't know what OpSec is, then it's a whole different level. And then information technology is kind of a drilled-down aspect of OpSec, where we're talking about encrypting your device. So your question is more about the specifics of things, which I would say is more of an infosec-related question than an operational security-related question. But they complement each other very much. But going out in a threat landscape where you're looking at those different kinds of things, you really need to analyze and know what's going on. And that's the really difficult part of it. And that's why you have departments that handle infosec, and whole policies are created for that. And that's kind of the fun challenge of being a darknet vendor and a darknet market admin: doing that as one person against agencies where their data collection methodologies in some cases are classified. How do you anticipate that? You just expect the worst. You get way paranoid and you try to say, what level of technology could they have? Or what level of technology would I have if I had billions? How would I spend it?

Jeff Phillips
Right?

Sam Bent
And you don't know, because your adversary, again, it's classified information, but they have black budgets. But you can go out and you can learn enough to be able to keep yourself safe. And that is applicable in any situation, whether you're at a party. It's like, if you're a female, don't leave your glass unattended. Right? If someone walks up to you with a drink that's already open and you don't know them, you might want to be careful about accepting it. There's a whole bunch of red flags that, if you go into any environment and you know them, because your adaptability is higher, your survivability for that situation will also follow really quick.

Aubrey Byron
You mentioned DNS leaks. Could you just quickly define that for anyone who might not know in the audience?

Sam Bent
Yeah, sure. So if we were to bring it back to, like, let's say back in the day when we had 411, right, or the Yellow Pages, and anyone who's under 20, I'm sorry for the old-school references. But basically, if I wanted to call you and I didn't know your number, I couldn't pick up the phone and dial your phone number. I would have to know the phone number. So I would have to look you up in a separate directory, whether it was a phone book or calling a separate number, to get your actual phone number. And basically how DNS works is, when you type in, say, Twitter.com, you're not actually going to Twitter. You're hitting this separate directory that's saying, hey, what's the IP address for Twitter? It's giving that IP address, then you're going to that IP address. "Twitter" is just a way for your human brain to be able to remember it, because trying to remember, like, 1283-862-6148 isn't practical for any human being.

Aubrey Byron
Yeah.

Sam Bent
So with those DNS leaks, basically what I was talking about is, if you were using it and you had a DNS leak with Tor, if I'm monitoring your traffic, I might be able to see the sites you're requesting that DNS information for, so I might be able to see what it is you're asking for. And if I have your DNS compromised, I might be able to send you the wrong site so I could infect you with malware. That's a whole other topic. It's important to know what the possibilities are and the problems that you could face. So, for example, for me, mitigating that issue would be like, okay, well, first off, I didn't have WiFi at my house, so I was like, if I need to check transactions, if I need to check orders, I'm going somewhere else. Or I'm using a long-range antenna to grab someone else's WiFi, so that if I do have a DNS leak, it doesn't matter anyways, because I'm not actually on my WiFi.

Jeff Phillips
Right.

Sam Bent
So all those kind of things are the insane things that you try to plan for, because you are playing the adversarial role. Your nemesis is the OSINT practitioner. They're the person looking for that information that's out there that's freely available. And there are times when OSINT practitioners won't just look at OSINT. They'll do other things to find that information. Whether they're ethical or not is a whole different matter. But that's my point. You doing OpSec is basically the opposite of what the OSINT practitioner is. You're trying to protect your information and see what data is put out there while the OSINT practitioner is trying to find information and put it all together.

Aubrey Byron
Yeah. So we've been talking kind of and using the term dark web pretty broadly. You mentioned Tor. Which darknets did you operate on, and do you have a favorite?

Sam Bent
Yeah, so Tor, I operated exclusively on Tor. I do like I2P, which is a separate anonymity network called an overlay network. The distinction to me: a darknet site is one that sells products or whatever that are illegal. There's an exchange of commerce there, whereas with deep websites, there's maybe no transactional information that's coming in. They're not there for financial gain, but for separate reasons. But it's just not categorized or crawled by Google. That's your deep web, and then your clearnet is Twitter and everything else that we know, LinkedIn, all that kind of stuff. So those are kind of the separations. And then once you get down to those darknet sites like we were talking about, you have different overlay networks, which are networks that go over your typical clear network that give you that extra reach out to be able to see these other kinds of sites that are out there. So, like, with a Tor site, you would need the Tor browser, or if you're more security conscious, Tails, which is what I would advise, which is a whole operating system that fundamentally runs on Tor when you start it up, and it's kind of pre-hardened and set up in a way that you have a lot more security as opposed to just running the Tor browser.

Sam Bent
But you're going to figure out what you're actually worried about by setting up a threat model and figuring out who your adversaries are, and then planning ahead based on that.

Jeff Phillips
In your DefCon talk, if we could kind of go back a little bit more into the OpSec threats in general, you mentioned one being linguistic analysis. Can you talk a little bit about how that works?

Sam Bent
Sure. So if I can identify, like, maybe I'm from a certain area. You know, Canadians, maybe, say "aboot," or, you know, I know people from the East Coast, specifically the Boston area, will drop their R's when they talk. But you have all these different dialects from all these different areas that can be used to drill down, in an anonymous environment, who you're actually talking to. And you saw that with the inception of, like, Anonymous on 4chan, when they would go back and forth. I might not know you, but you might always say the same kind of thing, or phrase a certain thing, or maybe you always spell "there" wrong. And over time, even though we have no user account, I can kind of figure out when it's you that I'm talking to. So on the darknet, you have that kind of thing. But on the darknet, what you're risking as a participant is the potential of decades in federal prison. So when law enforcement is looking at stuff like that, they're looking at those linguistic keys of how you type, how you talk, when you are online. All those things can kind of add up.

Sam Bent
And what's interesting enough is there are some tools, especially in, I think it's Whonix, that actually assist in nullifying those kinds of linguistic attacks, where they operate as counters to them. I couldn't break down the manual for those. But if you wanted to look at anti-linguistic-analysis tools, they have them built into Whonix, which is a distribution of Linux that's freely available and centered around anonymity, and not privacy. And those are two distinctions, too, because we might hop online and we want privacy. Like me, as someone who no longer does any criminal stuff, I would like to hop on and be able to go and check my email and do all that kind of stuff and not get targeted advertising. Right? So I get that by having good privacy practices and cyber hygiene. Anonymity, though, is the same but also different. Anonymity means that instead of just your traits being unknown, you're completely unknown. So you have a difference between those two things, too, the privacy and anonymity. And that's why I'm very specific when I say a lot of those systems, whether it's overlay networks or specific Linux distributions like Tails or Whonix, are primarily driven for anonymity, not privacy.

Aubrey Byron
That's a really important distinction that I don't hear a lot of people make. Actually, I agree, as a Midwesterner, the Ope is going to give me away every time, though. You mentioned the forum Dread, which is a darknet forum. Can you tell us a little bit about that and what you can find there?

Sam Bent
Yeah, sure. So Dread's been around for a long time. On Reddit there used to be a subreddit called Darknet Markets, and it was abbreviated DNM. I think, if memory serves, it's been like five years. But what happened was, kind of out of the blue, Reddit just shut it down. They shut down a bunch of other subreddits. These aren't small subreddits. These subreddits have hundreds of thousands of people, but they just cut them off at the knees. They disappeared. And what happened was there was a guy called Hugbunter, who's just kind of a random person on the darknet, who ended up creating this alternate version of Reddit on the darknet called Dread. And when you go on there, there are categories, just like in Reddit. You have categories, right? You have ChatGPT, all these different categories of different things. When you go on Dread on the darknet, it's the same thing, but they call them subdreadits, a little play on words. So you have these subdreadits. And it's a place where people go and they talk about darknet markets, they talk about OpSec, they talk about kind of all these things that we're discussing.

Sam Bent
But these are people who maybe have a Reddit account, but they don't want what they're discussing to be out there on Reddit, or they don't want their Reddit account to be banned, or they just want complete anonymity when discussing these things, you know, so they hop on this forum. Now there's another site on the darknet called Pitch. And Pitch is basically Twitter. And what happened was, Twitter had for the longest time, and Facebook has, a .onion, which is when you go on Tor and you go on a deep website or a darknet site, it ends in .onion, right? Not .com or .net, and it's a unique address that specifies that you're using Tor. And that's how you navigate different sites. And they all end the same, with dot onion. So for the longest time, and Facebook still does have one. So, like, you can access Facebook again if you want more privacy, because if you made your Facebook profile and you go and you access it, you're not going to have privacy, because it's your identity. Your information is already out there, right? You've already used your Gmail to create it. They know who you are, but it will give you a semblance of privacy, because they don't know where you're logging in from now, because you're using the Tor network.

Sam Bent
And Facebook has a legitimate onion mirror, whereas Twitter for the longest time did have one, and it lapsed and they didn't renew it. So what happened was, one thing you tend to see with the darknet is, if there's a problem, someone steps up in the world to take that problem on, and they usually don't make any money from it. It's a community thing, which is kind of one of the cool niche things about the darknet community. It's intrinsically kind of capitalistic, where if there's a hole that needs to be filled, they'll fill it. But the interesting thing is, it's not always done for money. So, like, with this new site, Pitch, it's basically Twitter on the darknet. And they've been like, hey, listen, Twitter didn't want to renew their dot onion, so we're going to go ahead and just create our own infrastructure. And they did. So you see really kind of crazy spin-offs like that. It's a very small site right now. It's relatively new, but it will be interesting to see how that progresses in terms of OSINT. Excuse me, because I think a lot of OSINT practitioners right now, they use Twitter, right? They use Twitter.

Sam Bent
With the conflict between Hamas and Israel, some of the first news to break was on Telegram and on Twitter. It wasn't on CNN. People want their information immediately, and they want it semi-unfiltered, with no spin put on it and not polished. I think you see this movement towards this because it's more holistic and in line with human beings as a whole. So it's really interesting seeing kind of the similarities on the darknet, but removing a lot of those fiscal motivations, because at the end of the day, it's going to take you a ton of time to manage a site like that. It's going to cost a lot of money. The server has to be hidden. There are a ton of costs associated with that. Not just time, but also financial. And then you have the intellect issues, where it's like, okay, how do you set up Twitter? Have you done it? I haven't. There's a whole host of issues that arise. It's an interesting challenge for the intellectually insane, I guess.

Jeff Phillips
I want to go back. You mentioned, we're hitting on OpSec, but also the capitalism side of things on the dark web. I take it you dealt with crypto, and now you've also got a passion on the OSINT side. So can you talk a little bit about your experience with crypto? Maybe leveraging it from an OSINT capacity, doing chain analysis, those types of things?

Sam Bent
Yeah. So the only thing I can really speak to is what I've done. And the one thing I didn't do, ever, was use a tumbling service. So basically a tumbling service is like if I went out and robbed a bank and I got a bunch of these notes from the bank, and if I gave them to a money launderer, maybe they get rid of them all and they give me back notes. But all the notes have different serial numbers now, so it's cleaner, but they take a good portion of that for that service. They're going to want money for doing that, and it can be anywhere from 1% to 25%. It varies, just like in capitalism, anything varies when you're dealing with that. First off, they're taking a huge piece. But remember, if we go back to what we were talking about with OpSec, with OpSec, we're controlling what information we put out there. If I say, hey, here's a service that does tumbling, can you tell me if what they're doing is legitimate? I couldn't. Right. Just like I hear people advocate for the use of a VPN with Tor, and I see the Tor developers saying not to do that. They also say to do it if you're well aware of everything that's involved.

Sam Bent
But that's a big amount of knowledge to fully understand. So for me, when you look at it from the standpoint of do you use a VPN, from that criminal point of view of I'm going to use the darknet for criminal activities, are you going to incorporate a VPN into that? For me, the answer was always no. Because no company is going to resist a subpoena that's been issued to protect your data, and you don't know what they're saving. People would be like, well, this company says they don't have any logs. I'm like, okay, cool. They don't log anything. How do they remember customer data? How do they know you're a premium member? What are you talking about? These are fundamental questions. In the server room in Venezuela, do you know what's in there? Do you know who controls it? Do you know if the guy in there has a gambling problem? There's a massive amount of risk that's involved with something like that. Whereas if I use an anonymity network or an overlay network like Tor, and I drive to the next town over and use someone else's WiFi, and the MAC address on my computer is spoofed.

Sam Bent
Your MAC address is like a hardware address inside of a computer, so I can spoof that. So now there are virtually no traces of who I am when I connect to anything, because I'm connecting on a totally different wireless network. My MAC address is that of a printer. And you're getting to a point where trying to figure out who I am is going to be ridiculously complex, or you're going to have to do a ridiculous amount of illegal stuff in order to actually do it. I think I got totally sidetracked from where your original question was.

Jeff Phillips
Well, I was just... no, that's great on the OpSec side, and then I just didn't know if you had any thoughts on the OSINT side. We know crypto is not completely anonymous, right? It can be looked into. It can be an information source, I suppose. I don't know how to do it and haven't done it, but I was kind of coming at that side.

Sam Bent
I got you now. Yeah. So instead of the tumbling service, what I would do is I would take my Bitcoin, because Bitcoin, whenever you get it, wherever you send it, it's all logged, right? It's all on the blockchain. Every transaction is saved. So even if it's like, well, right now I don't have to worry about that, because going through every single transaction, they can't possibly trace my transaction. That's like, okay, yeah, maybe not now, but if it's saved, do you think they can in 20 years? There's a reason Signal just upgraded their encryption going forward. That was my concern. It's like, maybe it's not available. You don't have the resources to comb through all of it right now, but will you in 20 years? And yeah, probably you will, because AI wasn't really around five years ago. It wasn't even a thought, really, unless you were a researcher. So for me, I would take my Bitcoin that I got from this market and I would trade it for XMR, or Monero, because it's a privacy-centered coin. I would exchange it for that. I would get that, and then I would exchange it back for Bitcoin.

Sam Bent
This way the chain of evidence would be severed. You're not figuring out the Monero that I got in exchange for that, and then you're not making that connection back. And that was essentially how I would launder my money, or alternatively, I would just buy narcotics to sell in real life, because that was another option. But you have those ways of preventing OSINT. Again, it all comes back to having good OpSec. It really is probably a horrible comparison, but I think there's a lot to be said for red teams, which do offensive security, they try to break into places, and blue teams, which defend against it. I think we see a lot of those same parallels inside of OpSec versus OSINT, because a lot of times those OSINT practitioners are the ones going out there trying to find that information that's out there that someone left. Whether it's a court system, it's an individual who made a profile, whether it's a guy who put up pictures and he didn't remove the metadata from his pictures. So now we've got tags. One of the crazy ones I've seen is, you know, a guy takes a picture of a drug like this and uses it as a picture on the darknet, and the FBI or the Feds can look and they can see his fingerprints from the, you know.

Sam Bent
I think a lot of OSINT practitioners already know about metadata. And if I take a picture, it can embed information about my camera, my location, stuff like that. A lot of social networks will scrub that stuff nowadays, and they'll clean it. But the other thing to remember is PDFs, right? There was a story. I watched a SANS talk. I want to say it was by Matt Emerson, who's a fantastic speaker for SANS when it comes to OSINT stuff. And he was talking about going in, and if it was him, he was talking about going in. And there was a PDF that Anonymous had published shortly after WikiLeaks cut off support... I'm sorry, PayPal cut off support for WikiLeaks. There was a threatening PDF that was sent that basically said that they were going to destroy them. And what they did was they looked at the... everyone always thinks about metadata for pictures, but it's in videos, it's in PDFs. And they looked at the EXIF data, not metadata, the EXIF data inside of it. And it had the name of the guy who owned the Adobe product that created the, you know. They went, they showed up at his... It's like, it's not, you know, just pictures.

Sam Bent
And you have it in videos and you have it in EXIF data. You have it embedded in all these different things. So there are a million of those little things. So when you're coming at it from the opposite end and you're looking at it from the OSINT spectrum, the nice thing is with OSINT, if you screw up and maybe you look at a certain file and you didn't catch the EXIF data, but you have 30 pictures, you can always check the next one, right? If you delete it. But on the other hand, if you're looking at it from the operational standpoint, like the operational security standpoint, you can't screw up multiple times. You only have to screw up once to screw up everything. Whereas with OSINT, you can miss a few things and you're still all right. But that's really the cool thing about OSINT: I could take someone who's never done it before and sit them down and be like, yeah, these are Google Dorks, or this is Maltego. Or, let's go to GitHub and just punch in OSINT and just grab stuff that shows up and play with it and see what it does.

Sam Bent
Someone can learn a lot just by doing that. And then if you incorporate that into... if they have an issue, say they have an issue installing one of these programs, they plug it into ChatGPT or whatever, and now they're getting debugging information on it. So they're learning about configuring things, they're learning about setting them up, in addition to being able to retrieve that information. So it's like a multilateral learning session. And that's really, I think, the beautiful thing about OSINT.

Aubrey Byron
So before we wrap up, I wanted to ask, you mentioned a few tools just now, but do you have any favorite tools you recommend for OSINT researchers, or just advice in general?

Sam Bent
So if I had to pick two, I would say SpiderFoot and Are. Those are probably my two favorites. And SpiderFoot's just so ridiculously big that you can do a lot of stuff with it. And a lot of the stuff, I think, that Maltego limits or makes you pay for, you can get away with in SpiderFoot. And the other cool thing that I like to do is, I used CaseFile for a while, which was kind of just to view what's made in Maltego. What I do is if I grab entity data, I hop on a site and I've got a bunch of info, maybe it's like your email address, your Facebook, all these different links. What I'll do is I'll put it into ChatGPT. I'll be like, take all this information and turn it into Maltego entities, and it'll turn it into textual entities, which will say... it'll be like Maltego URL, pound sign, then the information, and it will classify the URLs, the names, the email addresses into text. Then you can copy that text, go into Maltego, hit paste, and it adds all those entities in, if you don't have the ability to find them and have them integrated in.

Jeff Phillips
Well, awesome. Well, Sam, thank you so much for.

Sam Bent
Thank you for having me.

Jeff Phillips
This has been super interesting. And of course, thanks to our audience for listening. If you like what you heard, you can view transcripts and other episode information on our website authentic8.com/needlestack. That's authentic with the number eight, dot com, slash needlestack. Be sure to let us know your thoughts on X, formerly known as Twitter. We're @needlestackpod. And be sure to like and subscribe wherever you're listening today. We'll see you next time with another guest and more on professional online research. Thank you.
