With all the misinformation, rumors, and flat-out lies that pass around the internet with regard to the deep web and dark web, it’s refreshing to talk to someone who actually knows their stuff.
I had such an opportunity recently; I interviewed Deku_shrub, author of the blog Pirate dot London. In his words, it’s “a blog about the dark web & cybercrime, transhumanism and other geekery.”
Some of you may also know him as one of the moderators of the subreddit r/deepweb, which is dedicated to sharing factual (as opposed to mythological) information about the deep web, and all that that entails.
So, for some further education about these subjects, read on!
What is your background with regard to Tor, darknet markets, etc.? How did you first get introduced to the dark web?
I’ve had a light understanding of underground websites for many years, mostly through mapping out the increasingly resilient torrent sites from about 2004 onwards. However, sometime in 2012 I checked out Tor in the early days and took a look around.
Websites giving away and trading hacked data were not entirely new to me, but I was surprised to see it happening so openly. It was Silk Road and the large amount of drug listings that surprised me however, having never seen that before online. I have since found out that drugs have been sold more privately on the Internet since the 70’s, and markets such as the Farmer’s Market even pre-date Silk Road.
Like most people I was frustrated that there were no useful guides or reliable information about the nature of these sites, so it was a couple of years before I got into more structured research in this area.
You wrote that you’re a “systems admin.” What kind of tasks do you do in that position? Are you also skilled in IT security?
I keep my work life separate from my online persona for obvious reasons, but yes, as a sysadmin I have to defend companies against a huge range of web and corporate IT threats. To understand how to defend oneself, you might first develop realistic threat models and either put in the necessary technical protections, or get higher-ups to accept the risks of not doing so.
Understanding newer threats like ransomware, the plummeting prices of launching a DDOS, password reuse and leaks, how common automated attacks and worms work is essential towards being a good sysadmin. However when you know so many vulnerabilities as I do, you realise ultimately everything is an exercise in risk management. Telling software companies that their products are still insecure and watching them try and get out of deploying fixes is a perk to having a security specialism.
Many darknet markets, vendor shops, and other sites have turned out to be scams or honeypots. Can you explain how someone might be able to tell the difference between a scam and a legitimate site on Tor, etc.?
The term ‘legitimate’ can be confusing when discussing illegal websites. So I tend to prefer ‘scam vs non-scam’. The darknet markets ecosystem is relatively robustly structured; one needs only refer to the two sources of truth for market listings: DeepDotWeb and the /r/darknetmarkets superlist. This hierarchy of index legitimacy is poorly known and consequently opportunistic guides are always springing up on blogs, wikis, or even forum recommendations. Identifying the legitimacy of specific vendors on an individual marketplace is highly comparable to buying from someone on eBay. You understand their feedback history, product and various other markers of being established.
The broader fraud site ecosystem is not as comprehensively documented, despite a few of my additions to Wikipedia, and for various different reasons is much more fractured and complex to identify legitimacy. What’s worth considering is the average intelligence of an entry-level scammer is not very high, and hence there is a commercial market for fraud guides, and a significant market for scamming the scammers.
It’s important to realise there are very few legal commercial activities on Tor and I obviously draw the line at producing guides on how to be an online criminal.
Many of the so-called “hitman services” on Tor have turned out to be scams. Do you believe that all “hitman sites” on Tor are scams, or are there ever “legit” ones?
I don’t want to get into too much detail here, but yes, I fully believe that there has never been a real such site based on my first hand investigations. I would prefer to avoid comment on this matter entirely please.
What are some outlandish things that people think they can buy on the dark web?
Anything! Everything! People are convinced the dark web ‘is 98% of the internet’ due to YouTubers and bloggers who continue to conflate the idea with Deep Web search and people’s imaginations go wild. I’ve assembled a fairly complete list…but I have a soft spot for people trying to peddle Human Hunting, and fixed sports matches. I often get frustrated that in this day and age of so much information at our fingertips, that lies and half-truths are so much more effective at spreading than the actual facts.
Most experts say that red rooms cannot exist on the dark web, even though many still believe in their existence. Can you explain why a red room can’t technically exist on networks like Tor, I2P, and Freenet?
A few reasons. Firstly (and people hate me for saying this), snuff films do not exist. They have never existed. There was a million dollar prize for evidence of such things being found and it was never claimed over 20 years. This doesn’t stop a huge section of society (maybe 25%?) thinking otherwise. This is comparable to the large scale belief in the moon landings being a hoax. I’ve researched the history of media in this area, which was interesting. It’s a wonderful expression of contemporary techno-paranoia.
Technically speaking is a lot simpler; multicast streaming over Tor performs terribly. Whilst 1:1 streaming has happened over Tor, the performance degrades to the point of unusability.
Show me a reliable multicast streaming onion site and I’ll revise this part of my belief.
On your blog, you’ve described yourself as a transhumanist. Can you go into a little more detail about what this means?
This would be an entirely separate interview to talk about my other research [specialty]. I recommend anyone interested in the future of humanity to check out my H+Pedia Project, where I have assembled the largest collection of information about transhumanism ever.
On Reddit, you commented that certain people on YouTube promote bogus “security” advice when it comes to the dark web (like using Tails OS to protect your identity).
I do not believe privacy is something you can install on a computer. You have to pick a personal boundary of your internet self and work out what goes on the outside, middle and inside.
Creating a proper threat model is essential too; many people don’t understand [that this won’t be enough] if they’re trying to hide from the NSA or from a hacker on the same Wi-Fi network as them. Some people understand the benefits of Tor meta data obscuration but then download .exe files over HTTP, which can be tampered with from rogue exit nodes.
Whilst increasing the total amount of relatively benign Tor users is beneficial for the network as a whole, failing to communicate the ‘why’ is a massive missed opportunity in my opinion. Also, very few people have a comprehensive understanding of personal online security (OPSEC); there is often a ‘cargo cult’ approach to technical configurations.
That being said, do you have some solid advice about protecting one’s identity on the dark web?
Use a unique handle and unique password if you need a login at all. Beyond that, it depends on what you’re trying to do. I could give advice for buying and selling contraband, but obviously I avoid making such comments. You must first understand what your online identity is comprised of and how much it needs segmenting for your requirements. So [few] people even realise that [they] have an online identity, let alone how to manage it.
I plan to produce some more materials in curating and protecting one’s online identity in the future – this is an important area poorly served right now.
You’re a member of the UK Pirate Party. Can you explain a little more about what the party stands for, and why you decided to join it?
I’ve downloaded files from the internet for many years ever since I realised I preferred media-on-demand over television. The Pirate Party formed in reaction to ongoing attempts by the Us to internationalise their copyright regime as well as their network governance laws epitomised by the 2006 raid on the Pirate Bay.
The issue of copyright as a tool of mass surveillance and censorship was around for years before we had the Snowden leaks. For someone like me, I was already familiar with relevant government capabilities because they are predicated not upon a coherent legal framework, but rather the numerous underlying insecurities of various internet technologies.
The Pirate Party has experienced [the] most successes in Sweden, Germany, and recently Iceland, putting digital rights at the front of a centre-left and anti-establishment position. However, it’s my recent opinion that copyright is no longer a rallying cry of the younger generation against the old, largely due to the more recent success of streaming platforms like Netflix. It remains to be seen where the Pirate Party brand [will] evolve to in response.
What are some “good” (or rather, legal) things that a person can find on the dark web? (Not involving child abuse, narcotics, stolen goods, etc.)
I have never found anything much of interest which was not primarily criminal or socially undesirable in nature. I’ve [become] aware of a number of news organisations [that] run drop sites, but these are of limited utility. Short lived attempts to sell adorable cookies, and dark web Cat Facts are some of the few that spring to mind. You can see pictures from the Virginia Tech steam tunnels and some puzzle sites, which are massively over hyped in my opinion. Intel Exchange and Hidden Answers may amuse conspiracy theory aficionados.
Remember – if it’s legal, it will be copied off the dark web very quickly, where it can be more openly discussed.
Do you think that using PGP for message encryption is still a useful tool, or is it outdated?
PGP has been described as a Swiss Army knife of encryption – when most people just need a knife and fork. The most common use-case of protecting emails requires you to use a desktop mail client like Thunderbird, which continues to be unpopular.
Protecting personal information such as your address when transacting on a darknet market is a very good time to use PGP. Also, if you want to communicate with persons of dubious legality, PGP is a must. However, PGP is typically unsuitable for most people’s daily use.
The mobile messaging app Signal is far more usable for end to end encryption and I highly recommend its use.
I eagerly await developments in web browser standards to allow more web applications to securely utilise a private key and to make the PGP user experience more seamless and invisible.
If you believe that your identity, data, etc. have been compromised on the dark web, are there still some steps you can take to protect yourself? Or are you, for lack of a better word, fucked?
It depends on your threat model. If a known adversary has your information, you can profile their capabilities and take action accordingly. If your personal information has been leaked as a part of a data breach however, the threat is harder to assess.
Management of financial information, limiting exposure of personal information and use of unique email addresses…are also things we can do to reduce the impact of data breaches.
However, I remain convinced that information practices by banks and similar financial institutions can be blamed for 90% of data breaches.
If you were (in theory) to start your own darknet market, what would you do to prevent it from being shut down?
On the technical side, I would refer to ‘So, you want to be a darknet drug lord…’! On the management side, I would perform heavier regulation of more dangerous drugs and not sell stolen data, fraud services or any other products that could cause bad PR.
What do you think the future holds for the dark web? For example, do you think new networks will replace Tor?
It’s possible various Tor forks in development right now could become dominant in the future. It’s possible multi-network browsing over a single network will win out in the future, but it’s too early to be sure.
I think we will continue to see the spread of untruths about the dark web from law enforcement organisations (who say they’re watching everything), from the Tor project (who play down the cybercrime element massively) and from the masses, who get their information from unreliable sources such as YouTube.
I would hope future conversations will get to the guts of cybercrime issues, such as the war on drugs, the financial reasons behind data breaches and [the] rise of censorship and mass surveillance, which is driving some of the criminals into the deepest pockets of the darknet.
What can I, as a writer, do to help dispel myths about the dark web?
Be specific. The dark web (less so than the ‘deep web’) still has overtones of mystery and danger when that’s hardly the case.
Rather than talking about darknet markets, talk about the online drug trade.
Rather than creepy sites, talk about puzzle sites and troll sites, referencing what we already do and do not know.
Rather than talking about the horrors of porn sites, talk about the legal precedents set by law enforcement malware.
Rather than talking about small to unknown numbers of terrorist sites, talk about how this is negligible compared to the impact of social media.
Talk about the Tor network’s legal uses in the first world as well as the developing world, and how reclaiming privacy practically protects you from being profiled by not only governments, but advertisers too.
There is a massive market for bullshit, and bullshit merchants are more than happy to provide. By showing quality, properly cited research, you don’t request your audience’s trust, simply their attention.
Finally, try not to pass judgment. People on the dark web are eager for narratives other than those provided by law enforcement. Consider the morality rather than the legality of what’s out there. If you don’t know the answer, first hand investigations are likely to be both exclusive and memorable.
If you’re interested in speaking with Deku_shrub, visit his contact page on pirate.london.