Sponsored Content

Confusing Privacy with Security: The Fatal Mistake

By Pieter Danhieux
September 16, 2019

ContentProvidedByBrivo

On a recent long-haul flight, I took the opportunity to devour, quite frankly, an insane volume of podcast episodes. Keeping up-to-date with so many different series means I am never short of something to listen to, with compelling -- albeit one-sided -- conversation just a touch of my phone screen away.

Eventually, I got to an episode of the true crime podcast, Casefile. This dramatic, no-holds-barred series (complete with an ominously-voiced and nameless host) delved into a topic that fascinates even the most knowledgeable and savvy technologists: the deep web, and the cataclysmic ascension of contraband trade website, Silk Road. The episode is split into two parts. Those familiar with the rise and fall of Silk Road will undoubtedly have followed news on the case, but the podcast divulges every little detail in a delicious, edge-of-seat narrative.

The Silk Road: Lessons From The Deep Web Dungeon

If you’re not intimate with the ins-and-outs of Silk Road, the TL;DR summary is that a man built a trade website on the deep web, hidden from the prying eyes of the general public and unviewable without the use of special software - the Tor browser, to be exact. The site initially only offered his homegrown magic mushrooms, but, virtually overnight, exploded with vendors offering everything from hardcore drugs to illegal weapons and stolen credit card details. You can get up to speed here. The creator and site admin went by the Princess Bride-inspired pseudonym, Dread Pirate Roberts. He was everyone, he was no-one. All users traded a veritable bounty of illegal goods, and they did it completely anonymously (and in the process, got Bitcoin a reputation as the drug dealer currency of choice; a moniker it is only just beginning to shake).

However, Dread Pirate Roberts’ anti-establishment experiment was a beast unto its own. Soon, hitmen were advertising their services. Bad people were doing bad things… and he was intoxicated by his newfound unfathomable wealth. He even tried to utilize the services of an advertised hitman to dispose of a former employee. Long story short, this was one of many knuckle-headed decisions that brought about his undoing. He has been unmasked as Ross Ulbricht and he is currently rotting in a US jail cell, serving a double life sentence plus forty years without the possibility of parole.

But, how was he caught if everything was completely private and anonymous?

Well, to put it bluntly: he was a pretty crappy coder. The Silk Road site itself was like a leaky old barge marooned in the ocean. Considering it was a hub of illegal activity (and all the data behind that activity) it was not secure at all; it was a sitting duck just waiting to be exploited by an opportunistic hacker. To be fair, when you’re the mastermind of a huge, illegal drug trafficking business, it’s probably not easy to find competent employees who would like to get involved with your operation. He made no secret of his skill-gap, either - he even posted under his real name on Stack Overflow (yep, that’s his user account), asking for help to properly configure his site code to connect with Tor using Curl in PHP. He changed his real name to the handle “frosty” less than a minute after posting, but this clearly didn’t help… in fact, it probably did further damage: the encryption key on the Silk Road server ended with the substring “frosty@frosty”, thus implicating him further once the FBI caught wind of his scent.

Despite such a huge push for privacy, with encrypted messaging, currency and explicit instructions on securing the contraband itself in transit and delivery, the site was not the impenetrable fortress of libertarian fantasia that Ulbricht may have envisioned. Those with the skills (read: programmers employed by the FBI) slowly, but surely, unraveled it to reveal everything… including the identities of thousands of people who transacted on the site. It’s possible that those who purchased naughty goods many years ago are still going to get a knock on the door from the long arm of the law at some point, like this guy in Germany. Yikes.

The FBI released documentation outlining how they were able to penetrate Silk Road, with the general explanation being that of utilizing an IP address leak. A misconfiguration of the Silk Road login page revealed the IP address and thus the physical location of its servers, without any underhanded hacking required. A rookie error, to be sure, and one which eventually led the FBI straight to Ross Ulbricht.

There is speculation that this flaw - if it did exist - would have been spotted long before this moment in time, by one of the many security professionals monitoring the site. Nik Cubrilovic, an Australian security consultant, claimed in an interview with WIRED that it simply wasn’t there:

"There’s no way you can be connected to a Tor site and see the address of a server that’s not a Tor node. The way they’re trying to make a jury or a judge believe it happened just doesn’t make sense technically."

Cubrilovic then goes on to suggest that the information may have been obtained by illegal hacking practices. That practice seems to be SQL injection, an unproven rumor that has been discussed as a plausible method of extraction on many sites since.

The legalities surrounding the tactics of the FBI are an entirely separate discussion. The fact the information could be obtained at all is indicative of Silk Road’s poor security practices, despite the general user understanding of the site being “private”. When privacy is confused with security, the possibility of exposure to vulnerabilities is most certainly increased.

There is also the possibility that the site would still be running (in its original form, anyway; it has been resurrected several times, and there are even larger sites just like it operating right now) if Ross Ulbricht had made the distinction between privacy and security, actively working to ensure both before it grew into a giant heat lamp, attracting every unsavory crook with slightly above-average tech knowledge on the planet. Instead, the private club and all its secrets were revealed the moment someone found a way to open the door.

You’re not a drug lord, so why should you care?

The loss of Silk Road and imprisonment of its founder is not a sad, sympathetic tale, but it is a fascinating case study into the nuanced differences between privacy and true, robust site security. There are many legitimate operations that require transactions and information to be private - think digitized medical records, or even the millions of credit card numbers held by a large bank - but if they are not also secured with iron-clad software development, that information could be cherry-picked by an attacker (and, ironically, end up on a site like Silk Road). Privacy does not exist without security.

The good guys, like you, could have software that is vulnerable to SQL injection attacks and other vulnerabilities from the OWASP Top 10, so it is vital that these are prepared for and mitigated efficiently. If developers are trained to code securely from the very start of the process, these flaws won’t see the light of day. It is imperative that organizations operate with a security mindset and empower their dev teams to code securely.

Pieter Danhieux is the CEO & Co-founder of Secure Code Warrior

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and do not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

Copyright ©2025. All Rights Reserved BNP Media.
