Best Infosec-Related Long Reads of the Week, 11/5/22

'Michael Jordan of the dark web' made a serious security mistake that led to his downfall, Psychedelic decriminalization poses serious privacy risks in CO, Election deniers reign supreme in PA


Metacurity is pleased to offer our free and paid subscribers this weekly digest of long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Tell us what you think, and feel free to share your favorite long-reads via Twitter @Metacurity. We’ll gladly credit you with a hat tip. Happy reading!

The Hunt for the Dark Web’s Biggest Kingpin, Part 2: Pimp_alex_91

Wired’s Andy Greenberg offers this new excerpt from his upcoming book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, that delves into how “the Michael Jordan of the dark web” made a critical security error that led detectives to Alexandre Cazes, mastermind of the dark web marketplace AlphaBay.

IN LATE NOVEMBER 2016, just before Thanksgiving, [federal prosecutor] Grant Rabenn was wrapping up his caseload in his office and preparing for the holiday when he got a call from Miller. “Hey, Grant,” Miller said. “I think I’ve got something big that we should talk about.”

They met at the Starbucks a block from Fresno's courthouse. Miller explained what his tipster had told him: In AlphaBay's earliest days online, long before it gained its hundreds of thousands of users or came under the microscope of law enforcement, the market's creator had made a critical, almost laughable security mistake. Everyone who registered on the site's forums at the time had received a welcome email, sent via the site's Tor-protected server. But due to a misconfiguration in the server's setup, the message's metadata plainly revealed the email address of the person who sent it—Pimp_alex_91@hotmail.com—along with the IP address of the server, which placed it in the Netherlands.

The error had quickly been fixed, but only after the tipster had registered and received the welcome email. The source had kept it archived for two years as AlphaBay grew into the biggest dark-web market in history.

Seeking Psychedelics? Check the Data Privacy Clause

Doctor, law professor, and psychedelic policy expert Mason Marks warns in Wired about how Colorado’s Proposition 122, or the Natural Medicine Health Act, which will decriminalize psychedelics and allow psilocybin to be produced in Colorado and administered under supervision at licensed “healing centers,” could become a privacy nightmare for patients who undergo psychedelic therapy.

A state-run database of psychedelic client information could easily be accessed by federal agencies such as the Drug Enforcement Administration (DEA) due to a case earlier this year, in which the federal First Circuit Court of Appeals held that the DEA could search a state prescription database without a warrant. The DEA and other agencies likely have more leeway regarding psychedelics because, unlike prescription medications, psychedelics will remain federally illegal if Proposition 122 passes.

“I think it’s really concerning,” said Holly Fernandez Lynch, assistant professor of medical ethics and health policy at the University of Pennsylvania. “I mean, why would you give your information about taking a federally prohibited substance to the government?” she asked.

Psilocybin providers at Colorado healing centers might also face legal and privacy risks. According to Spector-Bagdady and Fernandez Lynch, when researchers contribute to federally funded research, they obtain certificates of confidentiality that protect data they collect from being used as evidence in legal proceedings. However, practitioners in Colorado will likely be ineligible. After they collect client data and share it with DORA, they could be compelled to disclose it in court.

How Election Subversion Went Mainstream in Pennsylvania

On the eve of the all-important midterm elections, the New Yorker’s Eliza Griswold offers this cautionary tale of how Doug Mastriano, the Republican candidate for governor and a onetime insurrectionist, has so effectively promoted the false belief that the 2020 election was stolen that it threatens the integrity of the 2024 presidential election.

Mastriano has pledged to radically transform voting in the state. Last May, Faddis invited sixty-nine right-wing groups—including We the People, Ballot Security Now, and Unite PA—to the rotunda of the state capitol, in Harrisburg, to sign an “Election Integrity Declaration.” The oath, which begins with the words “We the People,” calls for the abolition of most voting that is not done in-person “with photo identification, proof of U.S. citizenship, state residency and hard copy paper ballots.” These measures could restrict voting among poor people, people of color, and other likely Democrats; they would also force poll workers to count ballots by hand, a process that could make tampering easier. And even the notion of widespread fraud lays the groundwork for future denials of election results. Toni Shuppe, Mastriano’s presumptive nominee for Pennsylvania’s secretary of state, who will certify elections if Mastriano wins, led a prayer at the U.S. Capitol during the insurrection. In Harrisburg, she sanctified the voting declaration by praying for a “spirit of unity” in the burgeoning movement.

Image by Катерина Кучеренко from Pixabay