Operational Security for People Who Really Care About Security

“the surveillance capability of the adversary […] exceeds the evasion capability of the existing public tools.” [1]

Who’s the adversary?

“If you have been around the underground long enough, you know how many different people and groups have compromised Tier 1 ISPs.”

That sentence right there ought to change a few threat models. Tier 1 ISPs are the “big ones”: the backbone networks that reach every other network by peering rather than by buying transit, so a large share of the Internet’s traffic passes through them.

The media’s favorite light-refracting corps are not your only adversary these days. Everyone from the organized crooks of your choice to some really clever kid in Chișinău might be able to mount a “mostly global observer” attack on your traffic.

Also, this quote: “To do things properly, operate in this order. Figure out what you are trying to protect (and from whom), separate it from everything else, and then select tools, techniques and procedures that will enable you to protect it.”

Worth adding: you should “minimize the information content” of your design; in other words, simplify the hell out of it.

(There is probably some overlap with information theory here. As a rule of thumb: the more information a design carries, the more of it falls into realms you do not fully understand and cannot verify, and therefore the less secure it is.)

You should also keep the different parts of the design as independent as possible: one solution per problem, and solutions should not interact, so that a failure in one cannot be turned against another.

[1] http://grugq.github.io/blog/2013/06/10/good-luck-with-that/
See also: http://www.reddit.com/r/privacy/comments/1gdnto/why_tor_and_encryption_are_not_enough_real/ and http://grugq.github.io/blog/2013/06/14/you-cant-get-there-from-here/

“Now, as I advocate elsewhere, it is best to start your counterintelligence program early, because after you are targeted it is (usually) too late.

My central recommendation on how to operate safely, whether you are a hacker, a spy, a whistleblower, or whatever, is to implement compartmentation first. Classify the data which is sensitive (e.g. your real identity and anything linked to your real identity) and segregate it from everything related to your illicit activity. Preferably, by physically separating onto different machines. When conducting the illicit activity, use your illicit activity equipment, and do it over an internet link that cannot be linked to you. By all means, use Tor, or I2P, or a VPN, or whatever. But that technology must not be your primary and only line of defence.

This is how you do good CI. Develop a SOP that will protect your sensitive data even when things fail. That said, most of what will sink people is poor OPSEC, not poor SIGSEC. The more people that know about your illicit activity the higher the chance that Murphy will raise his head and it’ll all end in tears.

So, to reiterate, choosing a technology first and then relying on it for security is completely ass backwards. To do things properly, operate in this order. Figure out what you are trying to protect (and from whom), separate it from everything else, and then select tools, techniques and procedures that will enable you to protect it.” (Counterintelligence Cliff Notes)
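One concrete way to turn “separate it from everything else” and “a SOP that will protect your sensitive data even when things fail” into something a machine enforces is a fail-closed pre-flight check. The script below is my own illustration, not the grugq’s code and not anything from the linked posts. It assumes a particular set-up that is mine, not the quote’s: the compartmented box is only ever supposed to reach the Internet through one gateway on one dedicated interface (say, a Tor or VPN box on its own link), and the networks of your real-identity life are known and must never appear in its routing table. Before any tooling runs, the check reads routing state in the shape of `ip route show` output and refuses to continue if the default route has wandered off to, say, the home Wi-Fi after the tunnel dropped. The sample routing tables are constructed for the example.

```python
"""Fail-closed compartment guard (added illustration, not from the original post).

Assumed set-up (an assumption of this example, not a claim from the page):
the compartmented machine reaches the Internet only via one gateway on one
interface, and the "real identity" networks are known in advance.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Expected:
    gateway: str                  # the only permitted next hop for the default route
    interface: str                # the only interface permitted to carry a default route
    forbidden_nets: tuple[str, ...]  # networks belonging to the real-identity compartment


def parse_routes(ip_route_output: str) -> list[dict]:
    """Parse lines shaped like `ip route show` output into {dst, via, dev} dicts."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        toks = line.split()
        if not toks:
            continue
        route = {"dst": toks[0]}
        for i, tok in enumerate(toks):
            if tok == "via":
                route["via"] = toks[i + 1]
            elif tok == "dev":
                route["dev"] = toks[i + 1]
        routes.append(route)
    return routes


def check_compartment(ip_route_output: str, exp: Expected) -> list[str]:
    """Return a list of violations. An empty list is the only 'go' signal."""
    routes = parse_routes(ip_route_output)
    violations = []

    # Fail closed: no default route is treated as a failure, not as "offline, so safe".
    defaults = [r for r in routes if r["dst"] == "default"]
    if not defaults:
        violations.append("no default route present; refusing rather than guessing")

    # Every default route must go exactly where the SOP says it goes.
    for r in defaults:
        if r.get("via") != exp.gateway or r.get("dev") != exp.interface:
            violations.append(
                f"default route via {r.get('via')} dev {r.get('dev')} "
                f"is not {exp.gateway} dev {exp.interface}"
            )

    # Any reachable real-identity network means the compartments have touched.
    for r in routes:
        if r["dst"] == "default":
            continue
        dst = ipaddress.ip_network(r["dst"], strict=False)
        for net in exp.forbidden_nets:
            if dst.overlaps(ipaddress.ip_network(net, strict=False)):
                violations.append(f"route to real-identity network {net} present ({r['dst']} dev {r.get('dev')})")
    return violations


# Constructed sample data (assumed addresses, not real infrastructure).
EXPECTED = Expected(gateway="10.200.0.1", interface="eth0", forbidden_nets=("192.168.1.0/24",))

GOOD_ROUTES = """\
default via 10.200.0.1 dev eth0 proto static
10.200.0.0/24 dev eth0 proto kernel scope link src 10.200.0.7
"""

# Tunnel dropped, box fell back to the home Wi-Fi: exactly the failure the SOP must catch.
BAD_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.200.0.0/24 dev eth0 proto kernel scope link src 10.200.0.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""


def preflight(ip_route_output: str, exp: Expected = EXPECTED) -> bool:
    """True only when the routing state matches the compartment; otherwise report and stop."""
    problems = check_compartment(ip_route_output, exp)
    for p in problems:
        print("ABORT:", p)
    return not problems


if __name__ == "__main__":
    print("good table ok:", preflight(GOOD_ROUTES))
    print("bad table ok:", preflight(BAD_ROUTES))
```

On a live box you would feed it the real `ip route show` output and wire the check into whatever launches your tooling, so the tools simply do not start when the check fails. The point is the ordering from the quote: the gateway box is a tool, the guard is procedure, and the procedure is what saves you when the tool quietly stops working.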
