OPSEC In the Post Snowden World
Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
I would take this definition further to include the tactics and methods of protecting your information from being compromised by the adversary, and not only by technical means but by social and other means as well (i.e. giving that information to the wrong people by being too trusting or careless with it). Given the focus I have seen online and in the media on “secure communications” through technologies that may or may not be worth trusting, I just can’t help but feel that the majority of people out there today concerned about their privacy or the security of their communications will utterly fail in the end because they lack OPSEC awareness to start with. Here are some key concepts for you all to consider as you download your fresh install of TAILS with a vulnerable i2p instance and begin to wonder about the security of the product.. I will give you a hint… Unless you consider all of these things you will fail at your security machinations.
Technology and OPSEC:
So you have a laptop you bought new from your vendor and you have downloaded TAILS, so you are good to go, right?
Consider these things before you begin your super sekret affair online…
- Can you trust that laptop doesn’t have some extra chips or other hardware installed? Have you taken it apart to see?
- Are you even capable of looking at the mainboard and determining what if anything does or does not belong there?
- Do you in fact own the pipe, the DNS, the router, or anything from the cable modem on your desk provided to you by the cable company? If not, then how do you know that the network is not already compromised?
- The same goes for the hardware router provided to you, as well as the COTS Linksys router you bought.
- Can you trust the supply chain of the TAILS instance you downloaded to start with?
- Can you sift through the code of that TAILS instance yourself to check if there is rogue code that allows for compromise and surveillance?
- Can you truly say you are a master of your GPG/PGP public and private keys and processes to encrypt and send email to one another?
- Can you say that you securely transmitted your keys to the other party in the first place? Or that your private key is not already compromised by an endpoint CNE (computer network exploitation) attack?
All of these things are compromisable and no one is a master of all things. Unless you build your own laptop from the ground up with hardware you checked at every step AND you never let it out of your sight, you cannot say that the supply chain has not been tampered with. Thus your security measures are potentially void.
The same can be said about the operating system on the laptop. Did you code it? Have you vetted it yourself? Sure, it is open source, but really, unless you do this yourself how can you be sure? You can’t, so you have to have a measure of trust that it’s safe. But hey, now we are talking about nation state efforts to listen in and watch everything you do online, so really it’s game over, right?
There is no sure thing here, so you have to take the stance from the start that you are likely already compromised. You can now either attempt to game the system and have some modicum of security by using OPSEC and technical means, or you can just say fuck it and not care. If you are in the former category then you can move on in this post and perhaps consider some other things you need to do to protect your secrets. If not, you can stop here and go back to your blue pill existence.
Nation State Surveillance and YOU:
So you have decided to read on.. Good, good…
OPSEC is more than just technical means. As you can see from the above, nothing technical can really, truly be trusted, just as no one really can be trusted in reality. I am willing to bet many of the LulzSec gang trusted Sabu, didn’t they? After all, they made some stellar OPSEC failures in trusting him that ended up with them in prison, right? They had technology fails too; Sabu was pinched when he logged into an IRC server without a proxy from his own IP, so there ya go. It was partly technical failure and partly human failure. Had there been a bulletproof technology to obfuscate himself, Sabu would not be in the witness protection plan now and the kidz would not be in the pokey, right?
So let’s consider some other things outside of the technical 0day and hackery bullshit.
POSIT: The technology is already owned and there is nothing you can do about it.
CONSEQUENCE: All of your communications, even those encrypted by these means, are compromised.
RESULT: Nothing you do or say should be trusted to be secure.
So what do you do then? Do you just give up? Or do you try other means in a layered approach to protect your security? Let me give you a hint: it’s the latter. However, you have to be diligent and you have to follow some ground rules. Given that the documents from the Snowden trove show that if you just use crypto for your communications, no matter how banal, you are now a target of interest and collection, you have to consider using the Moscow Rules as a daily routine.
Now, does this mean you are really an enemy of the state and in grave danger? No. However, the precedent has been set that we are all under scrutiny, at the whim of whatever algorithm flags our traffic on the wire as well as any analyst who might take an interest in us. What’s worse is that many times one might find oneself under suspicion for who one talks to or what one says online in today’s world, and this is where we all should be very afraid. The Fourth Amendment is in tatters, kids, and what the state considers to be papers or personal items does not presently include your phone or your computer files, according to many in power.
It’s Moscow Rules:
- Assume nothing.
- Murphy is right.
- Never go against your gut; it is your operational antenna.
- Don’t look back; you are never completely alone.
- Everyone is potentially under opposition control.
- Go with the flow, blend in.
- Vary your pattern and stay within your cover.
- Any operation can be aborted. If it feels wrong, it is wrong.
- Maintain a natural pace.
- Lull them into a sense of complacency.
- Build in opportunity, but use it sparingly.
- Float like a butterfly, sting like a bee.
- Don’t harass the opposition.
- There is no limit to a human being’s ability to rationalize the truth.
- Pick the time and place for action.
- Keep your options open.
- Once is an accident. Twice is coincidence. Three times is an enemy action.
- Don’t attract attention, even by being too careful.
So there you have them. This is most likely a fictional list that was used in some book or other, but the CIA and the Spy Museum seem to have grabbed these as useful. They obviously come out of the old days of spying in Moscow, a place that coincidentally had so much surveillance on its native populace that I have begun to feel a strange sense of deja vu lately about our own affairs of state. Of course we don’t have the omnipresent fear of being disappeared.. Oh.. Wait.. Never mind…
Ok, so we don’t really get disappeared so often, but we can be taken into custody, our things searched, and our lives ruined by the government, all on alleged information that you cannot see because it’s been marked “Secret” with a handy NSL (National Security Letter) attached. I guess maybe that is a kind of disappearing, huh? Not exactly the Gulag Archipelago but close enough to ruin you. I know some of you out there probably just thought I put on my tinfoil hat there, but I have personally seen this shit in action and it ain’t pretty.
Anyway, back to the purpose here: OPSEC is what you need to practice and you have to make it second nature if you want to keep your secrets secret. Unfortunately, if you are in the sights of the nation state then you are pretty much fucked. However, you CAN make it more difficult as long as you are diligent and smart about it. So here’s the short and sweet of OPSEC for you:
- Trust cannot be implicit in technology or people
- Study up on disinformation and other obfuscation techniques and use them as a kind of chaff to protect your real comms
- Understand the adversary, their motives, their techniques, and their weaknesses
- If you use a technology, be sure that you are its master
- Secrets are secret (First rule of Fight Club) keep them that way
- COMPARTMENTALIZE EVERYTHING!
- Layer your encryption techniques and if possible use an OTP (one-time pad)
- Go read up on TSCM (technical surveillance countermeasures)
- Go read up on Counter-Surveillance techniques
- If they can’t get at you technically they will send in assets to get close to you
- If they can’t get assets close to you they will use your friends
- If they can’t get your friends, assets, technical measures to work they will go after you in other ways (think legal issues)
I bet some of you are thinking I am a real paranoid freak right now. Well, welcome to the new age of the surveillance state kids. Get used to it. YOU wanted to play this game and now you are. Welcome to the big leagues.