Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Panopticon’ Category

Leaderless Jihad and Open Source Jihad: A Marriage Made In Hell.

leave a comment »

7631834-3x2-700x467

In 2013 I wrote about leaderless jihad and the “Stand Alone Complex” Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last nights attack using a lorrie was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really to gather some weapons, steal a truck, and then plow it into a crowd but it has taken this long for the insidious idea to take root in the collective unconscious of the would be jihadi’s. The days of a more rigid and trained “jihad” are being eclipsed by would be unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.

Screenshot from 2016-07-15 07:00:082014 Inspire

 

Screenshot from 2016-07-15 07:04:082010 Inspire 2 “Ultimate Mowing Machine”

 

Soft targets were always the preferred avenue of attack but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dahka on the face of it had a contingent of more trained individuals the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track and certainly if they self radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.

Screenshot from 2016-07-15 09:26:04

So here we have it, I have been pointing this out for a while and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are selfradicalizing with the help of the media’s obsession on covering ad nauseum these acts. The pervasive hand wringing and talking heads only serve to whet the appetite of the would be jihobbyist into action. Forget the Inspire magazines and the videos, just watch CNN and that is enough it seems. This all is very much like the plot line to “The Laughing Man” arc of Ghost In The Shell. An act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l) as well as serve as a means to self fulfil the actors need for attention and satisfaction.

laughing-man

This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize it’s happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like minded.. Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as a second generation citizen. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.

We need a more nuanced approach to the GWOT and I am afraid we won’t get that…

K.

 

The DARKNET: Operation Legitimacy?

leave a comment »

strongbox

gaiuaim ioi dui pln!

The DARKNETS…

The “Darknets” You’ve all heard of them. Some of you out there may have traversed their labyrinthine back alleys. However, have you ever thought that someday the darknet would be just as legitimate as the “clearnet” is today? With the recent bust of DPR and the Silk Road there has once again been great interest in the “Deep Web” and this interest was sparked once again for me too. It seems that the darknet is the new black once again and people are flocking to it just like onlookers at a traffic accident. Others though seem to be aiming to use the darknet technology (TOR and hidden services) to support free speech and to pass information as a legitimate whistle blower.

Still Mos Eisley but….

I loaded up TOR & Tails and took a trip once again into the digital Mos Eisley. It is still dark and full of crazy things and if you go there you too will see black market items, services like Assassinations for Bitcoins, and run of the mill blogs. You can (allegedly) buy just about any kind of drug in quantity just as easily as buying/mining bitcoins and paying for your drugs with them. All anonymously (once again allegedly as you can see from the DPR fiasco) via the Onion hidden services and backed by other services from anonymous email on TOR to bitcoin exchanges. However one can now see other sites out there that aren’t so black market oriented as well.

One such site is pictured above. The New Yorker decided post Ed Snowden’s revelations, that it was a good idea to put their new “secure dropbox” on the hidden services. This is a legit site that has been talked about on the clearnet as well as in the media a couple months ago. This is one of the first more legit sites I have seen out there that is offering a secure means to talk to reporters using the security that others on the darknets are using to carry out illegal activities. I have yet to really look at the site’s security but overall I see this one site being the key to showing others out there how the darknet can be used for something other than crime. Of course then again, if you ask the Obama Administration even this site could be considered illegal or an accessory to illegal leaking I guess. It’s really a matter of perspective.

Gentrification?

So what about other sites? What would you out there use the darknet for that is not “illicit” but requires some security and anonymity? I can foresee other sites popping up perhaps in the arena of free speech or even political movements that might like this model to pass their ideals on. I honestly think this is a turning point for the darknet. Of course this is all predicated on the darknet being “secure” after the revelations from the Snowden Archive of late. It seems the NSA is really trying pretty hard to de-anonymize anyone they want to and would love to have it just not anonymous at all. Well, let me re-phrase that.. Have them THINK it’s anonymous while it is not so much to the NSA.

Other sites out there include an online Koran as well as all kinds of other non criminal sites that are.. Well.. Kinda goofy or fringe. I think that perhaps now things might shift as the technology becomes easier to manage making it easier with global connectivity for us all to hang up a shingle in the darknet.

Time will tell though I guess…

K.

So here’s my thing….

with 3 comments

dark_of_night_OURO

VQX HWMVCUSE JQJFASSNTG QV! X HQ JD ISIAVVE!

Face it.. We are all PWND six ways to Sunday

Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.

*ponder ponder ponder*

Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers I don’t think that we will not truly have any privacy anymore. If you place it on the net, or in the air. We have reached in my opinion the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.

As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all I have increasingly felt  the 5 stages of grief. I had the disbelief (ok not completely as you all know but the scope was incredible at each revelation) Then the anger came and washed over me, waves and waves of it as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon though began to understand that no matter what I did with the tools out there that it was likely they had already been back door’d. This came to be more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security”

Over time the revelations have all lead to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do it would mean nothing to the rapidly approaching cyberpocalypse of our own creation arriving. ….In short, we can’t stop it and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.

I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.

OPSEC! OPSEC! OPSEC!

Speaking of losing one’s mind.. Lately people all have been yelling that OPSEC is the only way! One (the gruqq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies to just have a little privacy in our lives huh? I mean it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter but really, if you can’t shut yourself up that is your problem right? No, I speak of the every day email to your mom telling her about your health status or maybe your decision to come out etc. Why should the government have the eminent domain digitally to look at all that shit now or later?

If you take measures to protect these transactions and those measures are already compromised by the government why then should you even attempt to protect them with overburdened measures such as OPSEC huh? I mean, really if you are that worried about that shit then go talk to someone personally huh? I know, quite the defeatist attitude I have there huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect someday that they will just claim eminent domain over the internet completely.

Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.

Fuck this shit.

CYBERWARZ

Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full out kinetic war going on where systems have been destroyed or compromised just before tanks roll in or nukes hit us there is no cyberwar to speak of. There is only TALK OF cyber war.. Well more like masturbatory fantasies by the likes of Beitlich et al in reality. So back the fuck off of this shit mmkay? We do not live in the world of William Gibson and NO you are not Johnny Mnemonic ok!

Sick. And. Tired.

I really feel like that Shatner skit where he tells the Trekkies to get a life…

Awaiting the DERPOCALYPSE

All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.

RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment but in reality we have no way to completely stop the juggernaut of the NSA and the government kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks and there is so much of it in this industry now that there is little to stop it’s abuse as well.

We are well and truly fucked.

So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…

Derp.

K.

Book Review: An Introduction to Cyber-Warfare: A Multidisciplinary Approach

with one comment

cyberwarprimer

IJPFRH CPAGP EIIL!

CYBER CYBER CYBER!

CYBER CYBER CYBER! or “CRY HAVOC AND LET SLIP THE DIGITAL DOGS OD CYBER WAR!”” is often what you hear from me in a mocking tone as I scan the internet and the news for the usual cyber-douchery. Well this time kids I am actually going to review a book that for once was not full of douchery! Instead it was filled with mostly good information and aimed at people who are not necessarily versed at all in the cyberz. I personally was surprised to find myself thinking that I would approve this for a syllabus (as it has been placed into one by someone I know and asked me to read this and comment)

The book really is a primer on IW (Information Warfare) and Cyber-Warfare (for lack of a better nomenclature for it) which many of you reading my blog might be way below your desired literacy level on the subjects. However, for the novice I would happily recommend that they read the book and then spend more time using ALL of the footnotes to go and read even more on the subject to get a grasp of the complexities here. In fact, I would go as far as to say to all of you out there that IF you are teaching this subject at all then you SHOULD use this book as a starting point.

I would also like to say that I would LOVE to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. I would sit there and MAKE them read it in front of me *surely watching their lips move as they do so* There are too many people in positions of power making stupid decisions about this stuff when they haven’t a single clue. I guess the same could be said about the military folks as well. We have plenty of generals who have no idea either.. That’s just one man’s opinion though.

As we move further and further down the cyber-war road I think that books like this should be mandatory reading for all military personnel as well as college level courses in not only IW/INFOSEC but also political and affairs of state majors as well. We will only continue down this road it seems and it would be best for us all if the next wave of digital natives had a real grasp of the technologies as well as the political, logical, and tactical aspects of “Cyber”

I have broken down the book into rough chapters and subject areas as it is within the book (mostly) It really does cover more of the overall issues of cyber-warfare and methods used (not overly technical) The modus operandi so to speak of the actual events that have taken place are laid out in the book and give you a picture of the evolving of IW to what we see today as “cyber-warfare” I will comment on those sections on what I thought was good and what I thought was derpy of course, I mean would you all have it any other way?

IW (INFORMATION WARFARE) RUSSIA

The authors cover early IW with the Russian saga’s over Georgia and Estonia. There is a lot in there that perhaps even you out there might not know about the specifics of the incidents where Russia is “alleged” to have attacked both countries at different times with different goals and effects. Much of this also touches on the ideas of proxy organizations that may or may not be state run that were a part of the action as well as a good overview of what happened.

In the case of Georgia it went kinetic and this is the first real “cyber-warfare” incident in my mind as cyber-war goes. I say this because in my mind unless there is an actual kinetic portion to the fighting there is no “war” it is instead an “action” or “espionage” so in the case of tanks rolling in on Georgia we have a warfare scenario outright that was in tandem with IW/CW actions.

OUR CHINESE OVERLORDS

Ah Chairman Meow… What book on Cyber would be complete without our friends at the MSS 3rd Directorate huh? Well in the case of this primer it gets it right. It gets across not only that China has been hacking the living shit out of us but also WHY they are doing it! The book gives a base of information (lots of footnotes and links) to ancillary documentation that will explain the nature of Chinese thought on warfare and more to the point Cyber-Warfare. The Chinese have been working this angle (The Thousand Grains of Sand etc) for a long time now and there are more than a few treatises on it for you to read after finishing this book.

The big cases are in there as well as mention of the malware used, goals of the attacks and some of the key players. If you are out to start teaching about Chinese electronic/cyber/IW then this is a good place to start. Not too heavy but it gets the point across to those who are not so up to speed on the politics, the tech, or the stratagems involved.

ANONYMOUS/SEA/LULZSEC

Anonymous, as someone on my Twitter feed was just asking me as I was writing this piece, is also a part of this picture as well. The idea of asymmetric online warfare is really embodied by these groups. The book focuses more on Lulzsec and their 50 days of sailing but it doesn’t go too in depth with the derp. Suffice to say that all of them are indeed important to cyber-warfare as we know it and may in fact be the end model for all cyber-warfare. How so? Well, how better to have plausible denyability than to get a non state group to carry out your dirty war? Hell, for that matter how about just blame them and make it look like one of their ops huh?

Oddly enough just days ago Hammond wrote a piece saying this very thing. He intoned that the FBI via Sabu were manipulating the Anon’s into going after government targets. This is not beyond comprehension especially for places like China as well. So this is something to pay attention to. However, this book really did not take that issue on and I really wished that they had. Perhaps in the next updated edition guys?

THE GRID

OY VEY, the “GRID” this is one of the most derpy subjects usually in the media as well as the books/talks/material on cyber-warfare out there. In this case though I will allow what they wrote stand as a “so so” because they make no real claim to an actual apocalypse. Instead the book talks about the possible scenarios of how one could attack the grid. This book makes no claim that it would work but it is something to think about especially if you have an army of trained squirrels with routers strapped to their backs.

It is my belief that the system is too complex to have a systematic fail of apocalypse proportions and it always has been so. If the book talked about maybe creating a series of EMP devices placed at strategic high volume transformers then I would say they’d be on to something. However, that said, the use of a topological attack model was a good one from a logical perspective. They base most of this off of the Chinese grad students paper back years ago so your mileage may vary. So on this chapter I give it a 40% derp.

WHAT’S MISSING?

All in all I would have liked to have seen more in the political area concerning different countries thought patterns on IW/CW but hey, what can ya do eh? Additionally I think more could have been done on the ideas of offense vs. defense. Today I see a lot of derp around how the US has a GREAT OFFENSIVE CAPABILITY! Which for me and many of you out there I assume, leads me to the logical thought conclusion of “GREAT! We are totally offensive but our defense SUCKS!” So much for CYBER-MAD huh?

I would have also like to have seen more in the way of some game theory involved in the book as well concerning cyber-warfare. Some thought experiments would be helpful to lay out the problems within actually carrying out cyber-war as well as potential outcomes from doing so more along the lines of what I saw in the Global Cyber-Game.

OVERALL TAKE

Well, in the end I think it is a good start point for people to use this in their syllabus for teaching IW/CW today. It is a primer though and I would love to see not only this end up on the list but also the Global Cyber Game as well to round out the ideas here. To me it is more about “should we do this?” as opposed to “LETS FUCKING DO THIS!” as the effects of doing so are not necessarily known. Much of this territory is new and all too much of it is hyped up to the point of utter nonsense. This is the biggest problem we have though, this nonsense level with regard to the leaders of the land not knowing anything about it and then voting on things.

We need a more informed populace as well as government and I think this book would be a good start. So to the person who asked me to review this..

Put it in the syllabus!

K.

Creating Your Own Privacy & ROI

leave a comment »

img courtesy of XKCD http://xkcd.com/

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Preamble

With all the alleged revelations over the drift net surveillance happening to us all by the government I and others have been pondering the processes needed to protect one’s communications online and over the phone. Wired and other venues have put out reasonably ok articles on this but generally I think they have lacked on the ROI factor for the varying degree’s of surveillance that has been carried out for some time now, not just the NSA with PRISM. The immensity of it all I think can put one off on the idea of being able to keep their privacy especially given the pains that one must take to keep it on the nation state scale. However, there is much that could be done to have a modicum of privacy but one just has to understand the idea of OPSEC and have some technical base to work from in order to use the technologies such as TOR or CRYPTO in the first place. It is another thing altogether to keep that mindset every day and to understand the import of their use and the cause and effect that comes from failing to use them.

PRISM and NATION STATE SURVEILLANCE

As Ali (@packetknife) alluded to on the “Loopcast” recently with me, the idea that someone can completely deny the nation state program of surveillance is a tough one to swallow today. We all are connected to the net in some way whether it be your smartphone or some other connected device that we carry with us 24/7. In the case of the smart phone the utter and total pwn that goes on there is spectacular to think about. There is no need for tinfoil hat conspiracies about barcode tattoo’s on one’s neck here, all you really need is an iPhone and connectivity to know quite a bit about a person. This is why the metadata issue is a big one and people are seemingly unable to comprehend it. Let me clarify this for you all by also saying that not only are the calls to and from being easily monitored and mined (stored later for perusal when needed) by the NSA it seems, but also the GPS data as well. Remember the hubbub over the Apple collection of GPS data on the phones a couple years back? Remember the outrage on some parts over this? Well, now look at that in relations to how much of that data is accessible by the government too in this program. More to the point and this has not really been talked about, but are they correlating that data as well in the phone surveillance being carried out? My assumption is yes but like I said that seems to have been dwarfed and drowned out by the PRISM revelations.

Ok so now we are being data mined and correlated on the phone calls we make (metadata). Of who we are calling, how long we are talking, and when as well as  the GPS (location) as well?  All of that data is very informational about the habits of a person alone but start to analyze it from a personal and psychological perspective and you can build quite the dossier on someone without even having to listen to their conversations. Which I hasten to add that there are rumors of the caching of conversations generally not just under warrant from FISA. At this level, the nation state level of surveillance, one cannot hope to really be secure in their communications using technologies as they are because of the access the government has built for themselves post 9/11 with the Patriot Act as it’s fulcrum. Access mind you that we are giving them by proxy of the devices we buy and the services that provide the connection because without them we have no way to communicate other than in person or pen to paper with the post offices help right?

All of this though does not mean that the government is spying on you now. What it means though is that the legalities have been created or bent to the will of the government to have the illusion that the wholesale collection of all kinds of data for later use of anyone using these systems is legal. It also means that no matter the protestation of the government and the law enforcement bodies that they take all due care not to collect/use/surveill you vis a vis your data that there is a chance that someone within the system “could” and “might” do so outside of the rules and that is the problem here … Well other than the Constitutional, moral, and ethical issues that is. Just because it is against the rules does not mean someone won’t do it if they have the access. You know.. Like EJ Snowden having access to highly classified data that perhaps he shouldn’t have? Or furthermore the availability of Mr. Snowden being able to insert a USB drive into systems and siphon off said data to give to the press or anyone who’d listen right?

PRIVATE SECTOR or THE LITTLE SISTERS

Another issue that seems to be taking a back seat here is the notion of the Little Sisters to Big Brother. This idea springs from something I alluded to above in that the corporations that offer you the services (Gmail/ATT/Facebook etc) all collect data on you every minute of every day. They use this data for advertising, data mining, selling that data to other companies to form synergies on how to sell you on things etc. It is this practice of collecting all this data on us and our complicity in it that has given rise to the drift net approach that the government has taken with the surveillance programs like PRISM. The government is simply leveraging the capacities that are already there in the first place! You want to blame someone for this mess? Look in the mirror as you have allowed your data to be collected in the first place. YOU have placed your minute details out there on the internet to start with in email or posts to Twitter and Facebook for example. YOU are the culprit because you fail to understand OPSEC (Operational Security) and just scattered it on the net for anyone to see.

Of course other bits are more arcane. Cookies, tracking data within browsers and the like also give away much data on who you are, what you like, and allow the marketers to tailor ads for you when you go to sites that pay for the services. The aggregate of all of this data makes a digital portrait of you that unless you take pains to disallow the collection, will be sold and used by the corporations to package YOU as the commodity. I mean, how do you think Facebook works? It’s a social contract to connect to others and allow Facebook to make money off of your habits. Zucky is not in this to win a Nobel Peace Prize here ya know.

So when you think about all this surveillance going on please remember that you are complicit in it every time you surf the web, make a facebook post, a tweet, or send an email unencrypted (Google analytics kids) because they are all sifting that data to “get to know you better” *cough* It’s just a friends with benefits thing as the government see’s it being able to just hit them with an NSL and plant a server in the infrastructure to cull the data they want. As long as it doesn’t effect the bottom line (money) for them I suspect their worries about privacy are, well, pretty low on average. I mean after all you have already signed away your rights have you not? The little sisters are insidious and subtle and I am afraid they have already become metasticized within the society body.

The Only Privacy You Can Have Is That Which You Make Yourselves

“The only privacy that you have today  is that which you make for yourself” is something I said a while back on a blog post or podcast and I still stand by it. It seems all the more relevant in the post Snowden world today. By creating privacy I mean leveraging technologies like encryption to keep your communications private and OPSEC to consider how you transmit information over the internet and telco. There are inherent problems though with all of these things as you can always make a mistake and end up leaking information either technically (an instance would be logging online with your own IP address to something) or process wise like putting your current location on Facebook and saying you’re on vacation for two weeks. It is all a matter of degree though and even if you are practicing OPSEC there are things outside of your control when the nation state is looking to spy on you. There are just no two ways about it, you can only fight the nation state so much with technology as they have more resources to defeat your measures eventually by end run or by brute force.

On the level of defeating the little sisters, well the same applies but with limitations. You can in fact surf the net on TOR with NOSCRIPT, cookies disallowed and on an inherently anonymized OS on a USB stick right? The little sisters can only do so much and they only interact when they see a profit in it. They after all are not looking to be voyeurs just for the fun of it. They want to sell you something or sell you as metadata right? However, if you start to anonymize yourself as much as you can and you are diligent about it you can stop the Little Sisters which in turn may minimize what the Big Brother can use too. The caveat is that you have to take pains to do this and you have to know what you are doing. There are no magic easy button offerings on the shelf that will hide you from them all and if you care then you will take the time to learn how to perform these measures.

ROI On Privacy

Finally, I would like to take stock of the fight here that you need to take on and what the ROI is for each adversary involved. In reality unless you go off the grid, change your identity and never touch another piece of technology ever again there is a high likelihood that your information will be tracked. One may in fact create a separate identity to pay bills with and use that one to surf online as well as other things but that is an extreme just like the idea of becoming a Luddite. There must be a middle road where you can feel that you are protecting a certain portion of your lives from the unblinking eye of the companies and governments that own or access the technologies that we use every day. You have to though, understand all of this and accept that in the end you may fail at keeping your privacy yours and yours alone. Come to grips with this and be smart and you can have a modicum of success if you are diligent.

A for instance of this ROI would be on the phones. If you TRULY want to be private then you have to lose your smartphone that you have billed to you and buy a burn phone. Cash is king and there is no information taken if you do it right. The unfortunate thing is that you then have to call only others who have the same burn phones out there without any metdata that ties it back to their real identities. You just try getting mom and dad to buy burn phones to talk to them on… It’s not that easy. So really, some of the ROI is minimized by the nuisance factor. The same can be said for the lay individual who is not going to go buy encryption products nor are they capable of installing a Linux system and running something like GPG. This is not going to work for everyone as well as not everyone is going to care about their privacy as the recent Pew poll showed where 56% of polled ok with surveillance program by NSA.

In the end it all comes back to the idea that you create your own privacy by your own actions. Do not trust that the government is going to protect your privacy and certainly don’t believe that the corporations will either. I mean, just look at how many spectacular fails there were on passwords that weren’t hashed or encrypted in any way by companies hacked by LulzSec. As well you should not trust the government, no matter how well intended, that they will be ABLE to protect your privacy as we have seen with recent events like Brad Manning’s theft of (S) data as well as now Snowden (TS/SCI) The actions of one person can be the downfall of every carefully crafted system.

So what is the ROI here? Well….

NATION STATE:

Crypto and anonymized traffic online will minimize your footprint but eventually they will break you if they want to. You have to be exceptional to fight the nation state level of surveillance. As for the driftnet out there well, unless you go luddite they have a lot of data to sift and commingle. They have a pretty good picture of who you are and much of that comes from the little sisters. Your ROI here is minimal because they have the power and the thing you MUST remember is that CRYPTO IS YOUR FRIEND!! Encrypt sessions for chat and emails and you will leave them with the task of either having to break that crypto or hack your endpoint to see the plain text. Make them work for it. Otherwise you may as well just BCC the NSA.GOV on each and every email today it seems.

LITTLE SISTERS:

The little sisters though are another thing. You can in fact obscure a lot of what you do online and through telco but you have to be diligent. It means time and sometimes money (burn phones or laptops in some cases) to obfuscate as much as you can. The ROI here is that IF you take these pains you are then able to deny them easy access to your habits and patterns. If you start using crypto in sessions and in communications like emails then you will be also geometrically heightening your privacy status. But you have to do it.. AND that seems to be the hard part for many whether it is laziness or apathy I am not sure.

Privacy is what you make of it… He says as he hits enter on a public blog post!

K.

[Jmhhw Kutdegc ohl Vmgi Uizvsr pspmspw avuzyiw ypicl Qephcv Tmwfcj’a yere. Kutdegc plqfkw sd Vqklsn vcukipd.]
Polvc Ayzfiui: Elr npwr, xfslm’k Qephcv Tmwfcj…[tgsoq on i xspbsl ezmpc Auzlmr fom i tpely mbsvi. Uoftsgi rilvk xlc titviv rc mpga mr vua fs tydyzk] Li bcyaf’x wcsg bg lets u xswx.
Zwmpgt: [Ayzea saew] W’g agvvw, pob A hsl’h qwjo jmf npw kstslveirr.
Rckc Kspriv: Oi hm. [Gbwow e aoll] Fexgchid Wiailqlc Eeshkq.
Fmqvix: Sl. Cmi’lm lli eisa A liyf vzwexfwho gr xfs ibziv cbx wx qc nvivw.
Hmay Awjhsl: Bi, bzex’q hbm XFM. Us’lm fsx avuzlivcr zwj hsksmbag wsfpmappybwm.
Tmwfcj: Wz, M wcs. Swm nyqh idwvxffie yszcfhuwrxq. Gyb mt jpwyvvpc bwwbsxspg.
Xquo Kmfxwf: Rs, rvub’k xlc QCI. Oi tpcnmux ssf awnivlayvl’w gmagcfmgyhcwfw, ac hlg ls fpsus lli mhbmj jijzu’a ushcg. Qm’ji xfs awgh ksmm, Usvxw.
Pcazst: Esy, Q uer’r hytd css kbil e vczcmx xlyh ca…Vmgi.
Rckc Kspriv: Uleluy ggyv kwhl, uepj im il xlgg hcefip… [ucdww Fggbwh e jmzxmv tmcqy wx tensl] Uj. Fvgqy.

State Of Surveillance: PRISM & Other Driftnets

leave a comment »

Zlx kpkmn qp hbx ieandl bh hi lxjywy kx hbxbr bcjzwgy, lhnzix, jczsll, tnp cxmmvzw, tzhmsmv eblxtsalsitx yitkjljm cxr mxbzgpwz, aagpe gvx gy xscftmep, yfk vh Cekkhrym urofe bsesw, icm athg wvtvclzy vtuec, kbxiuvmxk fd Icdv ik tfrgjtimosg, tuh uutdwwneadjq kmlivbuprl njo dftve fm tl axgvvalh, fhf dvy ixremfz wk zlbgnw yi do gybsep.

Revelations

Some of you out there may be shocked and dismayed that the NSA and the FBI as well as other “customers” in the IC world have been collecting vast amounts of data from sources like Verizon (telco) and Google (internet) sources. Others already knew this but perhaps did not understand the sheer scope of the hoovering that has been going on. Myself, well I have had an inkling since I read the manuals for the NARUS STA-6400 system back in 2003 I think it was. That system was the progenitor of what we are seeing now within not only PRISM but other as yet to be named projects. Suffice to say though that we are well and completely surveilled and we have ourselves to blame really. We elected these people into positions of power and we also have not taken enough steps to insure that our elected government is being ethical, moral, and legal in their actions.

These programs have been ongoing for some time now and it seems now they have become monsters that some even within the vast machine have decided are too big and too scary for the government to have control over without the public’s knowledge. Whoever leaked this information must have reached much the same conclusions that we all are now post the leaks that the government wields a set of tools that it should not be using without the approval of the governed who’s rights they are “encroaching” upon and for this I laud them. It is my personal feeling that the government and the LE as well as IC community have overstepped their bounds in this driftnet surveillance behemoth that they have built in the name of anti-terrorism. It is also my opinion that the number of plots allegedly broken up before going into action does not outweigh the constitutional rights that they are contravening to uncover and stop them.

Equivocations

Since the revelations on the wiretapping, metadata, and now internet content slurping we all have seen the reaction of the IC and the administration in response to them. What we have seen thus far has been a set of carefully worded speeches and ameliorating press releases hoping to quell our distrust in our leaders and these constitutionally questionable programs. The height of this for me was President Obama’s press meeting to address the issues where he uses language that basically says “ok yes you are right, your rights are being encroached upon but the benefits of this program outweigh your rights” This was a telling for me as the implication here is that the president, who is in fact alleged to be a constitutional scholar knows and admits that these programs are infringing on our fourth amendment right to privacy.

So what we have here is an administration that has not only carried on the programs and ideals of the previous piteously poor one but gone as far as to expand them for our “greater good” all the while increasing the classification of everything to protect their bad decisions from the public they claim to be protecting. This all may well have been done with good intentions but as “we the people” see it after the fact it comes off as overreach and Orwellian to say the least. In my world view having the power to do something is one thing if you have a sunlight policy that allows for some transparency but all of this is covered in a cloak of secrecy under the rubric that it is to protect us all from terrorism. While I can understand the need for operational security in anti-terrorism and intelligence work I cannot say that this data mining in the way it is being carried out outweighs the fundamental right to privacy that the Fourth Amendment affords all citizens. Furthermore all of the alleged oversight and controls that are in place over these programs may be best intentions but this is not to say that the programs cannot be abused or end run around by those in the chain of command to their own ends. Remember that it was Nixon who ordered the taps of enemies including the NSA as a means to that end until J. Edgar Hoover, out of a feeling of losing his own power, stopped the NSA by threatening to out the president and the program. So there is a history here to be cognizant of and that history is basically the aphorism; “Power corrupts and absolute power corrupts absolutely”

No matter the equivocations or couched and secretively worded explanations that this is all for “our good” the people have a right to reserve judgement as well as demand accounting on what is being done in their name by their duly elected government. The problems though for me are that all too many times the choices are classified, national security letters used to quash any resistance, and oversight by the people prevented with rhetoric over the greater good and this is wrong. The governed need to have a say in this and the government is not allowing that by classification and word play. Games of word semantics may be fun if it were just a game but when it comes to programs like PRISM it’s all really just sleight of hand and NLP to allow the government to do what it wants to, the most expedient thing, to protect the homeland (another nice NLP there by the way) from terror. I guess the question then becomes could this activity be carried out in a better and more transparent way that would still work against terrorism?

Hand Wringing

Look we know that communications are being watched. The terrorists know it too and have used tradecraft to protect their actions in the past. It’s really just common sense, so really do we need to keep it all a secret that we are collecting information? For that matter, do we need to really collect everything and sift through it to find that needle in the haystack as the press has been going on about? As I remember it the players have pretty much been known quantities even after the advent of the internet and the FISA court was a good tool in keeping the government on the straight and narrow with regard to taps and surveillance. In fact the FISA was set up to prevent another Nixon like abuse of the system. Now though it seems like the technology has outstripped the ability of a court like FISA to really watchdog the watchers and has become more of a lapdog than a pitbull. Remember that the FISA court was being end run quite a bit during the Bush administration because it held them up in their eyes. What then happened was the Patriot act and other mechanisms to make it easier for the LE’s and IC’s to just get what they wanted without a warrant, something we came to know as “warrantless wiretapping” or “roaming taps” where the FBI and others could just start surveillance without a warrant for up to 72 hours. It all began there really and down the primrose path we all went.

Frankly the Congress in my eyes went along with all of this because of a couple reasons. The first reason was fear. The second reason was fear of not being re-elected. Both of these reasons are no good and completely spineless. What has happened is that we went from a country of checks and balances to a country with few of either because you can’t check or balance that which has been classified as secret can you? Of course I also blame the populace as well for not being engaged in their governance as well but in cases like this it is much more about things being done in secret and not about us being disinterested. The telling thing will be what happens from here. Will the populace demand some sort of accountability? Will there be a groundswell of support for measures to insure the government is not abusing this power they have in collecting all this data? Or will we all go back to sleep collectively and settle in to watch Survivor and probe our navels? Things will remain status quo unless the populace speaks up and does something about it and if they do not it is my opinion that we will keep sinking further into a surveillance state.

Anger

Anger is what we need now and it is anger we should be feeling over all of these revelations this past week. I want you all out there to take a long look back at our country’s actions and laws since 9/11 and think. Do you really want to be represented to the world by the actions of total information awareness and prevarications by John Yoo that torture is acceptable as a common practice? Do you really trust that the government, law enforcement, and the IC’s will not overstep even more and abuse the system in place today for their own needs? Finally, do you really think that your government and those within it are that altruistic as to be all shining versions of Mr. Smith? I really don’t believe that you all think that that is the case so why would you just lay there and allow all this to go on without at least some kind of sunlight policy allowing the governed to know what the government is doing in their name or more to the point to the governed?

As for me well, I am just a dark bastard as some have called me. You might read this and think well that’s just him, but, I implore you all out there to take a step back and look at our history and the nature of human nature and then decide. I think you will all come to the same conclusion that this is the wrong path to be on. No matter how many times the players may tell you that the game is played fairly and for your protection ask yourselves and them to tell you how many times it has foiled a plot and saved us from ruin. If they say “well we can’t because it’s classified” then I want you to see them in a pair of plaid pants and white belt with matching shoes trying to sell you a car …because that is what they are doing.

Get angry and demand some transparency. Keep your eye on them because in fact you cannot trust them. Given the power to do what they like they will do so especially if there are no repercussions as it’s all classified. Alternatively though and in reality all you can do today is use encryption and take care with your communications if you do not want Uncle Sam and his pals to know about them. As I see it now they have a complete backdoor into everything and people start to use more encryption I would expect crypto to become a munition again….

But that’s just the dark bastard in me I guess…

K.

Written by Krypt3ia

2013/06/09 at 17:34

Deep Throat: The Outer Edges

leave a comment »

Jz etgstrj Wtmfvl! X lsg pmj lsgzlv fs!

SOURCES

The FBI surveillance of 2 months of the AP’s phone traffic reminded me much of the heady days when Nixon and Hoover cornered the market on domestic spying. Now this is not to say that I think the current White House administration is in fact as demented about surveillance as Hoover or Nixon but I do think that it has been feeling more insecure about it’s ability to govern the way it wants to because of leaking. Take from that statement what you may but let me further say that once you have the ability to do something you tend to rationalize about doing it if that thing is perceived at all to be wrong. In the case of grabbing two whole months of ALL of the traffic for AP to “investigate” leaks I think the FBI/DOJ/WH et al rationalized quite a bit to just go ahead and do it and the consequences as well as the law be damned.

In a world where Wikileaks has opened up the floodgates to all kinds of materials being leaked whether or not they are relevant to any wrongdoing, I am sure the governments of the world have shifted back to the cold war mentalities of protecting everything they can with classifications and more secrecy. The current environment has the government scared, the advocates rallying, and the leakers becoming more plentiful and the motives for leaking myriad. In many cases though the leak is more motivated by personal gains in esteem by others (perceived) and perhaps even financial at times for those who are getting paid for information. Once in a while though, you get the leak that would seem to be the right thing to do. This is the case where someone leaks the misdeeds of the government or a corporation for the good of the many. Unfortunately though, in the cases of the leaks of late, it has been more a prestige motive or a political motive than outrage at some wrong doing.

Either way however, the leaking seems to have prompted a response on the part of the government that would have been a justified “leak” had someone given it to the media. The wholesale surveillance and fishing expedition on reporters, news services, and in the end, leakers who may or may not have relationships with those reporters. Sources have always been a core to the news business and the constitutional protections on freedom of the press have been an integral part to our democracy. This move by the Obama administration and the DOJ/FBI not only seems to be quite the overreach but also a not so subtle warning to both leakers and the press that they are playing hard ball. It seems that journalism has become just another casualty of the surveillance culture that the government now has it’s finger on and control over.

It is thusly that I bring this topic to the blog in hopes to enlighten the reporters as well as the leakers out there on some OPSEC and Tradecraft that could make their leaking more secure even if the government decides that they should cull all of the media’s access for months if not years. All “sources” out there are now subject to having their anonymity blown by such action as the surveillance of the AP phone logs whether or not they are in fact leaking information that they shouldn’t be according to their employers or governments. If I were a source I would now certainly think twice about giving any information to anyone unless I had taken great pains to insure the transactions are secure if not in person and unseen like in the clip at the top of the page from “All The Presidents Men” Such interactions though all require a certain care that must be learned as they may not come as second nature to many unless you are just a paranoid to begin with. However, there are many technical countermeasures and tricks that one can learn if you look in the right places for the information.

SURVEILLANCE

Surveillance is as old as the hills but now it is augmented by so much digital methodology that it seems rather quaint at times to consider that someone may in fact be following you. Today one can carry out an effective surveillance on an unknowing target by merely booting up a program and connecting to a system that shows you the GPS coordinates of where you are. This is of course so readily available now because we all have taken to having our own personal GPS unit on us at all times in the form of a cell phone. Since we have made it so easy not only with GPS but also tweeting, Facebooking, Tumblr-ing, and generally streaming every second of our lives online (exceedingly poor opsec kids) it is surprising to me at least that we don’t see many more cases in the courts where freely given personal details online were the source of the probable cause to arrest someone if not the actual proof in a case of committing a crime. Basically  we have given up much of our privacy already to little brother and sooner or later BIG BROTHER will re-legislate to allow themselves more access to the same streams. When this happens we need to all worry, but for now they will be happy to just secretly wiretap or to secretly subpoena your records and use them that way.

Still though, there are times when surveillance still means a guy with a camera or a team of people following you around. For those times I suggest that you start to learn countermeasures for surveillance. The book linked is a good start to understand not only surveillance techniques but also the direct actions you can take to defeat it. Of course once again I have to remind you that you need to have good OPSEC (Operational Security) and Tradecraft in the first place (like presence of mind to not have your phone with you and on for a GPS location lock) to also obfuscate your position and prevent being watched. Remember, if you don’t want to be compromised you have to be mindful of the threatscape. This of course also goes for the digital landscape as well, you have to know how to prevent data leakage in order to keep things secret.

TRADECRAFT

So you want to keep things a secret? Well then you have to learn how to take due care in everything you do. If you are looking to compartmentalize your life it can be done but you have to be mindful all the time of making slips that could unravel all your best laid plans. You need to study “Tradecraft” which is an espionage term and is not something that is just picked up, you have to practice it in order for it to work. If you want to leak information or you want to keep a a portion of your life secret then you need to learn from the links below to secure yourself. Online this means doing such simple things as using encryption on emails that you do not want Google or the DOJ to read or by using an encryption product on your phone or your chat sessions. What it comes down to is your security is what you make of it. If you do not do the work then you aren’t secure. Remember that all of your lives now are broadcast through internet, phones, cameras and the like and none of those things do you actually own, you pay for a service and the data you send is not really yours once you hit send in many cases.

What was once thought to be true, primarily that you have privacy in your effects and papers is no longer really the case where digital media is concerned. The courts have taken different approaches and interpretations on “papers and effects” where computers and the internet are concerned. One apt analogy is the old garbage on the sidewalk scenario. Once you put your garbage on the sidewalk for pickup it is no longer considered private. You are basically putting it out there for anyone to grab including the government or LEA’s. The same idea is being floated in the terms and agreements with digital media. If you send an email to someone is it really private? Does the carrier (Google say) have any mandate to consider your data private when it sits on their servers that they “rent” you? It’s their asset right? Unless you take pains to protect that email with encryption then you are just as much putting it on the sidewalk as the garbage according to some interpretations.

Overall, you need not be a leaker to take up these precautions and protect your privacy. This incident with the AP records though only shows you just how far a reach the DOJ is willing to take on records like these. Of course if you have been paying attention over the years since 9/11 you would know that many NSL’s (National Security Letters) were sent to the likes of Google and other places demanding end users records and forbidding the company any redress to tell the end user or to fight the demand because the request was considered “CLASSIFIED” by the government and law enforcement. So, if the government can just do that, classify it, and make it disappear what else are they likely to do when they want to have a looksee at your chat logs huh? The electronic spook genie is out of the bottle and running amok. It’s up to you to prevent it from running rough shod over you.

K.

Reading resources:

TRADECRAFT

OPSEC

CRYPTO

DROPBOXES & DEAD DROPS

COUNTER SURVEILLANCE TECHNIQUES

ENCRYPTED CHAT

BURN PHONES

THE DARK NET

FACE TO FACE MEETING OPERATIONAL SECURITY

TSCM

TOR (THE ONION ROUTER)

I2P (ANONYMOUS PROXY)

IPREDATOR (PROXY)

BURN COMPUTERS/TABLETS

ALTERNATE IDENTITIES AND LEGENDS

BIOMETRIC DEFEATING CLOTHING

CELL BLOCKING BAGS/CONTAINERS

OFF THE RECORD MESSAGING (OTR)

SILENT CIRCLE CELL AND MESSAGING CLIENT

 

Written by Krypt3ia

2013/05/21 at 19:45