OPSEC For Activists, Because Encryption Is No Guarantee 89
Nicola Hahn writes: "In the wake of the Snowden revelations strong encryption has been promoted by organizations like The Intercept and Freedom of the Press Foundation as a solution for safeguarding privacy against the encroachment of Big Brother. Even President Obama acknowledges that "there's no scenario in which we don't want really strong encryption."
Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.
The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should.
Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.
The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should.
Re: (Score:1)
Mkay, and that has nothing to do with a predictable species living in networked habitrails.
Semantic games (Score:5, Insightful)
How many pointless articles could be avoided if authors and editors understood the difference between a necessary condition and a sufficient condition? Of course comsec is not a solution per se, Ulbricht can tell you all about that! (And how many more pointless discussions could be avoided if everyone knew "per se" = "by itself".)
Re:Semantic games (Score:5, Insightful)
You've got a good point, but the implementation of said conditions have a different intrinsic suspicion. Discussions on encryption will only get you put on the NSA watchlist along with everyone else. Conversations about OPSEC may get you a little bit more. For example - getting revealed as someone who sends encrypted messages to your friends is either in that category of nerdy or slightly suspicious. Getting revealed as someone who passes parcels to others via dead drops will probably get your door kicked in by the DEA shortly followed by a long line of other three letter groups.
PS - I'm not sure if I'll ever be able to use the word "intrinsic" without thinking of eating leprechauns or quantum mechanics. Does anyone else have this problem?
Re:Semantic games (Score:5, Interesting)
Problem with your analysis, damned if you do, damned if you do not. Many of the activities of the three letter US agencies have become largely criminal with gross and purposeful misinterpretations of the law and this not in pursuit of justice but in the pursuit of the psychopathic ego of many out of control 'agents' or upon the direct orders of political or corporate appointees. So doing nothing is no more or less effective at getting you door kicked in, being threatened with real and impending death for any reason imaginable including not obeying orders fast enough, a barking dog, happening to have some item in your hand at the time, any item. Then you and all other people in residence at the time being physically assaulted, really assaulted, not grab you hands put them behind your back and being handcuffed but thrown to the ground kicked and jumped on, a bought of "stop resisting' with more blows to the head and then of course your home trashed and your stuff stolen. Then if they hate you ludicrous bail conditions the ensure you remain in jail for years during an hugely purposefully extended trial and the inevitably had sucker you have been in jail for years, plead guilty and you will released with time server ha ha ha.
Basically you are attempting to defend yourself against really lazy and self serving types who in reality wont be bothered with the real leg work, the real reports or any real effort.
Besides it can be hugely fun. Be overtly covert, make a big show of analogue person to person communications. Don't be lazy yourself, do everything you can person to person, the more the merrier and the more wasted spy vs spy efforts. In the whole spy vs spy vs the rest of us, being overt, exposing your efforts, being more public about your activities, serves to protect you and will inevitably expose their spy vs spy efforts to the ridicule and derision it so often rightly deserves.
You are correct. (Score:3, Informative)
Snowden confirmed our suspicions. And for that he lost his livelihood and his home. And in return for his sacrifice we....have done nothing.
We benefited from his revelations, and then we let him rot. We can't even be arsed into signing an online petition [aclu.org] to help him out.
Given how we reward whistle blowers, I am surprised we have any at all.
Re: (Score:2)
Re: (Score:1)
Back in the day, I alwa
Re: (Score:2, Insightful)
The ironic thing is that OPSEC is a must for any business organization. You can have data at rest protection, and data in transit, but without protection against the VoIP spoofer demanding access or else he will get people fired, this does work. I've worked at a company where the head security guy got fired because he challenged a muckety-muck PHB who was tailgating (trying to get past a door into a sensitive area from the outside of the building without badging in), and this fear caused people to not cha
Such A Nice Bootlicker (Score:1)
...you are.
Here's a gem: You night to FIGHT for freedom. The government and their mohammedic friends are hell-bent on implementing Mohammedic Security (total surveillance, torture, kidnapping etc) here.
There is NOTHING WRONG with using TOR and turning off the NSA Beacon as much as possible. As long as you dont conspire to harm anybody else, that is.
And yeah, I get regular black helos, C130 overflights and the odd three-strange-persons visits in the train. When I was in Atlanta they once showed me about 50%
Re: (Score:2)
You want to play 'semantic games'?
When 'opsec' is outlawed, only outlaws will have opsec.
In other words: if you're employing opsec, you will be construed as a terrorist, and the NSA et al will use even more secret laws to fuck you over even more.
There is no scenario in this security paranoid world in which being secretive about your actions isn't red flags.
Which is precisely why these 'intelligence' outfits need to have much shorter leashes. Quite possibly suspended from trees high enough to keep their fe
Re: (Score:2)
Opsec is just a procedure you apply.
Invent one procedure that works only for your closed group, it shall only be known to all of you. What the procedures and patterns you have within your closed group will have to be seen as normal variations that to the casual observer don't look outside the ordinary.
A certain variation on how the clothing is worn might be your way of signaling to your group a certain message - or be part of the message when you casually meet.
Re: (Score:2)
(And how many more pointless discussions could be avoided if everyone knew "per se" = "by itself".)
Not to mention that the phrase is toe the line.
Re: (Score:2)
A lot of pointless discussions could be avoided if everyone knew = is an assignment operator and == is a relational operator.
Re: (Score:2)
Oh boy, forgive me for not appending [sic], too.
Not necessarially opposed to grammatical errors, just the nonsense that it causes. Like this one up here ^
Of course (Score:3, Insightful)
If I'm the only one who can unlock your encrypted communications, then it's in my best interest to have everyone encrypt their communications, because then, I'll be the only one with total situation awareness.
It won't be in any of your interests, of course, because you'll be handing me my advantage on a silver platter... but you're all far too shortsighted to pay attention to such things.
Of course Obama and the NSA want you all using strong encryption. Stupid of you to give them what they want, though.
Test your security with false information (Score:5, Interesting)
The high tech equivalent would be to mention a network resource where access can be monitored. When the network resource is accessed, you know there is a problem.
Re: (Score:2)
When access to that network resource is being monitored, you don't know there's a problem.
OPSEC (Score:2)
Old school.
http://radicalsurvivalism.com/... [radicalsurvivalism.com]
http://www.outofregs.com/postI... [outofregs.com]
Opsec? (Score:2)
It's called know what you're doing and don't be stupid.
OPSEC (Score:2)
Re: (Score:2)
Re: (Score:2)
You have a key that is far larger than the data you are encrypting, you never reuse parts of the key. The key is random garbage not generated by the computer, but sampled, e.g. random video mashes together or random noise audio mashed together. You transfer the private key by trusted method,
If you have a trusted communication method you could use the same method to send the actual message. (Exception being when you have a trusted channel once in a while)
Next is that video and audio are far too regular to count as reliable source of randomness. Have a look what work went into defining the entropy sources for the Linux pseudo random number generator. Things you thought should be more than random over a large stretch of time showed to be surprisingly predictable.
Uninteresting (Score:3)
Re: (Score:1)
Every American is tracked, in case they choose to have a political life in the future. The same is true of just about every developed country today to varying extents. Your best choice is to emigrate to a Rule Of Law state and keep a low profile.
In America you can be violently attacked and/or robbed blind and have your life ruined by police/politicians/bureaucrats for any reason or none at all. In Australia and New Zealand everything is monitored, same as the US, but you still have civil recourse even if yo
Some Real Advice (Score:4, Informative)
- It is technically possible to air-gap the machine you use to access your email, by copying the email over from an insecure computer to the air-gapped machine.
- TAILS is great, but they probably at least try to break it since it's popular. Will they succeed? Maybe. So use an OpenBSD live CD, it's more secure anyway. Or get creative: use Whonix. The FBI's pedestrian attempt at drive-by malware would have fallen flat on its face with an adversary using Whonix.
- Firejail. Google it. Won't protect you against local kernel privilege escalation attacks, though.
Yes, contingency planning is good. Yes, single points of failure are bad. But you can get very, very good communication security if you really try.
Re: (Score:1)
" It is technically possible to air-gap the machine you use to access your email, by copying the email over from an insecure computer to the air-gapped machine."
Serial port. Slow as hell but ZModem doesn't inject nasty malware.
Re: (Score:3)
I was thinking flash drive or possibly optical disk ... couldn't there theoretically be an exploitable buffer overflow in ZModem?
Re: (Score:2)
Due to risks like BadUSB, or even attacks using the filesystem itself, those methods carry risk of exploiting the air-gapped system.
IMO, its actually better to use an isolating OS like Qubes because it uses a simplified and hardened protocol for data transfer between domains. Even copy-and-paste between domains has been hardened. It can isolate USB controllers and external disks at the hardware level using the IOMMU/VT-d feature in newer chipsets.
Re: (Score:2)
Bugs in the filesystem driver, yes, but those are probably pretty rare I'd think. BadUSB, not really. That attack works by emulating a keyboard/mouse HID controller. If you plug your USB drive in and all of a sudden your computer starts typing things and moving the mouse on its own, you would notice immediately. Also it typically requires special hardware; a rooted box couldn't just take a real USB drive and turn it into a HID controller.
Re: (Score:2)
You've got the wrong impression of BadUSB as impersonating a HID certainly isn't required. USB is fundamentally insecure in a number of ways...
https://www.blackhat.com/prese... [blackhat.com]
http://media.blackhat.com/bh-d... [blackhat.com]
https://srlabs.de/blog/wp-cont... [srlabs.de]
When the USB drivers themselves can be attacked with malformed protocol data there is a fairly direct channel to gaining access to the whole system. Also a USB drive controller can make itself look like an internal drive, meaning that DMA (yes, USB supports DMA) restric
Re: (Score:2)
StackExchange says you're wrong about USB having DMA: http://security.stackexchange.... [stackexchange.com]
In any case, BadUSB would require reprogramming the actual device, so I still don't think it is a practical attack vector in this scenario. Moreover, if you're really paranoid, you can use write-once CD-Rs instead of USB devices.
QubesOS is an interesting idea, but it's more complicated and therefore more likely to have bugs than airgapping a machine. You're assuming there are no bugs in Xen, for instance.
As for filesyst
Re: (Score:2)
If the USB host controller firmware or any of the USB drivers available to the system are exploited, then malware delivered by the USB device may get use of the DMA channel between the host controller and RAM (if not simply gain root access). And calling customization of a device impractical is, I think, leaning a bit towards denial -- many hobbyists can do this now. Familiarity with common controller types used in consumer devices is also rising.
Its probably safer to bet security on a chokepoint like Xen h
Re: (Score:2)
Burz,
I'm not saying it's impossible to customize a USB device. I'm saying rooting a machine to the point that it can customize an arbitrary USB key plugged in by the legitimate operator of the machine is impractical. You're also invoking speculative, unknown attacks against the USB host driver and firmware, which I will see you with my previously invoked unknown, speculative attacks against Xen. Also, you completely ignored my suggestion of using an optical disk if you are concerned about USB.
Safest way
Re: (Score:2)
I'm saying rooting a machine to the point that it can customize an arbitrary USB key plugged in by the legitimate operator of the machine is impractical.
Except that privilege escalation attacks against these multi-decade-old systems appear year after year. A well-funded state attacker (OP is about activists, after all) would certainly have some at their disposal.
Which gets back to the premise that monolithic kernels enforcing user privs is an outmoded form of security. Re-purpose the kernels as feature sets under an isolating hypervisor and security begins to look realistic.
Re: CD-R, lets assume I use an optical disk to move a quantity of email messages fro
Re: (Score:2)
Except that privilege escalation attacks against these multi-decade-old systems appear year after year. A well-funded state attacker (OP is about activists, after all) would certainly have some at their disposal.
All code has bugs. Xen has bugs. Qubes has bugs. And yes, OSes have bugs, although Linux local privilege escalation bugs are not an everyday occurrence, and OpenBSD bugs are very rare. You can't handwave a 0-day privilege escalation vulnerability into existence and claim that there are no 0-day privilege escalation vulnerabilities in Xen.
Re: CD-R, lets assume I use an optical disk to move a quantity of email messages from a networked/untrusted machine to an airgapped one (both conventional architecture). If I export as .eml files, I have to archive them before burning them. So, over and above the risk from nasty email attachments, there is the risk the untrusted machine could use malformed email or archive format to perform an exploit. If you think that's far-fetched, consider how much more complex email and archive formats are compared to the .lnk files that were recently discovered as an NSA exploit.
tar is pretty solid, actually, but, if you don't like it, make up your own trivial archive format (it's not hard), or don't use it and follow a one-disk-per-message pro
Re: (Score:2)
Indeed, all code has bugs. Its a question of who/what is using the least amount of code necessary to provide a security mechanism. That's what reducing the attack surface is really about.
From a security standpoint, Qubes would by definition have very few-to-no additional bugs above what exist in Xen. OTOH, as I have implied, a Linux or Windows kernel + supporting libraries and also the firmware for USB controllers and NICs are immense compared to Xen plus a couple Qubes drivers (there is more to Qubes code,
Re: (Score:2)
- Firejail. Google it. Won't protect you against local kernel privilege escalation attacks, though.
Yes, contingency planning is good. Yes, single points of failure are bad. But you can get very, very good communication security if you really try.
Qubes OS [blogspot.com] should protect you against privilege escalation *and* VM breakout attacks where sandboxes like 'Firejail' do not. Its a hardened hypervisor-based [qubes-os.org] desktop OS that isolates elements like graphics and network IO from each other using a system's IOMMU if necessary. Its single-user, and all security is implemented using the hypervisor.
Qubes is put out by white-hat hacker group Invisible Things Lab who switched their focus when they saw the need to do something about endpoint security. Their philosophy
Re: (Score:2)
"The traditional security model of monolithic OS kernels" ...have been abandoned because they don't work against external threats. Of course, that doesn't prevent you from using traditional security within a Qubes VM.
(Sorry. Finishing sentence from previous post :) )
Ugh (Score:2)
It's bad enough you gotta bunch of guys out there who read too much goddamned Tom Clancy and use military/police-esque terms for everything whilst wearing their size XXXXXL tactical camo pants, but do we really want to start throwing around terms like OPSEC? Goodie, you know a new term/acronym; you're still not a badass.
Open source USB and hard drive firmware (Score:1)
Not having a mobile phone is suspicious... (Score:4, Interesting)
Any pattern in the way you behave can be used against you. If you are not emitting a mobile phone signal, then you are suspicious. If you have an iPhone, and the logs suggest you regularly take the batteries out, then you are very suspicious. A modern spy would carry a mobile phone - not the latest security recommended one, but something dull - and would tweet and post pictures of what they are eating and listening to just to get the right watch profile. You would have to leave the phone behind when you want to do Spy Things, but you could leave it in the locker at the swimming pool, or something plausible like that. If you have to send crypto messages over this phone, keep the message very short, and plausible.
I don't think there are many real spies here on Slashdot, but there are probably people who would like to keep their data secure in a way that does not attract attention to themselves. Perhaps we should all use encryption whether we need it or not, so those that need it will no longer stand out.
Re:Not having a mobile phone is suspicious... (Score:4, Interesting)
* By suspicious I mean someone who might have ties to any protest organization, be a naturalized citizen, have visited any strange countries, be a minority, committed a crime other than a traffic/parking ticket, or any other group the government may want to target or would be ignored by the news media. Basically it would be similar to driving while black, or the opposite of being a young white girl who gets murdered or put on trial in a foreign country. I hate to say it but it is sadly true that the general population would't care about your plight if you could be painted as an undesireable.