[Dailydave] Fwd: Re: Friends, Romans...

Dave Aitel dave at immunityinc.com
Thu Sep 27 09:27:27 EDT 2012


Some people don't know how to use email, so I'm forwarding things for them.

-dave



-------- Original Message --------
Subject: 	Re: [Dailydave] Friends, Romans...
Date: 	Thu, 27 Sep 2012 20:18:05 +0700
From: 	the grugq <thegrugq at gmail.com>
To: 	Dave Aitel <dave at immunityinc.com>



On 09/25/2012 09:29 PM, Dave Aitel wrote:
> So I just got back from Ekoparty, in Argentina. Ekoparty has great
> technical content - much of which I listened to through a translator
> service they had (which was surprisingly effective). Of course,

Ekoparty was a lot of fun.

> sometimes the interesting talks are not technical at all (and, luckily
> for me, in English), as is the case with Grugq's OPSEC for Hackers
> <http://www.slideshare.net/grugq/opsec-for-hackers> talk.


The problems with OPSEC are mostly not technical, but
social/psychological. In future updates I plan to address the technical
solutions, but good tech won't save you if you can't learn to keep your
mouth shut.

> There are a lot of things I don't agree with in his talk, of course. I
> have this talk coming up in Ottawa
> <http://www.countermeasure2012.com/> in October in which I talk about
> this a little bit, in particular the part where Grugq postulates that
> hackers are not the apex predator on the Internet (which I assume is
> classic misdirection on his part?)[1].

I think we're using the term to mean different things. The intended
audience for this talk is not "members of state sanctioned cyber
operations units", but "independent enthusiast FREEDOM FIGHTERS" who are
at risk of arrest and incarceration (or worse).

There is a lot to be said about the rise to dominance of state
sanctioned actors on the Internet. It is really the main story of the
last decade. The massive disparity in resource availability has enabled
nation states to claim the apex predator position without necessarily
having access to the best resources (after all, Dave and Charlie both
left)...

> [1] I also don't agree that you should work alone, 

I don't suggest working alone. It is very hard for an individual to
provide sufficient resources to be effective. I would go so far as to
say, being a member of a team is a force multiplier (particularly in
regards to idea production, but also for motivation). However, I
strongly advise that non-state sanctioned FREEDOM FIGHTERS work
aggressively to mitigate the risk of judicial repercussions. In
particular: Never trust anyone [including your teammates]. As I said
during my talk, "don't socialize with your criminal associates. You want
friends -- go to the pub"

Before you join a team, create a new cover and flesh out the legend a
bit. This persona can create an alias (or handle, as we used to call it
back in the day), and join up with a crew. From then on, you should work
to minimize the profiling data you provide to the members of the crew.
Maintain a professional relationship. Stay in character as your cover
identity so when you make mistakes and reveal too much, it is the cover
identity which will be compromised... not yourself.

Ideally, you should be able to even join a crew comprised entirely of
Fed informants and remain anonymous. After all, the FBI was pretty
effective at running lulzsec for months.

> and my opinion is that you should log everything.


I think you might be reading too much into "no logs. no crime". I don't
advocate "never log anything", it is more nuanced and subtle than
expressed in the slide deck. I would suggest the 'commandment' "never
keep contraband at your house" applies to evidentiary data such as logs.
Keeping logs is inherently risky, so they should be stored in a location
which is not linked to you. For example, they could be kept on a tor
hidden service on a VPS in Kazakhstan paid for with LR.

As for 'no logs. no crime.', the Flame author's "kill all syslog
daemons" approach is in line with what I'd suggest. Keep useful
information, but don't even create useless (and potentially
incriminating) logs.

I'd also like to clarify the "don't work from home" commandment, which
seems to have caused some confusion. The real message there is, "don't
operate from a location that is linked to you". Everyone who has done
ops knows that the best approach is to use a "home base" staging box,
your first connection before you do anything else. This is where you
store your tools, logs and data, and from where you stage your
operations. So, again, this commandment doesn't mean to literally
conduct all operations from the library, but rather to avoid conducting
operations from a location that is directly linked to you.

> But the "break down what lulzsec did
> wrong" is a very useful task to take (and one I think he should expand
> on at length in a post here, perhaps).


They are actually dense with information on the techniques, methods and
capabilities of the feds working the case. The Hammond "sup_g" one is
the best, I think, as he had quite robust OPSEC (comparatively, anyway).

> Perhaps comparing it to the Flame team
> <http://www.securelist.com/en/blog/750/Full_Analysis_of_Flame_s_Command_Control_servers>
> would be useful? 

I'm looking at expanding the slide deck into a more formal document. As
well as possibly doing another deck on tech solutions so we can get
those off the table (they're easy wins) and get back to telling people
to keep their fucking mouth shut.


cheers,

--gq



