Hacker’s Guide to Stay out of Jail 2: Do’s and Don’ts

Covering practical tips for doing OPSEC, this part of The Grugq’s talk makes it clear what you should and should not do when freedom-fighting on the Internet.

Basic methodology for doing OPSEC

One methodology for doing OPSEC is, basically, you need to think about how to put the plumbing in first, so you need to set up your environment for OPSEC before you actually start doing things. You need to set up your cover identities before you start using them.

My recommendation will be that you create a cover; your cover is basically an alias, a fake identity. Then you need to work on the legend, which is history, the background and supporting documentation for that cover.

For example, one very famous cover is the case of the man who never was, which was a guy who died of pneumonia that was dumped overboard during World War II next to Spain with fake documents for the D-day invasion; and the idea was that when found, these fake documents will be taken as legitimate and would act as disinformation against the Nazis. It worked: he had 42 pieces of identifying documentation on him, from ticket stub for a movie to his driver’s license, to his officer ID. He had a huge amount of background documentation to act as bona fide, which, basically, made it appear that he was who he said he was.

(Image: Creating a new persona is essential for appropriate OPSEC)

You need to do the same thing: having a simple Gmail account is not sufficient; you’re better off if you create an entire fake persona with a fake Twitter, fake Facebook, and so on. Even better if you can get fake photographs which appear to be of some other individual, and create this entire persona. And then you become that persona first, so you inhabit that before you create your online alias, your online usernames, and so on. And then when you do your freedom fighting activities from your online alias, when that gets compromised, the person that takes the heat is your cover, someone who doesn’t exist. And it’s very critical that you never contaminate. Contamination is when there is contact between 2 cover identities or 2 aliases, or in this case between your real identity and your cover persona. So be very conscious of contamination – avoid it like the plague.

A concise set of rules

This is actually from the Ten Crack Commandments by Biggie Smalls – he has an excellent guide on how to conduct an illegal business, or illegal activities, without going to jail (see left-hand image). Never reveal your operational details; don’t tell people how you do, what you do, or what you are doing. Never reveal your plans: don’t let people know what you plan on doing or what you intend to do. Never trust anyone; this particularly goes for people you’re operating with, they are not your friends, they are criminal co-defendants. You want to make sure that they are not in the position that they can do harm to you if they get busted, and there’s a high likelihood that they will, because they are probably dumb, that’s why they’re doing what they’re doing.

You need to never confuse recreation activity hacking and freedom fighting activities. Recreation is shit that you do for fun; freedom fighting activities should be treated like a business, it’s an operation. You need to plan who you’re going after, you need to pick your targets, you need to select, you need to actually invest some time and effort into that, and then when you conduct your operations, you need to do that in a systematic and logical fashion, and you need to be careful about how you go about doing it. If you’re just going around popping boxes because it’s fun, you will go to jail.

(Image: Kevin Poulsen’s Kingpin book about the notorious hacker Max Butler)

And never operate from your own house. For example, the Iceman who got popped a while ago, who was documented in the Kingpin book by Kevin The-hard-to-pronounce-last-name – he would rent hotel rooms and use those hotel rooms to operate from with a huge Wi-Fi antenna to hack into neighboring businesses and then steal their bandwidth to use that. So, that would keep his house contamination free, free of contraband. That’s a bit extreme; if you have the capability of doing that, you should do that, but at a bare minimum you have to make sure that you are using TOR before you go anywhere else. TOR provides a level of anonymity. However, you are better off just not using your own house.

Further recommendations

You need to be proactively paranoid, as I said before. Paranoia does not work retroactively – you need to plan in advance to be terrified of getting busted. And you need to work with that in mind all the time otherwise you’ll make mistakes and go to jail. You need to keep your personal life and your freedom fighting activities completely separated. You want to make sure that people who know about your freedom fighting activities do not know who you are, and the people who know you personally should not know that you are conducting freedom fighting activities. It’s dangerous for everyone: if you want friends, go to the pub; don’t hang out in IRC and hacker channels to meet people, it’s a terrible idea, you will go to jail.

You want to keep your personal environment contraband free – as I said earlier, you want to make sure that your own equipment is kept neat and tidy. You want to make sure that all of the evidence that you’re generating is not kept on your personal equipment, that it’s kept on your first Jump Box, on your hot box. It’s not a situation where if you get busted then it could be used against you. It’s a situation where if it gets busted, it can also not be used against you. It shouldn’t be on your person, ever.

Obviously, don’t talk to the police – it’s a dumb idea. And never give anyone power over you, which, again, is the one law at a time; or, similarly, don’t let people blackmail you, don’t get into a situation where there are other people who can control your actions. If someone else is in charge of your actions, then it’s going to end very badly – like you have no ability to control your own life at that point; that’s not where you want to be.

So, you might be thinking: “Wow, that sounds hard. Why do you need it?” Very simply: it hurts to get fucked. You’re better off going to the effort now and not going to the pain later, or with the army quote: “The more you sweat in peace, the less you bleed in war.” And it’s important to remember that no one is going to go to jail for you.
