Here The Grugq describes some of the techniques to use for building layers of anonymity and defense which will guard personas from getting associated with you.

So, techniques – basically, you need to put in the plumbing. Plumbing is all of the stuff that you’re going to use to maintain your cover identities and to keep them separate from your actual identity to create an environment where your personas appear to be legitimate and real and are not actually in contact with who you are.
The problem is: plumbing is fucking boring. It’s not exciting to go and create a fake Facebook account and generate fake activity and make it appear legitimate and make sure that every time you do this, you do it from the correct IPs and all this other stuff, and that you never make mistakes on that, and on and on. It’s tiring, it’s boring, and it’s really not fun. And my advice, by the way, is use Gmail, because it’s a pain in the ass to set up Hotmail or Yahoo – that shit sucks, and then they ask for money if you want something like more than 10 MB of space. Gmail is actually fairly good for that. Obviously, it’s all monitored.
The awesome thing about plumbing is if you’ve done it correctly, then nothing happens. The important thing is, of course, you have to put it in place first, because paranoia does not work retroactively. Really, you have to be proactively paranoid; you have to worry about all of this shit before it happens.

So, if we talk briefly about personas, you need to have legitimate personas, ones that are vaguely believable. Again, an awesome quote from The Wire: “He knows my name, but my name is not my name. And to them you’re only The Greek. And of course, I’m not even Greek”. So, in this case they have set up very legitimate personas which provide a strong level of protection so that even if the other criminal co-defendants are compromised, they will not be able to reveal information that is actually useful against these 2 individuals. That’s why your handle should be something like Jose, rather than your name. The problem is, basically, you are you. You are a unique butterfly, you stick out in the crowd. Really, what you want to do is you want to be someone else. If you’re someone else, people will be distracted from wanting to know who you are. So, as you all notice, he’s wearing a mask (see right-hand image). The primary danger that you will face when you are using an online persona is contamination. Contamination is when there is contact between any cover identities or your real identity. That contamination will occur when they interact, and it can then be used to trace from one compromised identity through to the other, so it’s always important to keep them completely separated and never interact. They need to be in isolation from each other.
You also need to do layers, so simply having an initial cover identity is not sufficient. Once you have one cover identity, you then start creating sub-aliases from that. It’s better to have multiple cover identities so that when you get paranoid and you believe one has been compromised, you can phase it out rapidly and move another one into place.
An important thing to realize with the cover identity is that the time when it is most compromised is when it appears to be most effective. So, once it’s generated a sufficient, large history and legend and it’s got enough background, enough interaction with a whole bunch of other people, it’s at this point that you need to kill it and roll in a new one, because it’s at this point that it has generated enough interactions to be dangerous, that it is going to be the most compromised and the most interesting to other people. And it’s at that point that you want to get rid of it and then move on to a new one.

You need to use technologies that fail closed; you need to make sure that you do, for example, TOR before you do anything else. TOR will provide a level of anonymity so that if your other techniques get compromised or broken, then at least you have TOR to fall back on as a final layer of defense. TOR is not foolproof, but that’s why it’s part of a layered defense, and it’s part of your last layer, so that there is a level of anonymity around you before it gets to anything else.
You should have your back stop persona, which is your sort of primary cover identity, and then you have your sub-aliases underneath that. For instance, you can have your primary cover identity, set up a secondary cover identity and use that secondary cover identity to create your online handles and have layers of defense in that regard. So, you would basically become your primary cover, your primary cover will become your secondary cover, your secondary cover will become your online handle, who would then go and do freedom fighting activities. When they’re compromised, there are layers that need to be unwrapped. And if you’ve been diligent in avoiding contamination, it’ll be hard to link back through those multiple layers.

One way you can avoid that is to avoid profiling information (see right-hand image). The problem with profiling information is when you provide information about yourself or about where you are, and this can reveal your location geographically, it can reveal information about you that can be used to unmask and figure out who you are.
I’ve been having a discussion with some people about exactly how many weather events with time stamps you would need to correlate before you can figure out where someone is geographically. If someone gets on IRC and goes: “I fucking hate how hot it is today”, if you’ve got a time stamp you can start eliminating places that are not hot at that point in time. Then, later on he starts complaining about the rain – you could then use that time stamp to correlate for all of the areas that were previously hot that are now also raining, and so on. And from that you can probably track down someone’s geographic location. It’s likely not going to be easy, but again, it’s better off – when it’s raining – bitch about the heat, when it’s hot – bitch about the cold, and so on. Do some disinformation there, or just don’t talk about it.

The other important thing that you need to realize is that it appears very easy to create a cover identity and assume that cover identity and do it without contamination; it’s actually something that requires practice (see left-hand image). So, what you need to do is you need to do it several times in situations that are not likely to end up with you going to jail. You need to practice being someone else. You need to practice going through the steps of creating a new cover identity. As it says: “Amateurs practice until they get it right, professionals practice until they can’t get it wrong.” You need to get it really deeply ingrained that when you are your cover identity, you are your cover identity. You are not pretending to be your cover identity, you actually are that person, so don’t fall out of character.
Briefly on logging – again, The Wire has got massive amounts of respect for having some excellent OPSEC rules: “What are you doing?” – “Robert’s Rules of Order says we need to have minutes of the meeting. These the minutes” – “Nigga, is you taking the notes on a criminal fucking conspiracy?” Avoid logging useless information, so no logs – no crime. In particular, the logs that you want to have are things like your scan logs or information that you’ve pulled down, such as your password lists and so on. Those are useful pieces of information that can be used to conduct operations in future.
Pieces of information that are not useful are things like syslog. Your Jump Box does not need to know at which times you have logged in. That’s not information that is actually useful to you, and it could be used as evidence against you, so kill syslog. If you look at the script that was released with the Stuxnet CNC servers, that’s very good in how to strip down and eliminate information about what sort of activities you’re doing, and mitigating against the risks of unnecessarily logged information. Another interesting thing that they do is, for example, they don’t call their botnet a botnet; they have a very primitive interface which appears to be juvenile, except that it’s simply making it uninteresting to the casual observer. There’s a huge amount that can be learned from the operational activities of these Stuxnet CNC administrators.