This is the final part of the Grugq’s presentation at HITB SEC event, where he takes questions from the audience about OPSEC for online freedom fighters.
The Grugq: So, are there any questions?
Question: What’s, in your estimation, the average cost per persona?
Answer: In terms of time, you probably want to invest something like 6 months to bring it up. There has been some discussion of creating a marketplace for personas, because it’s just really a massive pain in the ass.Question: In terms of money?
Answer: In terms of money, I wouldn’t know. In terms of time investment that I put into it to create a bare bones persona, it took me 3 days. Yahoo! fucking sucks. Hotmail is a pain in the ass, you cannot believe. I think that could probably be cut down by at least 1 day, because I had to do a fair amount of learning on-the-go, but if you calculate my time based on what I would charge for doing that, you’re looking at thousands of dollars per persona. The hassle of doing it is pretty epic.
I don’t know if the sweatshops in India that are good at clicking on CAPTCHAs and stuff like that could be trained to create online personas – basically, more filled-out spam accounts. They already have a lot of the infrastructure for that, and if they can be trained to do that, then they might be such a volume of stuff that the price goes down and the anonymity goes up, because it’s an online marketplace. That’s possible. I mean, if you’re doing this yourself, you’re looking at several days of work, and depending on how you would value them, that’s quite a lot of money. I mean, for you that must be tens of thousands of dollars.
Question: Prepaid credit cards?
Answer: I don’t really like them. So, the question was what is my opinion on prepaid credit cards? The issue I have with a prepaid credit card is the acquisition is inherently unsafe, like, even if you just walk into a local 7-Eleven to purchase one over the counter, you’re going to be tied to that particular card via CCTV. So, if they do trackback, they have your picture, which is not great, and they have your geographic location, which is, again, not great. So you have to travel to make sure that it’s not from your hometown, you have to wear a hat and a hoodie and look like you’re going to mug someone, which is going to draw attention, which is going to make it even more annoying.
You also have the problem that when you use it, it is tracked and monitored online. I actually do prefer Liberty Reserve for those sorts of things. Liberty Reserve is monitored by the FSB, but the FSB basically doesn’t give a fuck as long as you don’t fuck with Russia. And if you’re Russian, as long as you fuck with other people, they, again, don’t give a fuck. So they have a very myopic view of things, and you can take advantage of that. It might not be completely foolproof, but it does provide this level of, like, it’s being administered the FSB, FSB is not going to cooperate with external entities because that’s just not what they do. And as long as you don’t piss in their tent, they’re not going to care about you, so you can kind of fly under the radar on that one. I would not be very comfortable with prepaid cards.
That could work. The idea would be to have a mixer or an online exchange for prepaid credit cards. If you actually do want to purchase prepaid credit cards that are anonymous, you can buy them with Liberty Reserve from Russian websites. It costs 20% more than the actual cost, but it is purchased through a layer of indirection, and it comes from criminals, so it’s probably not being monitored. And shut the fuck up about your prepaid credit card use.
Question: I wanted to ask a question about children. I work a lot with children, and when I do, I like to use a prepaid credit card. What are your thoughts on proxying resources through other countries, for example, paying a small child to get a credit card on your behalf in another country?
Answer: Basically, there is a lot of value to having an understanding of geopolitics. I had a friend who got busted for a different hack, but what he used to do was hack the shit out of Iran, all the time. He loved it, and his reasoning was: there is no way in hell that the US is going to extradite someone to Iran for hacking, it’s just never going to happen. So he could hack as much as he fucking liked, and no one would care. If you do similar things like that, for example, if you’re Malaysian, I’m pretty sure you can hack the shit out of Singapore with impunity. I don’t think that you’re going to have to worry too much about that. I wouldn’t recommend doing it, but again, that is the sort of understanding of the geopolitical environment that you can use to your benefit.
In terms of proxying through multiple places, again, I would recommend using TOR – it is sufficiently anonymous to keep you safe at that level. If you want a lot of proxies, you can purchase them from the LD4 botnet. The LD4 botnet has been set up from millions of bots across the world. You can buy – again, using Liberty Reserve – SOCKS proxies from the LD4 botnet, from AWMproxy.net; they have an online site that actually has a Firefox plug-in that will use their proxies for you automatically, so you can just click Refresh and get a new proxy sent to you from the botnet pool.
If you use that as a final hub, you’re probably going to be safe, because the bots are developed in such a way that no connections are ever logged. So you will be able to choose your geographic location, where you’re going to exit, your terminal point; you can probably choose down to a particular state or a city in the US. Similarly, you can probably choose a particular country in Europe. You can purchase from criminals – again, they will happily give up their logs once they get busted, but you should be doing it in such a manner that the logs that they can provide do not incriminate your actual identity, that they don’t allow you to go to jail. They have no monitoring of the end points, the actual traffic that goes back and forth. They can show that someone purchased stuff, but you’re basically safe.
Question: What is your assessment of the security of TOR as an anonymizer? If you’re into bad shit, how good is TOR going to be?
Answer: So, the question is, basically, how secure is TOR against a motivated nation state. What happens with TOR is it’s completely effective against a motivated police agent; against LEO it’s fine. Against a nation state, the TOR network has insufficient resources and has sufficient bad actors that it is not actually secure. So, if you’re going to hack the shit out of the NSA, if you do really bad planning and you do not actually evaluate the targets that you’re going after, and you pick on a state actor that is going to come down on you like a ton of bricks, you will go to jail.
There are problems with TOR in that if someone controls a sufficient percentage of the network, they will be able to monitor exit nodes and entry points, and that percentage is really low. I think there’s only something like 3000 nodes in the network at any one time. I’ve heard that you only need to control 1% of them to statistically have a guarantee that you will be both an entrance node and an exit node at some point in time, and you can use that to damask. So, if you can purchase 300 VPS accounts at $5 each, then you can set up 1% of the TOR network, and statistically, over a month you’ll be able to uncover a large number of users. So, TOR is actually not super effective for that, but what else are you going to do? You’re better off selecting your targets so that they will not be state actors.
Read previous: Hacker’s Guide to Stay out of Jail 7: VPNs vs. TOR