During his talk ‘OPSEC for Hackers by The Grugq: because Jail Is for wuftpd’ at HITB 2012 Conference, The Grugq, a well-known information security guru specializing in studying anti-forensic techniques, advises online freedom fighters out there on how to avoid getting busted.
This is going to be a talk about OPSEC. It’s actually not very technical; most of the problems that people have with OPSEC are non-technical in nature – basically, they say too much. It’s intended for freedom fighters, so if you’re out freedom fighting on the Internet, this is useful for you.

Very briefly, we’re going to go over an introduction on what OPSEC actually is; a methodology for how to implement it. Then we’re going to spend quite a bit of time looking at the LulzSec indictments to see what they did wrong and the OPSEC fails that they had. Then we’re going to go over techniques to help your OPSEC, and then technology that you can use specifically to make OPSEC easier to do; and then a brief conclusion.

So, the problem that we’re facing is one that was expressed well on The Wire: it’s that you only need to fuck up once… (see right-hand image). One mistake is enough to be fatal. This one’s pretty awesome, right? So, you’ve only got to fuck up once, be a little late, be a little slow, just once, and you can never ever not be late or not be slow just once. Therefore you need to plan for that, you need to put methods in place to make it less likely that our mistakes will be fatal.
This is reflected later on in another slide, where we say one law at a time. Basically, you do not want to give people an opportunity to take control of your actions or your life – it’s a terrible idea. So, in short – shut the fuck up, alright? If you don’t say it, then you don’t have to encrypt it or try to protect it.

This is an excellent guide to OPSEC (see left-hand image); it’s specifically for people who smoke weed – they’ve got a slightly different set of rules, but they’re aiming at basically the same thing. So, you need to be careful, you need to be conscious of what you’re doing, and you need to keep your fucking mouth shut. Again, the less you say, the better off you are for it. As always, be paranoid, you need to be proactively paranoid; paranoia does not work retroactively. Mistakes you make will come back to haunt you.
You want to be tidy, so you want to make sure that you don’t leave contraband lying around. In the example of a freedom fighter this will mostly mean things like not leaving incriminating evidence on your laptop, making sure that your incriminating evidence is stored on your Jump Box, which will be the first hub that you reach before you start doing your freedom fighting activities on the Internet. You’d make sure that it’s always encrypted, that it’s not left lying around, that it’s not left in the state where other people can access it and copy it. You’d make sure that it’s not on your conference laptop, so that when you go to conferences and people break into your hotel room and copy your hard drive, they get nothing. Basically, you need to minimize the amount of stuff that’s left lying around that other people can find.
When you’re talking to people in an environment that might be monitored, which is whenever you’re talking to people, never be explicit, so don’t say: “Let’s go freedom-fight the hell out of Sony”, and also don’t use code. The clever codes that you come up with to talk about stuff are terrible. They’re very easily broken, so this example: “I would like 2 green sweaters and 1 mushroom pizza” – that is not a good code.
On the other hand, do use code words – cryptonyms are much better than being explicit, so if you’re going to be discussing a particular freedom fighting activity against a particular target, have a cryptonym set up for that target so you could say: “We are freedom-fighting the hell out of the Achilles”, and not “We are freedom-fighting the hell out of Sony”. That way it creates an additional layer of security so that if your conversation is monitored and logged, it is harder for people to understand what’s going on, and it is easier for your defense later on that you could say Achilles was not Sony, so that was actually not what we were talking about.
You need to provide less ammunition for people to try and go after you. You want to make sure that you are not breaking a large number of laws, so that you get busted for one and then they find all your hacking kit; that would be bad. Similarly, you’re better off if you don’t do drugs, because, for example, with ‘weev’, who got busted in New York, they couldn’t get him on a hacking charge, they got him for drug possession. They will find a way to get you, so make it harder for them in that regard. And in general, camouflage is always good.