Dailydave mailing list archives
Fwd: Re: Friends, Romans...
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 27 Sep 2012 09:27:27 -0400
Some people don't know how to use email, so I'm forwarding things for them. -dave

-------- Original Message --------
Subject: Re: [Dailydave] Friends, Romans...
Date: Thu, 27 Sep 2012 20:18:05 +0700
From: the grugq <thegrugq () gmail com>
To: Dave Aitel <dave () immunityinc com>

On 09/25/2012 09:29 PM, Dave Aitel wrote:
> So I just got back from Ekoparty, in Argentina. Ekoparty has great technical content - much of which I listened to through a translator service they had (which was surprisingly effective). Of course,
Ekoparty was a lot of fun.
> sometimes the interesting talks are not technical at all (and, luckily for me, in English), as is the case with Grugq's OPSEC for Hackers <http://www.slideshare.net/grugq/opsec-for-hackers> talk.
The problems with OPSEC are mostly not technical, but social/psychological. In future updates I plan to address the technical solutions, but good tech won't save you if you can't learn to keep your mouth shut.
> There are a lot of things I don't agree with in his talk, of course. I have this talk coming up in Ottawa <http://www.countermeasure2012.com/> in October in which I talk about this a little bit, in particular the part where Grugq postulates that hackers are not the apex predator on the Internet (which I assume is classic misdirection on his part?)[1].
I think we're using the term to mean different things. The intended audience for this talk is not "members of state sanctioned cyber operations units", but "independent enthusiast FREEDOM FIGHTERS" who are at risk of arrest and incarceration (or worse). There is a lot to be said about the rise to dominance of state sanctioned actors on the Internet. It is really the main story of the last decade. The massive disparity in resource availability has enabled nation states to claim the apex predator position without necessarily having access to the best resources (after all, Dave and Charlie both left)...
> [1] I also don't agree that you should work alone,
I don't suggest working alone. It is very hard for an individual to provide sufficient resources to be effective. I would go so far as to say, being a member of a team is a force multiplier (particularly with regard to idea production, but also for motivation). However, I strongly advise that non-state sanctioned FREEDOM FIGHTERS work aggressively to mitigate the risk of judicial repercussions. In particular:

Never trust anyone [including your teammates]. As I said during my talk, "don't socialize with your criminal associates. You want friends -- go to the pub."

Before you join a team, create a new cover and flesh out the legend a bit. This persona can create an alias (or handle, as we used to call it back in the day), and join up with a crew. From then on, you should work to minimize the profiling data you provide to the members of the crew. Maintain a professional relationship. Stay in character as your cover identity so when you make mistakes and reveal too much, it is the cover identity which will be compromised... not yourself. Ideally, you should be able to even join a crew comprised entirely of Fed informants and remain anonymous. After all, the FBI was pretty effective at running lulzsec for months.
> and my opinion is that you should log everything.
I think you might be reading too much into "no logs. no crime". I don't advocate "never log anything"; it is more nuanced and subtle than expressed in the slide deck. I would suggest the 'commandment' "never keep contraband at your house" applies to evidentiary data such as logs. Keeping logs is inherently risky, so they should be stored in a location which is not linked to you. For example, they could be kept on a Tor hidden service on a VPS in Kazakhstan paid for with LR. As for 'no logs. no crime.', the Flame author's "kill all syslog daemons" approach is in line with what I'd suggest. Keep useful information, but don't even create useless (and potentially incriminating) logs.

I'd also like to clarify the "don't work from home" commandment, which seems to have caused some confusion. The real message there is, "don't operate from a location that is linked to you". Everyone who has done ops knows that the best approach is to use a "home base" staging box, your first connection before you do anything else. This is where you store your tools, logs and data, and from where you stage your operations. So, again, this commandment doesn't mean to literally conduct all operations from the library, but rather to avoid conducting operations from a location that is directly linked to you.
> But the "break down what lulzsec did wrong" is a very useful task to take (and one I think he should expand on at length in a post here, perhaps).
They are actually dense with information on the techniques, methods and capabilities of the feds working the case. The Hammond "sup_g" one is the best, I think, as he had quite robust OPSEC (comparatively, anyway).
> Perhaps comparing it to the Flame team <http://www.securelist.com/en/blog/750/Full_Analysis_of_Flame_s_Command_Control_servers> would be useful?
I'm looking at expanding the slide deck into a more formal document. As well as possibly doing another deck on tech solutions so we can get those off the table (they're easy wins) and get back to telling people to keep their fucking mouth shut.

cheers,
--gq
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave