Information Security News mailing list archives

Interview: Hacker OPSEC with The Grugq


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 12 Nov 2013 06:53:24 +0000 (UTC)

http://blogsofwar.com/2013/11/11/interview-hacker-opsec-with-the-grugq/

By John Little
Blogs of War
November 11, 2013

The Grugq is a world-renowned information security researcher with 15 years of industry experience. Grugq started his career at a Fortune 100 company, before transitioning to @stake, where he was forced to resign for publishing a Phrack article on anti-forensics. Since then the Grugq has presented on anti-forensics at dozens of international security conferences, as well as talks on numerous other security topics. As an independent information security consultant the Grugq has performed engagements for a wide range of customers, from startups to enterprises and the public sector. He has worked as a professional penetration tester, a developer, and a full-time security researcher. The Grugq's research has always been heavily biased towards counterintelligence aspects of information security. His research has been referenced in books, papers, magazines, and newspapers. Currently an independent researcher, the Grugq is actively engaged in exploring the intersection of traditional tradecraft and the hacker skillset, learning the techniques that covert organisations use to operate clandestinely and applying them to the Internet. You can follow him on Twitter at @thegrugq.

John Little: You blog and have given conference presentations on Hacker OPSEC. You started doing this before the recent NSA revelations (and the general hysteria surrounding intelligence collection) but you were already warning hackers that states had superseded them as the internet's apex predator. In just a couple of years we’ve moved from the seeming invincibility of LulzSec, to high profile busts, and now onto serious concerns being raised about every aspect of the internet's architecture, security models, and tools. Rock solid OPSEC is a refuge but maintaining it for long periods of time under significant pressure is very difficult. The deck is obviously stacked against anyone trying to evade state surveillance or prosecution so where do freedom fighters and those with less noble intentions go from here?

The Grugq: You raise a number of interesting points. I'll ramble on about them in a moment, but before that I’d like to clarify for your readers a bit about where I am coming from. Firstly, I am not a "privacy advocate", I am an information security researcher. My career in information security has been mostly focused around denial and deception at the technical level.

Recently, however, I became aware that this "fetishizing the technology" approach is simply not effective in the real world. So I turned to studying clandestine skills used in espionage and by illicit groups, such as narcotics cartels and terrorist groups. The tradecraft of these clandestine organizations is what I am trying to extract, inject with hacker growth hormone, and then teach to those who need real security: journalists; executives traveling to adversarial environments; silly kids making stupid life altering mistakes, etc.

The media has actually expressed a lot of interest in improving their security posture, and I am engaged in helping some journalists develop good OPSEC habits. Or at least, learn what those habits would be, so they have some idea of what to aspire to. There is a strange intransigence with some who reject improved security with the line: "but we're not criminals! Why do we need this?" Well, the only answer I have is that OPSEC is prophylactic, you might not need it now, but when you do, you can’t activate it retroactively. As I phrased it in my "The Ten Hack Commandments" -- be proactively paranoid, it doesn't work retroactively.

So, that's how I've arrived at hacker tradecraft, and where I'm trying to take it. On to the issues you’ve raised about good OPSEC and living a clandestine life.

[...]
