47 comments

[ 0.20 ms ] story [ 77.0 ms ] thread
"Finally, to demonstrate both their deep involvement in the activity and to prove they are not an undercover cop, they must pass a timed written test on the minutiae of various child abuse victims and media."

This part seems strange to me. Police officers working in...this area, look at a lot of the relevant material and are probably intimately familiar with the details of famous cases. If anybody can be expected to pass such a test, it's a cop.

This stood out to me too. Seems like it's a subculture with social norms like any other- not just a prosaic file sharing system.
This is the hubris of "NOBUS"[1].

Believing that "NObody But US" has secret knowledge tends to create a false-confidence trap. It doesn't matter if your are a small criminal organization or a large and well-funded government agency; assuming your adversary is ignorant or stupid is terrible security.

[1] https://en.wikipedia.org/wiki/NOBUS

It's still better than letting anyone with just basic knowledge in. I mean, if a cop can learn to pass those tests, surely a committed pedophile can, with the twist that the pedophile would not find the whole process disgusting.

In a way, the test could be taken to be a deterrent to police forces, who presumably will be challenged by the prospect of having to learn the minutiae involved in child abuse.

If you can't beat em, make them more like you, right?
I'll take "effects of terrorism in the united states since 1990" for $400, Alex.
While not perfect it may not have 0 value. I work in a somewhat esoteric part of finance and it is very easy to distinguish experts from people with a medium amount of knowledge. It forces your adversary to become far more committed and use far more resources than they otherwise would. Although I could imagine using a watson like technology to obviate the need for a human to memorize all the required information.
What was gained by regular nickname changes?
It could help further obfuscate the usage patterns of the underlying actors. If you change the parameters, the party doing search and correlations needs to take that into account and expend more effort. Basically, you want to make them work harder to ascertain any bit of information
I think I'd better describe it as helping in the case of identifying information being correlated over time.

Even if you've got good OpSec, you may reveal things about yourself accidentally over time, and with a long-lived nickname, this could potentially narrow down your identity. Things like colloquialisms/references that are culturally specific/indicative, or reference to things that indicate things about yourself by association.

This could potentially be counteracted by analysing usage patterns/language patterns to try and associate a set of nicknames as 'the same person', but it's probably hard-ish to do if communication is terse + sparse.

This. You leak little personal details about who you are. Word usage analysis could be used to track a member across multiple usernames but frequent username changes is just part of defense in depth.
Reminds me of the film Reservoir Dogs.

Each gang member is given a nickname (Mr. Blue, Mr Pink etc) for each job. Only the leadership picks the names, the nicknames change with each job\event.

Members do not share real names or personally identifiable info.

The benefits include: Plausible deniability about duration of membership. Plausible deniability about which jobs\events member was party to. Compartmentalization of the enterprise.

I'm struggling to find a legal use case where this could be applied. Although political dissidents (with recent events in Turkey in mind) may have to break the law in any case.

What I'm getting from this is that if you use Tor and never reveal personal information you get 90% of the benefits.

The encryption was just a way to prevent non-members from obtaining the benefits of membership. The relocation and rekeying was just a way to punish non-compliant members by excluding them, turning them back into non-members.

> The encryption was just a way to prevent non-members from obtaining the benefits of membership.

I suppose it also prevents automated detection by bots crawling newsgroups.

Excellent summarization!

I'm going to use this explanation when I have discussions with less technically minded people on this issue.

Thanks. That's one of the best compliments I can get.
> The relocation and rekeying was just a way to punish non-compliant members by excluding them, turning them back into non-members.

It's also a necessary way to provide forward secrecy, which is how you make sure that even if a message could be decoded, it wouldn't help the decoder to get to the other message's content.

Never revealing personal information is harder than it seems though, as we often give away deanonymizing information unconsciously e.g. in the quirks of our writing style. The study of deanonymizing an author based on these tendencies is called stylometry, and was used for instance in another case about a child abuse ring that was posted to HN last week. One of the group's members consistently used the atypical greeting "hiyas", which was sufficient to give investigators a lead on his IRL identity. Stylometric tendencies can be much more subtle though, like putting two spaces or one after a period, capitalizing proper nouns, using an oxford comma, persistent misspellings, idiosyncratic phrases revealed by n-gram analysis, etc.
> Real security must start with the content itself, and then use encryption as an additional layer.

Extrapolating from this to other reasons you might operate in an adversarial environment, for instance political dissidence, this conclusion has a rather chilling effect. The content of the communication itself must be severely limited in how it can assist coordination of outside efforts in order to maintain the anonymity of the members. Or in the inverse, if the member's have strong identities (via PGP WoT, et al) then the /only/ barrier protecting them from their adversary is the control of the keys themselves.

Not that this is any great revelation, per se. But it means that in the cases where you're using encryption as the basis for communicating with a group in secret, that you still must experience a chilling effect on the content of your messages. In other words, encryption alone is not sufficient to achieve the same result as "freedom of speech" at a social level.

> In other words, encryption alone is not sufficient to achieve the same result as "freedom of speech" at a social level.

It's tempting to think you can solve political problems with technology, but ultimately you have to fight those battles the old fashioned way.

I'm not sure the chilling effect you speak of is that big: it's personal information that you must not disseminate. I think one can engage in political discussions without revealing anything else than their opinions, which aren't personally identifiable in most cases.

Edit: and then there's stylometry, which may prevent one to say anything… sigh.

https://dee.su/uploads/baal

Related reading, touches upon the same case.

> It should be obvious by now, that the only way to communicate stealthily and securely is to avoid raising suspicion to the level at which the authorities might consider it worthwhile to put you under active surveillance (e.g., park a van with TEMPEST equipment by your apartment).

I wonder if it's possible to make an IRC-like chat service that that works by using social media accounts through tor to post some stenographic messages that look like real content.

For instance, pick a random subreddit, generate some comment with some markov chain based on a bunch of posts, and use that to encode communications. If each comment had a very unused word like "Methinks" at the beginning and some other strange word inside then you could probably filter out messages quite easily.

I have a feeling the people who are very serious about OpSec never use the net.
The "OP" in OPSEC means operational. The field is entirely about securing operations. Not performing an operation at all may be inherently secure (as relates to the operation) but is entirely orthogonal to the field of OPSEC.
I think he means using thumb drives and burkas instead of the Internet.
(comment deleted)
I think this comes back to the line about "identifying minimum security for your threat level".

If you want to pass 'safe' data to lots of people or over long distances, you use the web. Throw it on pastebin via Tor, a burner computer, and Starbucks wifi. If you need to deal in live meetings or other identity-compromising communication (like a big drug deal) you probably want to deal in flashdrives and couriers.

We rarely used the Internet for anything if we were doing something questionable. If we did, we did it through 3rd parties' connections with or without proxies depending on what that might show. My scheme was covert communications embedded in HTTPS to blend in, remailers through various jurisdictions that don't cooperate, face-to-face for most stuff, dead drops, calls with lineman's headset, snail mail of CD's surrounded by coupons etc, and so on. Stuff that draws no attention or has strong security against likely threat profile. Not sure how much of it would work today but no tech and low tech methods are still best. Example was bin Laden succeeding with nothing more than trusted couriers, air gaps, and USB drives until he got ratted out by someone.

What you're seeing with most posts labeled "OPSEC" is mainstream security in action where something gets popular and people run with it. Grugq at least usually has good advice embedded in. Real OPSEC avoids visible encryption, things prone to attack like Tor, and so on. Unless you want them looking directly at you or absolutely have to be all-online. Which is another, tougher type of OPSEC altogether. Mafia has the most experience with the former. I'm not sure I've seen an example of the latter I trust.

"Strong OPSEC means low efficiency, while high efficiency necessitates weak OPSEC."

This is the best statement in the post. It's always true. It's why most "OPSEC" people use in practice sucks. ;)

"My scheme was covert communications embedded in HTTPS to blend in, remailers through various jurisdictions that don't cooperate, face-to-face for most stuff, dead drops, calls with lineman's headset, snail mail of CD's surrounded by coupons etc, and so on. Stuff that draws no attention or has strong security against likely threat profile. Not sure how much of it would work today but no tech and low tech methods are still best."

This is way off the mark I think, how can something that requires _physical presence_ be best? Bringing up Bin Laden is not a good example here, as the particulars of his case made using cyber extremely difficult.

The Internet is absolutely and by far the best way for anonymous and/or covert communications between individuals or groups, as long as they possess domain expertise.

And this is only going to get better, not worse, mass-surveillance notwithstanding, due to the proliferation of information. That doesn't necessarily mean everyone has to use TOR and PGP, just that it's very easy to _hide_ amidst the noise and not compromise on OPSEC.

Lots of ways to do that.

How can it be way off the mark if such methods have worked for decades while online communities keep getting decloaked and secrets inisibly copied? I think what already worked should be baseline go compare against. Plus, you can use Tor within my model so long as it's an untrusted layer among others. Important they dont see you using it.

Bin Laden was a good example because he likewise employed good, pre-Internet OPSEC. He stayed away from electronic communications mediums, used physical medium for data storage, moved it with trusted couriers, and couriers activity looked normal to observers. These principles are compatible with my recommendations and held off the most powerful, SIGINT attacker in existence. They can work for others, too. ;)

"That doesn't necessarily mean everyone has to use TOR and PGP, just that it's very easy to _hide_ amidst the noise and not compromise on OPSEC."

Snowden links directly contradict you. Such people and data stick out like a sore thunb. They also collect what encrypted data tgeg can for five years. People using my methods would likely have been filtered and ignored. Or, avoiding the net, they'd have never been seen at all.

You are making wide proclamations and generalizations with nothing to back them up, this is not the mark of someone with a deep understanding of the subject matter.

You're also all over the place, rather than concentrating on the point I made [physical presence]. What worked for decades, for some definition of worked -> debacles are numerous [when the Internet didn't even exist or wasn't as widely deployed/used as it is now] doesn't mean it is best _today_. This is a fool's argument, also see what Taleb has to say about tail events.

Moreover, the OPSEC details of most successful groups and individuals that use the Internet to communicate, will by definition, rarely become public. We can learn by example from failures but we can't learn by example from success _unless we are insiders_.

I said the particulars in the Bin Laden case are important and made cyber hard to use. That doesn't mean trusted couriers and physical storage are a good idea for the rest of us.

Re: Snowden

You yourself said you were using comms embedded in HTTPS to avoid sticking out like a sore thumb, how do Snowden docs contradict what I said? Read [and try to comprehend] my post again please.

To reiterate, I think domain expertise gives individuals a certain degree of confidence and a solid knowledge base that they can use to build their OPSEC strategies. What would you gamble your life on if you had to, meatspace domain expertise [with a huge number of totally unknown factors/capabilities] or Internet [some unknown factors but also lots of remedies]?

For most of us the answer is obvious.

When I go out, I can never be confident I'm not being followed, recorded in various ways or leaking biometric evidence. Online, I can operate with an assumption of full compromise _and still come up with useful OPSEC strategies_.

" rather than concentrating on the point I made [physical presence]"

A method for surveilling people's activities ideally has these properties:

1. Delivers intel on as many targets as possible.

2. Requires little to no effort on operator's part.

3. Is easy to deploy multiple times or stays persistently.

4. Doesn't reveal presence of surveillance.

5. Takes a lot of work to avoid.

6. Has reasonable cost.

A method for concealing communications or activities has at least these properties in this order (except for 5 which always helps):

1. Prevents detection of activity entirely against likely eavesdropping methods in use.

2. Makes the eavesdropping difficult to attempt

2-1. Focused instead of mass surveillance.

2-2. Expensive.

2-3. Physical.

2-4. Requires talent instead of brainless drones.

3. Increases odds of person being surveilled detecting the surveillance.

4. Allow for countermeasures to end or recover from the surveillance.

5. Is deniable and inexpensive.

So, let's look at average person using common recommendations. The average person will be using Torbrowser, TAILS, Windows + Tor, Mac + Tor, Linux desktop + Tor, or main mobile OS + Tor. They will not be professionals at attacking or securing systems like the criminal or government hackers tasked with uncloaking them. The attacks on Tor, by NSA & by academics, apply where many users get unmasked remotely in a way they never see. They can all be surveilled at once by NSA's existing infrastructure. Outside this, the FBI deanonymized users by using a browser 0-day (endpoint attack). Five Eyes, esp NSA, have 0-days on each desktop and mobile OS with high, market share per leaks. We regularly see Russian and Chinese hackers breach them in the news. We also see all kinds of hackers breach systems in general plus lots of bad decisions by users. The risk of a stealthy, mass, inexpensive leak of people using digital communications is very high whereas the odds of them outthinking average surveillance is low and targeted hacking very low.

So, let's look at people using meatspace with methods like I described above and simple guides on their use. They've spent their whole life learning how to tell when people are watching them, nervous, or just acting unusual. They have numerous ways of blending into a crowd where WiFi or drops are available but with limited camera coverage. They can learn the traffic patterns of the area to see if anyone sticks out. Likewise, there's private spots to stash a long-range antenna and camera to do the same from a distance. Many know how to ditch evidence or pay for stuff with cash. Keeping their name and I.P. out of it reduces odds they'll be seen where no tech or HTTPS-style comms increases odds surveillance ignores them entirely as mere Internet, background noise. These methods were and are used successfully by many crooks and spies... today just like decades ago with drops, radios, and countersurveillance... while "smart" people, their OS's, and anonymity software get owned on computers quite regularly.

So, the average person looks to be better off avoiding the Internet, executable media, or anything that draws attention when trying concealed communication with other average people. It's easier for them to follow this advice like that than learn arcane, technical information that changes constantly. It also turns inexpensive, stealthy, mass attacks into requiring footsoliders focused on one person or a small group at a time risking detection constantly. That's also with no guarantee they'll keep whatever gains they acquire in intelligence collection. That's a significant increase in effectiveness versus new methods where you trust things that can be and are often invisibly hacked by remote attackers.

"When I go out, I can never be confident I'm not being followed, recorded in various ways or leaking biometric evidence. Online, I can operate with an assumption of full compromise...

This was never about the "average person" (that has clearly already lost, especially in USA) but the _dedicated_ practitioner with domain expertise.

Most physical risks that one would need to mitigate, completely disappear when one _is not operational_ in meatspace, you assume this is always the case. It is not.

I'm going to stop here, I'd ask you to read again what _you wrote_ esp the parts about blending into crowds, learning area traffic patterns etc. These would be well-placed in Hollywood movies, but I fear you're deluding yourself in a major way if you believe they're remotely close to being practical.

You've hit me with at least 3 ad hominems but no counter-evidence so far. You should stop. While you're at it, you should look up one of those Tor papers where they say they deanonymize (percentage here) traffic for all hiding in the Tor network. Then come back with the attack on my methods that deanonymized the same percentage.

You won't because it's delusional to think average or experts will be safer given all of them that were already compromised online (including Tor) remotely, stealthily, and cheaply. Versus the gangs and spooks kicking same LEO's asses with stuff simple as shortwave radio in random places and affiliated couriers delivering messages. Or has the NSA remotely uncovered a third to half of all terrorists, cartel members, or IP thieves? Wait, they're still going strong by the billions in cash and damage with impunity.

TOR de-anonymization can be factored into a working OPSEC strategy. The OP article itself _demonstrates a pedophilia ring that did not get compromised due to correct usage of TOR and other measures_.

I also love your constant assumptions about .. everything really. And you're supposed to be some sort of expert?

I think not.

Groups with effective opsec don't get blog posts written about their opsec.

Additionally, opsec doesn't scale well beyond Dunbar's number. Once you have too many members for everyone to have a general familiarity with who's who "quality control" becomes a much harder problem.

Except it appears this group had effective-enough opsec, and it's likely at least some of them are still operating(if not the group itself). Grugq is widely respected in this field and there's a lot to learn here.
The Dunbar's Number complaint doesn't really seem to apply here. New members couldn't compromise anyone else (we know because they tried), so quality control failures only punish the people who fail to control quality. As a 'distributed' system it was basically safe for reliable users, and could reasonably continue operating while compromised.

That's not a total success by the group's goals (people got caught, and they got monitored), but they lost their keys, got subverted by their own members, and still didn't lose their anonymity.

I know this might sound political, but I'm still curious if there are enough laws and regulation surrounding digital security.

I guess companies are catching up and implementing good enough measures to protect their users, but sometimes I wonder if there are enough incentives so that companies can really start to invest in security, especially when you hear about big credit card leaks.

Of course governments might not be really be able to make the difference between actual security, privacy and consumer rights, but I'm just talking about auditing big companies where the money stakes are high and where damage can happen easily. I mean there already a lot of security measures in the real world, and it doesn't seem there are enough efforts being made in the digital world.

Meanwhile you can of course argue that letting systems being insecure can become an asset if your "computer agency" can benefit from it.

enough laws and regulation surrounding digital security.

Many people, particularly those who follow the grugq, regard those who pass and enforce laws and regulation to be the #1 adversary in their threat model.

the grugq's writing is heavily influenced by real world tradecraft specifically because his audience's adversary uses it somewhat effectively against other nation states.

> Meanwhile you can of course argue that letting systems being insecure can become an asset if your "computer agency" can benefit from it.

At the levels being dealt with here, digital security laws stop being about ensuring good security. They become, almost exclusively, international weapons. The crypto export ban was about ensuring other nations could be monitored. So was the Enigma coverup-and-selloff. So was Dual_EC_DRBG, and so on the flipside are SKIPJACK and other secure products.

There's privacy and consumer security, and then there's real security. When some company loses a bunch of unencrypted passwords and credit card numbers, you're right that that should be illegal - just to motivate doing a better job. If you can get fined for obvious screwups then it's easier to justify paying some competent security people (and allowing researchers to help you out).

At the "actually secure" levels of operation I'm not sure it makes sense to talk in terms of simple domestic laws. Pretty much everything that gets done there is part of a bigger game.

I'd like to see somebody express this in front of lawmakers: > The encryption was not a factor in their successful evasion. Rather, it was the content of the messages, controlled and dictated by the security rules, which protected their secrets.
I'm not sure that's possible given concealment was essential. Just as it is offline. The argument for lawmakers is that neutral, legitimate technology always gets abused by a tiny minority for criminal purposes. Yet, we don't ban or sabotage that technology. One can illustrate the many, good things encryption protects, the few bad things it conceals, alternative methods of concealment crooks might switch to, and prior failures of escrow. Then, it's an argument whether lawmakers want to destroy or put at risk all the good things done by innocent people to temporarily stop some crooks. I argue that's a bad tradeoff.
It's actually a good write-up. Many of the rules are the kind of basic OPSEC from the Cold War days that apply online. The Tor, Usenet, and key management angles could be improved on. Tor is prone to many attacks so best combined with other things like using physically, different connection and/or regular proxies. Potential Usenet replacements come out of cloud and free hosting services. There's group communication schemes in academia to semi-automate that which could probably be bolted onto PGP. You'd bolt them onto PGP so it looks like regular PGP traffic and avoids you being extra, singled out.

So, these basic rules might be combined with a few, other techniques to be strengthened.