
Usenet Tradecraft: Survival in an Extremely Adversarial Environment (2013) - setra
https://grugq.github.io/blog/2013/12/01/yardbirds-effective-usenet-tradecraft/
======
tristor
> Real security must start with the content itself, and then use encryption as
> an additional layer.

Extrapolating from this to other reasons you might operate in an adversarial
environment, for instance political dissidence, this conclusion has a rather
chilling effect. The content of the communication itself must be severely
limited in how it can assist coordination of outside efforts in order to
maintain the anonymity of the members. Or in the inverse, if the members have
strong identities (via PGP WoT, et al.) then the /only/ barrier protecting them
from their adversary is the control of the keys themselves.

Not that this is any great revelation, per se. But it means that in the cases
where you're using encryption as the basis for communicating with a group in
secret, you still must experience a chilling effect on the content of your
messages. In other words, encryption alone is not sufficient to achieve the
same result as "freedom of speech" at a social level.

~~~
vinceguidry
> In other words, encryption alone is not sufficient to achieve the same
> result as "freedom of speech" at a social level.

It's tempting to think you can solve political problems with technology, but
ultimately you have to fight those battles the old-fashioned way.

------
mpbm
What I'm getting from this is that if you use Tor and never reveal personal
information you get 90% of the benefits.

The encryption was just a way to prevent non-members from obtaining the
benefits of membership. The relocation and rekeying was just a way to punish
non-compliant members by excluding them, turning them back into non-members.

~~~
sheraz
Excellent summarization!

I'm going to use this explanation when I have discussions with less
technically minded people on this issue.

~~~
mpbm
Thanks. That's one of the best compliments I can get.

------
Mendenhall
I have a feeling the people who are very serious about OpSec never use the
net.

~~~
mseebach
The "OP" in OPSEC means operational. The field is entirely about securing
operations. Not performing an operation at all may be inherently secure (as
relates to the operation) but is entirely orthogonal to the field of OPSEC.

~~~
tc313
I think he means using thumb drives and burkas instead of the Internet.

------
unimpressive
"Finally, to demonstrate both their deep involvement in the activity and to
prove they are not an undercover cop, they must pass a timed written test on
the minutiae of various child abuse victims and media."

This part seems strange to me. Police officers working in...this area, look at
a lot of the relevant material and are probably intimately familiar with the
details of famous cases. If anybody can be expected to pass such a test, it's
a cop.

~~~
pdkl95
This is the hubris of "NOBUS"[1].

Believing that "NObody But US" has secret knowledge tends to create a
false-confidence trap. It doesn't matter if you are a small criminal
organization or a large and well-funded government agency; assuming your
adversary is ignorant or stupid is terrible security.

[1] [https://en.wikipedia.org/wiki/NOBUS](https://en.wikipedia.org/wiki/NOBUS)

~~~
jiiam
It's still better than letting anyone with just basic knowledge in. I mean, if
a cop can learn to pass those tests, surely a committed pedophile can, with
the twist that the pedophile would not find the whole process disgusting.

In a way, the test could be taken to be a deterrent to police forces, who
presumably will be challenged by the prospect of having to learn the minutiae
involved in child abuse.

~~~
zdkl
If you can't beat 'em, make them more like you, right?

~~~
dsfyu404ed
I'll take "effects of terrorism in the United States since 1990" for $400,
Alex.

------
tomtoise
[https://dee.su/uploads/baal](https://dee.su/uploads/baal)

Related reading, touches upon the same case.

~~~
executesorder66
That was very interesting.

How did you find it by the way?

~~~
Xylakant
It's linked in the article.

------
jokoon
I know this might sound political, but I'm still curious if there are enough
laws and regulations surrounding digital security.

I guess companies are catching up and implementing good enough measures to
protect their users, but sometimes I wonder if there are enough incentives so
that companies can really start to invest in security, especially when you
hear about big credit card leaks.

Of course governments might not really be able to make the difference
between actual security, privacy and consumer rights, but I'm just talking
about auditing big companies where the money stakes are high and where damage
can happen easily. I mean there are already a lot of security measures in the
real world, and it doesn't seem there are enough efforts being made in the
digital world.

Meanwhile you can of course argue that letting systems be insecure can
become an asset if your "computer agency" can benefit from it.

~~~
daxorid
_enough laws and regulation surrounding digital security._

Many people, _particularly_ those who follow the grugq, regard those who pass
and enforce laws and regulation to be the #1 adversary in their threat model.

the grugq's writing is heavily influenced by real world tradecraft
specifically because his audience's adversary uses it somewhat effectively
against other nation states.

------
nickpsecurity
It's actually a good write-up. Many of the rules are the kind of basic OPSEC
from the Cold War days that apply online. The Tor, Usenet, and key management
angles could be improved on. Tor is prone to many attacks, so it is best
combined with other things like using physically different connections and/or
regular proxies. Potential Usenet replacements come out of cloud and free
hosting services. There are group communication schemes in academia to
semi-automate that which could probably be bolted onto PGP. You'd bolt them
onto PGP so it looks like regular PGP traffic and avoids you being singled out.

So, these basic rules might be combined with a few other techniques to be
strengthened.

------
mr_spothawk
I'd like to see somebody express this in front of lawmakers:

> The encryption was not a factor in their successful evasion. Rather, it was
> the content of the messages, controlled and dictated by the security rules,
> which protected their secrets.

~~~
nickpsecurity
I'm not sure that's possible given concealment was essential. Just as it is
offline. The argument for lawmakers is that neutral, legitimate technology
always gets abused by a tiny minority for criminal purposes. Yet, we don't ban
or sabotage that technology. One can illustrate the many, good things
encryption protects, the few bad things it conceals, alternative methods of
concealment crooks might switch to, and prior failures of escrow. Then, it's
an argument whether lawmakers want to destroy or put at risk all the good
things done by innocent people to temporarily stop some crooks. I argue that's
a bad tradeoff.

------
robryk
What was gained by regular nickname changes?

~~~
zdkl
It could help further obfuscate the usage patterns of the underlying actors.
If you change the parameters, the party doing search and correlations needs to
take that into account and expend more effort. Basically, you want to make
them work harder to ascertain any bit of information.

~~~
joncrocks
I think I'd better describe it as helping in the case of identifying
information being correlated over time.

Even if you've got good OpSec, you may reveal things about yourself
accidentally over time, and with a long-lived nickname, this could potentially
narrow down your identity. Things like colloquialisms/references that are
culturally specific/indicative, or reference to things that indicate things
about yourself by association.

This could potentially be counteracted by analysing usage patterns/language
patterns to try and associate a set of nicknames as 'the same person', but
it's probably hard-ish to do if communication is terse + sparse.

~~~
dsfyu404ed
This. You leak little personal details about who you are. Word usage analysis
could be used to track a member across multiple usernames, but frequent
username changes are just part of defense in depth.

------
dsfyu404ed
Groups with effective opsec don't get blog posts written about their opsec.

Additionally, opsec doesn't scale well beyond Dunbar's number. Once you have
too many members for everyone to have a general familiarity with who's who,
"quality control" becomes a much harder problem.

~~~
knowaveragejoe
Except it appears this group had effective-enough opsec, and it's likely at
least some of them are still operating (if not the group itself). Grugq is
widely respected in this field and there's a lot to learn here.

