
OPSEC for hackers - stfu
http://www.slideshare.net/grugq/opsec-for-hackers
======
narsil
From the Q&A at the end ([http://www.youtube.com/watch?v=9XaYdCdwiWU&feature=youtu...](http://www.youtube.com/watch?v=9XaYdCdwiWU&feature=youtu.be&t=1h1m58s)), Grug has this to say on TOR:

"Against [Law Enforcement Officials], it's fine. Against a nation-state, the
TOR network has insufficient resources and has sufficient bad actors that it
is not actually secure. So if you're going to hack the shit out of the NSA and
do really really bad planning and do not actually evaluate the targets you are
after, you will go to jail."

He also expands on how to unmask a user by controlling both the exit and entry
nodes:

"So if you can purchase 300 VPS accounts at $5 each then you can set up 1% of
the TOR network and statistically, over a month, you will be able to uncover a
large number of users. [...] You are better off selecting your targets so they
will not be state actors."

------
uiri
The full talk which goes with these slides:
<https://www.youtube.com/watch?v=9XaYdCdwiWU>

~~~
5555624
And the .pdf file of the slides:
[http://conference.hitb.org/hitbsecconf2012kul/materials/D1T3...](http://conference.hitb.org/hitbsecconf2012kul/materials/D1T3%20-%20The%20Grugq%20-%20OPSEC%20-%20Because%20jail%20is%20for%20wuftpd.pdf)

(The link is on the video of the full talk.)

------
mikemoka
The so-called hackers have to be dissuaded from sharing personal details in
the chatrooms? This document looks like the proof that these groups are made
of regular kids more than security experts in my opinion.

~~~
zorlem
Not really. These things are hard to get right and stick to for prolonged
periods of time. This requires practice and discipline.

Ordinary people (and even trained professionals [1]) get sloppy and make
mistakes. Thus, this line from the presentation is golden:

 _"Amateurs practice until they get it right, professionals practice until
they can't get it wrong."_

[1]: Another excellent essay by the same person - grugq (of +HCU and Fravia+
fame) on the major OPSEC fuck-up by CIA in Lebanon and the factors that likely
have led to the full compromise of a big informant network, and possibly the
deaths of a number of people [2]:
<http://grugq.github.io/blog/2013/03/12/anonymity-is-hard/>

[2]: <http://www.wired.com/dangerroom/2011/11/pizza-cia/>

_added:_ even small things like complaining about freezing your ass off due to
the cold weather, accidentally linking two nicknames, emerging at regular
times (synced with a specific timezone) could be used to uncover your
identity. As evidenced, slip-ups like these could get you in jail. You can check
the discussion from a few weeks back about the hassles of creating a truly
anonymous page on the Internet: <https://news.ycombinator.com/item?id=5638988>

------
revelation
I'm somewhat concerned with the blanket recommendation of TOR. As has become
clear, TOR traffic is blatantly obvious. Yes, your data is secure, but the
fact that you are using TOR.. is not. And there should be no surprise feds
employ the low-tech methods like just matching your activity on a chat to
traffic on your line and the like.

We really need something like automatically mutating protocols, not the TOR
"I'm HTTPS that no one would ever use for HTTPS" stuff.

~~~
nikcub
Their method would have been a lot more difficult had they not caught Sabu and
flipped him. Even with Sabu flipped, absent a confession they only have a lot
of circumstantial evidence on Jeremy.

Sabu was blatantly poor at covering up his identity. He was doxed by other
hackers online long before the FBI found him (apparently it was one of the
anti-anonymous 'patriot' hackers who passed on Sabu's real ID to the FBI).

Without Sabu, they wouldn't know where to park the van, or which VPN providers
and ISPs they need to subpoena.

Sabu made two mistakes. First he pasted a link to a file in IRC that was
hosted on prvt.org. Somebody looked up the historic whois records for that
domain and found the name Hector Monsegur.

His second mistake was that his Tor setup didn't "fail close", and when his
local SOCKS server died his IRC client accidentally logged him in using his
real IP address.

The feds can't match Tor activity if they don't know where to park the van.
They also relied on Jeremy having a weak Wifi setup where they could watch his
network connections. All of these other leads, including the personal details
to match against, relied on first flipping Sabu.

The ideal Tor setup is having an intermediary isolating proxy, and preferably
one that is hosted offshore in another jurisdiction. For extra security, run a
VPN connection over that, so it would look like:

laptop => OpenVPN or SSH tunnel => offshore server => privoxy (header munging)
=> VPN connection => tor => tor exit node => VPN server => internet

To prevent matching against a shared circuit, set up multiple tor circuits and
random load balance across them, and do the same with the VPN.

Tor is just like a lot of other things, it can be set up and used in such a way
where it leaks a lot of data and information, but it can also be used as part
of a chain that makes the job of unmasking the user a lot more difficult.

------
contingencies
"fail safe technological solution" = tor? Grug, that's not good advice to give
out.

First, it's never good to rely on anything. Second, it's well known that
people run tor gateways as a means to acquire 'interesting' traffic, and that
probably includes law enforcement (though Appelbaum does seem to have an
honest aura, the project did originate from US government funding). Many
people relying on tor probably do not realise this.

Be careful out there!

~~~
gpcz
I believe the term Grugq used was "fail-closed" (at least that's what he said
rather than wrote). By that, he didn't mean that Tor was foolproof, but rather
that you should use a setup that sends information through Tor by default
(opt-out), rather than using something where you have to activate it in order
to use it (opt-in). The idea is to reduce the potential for silly mistakes
like engaging in activities with Tor off by accident.

Also, one of the questions he answered at the end of the talk was about
whether Tor could protect you against determined state actors, and he talked
about a certain flaw where if you have control over a certain percentage of
the Tor network you could infer people's source IPs. He also speculated on
what levels of government Tor would or would not be a viable means of
protection against, so I think he'd agree with you about the risks of Tor.
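The "fail-closed" behaviour nikcub and gpcz describe, as an added example that is not from the slides or from any commenter: a minimal SOCKS5 client that raises when the proxy is unreachable instead of falling back to a direct connection, and hands the hostname to the proxy so no local DNS lookup is made. The proxy address 127.0.0.1:9050 and the demo destination are assumptions.

```python
import socket
import struct

class ProxyUnavailable(Exception):
    """Raised instead of connecting directly when the SOCKS proxy is unusable."""

def build_socks5_connect(dest_host: str, dest_port: int) -> bytes:
    """SOCKS5 CONNECT request (RFC 1928) with ATYP=0x03 (domain name), so the
    proxy resolves the name; resolving it locally would leak a DNS query."""
    name = dest_host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", dest_port)

def parse_socks5_reply(reply: bytes) -> bool:
    """True only for a successful CONNECT reply (VER=5, REP=0)."""
    return len(reply) >= 2 and reply[0] == 0x05 and reply[1] == 0x00

def connect(dest_host, dest_port, proxy=("127.0.0.1", 9050), timeout=5.0):
    """Open a TCP stream to dest through the SOCKS5 proxy, or raise. The leak in
    the thread was a client that fell back to a direct connection; no such branch here."""
    try:
        sock = socket.create_connection(proxy, timeout=timeout)
    except OSError as exc:
        raise ProxyUnavailable(f"proxy {proxy} unreachable: {exc}") from exc
    try:
        sock.sendall(b"\x05\x01\x00")  # greeting: one auth method offered, "no auth"
        if sock.recv(2) != b"\x05\x00":
            raise ProxyUnavailable("proxy rejected the no-auth method")
        sock.sendall(build_socks5_connect(dest_host, dest_port))
        if not parse_socks5_reply(sock.recv(10)):
            raise ProxyUnavailable("proxy refused CONNECT")
        return sock
    except (OSError, ProxyUnavailable):
        sock.close()
        raise

def demo_proxy_down() -> str:
    """Simulate the proxy dying: pick a free local port that nothing listens on.
    Fail-closed means the result is 'refused', never a direct connection."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    try:
        connect("example.com", 80, proxy=("127.0.0.1", port), timeout=1.0)
    except ProxyUnavailable:
        return "refused"
    return "connected"
```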

------
dublinclontarf
It's very very difficult to be anonymous online.

~~~
Karunamon
Not really. The methods detailed in that slide deck are hardly difficult to
implement. Most consist of common sense.

~~~
wiml
You only need to screw up once to blow your identity, though. And _never
screwing up_ is ... difficult.

------
Core-TX
Seems to be a proper beginners guide, however the Bitcoin part is heavily
flawed. It should show an intro guide or link to a wallet greening manual as
BTC can destroy your anonymity.

