
Twitter Activist Security - idlewords
https://medium.com/@thegrugq/twitter-activist-security-7c806bae9cb0#.881ljtvmr
======
angry_octet
Because it is always possible you will fail your Tor discipline, I would add
some defense-in-depth aspects, in case your browser is compromised and your
network address is revealed.

- Use separate hardware. A cheap laptop and a cheap phone.

- Burn the receipt and chuck the packaging.

- Cash. Pay in cash.

- Buy from small stores with no CCTV, or better yet, from people like migrant
workers.

- You can buy stored value cards (debit cards) without ID, and some you can
load with cash at ATMs. (Also good to buy from travellers.)

- Once you have a debit card you can pay for data without going to a store.

- If you turn on your Wifi tethering and other devices are in range you have
created an event in their logs. Just use a cable. If you must, change the SSID
regularly and use Android 6 which has MAC randomisation. Never have any other
SSIDs saved, especially not your home network.

- Turn the phone off when not in use. Removing the battery is advisable.

- Don't connect to 3G near your home or work or where there is pervasive CCTV
or not many people.

- If your commute is logged (via your cellphone, number plate recognition /
tolling, personally identified public transport like Oyster cards) then your
location can be correlated against when your persona was online.

- It might seem that transmitting from different locations is a good idea.
But not really, it gives a more unique history.

- Run Tor on the laptop. Run _nothing_ on the phone, it's just a radio.

- If you want to use Signal, get another burner phone.

- Invest in some numbered wafer seals or tamper bags. Keep your kit in them
when cached.

- Don't tell fibs to federal agents. Record all interactions with them.

~~~
stevarino
You make a lot of interesting points with frequency analysis, but these facts
can be used for your benefit.

For example, if you're concerned about transit systems being used to identify
you, try leaving the devices in a safe location for several hours and have
them respond on a timer system. Any analysis run across millions of users will
end up filtering you out, lowering your own suspicion factor and increasing
the adversary's uncertainty when facing big data.

How a system fails is just as important as how it performs when it comes to
security; the young-adult novel Little Brother by Doctorow goes into this in
good detail.

~~~
angry_octet
Sure, but it depends how complicated you want to make it.

Ideally you would use an electronic dead drop -- any tweets would be sent by a
small embedded computer which listens passively on Wifi for a message sent to
it from you as you transit past it, then at some random time later fires up
the 3G to send to twitter etc (still via Tor). This can be automated to run
from an android phone. Of course if this phone is found its credentials can be
extracted and it can be turned into a method to locate you. See the FBI CI
bust in New York of 'Anna Chapman'. They really should have used Tor, but of
course that flags your IP as of interest in the big NSA computer in
sub-basement 19.

[https://vault.fbi.gov/ghost-stories-russian-foreign-intellig...](https://vault.fbi.gov/ghost-stories-russian-foreign-intelligence-service-illegals)

------
ShinyCyril
I'm glad they included something about mental health. There was an interesting
post on /r/privacy the other day of someone with burnout from the paranoia of
government surveillance [1]. I browse /r/privacy from time to time and am
worried by the threat models that many people on there have. I don't know the
reasons for their threat model, but I suspect a large number of people don't
have any solid reason for such a rigorous model other than paranoia. The
cognitive load of maintaining privacy at that level must just be overwhelming.

[1]
[https://www.reddit.com/r/privacy/comments/5qfpb6/im_exhauste...](https://www.reddit.com/r/privacy/comments/5qfpb6/im_exhausted/)

~~~
viraptor
I can't find the tweet easily now, but the original reason for including that
was because people apparently have problems handling disconnected
personalities for a long time. the_grugq says this affected undercover people.

Edit: here's the tweet with some interesting comments
[https://twitter.com/thegrugq/status/824949499688726528](https://twitter.com/thegrugq/status/824949499688726528)

~~~
grugq
yeah, a study of the literature will show that it is a constant problem for
people that start to assume a secret identity. There is a class of people that
are actually better at this than others[0]. For police that go undercover for
long periods, they run the risk of "going native" [1][2]. There was
Tolkachev[3][4] who insisted on personal meetings rather than dead drops
(although it was ultimately Aldrich Ames' betrayal that doomed him, not KGB
surveillance or tradecraft errors.)

Karl Fuchs described his mental trauma of being both a Western atomic
scientist and a Soviet Atomic Spy[5].

There are many more references available, but it is seldom discussed. This is
one of the reasons that the CIA (and other secret agencies) become so insular.
The members are unable to be open with anyone else except each other, and so
they tend to stick together.

There's more on the extensive work that RUC and Special Branch had to do to
maintain the sanity of the IRA informants they were running. There is a
constant refrain: human beings do not operate well with secret identities
under high stress environments for long periods of time.

[0] [http://www.slate.com/articles/business/the_dismal_science/20...](http://www.slate.com/articles/business/the_dismal_science/2015/04/sex_and_the_workplace_do_closeted_gays_and_lesbians_cluster_in_certain_professions.html)
[1] Undercover and Alone
[2] Lu-CiFER: Memoirs of a Mongol
[3] The Billion Dollar Spy
[4] [https://www.cia.gov/library/center-for-the-study-of-intellig...](https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol47no3/article02.html)
[5] [https://archive.org/stream/sovietatomicespi1951unit/sovietat...](https://archive.org/stream/sovietatomicespi1951unit/sovietatomicespi1951unit_djvu.txt)

------
Perceptes
One comment and two questions:

I wish I had something important enough to say to be able to put this advice
to use!

How important is the physical location you work from? Should you religiously
avoid working out of a place that is associated with you, such as your home or
office? Should you avoid places that are near where you live, and if so, how
far should you go? Or is Tor sufficient for masking your physical location in
all cases?

I'm very interested in how the grugq is able to have had such a public persona
for so long and remain anonymous—including speaking at conferences in person,
I understand. Obviously, he is an expert, but that doesn't really explain
_how_. He writes prolifically on Twitter and sometimes other mediums. How is
this large body of content not subject to stylistic analysis? Information is
known about him, such as where he lives and what he does for a living. That
seems extremely revealing. How has he been able to speak at conferences, quite
literally tying his physical identity to this anonymous persona, let alone
traveling to the conference in the first place?

~~~
grugq
1) physical location

It depends a lot on how intense you expect the investigation to be. Strong
protection comes from using a network connection that is not linked to you, in
addition to using technology that masks your IP address. If there are CCTV,
then that increases the risk exposure, as does bringing a mobile phone with
you. It is a lot of trade-offs based on the threat model. In the case of a
resistance twitter account, I suspect that simply using Tor Browser Bundle
will be sufficient, but it is hard to make a blanket statement.

2) anonymous

I'm not anonymous, I'm pseudonymous. There are hundreds, or thousands, of
people that know my "real" name. It isn't important, I don't use it for
anything. The only people who do use it are my mother and my bank. I've been
using the same handle "grugq" for over two decades. Everything I have done is
under my handle. I don't maintain two identities, I have only one -- the
grugq. You can't link my handle with another identity because there isn't one.

Over a decade ago I was at a small art college where +Fravia was giving a
talk. After his speech, we went for a walk and a chat. He lamented that all
the hackers were dropping their handles and going by their real names for
commercial reasons (so they could get jobs, basically.) He said to me, "you
and I are the only ones left still using our handles." A few years later he
died of cancer. So, now I am the only one left.

People who know my name, know where I live and know that it would increase my
risk profile to expose me. They respect my wishes to use my handle, and they
respect my privacy. It is no great secret, it is simply the choice I have
made, an obligation to an old dead friend, and also one that could have very
real security implications.

It always puzzles me why people care so much. A name is a name.

(also, you have no idea what I do for a living. lol)

~~~
jlgaddis
By chance, is this the same Fravia whose "guides" I studied 20-ish years ago
to learn how to "crack" old software applications?

~~~
grugq
Yes.

------
camperman
The principles The Grugq outlines here are explained in lots more detail in
his OpSec for Hackers presentation. It includes a detailed analysis of how
Lulzsec violated these principles which is why they were caught:

[http://www.slideshare.net/grugq/opsec-for-hackers](http://www.slideshare.net/grugq/opsec-for-hackers)

~~~
pizza
That Avon quote: [https://www.youtube.com/watch?v=E2Fv-nJCfrk](https://www.youtube.com/watch?v=E2Fv-nJCfrk)

~~~
camperman
Thank you. I thought it sounded familiar.

------
kyrre
interesting read, but isn't this written by the same guy who was selling
exploits to 3rd world dictators?

edit: it appears he was a "broker" / middleman. some moral high ground.

[http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-th...](http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/#7437d3e69448)

~~~
grugq
no. never sold anything to "3rd world dictators."

~~~
angry-hacker
But you feel morally ok by selling exploits? You never know how they are being
used, so how come you're so proud of it?

~~~
nickpsecurity
I was originally against it but now I'm neutral on it. Most of the exploits
are intentionally put there by companies that have enough money & expertise to
avoid them. The bigger ones have enough money to make compilers and CPU's that
make the software immune to code injection. Microsoft even has Steve Lipner
who did one of the projects (below) that taught me high-assurance security.
Like them, his philosophy is shipping product over correctness since that is
what the market rewards. As for the market, they almost always buy something
insecure over something more secure if there is even the slightest extra
benefit in the insecure thing. You can't get them to use something secure even
when it's free (eg Signal).

So, what you should be thinking is you and/or other people are using and
financially rewarding companies that intentionally leave vulnerabilities in
software. Is that morally right? Probably not. Is someone making money off
those vulnerabilities morally right? Probably not. The first seems worse,
though, as the vulnerability market would be tiny if it wasn't happening.
They'd command higher prices but even that would mean less damage.

[http://www.cse.psu.edu/~trj1/cse543-f06/papers/vax_vmm.pdf](http://www.cse.psu.edu/~trj1/cse543-f06/papers/vax_vmm.pdf)

Note: Compare Design and Assurance sections to how commercial or FOSS VM's are
built today. Regular "security" is a joke.

~~~
md_
Wait, what? Did you just say software companies intentionally embed
vulnerabilities in software?

~~~
nickpsecurity
Yes. They don't put the individual vulnerabilities in there on purpose. It's
an indirect effect that they're conscious of. They know certain practices will
reduce the amount of vulnerabilities in their software at some increased cost.
They know a quick-and-dirty approach will leave a ton of bugs, including
vulnerabilities, in there at a higher profit margin. If not embedded, they
also usually sell the fixes for it in terms of support contracts or upgrades.
They consciously choose to go the route that increases vulnerabilities and
profits. After problems happen, they do as little as possible to patch them
while the underlying process creating them for profit remains. We call the
result of this game penetrate-and-patch.

By avoiding QA for extra profit, they're effectively adding vulnerabilities to
their software. There's other companies that know certain practices reduce
their defect rates or security worries. They're preventing or removing defects
on a regular basis while still making a profit. These companies are rare. Most
leave vulnerabilities in. The project managers will even tell you that if you
question them in a way to get a straight answer.

Here's Lipner at Microsoft straight up saying it. He at least still turned
their security around a lot with the compromise that was SDL.

[https://blogs.microsoft.com/microsoftsecure/2007/08/23/the-e...](https://blogs.microsoft.com/microsoftsecure/2007/08/23/the-ethics-of-perfection/)

A recent example comes from Jack Ganssle in The Embedded Muse where he points
out basically nobody commissioning embedded systems will sacrifice dollars or
time-to-market for security:

[http://www.ganssle.com/tem/tem314.html#article2](http://www.ganssle.com/tem/tem314.html#article2)

A follow up was a person that lost their job improving security in an embedded
product:

[http://www.ganssle.com/tem/tem315.html#article5](http://www.ganssle.com/tem/tem315.html#article5)

Others in later issues & other forums I've read all consistently say the same
things. Total apathy where it's not even on the checklist or requirements is
the default. I experienced this myself with a lot of people I tried to sell on
security at 10-30% extra cost. Just 10-30% on a critical system! Most in
embedded will also frown on or fire you for improving security if it adds
substantially to the BOM cost, dev cost, or time-to-market. You're supposed to
do it as cheap as possible. It's why 8-bitters are still selling by the
millions of units or however large the number is, despite little to no
built-in safety/security. Hard to argue with $1 a chip vs $5-30 when selling
100,000+ units of a product with that difference being profit. And you
probably won't even get sued over hacks! :)

Counterexamples in case you're curious about methods for making software with
low defects at somewhere from slightly to 50% increased cost:

[http://infohost.nmt.edu/~al/cseet-paper.html](http://infohost.nmt.edu/~al/cseet-paper.html)

[http://www.anthonyhall.org/c_by_c_secure_system.pdf](http://www.anthonyhall.org/c_by_c_secure_system.pdf)

Companies using those methods actually _warrantied_ their software at specific
defect levels that were usually under 6 bugs per loc. Praxis is still around
as Altran.

------
Shivetya
I would go so far as to make sure you know who is near you when you engage in
any such activities, because when a government begins to limit its suspects to
a small number of people they can catch you in the most innocuous places, like
a public library.

------
protomyth
#8 cropping might not be adequate as many photos have metadata attached (e.g.
EXIF) - you probably want to at least view that or delete it entirely before
posting a picture.

------
r721
I recall Twitter was suspending accounts for logins using Tor - I assume it's
no longer true? Or is it sufficient to provide a phone number to safely login
via Tor?

~~~
mysticmarvel
You must verify your account with a mobile phone if you sign up using Tor. You
can use an email address if it's not over Tor.

------
saycheese
Does Twitter have a Tor .onion address for accessing their system?

~~~
intoverflow2
Considering the fact that they lock accounts for "suspicious behaviour" that
don't provide a phone number and keep it that way until you do provide one,
I'd say they don't care about your privacy.

------
sogen
Nice seven samurai avatar :)

