Slashdot Mirror

← Back to Stories (view on slashdot.org)

OPSEC For Activists, Because Encryption Is No Guarantee

Posted by Soulskill on from the protect-yourself-before-somebody-wrecks-yourself dept.

Nicola Hahn writes: "In the wake of the Snowden revelations strong encryption has been promoted by organizations like The Intercept and Freedom of the Press Foundation as a solution for safeguarding privacy against the encroachment of Big Brother. Even President Obama acknowledges that "there's no scenario in which we don't want really strong encryption."

Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.

The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should.

4 of 89 comments (clear)

  1. Semantic games by diamondmagic · · Score: 4, Insightful

    So it would appear that POTUS is now towing a line advocated by none other than whistler-blower Snowden who asserted [8] that “properly implemented strong crypto systems are one of the few things that you can rely on.”

    Only there’s a problem with this narrative and its promise of salvation: When your threat profile entails a funded outfit like the NSA, cyber security is largely a placebo.

    How many pointless articles could be avoided if authors and editors understood the difference between a necessary condition and a sufficient condition? Of course comsec is not a solution per se, Ulbricht can tell you all about that! (And how many more pointless discussions could be avoided if everyone knew "per se" = "by itself".)

    --
    Wonder what the public key field is for?
    1. Re:Semantic games by Defenestrar · · Score: 4, Insightful

      You've got a good point, but the implementation of said conditions have a different intrinsic suspicion. Discussions on encryption will only get you put on the NSA watchlist along with everyone else. Conversations about OPSEC may get you a little bit more. For example - getting revealed as someone who sends encrypted messages to your friends is either in that category of nerdy or slightly suspicious. Getting revealed as someone who passes parcels to others via dead drops will probably get your door kicked in by the DEA shortly followed by a long line of other three letter groups.

      PS - I'm not sure if I'll ever be able to use the word "intrinsic" without thinking of eating leprechauns or quantum mechanics. Does anyone else have this problem?

    2. Re:Semantic games by Anonymous Coward · · Score: 2, Insightful

      The ironic thing is that OPSEC is a must for any business organization. You can have data at rest protection, and data in transit, but without protection against the VoIP spoofer demanding access or else he will get people fired, this does work. I've worked at a company where the head security guy got fired because he challenged a muckety-muck PHB who was tailgating (trying to get past a door into a sensitive area from the outside of the building without badging in), and this fear caused people to not challenge anything... if it was someone who knew what they were doing, they could just claim to be someone higher up, and the company was theirs.

      OPSEC isn't just reserved to TLAs and the military... organizations need at as well.

      As for protesters and activists... you can't get most of the 20 something crowd interested in anything other than iPhones and beard oil, so things like keeping the ranks clean of trolls and goofballs are not even something they think about. Handing them an OPSEC guide would be like handing a duck an iPad... there would be curiosity, then it gets pooped on.

  2. Of course by ShieldW0lf · · Score: 3, Insightful

    If I'm the only one who can unlock your encrypted communications, then it's in my best interest to have everyone encrypt their communications, because then, I'll be the only one with total situation awareness.

    It won't be in any of your interests, of course, because you'll be handing me my advantage on a silver platter... but you're all far too shortsighted to pay attention to such things.

    Of course Obama and the NSA want you all using strong encryption. Stupid of you to give them what they want, though.

    --
    -1 Uncomfortable Truth