OPSEC For Activists, Because Encryption Is No Guarantee
Nicola Hahn writes: "In the wake of the Snowden revelations strong encryption has been promoted by organizations like The Intercept and Freedom of the Press Foundation as a solution for safeguarding privacy against the encroachment of Big Brother. Even President Obama acknowledges that 'there's no scenario in which we don't want really strong encryption.'
Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.
The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should."
The high tech equivalent would be to mention a network resource where access can be monitored. When the network resource is accessed, you know there is a problem.
Problem with your analysis, damned if you do, damned if you do not. Many of the activities of the three-letter US agencies have become largely criminal with gross and purposeful misinterpretations of the law and this not in pursuit of justice but in the pursuit of the psychopathic ego of many out-of-control 'agents' or upon the direct orders of political or corporate appointees. So doing nothing is no more or less effective at getting your door kicked in, being threatened with real and impending death for any reason imaginable including not obeying orders fast enough, a barking dog, happening to have some item in your hand at the time, any item. Then you and all other people in residence at the time being physically assaulted, really assaulted, not grab your hands, put them behind your back and being handcuffed but thrown to the ground, kicked and jumped on, a bout of 'stop resisting' with more blows to the head and then of course your home trashed and your stuff stolen. Then, if they hate you, ludicrous bail conditions that ensure you remain in jail for years during a hugely, purposefully extended trial and the inevitable "had, sucker, you have been in jail for years, plead guilty and you will be released with time served", ha ha ha.
Basically you are attempting to defend yourself against really lazy and self-serving types who in reality won't be bothered with the real leg work, the real reports or any real effort.
Besides it can be hugely fun. Be overtly covert, make a big show of analogue person to person communications. Don't be lazy yourself, do everything you can person to person, the more the merrier and the more wasted spy vs spy efforts. In the whole spy vs spy vs the rest of us, being overt, exposing your efforts, being more public about your activities, serves to protect you and will inevitably expose their spy vs spy efforts to the ridicule and derision it so often rightly deserves.
Chaos - everything, everywhere, everywhen
Any pattern in the way you behave can be used against you. If you are not emitting a mobile phone signal, then you are suspicious. If you have an iPhone, and the logs suggest you regularly take the batteries out, then you are very suspicious. A modern spy would carry a mobile phone - not the latest security recommended one, but something dull - and would tweet and post pictures of what they are eating and listening to just to get the right watch profile. You would have to leave the phone behind when you want to do Spy Things, but you could leave it in the locker at the swimming pool, or something plausible like that. If you have to send crypto messages over this phone, keep the message very short, and plausible.
I don't think there are many real spies here on Slashdot, but there are probably people who would like to keep their data secure in a way that does not attract attention to themselves. Perhaps we should all use encryption whether we need it or not, so those that need it will no longer stand out.