Slashdot Mirror


OPSEC For Activists, Because Encryption Is No Guarantee

Nicola Hahn writes: "In the wake of the Snowden revelations, strong encryption has been promoted by organizations like The Intercept and Freedom of the Press Foundation as a solution for safeguarding privacy against the encroachment of Big Brother. Even President Obama acknowledges that "there's no scenario in which we don't want really strong encryption."

Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.

The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should."

4 of 89 comments

  1. Semantic games by diamondmagic · Score: 4, Insightful

    So it would appear that POTUS is now toeing a line advocated by none other than whistle-blower Snowden who asserted [8] that “properly implemented strong crypto systems are one of the few things that you can rely on.”

    Only there’s a problem with this narrative and its promise of salvation: When your threat profile entails a funded outfit like the NSA, cyber security is largely a placebo.

    How many pointless articles could be avoided if authors and editors understood the difference between a necessary condition and a sufficient condition? Of course comsec is not a solution per se, Ulbricht can tell you all about that! (And how many more pointless discussions could be avoided if everyone knew "per se" = "by itself".)

    1. Re:Semantic games by Defenestrar · Score: 4, Insightful

      You've got a good point, but the implementation of said conditions has a different intrinsic suspicion. Discussions on encryption will only get you put on the NSA watchlist along with everyone else. Conversations about OPSEC may get you a little bit more. For example - getting revealed as someone who sends encrypted messages to your friends is either in that category of nerdy or slightly suspicious. Getting revealed as someone who passes parcels to others via dead drops will probably get your door kicked in by the DEA shortly followed by a long line of other three letter groups.

      PS - I'm not sure if I'll ever be able to use the word "intrinsic" without thinking of eating leprechauns or quantum mechanics. Does anyone else have this problem?

    2. Re:Semantic games by rtb61 · Score: 5, Interesting

      Problem with your analysis, damned if you do, damned if you do not. Many of the activities of the three-letter US agencies have become largely criminal with gross and purposeful misinterpretations of the law and this not in pursuit of justice but in the pursuit of the psychopathic ego of many out-of-control 'agents' or upon the direct orders of political or corporate appointees. So doing nothing is no more or less effective at getting your door kicked in, being threatened with real and impending death for any reason imaginable including not obeying orders fast enough, a barking dog, happening to have some item in your hand at the time, any item. Then you and all other people in residence at the time being physically assaulted, really assaulted, not grab your hands, put them behind your back and being handcuffed but thrown to the ground, kicked and jumped on, a bout of "stop resisting" with more blows to the head and then of course your home trashed and your stuff stolen. Then, if they hate you, ludicrous bail conditions that ensure you remain in jail for years during a hugely, purposefully extended trial and the inevitable "ha, sucker, you have been in jail for years, plead guilty and you will be released with time served", ha ha ha.

      Basically you are attempting to defend yourself against really lazy and self-serving types who in reality won't be bothered with the real leg work, the real reports or any real effort.

      Besides it can be hugely fun. Be overtly covert, make a big show of analogue person to person communications. Don't be lazy yourself, do everything you can person to person, the more the merrier and the more wasted spy vs spy efforts. In the whole spy vs spy vs the rest of us, being overt, exposing your efforts, being more public about your activities, serves to protect you and will inevitably expose their spy vs spy efforts to the ridicule and derision it so often rightly deserves.

      --
      Chaos - everything, everywhere, everywhen
  2. Test your security with false information by hamjudo · Score: 4, Interesting

    In the days of brick and mortar spying, the people being spied on would send messages that included false meeting times and locations. For example, in a town with underground utilities, announce a meeting to take place in a rarely used manhole. If the manhole cover is disturbed, then you know that the communication channel has been compromised. No math is required.

    The high tech equivalent would be to mention a network resource where access can be monitored. When the network resource is accessed, you know there is a problem.
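
The monitored-resource check described in the comment above, as an added example that is not part of the original thread: each communication channel gets its own unguessable URL, and any request for that URL in the web server's access log identifies which channel was read by a third party. The secret, channel names, base URL and log lines are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed values for illustration; none of them come from the thread.
SECRET = b"constructed-demo-secret"
CHANNELS = ["email-to-alice", "group-chat", "encrypted-im"]
BASE_URL = "https://files.example.org/agenda/"

def token_for(channel: str) -> str:
    """Derive an unguessable token that is unique to one channel."""
    return hmac.new(SECRET, channel.encode(), hashlib.sha256).hexdigest()[:20]

def canary_url(channel: str) -> str:
    """URL to mention in exactly one channel and nowhere else."""
    return BASE_URL + token_for(channel)

# Combined-log-format line: client IP, two fields, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+) ')

def tripped_channels(log_lines, channels=CHANNELS):
    """Return (channel, client_ip, timestamp) for every canary access."""
    by_token = {token_for(c): c for c in channels}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, when, path = m.groups()
        # Last path segment, ignoring any query string or trailing slash.
        token = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
        if token in by_token:
            hits.append((by_token[token], ip, when))
    return hits

# Constructed access-log sample: one ordinary request, one canary hit.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2015:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Mar/2015:10:05:42 +0000] "GET /agenda/%s HTTP/1.1" 404 0'
    % token_for("group-chat"),
]

if __name__ == "__main__":
    for channel, ip, when in tripped_channels(SAMPLE_LOG):
        print(f"canary mentioned in {channel!r} was fetched by {ip} at {when}")
```

Automatic link previews and mail or chat URL scanners also fetch links, so a hit shows that something other than the intended reader processed the message, not who did it.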