Silk Road forums
Discussion => Security => Topic started by: BigEasy on September 24, 2012, 12:57 am
-
In the interest of bringing more decent info to people on SR and helping keep you safe, I'm posting a great set of slides from one of Grugq's recent talks:
http://www.slideshare.net/grugq/opsec-for-hackers
Please feel free to discuss and ask questions...
-
If you want people to read it, you're going to have to upload it some place my friend.
Nobody should be using clearnet to view a link posted on SR, and nobody should be enabling things like flash/java/javascript etc in order to do so with Tor. Poor OpSec!
Hence...
The best thing is to convert it to HTML, images or something else that doesn't involve execution of scripts. Because otherwise to be properly secure people have to use my VM tutorial in order to securely open pdf and other files. It's not actually difficult, but I'm not sure whether enough people are doing this.
-
Quite true.
Thanks Pine, I realized just after I posted it and went to download a copy, which was turned off by the author. Unfortunately I have yet to find a copy to download; anyone know of any easy way to convert that type of slideshow to html?
+1 for my -1 - thx
-
Hi,
An easy way? No, there was a hack but now it looks more involved such that you'd need to be using 3rd party software, so it may not be worth the trouble. I read the transcript, and appreciate what the author was saying about mentioning geo specific factoids. It always makes me facepalm when posters on here are all "good morning!" or "listen to my songs on youtube!". Ugh. Post your social security while you're at it. Maybe other people should read that too, but you know to be honest there is a severe comprehension problem for some people on here, they don't even so much as venture into the Security subforum. They think we're a bunch of whackos getting in the way of them sharing their holiday snaps from facebook or something.
So, the real problem is not finding good sources of information, but finding a way to make more people read about it and take it seriously. You can't be a freerider when it comes to your security in general, you can't outsource that shit to everybody else. Or you can, but then more knowledgeable members of the forum start making jokes about bears, lions and running velocities.
And I didn't give you a negative karma, I think you said you gave me a -karma and then a +karma to balance it out, but not sure.
To be honest, I lose respect for any creator of a lulzsec document who then goes and posts it on slideshare with download disabled. What kind of bullshit move is that? Makes me suspicious of their intentions. Maybe they are really LE agents hoping to snag some lulzsec people by making them use clearnet.
-- happy thoughts
-
Thanks for your comments. I do understand the trouble trying to get some people to understand how important security is. I suppose it culls the weak...
The slides have some really good information in them, I'll try and find a way to convert them.
I thought you had given me the minus 1 I just got; I thought wrong.
I did give you a +1 for the good advice.
-
OPSEC for hackers — Presentation Transcript
1. OPSEC for hackers: because jail is for wuftpd the.grugq@gmail.com
2. OPSEC for FREEDOM FIGHTERS hackers: because jail is for wuftpd the.grugq@gmail.com
3. Overview • Intro to OPSEC • Methodology • lulzsec: lessons learned • Techniques • Technology • Conclusion
4. Avon: You only got to fuck up once… Be a little slow, be a little late, just once. How you ain’t gonna never be slow? Never be late? You can’t plan for that. That’s life.
5. Intro to OPSEC
6. WTF is it?
7. OPSEC in a nutshell • Keep your mouth shut • Guard secrets • Need to know • Never let anyone get into position to blackmail you
8. STFU
9. Methodology
10. • put the plumbing in first • create a cover (new persona) • work on the legend (history, background, supporting evidence for the persona) • Create sub-aliases • NEVER CONTAMINATE
11. The 10 Hack Commandments
12. The 10 Hack FREEDOM FIGHTING Commandments
13. • Rule 1: Never reveal your operational details
14. • Rule 1: Never reveal your operational details • Rule 2: Never reveal your plans
15. • Rule 1: Never reveal your operational details • Rule 2: Never reveal your plans • Rule 3: Never trust anyone
16. • Rule 1: Never reveal your operational details • Rule 2: Never reveal your plans • Rule 3: Never trust anyone • Rule 4: Never confuse recreation and hacking FREEDOM FIGHTING
17. • Rule 1: Never reveal your operational details • Rule 2: Never reveal your plans • Rule 3: Never trust anyone • Rule 4: Never confuse recreation and hacking FREEDOM FIGHTING • Rule 5: Never operate from your own house
18. • Rule 6: Be proactively paranoid, it doesn’t work retroactively
19. • Rule 6: Be proactively paranoid, it doesn’t work retroactively • Rule 7: Keep personal life and hacking FREEDOM FIGHTING separated
20. • Rule 6: Be proactively paranoid, it doesn’t work retroactively • Rule 7: Keep personal life and hacking FREEDOM FIGHTING separated • Rule 8: Keep your personal environment contraband free
21. • Rule 6: Be proactively paranoid, it doesn’t work retroactively • Rule 7: Keep personal life and hacking FREEDOM FIGHTING separated • Rule 8: Keep your personal environment contraband free • Rule 9: Don’t talk to the police
22. • Rule 6: Be proactively paranoid, it doesn’t work retroactively • Rule 7: Keep personal life and hacking FREEDOM FIGHTING separated • Rule 8: Keep your personal environment contraband free • Rule 9: Don’t talk to the police • Rule 10: Don’t give anyone power over you
23. Why do you need OPSEC?
24. It hurts to get fucked
25. No one is going to go to jail for you.
26. Your friends will betray you.
27. #lulzsec: lessons learned
28. never ever ever do this
29. Violation: Never trust anyone
30. ProTip: Don’t use your personal Facebook account to send defacement code to FREEDOM FIGHTERS your friends
31. Violation: Don’t contaminate
32. Violation: Keep personal life and hacking separate
33. Violation: Keep personal life and hacking FREEDOM FIGHTING separate
34. Violation: Never operate from your home
35. Violation: Don’t reveal operational details
36. Violation: Don’t reveal operational details
37. Violation: Be paranoid
38. Virus (10:30:18 PM): dont start accusing me of [being an informant] - especially after you disappeared and came back offering to pay me for shit - thats fed tactics
39. Virus (10:30:18 PM): dont start accusing me of [being an informant] - especially after you disappeared and came back offering to pay me for shit - thats fed tactics Virus (10:30:31 PM): and then your buddy, topiary, who lives in the most random place
40. Virus (10:30:18 PM): dont start accusing me of [being an informant] - especially after you disappeared and came back offering to pay me for shit - thats fed tactics Virus (10:30:31 PM): and then your buddy, topiary, who lives in the most random place Virus (10:30:36 PM): whos docs werent even public
41. Virus (10:30:18 PM): dont start accusing me of [being an informant] - especially after you disappeared and came back offering to pay me for shit - thats fed tactics Virus (10:30:31 PM): and then your buddy, topiary, who lives in the most random place Virus (10:30:36 PM): whos docs werent even public Virus (10:30:38 PM): gets owned
42. Virus (10:30:18 PM): dont start accusing me of [being an informant] - especially after you disappeared and came back offering to pay me for shit - thats fed tactics Virus (10:30:31 PM): and then your buddy, topiary, who lives in the most random place Virus (10:30:36 PM): whos docs werent even public Virus (10:30:38 PM): gets owned Sabu (10:32:29 PM): offering to pay you for shit?
43. Virus (10:30:18 PM): dont start accusing me of [being an informant] - especially after you disappeared and came back offering to pay me for shit - thats fed tactics Virus (10:30:31 PM): and then your buddy, topiary, who lives in the most random place Virus (10:30:36 PM): whos docs werent even public Virus (10:30:38 PM): gets owned Sabu (10:32:29 PM): offering to pay you for shit? Virus (10:32:55 PM): yeah, you offered me money for "dox"
44. Virus (10:30:18 PM): dont start accusing me of [being an informant] - especially after you disappeared and came back offering to pay me for shit - thats fed tactics Virus (10:30:31 PM): and then your buddy, topiary, who lives in the most random place Virus (10:30:36 PM): whos docs werent even public Virus (10:30:38 PM): gets owned Sabu (10:32:29 PM): offering to pay you for shit? Virus (10:32:55 PM): yeah, you offered me money for "dox" Virus (10:33:39 PM): only informants offer up cash for shit -- you gave yourself up with that one
45. HAPPY ENDING: Virus is still free
46. Violation: Never contaminate
47. Bonus: w0rmer
48. Techniques
49. Plumbing
50. It is boring.
51. You’ll know it worked if nothing happens.
52. Put it in place first.
53. Paranoia doesn’t work retroactively
54. Personas
55. Spiros: He knows my name, but my name is not my name. And you... to them you’re only "The Greek." The Greek: And, of course, I’m not even Greek.
56. Problem: You are you.
57. Solution: Be someone else.
58. Personas • Danger to personas is contamination • Contact between personas (covers) contaminates both • Keep cover identities isolated from each other
59. Layered defense
60. • Fail safe technological solution • TOR all the things! • Back stop persona • Primary cover alias as first identity • Secondary cover aliases (eg. handles)
61. Profiling data
62. Pitfalls • Location revealing information • Weather • Time • Political events • Profiling data
63. Practice • Amateurs practice until they get it right, professionals practice until they can’t get it wrong • Practice makes perfect
64. Stringer: What you doing? Shamrock: Robert’s Rules says we got to have minutes of the meeting. These the minutes. Stringer: Nigga, is you taking notes on a criminal fucking conspiracy?
65. No logs. No crime.
66. Staying Anonymous
67. Personal info is profiling info
68. Guidelines against profiling • Do not include personal information in your nick and screen name. • Do not discuss personal information in the chat, where you are from... • Do not mention your gender, tattoos, piercings or physical capacities.
69. Guidelines, cont. • Do not mention your profession, hobbies or involvement in activist groups • Do not use special characters on your keyboard unique to your language • Do not post information to the regular internet while you are anonymous in IRC. • Do not use Twitter and Facebook
70. Guidelines, cont. • Do not post links to Facebook images. The image name contains a personal ID. • Do not keep regular hours / habits (this can reveal your timezone, geographic locale) • Do not discuss your environment, e.g. weather, political activities,
71. Hackers are no longer the apex predator
72. Hackers FREEDOM FIGHTERS are no longer the apex predator
73. That position has been ceded to LEO
74. That position has been ceded to LEO* (*Law Enforcement Officials)
75. Technology
76. VPNs vs. TOR • VPNs provide privacy • TOR provides anonymity • Confuse the two at your peril
77. • TOR connection to a VPN => OK • VPN connection to TOR => GOTO JAIL
78. On VPNs • Only safe currency is Bitcoins • because they come from nothing • Purchase only over TOR • http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
79. Fail closed
80. PORTAL
81. PORTAL: Personal Onion Router To Avoid LEO
82. PORTAL • Router ensuring all traffic is transparently sent over TOR • Reduce the ability to make mistakes • Use mobile uplink • Mobility (go to a coffee shop) • Reduce risk of wifi monitoring
83. PORTAL • Uses tricks to get additional storage space on /
84. Hardware • TP-LINK AR71xx personal routers • MR-11U • MR-3040 • MR-3020 • WR-703N
85. MR-3040 & MR-11U • Battery powered • Approx. 4-5 hrs per charge • USB for 3G modem
86. http://torporfavor.org/download/portal/
87. Conclusion
88. STFU
89. Questions?
90. If you think, don’t speak / If you speak, don’t write / If you write, don’t sign / If you sign, don’t be surprised