Menu Close

Tag: opsec

This website was archived on July 20, 2019. It is frozen in time on that date.
Exolymph creator Sonya Mann's active website is Sonya, Supposedly.

Watch Yourself

Let’s talk about sousveillance again. For those not familiar with the word, it literally translates to “undersight” — as opposed to oversight. Surveillance is perpetrated by an authority; sousveillance is perpetrated by the people. The unwashed masses, if you will.

Steve Mann (no relation) led the paper that coined the term. It came out in 2003! They had no idea about Instagram! What’s interesting is how much the connotations of “sousveillance” have morphed since Mann and his colleagues first came up with it. Here’s their original conception:

Organizations have tried to make technology mundane and invisible through its disappearance into the fabric of buildings, objects and bodies. The creation of pervasive ubiquitous technologies — such as smart floors, toilets, elevators, and light switches — means that intelligence gathering devices for ubiquitous surveillance are also becoming invisible […]. This re-placement of technologies and data conduits has brought new opportunities for observation, data collection, and sur/sousveillance, making public surveillance of private space increasingly ubiquitous.

All such activity [until now] has been surveillance: organizations observing people. One way to challenge and problematize both surveillance and acquiescence to it is to resituate these technologies of control on individuals, offering panoptic technologies to help them observe those in authority. […]

Probably the best-known recent example of sousveillance is when Los Angeles resident George Holliday videotaped police officers beating Rodney King after he had been stopped for a traffic violation. The ensuing uproar led to the trial of the officers (although not their conviction) and serious discussion of curtailing police brutality […]. Taping and broadcasting the police assault on Rodney King was serendipitous and fortuitous sousveillance. Yet planned acts of sousveillance can occur, although they are rarer than organizational surveillance. Examples include: customers photographing shopkeepers; taxi passengers photographing cab drivers; citizens photographing police officers who come to their doors; civilians photographing government officials; residents beaming satellite shots of occupying troops onto the Internet. In many cases, these acts of sousveillance violate [either explicit or implicit rules] that ordinary people should not use recording devices to record official acts.

Sousveillance was supposed to be a way to Fight the Man, to check the power of the state. Unfortunately, many governments’ surveillance apparatuses* were poised to take advantage of the compulsive documenting habit that smartphones added to daily life.

For example, the NSA has wonderful SIGINT. Theoretically they can mine Facebook and its ilk for whatever insights they might want to extract. Encryption mitigates this problem, but it’s not clear by how much. Anything that’s publicly available online can be scraped.

So now you have n00bs posting photos of protests on Twitter and accidentally exposing people with open warrants. Elle Armageddon wrote a two-part “OPSEC for Activists” guide, but by default the attendees of unplanned, uncoordinated events aren’t going to follow the rules.

Welp ¯\_(ツ)_/¯


*I thought it would be “apperati” too, but as it turns out, no. See this and this.

Image credit: My Second or Third Skin by Claire Carusillo.

Two Kinds of Fallibility

Over the weekend I read cryptographer Peter Todd’s fascinating account of helping get Zcash off the ground. (Zcash is an altcoin which describes itself thus: “If Bitcoin is like http for money, Zcash is https. Zcash offers total payment confidentiality, while still maintaining a decentralized network using a public blockchain.”)

Todd’s story is a great overview of practical opsec, from the point of view of someone who’s skeptical about the whole endeavor he’s undertaking. Plus all the evasion tactics and burner tech are just… cool.

Read more

The Productive Attitude to Privacy

Instead of considering privacy to be a right that you deserve, think of it as a condition that you can create for yourself. Comprehensive privacy is difficult to achieve — aim to hide the pieces of information that matter to you the most. Even in countries that say their citizens are entitled to privacy, abstract guarantees are meaningless if you don’t take action to protect the information that you want to conceal. (Remember, you’re only one “national security emergency” away from losing all the rights you were promised.)

What is privacy? Photo by Cory Doctorow.

Photo by Cory Doctorow.

For the most part, protecting information with your actions means restricting access to it. As I wrote before, “when you trust third parties to protect your privacy (including medical data and financial access), you should resign yourself to being pwned eventually.”

The key to perfect privacy is to avoid recording or sharing any information in the first place. If you never write down your secret, then no one can copy-paste it elsewhere, nor bruteforce any cipher that you may have used to obscure it. Thank goodness we haven’t figured out how to hack brains in detail! But unfortunately, some pieces of information — like passwords with plenty of entropy — aren’t useful unless you’re able to copy-paste them. Who can memorize fifty different diceware phrases? The key to imperfect-but-acceptable privacy is figuring out your limits and acting accordingly. How much risk are you willing to live with?

The main argument against my position is that responsibilities that could be assigned to communities are instead pushed onto individuals, who are demonstrably ill-equipped to cope with the requirements of infosec.

“Neoliberalism insists that we are all responsible for ourselves, and its prime characteristic is the privatisation of resources — like education, healthcare, and water — once considered essential rights for everyone (for at least a relatively brief period in human history so far). Within this severely privatised realm, choice emerges as a mantra for all individuals: we can all now have infinite choices, whether between brands of orange juice or schools or banks. This reverence for choice extends to how we are continually pushed to think of ourselves as not just rewarded with choices in material goods and services but with choices in how we constitute our individual selves in order to survive.” — Yasmin Nair

Reddit user m_bishop weighed in:

“I’ve been saying this for years. Treat anything you say online like you’re shouting it in a crowded subway station. It’s not everyone else’s job to ignore you, though it is generally considered rude to listen in.

Bottom line, if you don’t want people to see you naked, don’t walk down the street without your clothes on. All the written agreements and promises to simply ‘not look’ aren’t going to work.”

Cybersecurity Tradeoffs & Risks

Kevin Roose hired a couple of high-end hackers to penetration-test his personal cybersecurity setup. It did not go well, unless you count “realizing that you’re incredibly vulnerable” as “well”. In his write-up of the exercise, Roose mused:

“The scariest thing about social engineering is that it can happen to literally anyone, no matter how cautious or secure they are. After all, I hadn’t messed up — my phone company had. But the interconnected nature of digital security means that all of us are vulnerable, if the companies that safeguard our data fall down on the job. It doesn’t matter how strong your passwords are if your cable provider or your utility company is willing to give your information out over the phone to a stranger.”

There is a genuine tradeoff between safety and convenience when it comes to customer service. Big companies typically err on the side of convenience. That’s why Amazon got in trouble back in January. Most support requests are legitimate, so companies practice lax security and let the malicious needles in the haystack slip through their fingers (to mix metaphors egregiously). If a business like Amazon enacts rigorous security protocols and makes employees stick to them, the average user with a real question is annoyed. Millions of average users’ mild discomfort outweighs a handful of catastrophes.

Artwork by Michael Mandiberg.

Artwork by Michael Mandiberg.

In semi-related commentary, Linux security developer Matthew Garrett said on Twitter (regarding the Apple-versus-FBI tussle):

“The assumption must always be that if it’s technically possible for a company to be compelled to betray you, it’ll happen. No matter how trustworthy the company [seems] at present. No matter how good their PR. If the law ever changes, they’ll leak your secrets. It’s important that we fight for laws that respect privacy, and it’s important that we design hardware on the assumption we won’t always win”

Although Garrett is commenting on a different issue within a different context, I think these two events are linked. The basic idea is that when you trust third parties to protect your privacy (including medical data and financial access), you should resign yourself to being pwned eventually. Perhaps with the sanction of your government.

Keep Your Head Down

Reading about operational security has turned my mind toward privacy rights. Opsec tactics are concerned with shielding information from enemy access — mostly through rigorous, consistent caution. As the Animal Liberation Front put it in one of their direct action guides, “True security culture requires a clear head, a rational mind, and personal self-control.” The assumption made by savvy opsec practitioners is that all data will be compromised eventually. Therefore, they aim to minimize the inevitable consequences.

I used to disregard privacy. My attitude was a classic: “If you’re not doing anything wrong, then you have nothing to hide!” (a viewpoint refuted very well by Robin Doherty). The problem is that even people who are acting ethically can run afoul of the law or be persecuted by the authorities. Consider how the FBI treated civil rights activists in the 1960s. Current mass surveillance by the NSA and similar government bodies is equally worrisome, as is the treatment of whistleblowers like Chelsea Manning. I’m not naive enough to think that this behavior will stop. People do anything that they are physically or technically capable of doing in order to access power — especially state agents.

Portrait of Edward Snowden by John Meyer of The Spilt Ink; $130.79 on Etsy.

Portrait of Edward Snowden by John Meyer of The Spilt Ink; $130.79 on Etsy.

I’m still not convinced that privacy should be a guaranteed legal right, or if so, to what extent. The best way to restrict your own information is simply to be secretive — stay quiet and maintain the impression of insignificance. After all, the vast majority of day-to-day privacy compromises are self-inflicted, simply because most people don’t care. That’s how Facebook and other social networks manage to compile detailed dossiers on their users.

So, what’s the essential takeaway here? I’m not sure. It’s interesting to ponder the consequences of a post-privacy society, until you realize that we already live in one. The results are quite mundane. Feels normal, right?

Behavior Can Trump Encryption

Advice from Whonix’s guide to preserving internet anonymity via web opsec:

“Someone sent you an pdf by mail or gave you a link to a pdf? That sender/mailbox/account/key could be compromised and the pdf could be prepared to infect your system. Don’t open it with the default tool you were expected use […] by the creator. For example, don’t open a pdf with a pdf viewer.”

I’m less interested in this specific suggestion than the principle behind it. The bolded sentence hits on a key insight — when you can, subvert your enemy’s expectations. How would their perfect target behave? Adopt the opposite practices. Of course, this adds a lot of inconvenience to your life, so keep in mind whether your situation warrants elaborate identity-protection.

Photo by Shannon Kringen.

Photo by Shannon Kringen.

I also read through some of the Hacker News comments on Whonix’s how-to, and this one by user nikcub stood out as being particular savvy: “Your personas [should be] isolated and segregated. They share no information, hobbies, interests and at a tech level they don’t share connections, machines, browsers, apps.”

When you’re trying to stay anonymous, having access to high-tech tools is very helpful — donate to TOR! — but being careful and thinking through every step is even more crucial.

nikcub’s comment also recommended Underground Tradecraft (thegrugq’s Tumblr) so I fell into an opsec rabbit hole. Expect more on this topic soon.

Don’t Get Busted

Italian police

Photo by Rodrigo Paredes.

“That’s a cop, you moron,” she hissed in his ear, tugging him down the tight alleyway. Actually, it was too small to be an alley — more like an unfilled gap between buildings. The concrete bricks scraped against Jason’s back. He could feel the roughness through his jacket.

“I know. But my sister is still out there,” he protested, squinting through the narrow channel to the street. He could vaguely hear yelling but couldn’t see much.

Evvy yanked on his arm. “We can’t do shit for her right now. And if you don’t come with me, I can’t do shit for you either.”

He blew air out between his lips. Jason could feel the headache expanding in his brain. When they had dodged into this space, the cop was still fifty feet away. His sister Melissa was frantically packing up her mobile shop, where she sold game IP burned onto old spindisks. Evvy was holding, so she panicked and dragged Jason with her into this tightly squeezed escape route.

Pain spiked in his temples. Jason closed his eyes and shoved his way after her. Evvy muttered an expletive. “Do you know what’s on the other side?” he asked.

“Yup,” she said curtly. “We’ll be fine. I don’t think anyone saw us. But let’s move fast, okay?”

“Melissa saw us.”

“We have to hope she doesn’t squeal,” Evvy growled.

Jason didn’t answer. He felt guilt spreading through his head along with the throbbing soreness.

If the cops caught you with amphetamines and neuro hookups, they’d arrest you. So of course Evvy was afraid. After you were rounded up, there was a slim probability that you’d disappear. Rumored locations ranged from North Korea to Tennessee to an ignominious hole in some police chief’s backyard. The rumors were probably exaggerated — people got picked up and released all the time. But Evvy was paranoid. She had resistance friends. Like him.

Contraband game IP wasn’t such a big deal, Jason told himself. Besides, Melissa was quick. She might have dodged into another unseen escape avenue. Or sweet-talked her way out of a full search.

Evvy gripped Jason’s elbow and pulled him back into the light on an open street. He stumbled slightly as he followed her. “Keep it together,” she said in a strained voice.

“I’m cool,” he said. “Just getting a headache.”

“Stop worrying about Melissa. And don’t freak out on me. I’ll plug you in. Just give me a minute to get us —” Evvy stopped mid-sentence. There was another cop in front of them.

“Hey,” the officer said. He had his fists on his hips, and his sleeves were rolled up so that Jason could see the chrome forearm reinforcements. They weren’t powered on, but the threat was implicit. Metal banded the cop’s wrists, and it shifted when he did.

Evvy was half-crouching, but she straightened when the officer spoke. “Can I help you, sir?” It’s better to stay alive than make a point, Evvy told herself. It’s better to stay free and kicking. She tried to beam this thought to Jason even though 1) she didn’t have neuro ports and 2) he wasn’t aggressive enough confront this guy anyway. Jason seemed frozen like an old OS.

The policeman said, “Why are you in such a hurry, folks?”

“We’ve got an appointment,” Evvy answered.

“Sure,” the cop snorted. “You’re late for a very important date. Okay, you know the drill. Face the wall and get your hands on the brick.”

Evvy turned. Adrenaline buzzed through her brain. The stash wasn’t directly in her pockets, but it wasn’t hidden very many layers deep. She cursed herself for choosing convenience over security. Sloppy. Of course you get caught.

Jason put his hands on the wall and felt his weight pulling on his shoulders. The pain in his head was intensifying. It felt worse than a regular headache. He could hear the officer talking — recognized the noise as a voice — but units of sound weren’t converting to understandable words.

The cop started patting down Evvy. “When I see scrapers like you two running, I know something’s wrong.” He ran his hands up and down her legs, then reached into her pockets to turn them inside out. He grabbed her four-inch wafer and looked it over briefly. “Old school.” The screen awoke when he tapped it. “Unlock this,” he ordered, prodding Evvy to turn around.

Before she could do it, Jason collapsed, jerking against the wall and falling heavily to his knees. He toppled further toward his right side and landed half-twisted, mouth lolling open. Evvy stared at the red wet opening. She noticed that Jason’s teeth were still wired together in the back, from getting fixed up after that fight.

“What’s he on?” the policeman demanded.

“Nothing,” Evvy said. “He’s clean.”

“Yeah, yeah. You kids always lie to me. Just turn over whatever you’ve got and we’ll call this even. I don’t want to deal with your boyfriend.” He nudged Jason with the metal toe of his boot. Jason made a grunting noise.

Evvy bit her lip, trying to decide quickly. Was this some kind of ploy to catch her? But he could haul them both back to the precinct if he wanted, or simply pull out his scanner. Then again, this cop could be a sociopath who got off on manipulating his perps. They certainly existed.

Evvy looked at Jason again. He didn’t seem okay. She knew he kept playing those shoddy games that Melissa ripped — maybe this was a bug. She had friends who tweaked their firmware on purpose, so surely it could happen by accident.

“Make up your mind before he pukes and chokes on it,” the officer advised.

Instinctively turning to face the wall, Evvy lifted the hem of her shirt and pushed down her waistband, then felt for the latch on her hip compartment. The patch of silicon skin popped open, and she pulled her stash out. “Here you go.”

The policeman took her plastic bag of amphetamines and the small tangle of neuro hookups. He stuffed them in his pocket, nodded to Evvy, and started strolling away. She tried not to think about the money.

Passersby were skirting the scene and walking on. Evvy knelt by Jason’s head and jostled him a little. He groaned. “Wake up, Jason,” Evvy said. She slapped his cheek softly. “Now would be a really fucking good time for you to wake up. I want to get out of here.”

He opened his eyes but didn’t say anything.

© 2019 Exolymph. All rights reserved.

Theme by Anders Norén.