Hacker harm reduction

2013-01-21
, , , ,

Hackers >

This is a rather interesting concept, first brought to my attention by:

Hackers As A High-Risk Population [29c3]
CCCen – Chaos Computer Conference, 2012
https://youtu.be/zq-bloM4Cmo

Overall I didn’t like the video. I found it somewhat boring until the half way mark. This is because the leading information is a necessary foundation to build the relevant material upon. It does get a lot better.

One particularly curious topic was her bringing up the Autism spectrum, particularly Asperger syndrome. Over the years I’ve seen links between genius and various neuro-atypical “quirks”. She cites a study where hackers are not on the Asperger side of the spectrum but more likely on the opposite side of the spectrum, with stronger emotions rather than with Asperger’s weaker empathy.

Another video was recommended, which I haven’t had time to watch:

#HITB2012KUL D1T3 – The Grugq – OPSEC: Because Jail is for wuftpd
Hack In The Box Security Conference, 2012
https://youtu.be/9XaYdCdwiWU
(pdf)

I’ve written up parts from a rough transcript I found. Even reading through the points without watching the video gives an idea

WTF is it? OPSEC in a nutshell

  • Keep your mouth shut
  • Guard secrets
  • Need to know
  • Never let anyone get into position to blackmail you

  • STFU

Methodology

  • put the plumbing in first
  • create a cover (new persona)
  • work on the legend (history, background, supporting evidence for the persona)
  • Create sub-aliases

  • NEVER CONTAMINATE

The 10 Hack Commandments

(Inspired by The Notorious B.I.G.‘s Ten Crack Commandments lyrics.)

  • Rule 1: Never reveal your operational details
  • Rule 2: Never reveal your plans
  • Rule 3: Never trust anyone
  • Rule 4: Never confuse recreation and hacking
  • Rule 5: Never operate from your own house
  • Rule 6: Be proactively paranoid, it doesn’t work retroactively
  • Rule 7: Keep personal life and hacking separated
  • Rule 8: Keep your personal environment contraband free
  • Rule 9: Don’t talk to the police

  • Rule 10: Dont give anyone power over you

Why do you need OPSEC?

  • It hurts to get fucked
  • No one is going to go to jail for you.
  • Your friends will betray you.

  • #lulzsec:lessons learned

    • never ever ever do this
  • Never trust anyone
  • ProTip: Don’t use your personal Facebook account to send defacement code to your friends
  • Don’t contaminate
  • Keep personal life and hacking separate
  • Never operate from your home
  • Don’t reveal operational details

  • Be paranoid

Paranoia doesn’t work retroactively

Problem: You are you.

Solution: Be someone else.

Personas

  • Danger to personas is contamination
  • Contact between personas (covers) contaminates both

  • Keep cover identities isolated from each other

Layered defense

  • Fail safe technological solution
  • TOR all the things!
  • Back stop persona
  • Primary cover alias as first identity

  • Secondary cover aliases (eg. handles)

Profiling data

Pitfalls

  • Location revealing information
  • Weather
  • Time
  • Political events

  • Profiling data

Practice

  • Amateurs practice until they get it right, professionals practice until they can’t get it wrong

  • Practice makes perfect

Staying Anonymous

Personal info is profiling info

Guidelines against profiling

  • Do not include personal informations in your nick and screen name.
  • Do not discuss personal informations in the chat, where you are from…
  • Do not mention your gender, tattoos, piercings or physical capacities.
  • Do not mention your profession, hobbies or involvement in activist groups
  • Do not use special characters on your keyboard unique to your language
  • Do not post informations to the regular internet while you are anonymous in IRC.
  • Do not use Twitter and Facebook
  • Do not post links to Facebook images. The image name contains a personal ID.
  • Do not keep regular hours / habits (this can reveal your timezone, geographic locale)

  • Do not discuss your environment, e.g. weather, political activities,

Technology

VPNs vs. TOR

  • VPNs provide privacy
  • TOR provides anonymity
  • Confuse the two at your peril
  • TOR connection to a VPN => OK

  • VPN connection to TOR => GOTO JAIL

On VPNs

  • Only safe currency is Bitcoins, because they come from nothing
  • Purchase only over TOR
  • https://torrentfreak.com/best-vpn-anonymous-no-logging/1 ]
  • Personal Onion Router To Avoid LEO [Law Enforcement Officers]
  • Router ensuring all traffic is transparently sent over TOR
  • Reduce the ability to make mistakes
  • Use mobile uplink
  • Mobility (go to a coffee shop)
  • Reduce risk of wifi monitoring

  • Uses tricks to get additional storage space on /

If you think, don’t speak. If you speak, don’t write. If you write, don’t sign. If you sign, don’t be surprised.

The talk mentions PORTAL, which is:

Footnotes


  1. was https://torrentfreak.com/which-vpn-services-keep-you-anonymous-in-2019/  ]
Comment

Leave a Reply

Your email address will not be published. Required fields are marked *