Jihadist Fan Club CryptoCrap

Think of Mujahideen Secrets as a branded promotional tool, sort of like if Manchester United released a branded fan chat app. Although there has been a lot of FUD written about the encrypted messaging systems developed and promoted by jihadi groups, very little has focused on how they are…

When In Doubt, It’s A Tout

Robust Operational Security Practices Aren’t Enough. A British man, Lauri Love, has been indicted for hacking. The indictment is thin on details, but does have some interesting OPSEC insights that can be teased out by the patient reader. The indictment of Lauri Love doesn’t…

Episode 17

[this email was in response to a thread which started as a distress call over the unusually poor quality of CFP proposals. It is the start of some thoughts over how to “fix” the Info Sec Conference problem. ] X-Mailer: iPhone Mail (9A405) From: the grugq <thegrugq gmail com> Subject:…

New York’s Finest OPSEC

NYPD Social Media Investigation OPSEC The NYPD created an operations formula for conducting undercover investigations on social media. The procedural document reveals the operational security for these investigations. The security is founded on the use of an “online alias” (the officer’s undercover account) and strict compartmentation. Given the capabilities of…

A Fistful of Surveillance

The publication of this piece at The Intercept about NSA targeting via mobile phones prompted me to release this collection of notes. Some quotes and statements in the article wrongly promote the idea that the SIM card is the only unique identifier in a mobile phone. I’ve enumerated the identifiers…

Codes, What Are They Good For?

What is a Secure Communication? The goals of secure communications are the following. Some of these are surprisingly difficult to achieve: Make the content of a message unreadable to parties other than the intended one(s) Make the meaning of a message inaccessible to parties other than the intended one(s) Avoid…

In Search of OPSEC Magic Sauce

Of Bomb Threats and Tor Recently (December 16th, 2013) there was a bomb threat at Harvard University, during finals week. The threat was a hoax, and the FBI got their man that very night. The affidavit is here. This post will look at the tools and techniques the operative used…

Yardbird’s Effective Usenet Tradecraft

Survival in an Extremely Adversarial Environment If your secure communications platform isn’t being used by terrorists and pedophiles, you’re probably doing it wrong. – [REDACTED] A few years ago a group of child pornographers was infiltrated by police who were able to monitor, interact, and aggressively investigate the members. Despite…

How to Win at Kung Fu and Hacking

Everybody Was Hack Foo Fighting I’m going to discuss a serious problem with the organisational structure and social dynamics of the hacker community, and why this puts hackers at risk. Hackers operate essentially the same way as the henchmen in a kung fu movie: they attack the adversary one by…

required reading

This is a short list of articles and papers that you absolutely must read if you want to understand OPSEC. Terrorist Group Counterintelligence :: This is the thesis which later became the book Terrorism and Counterintelligence. Read at least one of them (the thesis is free). Allen Dulles’s 73 Rules…

Morris Worm OPSEC lessons

25th Anniversary of STFU about your computer crimes. Reading this interview with the prosecutor of Robert Morris Jr about the Morris Worm, there are a few cool OPSEC lessons we can learn. How was Morris caught? One way was with computer forensics: tracing back the source of the worm. The…

OPSEC isn’t security through obscurity

OPSEC revisited. The goal of OPSEC is to control information about your capabilities and intentions to keep them from being exploited by your adversary. In typical hacker fashion, the term OPSEC has come to mean more than just information about capabilities and intentions, but also personal information about yourself.…

Observations on OPSEC

Briefly, I would like to highlight some important considerations for good OPSEC. Firstly, OPSEC is a mode of operating, not a tool or a collection of tools. Secondly, OPSEC comes at a cost, and a significant part of that cost is efficiency. OPSEC is slow. Finally, maintaining a strong security…

Silk Road Security

Counterintelligence Lessons for Drug Dealers. NOTE: Events have overtaken my slow writing speed. This post was in the works before the Silk Road bust in September 2013. I’m uploading it anyway because it has some useful information, however there seems little point in finishing it now. The dealers on Silk…

It was DPR, in the Tor HS, with the BTC

Give it to me straight, dr the grugq Generally, it appears that Ross Ulbricht was applying his economic and techno-libertarian philosophy to real life. As his project grew, his security posture improved – too late. The most serious mistakes that Ross Ulbricht made were made during the period Jan 2011…