OPSEC and Compartmentalization

Opened: Sunday, 21 July 2019, 12:00 AM

Recommended Listening: https://www.youtube.com/watch?v=ZYb_8MM1tGQ

OPSEC is king

If someone has found you in real life and they want to do bad things to you, the game is over. There are all sorts of great technical approaches to protecting yourself that we have gone over already, but technology only goes so far. Something is always logged digitally, and if a motivated attacker wants you, they will get you at some point. OPSEC is what keeps you off the radar, and if you are going to be on the radar, it gives them a cold trail and a fake account to chase into the ground. If you follow these rules, you will be much less likely to be targeted.

Read This: http://blogsofwar.com/hacker-opsec-with-the-grugq/

Compartmentalization

Compartmentalization is based on the idea that you have various public-facing personas and you are unable to keep all of them private. You will never manage to completely erase your public, legal-name persona from the public record, and while you can attempt to keep it off the internet, it's a losing battle. Taken to an extreme, if you have a separate persona for every website you use, with the appropriate technical protections we already went over, you could have a distributed profile in which the discovery or unmasking of any one account has no effect on the others.

Like everything we are talking about in this course, it's all about risk mitigation at the cost of convenience. Keep working on this mindset: understanding risks, their mitigations, and how they fit into individual and group risk tolerances.

Think about the reasoning behind compartmentalization. You've already determined your risk model, so compartmentalization only matters as much as your risk model requires. Which of your accounts require compartmentalization? If you followed the directions earlier in the course and your password manager has a reset option, that reset is controlled by a Gmail account that you don't use on any other sites.

Read Grugq's Commandments: https://grugq.tumblr.com/post/60463307186/rules-of-clandestine-operation

If you are taking this course, you likely do not require any advanced tradecraft knowledge, but it's still useful to wrap your head around the concepts. They are generally applicable to a lot of common scenarios, and knowing them can only help.

It's by a guy called Dual Core, who makes some pretty great stuff. His number one song is 'Drink All the Booze, Hack All the Things'.

https://www.youtube.com/watch?v=FoUWHfh733Y

Let's put it this way: hackers don't take themselves all that seriously. If you listen to the lyrics of 'Hack All the Things' you will probably understand about one third of the references, at best. If you don't like it or are too cool for nerdcore rap, that's fine. If you stick around, eventually you'll understand most of it, and you'll go nuts when someone throws it on during a late night hack sesh after you've been passing around a bottle of whiskey.

Tasks:

  1. Do a quick thought exercise about the web of accounts, online activities, and real-world activities that could be traced back to you if an omniscient cyber entity decided to tie them all to one person based on correlation of:

    • Username and email reuse across sites
    • Password reuse (yes, people have been arrested because their unique passwords were found in a data breach)
    • Mobile phone use
    • Laptop use
  2. Give me the GPS coords for this picture: https://exposingtheinvisible.org/ckeditor_assets/pictures/32/content_example_ibiza.jpg
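A way to make the first task concrete, as an added example that is not part of the course material: a small Python script over constructed, made-up persona records that groups any personas sharing a username, password or other attribute, so you can check whether your own compartments actually hold. The persona names, attribute names and values below are all assumptions.

```python
from collections import defaultdict

# Constructed sample records: the accounts one person holds across sites.
# Every persona name and value here is made up for the exercise; "password"
# stands in for whatever a breach dump would expose (plaintext or hash).
ACCOUNTS = {
    "forum_alias":  {"username": "nightowl", "email": "nightowl@example.org",
                     "password": "Tr0ub4dor&3", "device": "laptop-A"},
    "github_alias": {"username": "nightowl", "email": "dev@example.net",
                     "password": "different-pw-1", "device": "laptop-B"},
    "legal_name":   {"username": "jane.doe", "email": "jane.doe@example.com",
                     "password": "Tr0ub4dor&3", "device": "phone-A"},
    "marketplace":  {"username": "buyer42", "email": "buyer42@example.org",
                     "password": "different-pw-2", "device": "laptop-C"},
}

def linked_compartments(accounts, attributes):
    """Group personas that share any value of the given attributes.

    Returns a list of sets of persona names. A set with more than one member
    is a broken compartment: unmasking one account exposes the rest of it.
    """
    parent = {name: name for name in accounts}   # union-find forest

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]         # path halving
            x = parent[x]
        return x

    seen = {}  # (attribute, value) -> first persona observed using it
    for name, attrs in accounts.items():
        for attr in attributes:
            value = attrs.get(attr)
            if value is None:
                continue
            if (attr, value) in seen:             # reuse links two personas
                parent[find(name)] = find(seen[(attr, value)])
            else:
                seen[(attr, value)] = name
    groups = defaultdict(set)
    for name in accounts:
        groups[find(name)].add(name)
    return sorted(groups.values(), key=lambda s: sorted(s))

def broken_compartments(accounts, attributes):
    """Return only the groups where two or more personas were linked."""
    return [g for g in linked_compartments(accounts, attributes) if len(g) > 1]

if __name__ == "__main__":
    for attrs in (["username"], ["password"], ["username", "password"]):
        print(attrs, broken_compartments(ACCOUNTS, attrs))
```

Note that the username and the password each leak only a pair of personas, but correlating both collapses three of the four compartments into one, which is the point of the thought exercise.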