OPSEC:Operational Security

This post focuses on learning and familiarizing yourself with various measures on how to deal with powerful adversaries, understanding the basic principles of OPSEC, and understanding how to effectively maintain anonymity online.

Security Habits and Behaviors

To ensure that there are good security enforcement habits and behaviors in place, it is possible that targeting this control is underestimated and most likely to compromise your security, privacy and anonymity if implemented poorly.

Privacy and Anonymity

So let’s again define privacy, anonymity, and pseudo-anonymity. Privacy is nobody seeing what you do but potentially knowing who you are. Privacy is about content, maintaining confidentiality and keeping secrets.

Anonymity is nobody knowing who you are, but potentially seeing what you do. Anonymity is keeping your actions and activities separate from your true identity. Anonymity concerns your identity. Anonymity is when out of a set of all the possible people there is an equal chance it could be anyone. You may desire this for viewing content but not for making it; it depends. Anonymity means non-attribution to your actions, to be nameless, to be faceless. Finally, pseudo-anonymity is when you wish to retain a reputation against an identity. A common example is having an alias for social media or for a forum online. This picture sums it up. An adversary may not know who the blue bag user is, but they can attribute posts and activities to him or her. This is an alias, a cover, a false identity.

The Importance of OPSEC

This section is aimed more for those who want anonymity and non-attribution to their actions. OPSEC is as important as your adversary is well-resourced and the consequences of your actions are high. If non-attribution really matters, then OPSEC must not be skipped.

If your adversary is a law enforcement agency or nation-state, this section is aimed at freedom fighters, journalists, whistleblowers, the repressed, and others without justice.

From a Wall Street Journal article by James Kilpatrick, one of the HSI agents who is or was part of Operation Roundtree, he emphasizes the need for OPSEC. He said, “There’s not a magic way to trace people.” He’s talking in this example through TOR, but it applies generally to attribution online. So we typically capitalize on human error, looking for whatever clues people leave in their wake. “Capitalize on human error.” Another quote for you. “Most people don’t have the discipline to not make a mistake.” Kilpatrick continues, “the average person is too worried about doing their business to never make a mistake.” Waiting for mistakes is part of good old-fashioned, standard police work.

Law enforcement investigations traditionally rely on people making mistakes, basic OPSEC failures. It’s not about decrypting your encryption or finding you through tunnels of anonymity; it’s about basic OPSEC failures. That’s what’s more likely to get you.

People are usually caught because of activities they performed in the early stages that were non-anonymous and tie back to their real identity, not realizing the internet never forgets and you are being watched.

Sound OPSEC is required from the beginning to counter any serious adversary.

GitHub – psal/anonymouth

Multiple Identities Online

Many people have at least two identities, separated into different security domains: personal laptops, personal emails, personal accounts, etc., and then you have a professional laptop, professional email, and accounts. However, the line is blurring between these two identities due to factors like bring your own device, accessing work via personal laptops and mobiles, using business laptops for personal activities, and mixing social media with work and personal contacts. With more of our lives becoming part of the internet, consider the risks associated with your online activities.

Could an unfortunate post on social media affect your career? Could simply liking a post cause you problems? Are you hesitant to like posts due to potential reactions from others? What are the consequences of posting, viewing, or creating content online? How might your personal opinions impact your career? Do you want to mix colleagues with friends and family online? Do you have distinctly private activities that you don’t want associated with your real identity? Do you engage in activities that law enforcement agencies or nation states have laws against?

To successfully manage your privacy, anonymity, and pseudo-anonymity online, you need an identity strategy to deal with these issues.

Identity Strategies

Here are some main strategies for managing contextual identities online. You may already have an identity strategy but might not have considered the details of how you’re implementing it.

1. Open Strategy This involves using your real identity and being transparent. Some people live their real lives in the public eye, which is suitable for certain situations and cultures. However, this can be risky and makes you vulnerable. Your circumstances will determine if this is viable. Even if you have an open strategy, you can still restrict the amount of personal information you disclose for security reasons.
2. Avoidance Strategy This strategy involves avoiding certain social media, not posting, or even not viewing certain content. While this is often unrealistic and deprives you of the internet’s advantages, some security professionals employ this strategy and maintain no online presence apart from an email address.
3. Audience Strategy This strategy keeps separate audiences for different aliases and content. For example, using Facebook for friends and family and LinkedIn for professional networks. This is risky because, despite restricting content to a certain audience, there’s no guarantee that audience won’t share the content with others.
4. Content Strategy This involves only posting, viewing, and creating carefully considered content. With this strategy, you’re required to create content that presents a consistent image to everyone, which may not always be authentic. This approach could still lead to unintended consequences.
5. Compartmentalization Strategy This strategy uses one or more contextually separate identities from your real identity. For instance, you might use “John Smith” on Facebook, “John Doe” on a forum, and your real name on LinkedIn. Compartmentalization between identities is necessary for maintaining anonymity and pseudo-anonymity online.
6. Custom Strategy Most people’s strategies will be a combination of avoidance, audience, content, and compartmentalization. When the content is tailored for a specific audience or the identity aligns with the content, the risks are reduced.

In summary, you should choose and implement an effective strategy tailored to your situation if you need privacy, anonymity, and pseudo-anonymity online. Remember, the internet doesn’t forget, and nation states are collecting and maintaining your internet traffic en masse. This could be used against you in the future based on your past and future actions. If you’re sending traffic without strong ephemeral keys, nation states could retrieve it from their archives and decrypt it with advanced technology in the future.

Therefore, having an effective identity strategy is crucial to maintain your privacy, anonymity, and pseudo-anonymity online.

OPSEC for Political Dissidents

This section is dedicated to political dissidents, freedom fighters, and those who require non-attribution to their real identity. The first step in establishing effective Operational Security (OPSEC) for maximum anonymity is to set up your environment and identities. The more serious your adversary and the potential consequences, the more seriously you should take OPSEC. You will need separate security domains for each identity. If you aren’t sure what that means, refer to the section on security domains to understand it fully.

Identity and Environment Setup

Separate security domains per identity are crucial. Even the configuration of your browser, known as the browser fingerprint, can link identities together. Therefore, you need to use separate browsers, achieved through isolation. We will discuss how to achieve this in the isolation and compartmentalization section. Remember, your identities require isolation and compartmentalization, meaning they need their own security domains so that everything remains separate and relevant to them. This includes different browsers, operating systems, and cookies.

Establishing a Cover

Once you have set up security, anonymity services, and compartmentalization, the next step is to establish a cover. A cover is a character or identity that will appear responsible for your actions when necessary. This character takes the blame when things go awry. You need your own “Kaiser Soze.” If you aren’t familiar with this reference, your task is to watch the movie “The Usual Suspects” to understand who Kaiser Soze is.

Utilize anonymizing services like VPNs, Tor, and other security controls discussed throughout the course to remain anonymous. You also need to create accounts for your private and anonymous activities related to the new alias you are establishing. This includes setting up fake Twitter, Facebook, Gmail, and forum accounts, and creating supporting evidence for your alias.

Creating Supporting Evidence

For inspiration, try using a site like Fake Name Generator, where you can generate fake identities, including social security numbers. Use a secure method, like LastPass or another secure identity manager, to store the information for each alias profile. You can customize the generated identities by selecting different attributes such as gender, name, and country.

Depth of Your Alias

To maintain anonymity against a serious adversary, you must create an entire persona. Define your alias’s gender, location, job, physical attributes, and even personal history. You must embody this character to avoid revealing personal information inadvertently. Even casual conversation about local weather could compromise your identity.

Sub-Aliases and Networks

You can also create what are called “sub-aliases.” For instance, if you are a political dissident, you might register on a forum under a username that does not relate to your main alias but is connected via email. This way, if one identity is investigated, it only leads to other fake aliases.

Monitoring and Security

Setting up monitoring for your identities can alert you to anything relating to them, including your real identity. Just remember that alerts should be sent to the correct alias to avoid cross-contamination.

https://www.google.com/alerts

Real-World Considerations

If your adversary has significant resources and motives, such as a nation-state, total privacy and anonymity online require that you are also anonymous in the real world. Unfortunately, there is no compromise on this. The nature of the internet and the supporting technology is not designed for privacy or security; thus, you cannot guarantee total anonymity online.

Final Thoughts

For those in extreme situations, like political dissidents or freedom fighters, it may be necessary to establish fake offline identities and cover stories. A recommended resource is the book “The Baby Harvest,” which discusses how virtual identities can be established for terrorist financing and money laundering.

Additionally, consider searching the dark web for fake IDs and setting up realistic aliases. If you need to escape your country, look for nations without extradition treaties. This information is critical for those needing non-attribution due to their circumstances.

Maintaining Compartmentalization and Isolation

If you have separate identities, it is crucial to maintain compartmentalization and isolation between them. Failing to separate your identities is the number one mistake people make when attempting to establish security for anonymity. Layers of compartmentalization and isolation through security domains help reduce contamination. There should be no contact between identities and aliases, as this represents your biggest risk. Identities can also be referred to as covers, aliases, or pseudonyms.

Importance of Cross-Contamination Checks

If your identities matter to you, it’s important to check for cross-contamination between them. A notable example is Ross William Ulbricht, the alleged dread pirate Roberts, who operated the original Silk Road—a deep web hidden service used for the exchange of illegal goods and services. Ross contaminated his real identity from the beginning, which made him susceptible to capture.

He made posts under his real identity related to hidden services and Bitcoin coding, and years later, he used an alias on Silk Road that tied back to those original posts. This connection was easily discoverable through a simple Google search—no complex decryption was required. This case exemplifies identity contamination and a fundamental failure in OPSEC.

Steps to Find and Mitigate Contamination

1. Search for Cross-Contamination: If you have separate identities, spend time searching for cross-contamination if you want to continue using them. Start with a simple Google search and use other search engines as well. Ensure you use anonymizing services during this process.
2. Addressing Contamination: If you find that contamination leads back to your real identity, and there are consequences, you need to initiate damage control immediately. This may include removing the contamination, which might not always be possible.
3. Evaluate OPSEC Rules: If you have failed to maintain OPSEC and contamination exists, plus the consequences are severe, you may need to abandon those identities and cut your losses completely. For example, if Ross had recognized his contamination and decided to quit, it might have protected him since authorities typically need evidence to convict.
4. Creating New Identities: If the situation is dire, consider starting fresh with new identities. If the “tree is already poisoned,” don’t keep consuming its fruit. Given high consequences, you might need to establish a new real-life identity.

Deleting or Modifying Online Information

• Information Deletion: Google provides limited support for removing information. This could include national IDs, bank account numbers, credit card numbers, images of signatures, and sexually explicit images. Most social media sites allow you to delete your account, but they might retain archived backups.
• Social Media Account Deletion: You can delete accounts on platforms like Facebook and Twitter through account settings. However, understand that archives of your data might still exist.
• Falsifying Existing Information: For accounts you cannot delete, consider falsifying the information stored in them. Unsubscribing from mailing lists and deleting your search engine history is also advisable.
• Contacting Webmasters: Reach out to webmasters to request deletion of content. Data clearinghouses might be effective in removing some of your information, and you can get unlisted with relevant phone companies.
• Managing Email Accounts: Delete your email accounts and all associated emails. In forums, you may be able to edit or delete your posts.

Your Private Data Is All Over the Internet. Here’s What You Can Do About It – CNET

Archival Considerations

The Wayback Machine is a site that archives the internet. If you search for your information there, it’s possible that your data is stored in their archives, which can potentially be deleted by contacting them at info@archive.org. However, your adversary may have already recorded the information.

Legal Considerations

Finally, consider what you can do legally under the right to be forgotten. Research how this might apply to your situation, as it may provide a way to remove information about you.

Ten OPSEC Rules for Serious Anonymity

Let’s go through ten OPSEC rules that I highly recommend for those who need serious anonymity and pseudo-anonymity online. These rules are designed to help you maintain security and protect your identity. Here they are, in no particular order.

Rule 1: Always Keep Your Mouth Shut

• Details Matter: Never reveal operational details. For example, don’t tell people that you use specific VPNs or that you love certain devices.
• Be Vague: If you’re unhappy with a service like TOR, don’t explicitly say so; you’re revealing operational details.
• Public Discretion: In public places, use code words (cryptonyms) to avoid being explicit.

Rule 2: Trust No One

• Zero-Trust Model: Assume that everything and everyone cannot be trusted.
• Information Sharing: Share information on a need-to-know basis only. The fewer people who know your plans, the better.
• Co-Conspirators: Beware of co-conspirators; they can turn against you if caught. Treat them as potential adversaries.

Rule 3: Never Contaminate Identities

• Keep Identities Separate: Do not share anything between aliases—no email addresses, passwords, or even friends.
• Avoid Simultaneous Use: Don’t use different identities at the same time; it can lead to correlation.
• Isolation: Use separate devices and connections for different identities to prevent linking back to your real identity.

Rule 4: Be Uninteresting

• Fly Under the Radar: Make everything about you as uninteresting as possible.
• Avoid High-Risk Areas: Stay away from potentially risky forums or places where you could attract attention.
• Average Identity: Establish a believable, average identity instead of drawing attention with unusual traits.

Rule 5: Be Paranoid

• Active Awareness: If you have an adversary, be actively paranoid.
• Consider All Angles: Think from your adversary’s perspective and reinforce your basic security measures like patching your devices.
• Fail-Safe Technology: Use kill switches and other protective technologies to safeguard your anonymity.

Rule 6: Know Your Limitations

• Operate Within Your Knowledge: If you don’t fully understand something, either stop or accept the risks.
• Stick to Familiar Technology: Use technology and processes that you understand to avoid complications.
• Keep It Simple: The more complex your setup, the more likely it is to fail.

Rule 7: Minimize Information

• No Logs, No Crime: Avoid logging anything you don’t need.
• Destruction of Evidence: Keep only necessary operational information and destroy everything else.
• Vague Communications: Send as little information as possible in your communications, and always encrypt your messages.

Rule 8: Be Professional

• Serious Attitude: Treat your OPSEC, security, and anonymity with the seriousness they require.
• Educate Yourself: If you have limitations, take steps to learn more.
• Business Approach: Treat your efforts like a business, rather than a hobby.

Rule 9: Employ Anti-Profiling

• Avoid Personal Info: Don’t reveal anything that can be used to create a profile of you.
• Be Anonymous Online: Don’t use personal identifiers in your online identity, and avoid revealing your location or routines.
• Use Misinformation: Create misleading information about yourself to throw off any potential profiling attempts.

Rule 10: Protect Your Assets

• End-to-End Encryption: Always send data with end-to-end encryption.
• Choose the Right Technology: Based on your risk level, select and correctly configure the technology that best protects your assets.
• Know What Matters: Protect what matters most, and you’ll know you’ve succeeded if you don’t get a knock at the door.

Following these OPSEC rules will help ensure your anonymity and protect your identity online. Always stay aware of the risks and act accordingly.

Understanding Stylometry and Its Implications

What is Stylometry?

Stylometry is a statistical analysis method used to identify variations in the writing style of different authors or genres. Research indicates that if someone has access to around 5,000 to 6,500 words of your writing, they can determine with about 80% accuracy what other texts you might have written. This means that if you have an alias, it could potentially be linked back to your real identity based on your unique writing style.

The Challenge of Anonymity in Writing

English writing is currently easier to analyze due to the availability of more tools and extensive research focused on it. If your writing style can be recognized, it becomes a risk for your anonymity.

Tools for Analyzing Writing Style

Here are some tools available for stylometry:

• Jason: An open-source writing style analysis and anonymizing framework, consisting of:
  • JS Stylow: An authorship attribution tool that connects authors to their writings.
  • Anonamouth: An authorship evasion framework designed to help authors avoid detection.
• Signature: Another authorship attribution tool with similar capabilities.
• Anti-stylometer Tools: Simple tools that can help assess writing styles but may not be very effective.

Example of Stylometric Analysis

To demonstrate, you could input a piece of writing (like Isaac Asimov’s style) into one of these tools to see how it analyzes the text. The output can reveal specific stylistic characteristics, which may help identify the author.

Implications of Stylometry

Nation-states are likely working on developing capabilities related to stylometry, although there is limited public information on this. The ability to combine stylometry with OPSEC failures and profile leaks makes attribution significantly easier for attackers.

Mitigating Risks from Stylometry

Here are some strategies to counter automated recognition tools:

1. Use Authorship Recognition Tools: To understand how vulnerable your writing is to stylometric analysis.
2. Consider Multiple Sub-Aliases: Using multiple aliases can complicate the process of linking back to your real identity.
3. Write Less: The less you write, the harder it is to attribute your work.
4. Use Content from Other Sources: If possible, share text from other authors or impersonate their writing styles.
5. Add Extra Data: Including lists or poems in your writings can mix styles, making it harder for automation to determine authorship.
6. Incorporate LeetSpeak: Using LeetSpeak (replacing letters with similar-looking numbers or symbols) can further obscure your writing style. For example, converting “leet” into “1337”.
7. Be Mindful of Coding Style: If you are writing code, your programming style can also be analyzed, making it essential to consider how your coding practices might reveal your identity.

Additional Resources

For further exploration of anonymous writing styles, you can check out the Hidden Wiki, which provides more resources and information.

Preparing for Law Enforcement Encounters

Planning for the Knock

If you anticipate that your adversary may be law enforcement or a nation-state, it’s critical to prepare for the possibility of being arrested, interrogated, or even tortured, depending on the regime you live under. Here are some strategies to consider:

• Laptop Security: Have your laptop set up to operate without a battery and include a kill switch to turn it off quickly. This prevents potential decryption efforts by anyone trying to access your information.
• Encrypted Storage: Store your private keys and sensitive data on an encrypted SD card that can be easily destroyed.
• Escape Routes: Plan an escape route in advance. Your “knock plan” should be developed as you progress through this course, especially if you have high-risk needs.
• Stay Calm: When confronted, remain calm and composed, but act anxious, scared, and confused if needed. This can work in your favor.

Legal Preparedness

• Solicitor On Call: If your country has a legal system you can somewhat trust, ensure you have a solicitor ready to call when needed. Prepay your solicitor to protect your funds from seizure.
• Know Your Rights: Research and understand your rights in your nation so you can effectively navigate the legal system.
• Signal Your Arrest: Have a method to signal to trusted people that you have been arrested or visited by law enforcement.

Interrogation Strategies

• No Comment Approach: In English-speaking nations, saying “no comment” to questions can often be beneficial. However, this depends on your specific situation.
• Silence Can Imply Guilt: Be aware that silence may be interpreted in various ways, so prepare for this possibility in advance.
• Avoid Interrogation Traps: Don’t be fooled by interrogation techniques that create a false sense of security or appeal to your ego. Remember, their goal is to secure a conviction, not to help you.

Understanding Your Environment

• Evidence Requirements: In Western countries, law enforcement typically needs solid evidence to charge you with a crime. However, in more repressive nations, evidence may be irrelevant, so understanding how the system operates is crucial.
• Use Activist Resources: Websites catering to activists often provide useful legal advice. Familiarize yourself with these resources, as they can guide you through your rights and options.

The Totality of Circumstances

In the United States, the legal standard often involves looking at the “totality of circumstances.” This means that all factors must be considered as a whole to determine probable cause or the legality of a detention.

• OPSEC Failures: The more OPSEC failures you exhibit, the clearer the picture you paint of your behavior to law enforcement.

During Interrogations

• Carefully Note Questions: Pay attention to what information the authorities do not ask about, especially regarding co-conspirators, who could potentially be working with them.

Polygraph Testing

• Skepticism Towards Polygraphs: Understand that polygraph tests lack scientific reliability and are largely dependent on your fear and ignorance. Educate yourself about them.
• Resources for Learning: Consider reading “The Lie Behind the Lie Detector,” a resource that outlines the deception behind polygraph tests. Websites like Antipoligraph also offer helpful information.

Repressive Regimes

In countries with oppressive governments, conventional advice may not apply, and the methods of dealing with interrogations can be unpredictable. Knowledge of the local system is essential for navigating these situations.

Educate yourself on interrogation and counter-interrogation techniques as this knowledge can be invaluable. Always prepare for the worst while hoping for the best.

Case Studies in OPSEC Failures

Let’s explore some compelling case studies highlighting failures in Operational Security (OPSEC). These examples demonstrate that many failures arise from basic mistakes, often exploited by advanced adversaries. None of the criminal actions in these cases are condoned; they serve to illustrate the importance of OPSEC.

Case Study 1: LULSEC

• Background: Hector Monsegur, known as Sabu, typically connected to the LULSEC channel via TOR. The FBI monitored this channel.
• Failure: He logged in using his real IP address, leading to his capture. This single mistake set off a chain of events.
• Collaboration: After being arrested, he began to collaborate with authorities.
• Communication Errors: Another LULSEC member, Jeremy Hammond, inadvertently shared that he was on probation, which narrowed down possible suspects and led the FBI to monitor his internet access.
• Profiling and Correlation: The FBI correlated times when a user was active in the channel with when Hammond was online, demonstrating effective profiling based on simple OPSEC failures.

Common Mistakes

• Operational Discussions: Members discussed their operational activities, including the use of TOR and VPNs, and even used stolen credit cards for purchases linked to their identities.
• Lack of Discretion: They didn’t adhere to basic OPSEC rules, failed to remain discreet, and trusted people who were working for the FBI.
• Result: LULSEC’s activities ultimately led to its downfall.

Case Study 2: Silk Road

• Background: Ross William Ulbricht, alleged to be the Dread Pirate Roberts, operated the Silk Road, which processed approximately \$1.2 billion in transactions.
• Investigation: The FBI used simple online searches to connect Ulbricht to Silk Road. His online posts linked him directly to the operation.
• Technical Mistakes: Ulbricht’s use of a Gmail account to post on forums directly tied his real identity to Silk Road.
• Capture: The FBI located Ulbricht at a library, where he was logged into the Silk Road while using his laptop, which was not locked, exposing him to evidence collection.

OPSEC Failures

• Identity Contamination: Ulbricht’s failure to separate his personal identity from his online persona led to his capture.
• Lack of Encryption: His unencrypted laptop was seized, containing a detailed journal of his actions.
• Result: Silk Road was ultimately shut down due to these failures.

Case Study 3: Harvard Bomb Threat

• Background: Aldo Kim allegedly made a bomb threat to avoid a final exam, using the university network to connect to TOR.
• Mistake: He sent the threat using a disposable email account, which still revealed his IP address through the originating headers.
• Investigation: Basic policing techniques identified students accessing TOR during the relevant time frame, leading to Kim’s identification.
• Confession: Under questioning, Kim confessed, illustrating basic errors in maintaining OPSEC.

These case studies underline the necessity of strong OPSEC practices. Simple mistakes can lead to significant consequences, making individuals vulnerable to legal repercussions. The people with effective OPSEC typically remain unnoticed, as there are no case studies about their success. For more interesting stories of OPSEC failures among spies, consider checking out additional resources on this topic.

2012 On the Feasibility of Internet-Scale Author Identification.pdf

AntiPolygraph – YouTube

Black Hat 2013 – OPSEC Failures of Spies

Don’t Talk to the Police

Conclusion

This article discusses how to effectively protect privacy, anonymity, and pseudo-anonymity, emphasizing the importance of OPSEC and providing online identity management strategies. It also explores combating online identity contamination, legal issues, dealing with law enforcement, and preparation for potential interrogations. Additionally, it covers the threat of stylometry to anonymity and coping strategies, and illustrates the consequences of OPSEC failures through case studies.