OPSEC for hackers (slideshare.net)
87 points by stfu on May 18, 2013 | 15 comments



From the Q&A at the end ( http://www.youtube.com/watch?v=9XaYdCdwiWU&feature=youtu... ), Grug has this to say on TOR:

"Against [Law Enforcement Officials], it's fine. Against a nation-state, the TOR network has insufficient resources and has sufficient bad actors that it is not actually secure. So if you're going to hack the shit out of the NSA and do really really bad planning and do not actually evaluate the targets you are after, you will go to jail."

He also expands on how to unmask a user by controlling both the exit and entry nodes:

"So if you can purchase 300 VPS accounts at $5 each then you can set up 1% of the TOR network and statistically, over a month, you will be able to uncover a large number of users. [...] You are better off selecting your targets so they will not be state actors."
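
The "1% of the network, one month" remark above is a risk estimate, and it is worth seeing the arithmetic behind it. The model below is an added example, not code from the talk or the slides: it assumes relays are chosen in proportion to bandwidth, that an adversary holding fraction c of that bandwidth therefore owns each end of a circuit with probability c (both ends with probability c squared), and that an active client builds a fresh circuit roughly every 10 minutes (Tor's default MaxCircuitDirtiness). It also goes beyond the quote by showing how Tor's entry guards, a fixed small set of entry relays a client keeps for months, change the picture: the per-circuit gamble becomes a one-off draw at guard-selection time. The guard count of 3 is an assumption about the client's configuration.

```python
import math


def circuit_compromise_probability(adversary_fraction: float) -> float:
    """Probability that ONE circuit has both its entry and its exit relay run
    by the adversary. Assumed model: each end is picked independently in
    proportion to bandwidth, so holding fraction c gives c at each end."""
    if not 0.0 <= adversary_fraction <= 1.0:
        raise ValueError("adversary_fraction must be between 0 and 1")
    return adversary_fraction * adversary_fraction


def circuits_per_period(period_minutes: int, circuit_lifetime_minutes: int = 10) -> int:
    """Fresh circuits a continuously active client builds in the period.
    10 minutes is Tor's default MaxCircuitDirtiness; continuous use is assumed."""
    return period_minutes // circuit_lifetime_minutes


def deanon_probability_no_guards(adversary_fraction: float, circuits: int) -> float:
    """P(at least one fully compromised circuit) if every circuit draws a new
    entry relay. This is the model behind the 'control 1%, wait a month' remark:
    each circuit is an independent lottery ticket for the adversary."""
    p = circuit_compromise_probability(adversary_fraction)
    return 1.0 - (1.0 - p) ** circuits


def deanon_probability_with_guards(adversary_fraction: float, circuits: int,
                                   num_guards: int = 3) -> float:
    """Same question when the client pins a small set of entry guards.
    The adversary must already own one of the guards (one draw when the guard
    set is chosen); only then does each circuit through that guard also need
    an adversary exit. Assumes circuits spread evenly over the guards."""
    guard_hit = 1.0 - (1.0 - adversary_fraction) ** num_guards
    per_circuit = adversary_fraction / num_guards      # our guard AND their exit
    exit_hit_eventually = 1.0 - (1.0 - per_circuit) ** circuits
    return guard_hit * exit_hit_eventually


def monthly_exposure(adversary_fraction: float) -> dict:
    """Summarise a 30-day window for one continuously active client."""
    n = circuits_per_period(30 * 24 * 60)
    return {
        "circuits": n,
        "per_circuit": circuit_compromise_probability(adversary_fraction),
        "no_guards": deanon_probability_no_guards(adversary_fraction, n),
        "with_guards": deanon_probability_with_guards(adversary_fraction, n),
    }


if __name__ == "__main__":
    for c in (0.01, 0.05):
        r = monthly_exposure(c)
        print(f"adversary holds {c:.0%}: {r['circuits']} circuits/month, "
              f"per-circuit {r['per_circuit']:.2e}, "
              f"month without guards {r['no_guards']:.1%}, "
              f"with 3 guards {r['with_guards']:.1%}")
```

The two models give very different answers for the same 1%: without guards roughly a third of continuously active users pick a doubly-owned circuit within a month, while with guards about 3% of users are exposed (those whose guard set happens to contain an adversary relay) and the rest are not, however long they wait. Either way the conclusion of the talk stands: the defence is to not be worth this kind of investment, not to assume the network absorbs it.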


The full talk which goes with these slides: https://www.youtube.com/watch?v=9XaYdCdwiWU


And the .pdf file of the slides: http://conference.hitb.org/hitbsecconf2012kul/materials/D1T3...

(The link is on the video of the full talk.)


The so-called hackers have to be dissuaded from sharing personal details in the chatrooms? This document looks like the proof that these groups are made of regular kids more than security experts, in my opinion.


Not really. These things are hard to get right and stick to for prolonged periods of time. This requires practice and discipline.

Ordinary people (and even trained professionals [1]) get sloppy and make mistakes. Thus, this line from the presentation is golden:

"Amateurs practice until they get it right, professionals practice until they can't get it wrong."

[1]: Another excellent essay by the same person - grugq (of +HCU and Fravia+ fame) on the major OPSEC fuck-up by the CIA in Lebanon and the factors that likely led to the full compromise of a big informant network, and possibly the deaths of a number of people [2]: http://grugq.github.io/blog/2013/03/12/anonymity-is-hard/

[2]: http://www.wired.com/dangerroom/2011/11/pizza-cia/

added: even small things like complaining about freezing your ass off due to the cold weather, accidentally linking two nicknames, or emerging at regular times (synced with a specific timezone) could be used to uncover your identity. As evidenced, slip-ups like these could get you in jail. You can check the discussion from a few weeks back about the hassles of creating a truly anonymous page on the Internet: https://news.ycombinator.com/item?id=5638988


I'm somewhat concerned with the blanket recommendation of TOR. As has become clear, TOR traffic is blatantly obvious. Yes, your data is secure, but the fact that you are using TOR... is not. And there should be no surprise that the feds employ low-tech methods like just matching your activity on a chat to traffic on your line and the like.

We really need something like automatically mutating protocols, not the TOR "I'm HTTPs that no one would ever use for HTTPs" stuff.


Their method would have been a lot more difficult had they not caught Sabu and flipped him. Even with Sabu flipped, absent a confession they only have a lot of circumstantial evidence on Jeremy.

Sabu was blatantly poor at covering up his identity. He was doxed by other hackers online long before the FBI found him (apparently it was one of the anti-anonymous 'patriot' hackers who passed on Sabu's real ID to the FBI).

Without Sabu, they wouldn't know where to park the van, or which VPN providers and ISPs they need to subpoena.

Sabu made two mistakes. First he pasted a link to a file in IRC that was hosted on prvt.org. Somebody looked up the historic whois records for that domain and found the name Hector Monsegur.

His second mistake was that his Tor setup didn't "fail close", and when his local SOCKS server died his IRC client accidentally logged him in using his real IP address.

The feds can't match Tor activity if they don't know where to park the van. They also relied on Jeremy having a weak Wifi setup where they could watch his network connections. All of these other leads, including the personal details to match against, relied on first flipping Sabu.

The ideal Tor setup is having an intermediary isolating proxy, and preferably one that is hosted offshore in another jurisdiction. For extra security, run a VPN connection over that, so it would look like:

laptop => OpenVPN or SSH tunnel => offshore server => privoxy (header munging) => VPN connection => tor => tor exit node => VPN server => internet

To prevent matching against a shared circuit, set up multiple tor circuits and randomly load balance across them, and do the same with the VPN.

Tor is just like a lot of other things: it can be set up and used in such a way that it leaks a lot of data and information, but it can also be used as part of a chain that makes the job of unmasking the user a lot more difficult.


Tor is useful for hackers and law enforcement alike because it anonymizes the TCP client from the TCP server. Obviously this is useful for both hackers and law enforcement investigators alike. You're right in that that has its limits. It doesn't protect against traffic analysis by an adversary who is able to observe both the client's and the server's internet connection.

But the talk was about "OPSEC for Hackers". If the hacker's adversary is already monitoring his internet connection for correlation to specific and ongoing attacks, he's pwned.

This was filed in court in at least one of the Anonymous prosecutions. Basically the investigators said "We observed the suspect walk into his house, we observed his Mac connect to his wifi, we observed Tor traffic over his wifi, and we subsequently observed the suspect's hacker alias join the IRC channel."


The limitations of TOR were made clear in the talk that the slides were meant to accompany.


"fail safe technological solution" = tor? Grug, that's not good advice to give out.

First, it's never good to rely on anything. Second, it's well known that people run tor gateways as a means to acquire 'interesting' traffic, and that probably includes law enforcement (though Appelbaum does seem to have an honest aura, the project did originate from US government funding). Many people relying on tor probably do not realise this.

Be careful out there!


I believe the term Grugq used was "fail-closed" (at least that's what he said rather than wrote). By that, he didn't mean that Tor was foolproof, but rather that you should use a setup that sends information through Tor by default (opt-out), rather than using something where you have to activate it in order to use it (opt-in). The idea is to reduce the potential for silly mistakes like engaging in activities with Tor off by accident.

Also, one of the questions he answered at the end of the talk was about whether Tor could protect you against determined state actors, and he talked about a certain flaw where if you have control over a certain percentage of the Tor network you could infer people's source IPs. He also speculated on what levels of government Tor would or would not be a viable means of protection against, so I think he'd agree with you about the risks of Tor.
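
The "fail-closed" idea in the comment above (and the SOCKS-proxy-died-so-the-IRC-client-connected-directly failure described earlier in the thread) is easiest to see in code. The connector below is an added example, not code from the talk, the slides, or the Tor project: it speaks SOCKS5 to a local proxy (assumed to be a Tor client on its default SocksPort, 127.0.0.1:9050, configurable), sends the destination as a domain name so the proxy does the DNS lookup, and, if the proxy is down or rejects the request, raises rather than opening a direct socket. The `free_local_port` helper is a constructed test aid for simulating a dead proxy.

```python
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)  # assumed: a local Tor client on its default SocksPort


class ProxyUnavailable(RuntimeError):
    """The proxy could not be reached or refused the request. Fail closed: we
    stop here instead of retrying over a direct socket, which is the leak
    the thread describes (a dead local SOCKS server, a client that connects
    anyway, and the real IP address ends up in the server's logs)."""


def build_socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request using ATYP 0x03 (domain name), so the proxy
    resolves the name. Resolving it locally first would leak a DNS query."""
    hb = host.encode("idna")
    if len(hb) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(hb)]) + hb + struct.pack("!H", port)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a short read means the proxy went away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ProxyUnavailable("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def open_via_proxy(host: str, port: int, proxy=TOR_SOCKS, timeout: float = 5.0) -> socket.socket:
    """Return a socket to host:port tunnelled through the SOCKS5 proxy, or raise.
    There is no code path that reaches host:port without the proxy."""
    try:
        sock = socket.create_connection(proxy, timeout=timeout)
    except OSError as exc:
        raise ProxyUnavailable(f"SOCKS proxy {proxy[0]}:{proxy[1]} unreachable: {exc}") from exc
    try:
        sock.sendall(b"\x05\x01\x00")  # version 5, one auth method offered: none
        if _recv_exact(sock, 2) != b"\x05\x00":
            raise ProxyUnavailable("proxy rejected the no-auth method")
        sock.sendall(build_socks5_connect(host, port))
        ver, rep, _rsv, atyp = _recv_exact(sock, 4)
        if ver != 5 or rep != 0:
            raise ProxyUnavailable(f"CONNECT failed, SOCKS reply code {rep}")
        # Drain the bound address so the socket is positioned at application data.
        if atyp == 1:        # IPv4 + port
            _recv_exact(sock, 4 + 2)
        elif atyp == 4:      # IPv6 + port
            _recv_exact(sock, 16 + 2)
        elif atyp == 3:      # length-prefixed domain + port
            (n,) = _recv_exact(sock, 1)
            _recv_exact(sock, n + 2)
        else:
            raise ProxyUnavailable(f"unknown address type {atyp} in reply")
    except ProxyUnavailable:
        sock.close()
        raise
    return sock


def free_local_port() -> int:
    """Constructed test helper: a loopback port nothing is listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def connection_outcome(host: str, port: int, proxy) -> str:
    """'proxied' if a tunnelled connection was established, 'refused' if we
    stopped because the proxy was unavailable. Deliberately no third outcome."""
    try:
        sock = open_via_proxy(host, port, proxy)
    except ProxyUnavailable as exc:
        print(f"refused: {exc}")
        return "refused"
    sock.close()
    return "proxied"


if __name__ == "__main__":
    dead_proxy = ("127.0.0.1", free_local_port())
    print(connection_outcome("example.com", 443, dead_proxy))  # refused, no direct fallback
```

The leaky version is a one-line difference: an `except` branch that calls `socket.create_connection((host, port))` when the proxy is down. That "helpful" fallback is exactly the opt-out-by-accident mistake the comment warns about, and the reason the safe default is for the application to have no direct route at all (a firewall rule that only permits the Tor process to make outbound connections is the usual belt-and-braces companion to this).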


It's very very difficult to be anonymous online.


Not really. The methods detailed in that slide deck are hardly difficult to implement. Most consist of common sense.


You only need to screw up once to blow your identity, though. And never screwing up is ... difficult.


Seems to be a proper beginners' guide, however the Bitcoin part is heavily flawed. It should show an intro guide or link to a wallet greening manual, as BTC can destroy your anonymity.



