GPG - Exclusion Zone Security

Name: John Ostrander
Website: exclusionzone.org
EMail: [email protected]
GPG: AF69395B
A408 : E320 : 570C : 057F : D920 : B912 : EAB5 : 7AD8 : AF69 : 395B

Warnings & Disclaimers
● I am not a lawyer
  – Do not misconstrue anything I say as legal advice
● There is no such thing as a 100% secure system
  – Hardware bugs, software bugs, and OpSec bugs still exist
● InfoSec and OpSec are a system
  – These are just tools; not a comprehensive solution
  – InfoSec and OpSec take study and practice
● This will not protect you from an APT
  – Alphabet soup is slimy
● This Presentation is not rated PG
● I am human
  – I won't maliciously mislead y'all, but I make mistakes too

How Can Into OpSec
5 Part OpSec Process
● Identify Critical Information
  – The shit you don’t want others to know
● Analyze Threats
  – The bad people that want to know that shit
● Assess Risks
  – What might happen if the bad people find that shit out
● Analyze Vulnerabilities
  – The ways the bad people might come to know that shit
● Apply Countermeasures
  – Ways to stop the bad people from finding out that shit

This Guy

My 2 Part OpSec Process
● STFU
  – Put down the ego
  – Ops are need to know
● One law at a time
  – Minimize risk

Crypto and Codes
● Crypto is great
  – Crypto in layers is even better
  – TOR + HTTPS
  – HTTPS + GPG
● Don’t be explicit
  – “Start project Comus at Duke”
● Don’t use codes
  – Hang out at the library
    ● Hang out == Start project Comus
    ● At the library == at Duke
● Use Cryptonyms
  – “Start project Comus at the gates”
  – Grants deniability

Context Switching
● Use aliases
  – Setup Background
  – Accounts
    ● Email
    ● IRC
    ● Facebook
  – Sub-Aliases
● Don’t cross contaminate
  – Use Op specific gear
  – Don’t keep contraband on your personal gear
  – Use Counter Intel techniques

Data Retention
● Don’t keep useless information
  – Chat logs
  – Old Intel
● Don’t keep data on your personal gear
● Keep and follow a strict data retention policy

Stay Frosty
● Paranoia only works pro-actively
  – You can’t fix these mistakes
  – It only takes one mistake
● Keep an eye out for malicious actor tactics
  – Counter Intel Pro
  – Informant Tactics
● Don’t allow yourself to be ignorant
● Don’t allow yourself to be lazy
  – If you’re going to be lazy then you might as well just stay home

Don’t Mix Work and Play
● Don’t run Ops just for giggles
● Don’t run Ops from locations that can be tied to you
● Friends != Op Partners
  – Don’t talk shop when you’re at the bar
  – STFU
● Op Partners != Friends
  – Co-Defendant, not bar buddy
  – Don’t let them know about your life
    ● Even the weather
  – STFU

Questions?

Resources
● My Email:
  – [email protected]
● My GPG:
  – AF69395B
  – A408 : E320 : 570C : 057F : D920 : B912 : EAB5 : 7AD8 : AF69 : 395B
● My Site
  – https://www.exclusionzone.org
● The Grugq’s site
  – http://grugq.github.io/
● The ALF guides
  – http://www.animalliberationfront.com/ALFront/Activist%20Tips/Security/Security_Protection_and_Self_Defense.htm

Special Thanks to The Grugq and Zoz if y’all ever see this. Your talks on OpSec and not fucking it up helped to guide me in making this.