Monday, January 4, 2021

COMSEC for 2021

A lot of folks are wondering what happens if things get spicy.  Big Country has been posting tactical tips, as did Aesop last year (it doesn't look like he has a blog post tag for these so you'll have to dig).  Other folks are posting, and they have an expertise there that I simply don't.

On the other hand, I do have a (professional) background in COMSEC - Communications Security.  This post is how to pull off a level of COMSEC and OPSEC that will make it harder for you to end up on The Powers That Be's radar.  Note that I said harder, not impossible.  Ross Ulbricht messed up OPSEC, and he was very good at it.  A professional grade level of paranoia is not just desirable, it's probably mandatory.

One thing that I keep seeing repeated is the phrase "Be the Gray Man".  That's the primary objective here.  That will limit the sorts of communications that you will be able to (hopefully) keep off TPTB's radar.  And so what I'm going to write about here is not useful for voice or email protection (mostly), and won't help with GPS geolocation tracking.  It's purely a thought experiment on how to transmit decently large quantities of information without TPTB being likely to understand the content, or even know that information is likely being transmitted at all.

That last point is the key.  Traffic Analysis is pretty terrifying, at least to those in the know, and was by far the biggest issue in the whole Snowden/NSA brouhaha.  I'm not sure that this solves that problem, but it takes some steps in that direction.  Remember, your mileage may vary, void where prohibited, do not remove tag under penalty of law.

The first thing we need to look at is how to hide data in a way that doesn't make people think that there's any hidden data.  XKCD captured the problem for the would-be crypto nerd:

This is actually called the Rubber Hose Attack, and it's considered generally effective.  So encrypting your hard disk is A Bad Thing, because it tells anyone who looks that the data is encrypted.  More to the point, encrypting your data communications is A Bad Thing for exactly the same reason.

IMPORTANT NOTE: Using TOR is the absolute opposite of being The Gray Man.  Ignore the widespread reports of state-compromised entry or exit nodes; just the use of the TOR network protocols puts you on the list of "People who think they have Very Important Data that might be worth monitoring".  It's the express lane to Fed.Gov snoops.

OK, so no encryption.  How do you keep communications confidential from prying eyes, and ideally make traffic analysis less likely?  This is Borepatch, and so that means that we'll start with a history lesson.

People have been trying to keep secrets secret for pretty much as long as there have been people.  Growing up, there was a pretty interesting book in the Borepatch household library, Hidden Images.  It gave a number of historical examples of how people hid images of things that were considered double plus ungood, typically via distorting perspective or some such.

This was a picture of (IIRC) English King Charles I who had been beheaded by Parliament.  It was dangerous for people to have images of the dead King, and so you had to use a reflective cylinder to make the distorted image of the Sovereign comprehensible.  The problem is that you need the cylinder, and you have a pretty suspicious distorted picture.  Either of these if discovered in a search might result in a Rubber Hose Attack.  We'd like to have our data in a normal image (I'll get to how to hide the "cylinder" in a bit).

There's a modern tool available to do this, called Steganography.  It relies on the fact that many of the data formats in common use today are "lossy" - you can remove a lot of the original data bits without degrading the message.  The JPEG image format is one example, MP3 is another.  Stego uses this to introduce loss into the picture without degrading the picture (or into an MP3 without degrading the audio).  The "loss" introduced is your secret message, which can be text, image, audio, or whatever you'd like.  I did this once here:

Crash the Wundercat contains a secret message (well, the picture of Crash does; work with me here).  You need a tool that does Stego to embed the message/data, and the person who wants to extract the message/data needs a Stego tool.  Windows users can use OpenPuff which will embed your data in images, audio, video, and Flash.  It will even encrypt the data and add white noise to make it even harder to detect.  It's free and open source.  Steghide is perhaps your best bet for Linux.

And now we have to peel the onion: how do you get your message distributed?  The answer here is to use your regular methods.  You shouldn't use email, as it's pretty direct (you sent it to someone, which is interesting in and of itself).  Social Media is a much bigger haystack to hide in - Facebook, blogs (hello!), Reddit, Flickr - all of these excel as "dead drop" locations for seemingly innocuous pictures of your cat.  The people you want to read your secret message have to know what password you're using in your stego, but there are a lot of ways to do that - for example, everyone has a copy of Gibbon's Decline and Fall of the Roman Empire and uses the 11th word on the page as the password.  Each day, use the next page.

Sure, NSA will see that people are looking at Reddit, but it's an extra layer of indirection that they're looking at what you posted to Reddit.  It's potentially a very large haystack indeed.  By now you should see why this isn't any good for voice communications or email.  

And so now to the last layer of the onion - reducing the chance of a rubber hose attack.

Remember the mirrored cylinder that was used to view the picture of King Charles?  That was a giveaway.  Well, so are steganography tools.  If it comes to an investigation and someone finds that you've, say, installed the Ubuntu version of Steghide, there will likely be a lot of questions.  So how do you hide your stego tools?  I think that the best way is via the Purloined Letter approach - hide them in plain sight.

This is a USB drive.  It will hold a ton of data.  Unfortunately, everyone knows that it's a USB drive, including Mr. Fed.  Should the day come where The Man swoops down to investigate your electronic breadcrumbs, they'll look for stuff like this.  What we want are the electronic guts of the drive, in an innocent looking exterior.  Maybe something like this:

This is a Lego toy.  Actually, it was a Lego toy until someone took a box cutter, Dremel, and some manual labor to cut it open and embed a USB drive in it:

You can have a whole Operating System with Stego tools on it.  Boot from it when you need to encode/decode, copy the resulting image/MP3/etc to a different (maybe disposable) USB drive to load onto your regular computer for posting to Reddit/etc.  Just keep it with a bunch of other similar figurines in a bucket of toys in the basement in case someone comes snooping around.

Or you could just buy a Lego brick USB drive.  Remember to keep it with your other Lego.

Now it's important to point out here that nothing is foolproof.  NSA will be collecting traffic data showing that you're uploading to Reddit and Facebook.  They will see that other people check Facebook and Reddit.  They will build maps of relationships - maps showing who knows who.  Someone might take a look at your Facebook page.  If they really want to spend the time with the right people analyzing your pictures (or podcasts, or YouTube vids) they might very well sniff something fishy.  But they'll have to work a lot harder, and the work will be much less automated.  That means that it will be expensive, and there will be a lot less of that sort of thing going on.
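
To make "sniff something fishy" concrete, here is an added example (not from the original post, and not the algorithm OpenPuff or Steghide uses) of the classic pairs-of-values chi-square test an analyst can run over raw 8-bit image or audio samples.  It assumes naive sequential LSB replacement; the function names and the synthetic "cover" data are constructed for illustration.

```python
import random

def pair_chi_square(samples):
    """Chi-square statistic and degrees of freedom for the pairs-of-values test.

    LSB replacement with random-looking bits pushes the counts of each value
    pair (2k, 2k+1) toward equality; a clean histogram rarely has that shape.
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat, dof = 0.0, 0
    for k in range(0, 256, 2):
        a, b = hist[k], hist[k + 1]
        if a + b >= 10:                      # ignore sparsely populated pairs
            stat += (a - b) ** 2 / (a + b)   # one degree of freedom per pair
            dof += 1
    return stat, dof

def looks_embedded(samples, slack=5.0):
    """True when the statistic is what equalized pairs would produce:
    within `slack` standard deviations of its expected value `dof`."""
    stat, dof = pair_chi_square(samples)
    return dof > 0 and stat <= dof + slack * (2 * dof) ** 0.5

def flag_windows(samples, window):
    """Run the test on consecutive windows to localize a partial payload."""
    return [looks_embedded(samples[i:i + window])
            for i in range(0, len(samples) - window + 1, window)]

def make_demo():
    """Constructed data: a synthetic 'cover' and a copy with a payload."""
    rng = random.Random(2021)
    cover = [min(255, max(0, round(rng.gauss(128, 5)))) for _ in range(100_000)]
    stego = list(cover)
    for i in range(40_000):                  # naive sequential LSB replacement
        stego[i] = (stego[i] & 0xFE) | rng.getrandbits(1)
    return cover, stego

if __name__ == "__main__":
    cover, stego = make_demo()
    print("cover windows:", flag_windows(cover, 20_000))
    print("stego windows:", flag_windows(stego, 20_000))
```

The windowed run flags only the region that carries the payload, which is how this kind of test also gives a rough estimate of how much data was hidden.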

And this will give you a close to "Professional Grade" level of paranoia which is a Very Good Thing.  If I seem that way myself, please remember that I was trained to be that way by the finest minds in the Free World. 

This is an updated version of a post from 2013, but the information is as needed now as then.


Toirdhealbheach Beucail said...

Thanks Borepatch. Useful discussion and good to know (I am a great fan of the Grey Man and try to be one). The TOR comment was interesting as well - I admit that in the past I have toyed with it, but found it too difficult to use (I go with a VPN and Brave and trust me, I go nowhere on the Interweb remotely interesting).

drjim said...

Thanks for the tips, BP!

BigCountryExpat said...

Duuuuuuuuuuude! Repoasted and linked at my Haus! This's awesome intel! Many thanks brother. See you in February!

Chuck Pergiel said...

As I recall, what got Ulbricht caught was that he used an email or some address that was connected to him when he first set up his network. After that everything was copasetic. But the feds somehow traced the net back to that original address and that's what got him busted.

Jonathan H said...

Back in the days of Echelon disclosures (late 90's) the most secure means of communication was a handwritten fax since most traffic is processed automatically and handwriting can't be, especially if it's messy and poor quality.
Is this still true, and is it relevant due to traffic analysis?

Does using a 'clean' laptop from public wifi (while your phone is off or not with you) help, or is that too awkward for most people?

Pachydermis2 said...

I didn't read this and certainly don't know anyone named Borepatch.....

MrGarabaldi said...

hey Borepatch;

I had remembered posting on my blog something called "Moscow Rules". Perhaps it can be updated to reflect the new reality of today's world, and trying to not attract the attention of the .gov security apparatus.

Stefan said...

Pixelknot for Android.

Aesop said...

Which posts were you thinking of?
I can whip up a tag to make them easier to find.
I've seen me do it.

Aesop said...

BTW, thumb drives now hold stupid huge amounts of data,
and can be put inside plastic snap-lid canisters smaller than old 35mm film cans.

Then you coat the plastic canister with plaster of paris, or hot glue it, and roll it around in sand, etc., you've got a camouflaged "rock" dead drop that'll hold an entire library, inside a sealed weatherproof container.

You can also hot-glue the canister to the inside of an old can, like a tuna or cat food can (get a rusty old tin can, not an aluminum one, and it won't be molested or recycled), and smash that into the ground, and you've got a bombproof way to trade messages back and forth locally, in the time it takes to squat and tie your shoelace.

Russian spies have been doing that for decades.
Why should they have all the fun?

Let your imagination run wild.
You can epoxy a short 3/4" pipe end into a wall, with a threaded pipe cap tip, and you have a mailbox that will last for years.
The same is true for a piece of rubber dog poop left under a bush (which you could drop off and/or pick up unobtrusively while supposedly cleaning up doggie mess on your walks).
Or a small plastic ziplock bag (look in the crafts and beads section of WallyWorld) stuck in place with double-sided tape. To the underside of a bench, the underside of a bottom bookshelf in a store or library (ask me how I know), or even a plastic bottlecap, under which you can put up to 256MB of data and pics, i.e. enough to hold the entire multi-volume operational plans for the Normandy D-Day invasion.

If you're doing local, local, local, you should be trading messages with people nearby, making anything requiring higher tech a bad idea anyway.

Borepatch said...

Aesop, this is the post I was thinking about.

Aesop said...

Uh huh.
That post, and the follow-up, complete with feedback from some Anonymous Soopergenius, were comedy masterpieces.

But they weren't so much about When Things Get Spicy, as much as my off-the-cuff grunt-level response to an article claiming AI battlefield drones were going to be Unbeatable, Because Reasons.

Not that there weren't some outside-the-box tactical pearls therein, just that it wasn't the focus of the piece... ;)