compress images, fix spelling and minor issues

opsecmistakes/index.md

@@ -1,13 +1,15 @@
 ---
 author: Mulligan Security
-date: 2025-05-16
+date: 2025-05-22
 gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/312"
 xmr: 86NCojqYmjwim4NGZzaoLS2ozbLkMaQTnd3VVa9MdW1jVpQbseigSfiCqYGrM1c5rmZ173mrp8RmvPsvspG8jGr99yK3PSs
 ---
 
-![loose lips sink ships](opsec.jpeg)
+# Realistic OPSEC Mistakes and Threat Scenarios
 
-# OPSEC: the name of the game
+![loose lips sink ships](opsec.jpg)
+
+## OPSEC: the name of the game
 When running any kind of clandestine operation, if you want to remain anonymous, you have
 to follow OPSEC (operational security) rules and procedures.
 
@@ -22,7 +24,7 @@ it is through OPSEC mistakes.
 From the adversary's point of view, repression requires the following broad steps:
 
 - Initial detection: someone is doing something we don't like
-- Identification: who those someones are
+- Identification: who those "someones" are
 - Neutralization: make sure they stop doing whatever they set out to do
 
 ## Initial detection
@@ -40,8 +42,8 @@ and make it less likely that your activity will be identified properly.
 A simple example:
 
 - sabotage during ww2 ([source](https://www.cia.gov/static/5c875f3ec660e092cf893f60b4a288df/SimpleSabotage.pdf))
-  - choose acts for which many people could be responsibl, and it's even better if it can be credibly blamed on an accident
-  (such as an unsecurely fastened hydro-turbine cover leading to a flooding of the facility)
+  - choose acts for which many people could be responsible, and it's even better if it can be credibly blamed on an accident
+  (such as an insecurely fastened hydro-turbine cover leading to a flooding of the facility)
 
 
 ### What bad OPSEC looks like
@@ -56,24 +58,24 @@ If you are a novice in clandestine ops, it is likely that you still have stuff t
 order to be safe. If your activities are quickly identified, that's even less time available to you
 to actually get better at survival.
 
-## Extorsionists
+## Extortionists
 
 ### Zeekill
-Julius "zeekill" Kivimaki extorted a Finnish online psychotherapy service, threatening them with the release of patient data (thereapy notes among them).
+Julius "zeekill" Kivimaki extorted a Finnish online psychotherapy service, threatening them with the release of patient data (therapy notes among them).
 While preparing a data package for release he mistyped the tar command and instead of only releasing the pilfered data also released the entire content
 of his home directory, helping investigators identifying him. That way he managed to speedrun both initial detection and identification, what a champ!
 
 ### USDoD
-USDod made several OPSEC mistakes, allowing investigators to link his public and clandestine personas.
+USDoD made several OPSEC mistakes, allowing investigators to link his public and clandestine personas.
 
 
-- same bio on public and clandestine twitter accounts, shared with an instagram account as well
+- same bio on public and clandestine Twitter accounts, shared with an Instagram account as well
 - Instagram account mentioned by
   - a tattoo artist
   - a SoundCloud profile with his public identity and pictures of his face
     - the pictures were the same used on a medium blog, allowing for trivial linking
-- The medium blog contained a post about an alien vault pulse (a cyber threat intelligence report) mentioning the same pseudonym used for his instagram account
-- Associated gravatar account with the instagram pseudonym and pictures of his face
+- The medium blog contained a post about an alien vault pulse (a cyber threat intelligence report) mentioning the same pseudonym used for his Instagram account
+- Associated gravatar account with the Instagram pseudonym and pictures of his face
 - Gravatar linked email publicly associated with
   - registered domains
   - github accounts
@@ -99,13 +101,13 @@ respectively.
   - OPSEC Mistakes
     - bungling the weight and balance of a smuggling ship so much that its course became erratic and attracted attention
   - Outcome
-    - Seizure of the ship and it's 32M$ worth of cargo, arrest of the crewmembers
+    - Seizure of the ship, and it's $32M worth of cargo, arrest of the crew members
 - zeekill
   - OPSEC Mistakes
     - lack of operational segregation: there is no valid reason for having PII on the same machine as the one you use to manipulate operational data, at least use a different user created only for this purpose
   - Outcome
     - Arrest and conviction (6 years)
-- USDod
+- USDoD
   - OPSEC Mistakes:
     - too many to count in this section, see above
   - Outcome
@@ -130,11 +132,11 @@ Standardized Operating procedures for your organization providing a framework fo
 
 - general operations
   - what communication channels to use
-  - use of encryption, codewords, passphrases
+  - the use of encryption, codewords, passphrases
   - Channel structure
     - full mesh = more danger if any one participant is compromised
     - clandestine celle structure = more resilient but also makes communication more costly
-  - Communication plan for each members ([PACE](https://en.wikipedia.org/wiki/PACE_(communication_methodology) model)
+  - Communication plan for each member ([PACE](https://en.wikipedia.org/wiki/PACE_(communication_methodology)) model)
     - if one communication channel is cut or compromised, then there are fallback solutions that have already been investigated and whose risks level have been deemed acceptable
 - Specific action SOPS (eg: a protest)
   - initial assembly point
@@ -146,7 +148,7 @@ Standardized Operating procedures for your organization providing a framework fo
     - storage and delivery
     - disposal
 
-### What bad OPSEC looks lile
+### What bad OPSEC looks like
 
 ![cabincr3w](cabincr3w.jpg)
 
@@ -177,8 +179,8 @@ Such preparation has two required components:
 ### Detection
 Your general operations rules should have built-in detection capacities: either a way for operators to give advance warning or for the organization to detect when one has been turned or captured.
 
-- An easy to use counter-itelligence tool is the [baryum meal test](https://en.wikipedia.org/wiki/Canary_trap) or canary trap.  By detecting leaks you can use them in anti-surveillance operations or as a warning system.
-- another one is a simple canary (example: [warrant canary](https://en.wikipedia.org/wiki/Warrant_canary)) where the cessation of an inoccuous action is used to send a message
+- An easy to use counterintelligence tool is the [baryum meal test](https://en.wikipedia.org/wiki/Canary_trap) or canary trap.  By detecting leaks you can use them in anti-surveillance operations or as a warning system.
+- another one is a simple canary (example: [warrant canary](https://en.wikipedia.org/wiki/Warrant_canary)) where the cessation of an innocuous action is used to send a message
 
 #### What good OPSEC looks like
 
@@ -191,10 +193,10 @@ Let's talk about [Operation Delego](https://en.wikipedia.org/wiki/Operation_Dele
 - Strict metadata scrubbing policy for all shared media
 - Only share media over the trusted website channels
 
-##### The neutralization operation
+#### The neutralization operation
 After infiltrating the group, Leo managed to trick several users into directly sharing media and personal information other unsanctioned channels, without encryption.
 
-##### Final Tally
+#### Final Tally
 - 72 charges (out of 600+ active members)
 - 57 arrests
 
@@ -205,19 +207,19 @@ OPSEC works, even for the scum of the earth: 9.5% neutralization rate after bein
 
 ![lulzsec](lulzsec.jpg)
 
-Now let's have a look at Lulzsec. We have pretty much every OPSEC mistake rolled into one burrito of disappointment. We will use the analysis framework we've worked with so far
+Now let's take a look at LulzSec. We have pretty much every OPSEC mistake rolled into one burrito of disappointment. We will use the analysis framework we've worked with so far
 
 LulzSec (Lulz Security) was a high-profile hacker group active in 2011, known for brazen cyberattacks on corporations, governments, and media.
 
 
-One of their members (Sabu) was identified, turned and then used to compromise the rest of the goup.
+One of their members (Sabu) was identified, turned and then used to compromise the rest of the group.
 
 
-##### Detection
-That one's easy: between the defacement and bragging all over the web about their hacks, the operations were **meant** to be visibile
+#### Detection
+That one's easy: between the defacement and bragging all over the web about their hacks, the operations were **meant** to be visible
 
-##### Identification
-- Sabu was identified after logging into IRC from his home IP instead of through Tor: it only happened once but it was enough
+#### Identification
+- Sabu was identified after logging into IRC from his home IP instead of through Tor: it only happened once, but it was enough
 - Members reused online aliases across multiple platforms. For example, some had past activity linked to now-doxxed identities.
 - Email addresses used for domains or accounts were linked to real-life identities.
 - Boasting about hacks and providing technical details exposed them.
@@ -228,7 +230,7 @@ That one's easy: between the defacement and bragging all over the web about thei
 - This also gave law enforcement leads to correlate timing between attacks and online activity.
 - Use of non-anonymized IRC clients, known VPN services, and unencrypted communication channels made traffic analysis easier.
 
-##### Neutralization
+### Neutralization
 
 By mid-2012, most core members were arrested and charged.
 
@@ -237,7 +239,7 @@ By mid-2012, most core members were arrested and charged.
 
 ![threat modeling](threat_model.jpg)
 
-We now have a simple framework (detection, identification, neutralization), that's actually called an attack cycle model. This will help us think our OPSEC prosedures in a way that is methodical and grounded in rationality.
+We now have a simple framework (detection, identification, neutralization), that's actually called an attack cycle model. This will help us think our OPSEC procedures in a way that is methodical and grounded in rationality.
 
 
 As we have seen, depending on the situation you might need higher or lower security measures. Usually, when you crank up the security, communication slows down and becomes harder. When you want easier and faster communication, you often have to lower your security requirements.
@@ -245,7 +247,7 @@ As we have seen, depending on the situation you might need higher or lower secur
 
 ## What is a threat model
 
-In order to decide which OPSEC practices to adopt you have to know what you are defending against. Gun running, protest organization against private corporations and civil disobedience are activities that can bring the wrong kind of attention but they all have wildly different threat models.
+In order to decide which OPSEC practices to adopt you have to know what you are defending against. Gun running, protest organization against private corporations and civil disobedience are activities that can bring the wrong kind of attention, but they all have wildly different threat models.
 
 
 A threat model is a description of your adversaries with:
@@ -258,13 +260,13 @@ A threat model is a description of your adversaries with:
 The more powerful and well-funded the adversary, the more dangerous it is (States being at the top of the food chain).
 
 ### Quick Example
-Alice wants to organize a protest against Evil Corp evil practicies of experimenting broccoli based diets on kittens. Evil Corp has been known to intimidate would-be protesters by hiring private detectives and thugs.
+Alice wants to organize a protest against Evil Corp evil practices of experimenting broccoli based diets on kittens. Evil Corp has been known to intimidate would-be protesters by hiring private detectives and thugs.
 
 ![evil corp logo](ecorp.png)
 
 #### Evil Corp threat model
 - goals
-  - preventing  disruption of their operations by protestors
+  - preventing disruption of their operations by protesters
   - preventing PR fallout from their evil experimentation becoming public knowledge
 - capabilities
   - technologically low, as they use tried and true methods of physically tailing people and throwing bricks through their windows
@@ -280,22 +282,22 @@ The next step is to run a risk analysis: you want to list all your assets that a
 
 
 ### Example
-Alice determine's that her group of protestors has the following asset
+Alice determines that her group of protesters has the following asset
 
 - Member list and contact info
   - Confidentiality requirement: **High**
   - Integrity requirement: **High** (we don't want someone infiltrating the mailing list)
   - Availability requirement: **Medium** (even if the list is destroyed, core members have copies and can reconstruct it together)
 
-Given her threat model, she determines the following plausible attack scenarii:
+Given her threat model, she determines the following plausible attack scenario:
 
 - Getting tailed after a protest and having her laptop stolen from her home with the list on it: **High likelihood, fits the MO and threat model**
-- Someone grabbing her laptop from her while she's planning her next big anti-corporate protest while sipping from a triple latte double macchiano at starbucks **Medium likelihood**
+- Someone grabbing her laptop from her while she's planning her next big anti-corporate protest while sipping from a triple latte double macchiato at Starbucks **Medium likelihood**
 - someone hacking the mailing list server to read all the protest prep exchanges **Low likelihood**
 
 ## OPSEC Standards and procedures
 
-Armed with her risk analysis, Alice's now knows which assets are most likely to be targeted. Thanks to the threat modeling exercise she has several attack scenarii. Based on their likelihood, her OPSEC efforts will be prioritize the following way:
+Armed with her risk analysis, Alice's now knows which assets are most likely to be targeted. Thanks to the threat modeling exercise she has several attack scenarios. Based on their likelihood, her OPSEC efforts will be prioritized the following way:
 
 - Anti-surveillance and Counter-surveillance techniques to identify whether members are getting tailed after meetings or protests
 - Encryption on her laptop, automatic shutdown if someone grabs it
@@ -304,15 +306,15 @@ Armed with her risk analysis, Alice's now knows which assets are most likely to
 ![stop sign](stop.jpg)
 
 ## Know when to stop
-Why isn't she preparing for a large scale hacking campaign against her identities, followed with a 0 day barrage of all her servers and a complete compromise of her household appliances down to the lowliest airtag?
+Why isn't she preparing for a large scale hacking campaign against her identities, followed with a 0-day barrage of all her servers and a complete compromise of her household appliances down to the lowliest airtag?
 
 
-**Because it does not fit the threat model, and it would be easier and more cost effective to break into her house and grab her stuff, especially if her machine is unencrypted**
+**Because it does not fit the threat model, and it would be easier and more cost-effective to break into her house and grab her stuff, especially if her machine is unencrypted**
 
 
 # Now what?
 
-A threat model is a living thing, like any GRC (Governance, Risk and Compliance) document. Your adversaries will change in capabilities, motivations, methods as time passes. Your organization will change too, adopting new tools, foresaking old ones. In order to stay safe, you need to keep your threat model and risk analysis up to date, so you security level is always where it needs to be.
+A threat model is a living thing, like any GRC (Governance, Risk and Compliance) document. Your adversaries will change in capabilities, motivations, methods as time passes. Your organization will change too, adopting new tools, forsaking old ones. In order to stay safe, you need to keep your threat model and risk analysis up to date, so you security level is always where it needs to be.
 
 
 - To be effective you need to be able to communicate with the highest bandwidth possible with the rest of your organization. Perfect OPSEC is useless if it makes you unable to function.