Opsec Full Guide - Lucifers
ME/DARKCARDERS666
REACH ME PERSONALLY AT HTTPS://T.ME/darklucifer619
LUCIFER
Theory: Definition
OpSec is the control of information- and artifact-flow that could endanger operational success or
operational capabilities. It is a default position that does not rely on opponent interaction (as does
offensive counter-intelligence).
Theory: Principles
Deterrence by opponent:
• Acceptability: Is the behavior unacceptable to the opponent? If yes, the opponent will spend
resources to detect, deceive and/or neutralize.
• Credibility: Can the opponent gather intelligence that makes the threat credible and
demonstrable? Is there evidence or cause for reasonable suspicion?
• Perception: Does the opponent see/know information relating to operations, assets, capabilities
and persons?
Detection by opponent:
• Who is involved? Names, aliases, skills, background, identifying marks (biometric,
technological, habitual).
• What is done? Operation.
• When is it done? Time, date, event relations (eg. after conference, two days after meeting).
• Where is it done? Address, place, geolocation, place relation (eg. restaurant within 5 minutes
walking distance to hotel).
• Where is an asset? Person or resource. Address, place, geolocation, place relation (same city
as another asset).
• With whom or what is a person/asset related? Ownership / possession of resources, social
relationships, affiliations.
• Why is something done? Goals, motives, assumptions of effectiveness.
• Gaining access: Documents, information, keys, passwords, identifiers, tools, decoration, etc.
Opponent will use criminology, forensics and various collection methods. The opponent does not
require certainty but usually operates on likelihood/probabilities and alternative explanations.
Some opponents have an unlimited and long-time memory.
Counteraction by opponent:
• Deception to direct target action towards opponent's goals.
• Implants to stabilize access. Technologies, methods, artifacts, persons, cars, other assets.
Theory: Flow
(T: the target, i.e. the operative's side; O: the opponent; the flow direction reads from source to destination.)

Object type   Flow direction   Opponent principle                    Effect
Information   T => O           Perception                            Offensive capture, Implants
Artifact      T => O           Credibility                           Neutralization
Person        T => O           Perception, Credibility               Offensive capture, Neutralization
Information   O => T           Deception                             Neutralization
Artifacts     O => T           Deception                             Offensive capture, Neutralization
Persons       O => T           Deception, Credibility, Perception    Offensive capture, Deception, Neutralization, Implants
Theory: OpSec process
Prevent, Prepare, Respond, Recover
• Prevent: Control asset/artifact/information flows. Limit information content of
artifacts/documents/conversations. Limit information lifetime/relevance. Limit predictability.
Prevent and/or limit impact of outflow/leak.
• Prepare: What happens in case of outflow/leak? How to contain leaks? How to do damage
assessment? Fail-over/emergency plans. Emergency/Danger signals. Detection methods.
Protocols for containment, reporting. Backups and caches. Savings. Define rally points and side
channels.
• Respond: Contain leak/implant. Destroy asset/artifact. Destroy ties/relationships/tracebacks.
Notify necessary parties. Enact fail-over/emergency plans.
• Recover: Replace capabilities, assets, persons. Use side channels. Rally points. Access
caches/backups.
Theory: Atomicity
Atomicity: By default nobody knows anything, is nowhere, knows nobody else, has no history or
future. Sub Rosa/Secrecy is the default.
Cooperation and interaction destroy atomicity. The purpose of "need to X" is to preserve atomicity as
much as possible while accomplishing the minimal operational goal.
Methods: Classification, Compartmentalization, Separation, Isolation
• Classification:
Methods: Accounting
Keeping track of:
• Who knows what?
Accounting enables “Need to X” application by being able to determine the operational footprint.
Strict accounting and planning also increases the efficiency of response and recovery measures like
caches, backups, signaling/notification and emergency savings. Without accounting it becomes
impossible to assess the impact of compromises, breaches and leaks.
The method of accounting and the storage of this data need special attention. Since the data relates to
multiple operational contexts, persons, artifacts etc., accounting itself breaks all the need-to-X
principles. This makes accounting data the treasure of any opponent. Extreme measures must be taken
whenever accounting data is accessed, manipulated or stored. Use of strong encryption, dead man
encryption, multi-party/four-eyes access, concealment/steganography, air-gapped computing and on-
person carry at all times is prudent. It is also necessary to develop a quick, always executable and
effective destruction method.
Application: Prevention Checklist - again
• First order: Persons → Names, aliases, background, identifying marks. Addresses/locations of
persons.
• Second order: Means of access → Keys, passwords, identifiers.
• Third order: Activities → Operations, methods.
• Fourth order: Persons → Social relationships, affiliations, social graph.
• Fifth order: Places → Addresses, locations, locational relationships.
• Sixth order: Time → Dates/times of activities, time relationships.
• Seventh order: Goals, motives, ideology.
The higher the order, the more protection the item deserves and the more carefully any sharing should
be considered.
• DO NOT TALK.
• Don't expose your social network. Don't drop names. Don't share contact details.
• Cooperate or conceal.
• Sharing is a threat.
• Keeping your mess around leads to big troubles. Delete/destroy what you don't need.
• Higher security through less efficiency → efficiency leads to repetition and sharing.
• Beware of identifiers → social media, phones, numbers, addresses, photos, number plates,
names, brands….
• Learn about opponent resources, methods, tactics. Be aware of manipulation and the unknown
when relying on outside information.
• You connect everything: Keep security as high as the highest risk.
• Stay away from surveillance (cameras, crowds, automatic number plate recognition, cellphones,
wifi hotspots….).
• Use imprecise/fuzzy information where information sharing cannot be avoided but is not
necessary for operational success. (Social situations).
• Synchronize fuzzy information. It's a legend.
OpSec is a lifestyle. Retain your operational capabilities in an age of mass data production and
retention, surveillance states, corporate manipulators, intelligence competition (corporations as
well), and noisy “transparent” societies.
Application: Notes
The following are notes, starting points for your own thinking. This is what is often called “defensive,
pro-active” tradecraft. These notes are far from exhaustive, they are meant as inspiration and everyday
practical advice. All digital OpSec has been excluded and will be covered by another seminar.
Application: Notes: Pocket litter – cars, bikes, bags and trackers.
Cleanup
Every person carries many things without being aware of them. For example, the litter we carry in our
pockets and wallets – receipts, boarding passes, business cards, tickets etc. – paints a substantial picture
of our activities and whereabouts.
It is also very easy to attach a tracker device to a car or bike, or slip it into a bag. Trackers are cheap
and effective, making them ideal devices for cost efficient surveillance.
To prevent both problems it is important to regularly search pockets, bags and vehicles to get rid of
trackers and litter. This should be done before each meeting/activity and after, before entering or
leaving the area of operation.
In general no vehicles should be brought into operational areas or to meetings if at all possible. This
also prevents an opponent from recording license plates around points of interest to identify persons of
interest and assets.
Computers carry pocket litter as well!
CLEAN UP: Bags, bikes, cars, wallets, pocket, computers.
Application: Notes: Deniable physical communication
When information needs to be exchanged in a meeting that might be under surveillance and/or the other
party might be untrustworthy and trying to collect artifacts (evidence), the following protocol can be
used:
• Do not vocalize incriminating information.
• Instead, write the information on a piece of paper, in block letters. If possible, do not write with
your dominant/writing hand; with a bit of practice this is doable for block letters and short
notes.
• If possible, cover your writing with the other hand.
• Write on a hard, ideally glass, surface, and only use a single sheet.
• Tear the paper so that part of the pattern is present on each piece.
• Hand the message to the other party who should conceal it with his hands when reading.
• The other party has to return the message immediately after reading.
Application: Notes: Cellphone security
Cellphones are easy to track by almost anybody. Furthermore they carry a lot of sensitive information,
and smartphones can also be turned into audio and video bugs.
In general, the use of cellphones is to be avoided. If they need to be used, the following rules apply:
• Never bring them into operational areas or to meetings. Leave them at home/hotel, switched on,
and protected by a pass code/PIN. Switching them off/on during operation sticks out of the
baseline and reveals sensitive information.
• Call logs, texts/short messages and contact/phone book should be cleaned up frequently,
especially before and after operations.
• If possible, cellphones should be single-use. Destroy and dispose of them after use as soon as
possible.
• Use different cellphones for different social graphs. Due to the tracking problem of phones this
makes it necessary to only use phones that are not linked to one's name, and that are always
physically separate from each other.
• Make calls, do not send short messages/texts. Texts are much easier to capture, both from the
phone and from the air, and their contents are recorded automatically.
• A rule never to break is: Do NOT bring the cellphone anywhere closer than 30 miles to the
operational area (the GCHQ rule).
Best is to have a cellphone (like everybody else), but keep it at home, switched on, never carry it
around.
Application: Notes: Travel security
Travel is an operational nightmare because records of border crossings, hotel bookings and flights
contain personal identifiers. This can lead to uncovering one's identity quickly if an opponent becomes
aware of the travel details (places and times).
It is therefore paramount to investigate beforehand whether a cover can be used, and to conceal travel
information as much as possible. One should therefore never give precise travel destination, time and
date of travel, or other travel itinerary data to anybody. Furthermore hotels should be booked and paid
under cover, and no meetings should be held there – including being dropped off or picked up there.
Special care must also be taken, at all cost, to prevent key cards, boarding passes or luggage tags from
becoming known to an opponent. They should be concealed, and destroyed at the earliest moment
possible.
When asked about travel dates it may become necessary to give out false information that is a few days
off. The same applies to routes taken.
• Randomly pick one of these locations to travel to before traveling to the meeting. Point T.
• At the latest at these decoy points all pockets, wallets, bags and vehicles should be cleaned of litter
and possible trackers/bugs.
• If a cellphone is carried, it should be dropped off at point T. When traveling back, first travel to
point F, do the cleanup, then travel to point T to pick up the phone. The same applies to other
items that need to be carried from point H but should never be present at point T.
If no list of locations matching the baseline exists, as for example when operating away from home,
either select a random tourist attraction (or other point of interest with a cover) or a random place on
the map.
use music to make audio surveillance harder. Be aware that both methods are not perfect.
Fourth, be aware that many hotel rooms have already been spiked with surveillance equipment,
especially above the desk, facing the bed and sometimes in the bathrooms. Do not have private
conversations in the hotel room or over the room phone. Do not place your documents on the desk for
reading, or your computer there for working. Instead, move the desk a bit or use a blanket to prevent
viewing of the keyboard and ideally the display. Best is to avoid the desk completely.
Fifth, whenever entering the room sweep it for placed objects. An opponent might want to place false
evidence or surveillance equipment. A previous guest might have hidden drugs or weapons and
forgotten about them. Make sure your room is "clean" and nothing in it can be used to frame you. This is
especially important for luggage, clothing and the safe. The sweep must be repeated every time the
room has been unoccupied for any length of time. Also be careful with room service. Do not allow entry
to the room when ordering food; accept it at the door. Room service will look around in the room and/or
drop something.
Sixth, if possible use a door blocker/alarm while in the room, and lock the door (including the security
lock or chain). Cover the door viewer with a small piece of tape – it can be used to look into the room.
Use the door viewer before opening the door. If available, use video surveillance while in the room
and before opening the door – a tablet/computer will do the job. It helps collect evidence in your
favor and detect attacks.
Seventh, if available and the operational profile demands it, use video surveillance with tamper evident
and/or offsite recording. Be aware that use of security technology will raise suspicions and attention by
the opponent if he notices.
term viable (not easily found/destroyed by accident), concealed and accessible should the need arise.
Occasionally caches must be checked to confirm they are still in place. Furthermore caches should be
tamper evident and should only hold information relating to one specific task so that discovery does not
lead to broad breaches.
Caches that are used regularly should be located near regular routes. Caches for recovery purposes
must be outside of normal routes so they cannot be used as pickup locations for surveillance or attack.
Whenever a cache is created, checked or otherwise accessed, anti-surveillance methods must be in place
and the surroundings should be observed before making a move towards the cache.
Caches should be accessed infrequently so that they do not become convenient surveillance or
collection targets. For operational caches, for example those containing regularly used objects related to
covers, frequent rotation should be employed. Whenever tampering with a cache or surveillance of a
cache is detected, the contents should be considered toxic and the cache should not be accessed ever
again. Contingency protocols concerning the objects/information in the cache must be employed at
once (notification, destruction of related artifacts/information, cleanup).
Digital caches for important information should be paid anonymously and for long periods in advance.
Access should only happen when necessary and for infrequent verification. Access must use
anonymization techniques. All data stored in the digital cache must be encrypted. Access details should
be memorized so the cache remains useful even if other storage and computing has been compromised
or lost.
In general there is a trade-off between the complexity of caching operations and need-to-X principles. It
is important not to be lazy in this regard. Caches should hold minimal artifacts/objects/information
(separation), never hold objects/information relating to multiple operational contexts
(compartmentalization), and be unrelated in makeup and location (isolation).
Application: Notes: EDC, Bugout bag
A bugout bag containing cash, identity information, emergency contact information, emergency tools,
communications equipment, camouflage, medication, clothing, high protein food and unvalidated
tickets for local transportation should be created. This allows the operative to withdraw at a
moment's notice. Such a move might be necessary whenever a leak/breach/opponent attack has been
detected but no damage assessment has yet been performed. The ability to get out of any immediate
danger greatly reduces stress and improves results. A bugout bag must be easy to access (possibly in an
emergency cache) without revealing additional information to the attacker. What has been said about
caches in general also applies. Furthermore the bugout bag should be cleaned (searched for
manipulation, planted evidence, planted trackers) as early as possible and before making any distinctive
moves.
A bugout bag loses its value if the operative is not prepared to immediately use it. This means that all
places of operation should be clean at all time and that destruction/cleanup procedures can be enacted
quickly and effectively. Escaping while leaving behind critical information/artifacts will only increase
the damage, not mitigate it.
In addition the “every day carry” should be planned and assembled to allow for minimal escape and
recovery options if the bugout bag becomes inaccessible.
DVDRs. USB sticks, portable hard discs and SD cards are not an option because they have processing
abilities themselves and can be written to multiple times. Any media used with the air-gap computer
must be immediately destroyed after the data has been transferred.
Transferring data from the air-gap computer to any other system must use the same methods.
However, transfer from the air-gap computer should be the absolute exception.
All transfer to/from the computer should also happen through encrypted text files. No complex data
formats should be used. They must be visually verifiable without needing complex interpretation by
any software. Encryption should use per-media keys only that are randomly generated and never
reused. Furthermore integrity protection of any transferred data should be employed.
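The two technical rules in this paragraph (a randomly generated key per medium that is never reused, and integrity protection on whatever crosses the gap) map directly onto authenticated encryption. The following Go program is an added example written for this page, not code from the original guide: it uses only the standard library (AES-256-GCM from crypto/cipher), generates a fresh key for each medium, accepts only plain UTF-8 text as payload in line with the "no complex data formats" rule, and rejects any medium whose contents were altered. The sample payload and the single-bit tampering in main are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"unicode/utf8"
)

// NewMediaKey returns a fresh 256-bit key. One key per transfer medium,
// never reused: this is the "per-media keys only" rule in code.
func NewMediaKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a plain-text payload with AES-256-GCM. The GCM authentication
// tag is the integrity protection; the random nonce is prepended so Open can
// find it. Only valid UTF-8 is accepted, matching the plain-text-files rule.
func Seal(key, plaintext []byte) ([]byte, error) {
	if !utf8.Valid(plaintext) {
		return nil, errors.New("payload must be plain UTF-8 text, not a binary format")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the tag and decrypts. Any modification of the media contents,
// even a single flipped bit, fails the tag check and the payload is rejected.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed data too short to contain nonce and tag")
	}
	plaintext, err := aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, errors.New("integrity check failed: media contents were modified")
	}
	if !utf8.Valid(plaintext) {
		return nil, errors.New("decrypted payload is not plain text")
	}
	return plaintext, nil
}

// newAEAD builds the AES-256-GCM instance for a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample payload standing in for the text file written to the medium.
	note := []byte("constructed sample: status update, plain text only\n")
	key, _ := NewMediaKey()
	sealed, _ := Seal(key, note)
	fmt.Printf("sealed %d bytes with a single-use key\n", len(sealed))

	if got, err := Open(key, sealed); err == nil {
		fmt.Printf("verified and decrypted: %q\n", got)
	}

	// Simulate a tampered medium: one flipped bit in the ciphertext.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := Open(key, sealed); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The key travels separately from the medium (for example memorized or carried on-person, as the accounting section suggests for sensitive material) and is discarded together with the medium after a single transfer, so a captured disc is useless on its own and a modified one is detected before any of its contents are interpreted.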
An Air-Gapped computer can be equipped with writable permanent media only if this media can be
removed and it is encrypted and integrity protected. When using writable media, no “incoming” media
should still be attached to the system. After initial processing and storage of incoming media the system
should be rebooted from the read-only boot medium to reduce attack persistence.
Should an air-gapped computer be used in multiple operational contexts, it should be rebooted into a
clean state whenever the context is switched. Writable permanent media should always be reserved for
a single context. Ideally every context also comes with its own operating system installation and its
own hardware, if feasible.
Air-gapped computers should ideally be contained in a complete Faraday cage, be sound-proofed and be
sealed. They should also be visually verifiable and should carry tamper evident markers.
If possible such a system should always be procured from a randomly selected source that is physically
visited for procurement on no or very short notice.
caution.
In certain cases surveillance of the dead drop and a danger signal can be employed. However, using
surveillance increases the operational profile and can increase the risk of detection.
Digital dead drops must only be accessed through anonymous communication means and may only
contain encrypted information. Digital dead drops may never be reused. They are always throw-away.
A special case of physical-digital dead drops exists. These can be public wifi networks, or custom
hidden wireless networks that are temporarily set up for data exchange.
Physical-digital dead drops can be an extremely effective means for covert communication if they:
1. Self-destruct and use encrypted ephemeral storage.
2. Are short range.
3. Have cover (such as mimicking a corporate network or a public hotspot).
4. Use encrypted communication.
5. Employ wifi security (see above).
6. Are activated only some time after they are deployed.
Using drop&forget devices (throw away, automatic upload/download devices) that use long (multi-
hour) random delays before activating further increases security for the involved parties. Their
downside is complexity and cost.
(including contents) should be the same.
At least one of the parties employed in the brush should never be used for a brush with the same party
again to prevent recognition by the attacker.
In general, brush passes should not be employed unless absolutely necessary.
reduces the ability to detect surveillance in such environments. If possible counter-surveillance should
be used.
Meetings should be used rarely, and should be as short as possible. Usually they are both unnecessary
and come with high risk.
Instead, meetings should be intersections of both parties' baselines, like attending the same regular
events. This provides good cover not just for being there at the same time but also for interacting with
each other.