Undercover Agent and Informant Manual

A little light reading. Say thank you to the State of New York and Academia.edu, who made the linked download possible. (You don’t need to sign in or sign up to download, but if you’re worried about it you should still use Tor/VPN/standard tradecraft.)

In order to defend against a tactic, you need to understand how the tactic is done. Pay special attention to Rule #9 of informant handling, because it’s a list of “signs of duplicity” they look for when handling an informant. I’m sure you can figure out which items would be helpful for you and which would not.

The same things they look for in an informant are the things you should be using to pick out who already is one, or who is most susceptible to being flipped. Look for people who have “beef” with others; that will be an avenue they use to drive wedges. Look for people who are easily flattered—often when opening a conversation, agents will compliment their subject and attempt to break the ice or get the subject to let their guard down. Think through the members of your group: if approached, how cooperative/confrontational would they be?

Look for disparities: Does the subject work at a low paying job but have a nice house, cars, etc.? Do they claim to have a master’s degree but speak like they’re fresh out of the trailer park? Do they claim to have military experience their skills don’t back up? Do they claim to be from somewhere but can’t answer questions about the area?

The document above is for New York State, but it was written by someone with 25 years of undercover with federal agencies. Take, read, apply what you need.

And don’t forget Rule #1: Don’t play stupid games with stupid people…or smart people pretending to be stupid.


Facebook and Twitter Cutting Off Geofeedia, They Say

Last week I mentioned on PHS that “In the last few days, quite a ruckus is starting to brew, especially for those in the Seattle area, although those in Denver and other cities are also waking up mad” about the fact that 500 police departments were using a tool called Geofeedia to suck up all social media posts from a location and put them into a searchable database so cops can track protests and other events, some having to do with political dissent. It can also track individual activists, their locations, etc. (Obviously this only applies to activists who are using social media, live-tweeting events, etc., so….)

Now, the ACLU has busted all of them in a report that shows not only were the cops using it as a tool for tracking events, the product was marketed as being fantastic for searchability, using hashtags and keywords. The various social media companies are scrambling to show that they’ve either cut off access, or that they already did before they got caught. Twitter even used the phrase “cease and desist,” which is amusing since these companies are suddenly acting like they didn’t give access and are shocked–shocked–that it was even going on. Too bad the ACLU has the emails, which are entertaining and terrifying all at once.

Naked Security points out that Geofeedia had this level of access for FIVE YEARS. What do you think five years of the average person’s Facebook posts, likes, photos and comments tell you about them? Think about it.

One last thing. If you’re shrugging your shoulders and thinking, “Well, good thing THAT got fixed,” then you haven’t been paying attention at all.

Two Security Tools You May Want to Check Out

[Cross-posted at Patrick Henry Society]

In a neverending quest to find more and better tools for security, I came across these recently and thought I’d pass them on.

Hopefully you’re not still using LastPass, but if you’re looking for a password manager other than KeePassX, check out Forgiva, which is a new kid on the block being billed as the “new age” password manager. It’s open source, so you can look over the back end of it, although it hasn’t been audited yet that I can tell. Don’t get me wrong, KeePassX is excellent. I do plan to try out Forgiva on some throwaway accounts to see how well it works. I can think of a few applications it may be good for. Keep in mind, however, that it has its issues as well (just like anything else).

While deterministic password managers do away with storage, they are as susceptible to certain forms of attack as regular password managers.

Since users need to somehow get the passwords displayed in the program and enter them on a website or application, it means that they will either be copied to the clipboard, or entered manually using the keyboard.

Depending on the level of complexity of the service, getting hold of the master password may give you access to all passwords unless the product uses other security precautions (like Forgiva does).

Password renewal may also be an issue if the service does not offer an option to do so. Additionally, depending on functionality, these password managers may not offer options to store additional data, security question answers for instance.

Test things out, and use your head.
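To make the caveats quoted above concrete, here is an added illustration of what a deterministic password manager actually does. It is not code from the post or from Forgiva (whose internals the post does not describe); the site names, alphabet and PBKDF2 iteration count are constructed for the example. Nothing is stored: every site password is recomputed from the master password, the site name and a rotation counter, which is exactly why the master password alone reproduces every password, why “renewal” needs a counter the user has to keep track of, and why there is nowhere to keep a security-question answer.

```python
import hashlib
import hmac
import string
from typing import Dict, Tuple

# Added example (not the post's or Forgiva's code): a minimal deterministic
# password manager. Site names, alphabet and iteration count are constructed.

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols
PBKDF2_ITERATIONS = 100_000                                    # assumed setting


def derive_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Return the password for (site, counter). Same inputs always give the same output."""
    # The salt binds the derived key to one site and one rotation generation, so the
    # password for one site reveals nothing about another site's password.
    salt = f"site={site}|counter={counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERATIONS, dklen=32)

    # Turn the key into printable characters with rejection sampling: a byte is used
    # only if it is below the largest multiple of len(ALPHABET) that fits in 256,
    # so every symbol is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))   # 210 for a 70-symbol alphabet
    chars = []
    block = 0
    while len(chars) < length:
        # Counter-mode HMAC stream: as many 32-byte chunks as rejection requires.
        chunk = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
        for b in chunk:
            if b < limit and len(chars) < length:
                chars.append(ALPHABET[b % len(ALPHABET)])
    return "".join(chars)


def rotate(master: str, site: str, current_counter: int) -> Tuple[int, str]:
    """Password 'renewal' in a deterministic scheme: the only way to change one
    site's password without changing the master is to bump its counter. The user
    (or the tool, if it keeps any state at all) must remember the current counter."""
    next_counter = current_counter + 1
    return next_counter, derive_password(master, site, next_counter)


def all_passwords(master: str, sites_and_counters: Dict[str, int]) -> Dict[str, str]:
    """Shows the master-password caveat: given the master and the list of sites,
    every password is reproducible because there is no other secret involved."""
    return {site: derive_password(master, site, c) for site, c in sites_and_counters.items()}


if __name__ == "__main__":
    # Constructed sample "vault": nothing here but site names and counters.
    sites = {"example.com": 1, "mail.example.net": 3}
    for site, pw in all_passwords("correct horse battery staple", sites).items():
        print(f"{site}: {pw}")
    print("after rotation:", rotate("correct horse battery staple", "example.com", 1))
```

The practical reading of this: the only thing protecting every account is the master password plus whatever extra precautions the product layers on top, and the counters are a small piece of state you still have to keep somewhere, which is the “password renewal” problem the quoted text raises.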

The other tool you might be interested in checking out is Bitquick. If you’re looking for Bitcoin transactions where you don’t have to log in anywhere and there’s no identity verification, this might be an option for you. The way it works is, you browse their available orders, and simply go drop cash in the local branch of whatever bank they’re using. Upload the receipt (without having to create an account etc), give them whatever BTC wallet you want to see your coins in (your Jack Sprat wallet, perhaps, for those of you who have been through the Privacy/Anonymity class, but NOT your deep cold storage), and 3 hours later poof, you have Bitcoin. There’s escrow, so it’s not like you’re just blindly putting money into an account. There are a few horror stories on reddit of course, but there seems to be an overwhelmingly positive experience by many, who claim it’s better than LocalBitcoin.com because it doesn’t require any kind of ID. Now, the Bitquick site does warn that if you’re doing large transactions that you may be asked to show ID, but that’s easily gotten around. Why are you doing large transactions anyway?

Keep in mind that if you do use Bitquick, you WILL be on camera making the deposit. So, think through your strategies for that before doing it, and as I mentioned, don’t use this as a direct method to fund your deep cold storage. I haven’t tested either of these, so if you do, let me know what your thoughts are in the comments.

Recruiting on Facebook? You’re Doing It Wrong.

There’s an excellent article at Grugq regarding how police in Spain arrested a cell of five ISIS members. If you haven’t read it, you need to. Pay special attention to this part:

The group used social media, specifically a Facebook page “Islam en Español” (Islam in Spanish), which had over 32,000 followers, to glorify the Islamic State and spread the message of the militant group that operates out of Syria and Iraq, the ministry said.

Out of 32,000 people on that page, they found the five that were operating together as a cell. Why? How? Grugq breaks it down:

The fundamental problem here is that a sympathetic individual who becomes “radicalized” has to learn security procedures to protect themselves against security forces. This is a bootstrapping problem, because they must go from a state of ignorance and curiosity, to knowledgeable without attracting attention.

Using Facebook as a recruiting ground is not the way to avoid attracting attention…ISIS in Europe does not have the luxury of training people, since they have such a weak presence. They are heavily invested in online communities as recruiting groups, which means they’re fishing in a pool of already identified recruits.

Now re-read that, and substitute “III% group” or “Patriot group” or whatever else for “ISIS” and maybe you’ll see the problem. Like it or not, the “patriot” community is heavily invested where? Online. Thousands and thousands of groups. The same names showing up in every group. What does that say? It highlights the recruiting pool.

If you expect to be operating with any kind of secrecy, then you should not be recruiting on Facebook. Why? Because you’re recruiting—by default—from a pool of people who ALREADY are known to the powers that be for their political activities. Your baseline group pool is contaminated in terms of security.

Now this is not to say you can’t recruit people who have Facebook accounts. You should, however, think long and hard about two things.

  1. What exactly are you recruiting for? If you’re just looking for people who will show up to your FTXs, click like on your stuff, and be general folks you aren’t doing anything major with or sharing privileged information with, then sure. Go ahead and post your roll calls and recruiting drives. If you’re planning actual resistance actions, creating a supply train, looking for people to run a safe house, etc., you’re going to want to look outside people who have already announced their presence on Facebook as being involved in anti-tyranny activities.
  2. What exactly are your recruits doing on Facebook? Are they announcing their wish to “start shooting”? Are they penning threatening letters or otherwise engaged in high profile activities? They probably already have attention. By recruiting from Facebook, you’re literally inviting (and possibly even guaranteeing) compromise of your group. It could be argued that even if someone is not an informant, merely having them as part of your group, communicating/working with them could bring your group attention you’re trying desperately to avoid.

You’ll see a lot of groups say that they don’t care if the government sees what they’re doing. The arrogance and

Grugq plainly states that “All of this means that, if you join ISIS from a Facebook group, you’re gonna get arrested.” Think through that (including how many arrests this year included information from Facebook pages and groups for those cases), substitute your own stuff there, and act accordingly.

Software You Should Be Using

I listed Waiting for the Barbarians earlier today on a list of Sites You Should be Reading, and there’s a new post up that proves I was right about it being a must-read site. It’s an excellent list of software you should be using, and he takes the time to go into the pros and cons of each piece of software. If you care at all about your privacy (and you should), then you need to read it and then put it into practice.

Operating Systems: Obviously Linux wins that round. He doesn’t mention Kali Linux or Qubes (the two operating systems I currently run), but the ones he mentions are excellent for beginners and can do anything you need done.

Internet Browsers: The obvious choice here is Tor, as he mentions. He also explains the cons to using Tor:

As stated previously, the Tor network does not provide perfect anonymity. (Nothing does.) Using Tor to surf the Darkweb may also compromise your anonymity. Because traffic is bounced all over the world before arriving at its destination, using Tor is noticeably slower than using a traditional web browser. The current version of Tor is not perfectly stable, and is prone to crashing when large numbers of tabs are loaded.

He goes on to discuss chat programs and much more. I’m not sure that I’d agree wholeheartedly with his assessment of ChatSecure as worth using; a 2015 security audit found serious issues. That being said, most of the issues were addressed very quickly, and the program may be much better now. I’ll have to take another look at it; in the meantime, I’d say use with caution (which is basically what you should be doing with any app).

I do find his assessment of Signal to be spot on. While Signal has been a solid solution for some time, the recent vulnerabilities and its Google dependency are making me rethink its use for anything truly sensitive. At this point, I would have to say Unseen is the better client.

He has several other tips and I highly suggest you read the whole thing. One more point I wanted to make: Iron sharpens iron. We have to be able to learn from each other; his article pointed out something I wasn’t aware of, and I’m glad he pointed it out. This is part of why you need to be doing your own research. We all may miss things. We need to be able to fill those knowledge gaps.

Go read his whole article.