Tradecraft for Patriots: Moscow Rules Part 2

Yesterday we looked at the first part of the Moscow Rules, a list of operating protocols for CIA personnel stationed in Moscow during the Cold War. As we’ve discussed many times, security procedures are remarkably similar regardless of the field or group using them, including the Moscow Rules. Drug dealers, organized crime, and even terrorist groups use tradecraft, and a smart partisan will study their methods, see what works and what doesn’t, and learn from it.

In this article we’ll go through the second half of the Moscow Rules and what they mean to you as a well-rounded partisan.

  • Any operation can be aborted; if it feels wrong, then it is wrong.

Right out of the gate, we see another reference to trusting your gut. Yes, it’s that important. If you’re going out to train with your firearm and suddenly one of your guys wants to bring one of his buddies, if it feels wrong, don’t do it. If you’ve set up a buyer for your firearm and when you get there the guy doesn’t seem right, don’t sell. Use your head, trust your gut.

This brings me to another pair of points. We talked in the last article about people getting turned into informants against groups and individuals, as law enforcement looks to criminalize the patriot movement. The recent case of Schuyler Barbeau is a classic example of how informants are used to put people in jail. More importantly, it’s a quintessential case study in how NOT to act on social media. It’s also a perfect example of why you should vet the people you associate with. We’ll be doing an article specifically on the OPSEC failures in this case—not because we believe that Barbeau didn’t have the right to own an SBR. The Second Amendment secures the right of any citizen to own whatever they want, and to buy and sell that personal property as they see fit. However, the truth is that we live in enemy territory, so to speak. You can bet that Barbeau’s OPSEC and PERSEC failures are being used to full advantage by the authorities, and every single person he associated with is now getting their own info parsed out. The fact that his arrest and imprisonment is unconstitutional does not negate the fact that Barbeau made some basic mistakes. To ignore them is stupid and dangerous. We can be incensed about the unconstitutionality of his arrest while still admitting that mistakes were made and learning from them.

  • Keep your options open.

Again, self-explanatory. Don’t put all your eggs in one basket. Don’t be caught with only one plan and no backups.

  • If your gut says to act, overwhelm their senses.

You can figure out what this one means.

  • Use misdirection, illusion, and deception.
  • Hide small operative motions in larger non threatening motions.
  • Hide an SD card transfer in a friendly hug.

This speaks to some of the smaller gestures that we engage in. When transferring information between yourself and another party, make it a small motion encased in a bigger, innocent motion—such as hiding an SD card transfer in a hug or even handshake.

  • When free, In Obscura, immediately change direction and leave the area.
  • Break your trail and blend into the local scene.
  • Execute a surveillance detection run designed to draw them out over time.
  • Avoid static lookouts; stay away from chokepoints where they can reacquire you.

There is a decent tutorial on detecting and countering surveillance over at ITS Tactical. While you’re over there, check out their piece on performing a self-surveillance. It’s critical that you understand your own movements; you might realize that no matter how many “secure” text apps you have, your actions may be wide open.

  • Once is an accident; twice is a coincidence; three times is an enemy action.

This is one of the more important rules, and one that is pooh-poohed by a fair amount of people. The truth is that it goes back to trusting your gut. Some people—myself included—believe that coincidences rarely happen. If something seems wonky, that’s because it probably is. Pay attention to patterns; things that match, and things that don’t. Pay attention to people. Get training in seeing deception (the Statement Analysis class coming up in February is a fantastic start), and learn to detect changes in their conduct patterns. Learn what motivates the people around you and how that motivation may be used against them—and by extension, against you.

  • Select a meeting site so you can overlook the scene.
  • Keep any asset separated from you by time and distance until it is time.
  • If the asset has surveillance, then the operation has gone bad.
  • Only approach the site when you are sure it is clean.
  • After the meeting or act is done, “close the loop” at a logical cover destination.
  • Be aware of surveillance’s time tolerance so they aren’t forced to raise an alert.
  • If an alert is issued, they must pay a price and so must you.
  • Let them believe they lost you; act innocent.

These are all rules for setting up meetings. They seem pretty logical and obvious, but you’d be surprised at how many people don’t do them or even think of them. People like convenience, and if things are inconvenient (such as setting up a meeting properly, using secure comms or engaging in OPSEC), people don’t like to do them. It takes work to operate correctly. It takes vigilance and attention to detail. It only takes one mistake to compromise not only yourself, but everyone you work with. If you have people you trust to have your back, don’t screw them over by being lax in your dealings.

  • There is no limit to a human being’s ability to rationalize the truth.

The final Moscow rule deals with human nature. We’ve all seen it: the anti-gun liberal who refuses to see the truth, the family members who willfully ignore the situation in our country and prefer to pretend like everything is fine. Another hard and cold truth, however, is that patriots do it too. They refuse to practice safety and security. They refuse to believe that privacy is necessary. They refuse to believe that their Facebook chats and Zello meetings and emails are being watched. They refuse to believe that physical fitness is necessary. They refuse to accept that intelligence is a critical part of the equation, or that having zero knowledge about the irregular threats in their area is dangerous. They even refuse to accept that the people they work with might be untrustworthy or even working against them. The reasons for these rationalizations are myriad, and could fill up an entire series of articles. But the bottom line is that they happen.

As patriots we have to be smarter than that. We have to pay better attention, be willing to learn from our mistakes; in fact, we need to be willing to admit that the mistakes happen at all. Don’t rationalize, don’t sugarcoat. Take hard looks at yourself, your training, your ability to operate. Be willing to accept that you have deficiencies—we all do. Be willing to learn, have a teachable attitude, and seek out the training you’re missing. Start practicing your OPSEC. Start working on your intelligence preparation. Start doing the things you’re not doing now. Share the information and training that you possess, and learn from those who are better than you are.

Educate. Empower. Resist.

Run Your Own Mail Server

If you read our article on secure email yesterday and still wonder if that’s enough to protect your communications, then perhaps you’ve thought about setting up and hosting your own mail server. While this might sound fairly daunting, the truth is that you don’t have to be a technical guru to pull it off. Mail in a Box is a production-quality project allowing you to set up your own email server. This gives you total control over all facets of its security and any other options. The site has very clear setup instructions and even a video you can follow along.

Keep in mind that you won’t be able to run this at home because computers on most residential networks are blocked from sending mail both on the sending end (e.g. your ISP blocking port 25) and on the receiving end (by blacklists) because residential computers are all too often hijacked to send spam. Your home IP address is also probably dynamic and lacks configurable “reverse DNS.” If any of these apply to you, you’ll need to use a virtual machine in the cloud. You can, however, set it up on that virtual machine.

While we don’t recommend this for the beginner, it’s also not as difficult as you might think. Take a look and see what you think. From the website:

Mail-in-a-Box is based on Ubuntu 14.04 LTS 64-bit and uses very-well-documented shell scripts and a Python management daemon to configure the system. Take a look at the system architecture diagram and security practices.

Development takes place on github at

Note that the goals of this project are to . . .

  • Make deploying a good mail server easy.
  • Promote decentralization, innovation, and privacy on the web.
  • Have automated, auditable, and idempotent system configuration.
  • Not make a totally unhackable, NSA-proof server (but see our security practices).
  • Not make something customizable by power users.

Mail-in-a-Box is dedicated to the public domain using CC0.

There’s another option too, if you’ve got a Raspberry Pi laying around. This guide will literally walk you through booting your Raspberry Pi for the first time, all the way up to getting a secure webserver running. In fact, the guide itself is hosted on a Raspberry Pi. Take a look.

Free Online Cyber Security Training

With the Thanksgiving holiday going on, we took a bit of time off to focus on our families. We are still here, however, and still working on bringing you excellent training spanning all the fields that you need to be a well-rounded partisan. While others are fighting over TVs and brawling in the store aisles, you can sit back and get some much-needed free online cyber security training right there on your couch—including CompTIA certification. Think about that. Free online cyber security training. is billed as the “world’s first free and open, online Cyber Security and IT training platform.” They believe cyber security and IT training should be free to all, and they offer entire courses in some pretty critical fields. The following list is JUST their Cyber Security Learning track (they have others as well):

  • CompTIA Security+ – In this class you will gain a stable foundation of Cyber Security and Information Assurance as well as prepare for the security industry’s most sought after entry level certification.

  • Cryptography – Learn how to secure data communications through the use of cryptographic messaging and practices.

  • Ethical Hacking and Penetration Testing – Learn the fundamentals of hacking and penetration testing. Think like a hacker, so that you can stop them from intruding into your systems. This class will help prepare you for the industries most sought after certification, EC-Council’s CEH.

  • Computer and Hacking Forensics – In order to catch cyber criminals, you have to learn how to retrace their steps and correctly acquire and document the evidence. Also prepare for the industry leading CHFI certification from the EC-Council.

  • CompTIA Advanced Security Practitioner (CASP) – This advanced certification covers deep topics that span across both Cyber Security as well as Information Assurance.

  • ISACA Certified Information Systems Auditor (CISA) – Become an expert in information systems auditing and controlling with this leading auditor certification from ISACA.

  • Certified Information Systems Security Professional (CISSP) – The leading certification for Information Assurance management personnel. This course is both very deep, and very broad. Be ready to study hard!

  • Post Exploitation – Learn what to do to maintain your presence and to gather intelligence after you have exploited the target system.

  • Social Engineering and Manipulation – Take a look inside the form, function and flow of a highly skilled social engineering cyber-attack. Learn to protect the human element.

  • Python for Security Professionals – Learn the commands and functions that every aspiring cyber security professional must know from Python. This isn’t a full programming course, but rather a course designed for non-coders who are developing their career in security.

  • Metasploit – An in-depth look inside the Metasploit Framework intended to show you how to use it to its full potential.

  • Malware Analysis and Reverse Engineering – An introduction to reverse engineering malware. This class is for experienced Cyber Security professionals, generally at least two to three years in the field is preferred.

  • Advanced Penetration Testing by Georgia Weidman – This class is for advanced Cyber Security professionals. You will learn in depth, hands-on, advanced hacking techniques to help you target and penetrate almost any highly secured environment.

What does all that mean? It means that you can start at the beginning, and get walked through all the way to advanced skills, including certification, for free (all you pay for is the certification exam if you choose to get certified). It means you no longer have an excuse to not know at least the basics of things like cyber security, social engineering, encryption, and other topics. If nothing else, take the Social Engineering and Manipulation course.  These are skills used against us every day. Learn how to defend against them…or use them yourself.

This weekend while you’re laying around stuffed on turkey leftovers, take a look at and what they have to offer.

SHTF Threats: Your Neighbors, Friends and Family

One of the most important skills you can have as a partisan is that of threat analysis. Being able to know if someone or something is going to be a problem before they become that problem is a pretty critical tool to have. It’s a hard and uncomfortable truth that one of the most dangerous SHTF threats to you and your immediate family is not the government. It’s your next door neighbor, your non-prepping buddies, and even your extended family. A reader sent us an article recently from 299 Days on this (thanks Jeff!), and it reminded me that this topic needs to be written about—even if it doesn’t fit into the Tradecraft for Patriots series we’re currently in. Would you take on additional mouths to feed if your buddy showed up with his family? Let’s take a closer look at why or why not.

Continue reading “SHTF Threats: Your Neighbors, Friends and Family”

20 Web Pages, 500 Trackers

We all know that web sites often load trackers and ad programs when we visit. This is why it’s recommended that you use plugins like Ghostery, or take other steps to block those trackers. But how bad is it really? Try 500 trackers in 20 pages.

Politico, for instance, has over 100 trackers in its site. In one test, it loaded 89 of them on one visit to its front page. The Daily Mail, another popular site, was even worse.

A single click on its Mail Online flagship sends a whopping 672 requests, but it manages to run them at blazing speed (19 sec loading time) for a feather weight of 3 Mb, including 2.7 Mb for 578 super-optimized pictures that don’t exceed 120 Kb each.

The Mail Online wins many digital speed/weight records. It is one of the most optimized web sites in the world (see our last week story on the obesity plaguing the news industry). But when it comes to monitoring users, The Mail Online also scores high with 79 trackers loaded in one stroke (see below), of which I was able to detail only 63 in my main table:


These two sites aren’t alone. The author of that article tested 20 popular sites such as CNN, Wired, and others, and found over 500 trackers. Chances are extremely high that you visit at least one of these sites on a daily basis; then again, if you visit ONE of them, ONE time, you’re already tracked.

To get an idea of how complete a picture they get, now multiply that by all the times per day you visit, the places you are when you visit, and how you connect. Maybe you read your Facebook feed in the morning with your coffee between 0630 and 0700, and you visit a few links that go to CNN or Daily Mail or Politico. You connected via your wifi at home, so now there’s a series of data points showing that you are home at that hour every day, and that you probably leave for work between 0700 and 0730. Maybe you go to those sites on your lunch or break or while waiting on the train, carpool, or even in traffic. That’s another time/date stamp with location. None of this is even counting the part where it tracks what you click, what you like, buy, talk about, think about, and how all of that dovetails with other information about your browsing habits, interests, and what kinds of things you’re searching for on the internet.

If you’re a bit freaked out, that’s normal. If you’re angry and want to do something about it, now you’re on the right track. There are ways to stop these trackers from pegging your every move and time of movement. We’ll show you some of them at the Cryptoparty on December 5th. It’s free, so make plans now to attend. In the meantime, check out Ghostery.