Team Security and Vetting Course

NOTE: This class has been postponed. We will post more information later. Thanks!

 

 

The Security and Vetting course is a two-day course that prepares students to obtain the skills needed to adequately validate and verify personnel in your teams and organizations. Over the course of two days, we cover the following topics:

• Introduction to Counterintelligence
• In Depth look at the threats of CI
• Operational Security
• Conversation and how to utilize it
• Elicitation skills (and Social Engineering)
• Assessing Credibility of Personnel
• Planning and Conducting a CI Interview

 

These topics are a broad overview, and we will dive much deeper into each topic. Multiple exercises are incorporated into the class to make sure students understand the topics and are able to competently perform them. This course will require critical thinking and coming out of your comfort zone.

The skills taught in this class can be utilized by any individual who values the integrity of their teams or organizations and wants to learn how to maintain that security. You will be given literature we will go over during the course and you will also receive access to exclusive content that you can access after the course to keep up with your skills. As these skills can be perishable if not practiced, we provide you all the tools required to maintain success.

The course is taught by Martin, a former Marine who served as a Counterintelligence and Human Intelligence Specialist. He currently teaches this class as part of Forward Observer Magazine.

Dates: July 23-24

Location: Seattle, WA

The class is $225 per person for the whole weekend. An advance deposit of $100 is required to hold your place in the class.

Email us to hold your seat!

How to Make a Truly Anonymous Facebook Account Part I

There are plenty of articles about how to use social media without making your information public, or leaking it to various ad services and info-grabbing bots. That’s not what we’re doing. We’ll be setting up a Facebook account that is not linked to us in any way—even for those who know how to look. Keep in mind that this is NOT your standard alias account. This account not only hides your name and identity from others on Facebook, but it also hides your identity from people or agencies that might be tracking your activity–not by hiding your name, but by making you into someone else.

 

 

Why This Needs to Be Split Into Multiple Articles

Because people have short attention spans, and because the actual process of setting up the framework and getting this put together requires very careful adherence to the process. Before you even create the account, you need certain things set up—including your own head and mindset. This is a building block exercise. Today we are simply exploring the concept. Next we will start making the building blocks necessary to create and run that alternate identity on Facebook—and ultimately online in general.

Why Have a Fake/Anonymous Facebook Account?

  1. Because you want to join groups and communities without it being displayed on your personal page.
  2. Because you don’t want people in the groups you’re joining to know who you really are.
  3. Because you don’t want people who add you or interact with you to know who you are.
  4. Because you don’t want your information tracked or cataloged.
  5. Because you plan to use Facebook as a means to disseminate and/or collect information and propaganda that you don’t want linked to you.
  6. Because you plan to use this account to infiltrate a group.
  7. Because you plan to derail discussions or do some social engineering/rapport building/elicitation.
  8. Because you can, and you shouldn’t have to explain why to anyone.

Any one of these reasons is reason enough, and you may have other reasons not listed here. Whatever your thought process, let’s assume that you want/need an anonymous Facebook account that is not in any way traceable back to you. The nice thing is, this process is repeatable as many times as you need.

The Mindset You Need

In order for this to work, it needs to be used a certain way. Before undertaking this, think through your purpose in creating this account and what you want to do with it. Keep in mind that if you just want an alias account there are ways to do that. This isn’t a how-to for making an account where your name is listed as Bamf Fo Real, or Sheepdog Extraordinaire, or *Your Name* followed by a III. That will not help you.

If you want an account where you have a new name and story, and you become someone else, that’s what this article is for.

DON’T try to make an anonymous account if:

  • You plan to immediately add all the same friends you already have.
  • You plan to use it to go right back to all of the same groups you’re already in.
  • You plan to talk to your friends and family or even known contacts with it.
  • You plan to list your location, hobbies, employer, or any other personal information.
  • You plan to use it in any way that mimics how you personally, currently use Facebook.
  • You cannot control your temper, need for attention, or need to be in charge of something.
  • You plan to use it to engage in any kind of drama involving people already in your life (such as spying on your significant other or sending jackass messages to your arch-nemesis).
  • You are too lazy to use it correctly (“I’m just gonna check this one thing quick while I’m here at home…”)

DO make an account if:

  • You are joining your local leftist/anti-gun/communist/liberal group and you need a new ‘identity’ to get into it.
  • You are planning to use the account for controlling discussion in various groups through tactics discussed elsewhere, such as these.
  • You plan to use it for disruption in certain groups, or releasing information that exposes people.
  • You don’t plan to really post anything but the kind of stuff your targets and/or groups are looking for and aren’t going to foster discussion on your page; you just want to be able to lurk.
  • You need to have a Facebook account to ‘back up’ the name or identity you’re giving people for your liberty activities.
  • You want to keep Uncle Sugar out of your liberty activities (if you plan to perform support functions and/or ‘gray’ activities, you need to keep Uncle Sugar out of your stuff).

Facebook is horrible. We all know that. However, there are times you may need to use it. This is for those times.

**Note: We are not advocating that you use this for illegal activity. We are not responsible if you decide to watch/buy/sell/interact illegal, immoral, or just plain disgusting stuff. Use your powers for good.

The Tools You Need

In order to pull this off, you need to have a few things in place. Setting up the account itself is rather simple, but you need to have a framework in place to make it as airtight as possible (keeping in mind that nothing is 100% perfect…this will definitely make them work for it, if they can get it at all). Here’s a basic list of things you need already set up. (We’ll go over these in more detail).

  1. Access to a VPN, ideally two. (check PrivacyTools.io for a list of solid VPNs that do not operate in the US.)
  2. An updated and current Tails OS running on a flash drive, or a virtual machine.
  3. The Tor Browser (found on Tails as well as a standalone for other uses)
  4. At least $20 in Bitcoin, already mixed, split, and sitting in an anonymous wallet (or five). Bonus points if you also have at least two other wallets in other cryptocurrencies and did some swapping back and forth there as well.
  5. A new name and basic cover (try this site if you get stuck thinking of a random name/identity).
  6. Patience.

What can we do with all of that? A lot.

In the next article we will walk through some of the steps necessary to set up your completely new identity on Facebook. In future articles we’ll go over how to flesh out that identity, give it some depth, and start using it for various activities even outside Facebook. In the meantime, get familiar with the tools and articles above, and start thinking about how to leverage them in your favor.

Signal vs. Wickr: How Secure is Your Secure Messaging App?

Bottom line: Facebook doesn’t cut it; in fact, if you’re still using Facebook to coordinate, recruit, and communicate about your activities (stop doing roll calls!), then you’re a liability to your contacts–there’s no two ways about it. You need secure messaging. No excuses.

Some of you have a secure messaging app you use—but is it secure? The Electronic Frontier Foundation released a Secure Messaging Scorecard that will tell you, and we’ll flesh those ratings out with information from other experts. Let’s see how two of the more prominent apps stack up.

Secure Messaging Criteria

EFF grades each application against a list of criteria on a simple yes/no basis: these are the features it should have; does it have them, or not? Some of these criteria include whether your password or identifying details are stored on their servers, or whether the provider themselves can access your messages. While even a full green light doesn’t mean the app is completely government-proof, it gives you a good idea as to whether you’ll at least make them work for it, and whether the company is on the right track in terms of their goals and capability.

Wickr

Perhaps one of the most popular apps used by those in the movement, Wickr claims that their level of security is better than any other app on the market. It’s free to boot, which makes it highly attractive to many. It has a mostly green light from EFF, but the problem is that Wickr is missing two critical components:

  • Its code is not open for independent review and audit.
  • The security design is not properly documented; i.e., public.

One of the most important parts of the security process is ensuring that each app’s code is available for other coders and security researchers to audit. It’s a self-imposed accountability system that allows the community to ensure quality and that apps do what they say they are supposed to do. In addition, developers typically release a white paper or other technical document to explain in detail how their encryption process works–again, for accountability and transparency. If the system’s encryption process is solid, it doesn’t matter if every single line of code is publicly available. Audits like these have caught both backdoors and coding errors—resulting in a better product. When you’re talking about life and death communications, you need to have the most secure app available. Audits help achieve that through public disclosure of both the encryption and the code itself. The keys are what stay private.

Wickr, however, has not released its code (refusing to even consider it), and that’s caused an interesting debate in the security community. Security researcher Brian Krebs puts Wickr in a group of apps “that use encryption the government says it can’t crack” but others aren’t so sure. This video explains some of the reasons why you should perhaps think twice before trusting your secure information to Wickr. The video was made in 2014; it would be a good idea to check some of the documents he’s talking about to see if any of these issues have changed. (I can tell you from experience that his first issue—them storing your password on their server after claiming they do not—is not rectified as of yet. Also, check out his other videos, especially the one regarding your contacts).

Several other security researchers have also voiced concerns regarding Wickr’s lack of open source accountability.

 

“We have a kind of a maxim in our field, in cryptography, which is that the systems should be open,” says Matthew Green, a cryptography researcher and professor at Johns Hopkins University Information Security Institute. […] For Green, that means “if you don’t know how a system works, you kind of have to assume that it’s untrustworthy.” He adds that this is not about being an open source activist. But Wickr, he says, doesn’t even have white papers on its website explaining how the system works…

“From my perspective I don’t think the company should be telling us, ‘Trust us, it’s safe,’ ‘Trust us, it’s encrypted,’ or ‘Trust us, it’s audited,’” says Nadim Kobeissi, a cryptographer and founder of encrypted browser-based chat service Cryptocat. “We should be able to verify ourselves.”

Others believe that Wickr’s refusal to make their code open to independent audit is just fine. Dan Kaminsky, a security guru, has said he personally audited Wickr’s code and it’s secure. However, Matthew Green sums it up thusly:

Should I use this to fight my oppressive regime? Yes, as long as your fight consists of sending naughty self-portraits to your comrades-at-arms. Otherwise, probably not.

It’s each individual’s choice whether to use Wickr, and Kaminsky’s admonition that “nothing is 100% secure” is a fair one. I use Wickr myself, but not exclusively, and not for anything critical.

Signal

Another increasingly popular app is Signal (formerly RedPhone and TextSecure). It offers both texting and secure calling, and the EFF gives Signal a green light across the board. It has all of the encryption features of Wickr, and also has open source code and documented encryption processes. Matthew Green says that it “does not retain a cache of secrets from connection to connection.” The Intercept also endorses Signal, with the caveat that any app you install is only as secure as the device you install it on. Other endorsers include Bruce Schneier, Edward Snowden, and Laura Poitras (for whatever that may be worth to you personally).

Like Wickr, Signal also has a desktop version. And, since it’s tied to the device, it doesn’t save your password on a server like Wickr does. From Signal’s website:

The Axolotl ratchet in Signal is the most advanced cryptographic ratchet available. Axolotl ensures that new AES keys are used for every single message, and it provides Signal with both forward secrecy and future secrecy properties. The Signal protocol also features enhanced deniability properties that improve on those provided by OTR, except unlike OTR all of these features work well in an asynchronous mobile environment.

For those who would like to audit Signal’s code themselves, you can find that here.
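The "new key for every message" property in the quote above can be seen in a small symmetric-key ratchet. This is an added example, not code from Signal or from this article: the names `kdf_ck`, `Chain` and `MAX_SKIP` are hypothetical, the shared secret is constructed, the HMAC-SHA256 chain with constants 0x01/0x02 is an assumed construction, and the encryption step and the Diffie-Hellman ratchet that provides future secrecy are left out.

```python
import hashlib
import hmac

MAX_SKIP = 16  # assumed bound on keys cached for late-arriving messages


def kdf_ck(chain_key):
    """One ratchet step: return (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class Chain:
    """One direction of a conversation; both ends start from the same secret."""

    def __init__(self, initial_chain_key):
        self.chain_key = initial_chain_key
        self.index = 0      # number of the next key to be derived
        self.skipped = {}   # index -> key for messages not yet received

    def next_key(self):
        """Sender side: derive the key for the next message, then advance."""
        # The old chain key is overwritten, so earlier message keys
        # cannot be re-derived from the state that remains.
        self.chain_key, message_key = kdf_ck(self.chain_key)
        n = self.index
        self.index += 1
        return n, message_key

    def key_for(self, n):
        """Receiver side: key for message n, tolerating out-of-order delivery."""
        if n in self.skipped:
            return self.skipped.pop(n)  # single use, then forgotten
        if n < self.index:
            raise KeyError(f"key {n} was already used and deleted")
        if n - self.index > MAX_SKIP:
            raise ValueError("too many skipped messages")
        while self.index < n:           # cache keys for the gap
            i, message_key = self.next_key()
            self.skipped[i] = message_key
        return self.next_key()[1]


def demo():
    # Constructed shared secret; a real session derives it from a key agreement.
    shared = hashlib.sha256(b"constructed shared secret").digest()
    alice, bob = Chain(shared), Chain(shared)
    sent = [alice.next_key() for _ in range(4)]        # keys for messages 0..3
    # Constructed delivery order: message 2 arrives before 0 and 1.
    received = {n: bob.key_for(n) for n in [2, 0, 1, 3]}
    return sent, received, bob


if __name__ == "__main__":
    sent, received, bob = demo()
    for n, key in sent:
        print(n, key.hex()[:16], received[n] == key)
```

A device seized after message 3 holds only the current chain key: it can derive keys for later messages (which is why the real protocol also mixes in fresh Diffie-Hellman output), but no key for messages 0 to 3 remains in its state.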

Conclusion

What you choose to use and trust is a personal decision. Nothing is completely secure all of the time; anything critical should be kept to face to face meetings. In addition, all standard OPSEC rules should apply. (For a real world case of security fails and how that ended, read this story.) For those who claim that “we aren’t doing anything illegal,” keep in mind that we have reached a point where that determination is made on a case by case basis these days, and the odds are not in your favor. I also daresay that there are quite a few people recently put in jail who, if they’re smart, are rethinking a lot of their OPSEC and security strategies. Besides, as world renowned information security researcher The Grugq points out, “OPSEC is prophylactic, you might not need it now, but when you do, you can’t activate it retroactively.”

I’ll do a future article on other apps such as Silent Circle, Telegram, Zello, and more. In the meantime, sit down and decide what your critical information is. Do some basic threat analysis. Next, do some research on the above programs and decide what you can afford to compromise in terms of security. For many users of secure chat, it’s a life or death decision. Keep that in mind.

Above all, take the time to research and learn. You don’t have to be a computer wizard, but you do need to learn the basics of encryption and how to protect yourself. There’s an excellent beginner primer here (add this blog to your daily reads). For those who prefer a classroom setting, we have the Groundrod Primer class coming up in a few weeks. We highly recommend you check out both.

Whatever you do, for the love of Pete, stop using Facebook as a coordination, networking and recruiting tool.

SHTF Intelligence Course

Sam Culper of Forward Observer Magazine is teaching a SHTF Intelligence course in Spokane, WA in mid-March. If you haven’t taken this class yet, you need to–and if you’re one of the folks who have been asking us for an intelligence class in the Spokane area, we’ll simply point you in Sam’s direction for this one. He’s one of the best out there for this particular topic; he literally wrote the book on it. Here’s a taste of what you’ll be learning:

– threat identification
– threat analysis
– understanding the threat environment and you
– understanding the community security mission
– community security strategies
– the Intelligence Cycle
– how to gather intelligence information (specific for your locale)
– how to analyze incoming intelligence information
– how to set up a community intelligence section
– the fundamental tasks and responsibilities of the intelligence section
– Intelligence Preparation of the Battlefield & Community
– Area Assessments

There’s a lot more information on the FOMag website. If you want to know what’s really going on around you, if you truly want to understand the threats we face, and if you want to learn how to effectively deal with community intelligence then you need this course. Don’t wait until SHTF to care about this stuff—you need to understand SHTF Intelligence NOW.

As an added bonus, you can help out TOWR’s mission as well by attending! Sam has agreed to donate to TOWR for any students who we send to his course. So, go learn some critical skills AND let him know we sent you, so you can help us bring you more classes as well, such as the Groundrod Primer class in just a few weeks!

 

CSG Groundrod Primer Class

This is the first course of the Groundrod series, which establishes the educational foundation of secure internet and device usage in the age of Pri$m.

The Groundrod Primer course is designed to incorporate a high level of student interaction. You will learn by doing.

* Understanding the current threat models in regards to nefarious collection of:
– Web browsing
– Phone calls
– Emails
– Chat
– Contact lists
– Location
– Private storage/data

* Options to counter the threat:
– Devices, hardware and software
– Human terrain, practicing practical tradecraft

* Implementation techniques
– Personal computer options
– Using a secure laptop successfully
– Using a secure phone / tablet

* Student lab / FTX
– Working in teams
– Establishing comms via secure accounts
– Covering your tracks / forensics

Need to bring:
Personal Laptop
Libertas Tablet (if you have one)
3 USB “thumb drives” (minimum) of at least 4GB capacity each
Note taking material

If you’ve been reading TOWR for any length of time then you understand why this class is needed, and why you need to be there. The bottom line is this: If you do not have the skills in this class, then you are putting the people you work with in danger. We are long past the point where lack of skills is acceptable.

This is NOT like our other classes. Participants will be vetted and approved to attend. Once you are vetted and approved, you will be registered in the class. Cost is $220 per person, but if there is a hardship, please contact us. Do not allow the cost to deter you from taking this course.

Dates: 26-27 March 2016

Class location will be given to each participant but not posted publicly.

This class will be taught by K@CSG. His bio can be found here.

The Groundrod Primer class is perhaps one of the most necessary courses you’ll take as a member of the patriot movement. Don’t miss it!

Registration:

  1. Email towr@whiterose.us and request vetting for the class.
  2. You will be mailed further instructions.