Keystroke Loggers in USB Chargers

The FBI, interestingly enough, is warning private industry partners to beware of “highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards.” You think?

“If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information,” FBI officials wrote in last month’s advisory. “Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.”

Before you get excited and think the FBI was looking out for you, take note of the following:

The FBI’s Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. [emphasis added]

Keep in mind how simple it would be to put one in a hotel room or other public place. Do you leave your laptop in your hotel room? Extremely bad idea. And by the way…if you think that the FBI is being altruistic somehow…you’d be wrong.

Here’s another article on the Evil Maid attack type. You should most definitely read it.

One last thing. If you’re thinking about buying a Blackphone, don’t. Here are three reasons why…but there are more.

How to Make a Truly Anonymous Facebook Account Part I

There are plenty of articles about how to use social media without making your information public, or leaking it to various ad services and info-grabbing bots. That’s not what we’re doing. We’ll be setting up a Facebook account that is not linked to us in any way—even for those who know how to look. Keep in mind that this is NOT your standard alias account. This account not only hides your name and identity from others on Facebook, but it also hides your identity from people or agencies that might be tracking your activity–not by hiding your name, but by making you into someone else.

Why This Needs to Be Split Into Multiple Articles

Because people have short attention spans, and because the actual process of setting up the framework and getting this put together requires very careful adherence to the process. Before you even create the account, you need certain things set up—including your own head and mindset. This is a building block exercise. Today we are simply exploring the concept. Next we will start making the building blocks necessary to create and run that alternate identity on Facebook—and ultimately online in general.

Why Have a Fake/Anonymous Facebook Account?

  1. Because you want to join groups and communities without it being displayed on your personal page.
  2. Because you don’t want people in the groups you’re joining to know who you really are.
  3. Because you don’t want people who add you or interact with you to know who you are.
  4. Because you don’t want your information tracked or cataloged.
  5. Because you plan to use Facebook as a means to disseminate and/or collect information and propaganda that you don’t want linked to you.
  6. Because you plan to use this account to infiltrate a group.
  7. Because you plan to derail discussions or do some social engineering/rapport building/elicitation.
  8. Because you can, and you shouldn’t have to explain why to anyone.

Any one of these reasons is reason enough, and you may have other reasons not listed here. Whatever your thought process, let’s assume that you want/need an anonymous Facebook account that is not in any way traceable back to you. The nice thing is, this process is repeatable as many times as you need.

The Mindset You Need

In order for this to work, it needs to be used a certain way. Before undertaking this, think through your purpose in creating this account and what you want to do with it. Keep in mind that if you just want an alias account there are ways to do that. This isn’t a how-to for making an account where your name is listed as Bamf Fo Real, or Sheepdog Extraordinaire, or *Your Name* followed by a III.  That will not help you.

If you want an account where you have a new name and story, and you become someone else, that’s what this article is for.

DON’T try to make an anonymous account if:

  • You plan to immediately add all the same friends you already have.
  • You plan to use it to go right back to all of the same groups you’re already in.
  • You plan to talk to your friends and family or even known contacts with it.
  • You plan to list your location, hobbies, employer, or any other personal information.
  • You plan to use it in any way that mimics how you personally, currently use Facebook.
  • You cannot control your temper, need for attention, or need to be in charge of something.
  • You plan to use it to engage in any kind of drama involving people already in your life (such as spying on your significant other or sending jackass messages to your arch-nemesis).
  • You are too lazy to use it correctly (“I’m just gonna check this one thing quick while I’m here at home…”)

DO make an account if:

  • You are joining your local leftist/anti-gun/communist/liberal group and you need a new ‘identity’ to get into it.
  • You are planning to use the account for controlling discussion in various groups through tactics discussed elsewhere, such as these.
  • You plan to use it for disruption in certain groups, or releasing information that exposes people.
  • You don’t plan to really post anything but the kind of stuff your targets and/or groups are looking for and aren’t going to foster discussion on your page; you just want to be able to lurk.
  • You need to have a Facebook account to ‘back up’ the name or identity you’re giving people for your liberty activities.
  • You want to keep Uncle Sugar out of your liberty activities (if you plan to perform support functions and/or ‘gray’ activities, you need to keep Uncle Sugar out of your stuff).

Facebook is horrible. We all know that. However, there are times you may need to use it. This is for those times.

**Note: We are not advocating that you use this for illegal activity. We are not responsible if you decide to watch/buy/sell/interact illegal, immoral, or just plain disgusting stuff. Use your powers for good.

The Tools You Need

In order to pull this off, you need to have a few things in place. Setting up the account itself is rather simple, but you need to have a framework in place to make it as airtight as possible (keeping in mind that nothing is 100% perfect…this will definitely make them work for it, if they can get it at all). Here’s a basic list of things you need already set up. (We’ll go over these in more detail).

  1. Access to a VPN, ideally two. (check PrivacyTools.io for a list of solid VPNs that do not operate in the US.)
  2. An updated and current Tails OS running on a flash drive, or a virtual machine.
  3. The Tor Browser (found on Tails as well as a standalone for other uses)
  4. At least $20 in Bitcoin, already mixed, split, and sitting in an anonymous wallet (or five). Bonus points if you also have at least two other wallets in other cryptocurrencies and did some swapping back and forth there as well.
  5. A new name and basic cover (try this site if you get stuck thinking of a random name/identity).
  6. Patience.

What can we do with all of that? A lot.

In the next article we will walk through some of the steps necessary to set up your completely new identity on Facebook. In future articles we’ll go over how to flesh out that identity, give it some depth, and start using it for various activities even outside Facebook. In the meantime, get familiar with the tools and articles above, and start thinking about how to leverage them in your favor.

Signal vs. Wickr: How Secure is Your Secure Messaging App?

Bottom line: Facebook doesn’t cut it; in fact, if you’re still using Facebook to coordinate, recruit, and communicate about your activities (stop doing roll calls!), then you’re a liability to your contacts–there’s no two ways about it. You need secure messaging. No excuses.

Some of you have a secure messaging app you use—but is it secure? The Electronic Frontier Foundation released a Secure Messaging Scorecard that will tell you, and we’ll flesh those ratings out with information from other experts. Let’s see how two of the more prominent apps stack up.

Secure Messaging Criteria

EFF uses a list of criteria to grade each application on a simple yes/no basis. The formula is simple: these are the features an app should have; does it have them, or not? Some of these criteria include whether your password or identifying details are stored on their servers, or whether the provider themselves can access your messages. While even a full green light doesn’t mean the app is completely government-proof, it gives you a good idea as to whether you’ll at least make them work for it, and whether the company is on the right track in terms of their goals and capability.

Wickr

Perhaps one of the most popular apps used by those in the movement, Wickr claims that their level of security is better than any other app on the market. It’s free to boot, which makes it highly attractive to many. It has a mostly green light from EFF, but the problem is that Wickr is missing two critical components:

  • Its code is not open for independent review and audit.
  • The security design is not properly documented; i.e., public.

One of the most important parts of the security process is ensuring that each app’s code is available for other coders and security researchers to audit. It’s a self-imposed accountability system that allows the community to ensure quality and that apps do what they say they are supposed to do. In addition, developers typically release a white paper or other technical document to explain in detail how their encryption process works–again, for accountability and transparency. If the system’s encryption process is solid, it doesn’t matter if every single line of code is publicly available. Audits like these have caught both backdoors and coding errors—resulting in a better product. When you’re talking about life and death communications, you need to have the most secure app available. Audits help achieve that through public disclosure of both the encryption and the code itself. The keys are what stay private.

Wickr, however, has not released its code (refusing to even consider it), and that’s caused an interesting debate in the security community. Security researcher Brian Krebs puts Wickr in a group of apps “that use encryption the government says it can’t crack” but others aren’t so sure. This video explains some of the reasons why you should perhaps think twice before trusting your secure information to Wickr. The video was made in 2014; it would be a good idea to check some of the documents he’s talking about to see if any of these issues have changed. (I can tell you from experience that his first issue—them storing your password on their server after claiming they do not—is not rectified as of yet. Also, check out his other videos, especially the one regarding your contacts).

Several other security researchers have also voiced concerns regarding Wickr’s lack of open source accountability.

“We have a kind of a maxim in our field, in cryptography, which is that the systems should be open,” says Matthew Green, a cryptography researcher and professor at Johns Hopkins University Information Security Institute. […] For Green, that means “if you don’t know how a system works, you kind of have to assume that it’s untrustworthy.” He adds that this is not about being an open source activist. But Wickr, he says, doesn’t even have white papers on its website explaining how the system works…

“From my perspective I don’t think the company should be telling us, ‘Trust us, it’s safe,’ ‘Trust us, it’s encrypted,’ or ‘Trust us, it’s audited,’” says Nadim Kobeissi, a cryptographer and founder of encrypted browser-based chat service Cryptocat. “We should be able to verify ourselves.”

Others believe that Wickr’s refusal to make their code open to independent audit is just fine. Dan Kaminsky, a security guru, has said he personally audited Wickr’s code and it’s secure. However, Matthew Green sums it up thusly:

Should I use this to fight my oppressive regime? Yes, as long as your fight consists of sending naughty self-portraits to your comrades-at-arms. Otherwise, probably not.

It’s each individual’s choice whether to use Wickr, and Kaminsky’s admonition that “nothing is 100% secure” is a fair one. I use Wickr myself, but not exclusively, and not for anything critical.

Signal

Another increasingly popular app is Signal (formerly RedPhone and TextSecure). Offering both texting and secure calling, the EFF gives Signal a green light across the board. It has all of the encryption features of Wickr, and also has open source code and documented encryption processes. Matthew Green says that it “does not retain a cache of secrets from connection to connection.” The Intercept also endorses Signal, with the caveat that any app you install is only as secure as the device you install it on. Other endorsers include Bruce Schneier, Edward Snowden, and Laura Poitras (for whatever that may be worth to you personally).

Like Wickr, Signal also has a desktop version. And, since it’s tied to the device, it doesn’t save your password on a server like Wickr does. From Signal’s website:

The Axolotl ratchet in Signal is the most advanced cryptographic ratchet available. Axolotl ensures that new AES keys are used for every single message, and it provides Signal with both forward secrecy and future secrecy properties. The Signal protocol also features enhanced deniability properties that improve on those provided by OTR, except unlike OTR all of these features work well in an asynchronous mobile environment.

For those who would like to audit Signal’s code themselves, you can find that here.

Conclusion

What you choose to use and trust is a personal decision. Nothing is completely secure all of the time; anything critical should be kept to face-to-face meetings. In addition, all standard OPSEC rules should apply. (For a real world case of security fails and how that ended, read this story.) For those who claim that “we aren’t doing anything illegal,” keep in mind that we have reached a point where that determination is made on a case-by-case basis these days, and the odds are not in your favor. I also daresay that there are quite a few people recently put in jail who, if they’re smart, are rethinking a lot of their OPSEC and security strategies. Besides, as world renowned information security researcher The Grugq points out, “OPSEC is prophylactic, you might not need it now, but when you do, you can’t activate it retroactively.”

I’ll do a future article on other apps such as Silent Circle, Telegram, Zello, and more. In the meantime, sit down and decide what your critical information is. Do some basic threat analysis. Next, do some research on the above programs and decide what you can afford to compromise in terms of security. For many users of secure chat, it’s a life or death decision. Keep that in mind.

Above all, take the time to research and learn. You don’t have to be a computer wizard, but you do need to learn the basics of encryption and how to protect yourself. There’s an excellent beginner primer here (add this blog to your daily reads). For those who prefer a classroom setting, we have the Groundrod Primer class coming up in a few weeks. We highly recommend you check out both.

Whatever you do, for the love of Pete, stop using Facebook as a coordination, networking and recruiting tool.

10 Rules for Liberty Guerrillas

There’s an excellent list up here regarding some basic operating rules for liberty guerrillas. If you haven’t seen it, we highly suggest you take a look. Read, learn, and live. Via WRSA:

1. It is important to maintain a belief in final victory. Morale is everything.

2. Large numbers of [counter propaganda] appearing day after day, night after night, everywhere, will make the Regime nervous and raise the self-confidence of the population since such activities demonstrate the inefficiency of the existing Regime and the power and strength of the resistance movement.

3. Whenever practical, successful guerrilla forces use non-electronic means to communicate.

4. It is a principle of political science that it is easier to persuade people to vote against something or someone than to persuade them to vote in favor of something.

5. Liberty guerrillas form centers of resistance EVERYWHERE and they are always in action. Thus, when the Regime attempts to confront/solve one “media” crisis of anti-Regime opinion, another flares up. This serves to also drain the Regime’s manpower and resources.

6. Always, always, ALWAYS be on the offensive.

7. Short, snappy slogans spread the message. Advertising/marketing gurus know that to gain traction, a slogan must be 7 words or less.

“BE ALL THAT YOU CAN BE”.

Turn the tables on the opposition: Palin’s “Obama: WTF indeed” is classic.

8. Mix it up. Never be predictable. But always be lawful.

9. Undermine the Regime’s morale and their propaganda by exposing their methods and by constant emphasis on the unjustness of their cause and effects on the population.
(Higher prices? Thanks, Obama).

10. Exploit the alternative media to communicate the ideas of the Liberty movement and resistance to the Regime. Be everywhere; be informed; make it known you are aware of the lies disseminated by the Regime and aren’t falling for them.

We need to stop posting memes and talking about action, and start using the tools available to us (social media, computers in general, tradecraft, peaceful civil disobedience, etc.) to change the game.

73 Rules of Spycraft for Patriots – Rules 61-73

Happy Sunday, Patriots.

Check out our upcoming events – there are still a few seats for the AR-15 80% Receiver Completion course.  Think about this: for only $200 you leave the class with new skills AND a legal AR-15 receiver that you built yourself.  No I-594, no 4473, nothing.  The class is 3/5.  Contact us at TOWR@whiterose.us to get a seat.

We also have a two-day statement analysis class on 2/6-7.  Learn to identify liars and figure out what they might be hiding.  This is a PROFESSIONAL course and we will have LEOs attending; it’s THAT good.  We worked with the instructor to get you the class for $100, a hefty discount on material that’s normally only available to professionals.

With that out of the way, we’re on the home stretch of the Rules of Spycraft series.  The original document we’re quoting is available here.  Mr. Dulles, take us away:

61.  The place you live in is often a thorny problem.  Hotels are seldom satisfactory.  A flat of your own where you have everything under control is desirable; if you can share it with a discreet friend who is not in the business, so much the better.  You can relax into a normal life when you get home, and he will also give you an opportunity of cover.  Obviously the greatest care is to be taken in the choice of servants.  But it is preferable to have a reliable servant than to have none at all.  People cannot get in to search or fix telephones, etc. in your absence.  And if you want to not be home for awkward callers (either personal or telephonic), servants make that possible.

All this talk of servants makes me think of Bruce Wayne and Alfred.  Unfortunately, as normal Americans, most of us can’t afford a manservant to handle our mundane business.  Like many of the things we do, we must improvise.  For us, I think the “discount Alfred” could perhaps be an elderly parent.  They may not be physically capable of running and gunning, but they can keep an eye on your home and contribute to your mission.

62.  If a man is married, the presence of his wife may be an advantage or disadvantage.  That will depend on the nature of the job – as well as on the nature of the husband and wife.

63.  Should a husband tell his wife what he is doing?  It is taken for granted that people in this line are possessed of discretion and judgment.  If a man thinks his wife is to be trusted, then he may certainly tell her what he is doing – without necessarily telling her the confidential details of particular jobs.  It would be fair to neither husband nor wife to keep her in the dark unless there were serious reasons demanding this. A wife would naturally have to be coached in behavior in the same way as an agent.

A common thread in prepper communities is the unsupportive spouse.  Sometimes it’s the husband, sometimes it’s the wife.  I’m not going to attempt to weigh in there, aside from reminding you that your priority is your spouse and family.  If your prepping causes a major divide between you, then it’s all for naught anyway.

64.  Away from the job, among your other contacts, never know too much.  Often you will have to bite down on your vanity, which would like to show what you know.  This is especially hard when you hear a wrong assertion being made or a misstatement of events.

65.  Not knowing too much does not mean not knowing anything.  Unless there is a special reason for it, it is not good either to appear a nitwit or a person lacking in discretion.  This does not invite the placing of confidence in you.

66.  Show your intelligence, but be quiet on anything along the line you are working.  Make others do the speaking.  A good thing sometimes is to be personally interested “as a good patriot and anxious to pass along anything useful to official channels in the hope that it may eventually get to the right quarter.”

This goes back to the grey man.  I admit that on occasion I struggle with not correcting folks when they’re wrong (doggone INTJ tendencies), but I continue to work on it.  There are advantages to not being known as the “right-wing extremist nutjob” at work.

67.  When you think a man is possessed of useful knowledge or may in other ways be of value to you, remember that praise is acceptable to the vast majority of men.  When honest praise is difficult, a spot of flattery will do equally well.

That’s basic social engineering right there.

68. Within the limits of your principles, be all things to all men.  But don’t betray your principles.  The strongest force in your show is you.  Your sense of right, your sense of respect for yourself and others.  And it is your job to bend circumstances to your will, not to let circumstances bend or twist you.

69.  In your work, always be in harmony with your own conscience.  Put yourself periodically in the dock for cross examination.  You can never do more than your best; only your best is good enough.  And remember that only the job counts – not you personally, excepting in the satisfaction of a job well done.

70.  It is one of the finest jobs going, no matter how small the part you play may appear to be.  Countless people would give anything to be in it.  Remember that and appreciate the privilege.  No matter what others may do, play your part well.

Sticking to your principles in our movement can be tough.  When people in our circles start playing politics and manipulating people to gather power to themselves it can be disheartening.  You may be in the minority, even within the movement.  During those times, do your job, do it well, and don’t give up.

With rule 70, obviously folks aren’t clamoring to be in our movement; however, how many of us have thought to ourselves, “I was born in the wrong time,” or, “I hope that if X ever happens again that I will do my part.”  We’re heading into interesting times and we need to be ready to do our part to keep liberty going.

71.  Never get into a rut.  Or rest on your oars.  There are always new lines around the corner, always changes and variations to be introduced.  Unchanging habits of work lead to carelessness and detection.

For years, folks in our movement focused on storing beans, bullets, and bandaids.  In the past few years, as a group, we’ve expanded that; people are maturing and picking up medical and comms skills.  Today, the trend is to add intelligence gathering to the mix.  There is always a way to expand our capabilities both individually and collectively.  TOWR wants to help you do that by providing affordable and quality training.

72.  If anything, overestimate the opposition.  Certainly never underestimate it.  But do not let that lead to nervousness or lack of confidence.  Don’t get rattled, and know that with hard work, calmness, and by never irrevocably compromising yourself, you can always, always best them.

73.  Lastly, and above all – REMEMBER SECURITY.

We have a powerful adversary, but the American people are uniquely suited to defeating tyranny.  Nobody can say for sure what’s happening tomorrow, but we can do our best to be ready.

PS. The above points are not intended for any cursory, even interested, glance.  They will bear – each of them – serious attention, and at least occasional reperusal.  It is probable, furthermore, that dotted here and there among them will be found claims that have particular present application for each person who reads them.  These, naturally, are meant to be acted upon straightaway.

Couldn’t have said it better myself.

EDUCATE. EMPOWER. RESIST.