Recruiting on Facebook? You’re Doing It Wrong.

There’s an excellent article at Grugq regarding how police in Spain arrested a cell of five ISIS members. If you haven’t read it, you need to. Pay special attention to this part:

The group used social media, specifically a Facebook page “Islam en Español” (Islam in Spanish), which had over 32,000 followers, to glorify the Islamic State and spread the message of the militant group that operates out of Syria and Iraq, the ministry said.

Out of 32,000 people on that page, they found the five that were operating together as a cell. Why? How? Grugq breaks it down:

The fundamental problem here is that a sympathetic individual who becomes “radicalized” has to learn security procedures to protect themselves against security forces. This is a bootstrapping problem, because they must go from a state of ignorance and curiosity, to knowledgeable without attracting attention.

Using Facebook as a recruiting ground is not the way to avoid attracting attention…ISIS in Europe does not have the luxury of training people, since they have such a weak presence. They are heavily invested in online communities as recruiting groups, which means they’re fishing in a pool of already identified recruits.

Now re-read that, and substitute “III% group” or “Patriot group” or whatever else for “ISIS” and maybe you’ll see the problem. Like it or not, the “patriot’ community is heavily invested where? Online. Thousands and thousands of groups. The same names showing up in every group. What does that say? It highlights the recruiting pool.

If you expect to be operating with any kind of secrecy, then you should not be recruiting on Facebook. Why? Because you’re recruiting—by default—from a pool of people who ALREADY are known to the powers that be for their political activities. Your baseline group pool is contaminated in terms of security.

Now this is not to say you can’t recruit people who have Facebook accounts. You should, however, think long and hard about two things.

  1. What exactly are you recruiting for? If you’re just looking for people who will show up to your FTXs, click like on your stuff, and be general folks you aren’t doing anything major with or sharing privileged information with, then sure. Go ahead and post your roll calls and recruiting drives. If you’re planning actual resistance actions, creating a supply train, looking for people to run a safe house, etc., you’re going to want to look outside people who have already announced their presence on Facebook as being involved in anti-tyranny activities.
  2. What exactly are your recruits doing on Facebook? Are they announcing their wish to “start shooting”? Are they penning threatening letters or otherwise engaged in high profile activities? They probably already have attention. By recruiting from Facebook, you’re literally inviting (and possibly even guaranteeing) compromise of your group. It could be argued that even if someone is not an informant, merely having them as part of your group, communicating/working with them could bring your group attention you’re trying desperately to avoid.

You’ll see a lot of groups say that they don’t care if the government sees what they’re doing. The arrogance and

Grugq plainly states that “All of this means that, if you join ISIS from a Facebook group, you’re gonna get arrested.” Think through that (including how many arrests this year included information from Facebook pages and groups for those cases), substitute your own stuff there, and act accordingly.

Basic Privacy and Anonymity Part 2 Webinar, 31 August 2016

[et_pb_section admin_label=”Section” fullwidth=”off” specialty=”off”][et_pb_row admin_label=”Row” make_fullwidth=”on” use_custom_width=”off” width_unit=”on” use_custom_gutter=”on” gutter_width=”1″ padding_mobile=”off” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” parallax_2=”off” parallax_method_2=”off” column_padding_mobile=”on” padding_top_1=”8%” padding_right_1=”8%” padding_bottom_1=”10%” padding_left_1=”8%” padding_1_last_edited=”on|desktop” padding_1_tablet=”0%|5%|5%|5%”][et_pb_column type=”1_2″][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” text_text_color=”#303030″ text_line_height=”1.5em” use_border_color=”off” border_color=”#ffffff” border_style=”solid” max_width_last_edited=”on|desktop” custom_margin_last_edited=”on|desktop” custom_margin_tablet=”10%||10%|10%” custom_margin_phone=”5%||5%|5%” text_font=”Source Sans Pro||||” header_font_size=”15px”]

Description

This class is geared to those who either need to learn the basics of privacy and anonymity, or who would like a refresher. Everyone has the right to conduct their affairs in private, and this Basic Privacy and Anonymity webinar class will show you how to start doing that. Whether you’re a total beginner who’s never heard of any of this, or someone who’s dabbled but doesn’t feel comfortable with it, or even if you do it all the time and just want to double check and make sure you’re doing it right, this class is for you.

 

[/et_pb_text][/et_pb_column][et_pb_column type=”1_2″][et_pb_image admin_label=”Image” src=”https://www.whiterose.us/wp-content/uploads/2016/08/063.jpg” show_in_lightbox=”off” url_new_window=”off” use_overlay=”off” animation=”fade_in” sticky=”off” align=”right” force_fullwidth=”off” always_center_on_mobile=”on” use_border_color=”off” border_color=”#ffffff” border_style=”solid”] [/et_pb_image][/et_pb_column][/et_pb_row][et_pb_row admin_label=”Row” make_fullwidth=”off” use_custom_width=”off” width_unit=”on” use_custom_gutter=”off” custom_padding=”7.5%||7%|” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” column_padding_mobile=”on”][et_pb_column type=”4_4″][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”center” max_width=”86%” text_font_size=”48″ text_text_color=”#303030″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_css_main_element=”font-weight:900;” text_font=”Source Sans Pro||||” text_line_height=”1.2em” text_font_size_phone=”36″ text_font_size_last_edited=”on|phone”]

These skills will help you protect not only you, but the people you talk to and work with.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row admin_label=”Row”][et_pb_column type=”4_4″][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” use_border_color=”off” border_color=”#ffffff” border_style=”solid”]

This is Part 2 of a two-session class. In this first session, we’ll cover the following:

  • Secure messaging – which ones are best for privacy?
  • Virtual Private Networks (VPN) – how to connect to the internet anonymously.
  • Bitcoin Basics – how to buy and sell cryptocurrency for anonymous purchases.
  • Best practices for online activities – how to evade digital surveillance and protect your metadata.

(Check out the agenda for Part 1 here.)

Both sessions will have a question and answer period as well. Sessions are limited to 25 people so everyone gets a chance to ask questions.

We recently offered this class in-person as a one-day event, and it was a huge success. We had so many requests from outside the Pacific Northwest for this kind of training that we have broken the class up into two sessions, two hours each, and are offering them as a live webinar. (It’ll also be available later as an archive.)

This is an overview class, meant to introduce you to the concepts of privacy and why they’re so critical to Three Percenters and patriots. It’ll also set you up for more advanced classes we will be giving this fall that deal with more advanced functions and operations. If any of the following statements have ever come out of your mouth….

  • I’m not doing anything illegal.
  • There’s no point in any of this; the government can see you no matter what you do.
  • Go ahead and let them look!
  • If you try to be private you’re just making yourself more of a target.

you need to be in this class. You will have your eyes opened.

You get access to BOTH sessions–a total of four hours of live instruction—for $25. That not only includes both webinar sessions live, but access to them later as well so you can go back over the material.

Session 2 is August 31, from 6:30-8:30PM Pacific time. You can reserve your place and get payment info by contacting us here.

Don’t miss your chance to learn how to protect yourself and your group.

[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]

TOWR Guides: The Case for Throwaway Email Addresses

As of April of this year, there were 336,724,945 breached accounts in the Have I Been Pwned? database (yes, I suggest you go to that database and check your email addresses).  That number has since jumped to 1,307,907,501.  This means almost 1.5 BILLION people/credit card numbers/addresses/email addresses/etc. are available, and not many of them are throwaway email addresses; most of them are people’s actual, log-in-every-day, synced-to-your-phone addresses. Before you raise your nose in the air just slightly and sniff that there’s no way you’re on that list because you are careful, let me ask you the following:

  1. Do you remember every single site you have ever entered your email address, name, or any other details about yourself, since the first time you ever logged into the internet?
  2. If by some act of God you could answer “yes” to the above, do you know (and have you kept track of) every business acquisition, re-branding effort, or data sale from every site you’ve ever given your data to, for as long as you’ve been on the internet?

I rest my case. (By the way, here’s a link to answer the question “How is my data in a breach on a site I never gave info to?”) That’s not even counting all the ways that major email providers such as Gmail, Hotmail, and Yahoo already spy on you and use your information.

So what are you supposed to do about all your personal data floating around everywhere? The bad news is, you can’t take that info off the internet completely. The good news, however, is that you can keep them from getting more, and you can change some of the info you have. Enter the throwaway email. When combined with a fake name and even birthdate, you can do a great deal to mitigate the threat there. Before we get into the advanced stuff, however, let’s take a look at one easy way to sign up for things without giving away the proverbial farm.

Mailinator

I happen to think this option is the best for certain situations. The way it works is this: You have a site you need to give an email to in order to sign up; we’ll call that site databuyers.com. You give databuyers.com literally any email address you want, as long as it ends in mailinator.com. It does not matter what mailinator address you give them, because when databuyers.com sends an email to that address, it will create the address at mailinator. This means that if you want to have databuyers.com go to circusmidgetfestival@mailinator.com you can, without setting up an account at mailinator.

How is this possible? It’s because Mailinator has no privacy. Every single email address is public domain and wide open, and anyone can read any email sent to any address. So, if you tell databuyers.com to send the verification email to circusmidgetfestival@mailinator.com, you can immediately go to Mailinator and type that address in (no password needed, since it’s public) and hit Check Any Inbox, and boom, there’s the email. Any email sent to mailinator also gets deleted after a few hours, so don’t think you can go back 2 weeks from now and see that email you got, because it’ll be gone. You can, however, still use the email again, simply by putting the address into whatever site you need it for, because mailinator will recreate it as soon as the email is received. Nifty, right? The more intelligent and creative among you can probably think of some other ways to use this as well.

Pros:

  • You don’t have to give any personal information. In fact, I’d advise against using your real name in Mailinator or when signing up for new accounts at all (even when you’re purchasing something, but circumventing the whole “need all personal info” thing when buying online is a whole other article and involves a bit more work).
  • No passwords or account setup are needed; you simply make up an address that you plan to use, and give that out.
  • Free. We like free.
  • Anonymous at the mailinator site (caveats exist; see the Con list for details)
  • Very easy to use.

Cons:

  • Anyone can read anything sent to any email address in Mailinator. You can test this by going to the Mailinator site and checking johnsmith@mailinator.com. You’ll see all kinds of emails, from spam to account resets. This means you would NOT use this for sending uncoded sensitive messages within your group, for instance (the mailinator website, in fact, points out that if you do, you’re a “stupid head”).
  • If you do need to reset your password (you use KeePassX, so this isn’t a problem, right?), you’d have to send your password reset to the public mailbox, which could be a problem. See above point.
  • Some sites may not allow you to use these email addresses since they’re known as anonymous. They don’t like when you send them fake data; they want your real data. If you find yourself in this position, you may want to ask yourself if you really need to sign up there.

Overall, Mailinator is a solid way to stop giving your personal information to every site you log into. You may even want to change some of your existing accounts to a mailinator address as well.

GuerrillaMail

GuerrillaMail is another option for those who need a throwaway email. Also free, this works somewhat like Mailinator in that it’s a publicly available email inbox. Where guerrillamail differs, however, is in the scrambling of the email address, which means your email can be something like 43r1vk+bze63cax9k05c@sharklasers.com. If someone knows the ID you used on the email inbox, they can access whatever is in there, so it’s best to not use your.name1@sharklasers.com or something like that.

Basically, GuerrillaMail has the same pros and cons as Mailinator, but also has address scrambling to help obfuscate your actual email (which may be something like randomname@, but show up as 43r2cd+8cdzul7vlvf4@sharklasers.com).

The Advanced Stuff

If you’re familiar with the dark web, you may want to consider something on the Tor network as well, for sites you need to use there. (Keep in mind that Tor has its own issues, however; best practices for Tor include using a virtual machine–Qubes if you can run it–a VPN, and not using it at home or work.) Same goes for other darknets like i2p or freenet. If this paragraph made no sense to you, that’s okay for the moment; you might want to start learning though.

What NOT to Do

A lot of us have a Gmail account (or Yahoo/Hotmail/MSN etc). In many cases it’s either our name or some identifying characteristic that lets people know it’s us (mine is from back when I was an aircraft mechanic but I have had Gmail accounts that were my name too, from when I didn’t know better). It’s easy and convenient to just use that for the spam and logins but that’s a bad idea. First of all, as we have taught in our Basic Privacy and Anonymity course, the more convenient something is, the less secure it is. Secondly, if you’re using one of those emails to log into everything, then everyone who has access to your email data also has access to everything in it. Gmail, by default, is a “gigantic profiling machine,” and as far back as 2013, Google was quite clear that anyone who emails a Gmail user has “no legitimate expectation of privacy in information” because they “voluntarily” turned over information to “third parties.”

This means that if you decide to get Protonmail (a good choice) for your sensitive emails but then decide to use your Gmail for all the rest of your everyday logins, you’ve just defeated the purpose of the exercise. In fact, if you own a Gmail account, go look at your Google Dashboard and see how much information there is about you.

The Third Option

Staying on top of your privacy is a never ending endeavor. If you’re an activist or involved in liberty work, however, you don’t have another choice. As a society we are conditioned to think in terms of binary options: one, or zero. Republican/Democrat is a classic example. In reality, however, often there’s a third option that we don’t think of. When it comes to being tracked everywhere we go or having all of our purchases cataloged, it seems sometimes like there’s no way out. Either we are getting tracked (in which case, our beliefs and activities draw suspicion and extra attention), or we go all out and drop off the radar, which also draw suspicion and gets us more attention. It’s easy to feel like we’re being funneled into a no-win situation. But we aren’t, if we think smart. There are ways to turn the system back on itself.

Imagine doing any of the following:

  • Having your Gmail signed up for updates from the DNC, Hillary, Obama, and every anti-gun group there is (if you paid attention to the article on infiltration, you may already be doing this). Obviously this won’t work if your Facebook looks like a meme shrine, and most people suffer from one very exploitable weakness that will ruin this, which I’ll talk about in a future article.
  • Downloading an app that you know tracks your every location when it’s open (such as Pokemon Go or Waze), and establishing a pattern of places and times where you are known to be. Then, send your phone with someone else, in your vehicle, to a place/time in the pattern who will have the app open, tracking “you”—while you go elsewhere to meet with a contact, pick up an anonymous purchase, or check your message drops.
  • Sending yourself a lot of encrypted material at Gmail. As in, so much encrypted stuff that they have to spend resources digging into it. I prefer encrypted cat pics, myself.  While they’re digging through those, I can send other things elsewhere, through different means. Do not send anything related to your activism through your regular email. Ever. For any reason. I see a lot of emails coming to TOWR, asking for training on various topics or wanting to ask us a question related to the movement somehow. It seems like with very few exceptions, all of them are coming from email addresses hosted at Gmail, MSN, or other open provider. In fact, we’ve gotten a few that were from their actual ISP domain (Comcast, Frontier, etc.) Do not do this.

The list goes on. Be creative.

The bottom line is, you’re being tracked. We know that; it’s old news. Our job is to find ways to either dodge that surveillance, or use it in ways that let us work the system to our own advantage. Throwaway email addresses are just one of the tools we have.

Elicitation: Is It Happening to You?

Something we don’t talk about often enough–and we should–is the concept of elicitation, or the process of getting someone to tell you information without them realizing they’re giving it to you. The biggest problem with it is simple: It’s getting done TO us a lot more than we’re doing it to anyone else. That needs to change.

Something we don’t talk about often enough–and we should–is the concept of elicitation, or the process of getting someone to tell you information without them realizing they’re giving it to you. The biggest problem with it is simple: It’s getting done TO us a lot more than we’re doing it to anyone else. That needs to change.

There are several ways to elicit information from someone, and they range from the blatantly obvious instant gratification type to the completely sneaky, long-game, over time version. You should be familiar with both–especially because the folks with the .gov after their name have all kinds of time to do it. Let’s take a closer look.

Why Does Elicitation Work?

The beauty of elicitation is that it isn’t some kind of magic. It’s simply leveraging and exploiting facets of people’s personality, and the basic things that exist in human nature. In our quest to learn from everyone, and not just the people we like, we’re going to look at the FBI’s page on elicitation (I refuse to link to it, however. You can find it yourself). Here’s a list of traits that the FBI likes to exploit:

  • A desire to be polite and helpful, even to strangers or new acquaintances
  • A desire to appear well informed, especially about our profession
  • A desire to feel appreciated and believe we are contributing to something important
  • A tendency to expand on a topic when given praise or encouragement; to show off
  • A tendency to gossip
  • A tendency to correct others
  • A tendency to underestimate the value of the information being sought or given, especially if we are unfamiliar with how else that information could be used
  • A tendency to believe others are honest; a disinclination to be suspicious of others
  • A tendency to answer truthfully when asked an “honest” question
  • A desire to convert someone to our opinion

elicitation 2How many of those fit you? I guarantee a good number of them. If you love those Facebook debates, guess what? You’re on this list. If you can’t stand to hear incorrect information without standing up and saying “That’s wrong because…” then you’re on this list. If you’ve never done an assessment of your critical information, you’re probably underestimating the information you know. If you need to feel like you’re contributing something and have those efforts recognized, you’re on the list. In other words, whoever you are, something on this list will probably work on you if you’re not paying attention.

How it All Works

Elicitation is actually less work, in some ways, than you might think. It simply requires setting aside your own wants and beliefs and needs (such as your need to talk a lot in a conversation), and encouraging the person you’re talking with, to talk more. Let’s look at some examples.

Target: I can’t believe the laws about guns and ammo they just passed here in California.
Collector: I haven’t had a chance to study them. Are they really that bad?
Target: YES they are horrible! I don’t know how my group is going to keep up our weekly ammo buys now.
Collector: Weekly ammo buys?
Target: Yeah, we do a group buy of 5000 rounds every week. It lets all 10 of us get bulk ammo at a reduced price. We’ve been doing it for about 6 months now.
Collector: Oh, nice. That’s pretty shrewd of you! Good planning!
Target: We’ve got some very good connections. One of my guys’ cousins works at the gun shop on 173rd, and he makes sure we get a good price under the table. I could hook you up if it wasn’t for the stupid law. We’re not sure how we’ll get any now. Good thing we stocked up.

Three different tactics were going on here, in succession.

Tactic 1: Naive Mentality, or playing stupid. In the first exchange, the target made a complaint; the collector paid attention, and played as though he didn’t know what the fuss was about. The target was all too happy to expound on his anger and how that law will affect him directly.

Information gained:

  • He’s in a group.
  • They do weekly ammo buys in bulk.

Tactic 2: Repetition. This is where the collector picks up on the key words in the statement, and repeats them back to the target, who will then (again) expand on his statement.

Information gained:

  • Number of rounds purchased.
  • Number of people in the group.
  • Time factor.
  • These three figures mean the collector now knows a baseline of how much ammo each individual in the group has (not counting any previous or side purchases). He knows, at the very least number, what the ammo count is for that group.
  • It’s a good bet that the 5000 rounds is also all in one caliber, which means the collector now can guess that they all run the same weapons platform as well.

Tactic 3: Flattery. People love to be complimented on their skills, their looks, whatever. It’s no different in the patriot/liberty/III movement. In this case, all the collector had to do was compliment the target’s “planning skill” and he got a few more nuggets.

Information gained:

  • Source of the ammo.
  • Location of the source.
  • Nature of the source, and the fact that he’s not internal.
  • The sales are “under the table,” and from a legal gun shop.
  • Perhaps most important: a peek into the target’s mindset. Not exactly an out of the box thinker. They “can’t” get ammo because of the “law.”

If you were playing for a different side, what could you do with that information? How hard would it be to shut down that avenue completely–ensuring that not only can they not get bulk ammo, but no one else in the area can buy anything from that shop?

These are only three very common tactics. There are plenty more. At this point you might be thinking, “who cares if the group has 5 or 50,000 rounds? How is that critical?” What if the collector is a fed looking to know about supply caches? What if he’s simply a ‘marauder’ planning to steal the supplies of others instead of preparing for himself? What if…? And you may, through your critical information assessment (you’re doing one, right?), decide that the amount of ammo you have available to you is okay to be public knowledge. That’s fine—except this guy also decided that the other 9 members of his group ALSO have their ammo numbers as public knowledge. As I’ve said before: your choice to employ information security is yours alone. However, you don’t get to make that decision for others. And if your being a big mouth puts THEIR information at risk, then you’re a jackass.

All of the above comes down to this: The tactics can be used against anyone, on any topic. I have done them, I have seen them work, and I’ve even been caught by them myself. It sounds like a good time to talk mitigation and prevention.

How to Combat It

Here’s an alternative conversation that could/should have happened:

Target: I can’t believe the laws about guns and ammo they just passed here in California.
Collector: I haven’t had a chance to study them. Are they really that bad?
Target: Yeah. I’ll send you a link. Or just do a search for them. You’ll see. Let me know what you think.
Collector: Are these going to affect you and your group?
Target: I don’t have a group. I can’t even keep my own family in line.

See the difference? Here the collector used a new tactic as well when the first one didn’t work–he straight up went fishing. By pretending to already know the target had a group, he encouraged the target to confirm that yes, this will affect them. The target did something that is not exactly easy for a lot of people to do: He hinted at his own incompetence. Even when it’s false, people have a hard time with this. They want to be seen as knowledgeable and competent–which, if you remember from the beginning of this article, is one of the exact things that can be exploited.

Being vigilant can be difficult, but it’s worth it. Here are a few basic examples on what to look for.

  • Flattery – If someone frequently compliments you and you’re not married to them, they want something. People who constantly tell you how amazing/skilled/etc. you are should trip an alarm in your head. If it sounds too good to be true, it is.
  • Frequent repetition – If you’re having conversations where someone is repeating key pieces of your side of the conversation, be aware. Don’t expand. Think through what you just told them that prompted the repetition and decide if you just screwed up–and if you did, how to stop the damage.
  • Be aware of leading questions and fishing expeditions. Figure it this way: Does the person you’re talking to need to know the information you’re about to give them? If not, then it doesn’t matter if it seems as though they may already know. Don’t fall for it.
  • If they are bold enough to flat out ask a direct question, simply ignore it or tell them you don’t know (another difficult thing for folks to do). If you don’t want to lie to people, you can simply say, “Look, I don’t have those kinds of conversations,” and let that be the end of it.
  • Normally I would say to trust your gut. Unfortunately, far too many people have managed to put their “brotherhood” over their brains. It cannot be said enough: Just because someone calls you “brother” does not make them so, and just because you trust someone does not make them trustworthy.
  • Think before you talk. Every time, no matter who you’re talking to.

Elicitation can’t be taught in the space of an article, nor will reading this make you impervious to all forms of it. What it can do, however, is make you want to learn more, to do some research, and to get familiar with it yourself. It does come in handy for a lot of reasons–good, solid ones.

Here’s an interesting case for you to see it in action. And when you’re done, here’s a bit more.

Team Security and Vetting Course

NOTE: This class has been postponed. We will post more information later.. Thanks!

 

 

The Security and Vetting course is a two-day course that prepares students to obtain the skills needed to adequately validate and verify personnel in your teams and organizations. Over the course of two days, we cover the following topics:

• Introduction to Counterintelligence
• In Depth look at the threats of CI
• Operational Security
• Conversation and how to utilize it
• Elicitation skills (and Social Engineering)
• Assessing Credibility of Personnel
• Planning and Conducting a CI Interview

 

These topics are a broad overview, and we will dive much deeper into each topic. Multiple exercises are incorporated into the class to make sure students understand the topics and are able to competently perform them. This course will require critical thinking and coming out of your comfort zone.

The skills taught in this class can be utilized by any individual who values the integrity of their teams or organizations and wants to learn how to maintain that security. You will be given literature we will go over during the course and you will also receive access to exclusive content that you can access after the course to keep up with your skills. As these skills can be perishable if not practiced, we provide you all the tools required to maintain success.

The course is taught by Martin, a former Marine who served as a Counterintelligence and Human Intelligence Specialist. He currently teaches this class as part of Forward Observer Magazine.

Dates: July 23-24

Location: Seattle, WA

The class is $225 per person for the whole weekend. An advance deposit of $100 is required to hold your place in the class.

Email us to hold your seat!