Welcome to the OPSEC of Protesting. Don't worry about taking notes or screenshots. Of course this talk is recorded, but references and links to everything I'm talking about can be found at tiny si slash OPSEC.

So who am I and what do I do? My name is O'Shaugh Marshall. I code, I teach, I hack. I am a full-time developer, full-time red teamer, cyber security consultant, pen tester, whatever you want to call me, but when I'm not doing either of those things, I'm teaching you precisely how to take over the world. As part of penetration testing you're doing constant risk assessments from the perspective of the customer. Finding an exploit is fun and dandy, but if you don't explain why it's bad and how it harms operations, you won't get anywhere. And so I'm inviting you into that same mindset.

Last year I wrote a blog on the OPSEC of protesting. This was following the George Floyd, Breonna Taylor, Ahmaud Arbery and Tony McDade protests, and a lot of fishy stuff was going on in terms of surveillance, as well as people trying to dox people. So this blog was a collection of advice I was passing along to my activist friends. In that article I focused on basic security hygiene: use multi-factor authentication everywhere, encryption at rest and in transit, password managers, VPNs, all of these little things that you can add to improve your security posture, and different security controls. That is great, that's excellent, it fits in line with my background and what I do, and those steps will actually improve your privacy. However, you need to focus in on the why, because the why is critical. Why determines what security controls you're willing to put into place. Why also determines which security controls are better than others, and why can help determine whether the security controls that you implement will harm your OPSEC in other ways.

And so we're in a quiet moment now politically, but that doesn't mean that the government or some other institution isn't going to do something that you don't agree with. Protesting is also not just a right here in the United States; it is a responsibility. Societies that fail to update themselves become brittle, stagnated, tyrannical, and crumble. And I really love this year's DEF CON theme, Can't Stop the Signal, because this is how you promote change. This is how you change the world, more specifically the society that you live in, in a way that actually makes things better for you and everyone around you. Protesting is the PRs; that is how we update society's source code. And when we finally implement that, it gets transformed into the nitty-gritty legislation, as well as judicial reinterpretation of laws and executive policy.

My goal in this talk is to arm you to the teeth, because I don't care about your particular politics. You as a human being have every right to express your thoughts and your opinions without ruining yourself.

So let's dive into OPSEC. Here is this huge definition from NIST. What you really need to focus in on is that OPSEC is short for operational security, and the goal is protecting yourself from threats by controlling evidence of your plans, your thoughts and your intentions from an adversary. It's not about hypotheticals, it's not about best practice or whatever; it's actually working through what will work for your situation, for the goals that you're trying to achieve. For an activist these sorts of strategies can be immediately practical. So say this with me.
Ah, yeah, that is I-A-A-A-A. This is the five-step process for OPSEC for protesting. These steps don't have to be taken in any particular order, but any forethought, meditation and information that you can glean from previous steps will only serve you, by enhancing the analysis and thought process in subsequent steps. The first step is the identification of critical information. The second step is the analysis of threats. Third is the analysis of vulnerabilities. Fourth is the assessment of risks, now that you know what your threats are and what your vulnerabilities are. And then, once you have all that knowledge together, you apply the appropriate countermeasures.

So what exactly is sensitive information? I can tell you one thing that isn't necessarily sensitive information in terms of my ability to be a cyber security consultant or developer, and that is images of my naked body. I shower at the local YMCA, so all you have to do to get read-only access to me is wake up at five in the morning, make a drive, and also identify as male. Although it would be embarrassing and my wife would have some words to say to you, knowing that information does not impact my ability to write code, to present, or to do risk assessments as a cyber security consultant. Note that what I said is that that information isn't critical for me. What is critical for you depends on what your goals are and what the adversary can do armed with that information. So if you're the Department of Defense, for example, anything about DoD activities, intentions, capabilities or limitations, anything that an adversary can use to get a military, economic, political or strategic advantage, automatically falls under the umbrella of critical information.

So how do we bring this back down to the perspective of an activist or an activist organization? Usually for an activist the goal is to spread the message of the movement, and so the things that are critical information usually include the time and location of demonstrations. Again, you have to strike a balance: you want to gather in large numbers, that's the whole point, but disclosing that information a bit too early can allow the adversary to respond with an increased police presence. Also, if you're a conscientious objector or if you're consciously breaking the law, your personal and financial networks are also vital. For an activist organization, donor lists and the people who support you: if they feel that they can be de-anonymized or come under fire, you will find that funding gets stripped, and things like that. Another good one is immoral or criminal activity in the leadership of the activist organization. Ask any politician: reputational harm or reputational damage is an easy way to stop the spreading of the message and of the movement. Knowing this information ahead of time, an organization can plan its leadership and say, okay, this person doesn't necessarily need to be in the forefront because of past criminal history or whatever.

Now we move on to step two, and this is the analysis of threats. Now that you have an idea and intuition of what critical information is, what is sensitive, what you're trying to protect, now you need to view your threat landscape. Any meaningful change to society's source code means that there will be opposition. Threats are any potential occurrence that can create an undesired outcome. Hurricanes are threats, but here in OPSEC we really focus in on the people threats, known as adversaries. So who are your adversaries when you're protesting? Well, there are two major ones.
There are state actors, those are governments as well as law enforcement, and you also have counter-movement protesters. If you're protesting non-violently, your goal is to persuade the mostly inactive majority to your cause. Some people put the mainstream media as an adversary, and that may not necessarily be the case. Major news outlets are actually an asset to any activist; they help spread the message and amplify the word. The only time you're in direct opposition is when the message that you're saying may conflict with their revenue streams. The only reason why any of these media outlets may be particularly political one way or another is to cater to certain demographics and continue that revenue stream. So the media only opposes you if you are boring or if you get in the way of their money.

So now that you know who the adversary is, you need to understand the adversary's intent and capability. From there you can derive the adversary's goals. Some adversaries want complete subjugation of your group identity. Some want full-on genocide. For others, it's just maintaining the status quo. Usually the goal of the adversary in the more immediate term is to block the immediate goals of a particular protest. If you're an activist, maybe you're protesting to influence a local or national election, or maybe you're applying pressure to certain institutions, or maybe it's just, again, to amplify and continue spreading the word; the list could go on. But anything that negates that is the adversary's goal.

So what are the tactics that your adversary will use? Infiltrators are a good one, and a historical example I'd like to bring up is Thurgood Marshall. He was a senior member of the NAACP, and he continued to act as a leader in that space while he leaked information to the FBI in order to weed out communists. Nowadays, when you have a large protest, you'll see that you have a large group of people and then all of a sudden a brick flies through the window and it dishevels from there. Violence is another form of disruption. Just because you may be protesting peacefully doesn't necessarily mean that counter-movement protesters aren't going to explicitly target you and egg you on. This can actually be part of the adversary's overall strategy, because certain news outlets will spread narratives and the story in different ways. So if you can egg on someone else and get them to respond in a violent way, that can get spun in different ways as well. And general surveillance is another tactic and strategy.

With those strategies in mind, you need to ask yourself: what does the adversary already know about the mission? What critical information has already been exposed to the adversary? So if you attended this talk a bit late and the time and location of a protest has already been leaked, well, that information is already available to the adversary, so now there can be an enhanced police presence. It can be more or less severe depending on the particular threat that you're going into. For example, if you're a Hong Kong protester, the time and location of large gatherings could be the difference between life and death in some cases, or indefinite jail time.

Now that you know your threat landscape, now that you have an intuition of who your threats are and their strategies, now you can go into the analysis of vulnerabilities.
Instead of looking outward at what the world looks like, you now have to look inward. A vulnerability is the absence of or weakness in an asset, safeguard or countermeasure. Being able to communicate digitally is an asset, but the flaws, limitations or errors within your technology stack are vulnerabilities. You have to assume that your adversary is constantly on the lookout for critical information and things to glean, and so you need to take inventory of what you use to communicate.

Let's take the hacktivist attacks on Gab and Parler, for example. I'm not going to call Parler a hack, because scraping a publicly available website, information that's out on the open internet anyway, is not a hack. But if the platform that you're using doesn't use any rate limiting, the speed at which your adversary can gain that critical information accelerates. Now, Gab actually is a hacktivist attack, because it was essentially a SQL injection flaw. The one major reason why that SQL injection flaw was found was because Gab is an open source social media platform: the source code for the platform is publicly available, and has to be in order to maintain the licensing. So when you are planning communications for an activist organization, you need to examine the pros and cons of each communication tool that you use, because, as the Navy says, loose lips sink ships. And that's true within protesting and activism as well.

My advice here is: if you're planning sensitive meetings about the inner workings of your group, potentially discussing major overall strategies, try not to have those sorts of things on the open internet. You can use social media to get the word out, but there are some things that have to stay internal before they can be presented to the general public. Also keep in mind that there are some things that can leak critical information later on. Let's say that knowing that member A corresponds directly to leadership in an activist organization in and of itself may not be critical information, but member A also has this style of laptop, and also connects to the Wi-Fi at their grandmother's house with a weak Wi-Fi password. You can see that it's through the chaining of all that information together that critical information can then continue on and be leaked. One of the best ways to identify what could be pieced together as critical information is to hack yourself. Not just go through threat modeling as an intellectual exercise, but actually hire people in the industry who are willing to do not just the risk assessment, but say: all right, we use these sorts of communication tools, these people are your targets, can you get the information from them? That's a really good way to find out real vulnerabilities.

So now that you know your threat landscape as well as the vulnerabilities within your particular organization, you have the tools with which to actually define your risks, because the level of risk depends on the level of your threats multiplied by the number or the intensity of your vulnerabilities. You could have a single threat actor exploiting multiple vulnerabilities, or multiple threat actors exploiting just one critical flaw. In nonviolent protesting there's no such thing as eliminating threats. What you do instead is deny information to your threats, and you reduce your vulnerabilities by selecting your communication mechanisms, limiting information through members, so authorization checks for certain things, and also thinking through: if these members are also leaked, what's the risk if the information known by this group is leaked out?
Now we're at the fun part, and that is applying the appropriate countermeasures. Now that we can do a risk probability, whether it's high, medium or low, you can start addressing your various risks. Again, none of this is ironclad in terms of order. You don't have to start at one, two, three, but any information that you glean from the first works in the last.

Now that we're in this step, we can work out what makes a good countermeasure. First, any countermeasure that does not reduce risk in a meaningful way is not an effective countermeasure; it's just a waste of time. Second, the countermeasure in and of itself cannot lead to OPSEC indicators, little pieces and nuggets of information that can be pieced together and disclose critical information. Again, that reduces the effectiveness of what a countermeasure is supposed to do. And third, and this is something that really involves some meditation and some planning, the cost of the countermeasure cannot exceed the cost of that risk being exploited in the first place. If the countermeasure is way too expensive to actually implement, and I'm not talking about expensive in terms of money, I'm talking about expensive in terms of effort in coordinating and collaborating, then the benefits are moot because no one's going to use it.

Now that we know these three things, we can cycle back to the how. Things like burner phones: you can actually do an assessment on that. Burner phones work. However, if you purchase the burner phone with a debit or credit card, that's not really going to help you. If you use the burner phone in proximity to your real cell phone, that's not going to help you. In fact, the CreepyDOL talk, another DEF CON talk that was done a while ago, shows that correlation between two devices being activated. And so every security control that you wish to implement has to be examined within the context of other security controls and pass this smell test. Let's use Signal, for example. Using Signal for encrypted communication works, and that doesn't seem to be difficult to implement. There are other tools like password managers, VPNs, multi-factor authentication and setting up encryption at rest; all of these things are effective and will pass the smell test. So keep calm and calculate on.

In the beginning I promised to give you the how and explore the why. The how of OPSEC is simple: it is the five steps, the identification of critical information, the analysis of threats, the analysis of your own vulnerabilities, a risk assessment armed with the previous two pieces of information, and the application of appropriate countermeasures. That's the how, and that just leaves us with the why. I can't give you your why, but I can present mine. I am here right now speaking to you because someone made a pull request. It took planning, it took ingenuity and of course some caution. And I want to empower you to keep the signal going and present your changes to the world. Thank you.