Old Opsec file

file from 2017
Federico Bonelli 2018-09-25 21:51:03 +02:00
commit 1bdb0f851d
1 changed files with 207 additions and 0 deletions

opsec.md Normal file

@ -0,0 +1,207 @@
# Dyne.org Operational Security Handbook
AKA a certain behaviour and a set of rules of thumb that will keep you and your information more safe as well in day to day as in production, with a particular focus on mac users. Plus an appendix on operational choices for dyne.org projects confidentiality.
##A draft
v 0.08
last revision 27-06-2017
## Discrection and confidentiality
1. Behavioural discretion
First thing first: assess the type of opposition you have. Consider that we operate in general in medium confidential environment. Type of opposition: who wants to know, why.
Risk assessment: always assess the opposition as stronger than you (and is true that it has a lot of resources), but avoid paranoia: role playing on project based compartments and personal trust is at the base of any assessment. You should use to determine the level of trust of fellows.
* RULE OF THUMB: if you have no trust in someone you should not have business with him :)
* RULE OF FOOT TUMB: friends with everyone, in bed with no one
1.1.
2. Operative discretion: when project is running or when you are in indian country (a.k.a. unfriendly or uncharted territory)
If operation has a peculiar opsec everyone will be briefed beforehand. In any case:
* tree circles metaphore: inner, outer and opposition
* Exemples from cospiracy: rings - in a ring of pairs all information is accessible by all the peers, but nothing goes out to others without agreeing between the inner parties: rule of 5; no more than 5 persons can be efficiently part of a ring. Communication needs escalates. In soviet classic security organizations this was compartimentalised with a controller/ringleader mechanism. We are not in need of that level of paranoia. Yet is good to know.
* Positive view: in/out border: Enforcing confidentiality between peers, agree if disclosure to outer ring is necessary, and keep it on a need to know basis.
* plan B
* “lagendina": write down stuff with pen and ink and keep it in a drawer;
* "il pizzino": a paper written by hand that can be sent to someone, gets read and destroyed on spot. Or such kind of things. Works, is safe from sigint, implies a certain level of trust.
* Need to know - a measure to be used in delivery or operations: you know only what you need to know to perform your task to protect the operation. In this case you dont talk any more about the whole picture, you operate temporarily on a "need to know" basis. Because we are peers you will be debriefed at the end.
* Communication loop outside the magic circle: strategies, objectives, keywords
3. Confidentiality -
A document marked confidential has to be kept such: partial or total disclosure is up to be decided upon by the responsible. Has to have a distribution list printed on his first page so that all recipients know who has access to the document.
A document not marked confidential is still to be kept with a bit of discretionality
3.1. Dyne is a think (&do) tank but also a software foundry. WE USE FIRST OUR OWN SOFTWARE if it does the job. Then open source, then eventually proprietary. Some software we DONT USE ON PURPOISE. IS BANNED. For security reasone AND also for public image reasons.
3.2. Project based workflow confidentiality
* project lead has always to know
* project lead has consultive decision power regarding to the project
* project leader is responsible of its course of actions
3.3. Confidentiality tool:
* You need to create a ssh key, that is composed by two keys, a public and a private
* You need to create a GPG key.
* This key is also attached to your dyne.org mail.
* Use a long key (>4k)
* backup your secret key
* use a unique pass phrase that you don't have to write anywhere and you will always remember.
* keep a secret password file in a safe place. To do so you can use gpg, keep a password file encrypted with gpg.
* dyne developed tomb for hiding secret things in your file servers
* on mac you can use encryption AES 256 on disk images
* dyne developed secrets.dyne.org for shared passwords. Use it were necessary. This tool allows you to encode a string (a password) and shread it into 5 string that can be distributed to friends. Putting 3 of them together can reconstruct the secret string and, as an example, use the lost password to re-open a bitcoin wallet. Use it.
3.3.1. Use of dyne.org git for confidential material
### OSX "security for toddlers"
written by fredd
4. MAC OS X security hardening for everyone
Basic computer security for mac users.
• physical MAC can be stolen or bugged
• passwords and user setup
• encrypted home setup
• Password manager and password security rules of thumbs
• Email is king
• double key how it works for dummies
• gpgmail https://gpgtools.org/index.html install and configuration walkthrough
ref: https://www.intego.com/mac-security-blog/15-mac-hardening-security-tips-to-protect-your-privacy/
Data security
* use encrypted disk image instead of tomb
* Backups and safekeeping
* to find stuff back on many disks I use diskcatalogmaker
* Owncloud: walkthrough for owncloud configuration and use
* you can use apple security tools (cloud backup etc) for your stuff but not for any dyne confidential stuff
* don't trust icloud keychain backup
GIT
SSH keys
just as GPG keys private/public part
unlike GPG keys they are bound to devices not to people. A new laptop you make a key and collect it in
Privacy
• Tor
• Tor Browser
• remember that any phone is a recording and tracking device
Mobile
is your channel in clear or not? Is your channel cleared or memorised forever? Were the memory is going to stay? Logs?
* Signal (http://support.whispersystems.org/hc/en-us/articles/212477768-Is-it-secure-Can-I-trust-it-) is not so cool but safe (maybe)
* Telegram is cool but not safe
* IRC
* xchat azure configuration walkthrough
## DYNE OFFICE Toolkit WALKTHROUGH
* office.dyne.org
based on odoo: calendar, contacts, project kanban, archived documents
* docs.dyne.org
repository for file sharing document based on our servers. Functionalities similar to google drive and dropbox
* pad.dyne.org and calc.dyne.org for shared document writing
* libre office reference office suite
* vdc.dyne.org video conference platform
* irc.dyne.org
* coggle.it (mindmap)
Federico Bonelli
fredd@dyne.org
-----------------------
IRC ON LINUX
(parazyd)
* weechat or irssi in terminal: https://irc.dyne.org
* xchat / hexchat as a standalone IRC client
Dyne.org has a ZNC bouncer that we've started using. We can say that ZNC simulates a connection and makes it look like you're always connected to IRC. This way, whenever and wherefrom(?) you connect to the ZNC server, you will get a playback of all the things you would have missed while you were offline.
You connect to ZNC the same way you connect to any other IRC server;
Server info:
* host: znc.dyne.org
* port: 30001
* server username: yourusername/networkname
(networkname will be "dyne" for dyne's IRC network)
* server password: the same password we used for registration on ZNC service
IMPORTANT!
I DO NOT ALLOW ACCESS IF YOU'RE NOT USING SSL. YOU MUST USE SSL WITH
YOUR CLIENT. IF YOU DON'T USE SSL, THE DOOR IS THAT WAY :)
* channels we are using:
#dyne - our main IRC channel, where most of the things are talked about
#bridge - the channel mostly used for people based in Amsterdam
https://znc.dyne.org also allows you to configure your user via a web-panel. It's very well documented. I set good default settings for you and if you don't use IRC on other networks, you shouldn't need to change anything. You can change your password via the web-panel easily as well. You might like that.
XChat/Hexchat Configuration:
Get it using your usual package manager. It is probably in your official repositories.
Run it, and see below.
https://moo.projectarch.tk/qumwrf.png
https://moo.projectarch.tk/xchat.webm - video
IMPORTANT NOTES FOR ZNC/IRC
IRC is generally not considered as a very secure platforrm, yet it's extremely useful for quick communication. Please encrypt sensitive data. We try to make it more secure by using SSL but this does not promise anything.
JABBER ON LINUX
* pidgin
https://moo.projectarch.tk/gkpoia.png
https://moo.projectarch.tk/pidgin.webm - video
* psi-plus
https://moo.projectarch.tk/dxaplx.png
https://moo.projectarch.tk/jyqanp.png
https://moo.projectarch.tk/psi.webm - video
You can also integrate your GPG key with psi+
* bitlbee (for more tech savvy people, terminal)
IMPORTANT NOTES FOR XMPP/JABBER
* use SSL/TLS. It's supported and good.
* please spend some time and get to know your client.
* at least find time to install the OTR plugin yourself and learn how it works. if someone just shows you how to do it, you will learn and gain nothing from it and your security is basically the same as without using it.
* OTR doesn't work unless both parties are online and explicitly using OTR. Consider it when typing sensitive data.
IRC ON ANDROID
* AndChat (Play Store, find apk if not using. app is worth it)
Open app: https://moo.projectarch.tk/gqhsvp.png
Add a server: https://moo.projectarch.tk/ilwdus.png
https://moo.projectarch.tk/ulwgdz.png
Setup authentication: https://moo.projectarch.tk/vwcwik.png
Save & Connect!
IMPORTANT NOTES
AndChat allows you to encrypt all your configs and logs. Choose a strong password!
JABBER ON ANDROID
* ChatSecure (thx sn0wcrash ;)
Open app, swipe right: https://moo.projectarch.tk/abjdzy.png
Setup credentials: https://moo.projectarch.tk/qjopxw.png
Advanced settings: https://moo.projectarch.tk/hbhezw.png
Sign in!
IMPORTANT FOR ANDROID PHONES
Encrypt your stuff. ESPECIALLY if you have a rooted phone.
IRC ON MAC
* xchat azure / xchat aqua (graphical)
* limechat (graphical)
https://moo.projectarch.tk/yspysa.png
https://moo.projectarch.tk/udnhel.png
* weechat/irssi (terminal)
Installation via app store or terminal.
JABBER ON MAC
* pidgin
* adium (thx fredd ;)
* also facetime works in jabber if i am not wrong, i check
please do :)
See what we can also use with iPhones.
I don't have much experience with Mac. I can do well if I'm in front of the computer, but remotely, without seeing what's going on I'm not quite good with Mac OS X. If you need any help with Mac, please find me AFK or at least provide screenshots.
Ivan aka. parazyd
<parazyd@dyne.org>
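Review bot: section "3.3.1. Use of dyne.org git for confidential material" is a bare heading with no body, and it is the one place where this handbook needs to state whether documents marked confidential (section 3, with a distribution list on the first page) may be committed to dyne.org git at all, and if so in what form (for example only as a GPG-encrypted file or inside a tomb, both of which section 3.3 already recommends); please fill it in or drop the heading so readers do not assume git is an approved channel. Several other items are stubs in the same way: "1.1." under Behavioural discretion is empty, "plan B" under Operative discretion has no text, and the SSH keys paragraph stops mid-sentence at "A new laptop you make a key and collect it in", so the instruction on where per-device keys are collected is missing. Two smaller points: "##A draft" needs a space after the hashes to render as a heading, and "Use a long key (>4k)" should say which unit and key type it refers to, since the same bullet list covers both SSH and GPG keys. In the ZNC section, the server password is described as "the same password we used for registration on ZNC service" while the text later notes the web-panel lets you change it; consider telling users to set a unique password there after first login, given that the notes already flag IRC as not a very secure platform.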