
# Dyne.org Operational Security Handbook

That is, a set of behaviours and rules of thumb that will keep you and your information safer, both day to day and in production, with a particular focus on Mac users. Plus an appendix on operational choices for the confidentiality of dyne.org projects.

THIS IS A LIVING DOC

## A draft

v 0.09 last revision 25-09-2018

## Discretion and confidentiality

  1. Behavioural discretion. First things first: assess the type of opposition you have. Consider that we generally operate in a medium-confidentiality environment. Type of opposition: who wants to know, and why. Risk assessment: always assume that the opposition is stronger than you, better organised and already knows a lot (it is true that it has a lot of resources). At the same time avoid paranoia: you act and think in a way that makes you a tough cookie.
  • you act according to the law and to your constitutional rights
  • you act according to high ethical standards
  • you are not alone

As such, role playing on project-based compartments and personal trust is at the base of any security assessment. You use paranoia

  • RULE OF THUMB: if you have no trust in someone you should not do business with them :)
  • RULE OF FOOT THUMB: friends with everyone, in bed with no one
  2. Operative discretion: when a project is running or when you are in Indian country (a.k.a. unfriendly or uncharted territory)

If an operation has a peculiar opsec level, everyone will be briefed beforehand. In any case:

  • Three circles metaphor: inner, outer and opposition.
  • Examples from conspiracy: rings. In a ring of peers all information is accessible by all the peers, but nothing goes out to others without agreement between the inner parties. Rule of 5: no more than 5 persons can efficiently be part of a ring; beyond that, communication needs escalate. In classic Soviet security organisations this was compartmentalised with a controller/ringleader mechanism. We are not in need of that level of paranoia, yet it is good to know just in case.
  • Positive view, the in/out border: enforce confidentiality between peers, agree whether disclosure to the outer ring is necessary, and keep it on a need-to-know basis.
  • Keep a plan B.
  • "L'agendina": write stuff down with pen and ink and keep it in a drawer. It is not safer, but it is much more expensive for the opposition to send a team to break into your house and look for a piece of paper than to bug your computer with malware.
  • "Il pizzino": a paper written by hand that can be sent to someone, gets read and is destroyed on the spot, or that kind of thing. It works, is safe from SIGINT, and implies a certain level of trust. A plus is that you can recognise handwriting, and handwriting carries signs of emotional stress. Consider a form of talk that might carry a word which, if used, implies you believe you are compromised... the rest is a Le Carré book (a very good read).
  • Need to know: a measure to be used in delivery or operations. You know only what you need to know to perform your task, to protect the operation. In this case you don't talk any more about the whole picture; you operate temporarily on a "need to know" basis. Because we are peers you will be debriefed at the end.
  • Communication loop outside the magic circle: strategies, objectives, keywords.

  3. Confidentiality. A document marked confidential has to be kept as such: partial or total disclosure is to be decided upon by the responsible person. It has to have a distribution list printed on its first page so that all recipients know who has access to the document. A document not marked confidential is still to be spoken of with some discretion outside our circle.

3.1. Dyne is a think (& do) tank but also a software foundry. WE USE OUR OWN SOFTWARE FIRST if it does the job; then open source, then eventually proprietary. Some software we DON'T USE ON PURPOSE: IT IS BANNED, for security reasons AND also for public image reasons.

3.2. Project based workflow confidentiality

  • the project lead always has to know
  • the project lead has consultative decision power regarding the project
  • the project lead is responsible for its course of action

3.3. Confidentiality tools:

  • You need to create an SSH key pair, composed of two keys, a public and a private one.
  • You need to create a GPG key. Get familiar with double key (public/private) encryption.
    • The public key is also attached to your dyne.org mail.
    • Use a long key (>4k).
    • Back up your secret key SAFELY.
    • Use a unique passphrase to unlock your key, one that you don't have to write down anywhere and will always remember.
    • Never put your passphrase in a keychain, never write it down, never use easy-to-guess stuff or ciphers.
  • Keep a secret password file in a safe place. To do so you can use GPG: keep the password file encrypted with GPG.
  • Dyne developed Tomb for hiding secret things on your file servers; if on Linux, get familiar with Tomb.
  • On Mac you can use AES-256 encryption on disk images.
  • Dyne developed secrets.dyne.org for shared passwords. Use it where necessary. This tool allows you to encode a string (a password) and shred it into 5 strings that can be distributed to friends. Putting 3 of them together reconstructs the secret string and, as an example, lets you use the recovered password to re-open a bitcoin wallet. Use it.

3.3.1. Use of dyne.org git for confidential material: gitea.dyne.organisations

3.3.2. Use cloud.dyne.org for keeping files you want to sync between your machines or share with your colleagues

  • avoid Google Docs. A file on gdocs is to be considered compromised
  • avoid Dropbox-type services for sharing: use cloud.dyne.org

  4. What if
  • Your computer is stolen
    • raise the alarm with your peers, let us know
    • if your HD was encrypted as described, chances are your data is not compromised
  • Your computer is compromised, for example by a virus or malware
    • you can learn a lot by cleaning it up
    • you have been compromised: call home to allow us to assess the damage

## OSX "security for toddlers"

written by fredd

  1. Mac OS X security hardening for everyone

Basic computer security for Mac users:

  • physical: a Mac can be stolen or bugged
  • passwords and user setup 101
  • encrypted home
  • password manager and password security rules of thumb: use Apple Keychain
  • email is king
  • double key encryption: how it works for dummies
  • GPGMail (https://gpgtools.org/index.html): install and configuration walkthrough

ref: https://www.intego.com/mac-security-blog/15-mac-hardening-security-tips-to-protect-your-privacy/

About crypto: https://www.gnupg.org/faq/gnupg-faq.html

## Data security

  • use an encrypted disk image instead of Tomb (howto)
  • backups and safekeeping (cloud.dyne.org)
  • to find stuff back on many disks I use DiskCatalogMaker
  • cloud: walkthrough for Nextcloud configuration and use
  • you can use Apple security tools (cloud backup etc.) for your own stuff but not for any dyne confidential stuff. Best not to use iCloud
  • don't trust iCloud Keychain backup
  • INSTALL SHELL OSX DEV tools
  • INSTALL HOMEBREW
  • how to use Git: GUIs
  • how to use SSH keys: just like GPG keys they have a private/public part; unlike GPG keys they are bound to devices, not to people. On a new laptop you make a key and collect it in
  • Privacy: some tools that are there to assure you a certain kind of privacy if you think you might be observed
    • Tor
    • Tor Browser
    • Heads
    • remember that any phone is a perfect recording and tracking device

Mobile: is your channel in the clear or not? Is your channel wiped or memorised forever? Where is the memory going to stay? Logs?

## DYNE OFFICE Toolkit WALKTHROUGH

  • office.dyne.org is obsolete; it has been replaced by Nextcloud: cloud.dyne.org
  • repository for document-based file sharing on our servers. Functionality similar to Google Drive and Dropbox; install the client on your desktop/laptop/mobile
  • pad.dyne.org for shared document writing. Preferably use "code" and write in markdown.
  • for note taking and todos: https://joplin.cozic.net, free and open source, integrated with Nextcloud and multi-platform (mobiles as well)
  • LibreOffice is the reference office suite
  • vdc.dyne.org is our in-house video conference platform (Jitsi)
  • irc.dyne.org, old school IRC server (also accessible at http://irc.dyne.org)
  • coggle.it (mindmap, not secure but useful)

Federico Bonelli fredd@dyne.org


## IRC ON LINUX (parazyd)

Dyne.org has a ZNC bouncer that we've started using. We can say that ZNC simulates a connection and makes it look like you're always connected to IRC. This way, whenever and from wherever you connect to the ZNC server, you will get a playback of all the things you would have missed while you were offline. You connect to ZNC the same way you connect to any other IRC server:

Server info:

  • host: znc.dyne.org
  • port: 30001
  • server username: yourusername/networkname (networkname will be "dyne" for dyne's IRC network)
  • server password: the same password we used for registration on the ZNC service
  • IMPORTANT! I DO NOT ALLOW ACCESS IF YOU'RE NOT USING SSL. YOU MUST USE SSL WITH YOUR CLIENT. IF YOU DON'T USE SSL, THE DOOR IS THAT WAY :)
  • channels we are using:
    • #dyne - our main IRC channel, where most things are talked about
    • #bridge - the channel mostly used for people based in Amsterdam

https://znc.dyne.org also allows you to configure your user via a web panel. It's very well documented. I set good default settings for you, and if you don't use IRC on other networks you shouldn't need to change anything. You can change your password via the web panel easily as well. You might like that.

XChat/HexChat configuration: get it using your usual package manager; it is probably in your official repositories. Run it, and see below.

  • https://moo.projectarch.tk/qumwrf.png
  • https://moo.projectarch.tk/xchat.webm - video

IMPORTANT NOTES FOR ZNC/IRC: IRC is generally not considered a very secure platform, yet it's extremely useful for quick communication. Please encrypt sensitive data. We try to make it more secure by using SSL, but this does not promise anything.
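As an added illustration of the connection parameters above (not part of parazyd's notes or of ZNC itself), a minimal Python client setup that refuses to talk to the bouncer without verified TLS. The `user/network` form in PASS and USER is ZNC's documented login convention and is an assumption here, since the handbook only names the client's server-username field; "yourusername" and "yournick" are placeholders.

```python
"""Added example: a TLS-only connection to the Dyne ZNC bouncer described above.
Not part of the handbook or of ZNC; it shows the "user/network" login form and
a client that refuses to talk to the bouncer without verified SSL/TLS."""
import socket
import ssl

ZNC_HOST = "znc.dyne.org"  # from the handbook
ZNC_PORT = 30001           # from the handbook


def znc_login_lines(username, network, password, nick):
    """IRC registration lines for ZNC.

    Assumption: ZNC's documented convention of passing "user/network" in PASS
    and USER; the handbook itself only names the client's server-username field.
    """
    if any(c in username + network for c in "/: \r\n"):
        raise ValueError("username and network must not contain '/', ':' or whitespace")
    if any(c in password + nick for c in " \r\n"):
        raise ValueError("password and nick must not contain whitespace")
    ident = f"{username}/{network}"
    return [f"PASS {ident}:{password}", f"NICK {nick}", f"USER {ident} 0 * :{nick}"]


def tls_context():
    """Verify the bouncer's certificate and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect(username, network, password, nick, host=ZNC_HOST, port=ZNC_PORT):
    """Open the TLS socket, send the registration lines and return the socket."""
    raw = socket.create_connection((host, port), timeout=10)
    conn = tls_context().wrap_socket(raw, server_hostname=host)  # no plaintext path
    for line in znc_login_lines(username, network, password, nick):
        conn.sendall((line + "\r\n").encode("utf-8"))
    return conn


if __name__ == "__main__":
    import getpass
    # "yourusername" / "yournick" are placeholders; "dyne" is the network name above.
    sock = connect("yourusername", "dyne", getpass.getpass("ZNC password: "), "yournick")
    print(sock.recv(4096).decode("utf-8", errors="replace"))
```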

## JABBER ON LINUX

## IRC ON ANDROID

  • AndChat (Play Store; find the apk if you're not using it. The app is worth it)
    • Open the app: https://moo.projectarch.tk/gqhsvp.png
    • Add a server: https://moo.projectarch.tk/ilwdus.png https://moo.projectarch.tk/ulwgdz.png
    • Set up authentication: https://moo.projectarch.tk/vwcwik.png
    • Save & Connect!

IMPORTANT NOTES: AndChat allows you to encrypt all your configs and logs. Choose a strong password!

## JABBER ON ANDROID

  • ChatSecure (thx sn0wcrash ;)
    • Open the app, swipe right: https://moo.projectarch.tk/abjdzy.png
    • Set up credentials: https://moo.projectarch.tk/qjopxw.png
    • Advanced settings: https://moo.projectarch.tk/hbhezw.png
    • Sign in!

IMPORTANT FOR ANDROID PHONES: encrypt your stuff, ESPECIALLY if you have a rooted phone.

## IRC ON MAC

Ivan aka. parazyd parazyd@dyne.org