
Dyne.org Operational Security Handbook

That is, a set of behaviours and rules of thumb that will keep you and your information safer, both day to day and in production, with a particular focus on Mac users. Plus an appendix on operational choices for the confidentiality of dyne.org projects.

## A draft

v 0.08 last revision 27-06-2017

Discretion and confidentiality

  1. Behavioural discretion. First things first: assess the type of opposition you have. Consider that we generally operate in a medium-confidentiality environment. Type of opposition: who wants to know, and why. Risk assessment: always assess the opposition as stronger than you (and it is true that it has a lot of resources), but avoid paranoia: role playing on project-based compartments and personal trust is the basis of any assessment. Use it to determine the level of trust of fellows.
  • RULE OF THUMB: if you have no trust in someone you should not do business with them :)
  • RULE OF FOOT THUMB: friends with everyone, in bed with no one

1.1.

  1. Operative discretion: when a project is running or when you are in Indian country (a.k.a. unfriendly or uncharted territory). If an operation has a peculiar opsec, everyone will be briefed beforehand. In any case:
    • Three circles metaphor: inner, outer and opposition.
    • Examples from conspiracy: rings. In a ring of peers all information is accessible by all the peers, but nothing goes out to others without agreement between the inner parties. Rule of 5: no more than 5 persons can efficiently be part of a ring; beyond that, communication needs escalate. In classic Soviet security organisations this was compartmentalised with a controller/ringleader mechanism. We are not in need of that level of paranoia, yet it is good to know.
    • Positive view, the in/out border: enforce confidentiality between peers, agree whether disclosure to the outer ring is necessary, and keep it on a need-to-know basis.
    • Plan B.
    • "lagendina": write stuff down with pen and ink and keep it in a drawer.
    • "il pizzino": a paper written by hand that can be sent to someone, gets read and is destroyed on the spot. Or such kinds of things. It works, is safe from SIGINT, and implies a certain level of trust.
    • Need to know: a measure to be used in delivery or operations. You know only what you need to know to perform your task, to protect the operation. In this case you don't talk any more about the whole picture; you operate temporarily on a "need to know" basis. Because we are peers you will be debriefed at the end.
    • Communication loop outside the magic circle: strategies, objectives, keywords.

  2. Confidentiality: a document marked confidential has to be kept so; partial or total disclosure is to be decided by the person responsible. It has to have a distribution list printed on its first page so that all recipients know who has access to the document. A document not marked confidential is still to be kept with a bit of discretion.

3.1. Dyne is a think (& do) tank but also a software foundry. WE USE OUR OWN SOFTWARE FIRST if it does the job. Then open source, then eventually proprietary. Some software we DON'T USE ON PURPOSE. IT IS BANNED. For security reasons AND also for public image reasons.

3.2. Project based workflow confidentiality

  • the project lead always has to know
  • the project lead has consultive decision power regarding the project
  • the project leader is responsible for its course of action

3.3. Confidentiality tools:

  • You need to create an SSH key pair, composed of two keys, a public and a private one.
  • You need to create a GPG key.
    • This key is also attached to your dyne.org mail.
    • Use a long key (>4k).
    • Back up your secret key.
    • Use a unique passphrase that you don't have to write down anywhere and will always remember.
  • Keep a secret password file in a safe place. To do so you can use gpg: keep a password file encrypted with gpg.
  • Dyne developed tomb for hiding secret things on your file servers.
  • On a Mac you can use AES-256 encryption on disk images.
  • Dyne developed secrets.dyne.org for shared passwords. Use it where necessary. This tool allows you to encode a string (a password) and shred it into 5 strings that can be distributed to friends. Putting 3 of them together reconstructs the secret string and, as an example, lets you use the recovered password to re-open a bitcoin wallet. Use it.
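As an added illustration of the split-and-recombine scheme just described (a 3-of-5 threshold using Shamir secret sharing over a prime field), here is example code written for this handbook; it is not the implementation behind secrets.dyne.org, and the prime and the sample password are constructed for the example:

```python
import secrets  # the stdlib CSPRNG, unrelated to the dyne.org tool

# Constructed parameter: a 521-bit Mersenne prime field is large enough to
# hold a password of up to 65 bytes as a single field element.
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with coefficients coeffs at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret: bytes, shares: int = 5, threshold: int = 3):
    """Split `secret` into `shares` points (x, y); any `threshold` of them
    reconstruct it, and fewer reveal nothing about it."""
    s = int.from_bytes(secret, "big")
    if s >= PRIME or not 2 <= threshold <= shares:
        raise ValueError("secret too long for the field or bad threshold")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]

def recover_secret(shares) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from any subset of shares.
    With fewer than `threshold` shares this yields a random-looking value."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # Passwords are encoded big-endian, so a leading NUL byte would be lost.
    return total.to_bytes((total.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    password = b"constructed-wallet-passphrase"  # constructed sample
    parts = split_secret(password)               # hand one part to each friend
    assert recover_secret([parts[0], parts[2], parts[4]]) == password
    print("recovered from 3 of 5 shares:", recover_secret(parts[:3]))
```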

3.3.1. Use of dyne.org git for confidential material

OSX "security for toddlers"

written by fredd

  1. MAC OS X security hardening for everyone

Basic computer security for Mac users.
  • physical: a Mac can be stolen or bugged
  • passwords and user setup
  • encrypted home setup
  • password manager and password security rules of thumb
  • email is king
  • double key: how it works for dummies
  • gpgmail https://gpgtools.org/index.html install and configuration walkthrough

ref: https://www.intego.com/mac-security-blog/15-mac-hardening-security-tips-to-protect-your-privacy/

Data security

  • use an encrypted disk image instead of tomb
  • backups and safekeeping
  • to find stuff back on many disks I use diskcatalogmaker
  • Owncloud: walkthrough for owncloud configuration and use
  • you can use Apple security tools (cloud backup etc.) for your own stuff but not for any dyne confidential stuff
  • don't trust iCloud keychain backup

GIT

SSH keys, just like GPG keys, have a private and a public part; unlike GPG keys, they are bound to devices, not to people. For a new laptop you make a new key and collect it in

Privacy
  • Tor
  • Tor Browser
  • remember that any phone is a recording and tracking device

Mobile: is your channel in the clear or not? Is your channel cleared or memorised forever? Where is the memory going to stay? Logs?

DYNE OFFICE Toolkit WALKTHROUGH

  • office.dyne.org, based on odoo: calendar, contacts, project kanban, archived documents
  • docs.dyne.org: repository for document-based file sharing on our servers. Functionality similar to Google Drive and Dropbox
  • pad.dyne.org and calc.dyne.org for shared document writing
  • LibreOffice: reference office suite
  • vdc.dyne.org: video conference platform
  • irc.dyne.org
  • coggle.it (mindmap)

Federico Bonelli fredd@dyne.org

IRC ON LINUX (parazyd)

Dyne.org has a ZNC bouncer that we've started using. ZNC keeps a connection open and makes it look like you're always connected to IRC. This way, whenever and from wherever you connect to the ZNC server, you get a playback of everything you missed while you were offline. You connect to ZNC the same way you connect to any other IRC server.

Server info:
  • host: znc.dyne.org
  • port: 30001
  • server username: yourusername/networkname (networkname will be "dyne" for dyne's IRC network)
  • server password: the same password we used for registration on the ZNC service

IMPORTANT! I DO NOT ALLOW ACCESS IF YOU'RE NOT USING SSL. YOU MUST USE SSL WITH YOUR CLIENT. IF YOU DON'T USE SSL, THE DOOR IS THAT WAY :)

Channels we are using:
  • #dyne - our main IRC channel, where most things are talked about
  • #bridge - the channel mostly used for people based in Amsterdam

https://znc.dyne.org also allows you to configure your user via a web panel. It's very well documented. I set good default settings for you, and if you don't use IRC on other networks you shouldn't need to change anything. You can easily change your password via the web panel as well. You might like that.

XChat/HexChat configuration: get it using your usual package manager; it is probably in your official repositories. Run it and see below.
  • https://moo.projectarch.tk/qumwrf.png
  • https://moo.projectarch.tk/xchat.webm (video)

IMPORTANT NOTES FOR ZNC/IRC: IRC is generally not considered a very secure platform, yet it's extremely useful for quick communication. Please encrypt sensitive data. We try to make it more secure by using SSL, but this does not promise anything.
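The same client setup in code, as an added example written for this handbook rather than anything shipped by dyne.org or ZNC: it builds the IRC registration lines for the bouncer (server username "user/network", ZNC password in PASS, exactly as the client settings above) and refuses anything but a certificate-verified TLS connection. The username and password are placeholders; that ZNC reads a ':' in PASS as a user:password separator is an assumption noted in the code.

```python
import socket
import ssl

# Bouncer details as given above; "dyne" is the dyne.org network name in ZNC.
ZNC_HOST = "znc.dyne.org"
ZNC_PORT = 30001
ZNC_NETWORK = "dyne"

def znc_login_lines(user: str, password: str, network: str = ZNC_NETWORK):
    """IRC registration for ZNC: the server username is 'user/network' and
    PASS carries the ZNC password, mirroring the client configuration."""
    # Assumption: ZNC treats ':' in PASS as a user:password separator, so a
    # password containing ':' would be mis-split; refuse it rather than guess.
    if "/" in user or ":" in password:
        raise ValueError("user must not contain '/', password must not contain ':'")
    return [
        f"PASS {password}",
        f"NICK {user}",
        f"USER {user}/{network} 0 * :{user}",
    ]

def tls_context() -> ssl.SSLContext:
    """The bouncer refuses plaintext, and a TLS session that skips certificate
    checks would still hand the password to a man in the middle: require both."""
    ctx = ssl.create_default_context()  # verifies the chain against system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def connect_znc(user: str, password: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a verified TLS connection, register with the bouncer and return the
    socket; the caller then reads the playback, answers PINGs and joins #dyne."""
    raw = socket.create_connection((ZNC_HOST, ZNC_PORT), timeout=timeout)
    tls = tls_context().wrap_socket(raw, server_hostname=ZNC_HOST)
    for line in znc_login_lines(user, password):
        tls.sendall((line + "\r\n").encode("utf-8"))
    return tls

if __name__ == "__main__":
    # Placeholders: replace with your own ZNC account before connecting.
    sock = connect_znc("yourusername", "your-znc-password")
    print(sock.recv(4096).decode("utf-8", "replace"))
```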

JABBER ON LINUX

IRC ON ANDROID
  • AndChat (Play Store; find the apk if you are not using the Play Store. The app is worth it)

Open the app: https://moo.projectarch.tk/gqhsvp.png
Add a server: https://moo.projectarch.tk/ilwdus.png https://moo.projectarch.tk/ulwgdz.png
Set up authentication: https://moo.projectarch.tk/vwcwik.png
Save & Connect!

IMPORTANT NOTES: AndChat allows you to encrypt all your configs and logs. Choose a strong password!

JABBER ON ANDROID
  • ChatSecure (thx sn0wcrash ;)

Open the app, swipe right: https://moo.projectarch.tk/abjdzy.png
Set up credentials: https://moo.projectarch.tk/qjopxw.png
Advanced settings: https://moo.projectarch.tk/hbhezw.png
Sign in!

IMPORTANT FOR ANDROID PHONES: encrypt your stuff, ESPECIALLY if you have a rooted phone.

IRC ON MAC

JABBER ON MAC

  • pidgin
  • adium (thx fredd ;)
  • also facetime works with jabber if I am not wrong; I'll check, please do too :)

See what we can also use with iPhones.

I don't have much experience with Mac. I can do well if I'm in front of the computer, but remotely, without seeing what's going on, I'm not quite good with Mac OS X. If you need any help with Mac, please find me AFK or at least provide screenshots.

Ivan aka. parazyd parazyd@dyne.org