opsanon77

Compartmentalisation

May 3rd, 2023
>Welcome back to the /XMR/ general's weekly opsec discussion!
This week we are going to cover the concept of identity compartmentalization. This topic came by request of one of our fellow Monerochads, and while it is a tougher one to cover, especially in short form, it is an extremely important topic for everyone from noob to DNM administrator. As always, thank you for reading and please share your thoughts on the topic and suggestions for future articles!

>Previous weeks' discussions
PGP - pastebin.com/K5uK4vvg
File Verification - pastebin.com/64jdYSua
Compartmentalization - pastebin.com/N88NA8Jy
>OpsAnon's public key
pastebin.com/kiEVscyb

>What does compartmentalization mean?

Compartmentalization of our identities and activity online is the process by which we segregate our online personas and activities. In basic terms, this means that for each activity, community, or purpose we communicate for online, we aim to have zero overlapping information, and avoid "self-snitching" or accidentally doxxing ourselves.

>Why is compartmentalizing important?

We can think about compartmentalization of our online activities much like a ship. Modern ships are built from many watertight compartments, so if the ship suffers a hole in its hull, the ingress of water can be contained to just one or a few of those compartments. This prevents mass flooding and losing the entire ship to Davy Jones' locker. Compartmentalizing our online identities works in the same fashion. By segregating our activities, their associated identities and our IRL identity, we prevent a hostile actor from linking them all together to get a better picture of our online activities, or even from uncovering our IRL identity and sensitive accounts.

-newpost-

>What does a failure in compartmentalization look like?

Here we have a couple of articles that clearly demonstrate the consequences of failure in a high threat model scenario. You will notice that these failures did not occur due to any technical issue, or as a result of some NSA L337 H4xX0r... These are high profile people failing in very simple ways, and more often than not, it is these simple mistakes that are the issue.
https://www.ivpn.net/privacy-guides/online-privacy-through-opsec-and-compartmentalization-part-2/
https://darknetlive.com/post/empire-market-vendor-chlnsaint-pleads-guilty-d8eb422b
https://darknetlive.com/post/counterfeit-oxycodone-vendor-kingofkeys-imprisoned-722a1617
The biggest takeaway we can get from this is: for god's sake, do not link your personal email, especially one that is your own damn name, to any sensitive activities. That sounds like a no-brainer, but as we just read, stupid mistakes happen even to those who should have known better.

>Where do we start?

The first step in any opsec endeavour is to assess our threat model, and in this case that starts with getting a bird's-eye view of all our various accounts and identities. A good place to start is by creating a list of the communities/accounts we have created, breaking them down into categories or "tiers": Public - Sensitive - Secret. Which of these accounts are you okay with, or need, being associated with your IRL identity? Which ones do you want to be pseudo-anonymous, but used across multiple communities/activities? Which ones do you want kept absolutely separate from your IRL identity and from any other community/activity you partake in? By doing this we create an overview of the topography of our online activities and which of them are already linked.
The next step is to assess the threat model itself. Before we can start hardening our defences, we need to have some idea of what kind of adversary is going to be at our gates.

-newpost-

>Where do we start? (cont'd)

If you're a normal everyday user and are not concerned about LE or Gov, your threat model is vastly different from that of a DNM vendor or a dissident of an oppressive regime. While the lowest threat models would also benefit from taking the most extreme measures, it is a daunting task, and many users would simply give up under the burden of all the extra steps and learning required. We don't want the pursuit of perfection to become the adversary of achieving the basics. Consider your activities and what the consequences of a breach of your opsec might look like. If you're thinking it would not be the end of the world, you may have a lax threat model. On the other hand, if a breach would result in your imprisonment, loss of life or other serious ramifications, you have a high threat model and you need to tailor your practices to meet that threat assessment.
Now that we know what we're protecting, and the degree of scrutiny that needs to be applied, we can begin exploring how we implement the process.

>Segregation

There is a wide array of items that we need to segregate in this process, so let's have a quick look at some of the most important/common ones:
-Username
-Email address
-PGP keys
-IP address
-Method of access (Tor, I2P)
-Device used
-Writing style/slang
-Cryptocurrency wallet addresses (pseudo-anonymous currencies)
Segregation requires us to focus not only on the information we use to create the accounts, but also on the content we post. If you follow the process in great detail, but then post a BTC address that is linked to your name, or a PGP key that is associated with your DN persona, you have undone that hard work and linked those accounts.

-newpost-

>Compartmentalization in action

So far we have talked about what bad practices look like, the types of information that should be segregated and how to get an overview of our digital footprint, but let's see what a simple use case scenario looks like.
In this case we have Anon A, a user who has social media accounts, an online banking account and frequents Dread and a DNM. In this scenario we could break the accounts down into two of the three tiers, public and secret, with Anon's social media accounts being public and his Dread, DNM and banking accounts being secret.
As you can see in picrel, the social media accounts could be linked together, which in this case is by design, but could be further segregated as required by your threat model. In the secret category, we see that all usernames and emails are different, with Tor activities happening on a hardened laptop (preferably utilizing an amnesic OS like Tails, or a fully encrypted machine running a privacy oriented OS). Another item not mentioned in my infographic is the use of VPNs: while often overrated as a privacy tool, a trusted VPN can be useful when accessing accounts, especially banking, while on public wifi where a MITM attack could be a concern.

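The tiering exercise from "Where do we start?", the segregation list and the Anon A scenario above can be turned into a mechanical self-check. The script below is an added example written for this page; it is not part of the original post and not a tool OpsAnon describes. It takes a constructed account inventory (fictional account names, example.com/example.org/example.net addresses, a made-up PGP fingerprint and a documentation-range IP standing in for a home connection), finds every attribute value reused across accounts, and grades each overlap by the tiers it spans using the tier definitions given earlier: a secret account must share nothing with any other account, a sensitive (pseudo-anonymous) persona may be reused among sensitive accounts but should not touch the public/IRL tier, and public accounts linking to each other is by design. Writing style is left out of the check because no dictionary lookup can catch it.

```python
"""Self-audit of an account inventory for compartmentalisation failures.

Added example, not from the original post.  Each account carries a tier
(public / sensitive / secret) and the identifying attributes it was
registered or used with.  The audit finds every attribute value shared by
two or more accounts and grades the overlap by the tiers involved.
Writing style/slang is deliberately omitted: it is a real linkage vector
but not something a lookup can check.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

TIERS = ("public", "sensitive", "secret")

# Attribute kinds taken from the article's segregation list.
LINKABLE = ("username", "email", "pgp_fingerprint", "ip", "access_method", "device", "wallet")


@dataclass
class Account:
    name: str
    tier: str
    attrs: Dict[str, str]

    def __post_init__(self) -> None:
        if self.tier not in TIERS:
            raise ValueError(f"{self.name}: unknown tier {self.tier!r}")
        unknown = set(self.attrs) - set(LINKABLE)
        if unknown:
            raise ValueError(f"{self.name}: unknown attribute kinds {sorted(unknown)}")


@dataclass
class Finding:
    severity: str        # critical / warning / by_design
    kind: str            # which attribute kind is shared
    value: str           # the shared (normalised) value
    accounts: List[str]  # accounts that share it
    tiers: List[str]     # tiers those accounts belong to


def normalise(kind: str, value: str) -> str:
    """Canonicalise values so trivial case/spacing differences do not hide a reuse."""
    value = value.strip()
    if kind in ("email", "username"):
        value = value.lower()
    if kind == "pgp_fingerprint":
        value = value.replace(" ", "").upper()
    return value


def severity(tiers: set) -> str:
    """Grade a shared attribute by the tiers it spans (article's tier rules)."""
    if "secret" in tiers:          # secret must be separate from everything, including other secrets
        return "critical"
    if tiers == {"public", "sensitive"}:  # pseudonymous persona tied to the IRL tier
        return "warning"
    return "by_design"             # reuse within public, or within sensitive


def audit(accounts: List[Account]) -> List[Finding]:
    """Return one Finding per attribute value shared by 2+ accounts, most severe first."""
    index: Dict[tuple, set] = defaultdict(set)
    tier_of = {a.name: a.tier for a in accounts}
    for acct in accounts:
        for kind, value in acct.attrs.items():
            if value:
                index[(kind, normalise(kind, value))].add(acct.name)

    findings = []
    for (kind, value), names in index.items():
        if len(names) < 2:
            continue
        tiers = {tier_of[n] for n in names}
        findings.append(Finding(severity(tiers), kind, value, sorted(names), sorted(tiers)))
    order = {"critical": 0, "warning": 1, "by_design": 2}
    findings.sort(key=lambda f: (order[f.severity], f.kind, f.value))
    return findings


# Constructed inventory loosely modelled on the Anon A scenario: two public social
# accounts, one pseudonymous hobby account, and two secret-tier accounts (banking
# and a Tor-accessed forum).  All values are fictional; 203.0.113.7 is a
# documentation-range address standing in for a home IP.
SAMPLE_INVENTORY = [
    Account("twitter", "public", {"username": "JaneDoe", "email": "jane.doe@example.com", "device": "phone", "ip": "203.0.113.7"}),
    Account("instagram", "public", {"username": "janedoe", "email": "Jane.Doe@example.com", "device": "phone", "ip": "203.0.113.7"}),
    Account("reddit", "sensitive", {"username": "nullpointer", "email": "hobby@example.org", "device": "phone", "access_method": "clearnet"}),
    Account("bank", "secret", {"username": "jd1984", "email": "jane.doe@example.com", "device": "home_desktop", "ip": "203.0.113.7"}),
    Account("forum", "secret", {"username": "nullpointer", "email": "np@example.net",
                                "pgp_fingerprint": "0123456789ABCDEF0123456789ABCDEF01234567",  # fake fingerprint
                                "device": "tails_laptop", "access_method": "tor"}),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.kind}={f.value!r} shared by {', '.join(f.accounts)} (tiers: {', '.join(f.tiers)})")
```

Run against the constructed inventory, the report flags the personal email and home IP reused on the banking account and the username reused between the hobby account and the secret forum as critical, the shared phone between the public and pseudonymous accounts as a warning, and the shared social-media username as by design. To audit your own footprint, replace SAMPLE_INVENTORY with the list built during the tiering step; anything graded critical is a linkage the article's threat-model discussion says must be broken.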
-newpost-

>Tools

While this process is largely one that has to be implemented by the user themselves, there are some tools which can make it easier. The biggest issue is: how do we manage all these separate personas, their usernames, passwords and addresses? The one I will mention here is KeePassXC. This software allows us to store our digital identities, including usernames, passwords and email addresses, and features a notes section for any additional information. If you're thinking "doesn't this break our compartmentalization?", you're not wrong to some degree, but I believe the benefit outweighs the risk in most scenarios. The upside of using KeePassXC is that we can maintain many different "internet facing" identities in a single locally stored database which can be further encrypted for our protection. KeePassXC is open source software which does not feature any cloud storage of your database, which is important given the recent events with LastPass.
https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/
Find out more about KeePassXC
https://keepassxc.org/

>Conclusion

In this week's discussion we covered a very broad topic, and one that is arguably the most difficult to assess, monitor and rectify. Every user is going to have a significantly different "footprint", and because of that, their concerns, requirements and the steps taken will be different as well. I believe the important takeaway from this week is that we have to be constantly conscious of our personas online, protecting the ones we deem most important or sensitive by not linking them together, both in our conversations online and through the re-use of account information.

>Additional reading

https://www.ivpn.net/privacy-guides/online-privacy-through-opsec-and-compartmentalization-part-1
https://blog.securityevaluators.com/technical-anonymity-guide-658a53adff5b