Hacker OPSEC

STFU is the best policy.

Yardbird's Effective Usenet Tradecraft

Survival in an Extremely Adversarial Environment

If your secure communications platform isn’t being used by terrorists and pedophiles, you’re probably doing it wrong. – [REDACTED]

A few years ago a group of child pornographers was infiltrated by police who were able to monitor, interact, and aggressively investigate the members. Despite engaging in a 15 month undercover operation, only one in three of the pedophiles were successfully apprehended. The majority, including the now infamous leader Yardbird, escaped capture. The dismal success rate of the law enforcement officials was due entirely to the strict security rules followed by the group.

This post will examine those rules, the reasons for their success, and the problems the group faced which necessitated those rules.

(An examination of the group’s security from a slightly different perspective was conducted by Baal and is available here)

Covert Organizations, Seen One, Seen ‘em All

All covert organizations face a similar set of problems as they attempt to execute on their fundamental mission – to continue to exist. A covert organization in an adversarial environment faces a number of organizational challenges and constraints. Fundamentally how it handles trade-offs between operational security and efficiency mandates how group members perform their operational activities. Strong OPSEC means low efficiency, while high efficiency necessitates weak OPSEC. The strength of the oppositional forces dictate the minimum security requirements of the covert organization.

Examining the operational activities – those actions the organization must engage in to self perpetuate – allows us to evaluate their operational security decisions within their environmental context.

Operational Activities:

The Yardbird child abuse content group (hereafter also called the enterprise) had a number of core goals that had to be addressed to continue operation: they needed to distribute their child abuse content to members; communicate between members; raise funds to acquire new content; recruit new members (presumably for access to additional child abuse content).

Explicitly stated, this is an enumerated list of the operational activities that the group had to engage in to self perpetuate.

  1. Distribution of Child Abuse Content
  2. Communication and Coordinate Action
  3. Fund raising
  4. Recruitment and Vetting

Except for the first issue (strategically significant only to this group), these are pretty typical activities for a clandestine organization. Besides their defining operational activity, they need a communications channel, fund raising capability, and membership management processes.

Opposition Success: The Penetration

The law enforcement authorities caught a pedophile distribution child abuse content. He is a member of the Yardbird group and offers up complete access to the group, along with archival logs, in exchange for leniency.

All of the information about this group comes from the Castleman Affidavit, the Baal analysis, and some Baal follow ups.

A Frustrating Infiltration

The law enforcement authorities were about to completely penetrate the enterprise for a 15 month period from 2006-08-31 through 2007-12-15. During that time the group’s posted 400,000 images and 1,1000 videos. The enterprise had approximately 45 active members, although independent observers have claimed this is low with the real membership anywhere from 48 to 61.

The total number of arrests was 14, or somewhere around 1/3rd. A fully staffed, highly motivated, well trained adversarial force with complete penetration of a large complacent group was only about to achieve a one in three success rate. The majority of those successes were achieved due to group members being insufficiently cautious and violating the enterprise security rules. Obviously, these security rules are extremely resilient against adversarial assault.

The members who were caught were those who violated the security SOP of the group:

  • Accessing a newsgroup server without using Tor (e.g. VPN, or directly)
  • Revealing personal details about themselves
  • Contacting each other outside the group’s secure comms channel

Operational Activity: Distribution

The enterprise was careful to ensure that the location of the encrypted files containing child abuse images was a different newsgroup from the communications newsgroup. One possible reason is to unlink the obvious encrypted group discussion from the larger encrypted content posts. That is, they compartmented their commo from their file sharing. As an additional, although superfluous step, the enterprise would apparently alter the sequence number of the split binary uploads so that reassembly would be hampered. What this cumbersome step added beyond the existing PGP encryption is unclear (if your adversary can break PGP they can probably figure out the order some files).

Operational Activity: Communications

The enterprise would use the primary newsgroup, at the start of the investigation alt.anonymous.messages, to announce the location of a media cache for group members. The communications newsgroup is always reserved strictly for communications. The announcements regarding new downloads provided detailed instructions as to the location of the child abuse content, plus how to download, assemble and decrypt it.

The group used a single shared PGP key for all members. On the one hand, this would completely negate the security provided by PGP if the key falls into the wrong hands. It also limits the groups ability to expel a member who transgresses the rules and needs to be punished. On the other hand, the use of a shared key makes key management significantly easier which is a serious concern when you need to rekey every few months. Additionally, using only one key reduces the ability of the adversary to determine group size by examining the PGP packets. It also removes the potential for a group member to reuse a key that is linked to their real identity. See this excellent presentation for more details on those attacks.

Operational Activity: Recruitment

The enterprise expanded by allowing new members to join. There were clear guidelines, procedures and rules for expansion. First there was a background check to ensure that the prospective member was an established and active participant in the wider community of child abuse image traders. Then an existing member has to invite the prospect to the group. Finally, to demonstrate both their deep involvement in the activity and to prove they are not an undercover cop, they must pass a timed written test on the minutiae of various child abuse victims and media.

Vetting

  • Demonstrate active participation in the “trading scene”
  • Invited by existing member
  • Must exhibit deep domain specific knowledge via timed written test

Security Rules that Work

  • Never reveal true identity to another member of the group
  • Never communicate with another member of the group outside the usenet channel
  • Group membership remains strictly within the confines of the Internet
    • No member can positively identify another
  • Members do not reveal personally identifying information
  • Primary communications newsgroup is migrated regularly
    • If a member violates a security rule, e.g. fails to encrypt a message
    • Periodically to reduce chance of law enforcement discovery
  • On each newsgroup migration
    • Create new PGP key pair, unlinking from previous messages
    • Each member creates a new nickname
      • Nickname theme selected by Yardbird

Root of Success

The reason the majority of the group was able to avoid capture was in a small way due to the technology they were using (Tor), but primarily it was adherence to the security rules of the group. They had very good OPSEC and they followed it consistently. Fundamentally, they had complete compartmentation within the group – they did not reveal information to each other. The law enforcement authorities were able to get logs of all their communications traffic, plus logs of their IP addresses they used for posting. Everyone that used Tor (as per the recommendation of Yardbird) was anonymous at the IP layer. This protected them from a subpoena revealing their identity. As long as there was no additional information that they had revealed about themselves in their messages, they were secure against the opposition.

The use of PGP was essentially a No-OP in this case. It excluded the general public from accessing the content of the communications traffic (and the child abuse videos and images). It did not protect the traffic against analysis by the opposition (who had successfully infiltrated the group). The encryption was not a factor in their successful evasion. Rather, it was the content of the messages, controlled and dictated by the security rules, which protected their secrets.

Lessons Learned

Guarding secrets involves not sharing them. Encryption can only ever protect the content of a communique. Real security must start with the content itself, and then use encryption as an additional layer.

Note from the Editor

(Feel free to skip this part if you don’t think studying how child pornographers avoid capture is relevant)

When analyzing the activities of groups operating in an adversarial environment to learn what works, what doesn’t, and why, (unfortunately) the pool of covert organisations is somewhat limited: intelligence agencies; terrorist groups; hacker crews; narcos; insurgents; child pornographers… Few other groups face such a hostile operating environment that their security measures are really “tested”.

The group examined in this post had an incredibly effective set of security practices. They imposed strict compartmentation, regularly migrated identities and locations, required consistent Tor and PGP use, etc. They had legitimate punishments for people who transgressed the rules (expulsion) and they survived a massive investigation effort. Clearly, they were doing something right (actually a number of things). Just as clearly, they are reprehensible people who engage in activity that is immoral and unethical, by any measure. (Paying for child pornography to be produced is flat out wrong, regardless on where you stand on the spectrum of opinions regarding child porn laws).

The thing is, there are basically no nice people who provide case studies of OPSEC practices. Most are engaged in violence, serious drug trafficking (at the “kill people for interfering” level), theft and manipulation of human beings, etc. Thats the nature of the beast.

People with well funded, trained and motivated adversaries have the strongest incentives to practice the highest level of security. They’re the ones to learn from.