lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 25 May 2007 09:43:56 -0400
From: <auto294156@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: PHRACK 64: YOUTUBE IS THE ATTACK

              _                                                _
            _/B\_                                            _/W\_
            (* *)             Phrack #64 file 4              (* *)
            | - |                                            | - |
            |   |     The Revolution will be on YouTube      |   |
            |   |                                            |   |
            |   |                 By Gladio                  |   |
            |   |                                            |   |
            |   |              Gladio@...ack.org             |   |
            (____________________________________________________)


Forget everything you know about revolutions. It's all wrong.

Fighting a conventional war in an industrialized nation is suicide. 
Even
if you could field a military force capable of defeating the 
government
forces, the wreckage wouldn't be worth having. Think about mortar 
shells
landing in chemical plants. Massive toxic waste spills. Poisonous 
clouds
drifting with the winds. Fighting a war in your own backyard is just
plain stupid. Notice how the super-powers fight each other with 
proxy
wars in other countries.

Sure it might be fun to form a militia and go play army with your 
friends
in Idaho. Got some full-auto assault rifles?  Maybe even mortars, 
heavy
machine guns and some anti-aircraft guns?

Think they can take out an AC-130 lobbing artillery shells from 12 
miles
away? A flight of A-10s spitting depleted uranium shells the size 
of your
fist at a rate that makes the cannon sound like a redlined dirt 
bike? A
shooting war with a modern government is a shortcut to obliteration.

Most coups are accomplished (or thwarted) by skillful manipulation 
of
information. There have been a number of countries where tyrants 
(and
legitimate leaders) have been overthrown by very small groups using 
mass
communications effectively.

The typical method involves blocking all (or most) information 
sources
controlled by the government, and supplying an alternative that 
delivers
your message. Usually, you just announce the change in government, 
tell
everyone they are safe and impose a curfew for a short time to 
consolidate
your control. Announce that the country, the police and the 
military are
under your control, and keep repeating it. Saturate the airwaves 
with your
message, while preventing any contradictory messages from 
propagation.

Virtually all broadcast media use the telephone network to deliver 
content
from their studios to their transmitters.  Networks use satellites 
and
pstn to distribute content to local stations, which then use pstn to
deliver it to the transmitter site.

Hijacking these phone connections accomplishes both goals, of 
denying the
'official' media access, and putting your own message out.

In cases where you can't hijack the transmitters, dropping the pstn
will be effective. Police and military also use pstn to connect 
dispatch
centers with transmitter towers. Recently, many have installed 
wireless
(microwave) fallback systems.

Physically shutting down the pstn just prior to your broadcasts may 
be
very effective. This is most easily accomplished by physical damage 
to
the telco facilities, but there are also non-physical technical 
means to
do this on a broad scale.  Spelling them out here would only result 
in the
holes being closed, but if you have people with the skill set to do 
this,
it is preferable to physical means because you will have the 
advantage
of utilizing these communications resources as your plan progresses.


Leveraging the Internet

Most of the FUD produced about insurgence and the internet is 
focused on
"taking down" the internet. That's probably not the most effective 
use
of technical assets. An insurgency would benefit more from 
utilizing the
net. One use is mass communications. Get your message out to the 
masses
and recruit new members.

Another use is for communications within your group. This is where 
things
get sticky. Most governments have the ability to monitor and 
intercept
their citizen's internet traffic. The governments most deserving of
being overthrown are probably also the most effective at electronic
surveillance.

The gov will also infiltrate your group, so forums aren't going to
be the best means of communicating strategies and tactics. Forums 
can
be useful for broad discussions, such as mission statements, goals 
and
recruiting. Be wary of traffic analysis and sniffing. TOR can be 
useful,
particularly if your server is accessible only on TOR network.

Encryption is your best friend, but can also be your worst enemy. 
Keep
in mind that encryption only buys you time. A good, solid cipher 
will
not likely be read in real time by your opponent, but will 
eventually
be cracked. The important factor here is that it not be cracked 
until
it's too late to be useful.

A one time pad (OTP) is the best way to go. Generate random data and
write it to 2, and only 2, DVDs. Physically transport the DVDs to 
each
communications endpoint. Never let them out of your direct control. 
Do
not mail them. Do not send keys over ssh or ssl. Physically hand 
the DVD
to your counterpart on the other end. Never re-use a portion of the 
key.

Below is a good way to utilize your OTP:

Generate a good OTP (K), come up with a suspicious alternate message
(M), and knowing your secret text (P), you calculate (where "+" = 
mod
26 addition):

K' = M + K 
K'' = P + K 
C = K' + P

Lock up K'' in a safety deposit box, and hide k' in some other off
site, secure location. Keep C around with big "beware of Crypto 
systems"
signs. When the rubber hose is broken out, take at least 2 good 
lickings,
and then give up the key to the safety deposit box. They get K'',
and calculate

K'' + C = M

thus giving them the bogus message, and protecting your real text.


Operational Security

The classic "cellular" configuration is the most secure against
infiltration and compromise. A typical cell should have no more 
than 5-10
members. One leader, 2 members who each know how to contact one 
member
of an 'upstream' cell, and 2 members who each know how to contact 
one
member of a downstream cell. Nobody, including the leader, should 
know
how to contact more than one person outside of their own cell.

Never use your real name, and never use your organizational alias in
any other context.

Electronic communications between members should be kept to a
minimum. When it is necessary, it should only be conducted via the 
OTP
cipher. Preferably, these communications should consist of not much 
more
than arranging a physical meeting.  Meet at a pre-arranged place, 
and
then go to another, un-announced place where surveillance is 
difficult,
to discuss operational matters.

Do not carry a phone. Even a phone which is switched off can be
tracked, and most can be used to eavesdrop on discussions even when
powered down. Removing the battery is only marginally safer, because
tracking/listening gear can be built into the battery pack. If you 
find
yourself stuck with a phone during a meeting, remove the battery and
place both the phone and battery in a metal box and remove it from 
the
immediate area of conversation.

It never hurts to generate some bogus traffic. Gibberish, random 
data,
innocuous stories etc., all serve to generate noise in which to 
better
hide your real communications.

Steganography can be useful when combined with solid crypto. 
Encrypt and
stego small messages into something like a full length movie avi, 
and
distribute it to many people via a torrent. Only your intended 
recipient
will have the key to decrypt the stegged message. Be sure to stego 
some
purely random noise into other movies, and torrent them as well.

Hopefully you'll find this document useful as a starting point for
further discussion and refinement. It's not meant to be definitive, 
and
is surely not comprehensive. Feel free to copy, add, edit or change 
as
you see fit. Please do add more relative to your area(s) of 
expertise.

--
Click to get freedom from your annoying glasses. Save on LASIK surgery.
http://tagline.hushmail.com/fc/CAaCXv1RuqPFiCNGPfNWUZuSsrrmGaem/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ