http://blogsofwar.com/2013/11/11/interview-hacker-opsec-with-the-grugq/
By John Little
Blogs of War
November 11, 2013
The Grugq is a world-renowned information security researcher with 15
years of industry experience. Grugq started his career at a Fortune 100
company, before transitioning to @stake, where he was forced to resign for
publishing a Phrack article on anti-forensics. Since then the Grugq has
presented on anti-forensics at dozens of international security
conferences, as well as talks on numerous other security topics. As an
independent information security consultant the Grugq has performed
engagements for a wide range of customers, from startups to enterprises
and the public sector. He has worked as a professional penetration tester,
a developer, and a full-time security researcher. The Grugq's research has
always been heavily biased towards counterintelligence aspects of
information security. His research has been referenced in books, papers,
magazines, and newspapers. Currently an independent researcher, the grugq
is actively engaged in exploring the intersection of traditional
tradecraft and the hacker skillset, learning the techniques that covert
organisations use to operate clandestinely and applying them to the
Internet. You can follow him on Twitter at @thegrugq.
John Little: You blog and have given conference presentations on Hacker
OPSEC. You started doing this before the recent NSA revelations (and the
general hysteria surrounding intelligence collection) but you were already
warning hackers that states had superseded them as the internet's apex
predator. In just a couple of years we’ve moved from the seeming
invincibility of LulzSec, to high profile busts, and now onto serious
concerns being raised about every aspect of the internet's
architecture, security models, and tools. Rock solid OPSEC is a refuge but
maintaining it for long periods of time under significant pressure is very
difficult. The deck is obviously stacked against anyone trying to evade
state surveillance or prosecution so where do freedom fighters and those
with less noble intentions go from here?
The Grugq: You raise a number of interesting points. I'll ramble on about
them in a moment, but before that I’d like to clarify for your readers a
bit about where I am coming from. Firstly, I am not a "privacy advocate",
I am an information security researcher. My career in information security
has been mostly focused around denial and deception at the technical
level.
Recently, however, I became aware that this "fetishizing the technology"
approach is simply not effective in the real world. So I turned to
studying clandestine skills used in espionage and by illicit groups, such
as narcotics cartels and terrorist groups. The tradecraft of these
clandestine organizations is what I am trying to extract, inject with
hacker growth hormone, and then teach to those who need real security:
journalists; executives traveling to adversarial environments; silly kids
making stupid life altering mistakes, etc.
The media has actually expressed a lot of interest in improving their
security posture, and I am engaged in helping some journalists develop
good OPSEC habits. Or at least, learn what those habits would be, so they
have some idea of what to aspire to. There is a strange intransigence with
some who reject improved security with the line: "but we're not criminals!
Why do we need this?" Well, the only answer I have is that OPSEC is
prophylactic, you might not need it now, but when you do, you can’t
activate it retroactively. As I phrased it in my "The Ten Hack
Commandments" -- be proactively paranoid, it doesn't work retroactively.
So, that's how I've arrived at hacker tradecraft, and where I'm trying to
take it. On to the issues you’ve raised about good OPSEC and living a
clandestine life.
[...]