All language subtitles for 016 Case Studies of OPSEC Failures-en

1
00:00:01,570 --> 00:00:09,120
Get some interesting case studies in OPSEC failures, then you'll find that these failures are indeed

2
00:00:09,210 --> 00:00:16,830
basic, and you'll observe that if you just get basic OPSEC right, as I've detailed here, you would be an

3
00:00:16,830 --> 00:00:24,400
advanced opponent to your adversary, who relies on basic OPSEC failures and easy targets.

4
00:00:24,450 --> 00:00:25,710
The criminal actions

5
00:00:25,710 --> 00:00:28,570
in these case studies are not condoned at all.

6
00:00:28,590 --> 00:00:35,970
They are here to demonstrate how OPSEC failures result in a breakdown of security, privacy and anonymity,

7
00:00:36,510 --> 00:00:40,430
which illustrates the point of how important OPSEC is.

8
00:00:40,440 --> 00:00:43,260
The first case study is LulzSec.

9
00:00:43,620 --> 00:00:50,070
Hector Monsegur, known as Sabu, normally connected to the LulzSec IRC channel via Tor.

10
00:00:50,070 --> 00:00:52,200
The FBI was monitoring the channel.

11
00:00:52,260 --> 00:00:56,760
On one occasion he logged in using his real IP address and that was it.

12
00:00:56,790 --> 00:00:57,720
Game over.

13
00:00:57,810 --> 00:01:01,110
After being caught he started to collaborate on this day.

14
00:01:01,170 --> 00:01:02,750
Was all that talk.

15
00:01:02,760 --> 00:01:10,470
Jeremy Hammond, another LulzSec member, and Hector spoke with each other on IRC. Hammond casually let slip

16
00:01:10,650 --> 00:01:16,830
he was on probation, where he had been arrested and other groups he was involved with. This narrowed down

17
00:01:16,830 --> 00:01:19,990
to a small number of possible suspects

18
00:01:20,010 --> 00:01:24,030
and allowed the FBI to get a court order to monitor his internet access.

19
00:01:24,030 --> 00:01:27,390
This is classic profiling. Hammond used Tor,

20
00:01:27,460 --> 00:01:31,890
which wasn't de-anonymized by the FBI because it wasn't even necessary.

21
00:01:31,890 --> 00:01:38,630
Old-fashioned police work is the most effective method, most often because of OPSEC failures.

22
00:01:38,790 --> 00:01:42,710
The FBI just correlated times the soap on the

23
00:01:42,870 --> 00:01:49,650
ID was talking to Sabu on IRC with when Hammond was at home using his computer.

24
00:01:49,650 --> 00:01:52,020
This is called a correlation attack.

25
00:01:52,020 --> 00:01:58,290
We talk more about counters to this later. LulzSec members talked about their operational activities

26
00:01:58,290 --> 00:01:58,440
.

27
00:01:58,440 --> 00:02:00,000
They use Tor.

28
00:02:00,030 --> 00:02:01,130
Apple laptops.

29
00:02:01,140 --> 00:02:03,600
They talked about which VPN they used.

30
00:02:03,600 --> 00:02:10,230
One member used stolen credit cards to buy used car parts and got them shipped to his own house.

31
00:02:10,230 --> 00:02:12,330
These are all basic mistakes.

32
00:02:12,390 --> 00:02:15,010
They failed to apply many of my OPSEC rules.

33
00:02:15,120 --> 00:02:16,790
They didn't keep their mouth shut.

34
00:02:16,830 --> 00:02:19,600
They trusted people who are working for the FBI.

35
00:02:19,620 --> 00:02:21,920
They contaminated their identities.

36
00:02:21,960 --> 00:02:27,330
They allowed themselves to be profiled by giving away personal information and didn't protect their

37
00:02:27,330 --> 00:02:33,030
main assets. LulzSec is no more. The next case study is Silk Road.

38
00:02:33,030 --> 00:02:35,400
This is based on what has been published.

39
00:02:35,400 --> 00:02:44,010
How true it all is is unknown. Ross William Ulbricht is the alleged Dread Pirate Roberts and operator of the

40
00:02:44,010 --> 00:02:52,110
original Silk Road. Silk Road had almost a million user accounts by July 2013 and is alleged to have processed

41
00:02:52,110 --> 00:02:55,600
1.2 billion in transactions over two years.

42
00:02:55,680 --> 00:02:57,930
Probably because of the drugs being sold,

43
00:02:57,960 --> 00:03:04,250
the FBI became very interested in who was running it and who was this Dread Pirate Roberts.

44
00:03:04,290 --> 00:03:08,290
The FBI started to look for references to Silk Road online.

45
00:03:08,310 --> 00:03:10,430
Simple Google searches.

46
00:03:10,530 --> 00:03:17,970
An account called altoid had posted jobs for Silk Road and related projects on the shroomery dot

47
00:03:18,000 --> 00:03:23,490
org forums. An account named altoid also made a post on Bitcoin

48
00:03:23,490 --> 00:03:31,020
Talk, all about looking for an IT pro in the Bitcoin community, and asked interested parties to contact

49
00:03:31,090 --> 00:03:38,430
rossulbricht at gmail dot com, thus tying his real identity to Silk Road. Then Ross Ulbricht's Gmail account

50
00:03:38,490 --> 00:03:46,380
also posted on Stack Overflow asking for help with PHP code to connect to a Tor hidden service. The

51
00:03:46,380 --> 00:03:52,380
username was later then changed to something called frosty. So this then connected him to hidden services.

52
00:03:52,680 --> 00:03:59,010
When he was caught by US Customs receiving 9 fake IDs, he allegedly told them

53
00:03:59,040 --> 00:04:04,110
anyone could have ordered them from Silk Road using Tor, and they hadn't even mentioned Silk Road or Tor

54
00:04:04,110 --> 00:04:04,890
to him.

55
00:04:04,890 --> 00:04:06,530
So this connected him to

56
00:04:06,540 --> 00:04:12,930
Silk Road again and to using Tor. The real IP address of the Silk Road servers was identified by the

57
00:04:12,930 --> 00:04:13,750
FBI.

58
00:04:13,860 --> 00:04:20,340
How this was done isn't known, but it could have been any number of ways, possibly by exploiting a vulnerability

59
00:04:20,340 --> 00:04:25,920
on the server and then forcing it to connect not using Tor. Once located,

60
00:04:25,920 --> 00:04:32,280
the FBI was able to get a copy of one of the servers. The server used an SSH public key that ended

61
00:04:32,280 --> 00:04:39,060
in frosty@frosty and had some of the same code posted on Stack Overflow.

62
00:04:39,060 --> 00:04:41,880
This is cryptographic attribution.

63
00:04:41,910 --> 00:04:48,270
The FBI located Ross at a library, observed him using the laptop at the same time as Dread Pirate Roberts

64
00:04:48,270 --> 00:04:54,640
was logged in and grabbed him while his laptop was not locked, so encryption wasn't protecting the data

65
00:04:54,650 --> 00:04:54,770
.

66
00:04:54,930 --> 00:05:00,240
And then allegedly more evidence was found in his laptop, including a full journal of his activities

67
00:05:00,240 --> 00:05:00,300
.

68
00:05:00,330 --> 00:05:04,290
And this seems so stupid that it's hard to even believe it is true.

69
00:05:04,290 --> 00:05:10,200
Personally I question these alleged happenings, but based on this information you can see a combination

70
00:05:10,260 --> 00:05:12,780
of basic OPSEC failures.

71
00:05:12,910 --> 00:05:16,260
He contaminated his real identity with Dread Pirate Roberts.

72
00:05:16,320 --> 00:05:18,580
So it was doomed from the moment he did that.

73
00:05:18,690 --> 00:05:24,210
He didn't keep his mouth shut and he blabbed about Silk Road and Tor without even being asked about

74
00:05:24,210 --> 00:05:24,750
them.

75
00:05:24,750 --> 00:05:30,410
It became far too interesting and a target to an extremely well-resourced adversary.

76
00:05:30,420 --> 00:05:36,120
He had no plans for the not leaving his laptop unencrypted when caught with evidence on it

77
00:05:36,120 --> 00:05:38,560
that should never have been there in the first instance.

78
00:05:38,640 --> 00:05:40,770
And the list of his failures goes on,

79
00:05:40,800 --> 00:05:42,760
if they are indeed true.

80
00:05:42,840 --> 00:05:44,780
Silk Road is no more.

81
00:05:45,060 --> 00:05:50,360
And the final case study is the Harvard bomb threat. A character called Eldo Kim

82
00:05:50,430 --> 00:05:52,760
wanted to get out of a final exam.

83
00:05:52,880 --> 00:05:59,040
So he's alleged to have made a bomb threat, and what we know about this case is, using the university

84
00:05:59,040 --> 00:06:00,930
network he connected to Tor,

85
00:06:00,960 --> 00:06:02,700
attempting to anonymize himself.

86
00:06:02,700 --> 00:06:09,420
He used a disposable email account from Guerrilla Mail dot com to send the bomb threat. The email received

87
00:06:09,420 --> 00:06:17,130
contained, as normal, an X-Originating-IP header indicating the IP address of the sender, which in this

88
00:06:17,130 --> 00:06:25,710
case would show the Tor exit node's IP address. All Tor exit nodes are publicly known, except bridges.

89
00:06:25,770 --> 00:06:30,180
So it is possible to know the email was sent via Tor.

90
00:06:30,180 --> 00:06:37,910
Basic policing would look at motives of the person sending in the bomb threat, so who would have motives

91
00:06:37,920 --> 00:06:38,140
.

92
00:06:38,220 --> 00:06:39,540
Students, of course.

93
00:06:39,630 --> 00:06:42,920
So the first obvious step is to look through the logs of

94
00:06:42,990 --> 00:06:49,140
the university network, see if any students were accessing Tor at the same time. Eldo was identified

95
00:06:49,140 --> 00:06:52,560
as using Tor at the same time as the e-mail was received.

96
00:06:52,560 --> 00:06:58,440
Again, this is called traffic correlation, and under questioning he confessed. Pretty basic errors: didn't

97
00:06:58,440 --> 00:07:04,180
keep his mouth shut, contaminated his identities by not maintaining compartmentalisation.

98
00:07:04,230 --> 00:07:08,070
He could have simply gone off site to a network that wasn't monitored.

99
00:07:08,130 --> 00:07:10,370
The people with good OPSEC you never hear about.

100
00:07:10,410 --> 00:07:12,390
There's no case studies on them.

101
00:07:12,510 --> 00:07:17,670
And finally, here's an interesting story of OPSEC failures of spies.

102
00:07:17,700 --> 00:07:21,550
If you want to check out that video, that's quite interesting.
