Month: February 2015

Some remarkably good OPSEC advice concerning computer use, for a 1996 non-computer book

For a book from 1996 that is not about computers, Running a Ring of Spies by Jefferson Mack has some relatively good OPSEC advice concerning the use of computers (pages 163-164):

The techniques of using computers as spy tools and protecting the integrity of the files are far beyond the scope of this book. Any intelligence agent intending to use a computer as part of an intelligence-collection operation should go through the following checklist:

  • Don’t save or store any documents you want to keep secret on the hard disk or a floppy disk with no encryption. Always work on plain text documents in RAM memory and encrypt before storing the information on disks.
  • Always use a total erase program when deleting any sensitive file from a hard or floppy disk that you or your spy controls.
  • Keep all sensitive information in encrypted format on floppy disks rather than the hard disk drive and have a hiding place for such disks that is located as far from the computer as is practical. Take the disks out of hiding only when working on them and return them to their hiding place immediately when you’re finished.
  • Most encryption systems sold on the market can be easily broken, including many that advertise they can’t be broken. Many of the encryption systems bundled with word processor software are not secure. Know what makes an encryption program trustworthy.
  • Even if you are sure you have the best encryption program available, double-encrypt everything, using two different systems.
  • If you are sending messages by modem, always use an encryption system based on the RSA analog and a public key code. Among the best of these programs is Pretty Good Privacy, which can be found on many computer bulletin boards for free.
  • Change passwords frequently. The great advantage of the RSA encryption system is that the public key passwords can be changed daily and given out in an open message.
  • Be aware that it is possible to read a computer screen from a distance of up to several hundred feet with equipment that can be put together in a garage. Always take steps to ensure your computer is isolated and electromagnetic emissions are minimized.

If you don’t understand what I’m talking about in any of the above points don’t put your trust in computers until you do. If you do understand what I am talking about, you will not only be able to use computers with some degree of confidence, but you will be able to quickly and easily steal computer data of the computers of most people using them.

Secure wiping, plain text in RAM, trusting software, public key cryptography, changing passwords often, TEMPEST: these are still key aspects 19 years after the book was published.

Further reading:

  • The OPSEC Process (1996, from U.S. DoD Joint Publication 3-54; explains the general OPSEC process. The suggestions made by Mack are measures that could be taken on the basis of this process, in Action 5. The DoD OPSEC process, too, is still relevant in 2015, but obviously the threats, vulnerabilities and measures have changed with technology.)

EOF