Author: mrkoot

Some remarkably good OPSEC advice concerning computer use, for a 1996 non-computer book

For a book from 1996 that is not about computers, Running a Ring of Spies by Jefferson Mack has some relatively good OPSEC advice concerning the use of computers (pages 163-164):

The techniques of using computers as spy tools and protecting the integrity of the files are far beyond the scope of this book. Any intelligence agent intending to use a computer as part of an intelligence-collection operation should go through the following checklist:

  • Don’t save or store any documents you want to keep secret on the hard disk or a floppy disk with no encryption. Always work on plain text documents in RAM memory and encrypt before storing the information on disks.
  • Always use a total erase program when deleting any sensitive file from a hard or floppy disk that you or your spy controls.
  • Keep all sensitive information in encrypted format on floppy disks rather than the hard disk drive and have a hiding place for such disks that is located as far from the computer as is practical. Take the disks out of hiding only when working on them and return them to their hiding place immediately when you’re finished.
  • Most encryption systems sold on the market can be easily broken, including many that advertise they can’t be broken. Many of the encryption systems bundled with word processor software are not secure. Know what makes an encryption program trustworthy.
  • Even if you are sure you have the best encryption program available, double-encrypt everything, using two different systems.
  • If you are sending messages by modem, always use an encryption system based on the RSA analog and a public key code. Among the best of these programs is Pretty Good Privacy, which can be found on many computer bulletin boards for free.
  • Change passwords frequently. The great advantage of the RSA encryption system is that the public key passwords can be changed daily and given out in an open message.
  • Be aware that it is possible to read a computer screen from a distance of up to several hundred feet with equipment that can be put together in a garage. Always take steps to ensure your computer is isolated and electromagnetic emissions are minimized.

If you don’t understand what I’m talking about in any of the above points, don’t put your trust in computers until you do. If you do understand what I am talking about, you will not only be able to use computers with some degree of confidence, but you will be able to quickly and easily steal computer data from the computers of most people using them.

Secure wiping, keeping plaintext only in RAM, knowing which encryption software to trust, public key cryptography, changing keys and passwords often, TEMPEST: all still key concerns 19 years after the book was published, even where the specifics (floppy disks, bulletin boards) have dated.

Further reading:

  • The OPSEC Process (1996, from U.S. DoD Joint Publication 3-54; explains the general OPSEC process. The suggestions made by Mack are measures that could be taken on the basis of this process, in Action 5. The DoD OPSEC process, too, is still relevant in 2015, but obviously the threats, vulnerabilities and measures have changed with technology.)

EOF

Translation of letter given by (now arrested) gunman to personnel at the Dutch national news (NOS) broadcasting building

UPDATE 2017-08-17: another incident occurred today at the NPO headquarters in Hilversum. A man took a hostage and was arrested after the hostage situation was resolved peacefully. He is said to be a confused man who speaks poor Dutch, and reportedly told police he wanted to speak to a (any?) CNN reporter. (CNN has no physical presence in Hilversum.)

UPDATE 2015-06-19: the Dutch Public Prosecution Service demands a four-year prison sentence for the hostage taker at the Netherlands Broadcasting Foundation (=NOS).

UPDATE 2015-01-29 23:56 UTC+1: turns out the attacker used a fake weapon. Suspect not known to police.

UPDATE 2015-01-29  23:14 UTC+1: BBC story: Gunman arrested at Dutch news broadcaster NOS.

UPDATE 2015-01-29 22:30 UTC+1: it is suggested the attacker is 19-year-old Tarik Z. from the town of Pijnacker, a first-year chemistry student at TU Delft, not listed among known jihadists; an NOS anchor is quoted as saying: “confused loner, student who lost parents [EDIT: last week], not a terror motive”.

UPDATE 2015-01-29 22:05 UTC+1: Attacker seems to suggest affiliation with a hacker collective, claims they were hired by intelligence services. Claims they have seen things that they want to bring to light. It is unclear whether there’s any truth to his claims. The building is now cleared.

A little before 20:00 UTC+1, when the eight o’clock national TV news starts broadcasting, a gunman [EDIT: allegedly Tarik Z. from the Dutch town of Pijnacker] entered the building of Dutch broadcasting organization NOS at the Media Park in Hilversum and demanded air time. He has been arrested, and nobody was hurt. Nothing was broadcast live, but the arrest was recorded by rolling cameras. A photo appeared on Twitter showing a letter the man handed to NOS reporter Martijn Bink. Here is a translation of that text (the second paragraph seems to be the text the gunman wanted the presenter to read out live on television):

When you read this, do not panic. Do not scream and do not warn your colleagues. Act as if nothing is happening. I am heavily armed. If you cooperate, nothing will happen to you. Be aware that I am not acting alone. There are five others and 98 hackers who are ready to carry out a cyber attack. Moreover, eight heavy explosives have been placed in this country that contain radioactive material. If you do not bring me to studio 8 to take over the live broadcast, we are necessitated to act. You do not want to be responsible for that, right? So bring me to studio 8 now, the NOS studio.

We have been taken hostage by heavily armed men [added in handwriting: in studio 8, Media Park Hilversum]. More of them are present in the rest of the country and they have 98 hackers ready to carry out a cyber attack. Also, eight heavy explosives have been placed throughout the country that contain radioactive material. They want to carry out a live broadcast to tell their story. From the outside it is monitored whether the broadcast can be viewed throughout the Netherlands. Their demands are therefore, among other things: 1. This building will not be assaulted. 2. The live broadcast will not be delayed, not interrupted for one second, and not edited. 3. To be clear, no information and no subtitles will be added to the live broadcast. If these demands are met, we will be released. I will repeat this. [repeat]

It is currently [Jan 29th 22:49 CET] unclear to what extent the statements are true or false, and even whether the gun was real or not.

A video fragment of the attack is available in which the gunman, after reportedly having identified himself as belonging to a hacker collective, says:

[…inaudible…] will be said, that are very great world affairs. We were, say, hired by intelligence services, and there we saw things that cast doubt on current society. We will now bring those things to light.

Allegedly, NOS personnel were forbidden, via an internal email, to tweet about the affair or to release information in any way.

Here is a copy of the video still of the gunman published at http://www.nu.nl/binnenland/3982448/gewapende-man-zendtijd-eist-opgepakt-in-nos-pand.html :

[image: video still of the gunman]

Here is a copy of the photo of the letter shown on Twitter (original source: https://twitter.com/IbHaarsma/status/560883916736065536 ; edited to be more readable and republished at https://twitter.com/FloortjeHVNL/status/560889377153642497/photo/1):

[image: photo of the letter]

EOF

Rooting a Moto E XT1021 phone from an OS X 10.9 system to install SnoopSnitch

UPDATE 2015-01-31: AIMSICD is an alternative to SnoopSnitch that does not require a Qualcomm baseband chipset (SnoopSnitch does; the Moto E’s MSM8210 is one such chipset).

Jacob Appelbaum (@ioerror) wrote instructions for modifying a Motorola Moto E phone to install SnoopSnitch and, notably, for removing the internal microphones and other sensors so the phone cannot be used as a remote bug (e.g. the mic being eavesdropped on while you are not calling). For fun, I bought the exact model Jacob mentions, a Moto E XT1021, at a Dutch Media Markt store for EUR 103.

The hardware modification is very simple and is clearly demonstrated through a series of photos on Jacob’s page. You need a regular phone Torx screwdriver (a dozen or so screws need to be removed) and something sharp to pry off both microphones; I used a paring knife. To state the obvious: removing the mics does not hide your call metadata or the contents of your phone calls. I left the other sensors untouched for now.

The software modification is slightly more involved. Perhaps of use to some, here are the steps it took to root the phone from an OS X 10.9 system and to install SnoopSnitch (if you find errors or omissions, please contact me and I will correct them). Your mileage may vary.

  1. Get the Android SDK and Motorola’s Moto E drivers for OS X:
  2. Enable USB debugging:
    • Turn on the phone. Go to the “Settings” screen, then to “About phone”. Touch “Build number” entry 7 times to get the “Developer options” menu item to appear under “Settings”. Go there and enable “USB debugging”. On connecting to a computer, a dialog will pop up asking whether to permit USB debugging from that computer: press “OK”.
  3. Unlock the bootloader:
    • Go to https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a , sign in, press “Next”.
    • Boot the phone into fastboot mode by pressing and holding power + volume down for a few seconds, then releasing. The phone should boot and show the following screen (note: at the top it lists the CPU as a Qualcomm MSM8210):
      [image: fastboot screen of the Moto E XT1021]
    • Connect the phone to the computer using the USB cable. The message “USB connected” will appear on the phone.
    • On the computer, run the following commands:
      $ cd $HOME/Library/Android/sdk/platform-tools/
      $ ./fastboot oem get_unlock_data
      ...
      (bootloader) [............ part1 ..........]
      (bootloader) [............ part2 ..........]
      (bootloader) [............ part3 ..........]
      (bootloader) [............ part4 ..........]
      (bootloader) [... part5 ...]
      OKAY [  0.257s]
      finished. total time: 0.257s
      $
    • Concatenate the five parts into one string (no spaces or line breaks), enter it in the input field “Can my device be unlocked?” on the Motorola website, and press “Agree”. You should receive an email containing an unlock code. Be aware that unlocking the bootloader voids the warranty and that the unlock itself wipes the phone’s user data.
    • Run:
      $ ./fastboot oem unlock [.....unlock code....]
      ...
      (bootloader) Unlock code = [.....unlock code....]
      (bootloader) Unlock completed! Wait to reboot
      $
  4. Root the phone:
    • Download SuperSU (credits to @ChainfireXDA) and the CWM recovery image (credits to members of the XDA-Developers Moto E forums), for instance from these direct-download mirrors (compare checksums against the original Chainfire/XDA releases before flashing anything obtained from a mirror):
      $ wget -O UPDATE-SuperSU-v2.45.zip https://cyberwar.nl/d/20150124_MotoE_UPDATE-SuperSU-v2.45_MIRROR.zip 
      [...] 
      $ wget -O cwm6.0.4.9_recovery.img https://cyberwar.nl/d/20150124_MotoE_cwm6.0.4.9_recovery_MIRROR.img 
      [...] 
      $
    • Connect the phone via USB, then copy SuperSU onto it as follows (don’t forget the trailing “/” in “/sdcard/”, or the copy fails):
      $ ./adb push UPDATE-SuperSU-v2.45.zip /sdcard/ 
      4043 KB/s (4016989 bytes in 0.970s)
      $
    • Disconnect the phone, put it in fastboot mode by pressing and holding power + volume down.
    • Flash the CWM recovery image as follows (note: after running this command, an error message appears on the phone that can be ignored: “Mismatched partition size (recovery)”):
      $ ./fastboot flash recovery cwm6.0.4.9_recovery.img
      target reported max download size of 299892736 bytes
      sending 'recovery' (8146 KB)...
      OKAY [  0.430s]
      writing 'recovery'...
      OKAY [  1.123s]
      finished. total time: 1.553s
      $
    • In the fastboot menu, press volume down to highlight “Recovery”, then volume up to select it. The phone boots into the recovery image you just flashed. Wait a few seconds until the “CWM-based Recovery” menu appears. This looks as follows:
      [image: CWM-based Recovery menu on the Moto E]
    • Press volume down to select “install zip”; then press power.
    • “choose zip from /sdcard” is already selected; press power.
    • Press volume down to select “0/”, press power, press volume down several times to select “UPDATE-SuperSU-v2.45.zip”, then press power.
    • Press volume down to select “Yes – Install UPDATE-SuperSU-v2.45.zip”, press power.
    • Select “+++++Go Back+++++”, press power.
    • “reboot system now” is selected; press power. When asked “Root access possibly lost. Fix?”, select “No” (default). Press power.
  5. Install SnoopSnitch:
    • Under “Settings”, “Security”, enable “Unknown sources” and disable “Verify apps” (else the phone keeps asking “Allow Google to regularly check device activity for security problems, and prevent or warn about potential harm?”). “Verify apps” can be re-enabled afterwards if you want Google’s app verification back.
    • Connect your phone to the internet (e.g. via WiFi), then open https://f-droid.org/ and tap “Download”.
    • Pull down the screen from the top and wait until the FDroid.apk download is complete. Scroll down, tap “Install”. When done, tap “Open”.
    • Press the magnifying glass, search for “SnoopSnitch”. Press “(+)” to install it. Grant it all the privileges it requests.
  6. DONE.
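Step 3 above asks you to join the five “(bootloader)” parts by hand before pasting them into Motorola’s portal. The shell snippet below, added here as an example and not code from the original post, from Jacob’s instructions or from Motorola, does that join and a plausibility check on the result. The sample fastboot output is constructed; the assumption that fastboot prints these lines on stderr (hence the `2>&1`), and the assumed character set of the unlock data (upper-case hex digits and “#”), are mine.

```shell
#!/bin/sh
# Added example, not code from the original post, ioerror's page or Motorola.
# Joins the "(bootloader)" lines printed by `./fastboot oem get_unlock_data`
# into the single string Motorola's unlock portal asks for, then checks that
# the result is plausible before you paste it.
#
# Assumptions: many fastboot versions print these lines on stderr, so feed it
# `2>&1`; the unlock data is assumed to contain only upper-case hex digits and
# '#' separators (character set is an assumption, not documented by Motorola).

# stdin: raw fastboot output; stdout: the parts concatenated on one line.
unlock_data_from_fastboot() {
    # keep only "(bootloader) ..." lines, strip that prefix, then drop every
    # CR/LF/space/tab so the parts join with no gaps
    sed -n 's/^(bootloader) //p' | tr -d ' \t\r\n'
    echo
}

# Return 0 if $1 looks like unlock data: non-empty, allowed characters only,
# and at least 32 characters long (real data is considerably longer).
looks_like_unlock_data() {
    case "$1" in
        ''|*[!0-9A-F#]*) return 1 ;;
    esac
    [ "${#1}" -ge 32 ]
}

# Constructed sample in the shape of real output. The parts are made up;
# real parts are longer and device-specific. Do not paste this into the portal.
SAMPLE_OUTPUT='...
(bootloader) 0A40040192024205#4C4D3556313230
(bootloader) 300037373300000000#BD00818A0A2B
(bootloader) 8EF37D4A2E4A3B8A7E0C2A9D7ED60000
(bootloader) 0000000000000000000000000000A1B2
(bootloader) C3D4
OKAY [  0.257s]
finished. total time: 0.257s'

# Real use:  ./fastboot oem get_unlock_data 2>&1 | unlock_data_from_fastboot
data=$(printf '%s\n' "$SAMPLE_OUTPUT" | unlock_data_from_fastboot)
if looks_like_unlock_data "$data"; then
    echo "unlock data: $data"
else
    echo "no usable unlock data in fastboot output" >&2
fi
```

If the check fails on real output, look at the raw fastboot text first: a locked-down or differently-versioned bootloader may answer with a FAILED line instead of the five parts, and a Windows-style CRLF in a pasted transcript is already handled by the `tr` call.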

EOF

EU Counter-Terrorism Coordinator seeks mandatory disclosure of encryption keys by EU internet companies & telcos

UPDATE 2015-07-01: Ars Technica reports: “The UK’s prime minister, David Cameron, has re-iterated that the UK government does not intend to “leave a safe space—a new means of communication—for terrorists to communicate with each other.” This confirms remarks he made earlier this year about encryption, when he said: “The question is are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: no, we must not.””

UPDATE 2015-01-30: the joint statement (.pdf) that followed the meeting does not contain any indication that mandatory disclosure of encryption keys was in fact discussed during the Jan 29/30 meeting. (Which does not imply it was not discussed.)

The EU Counter-Terrorism Coordinator (CTC) wrote input (.pdf, Jan 17) for preparation of the informal meeting of Justice and Home Affairs Ministers in Riga, Latvia on January 29th. On page 10 (of 14) the document addresses access to communication, and explicitly suggests discussing rules to oblige internet companies and telcos operating in the EU to disclose encryption keys:

f) Encryption/interception

Since the Snowden revelations, internet and telecommunications companies have started to use often de-centralized encryption which increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible. The Commission should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide under certain conditions as set out in the relevant national laws and in full compliance with fundamental rights access of the relevant national authorities to communications (i.e. share encryption keys).

This of course is not unlike the UK Prime Minister reportedly (Jan 13, BBC) stating that there should be no “means of communication” that “we cannot read”; and a few days later, Barack Obama reportedly (Jan 16, WSJ) making statements of similar nature.

It is not clear why the EU CTC’s document mentions “often de-centralized” in the first sentence in the above quote, as “de-centralized encryption” in its usual meaning is not a problem that one would typically address by obliging internet companies and telcos to disclose keys.

We’ll learn more after January 29th.

Related:

EOF

MH17: Dutch Review Committee on Intel & Security Services to investigate role of AIVD and MIVD in decision-making around flight route safety

UPDATE 2015-01-06: news item by AP (preceding and unrelated to this blogpost).

On January 6th 2015, the Dutch Review Committee on the Intelligence & Security Services (CTIVD) announced (in Dutch) that it will carry out an investigation into the role of the Dutch intelligence & security services AIVD (general) and MIVD (military) in decision-making concerning flight route safety. This follows the MH17 disaster of July 2014. The remainder of this post consists of an unofficial translation of the CTIVD’s announcement.

Announcement of investigation into role of AIVD and MIVD in decision-making concerning flight route safety

In a letter of November 21st 2014, the Minister of the Interior and the Minister of Defense have requested the Dutch Review Committee on the Intelligence & Security Services (CTIVD) to investigate the role of the intelligence & security services AIVD and the MIVD in the decision-making concerning safety of flight routes. The Dutch Safety Board has requested the Ministers to commission the CTIVD to start an investigation.

The letter states that following the crash of Malaysia Airlines flight MH17 on July 17th 2014, the Dutch Safety Board is investigating, among other things, the decision-making concerning the establishment of flight routes. During this investigation, three research questions emerged concerning the AIVD and MIVD.

These research questions are:

  • What is the formal structure between the AIVD and MIVD and the parties relevant to aviation safety, such as airlines, air traffic control and the Ministries concerning information sharing on threats to safety?
  • What are the specific activities carried out by the AIVD and MIVD in exchanging information with parties relevant to aviation?
  • What information did the AIVD and MIVD have about the safety situation in Eastern Ukraine prior to the crash of the MH17, and to what extent did they share the information with parties relevant to aviation safety? What were the considerations to share, or not to share?

The CTIVD has decided to meet the Ministers’ request. Departing from the usual procedure under the Dutch Intelligence & Security Services Act of 2002 (Wiv2002), the CTIVD will report its findings directly to the Dutch Safety Board, as requested by the Ministers. In accordance with its method of investigation, the CTIVD aims to deliver its report in the spring of 2015. The Dutch Safety Board will publish its own findings together with those of the CTIVD.

This announcement accompanies a letter (.pdf, in Dutch) sent by the CTIVD to Parliament, and the letter (.pdf, in Dutch) sent by the Ministers to the CTIVD. Neither document contains information beyond what is presented in the above translation.

EOF