Profound Tradecraft Failure: Wohl v. Mueller

Manchild scammer extraordinaire @JacobAWohl has been the center of a vortex of public attention for the last day or so, but it isn’t working out quite as he had envisioned. The scheme as revealed thus far has involved:

  • A front agency, Surefire Intelligence, with a claimed global footprint, based entirely on virtual office spaces.
  • A staff, several of whom were depicted with stock photos of A-list celebrities, and only two of whom had any contacts.
  • A second front agency, Atrium Private Intelligence, with a domain registered after Surefire’s, apparently existing to provide depth to the legend for the first agency.
  • Domains registered by proxy, but configured with a web site construction kit that placed Wohl’s personal email in the SOA (Start Of Authority) record for the domain.
  • Google Voice phone numbers, one of which Wohl validated with a real number belonging to his mother.
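As an added example (not code from the original post or from Netwar System), this is the check a domain owner can run against their own zone to catch the SOA leak described in the list above: decode the RNAME mailbox and flag one that is a personal address rather than a role mailbox at the zone. The zone names, mailbox and SOA record below are constructed, and the role-mailbox list is an assumption.

```python
# Added example, not from the original post: decode a zone's SOA RNAME and flag
# personal identifiers in it. All sample values below are constructed.
ROLE_MAILBOXES = {"hostmaster", "dnsadmin", "postmaster", "noc", "dns", "admin"}

def rname_to_email(rname):
    """Decode an SOA RNAME (RFC 1035): the first unescaped dot stands for '@',
    and dots inside the local part are escaped as backslash-dot."""
    rname = rname.rstrip(".")
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character, keep literally
            local.append(rname[i + 1])
            i += 2
        elif ch == ".":                          # first bare dot is the '@'
            return "".join(local) + "@" + rname[i + 1:]
        else:
            local.append(ch)
            i += 1
    return "".join(local)                        # no dot at all: malformed

def soa_rname_exposure(zone, rname):
    """Heuristic findings for a zone's RNAME; an empty list means nothing stood out."""
    email = rname_to_email(rname)
    if "@" not in email:
        return ["malformed RNAME: " + rname]
    local, domain = email.rsplit("@", 1)
    zone, domain = zone.rstrip(".").lower(), domain.lower()
    findings = []
    if domain != zone and not domain.endswith("." + zone):
        findings.append("RNAME mailbox is outside the zone: " + email)
    if local.lower() not in ROLE_MAILBOXES:
        findings.append("RNAME is not a role mailbox: " + email)
    return findings

def audit_soa_line(line):
    """Audit one presentation-format SOA record (dig output or a zone-file line)."""
    fields = line.split()  # owner TTL class SOA MNAME RNAME serial refresh retry expire minimum
    try:
        rname = fields[fields.index("SOA") + 2]
    except (ValueError, IndexError):
        return ["unparseable SOA line: " + line]
    return soa_rname_exposure(fields[0], rname)

# Constructed sample: a front company's zone whose RNAME is a personal webmail address.
SAMPLE_SOA = ("frontco.example. 3600 IN SOA ns1.frontco.example. "
              "jane\\.doe.webmail.example. 2018103001 7200 3600 1209600 3600")

if __name__ == "__main__":
    print("\n".join(audit_soa_line(SAMPLE_SOA)))
```

Feed it the SOA line `dig +noall +answer SOA yourzone.example` prints for each domain you operate; a personal mailbox in the RNAME is visible to anyone who queries the zone.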

We are obviously publishing Analytical Tradecraft here, but Field Operations Tradecraft is another story entirely. One cannot learn to tease things apart without gaining some sense of what not to do, but providing the affirmative defenses is a step we are not willing to take, at least not in the open. When we address Adversary Resistant Computing and Adversary Resistant Networking, the aim is to keep you safe in your pursuits. You will notice there is no Adversary Resistant Hosting category.

That being said, the failures can be summarized as “youthful enthusiasm”. Hertz will not rent to anyone under twenty-five, our society’s firmest recognition that the neurological development that starts with the teen years doesn’t end at high school graduation. Whatever role Jack Burkman and Jim Hoft played in this scheme, the execution was left in the hands of a lad who won’t be able to drink legally for another six weeks.

The primary reason you are reading this site (we think) is not for our slick production quality or our mastery of algorithms. You are here because we have been there. We try to keep what we do simple, rugged, and recoverable, because we are used to having too few resources, too many tasks, and not nearly enough time.


Adversary Resistant Computing

The very first question asked when one begins to awaken to the hazards in the world today will be “How do I ensure my current phone and computer are safe?” Serious practitioners ask themselves this each day, when they first rise in the morning, and then again when they close their eyes to sleep.

We answer this simple question with a number of others, to sharpen thinking.

First, what hunts you?

Your answer(s) to this condition the required level of discipline, as there is a spectrum of threats:

  • Largely civilian OSINT practitioners, law abiding, usually lacking a budget.
  • Sanctioned civilian investigators, corporate security or private detectives, with some skills, some budget, and some degree of law enforcement support in their jurisdiction.
  • Cyber specific adversaries, specialty vendors with skills, tools, and the talent to properly pursue threats to their interests.
  • Violent action groups, able and willing to engage in extralegal activities, or operating in areas where there are no surviving authorities providing law and order.
  • Nation state actors, who have less talent and flexibility across the board than the other threats, but much larger budgets, and who bring a long term perspective.
  • Global intelligence players, such as the Five Eyes everywhere, China and Russia in their own territories, and the set of competent regional powers such as Iran or India.

Once you have a sense of your peak problem, and understand that it can and will employ the smaller fish, you have a starting point for understanding what is required.

Second, what role does your organization play?

If you are reading this you presumably fit into one of those six very general threat buckets we just named. Depending on the day, we fit into the first three, we might be working for the upper two, and we have been involved in the study of, but not direct conflict with, violent extralegal actors.

Third, what role do you yourself play?

If you are reading our internal documentation you’ll find that we partition people into three types of roles:

  • Actors – those who travel, who may interact with an observation target in some fashion, who face the risks of identification, device intrusion, device seizure, and so forth.
  • Collectors – typically passive observers whose intent is to go unnoticed, and who largely succeed. One of the strengths of our system is the ability to capture cognitive surplus and the free time of motivated observers, who may be equipped with as little as a prepaid Android device.
  • Directors – those who can assess risk and advise Actors, who have overall situational awareness for group activity, who guide and motivate Collectors.

Having considered this, you now understand some of what we are thinking when we answer that first query about device safety.

What to NOT do …

If “Microsoft Windows” is ever meant to be a serious answer, the original question was poorly phrased. We just don’t use it unless there is a specific need to look like a Windows user, with the implication being that one is actively nosing around an adversary and wants to blend into the background noise.

NSA employees are known to use Apple products and many of us favor them, for the smooth blend of consumer software and Unix security features. Others prefer Linux.

If you mentally edit every mention of “cell phone”, replacing it with “small, stupid computer, too trusted, and far too easily lost or seized and searched”, you’ll be on the right track. They are a fact of life, but so is the common cold during fall and winter, and you know the steps you should take to avoid that.

There are decent Android products, albeit ZTE, in the second tier of such devices for prepaid services such as GoPhone or TracFone. $25 to $50 will net you a device which you do not need to fund for cell service in order to start using it for some purposes. A slightly dated phone you have retired is also a good choice here.

Some Specific Recommendations

You should be familiar with a type two hypervisor. The solid free one is VirtualBox. The paid solution is VMware Workstation on Linux/Windows, or Fusion on the Mac. Apple owners should avoid Parallels – the price is attractive and it’s a smooth OSX native, but it is power hungry and its ability to work with other platforms ranges from poor to nonexistent.

TAILS Linux is a live CD distro that defaults to using the Tor network. We like this on small laptops, but hardware support is variable, and they dropped the 32 bit version some time ago. This software works well under both VirtualBox and VMware.

We like the idea of Whonix, a dual VM gateway/workstation environment that will run under VirtualBox. Prior to this existing we rolled a solution of our own in this area, and we still use it, because Tor is not always the right answer when it comes to Adversary Resistant Networking.

The pinnacle for adversary resistance is Qubes, a type one hypervisor based on CentOS that provides multiple exclusive security domains. This system has some very specific hardware requirements and even an experienced Linux administrator is going to face challenges using it.

A minimum comfortable desktop for this sort of work will have an i7 processor, 16 GB of RAM, and a solid state disk. Our group has several Dell M4600, which max out at 32 GB, which supports the latest Qubes, and which offer both a 2.5″ drive bay and an mSATA slot on the mainboard.

Leave Windows on the main drive if that is your current comfort zone, install VirtualBox to get started using a hypervisor, and a small mSATA drive will be fine for a Qubes or Linux transition. A well appointed machine can be had on Amazon for $500.



Puzzling Over Boundaries

Much like the breakdown of Westphalian Sovereignty in the face of a well connected, easily traversed world, we are pondering just where the boundaries are on what we publish.

Best practices advice regarding Adversary Resistant Computing and Networking is broadly available, but highly variable in quality, and often not conditioned by real world experience. Communications Security advice is even more uneven. We might be educating bad actors by openly publishing, but the good guys are under the gun, and no white hat from inception thinks the way those of us who wear faded gray do. We’re going to put this content out there and count on the nonstop situational awareness required to truly excel to keep a lid on proliferation.

We publish studies on various groups, which can educate them in their failings, if they take the time to read. This is also conditioned on situational awareness and with information operations in particular, characterization is sterilizing sunlight. We use OSINT methods and release collected data in a form that facilitates others using it, but at this time the collection methods and software we use are not freely available.

Analytical Tradecraft is a matter of good systems and the right mindset to get teams using it effectively. There are guides out there, the CIA’s Psychology of Intelligence Analysis being a well known example. There is no substitute for real world experience when it comes to Sanctioned Irregulars, and that is where we are strongest.

And Field Operations Tradecraft seems to be a bridge too far – we’re not in the business of teaching bad actors how to caper.

There you have it. @NetwarSystem provides a feed of posts here, from LinkedIn, and selected content from other sources. The contact page has advice on who is qualified as a customer and how to reach us. We look forward to hearing from those of you who truly need what we do.