Security through Obscurity

Are cops stupid? Seriously, why would anyone sign on to do such a horrible job, risking their
lives, for under $40K a year? And prison guards have a starting pay of less than $30K, so
there is a pay versus intellect algorithm at play there somewhere, but we’ll tackle that
another time. That being said, collectively, in a hive-mind sort of fashion, law enforcement
can be brilliant. When they win one with the hive-mind, it can be Hollywood blockbuster
material, often meaning lengthy sentences or death for the opposition. Less you think the
FBI has access to direct neural cloud-computing, I shall explain.

When I was 16 years old I was picked up for credit card fraud, or some such nonsense that
Law Enforcement didn’t truly understand yet. In actuality I had a Commodore 64 setup with
a 600 baud modem to call a credit card processor to authorize $1. 00 for random Credit Card
numbers, and to print out the ones it got right. Not really fraud, but they didn’t know what
to call it at the time. There in the Criminal Investigation Division of the Marshall, Texas,
City Police Department, Detective Mark Maranto gave me some information that shaped my whole
world. Keep in mind, this was a small town circa 1989 where the goal was to correct the path
of wayward youth, and not to profit from mass incarceration via Draconian methods as would
be employed today.

The detective said, and I am paraphrasing, “Faulkner, you are smarter than me, I can admit
that. I would even say that you are smarter than anyone in this building. I’ll give you that
too. But to be a successful criminal you have to be smarter than all of us, all the time,
and all of us that have ever done this job. It’s because, we take notes, we keep in touch,
and all the cops in the world share information about each and every crime they run across.
So to get away with anything you not only have to be smarter than all of the cops past and
present, but all the criminals too. Because when they get caught by random chance, misplaced
trust, or any number of reasons as to why their crimes may have come to light, then it’s
known to all of us. And in fact, most criminals don’t commit crimes that are never detected,
as most just plan to get the goods and be somewhere else by time the crime is noticed, so
most crimes come to light eventually either way. Now, do you really want to put that much
work into being a criminal? Is all that work really worth it?”

No, it wasn’t worth it. And I chose not to be a criminal in spite of the fact that I ended
up in prison shortly thereafter for a pipe bomb. We’ll call it “excessive recreation”. East
Texas didn’t offer a lot of leisure activities in the early 90’s, still doesn’t for that
matter. I wasn’t a terrorist, or trying to hurt anyone. I was just an impulsive teenager
momentarily fascinated with the thermodynamic properties of combustible materials, and stuck
in a pre-internet world of intense boredom.

The point is, cops took notes back then, and now it’s way beyond note taking. The damn “Case
Management Systems” used by Law Enforcement are algorithm and data driven platforms that
are approaching the nexus of Big Data and Machine Learning. For extremely well documented
cases like drug dealing, the cops can literally push a button and generate a full color
report on a drug conspiracy with enough data to get a warrant, and subsequently seat a grand
jury for indictments. That process is of course predominantly only used in the United
States, but it happens. The details of these systems are covered in “Big Data Small Targets”
(see the nonfiction section).

Meanwhile, nations are churning out new laws, and bad criminals are filling up databases
with new ways to get caught breaking those laws. To be a criminal in a Police State like
the US is a simple game of attrition. If you are selling drugs, you are competing against
an empire with a multi-billion dollar budget that does an expert job of fully controlling
illegal drug imports via multiple agencies, and a labyrinth of political deals with the
cartels. Today, if all illegal drug sales stopped, over 40% of the US economy would be
impacted. Check the FBI’ s Crime Statistics for their own opinion as to how much of the
economy is from crime, it’s staggering. And I know for a fact that the cartels do not send
their financial reports to the FBI, so the real numbers are likely higher.

Here’s some stats for you would-be drug dealers: If you are selling drugs in the US your
career is statistically likely to last under 3 ½ years, assuming you have no criminal history
yet, and that number shrinks each year. Statistically, the sentence you will get when you
get caught is 6 years for a first offense, and that number goes up every year. Now, if you
already have a felony, your name is going to be heavily weighted in law enforcement
databases, and you have less civil rights, so it’s even easier to get caught. In fact, your
career is statistically going to last less than 18 months, and the average sentence doubles
after the first offense. The only safe money in illegal drug sales is at the top, in the
boardrooms of the men who own and operate the cartels. As you might have guessed, those
millionaires in their Italian suits don’t spend a lot of time in the US, and thus have
little to fear from US Law Enforcement. In most cases, the logistics of drugs is just a
subsection of their investment portfolio. If you believe that the guys running the cartels
are the rural cowboys portrayed on TV then I have a bridge to sell you.

The US spends billions controlling the drug trade directly, and via the criminal justice
system. Modern Law Enforcement tools have GUIs that are as easy to use as the McDonald’s
point-of-sale system. You can’t beat 20 years of programmers working against you with
terabytes of data to work from. It’s statistically impossible. If you think you can beat
those odds you should probably play the lottery instead. If you really think you are smarter
than all of the talent in the industry, or that has ever been in the industry, then perhaps
you should use your intellectual super powers to cure cancer instead. Otherwise, you are
just gambling your freedom with bad odds, and little in the way of reward. That’s stupidity
by any other name. •

The key to successful criminal activity, intelligence operations, or whatever your goal is
when working against such a well funded and overwhelming opposition, is to get off the bell
curve. Without getting too deep into statistics and Gaussian Mathematics, the only way to
“win” is to hide your activities in the dark obscurity of statistics. You are less likely
to get run over on the road less traveled, true enough, but if you have to travel a road
at all, it needs to be in a statistically neutral Gray Honda Accord going the same way as
the flow of traffic. –

To give a specific example: the FBI works just like the cybercriminals. Hackers write
crimeware to target Windows OS machines because there are simply more of them, and there
are only so many versions of Windows in service at any given time. The FBI uses a product
called Encase for their forensic recovery work, and it works great on Windows, but it
doesn’t work well on all the many custom flavors of Linux. So here it pays to be a bit
obscure, but not to appear so. For example, if you are searching a target web server with
your browser, you’d want your browser’s User-Agent (passed in HTTP) to blend in with the
most popular Windows OS in the logs of the server. Obviously using a VPN or Proxy helps,
but changing your Linux User-Agent to appear to be a Windows OS will add a layer of
I could write books on the benefits of using Linux versus Windows, but the point in ‘this
case is that you are obscure, but do not appear so. This is a parameter of layered
security, which we’ll cover in more detail soon.

Another example of obscurity in action: we’ve used International Driver’s License for
years. These exist, and you can get one online via a copy of any driver’s license from any
state or country. They however do not have the ability to check with every jurisdiction
on the planet to verify what was sent to them wasn’t the product of a Photoshop template.
The World Service Authority passport works in similar fashion. It’s a great ID for use in
any situation where they have no idea what it is, but you can’t use it for banking, or
actual travel, at least not without some social engineering. And you’d be insane to try
to enter the US from abroad with such documents. However, a clerk in a Western Union office
no doubt has a nice book that describes all the counter-measures built into the driver’s
licenses of all 50 US states. It doesn’t cover International ID cards, or random Federal
Agency identification documents. Western Union would of course err in favor of security
and just tell you they can’t do business with you if they didn’t like your ID, but hotels,
car rental places, and any number of places that aren’t handing out money, would readily
allow you to use an obscure ID. When I was on the run in Mexico, I made a new Nevada
Driver’s License every day, and never used the same one twice. In Monterrey, Mexico, they
see Texas IDs all the time, but not so many Nevada. Besides, with a Las Vegas address, the
conversation jumps to “How’s Las Vegas…” and not to “hey, this hologram looks a lot like
Elvis … ”

If you are on a mission, and your life or freedom is at stake, it pays to have multiple
layers of ID, and to have a back story for everyone of them. That is a given, and yet
another topic for another time. There are no absolutes, but security through obscurity
should be a tool in your tool box. You need to know when to be obscure, and when to blend

Concerning the bigger picture, cybercrime requires knowledgeable opposition. The FBI has
damn few Computer Science graduates because they can’t pay them the $200K a year that Cisco
or Google can. So high-tech crime will always be a better risk/reward ratio than drug
dealing, bank robbery, or any of those “crimes of desperation” that seem to attract the
least educated of criminals. I will allow the caveat of sophisticated bank robbery though.
A friend of mine used his Bureau of Prisons Inmate ID card, all of which say “Department
of Justice” on them, as a “Federal ID” to con a bank manager into believing he was an FBI
agent. He used that tactic to rob a number of banks by conning the bank manager into a back
office, then showing them the gun, and thus getting to the vault without any alarms being
triggered. It didn’t always work out perfectly, but it was a much more solid plan than
dealing with a teller. The key here is that what most people do, is what the opposition
expects, and this represents the well guarded front door of every target, and it’s never
a good idea. Accordingly, downloading the latest plug-and-play crimeware doesn’t make you
very obscure for very long.

Meanwhile, the guy fuzzing up his own exploits, or using physical ops to access closed
networks; those guys can mint money. Do you think the FBI doesn’t have agents using tax
dollars to buy the same crimeware you can? You don’t really think they don’t cruise the
dark web for just that purpose, do you? There is no law that prevents them from setting
up shell companies, BitCoin accounts, or to prevent them from using Tor. They do it all.
Remember, they get to keep the money they seize within their department, and there budget
gets cut every year. It’s pure survival for them. And at some point they
may even have cause to reverse engineer some of those apps, and they may even release some
of their own. Remember this, optimism is never a sound security policy! Don’t bet your
freedom on optimism, that’s a fool’s errand. Also, if I wrote crimeware, I’d be a criminal,
and as a good criminal I’d have a copy of everything your installation picked up sent to
my servers as well. That hustle has been around since the first SubSeven Remote Access
Trojan, in which case the client for monitoring the target’s installation (the server)
actually was infected with the server app for a master version elsewhere. Confused yet?

In short: if you downloaded the client and server for the RAT, and installed the server
on your boss’s computer to monitor remotely, while you would be using the client to monitor
his machine, the clown that wrote the app would be monitoring your machine. So instead of
hunting for victims, the programmer had effectively subcontracted out the hunting to lesser
coders: he let the script kiddies do the work for him. Of course back then you could gimp
the DNS Host File in Windows and keep your client from calling home, and then use it for
its intended purpose. I’m of the opinion that the original coder knew some of us would
figure that out, but we’ll debate black hat ethics and philosophy later. The point is, the
best of the best write their own code, and never have to worry about back doors, or Law
Enforcement, acting as a man-in-the-middle of your remote access. If writing your own code
is too hard for you, maybe you aren’t cut out for the life of a cybercriminal. Perhaps you
should consider getting a real job. Because let me tell you, federal prison sucks, and
nothing sucks worse than knowing you aren’t in prison from a lack of skill, discipline,
or work ethic… but merely because some federal agent caught a lucky break.

At some point we’ll hit a nexus where script-kiddies using off the shelf crimeware will
be equally as likely to be the victims of attrition as drug dealers are today. But for the
moment at least, I do know quite a few millionaire script kiddies. Even though they aren’t
coders, and they aren’t particularly technical, these guys at least got good security
right, and made it work for them. That’s not safe, and in a way many of them have just been
lucky. One didn’t even know about port mirroring, or Wireshark, he actually thought the
FBI would have to show up in his traceroute to be able to monitor his traffic. Amazingly,
that guy is still on the street stealing identities and I’m in prison with infinitely more
education and skill… but life isn’t fair, is it?

The biggest myth in crime is that it’s easy money. Maybe it used to be, but now you are
competing against machines using Big Data, with endless dollars to keep them running 24/7.
And when I say “crime”, I mean anything deemed “illegal” by one government or another, be
that stealing identities in the US, or supporting an unpopular democracy somewhere else,
depending on your geography and disposition. We’ll debate the differences between patriots
and terrorist another time. Until then, remember to be obscure, but not appear so. That
at its root is at least the beginning of a sound operational policy. Beyond that there’s
tradecraft, operational security, social engineering, physical ops, and a world of black
hat fun and adventure… but it all starts and ends with doing what it takes not to get
caught. That’s job one. If you put the money first, then you are in a bad statistical
scenario that leads to all manner of bad decisions each of which increase entropy, raising
the statistical likelihood of getting vectored by law enforcement via attrition, or those
nasty algorithms. Either way, no amount of money in offshore accounts can make up for the•
loss of freedom. Trust me on this.

One thought on “Security through Obscurity

Leave a Reply

Your email address will not be published. Required fields are marked *