B3RN3D

Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.

Analyzing Trust and Secret Disclosure

OPSEC and relationships are often opposing forces. You’ve spent months perfecting your OPSEC for a campaign when your friend walks in and says “Ooh what’s that.” Or your significant other finds a file marked “Super juicy secret.” I do believe that humans are social beings no matter how hard we try. Even nerds that stay home will end up yearning for personal contact in some way. How do you determine if you should share a secret with another person and build a relationship with that person at the risk of compromising your campaign?

Look at the OPSEC measures that the members of LulzSec used. They all trusted each other and everyone knew other people’s names, and in some cases addresses. This relationship of trust ended up being their downfall.

Example

Let us start with a secret for the sake of discussion: I have a laptop riddled with Taylor Swift songs.

My OPSEC campaign includes that I’ve encrypted my laptop so that even with access, the songs would be difficult to find. I hide my laptop in a broom closet. The broom closet for some reason has a lock on it. But still there are days when I really want to listen to my favorite Swift jam and because I live with my mother, she catches me rocking out.

In this case, it’s straightforward. Your mother is the adversary, she can never know about Taylor Swift songs and you’ve likely done a better job at hiding.

But what about the situation where you are hanging out with a friend and notice that she is an avid Taylor Swift fan, and if you share this commonality with her, you might establish a deeper relationship?

The Three Disclosure Tactics

I’ve found that people handle this with one of three tactics when disclosing a secret:

  1. You decide that you can trust this person and privately disclose that you are a Taylor Swift fan.
  2. You drop hints that you may or may not know something about Taylor but you’re unwilling to disclose it outright to just anyone, and secretly hope that the other person will ask you about it.
  3. You don’t let on that you’re into TS at all.

These are stupid situations but these are how most people handle secrets.

Trusted Disclosure

Option 1, trusted disclosure, is where you analyze the relationship with the other person, look at the risk involved in disclosing, and the potential reward that exists if you do share. This is what some may call “normal” in terms of relationships. You decide that you will disclose a secret to a trusted person and expect that the trusted person does not use this information against you. If, for example, you know that the other party has worthwhile knowledge related to your secret, the reward may outweigh the risk that the disclosure is used to exploit you.

Plausibly Deniable Disclosure

In option 2, plausibly deniable disclosure, you hint that you might have a secret but you can still plausibly deny that the secret exists. There is less analysis of risk vs reward or analysis of the trust of the person, so you’ll often hear people leak this in public: “I might know something about X but I can’t tell you.” If you go to DEFCON, you will hear this just about every day.

This is the most common tactic among people who miss social contact or relationships and let their ego get in the way. This either means that the secret being kept is not that risky of a secret, or the person is not disciplined enough to follow OPSEC. In either case, it is frowned upon in terms of OPSEC.

Zero Knowledge

The last option is not a disclosure at all but maintains a zero-knowledge relationship going forward. In terms of OPSEC, you can consider this a firewall rule that blocks all by default. In this scenario you get no reward, no commonality in the relationship, and no benefit besides the fact that you can keep in your pocket that you have a secret, in-depth knowledge of a subject that may be of interest to the other person. Because remember, knowledge is power and knowledge of someone’s knowledge is a power you may not want to concede.

Be disciplined. Be in control. Make active decisions about your disclosures and your relationships.