There’s an amazing story about how the American actor Sean Penn accidentally gave away the location of El Chapo, the Mexican drug lord who had been on the run. The best part of the story is the OPSEC fails. I don’t want to duplicate the article, so go take a read if you want the full story. Let me summarize a few things though. From the information we’ve gleaned, here’s what he was doing for OPSEC:
- used “mirroring” to send messages
- sent messages via draft folders
- used a Blackberry Messenger, Blackphone, and burners
- allegedly was caught because he ordered too many tacos
The El Chapo story reminds you of the gangsters of old who were notoriously crooked, yet everyone couldn’t wait to see what they would do next. The gangster version of Kim Kardashian.
Enter the new OPSEC term, “mirroring”. At first, no one knew what this was, because it’s a made-up term for a simple OPSEC measure. It just means that communications were proxied through an intermediary who would receive the message and literally retype it by hand into another communication medium. The benefit is that when El Chapo received a message, it only ever came from a single person, which is hard to target as part of mass surveillance.
If we’re going to make up phrases, let’s start calling the use of the Drafts folder to send messages “drafting”. This is a now-famous way of communicating that Al Qaeda used years ago, and I’m sure others used it before them. They would communicate via Yahoo Mail by saving messages in the Drafts folder and then having the recipient log in and just read the draft.
It’s adorably ineffective today, but back then, in the ’90s, it was actually practical. The issue was that all SMTP communications were sent in the clear and US Government programs were literally reading every email sent, because they could. By not sending an email and just saving the message into the Drafts folder, there was no email to intercept, and you would simply have a dead drop.
Things have changed and we’ve moved beyond that, but the idea of the electronic dead drop is still alive.
The best story, if you want to believe it, is that the Mexican authorities ultimately caught El Chapo because the number of tacos purchased was more than it should be for a place that size. Thus, he was “Tacoed”.
Lessons in OPSEC
While some of these stories are unlikely to be true, like how El Chapo was tacoed, if you put yourself in some of their roles, I think we can learn something:
- Tacoed or not, it’s a real attack: You’re unlikely to get tacoed anytime soon, but if you believe you’re under surveillance, what can you do to keep your purchasing patterns looking legitimate? Buying nothing is a red flag, but buying 50 pairs of pants in 50 different sizes is another red flag. Make purchases based on the type of person you’re pretending to be. If you don’t want anyone to know that you’re there, maybe you shouldn’t purchase anything at all; just go and pick it up.
- Mirror, mirror: If you have the resources to hire a crew of people to help you, sure, go ahead and mirror. It really does offer a defense against targeted mass surveillance. But just remember that whoever was transcribing the messages was a trusted confidant of El Chapo.
- Let’s stop drafting: It was a good idea back in the day, but now it’s just a tribute. I’m all for finding interesting ways of doing electronic dead drops, like online forums, Craigslist, or blogs, but using a messaging system to save a draft is just silly. Find a medium that isn’t specifically targeted by law enforcement and use that as a dead drop.
- Burners still good (sometimes): We know that burners make it really hard for certain jurisdictions to track someone, because it takes a few days to get a warrant approved, but the NSA doesn’t have that problem. If you can afford it, do it, but that doesn’t mean it’s secure.
- Be careful talking to the OPSEC-less: I think the real story here is the difficulty El Chapo had in talking to Sean Penn. Penn says he didn’t know how to use computers and was given all the electronics to use, but it still required a ton of effort that he wasn’t willing to invest. You should never need to trust that the person you’re communicating with is adhering to an OPSEC plan. Your measures should ensure that if the other party is turned or caught, it doesn’t point back to you. Of course this is an ideal, but it’s something you should always be thinking about when deciding whether you might be burned or not.