POPSEC: Operational Security Lessons Learned from Archer

Please consider subscribing to my Patreon.

Sterling Archer is a well-known, widely loved secret agent whose methods are… unconventional. Despite having a background in covert and clandestine operations, he manages to fuck up on a pretty consistent basis, often with hilarious and disastrous results. Fortunately, the multitude of mistakes made by him and his cohort provide a wealth of learning opportunities for those of us who watch.

Lesson 1: Op First, Drinks After

Archer is notorious for his love of Glengoolie Blue Label… or literally anything else with an alcohol content greater than or equal to that found in NyQuil. While Sterling’s reputation for being a boozehound certainly sets the stage for some entertaining and hilariously catastrophic scenarios, the truth is that if you’re actually trying to keep secrets, and accomplish anything either covert or clandestine, you may actually want to skip the Scotch until it’s time to celebrate your success. Drinking can slow your reflexes, dull your situational awareness, and strip away your inhibitions in ways which may endanger you, your colleagues, and your operation. Additionally, even after your operation is complete, it is wise to remember that alcohol lowers inhibitions; drink in moderation so as to keep your wits about you when in mixed company.

Lesson 2: Cocaine is Probably a No?

I mean, do whatever you want, but if we’re being honest, cocaine basically never leads to good life choices, and that goes double when you actually have good reason to keep your mouth shut about literally anything. Additionally, if you’re trying to fly under any sort of radar, it’s generally a good call to avoid carrying anything super illegal which isn’t directly related to completing your task at hand. In fact, you may actually want to expand this general rule to also include illicit substances which are not cocaine, including but not limited to: opiates, amphetamines, and probably even weed, even if possession is legal in your state. While there are doubtless exceptions to this rule, in general it is probably best to stick to NoDoz and Jolt for your upper fix.

Lesson 3: Maybe Don’t Sleep with Fellow Operatives

Relationships are messy. Workplace relationships are about eleventy times messier than your normal level of messy, especially if at least one person in the relationship has had multiple workplace relationships. Ongoing relationships impact the judgement of those engaging in them, and catastrophic relationship-ending events can damage, if not outright destroy, the trust necessary for running a successful operation. It’s true that we spend a lot of time in close quarters with those with whom we collaborate, but there are enough fish in the sea that it’s probably worthwhile to turn our gaze outside of the goldfish bowl of our affinity groups or other organizational collectives.

Lesson 4: Brag Less

Yeah, okay, Burt Reynolds IS pretty cool, but that doesn’t mean you should brag to him about being recognizable because you’re “the world’s most dangerous spy.” In fact, you probably shouldn’t actually tell people you’re a secret agent. Or admit to it when asked. Or cop to it when accused. There are varying schools of thought on how best to go about denying your involvement in anything secretive, but general consensus is don’t discuss things outside of the very limited context needed in order to complete operations, and don’t give any indication that you’re up to anything remarkable or interesting. It’s important to note that lying is not most people’s strong suit, so employing tactics like misdirection instead of relying on outright falsehoods may be a more viable option, especially in the long term. When in doubt, speak at great length on a dull subject, then politely excuse yourself once your conversation partner’s eyes have safely glazed over from boredom.

Lesson 5: Leave Your Personal Shit at Home

While your personal issues may not be “parachuting into Russia under pretext of committing a political assassination to find out whether a high-ranking KGB operative is your father”-level bad, Archer’s profoundly poor decisions in this realm serve as an excellent reminder of how our personal issues can negatively impact both our safety and our odds of completing our objectives if we are unable to set them aside to focus on our work. We all have problems in our personal lives, but if you are unable to set them aside and focus on your projects, the responsible choice is to recuse yourself from your work until you are able to focus on it without allowing your distraction to put yourself, your peers, and your operation at risk.

Lesson 6: Take Briefings Seriously

While it may be tempting to zone out during briefings, or only skim over relevant documents and/or communiques, it’s important to remember that minutiae can be the deciding factors in whether or not a mission is successful. Pirate King Archer has a wonderful resource in Noah, but Sterling’s unwillingness to listen or learn proves his undoing. In fact, this is a recurrent theme throughout Archer’s misadventures: time after time, Sterling’s missions and his personal safety are compromised by his cavalier attitude towards obtaining and retaining relevant information. Never underestimate the value of preemptive research when undertaking something risky. It’s generally better to have unnecessary information than it is to suffer from a lack thereof: the more information you have, the better prepared you are if things don’t go according to plan.

Lesson 7: Don’t Be Distracted by a Pretty Face

While it may be tempting to allow yourself to be distracted by an attractive person, it is important to remember that at best, a pretty face is just that: a distraction. At worst, an attractive person may be an actual adversary using your sexuality to neutralize you, and lure you into divulging sensitive information. Mercedes Moreno falls in the middle when she uses her sex appeal to divert and neutralize Archer so her mother can continue sneaking people across the border into the US. There are cases where it is both possible and pragmatic to use these tactics to your advantage. Playing along may allow you to extract information from an adversary or to seed disinformation, but this tactic should never be undertaken lightly. Instead, it should be done deliberately and with every possible precaution in place, including an extraction plan for when the job is done and the faux relationship ceases to be useful to your aims.

Lesson 8: Don’t Reuse Aliases

Archer habitually reuses the same pseudonym, despite using different cover stories each time. While we never actually see this bite Sterling in the ass (except for when he’s called on it in meetings, and subsequently uses the name “Rando” instead of his usual “Randy”), it’s important to keep in mind that reusing a pseudonym can compromise your identity and your operation. If you’re going to use pseudonyms, it is best practice to use names which are both plausible and disposable, rather than reusing names, or using ostentatious handles. It’s unlikely that anyone will remember Emily Jones based solely on her name, but highly likely that people will take note of (and remember) Mariah Carey or Catherine Catastrophe. Retiring pseudonyms after use is still crucial: there is always a chance that people will remember even an unremarkable name, and it is wise to compartmentalize both the actions pertaining to an operation, and operations themselves, whenever possible.

Lesson 9: Never Trust Someone Offering You “Unhackable” Security

The first thing you should know is that, given an adversary with sufficient skill and resources, there is no such thing as “unhackable.” Since “unhackable” is an impossible objective to achieve, it stands to reason that at best, anyone claiming an “unhackable” service or product is a charlatan. At worst, they may actually be malicious, as shown in Cyril’s encounter with George Spelvin, a security contractor out to gain access to data on ISIS field operatives, and sell it to the highest bidder. A couple of related things to keep in mind are: don’t take security advice from people who don’t understand the threats you face, and don’t trust anyone offering easy security solutions. Proper security practices are going to offer defense in depth in order to avoid creating a single point of failure, and will necessarily be tailored to the assets you are trying to protect, and the adversaries you’re protecting against.

It’s true that Archer is full of countless operational security fails and just plain bad tradecraft, but Sterling does manage to correctly implement what may be the most important security measure of all: Archer’s affinity group is reliable. No matter how many times they fuck up, or fight among themselves, the coalition of secret agents formerly known as ISIS understands that solidarity means nobody gets left behind.

POPSEC: Security Lessons Learned from Harry Potter


There are a lot of security lessons we can learn by examining popular media, analyzing mistakes which are made, and striving not to repeat them. The Harry Potter series is rich with such lessons, and while the following contains all kinds of spoilers (for every one of the books/movies), it’s also full of important life lessons we can take away by scrutinizing the mishaps which take place in the Wizarding World.

Lesson 1: Don’t be Hagrid.

Hagrid is a lovable, gentle soul. This is all well and good, but if we’ve learned anything from the Harry Potter series, be it the books or the movies, it’s that Hagrid is a drunk, a braggart, and overly trusting. Each and every one of these traits leads to Hagrid divulging information that should really be kept private. Over and over again Hagrid slips up, from spilling secrets to hooded strangers in pubs who are actually the most evil wizard ever to live, to showing Madame Maxime his dragons. If loose lips sink ships, Hagrid is probably responsible for capsizing an entire fleet. Furthermore, as Jim MacLeod (@shewfig) points out, Hagrid also has a bad habit of sharing PARTIAL information, which has the result of endangering people who listen, as demonstrated when he tells Harry to “follow the spiders,” and almost gets Harry and Ron eaten by Aragog’s offspring when they take Hagrid’s advice.

Lesson 1A: Don’t tell Hagrid your secrets.

We all have a friend like Hagrid. We all love that friend. That friend is fiercely loyal, loving, and always knows how to lift our spirits when we’re down. We all NEED friends like Hagrid. But we also all know that our friend/Hagrid is terrible at keeping secrets, and so we should maybe protect ourselves (and keep our friend from being put in a position to unwittingly betray us) by finding other ways to demonstrate our trust in our friend. Because Hagrid is a ride-or-die kind of friend, and accidentally spilling the beans hurts him almost as much as it hurts us. Cheer up, Hagrid: you’re still great!

Lesson 2: Security through Obscurity doesn’t work as a standalone measure.

It’s tempting to think that keeping vulnerabilities secret is a fail-proof way to ensure that they’re never exploited. Unfortunately, while Security through Obscurity is great as an aspect of Defense in Depth, as a standalone measure it leaves one vulnerable to social engineering attacks, as in the case of Fluffy. Who could possibly know that a vicious three-headed dog is a sucker for harp music? Well, literally anyone who had ever come into contact with Hagrid. It is true, too, that given sufficient time and determination, someone could have figured out Fluffy’s weakness all on their own — and that keeping such things secret does make them harder to circumvent — but a combination of unpatched vulnerabilities and Hagrid’s inability to keep his mouth shut in the pub very nearly led to Lord Voldemort seizing the means to immortality.

Lesson 3: If you don’t know how it works, don’t trust it.

Remember that diary Ginny Weasley found that spoke to her? Remember how she confided her deepest, darkest secrets to it? REMEMBER HOW IT TURNED OUT TO BE AN ACTUAL MANIFESTATION OF HE WHO SHALL NOT BE NAMED? Arthur Weasley advised, “Never trust anything that can think for itself if you can’t see where it keeps its brain.” When talking about magic, this is perfectly sound advice. When talking about security in the real world, it’s probably wise to say you should never trust anything with your data if you don’t know how it intends to use it, and how it will store it. This also means you probably shouldn’t rely on tools if you don’t have at least a working understanding of how they function: you don’t need to know the particulars of how something is encrypted, but you should have a good idea of what a tool does and doesn’t do (and protect) before relying on it.

Lesson 4: Know your threats.

In order to protect yourself, you need to first correctly identify your threats. False negatives can leave you open to attack, while false positives can cause you to implement the wrong defenses, as well as cost you valuable resources and potential allies. Harry, Ron, and Hermione (and everyone else) spent an unreasonable amount of time trying to defend against Sirius Black, when it turned out that the man responsible for the deaths of Harry’s parents had been sleeping in Harry’s dorm room for years. The takeaway here is that fixating on a single threat can (and often will) distract you from where the real danger lies.

Lesson 5: Whitelisting > Blacklisting

Remember how the Goblet of Fire was bewitched to reject all entries not submitted by someone over a certain age? Remember how that didn’t matter, because an adult submitted Harry Potter’s name to the Goblet? Remember how that adult used a fake school that doesn’t even exist to ensure that Harry Potter’s name was chosen? Had the Goblet of Fire been enchanted to instead ONLY accept the names of actually eligible students, Cedric Diggory would probably still be alive today.
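The Goblet’s two possible enchantments side by side, as an added example (not part of the original post): the “denylist” version rejects only the one bad case it knows about (an underage submitter), while the “allowlist” version accepts nothing that isn’t on the roster of actually eligible champions. The roster, the submissions, and the “Fourth School” name are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Entry:
    """One slip of parchment dropped into the Goblet (constructed data model)."""
    name: str
    school: str
    submitter_age: int  # age of whoever physically submits the slip


MIN_AGE = 17

# Constructed roster of students who are actually eligible to compete.
# An allowlist names the known-good set explicitly.
ELIGIBLE: Set[Tuple[str, str]] = {
    ("Cedric Diggory", "Hogwarts"),
    ("Viktor Krum", "Durmstrang"),
    ("Fleur Delacour", "Beauxbatons"),
}


def denylist_policy(entry: Entry) -> bool:
    """The Goblet as enchanted in the book: reject the one bad case it knows
    about (an underage submitter) and accept everything else."""
    return entry.submitter_age >= MIN_AGE


def allowlist_policy(entry: Entry) -> bool:
    """Accept only entries the eligibility roster vouches for; anything else is
    rejected, whoever submitted it and whatever school is written on the slip."""
    return (entry.name, entry.school) in ELIGIBLE


def select_champions(entries: List[Entry], policy: Callable[[Entry], bool]) -> Dict[str, str]:
    """Apply the policy, then pick one champion per school from what survived.
    The real Goblet chooses at random; here the first accepted entry per school
    is taken so the outcome is deterministic."""
    champions: Dict[str, str] = {}
    for entry in entries:
        if policy(entry) and entry.school not in champions:
            champions[entry.school] = entry.name
    return champions


# Constructed submissions. The last one is the attack from the book: an adult
# submits an underage student under a school that does not exist, so the Goblet
# has to name him that school's only champion.
ENTRIES = [
    Entry("Cedric Diggory", "Hogwarts", 17),
    Entry("Viktor Krum", "Durmstrang", 18),
    Entry("Fleur Delacour", "Beauxbatons", 17),
    Entry("Harry Potter", "Fourth School", 35),
]

if __name__ == "__main__":
    print("denylist :", select_champions(ENTRIES, denylist_policy))
    print("allowlist:", select_champions(ENTRIES, allowlist_policy))
```

The denylist passes Harry’s slip because the adult submitter satisfies the only check there is, and the per-school selection then does exactly what the attacker wanted; the allowlist never has to know about fake schools or adult proxies, because it only asks whether this name at this school is on the list.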

Lesson 6: Getting owned once doesn’t have to be the end of the line.

Things look pretty bad for Harry when Voldemort transports him to a graveyard, has him surrounded by Death Eaters, and strips away Harry’s most powerful protection against his adversary… but it’s not the end of the line for Harry, and getting bested once by your adversary doesn’t need to be the end for you, either. If your security is, in fact, compromised, take a deep breath, and start doing damage control. In most cases, getting beaten isn’t a sign you’ve failed, so much as an indication that you need to try something different. Get creative, and keep plugging away.

Lesson 7: Your security doesn’t need to be perfect, it needs to be good enough.

When Harry and his friends are attacked by Death Eaters in the Department of Mysteries, it looks like it’s lights out for the temerarious teens. They’re outnumbered and clearly outclassed by their adult adversaries, and the only tools at their disposal are perfectly puerile compared to the malicious magical mastery of the Death Eaters. Yet, against all odds, Harry and his cohorts are able to fend off their fearsome foes and stay alive long enough for reinforcements to arrive. Expelliarmus and Reducto may not seem like much, but they’re sufficient to keep Harry and his friends in the game. It’s easy to fall into the habit of thinking that if your security isn’t perfect, it’s useless, but the fact is that your security only needs to be good enough to narrowly beat your adversaries… and in some cases, only for a little while. Worrying that your security isn’t perfect can cause you to fall prey to security nihilism… and falling prey to security nihilism can make it hard to recognize that some (if not all) of your practices are sufficient at least in the interim, and can also make it hard to identify what can reasonably be improved upon to harden your security a bit more.

Lesson 8: Know your sources.

Even though Harry should have learned his lesson about putting trust in the contents of sketchy books after the incident with Tom Riddle’s Diary, he makes a similar mistake in putting his trust in the notes left in the margins of his borrowed textbook by a person known only as the “Half Blood Prince.” This leads to a newfound success at potions making, but also leads Harry to try a rather heinous (if not altogether Unforgivable) curse on Draco Malfoy. Harry’s faith in this unverified source essentially results in a lot of bloodshed… and that’s an important lesson for us to learn. If we don’t know where our information is coming from, we can’t verify it… and if we trust in unverified information, the results may be dire. Uncritically reading state-sponsored propaganda (I’m looking at you, everyone who shares links to RT content), or trusting un-vetted privacy resources (remember Firechat? How about Telegram?), can leave people dangerously misinformed, and devastatingly vulnerable. To keep from falling prey to this classic blunder, make sure you know where your information (and your tools) are coming from, and verify it before you rely on it.

Lesson 9: Don’t fall victim to tunnel vision.

Remember how Harry and Dumbledore go to retrieve a horcrux together? And remember how much energy they put into retrieving that horcrux? And remember how in order to actually get it, Dumbledore has to drink A LITERAL VAT OF POISON? And remember how it turns out it’s not even a real horcrux? This is a classic example of falling prey to tunnel vision. The duo is so focused on retrieving this objective, they don’t stop to think that maybe they should focus their energy on tracking down the OTHER horcruxes as well before taking action. Now Dumbledore’s dead, there are still six horcruxes out there, and Harry has no idea how or where to find them.

Lesson 10: Know a person’s circumstances before you trust them.

Xenophilius Lovegood is a decent person. Sure, he rats out Harry, Ron, and Hermione to the Death Eaters, but that’s because the Death Eaters have kidnapped his daughter, are holding her hostage, and have threatened to kill her. Xenophilius doesn’t do anything any reasonable person in his situation wouldn’t do, and that’s why it’s important to know our allies’ situations before we rely on them. The lesson here is never trust someone if you don’t understand what they have to lose from supporting you, and what they stand to gain by betraying you. Does this mean you should never trust anyone with anything? Of course not. It just means you should never willingly put your life (or freedom) in anyone’s hands if you aren’t certain they’ll protect it as if it were their own.

Lesson 11: Never underestimate your adversary.

Neville Longbottom is kind of a hapless foil for Harry’s cavalier, clumsy heroism. Neither is terribly graceful, but Neville is nervous where Harry is bold, and Neville is risk-averse, while Harry repeatedly throws himself into dangerous situations without a second thought. Because we spend the entire series watching Neville fail pretty miserably at most things, it’s easy to see why Voldemort and the Death Eaters may not have taken Neville seriously as a threat… RIGHT UP UNTIL NEVILLE SLICES OFF NAGINI’S HEAD. Now, of course, nobody could have seen that coming. There is no way Voldemort could have predicted that Neville-effing-Longbottom would be responsible for the loss of one of his last surviving horcruxes… but his loss is our gain, because we can take away from this that with enough determination, even the clumsiest of our adversaries can cause us to have a very, very bad day.

Lesson 12: Don’t get lax when you think you’ve neutralized a threat.

Voldemort killed Harry in the Forbidden Forest. We all saw it happen. He used Avada Kedavra, the killing curse. There was a bright flash of green light, and Harry’s lifeless body sprawled out on the detritus of the forest floor. We even see Harry speaking with the absolutely-definitely-verifiably-dead Dumbledore in a sparklingly-clean train station in the sky… so where did Voldemort go wrong? There are actually a few different mistakes he made here. The first was not verifying *HIMSELF* that the threat-known-as-Harry had been truly neutralized. Instead, Voldemort asks Narcissa Malfoy to check that Harry is dead (violating Lesson 10 in the process… see? That one is important!) Naturally, Narcissa lies, because she cares way more about her own kid than she does about some creepy old bald guy with no nose and a weird obsession with teenage boys. Voldemort also makes the mistake of violating Lesson 11. He assumes that because Harry has been taken out of the picture, everyone else will just sort of flop over and let him conduct his evil reign of terror completely unchecked. Now, had Voldemort checked to ensure that Harry was dead himself (and maybe taken the extra step of rifling through his pockets), he’d have realized that Harry was very much alive, and in possession of the Resurrection Stone, and he probably would have behaved accordingly, rather than marching on as though he were frigging invincible. So what can we take from this? A) never assume that you’ve succeeded in neutralizing a threat. If you think you’ve eliminated a threat, verify it yourself, and B) just because you’ve taken out an adversary doesn’t mean there aren’t many others out there just waiting for you to show a little weakness so they can take you out in turn.

Now, I realize that, had the characters in the Harry Potter series not made all these mistakes, the stories would have been much less interesting, and might have had an entirely different outcome… That said, we can take a lot away from fictional blunders by imaginary people, and we can (and should!) always be on the lookout for ways that the characters in our favorite books and movies could have done things differently. (And yes, there will be future installments of POPsec, so stay tuned!)

Eternal gratitude to @deviantollam for his eyes and his notes on this piece.

Social Media Self-Defense




Recent events have raised conversation about the necessity for operational security in relation to social media. Discussions about how to maintain an online presence while protecting one’s private life and personal identity are cropping up in communities who had previously never felt the need to exercise operational security, and who had never considered the possibility of falling prey to compromised security and data breaches.

In the age of social media, there are a myriad ways our online presence may be used against us by a multitude of adversaries. From stalkers to prosecutors, any public information that can be attached to our identities may be used to their advantage and our detriment. It is important that we are mindful of the resources we make available to potential attackers.

In the interest of making practical operational security accessible to more people, I have composed a list of basic strategies for helping to mask the link between a social media account and one’s true identity. This list is by no means exhaustive, and it is important to keep in mind that an adversary with enough resources will likely be able to circumvent this obfuscation, given enough time. That said, it is nearly always worthwhile to make these connections more difficult, especially when they come at very little cost to us in terms of implementation.

1. Use a unique email address.
When attempting to mask connections between social media profiles, including dating sites, it is important to use a dedicated email address that does not relate back to other profiles, our legal name, or, ideally, any of our public associations. Using firstname.lastname@workplace.com is a bad idea; using randomcolor.randomnoun@gmail.com is a great idea. Creating new email addresses is easy, so there is no need to reuse one for accounts you’d like to keep separate.
Pro-tip: you can use a service like 10minutemail.net to generate a temporary email for creating a new Gmail account.

2. Choose a unique handle.
Do not re-use handles across platforms you’d like to keep separate. Do not use firstnamelastname69 for accounts you do not want to have connected to your legal identity. Pick something else. Anything else. It doesn’t matter.

3. Don’t use the same photos.
Do not use the same photos on profiles you’d like to keep separate. Reverse image search is a thing, and it will fuck your shit up. Ideally, you would not use images of your face at all on a profile you did not want tied to you, but if you must, make sure they can’t be linked back to your Twitter or Facebook accounts simply by using a quick drag-and-drop search.

4. Your tabs are YOUR business.
Give no indication that you’re using a site you don’t want people to know you’re using: if you’re trying to keep your private account private, make sure you’re not hinting at its existence by means of open tabs. Ensure you’re not being shoulder-surfed while interacting with that account, and never post screencaps that show tabs. EVER.

5. Scrub your browsing history.
Religiously. As with the above point, if you don’t want people to know you’re using a site or service, it’s best not to leave evidence around and available to the casual observer. Deleting your browsing history is easy. Using Chrome in incognito mode and closing your tabs after every session is even easier.

6. When possible, pay in cash.
When making purchases connected to your private persona, pay in cash. When cash isn’t possible, consider paying with a pre-paid card. Purchased with cash. You do not need bank statements or credit card statements establishing a link between you and places you never were, or sites you do not use.

7. Don’t use your legal name.
Pick a name. Any name. There is no need whatsoever for you to use your legal name on social media. You certainly CAN if you feel comfortable with it, but it is absolutely not mandatory. DO pick a name you will actually respond to, though.

8. If you want to keep a secret, KEEP QUIET.
Don’t talk about it. Don’t brag, don’t discuss it anonymously. Don’t tell your best friend, don’t tell your workmates, don’t tell that stranger at the bar. Just SHHHH. Stop talking.

9. Use strong passphrases.
“Password,” “Passw0rd,” “password123,” etc. are not good enough. Use strong unique passwords for each site or service. Better yet, use a password manager with a strong master password.
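What “not good enough” looks like to a checker, and what a password manager does for you, as an added example (not code from the original post): the weak-password check collapses the very passwords listed above to their base word before comparing, the passphrase generator draws words with a CSPRNG, and the last helper performs the reuse audit a password manager runs across sites. The common-base list, the 32-word list, and the site/password mapping are all constructed for the illustration; a real checker and a real diceware list are far larger.

```python
import math
import secrets
import string
from typing import Dict, List

# Constructed sample of commonly guessed base words. A real checker would use a
# large breach-derived list; the shape of the check is the point here.
COMMON_BASES = {"password", "letmein", "qwerty", "welcome", "iloveyou", "admin"}

# Leet substitutions that add no real strength, because crackers undo them first.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the base word a dictionary attack would try:
    lowercase, strip trailing digits/punctuation, then undo leet substitutions."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def is_weak(password: str, min_len: int = 12) -> bool:
    """Flag passwords that are short or that collapse to a common base word."""
    return len(password) < min_len or normalize(password) in COMMON_BASES


# Constructed 32-word list (5 bits per word). Real diceware lists hold 7776
# words, about 12.9 bits per word.
WORDS: List[str] = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nettle", "orchid", "pebble",
    "quartz", "river", "saffron", "thistle", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "acorn", "brook", "cedar", "drift", "falcon", "grove",
]


def passphrase(n_words: int = 6, sep: str = "-", words: List[str] = WORDS) -> str:
    """Build a passphrase with the secrets module (a CSPRNG); random.choice is
    not suitable for anything that has to stay secret."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: each word adds log2(list size)."""
    return n_words * math.log2(wordlist_size)


def reused_passwords(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Return password -> sites for every password used on more than one site.
    Input is a constructed site->password mapping, the kind of audit a
    password manager runs over its own vault."""
    sites_by_password: Dict[str, List[str]] = {}
    for site, pw in credentials.items():
        sites_by_password.setdefault(pw, []).append(site)
    return {pw: sorted(s) for pw, s in sites_by_password.items() if len(s) > 1}


if __name__ == "__main__":
    for candidate in ["Password", "Passw0rd", "password123", "P@ssw0rd2024!", passphrase()]:
        print(f"{candidate!r:45} weak={is_weak(candidate)}")
    print(f"6 words from a 7776-word list: about {passphrase_bits(6, 7776):.1f} bits")
    print(reused_passwords({"twitter": "hunter2", "dating": "hunter2", "bank": "other"}))
```

Six words from the toy list give only 30 bits, which is why the list size matters as much as the word count; six words from a full 7776-word list give about 77 bits, and the generated phrase is long enough and unusual enough that the same checker passes it.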

10. Don’t share identifying information.
If you’re trying to keep a profile secret, don’t share personally-identifying details on it. Keep your workplace, alma mater, tattoos, and the freckle on your left butt cheek private; there is no benefit to sharing these details on an account you don’t want to have linked back to you.

11. “Plausible deniability” is a terrible failsafe.
If your operational security is poor enough that you have to rely on plausible deniability, you are almost definitely not capable of pulling off plausible deniability. It’s far better to share false information from the start than it is to put honest information out there, and then try to lie to cover up its connection to you. If you are relying on plausible deniability to keep you safe, you are fucked.

12. Being recognized will fuck your shit up.
Don’t conduct clandestine meetings in places you frequent in your normal life. It only takes one staff member, regular patron, etc. to recognize you, call you by the wrong name, and totally blow your cover. It only takes an innocuous comment to someone in your normal life to make your secrets known. Pick somewhere you are unlikely to be recognized, dress differently than you normally do, and don’t go to that place in your day-to-day life if you can avoid it.

13. Alibis can be helpful, but they’re hard.
Use your credit card to buy a movie ticket or pay for food somewhere you frequent often. The problem with many alibis is that they involve having someone else lie on your behalf, which in turn requires violation of rule number 8. If you are going to construct an alibi, make sure you’re fabricating evidence, rather than relying on false testimony.

14. Strict compartmentalization.
The first rule of Fight Club is, do not talk about Fight Club. The second rule of Fight Club is DO NOT TALK ABOUT FIGHT CLUB. This rule actually goes both ways; just as you should not be discussing your secret life within your mundane existence, there is also no reason to discuss your day-to-day life within your secret life. Just don’t. Keep it completely separate; no overlap, no allusion, nothing.

15. Maintain composure.
If you want to get away with keeping a secret, you must keep your cool. Be mindful of being fidgety. Don’t giggle every time someone says the word “secret.” Be aware of your facial expressions and your reactions to the people around you. Be aware of what names you’re responding to, when. Stay calm.

16. Don’t get cocky.
Persona maintenance requires constant vigilance. Personal security is never assured, and one should never forget this. Cockiness breeds sloppiness; sloppiness leads to discovery.

17. Perfection takes practice.
None of these skills are innate. All of them require extensive practice. You may find that you need to start over and start clean over and over again. There is no shame in failure, but it is important to remember that the internet never forgets; it is best to always err on the side of caution and add additional information as you go, after having properly assessed the risk.

Again, while this is by no means an exhaustive list of all possible precautions one might take, and while these precautions may not be as helpful against adversaries with a lot of time and resources, they are absolutely an easy way to minimize risk from stalkers, dangerous family members, nosy employers, and potentially even low-level state adversaries. Social media can very well be a point of vulnerability for many of us, but through careful persona management, it is possible to negate some of that insecurity while maintaining a robust online presence.