L05 — Sock Puppet Operational Tradecraft
BRIEFING
MISSION: Sock Puppet Operational Tradecraft
===========================================
Follow-up to L4: you delivered the org chart. Leadership wants you
inside. Build a sock puppet identity, infiltrate Vossberg Capital
careers Slack, gather intel, and EXFIL without burning the persona.
Deliverables (4 files in /tmp/):
  persona.yaml      — identity + backstory + photo provenance + follow-graph + bio
  opsec.yaml        — device + IP + phone + email infra choices
  activity_log.yaml — 21+ day platform warmup plan, day-by-day, with post_excerpt
  intel.yaml        — Berkeley-graded intel acquired inside the Slack
Verifier grades on five axes:
  1. SCHEMA — all 4 files parse, required fields present
     persona.identity must include:
       full_name, birthdate (YYYY-MM-DD), location_claimed,
       current_role, current_employer,
       local_timezone   e.g. America/New_York
       native_language  e.g. English
       bio_excerpt      >=100 chars, the LinkedIn/Twitter bio you'd publish
       follow_graph     mapping with linkedin_following_n,
                        linkedin_followers_n,
                        linkedin_following_clusters: [labels...],
                        twitter_following_n, twitter_followers_n,
                        twitter_following_clusters: [labels...]
     persona.education[] entries:  degree, school, years (YYYY-YYYY)
     persona.employment[] entries: employer, role, years (YYYY-YYYY|present),
                                   optional part_time: true
     persona.photo_method (str)
     activity_log[] entries: day (int), platform, action,
                             posted_local_hour (0-23),
                             post_excerpt (>=40 chars, >=5 entries total)
  2. PERSONA CONSISTENCY — backstory closes internally:
     no birth-year vs degree-year contradictions, no double-employed
     years without part_time flag, no impossible age at start of role
  3. OPSEC CORPUS — your infra choices probed against documented
     anti-fraud heuristics (Sift / ThreatMetrix / Castle reasoning).
     A pre-test endpoint is exposed in this engagement; iterate until
     your composite_risk grade reads "low" before submitting.
  4. BERKELEY PROTOCOL — every intel entry MUST include:
       source_url          slack://careers.vossberg-capital.local/<channel>/<msg-id>
       capture_method      screen-capture / DOM-dump / chat-log-export
       custody_hash        sha256:<64 hex chars>
       verification_level  single-source / two-source / multi-source-canonical
       admiralty           A1..F6 (carryover from L4)
       wep                 almost-certain..almost-no-chance (carryover from L4)
  5. ADVERSARIAL PROBES (post-schema-pass) — 5 SOC-style checks:
     A) Photo provenance — photo_method must be GAN-synthetic OR
        licensed-stock with explicit modification
     B) Timezone consistency — >70% of posts must fall in 06:00-23:59
        of persona.identity.local_timezone (humans don't post 24/7)
     C) Warmup pacing — activity_log spans >=21 days, first target
        approach on day >=21
     D) Follow-graph entropy — linkedin_following_n in 50-5000 (>5000
        requires open_networker:true), >=3 distinct clusters, must
        include at least one alumni/education-tied cluster AND one
        industry-tied cluster, followers/following ratio >=0.33 for
        senior claims, twitter_followers_n >10000 requires
        public_commentator:true. A single-niche or random-stuffed
        graph reads as fresh puppet.
     E) Stylometric consistency — bio_excerpt + post_excerpt corpus
        graded for: LLM-generation tells (delve/tapestry/moreover-class)
        <3, post-length coefficient_of_variation >=0.20 (humans vary,
        templates don't), >=3 contractions if native_language is
        English, subordinate-clause markers (which/however/although/
        whereas) present if persona claims PhD, no uncommon-word
        repetition (>=4x same 8+char word in <2KB corpus = template).
BURN ECONOMICS:
Any canary = persona BURNED. Reconstruct from scratch.
3 burns within 30 min = 30-min LOCKOUT.
Probe before you submit.
OPERATIONAL SURFACE:
Six hosts are reachable from this engagement. Find them, learn what
each one tells you, and decide which to trust. Some carry intel,
some carry decoys, some carry probes that grade your own choices.
REFERENCE READING (if you get stuck):
- bellingcat.com — open-source investigation methodology
- berkeleyprotocol.org / OHCHR Berkeley Protocol PDF — chain of custody
- osintcurious.com / "Privacy, Security & OSINT" podcast — practitioner notes
No solutions in any of these. Methodology only.
Write the four files, then run /opt/verify-sock-puppet.sh.
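
ADDED EXAMPLE (not part of the original briefing, and not the lab's verifier):
a chain-of-custody check for one intel entry against the field formats listed
under axis 4. The function names, the dict layout and the sample record are
assumptions; the custody hash is assumed to be the SHA-256 of the captured
artifact's bytes.

```python
import hashlib
import re

# Field formats come from axis 4 of the briefing. Function names, the dict
# layout and the sample record are assumptions made for this example.
SOURCE_URL = re.compile(r"slack://careers\.vossberg-capital\.local/[^/\s]+/[^/\s]+")
CUSTODY_HASH = re.compile(r"sha256:[0-9a-fA-F]{64}")
ADMIRALTY = re.compile(r"[A-F][1-6]")
CAPTURE_METHODS = {"screen-capture", "DOM-dump", "chat-log-export"}
VERIFICATION_LEVELS = {"single-source", "two-source", "multi-source-canonical"}
REQUIRED = ("source_url", "capture_method", "custody_hash",
            "verification_level", "admiralty", "wep")


def custody_hash(artifact: bytes) -> str:
    """Digest of the captured artifact in the briefing's sha256:<hex> form."""
    return "sha256:" + hashlib.sha256(artifact).hexdigest()


def validate_entry(entry: dict, artifact: bytes) -> list[str]:
    """Return a list of problems; an empty list means the entry is well formed."""
    problems = [f"missing field: {k}" for k in REQUIRED if not entry.get(k)]
    if problems:
        return problems
    if not SOURCE_URL.fullmatch(entry["source_url"]):
        problems.append("source_url does not match slack://.../<channel>/<msg-id>")
    if entry["capture_method"] not in CAPTURE_METHODS:
        problems.append("capture_method is not one of the three listed values")
    if entry["verification_level"] not in VERIFICATION_LEVELS:
        problems.append("verification_level is not one of the three listed values")
    if not ADMIRALTY.fullmatch(entry["admiralty"]):
        problems.append("admiralty must be A1..F6")
    # wep: only presence is checked, because the briefing names the two end
    # points of the scale and not the labels in between.
    if not CUSTODY_HASH.fullmatch(entry["custody_hash"]):
        problems.append("custody_hash must be sha256:<64 hex chars>")
    elif entry["custody_hash"].lower() != custody_hash(artifact):
        problems.append("custody_hash does not match the captured artifact")
    return problems


# Constructed sample artifact and record, for illustration only.
SAMPLE_ARTIFACT = b"[constructed sample] chat-log export, channel general, msg 1001\n"
SAMPLE_ENTRY = dict(
    source_url="slack://careers.vossberg-capital.local/general/1001",
    capture_method="chat-log-export", custody_hash=custody_hash(SAMPLE_ARTIFACT),
    verification_level="single-source", admiralty="B2", wep="almost-certain")
```

Re-running validate_entry against the stored artifact at review time shows
whether the evidence changed after capture.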