Intro to OpSec

Your basic introduction to Operational Security, commonly known as OpSec. Learn what OpSec is all about and why it is important.

Basic threat modeling

A basic plain and simple guide to threat modeling. Get to know who your adversary is and how to effectively counter your adversary.

Choosing the right tools

Learn about the common well tested tools used for anonymity, privacy, and security. Learn how to choose the tools that will be most effective for you.

OpSec is short for Operational Security. Operational Security is the process of identifying mission/operation critical information that may be the target of an adversary in order to disrupt your operations. The goal is to protect and secure the information to prevent an adversary from being able to obtain it. In terms of anonymity, this can be described as a process to prevent an attacker from being able to successfully gain the information necessary to deanonymize you and/or disrupt your operations.

http://jqibjqqagao3peozxfs53tr6aecoyvctumfsc2xqniu4xgcrksal2iqd.onion

10 chapters of great learning


Encryption

All about encryption, learn about strong popular algorithms and algorithms you should avoid. Learn what to look for before using software or hardware for encrypting your data.

Metadata

Learn what metadata is, how it can be abused, and how you can avoid creating metadata or remove it from files such as documents and images.

Mobile device location tracking

How mobile devices such as phones and laptops can be used to track your location, and possible methods to avoid these types of location tracking.

Security through isolation

Learn about security through isolation and how you can apply it. Learn about Virtual Machines and Qubes OS and how security through isolation is used almost everywhere today.

Defense in depth

Learn about defense in depth and layered approaches to security including how to apply defense in depth in an efficient and effective manner.

Myths

Common myths regarding Operational Security. Sometimes called FUD, these myths include a variety of things you should avoid and things that are just flat out incorrect.

Common mistakes

Learn about the most common operational security mistakes and how you can avoid them. A simple mistake can have big consequences depending on what you are trying to protect.

Diceware

Learn how to properly generate a strong Diceware passphrase using dice or KeePassXC with a Diceware wordlist.

Signal Guide

How to set up Signal with some additional security tips. Also includes how to set up the hardened fork of Signal, Molly.

OnionShare Guide

Guide for sharing files using OnionShare using both OnionShare’s send and receive mode.

I2P Torrent Guide

Learn how to set up I2P with Mullvad Browser and how to torrent files anonymously using I2P.

Computer Anti-Forensics

How to significantly slow down or even stop forensic investigations of common electronic devices such as mobile devices, personal computers, and external storage devices.

Common Mistakes

100% security

People still believe that there is such a thing as 100% security. Everything is flawed in some way; for there to be 100% security there would need to be perfect security, which simply isn’t possible. If someone is determined and has enough time and funding, they will find a way around your security. A better approach is to have reasonable security and to keep up to date with the latest threats through constant software updates and applying things such as defense in depth. This makes the time and effort required impractical or not worth it for your adversary. Cryptography does exactly this: a 128-bit key can be brute-forced, but the only thing stopping an attacker is that it takes far too long. Anonymity also plays a role; it is harder to attack someone you know nothing about.

FUD

This stands for Fear, Uncertainty and Disorder. Sometimes people spread information that is blown out of proportion or simply false, which creates fear, uncertainty, and disorder about a particular OpSec practice, protocol, or piece of software. For instance, a while ago somebody had been using LUKS on one computer and VeraCrypt on another. Law enforcement was able to get into the LUKS-encrypted computer but not the VeraCrypt-encrypted one. The person in question claimed to have been using a “secure password”, which suggested that LUKS wasn’t secure, and in turn many began to believe that LUKS was not secure. The LUKS-encrypted computer was actually using LUKS1, not LUKS2, and LUKS1 is comparatively easy to password-crack due to its weak PBKDF2 parameters. This also means that the password that was supposed to be secure was not so secure after all, because at that cost it was feasible to crack. Tails responded by switching to LUKS2 and publishing an announcement about LUKS1 and LUKS2, explaining that LUKS2, which uses Argon2 instead of PBKDF2, is harder and more expensive to crack. If the password had been longer, or a passphrase of sufficient length, this probably would never have happened in the first place.

Instead of automatically believing or claiming that something is insecure, it is better to investigate why it didn’t protect something as well as it should have, and then make changes accordingly. Sometimes things really are insecure and you should stop using them, such as 1024-bit RSA; other times something wasn’t used or configured properly. There are typically a lot of factors involved. Basically, don’t take things at face value; do your own research.
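As an added example (not the page's own material), the Python below does two things the LUKS story and the “it just takes too long” argument call for: it parses `cryptsetup luksDump` output to flag the LUKS1/PBKDF2 setup, and it puts numbers on how a Diceware passphrase or a 128-bit key compares with a short password. The dump texts and the guess rate are constructed assumptions, not measurements.

```python
import math
import re

# Constructed sample of `cryptsetup luksDump` output for a LUKS1 header (not from a real device).
LUKS1_DUMP = """\
LUKS header information for /dev/sdX2
Version:        1
MK iterations:  49605
Key Slot 0: ENABLED
        Iterations:             198421
Key Slot 1: DISABLED
"""

# Constructed sample for a LUKS2 header whose keyslot uses Argon2id (the KDF Tails moved to).
LUKS2_DUMP = """\
LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Memory:     1048576
"""

def audit_luks_dump(dump: str) -> dict:
    """Report the LUKS version and key-derivation function, flagging the LUKS1/PBKDF2 case."""
    version = int(re.search(r"^Version:\s*(\d+)", dump, re.M).group(1))
    if version == 1:
        # LUKS1 always derives keys with PBKDF2; the per-keyslot iteration count is its only cost knob.
        iters = [int(n) for n in re.findall(r"^\s+Iterations:\s*(\d+)", dump, re.M)]
        return {"version": 1, "kdf": ["pbkdf2"], "keyslot_iterations": iters, "weak": True}
    kdfs = sorted(set(re.findall(r"^\s+PBKDF:\s*(\S+)", dump, re.M)))
    # A LUKS2 header can still carry pbkdf2 keyslots (e.g. after an in-place convert), so check each one.
    return {"version": version, "kdf": kdfs, "weak": "pbkdf2" in kdfs}

def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a Diceware passphrase: each word is one of 7776 equally likely choices."""
    return words * math.log2(wordlist_size)

def expected_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to recover a uniformly random secret: half the keyspace at the given guess rate."""
    return 2 ** (entropy_bits - 1) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    print(audit_luks_dump(LUKS1_DUMP))
    print(audit_luks_dump(LUKS2_DUMP))
    # Assumed rate of 1e6 guesses/s: a short password falls quickly, the others do not.
    for label, bits in (("8 random lowercase letters", 8 * math.log2(26)), ("6 Diceware words", passphrase_bits(6)), ("128-bit key", 128)):
        print(f"{label}: {bits:.1f} bits, ~{expected_crack_years(bits, 1e6):.3g} years")
```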

Overlooking other vectors

When threat modelling, accounting for every possible attack vector can be very difficult; you are going to overlook something. You can minimize the chance of overlooking attack vectors by studying how something you are using or trying to protect operates: the more you know, the better. For instance, if you want to PGP-encrypt your email, you should understand how email works. Once you know how it works, you will find more vectors, such as email metadata and the fact that PGP encryption does not protect the metadata of an email such as the subject line. You can then plan a mitigation accordingly, such as not using a subject line, putting the subject line in the body where it can be encrypted, or using a vague subject line.
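An added example, not from the original page, of the email metadata point above: the Python below lists the headers that stay readable no matter how the body is encrypted, and moves the real subject into the part you would hand to your PGP tool, leaving only a “...” placeholder outside. The addresses and subject are constructed, and encryption itself is left to the PGP tool.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Header fields that remain readable in transit even when the body is PGP-encrypted.
CLEARTEXT_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID", "In-Reply-To", "References")

def make_draft(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Build a plain draft the way a mail client would before any encryption."""
    draft = EmailMessage()
    draft["From"], draft["To"], draft["Subject"] = sender, recipient, subject
    draft.set_content(body)
    return draft

def cleartext_metadata(raw: bytes) -> dict:
    """Return what an observer of the raw message can read regardless of body encryption."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {h: str(msg[h]) for h in CLEARTEXT_HEADERS if msg[h] is not None}

def protect_subject(draft: EmailMessage, placeholder: str = "...") -> EmailMessage:
    """Move the real Subject into the part that will be encrypted; leave only a placeholder outside.
    The returned outer body is the plaintext you would encrypt; encryption is not performed here."""
    inner = EmailMessage()
    inner["Subject"] = str(draft["Subject"])     # travels inside the ciphertext once encrypted
    inner.set_content(draft.get_content())
    outer = EmailMessage()
    for h in ("From", "To", "Cc", "Date"):       # transport needs these; PGP cannot hide them
        if draft[h] is not None:
            outer[h] = str(draft[h])
    outer["Subject"] = placeholder               # the only subject the mail servers ever see
    outer.set_content(inner.as_string())         # stand-in for the PGP-encrypted payload
    return outer

if __name__ == "__main__":
    draft = make_draft("alice@example.org", "bob@example.org",
                       "Quarterly budget review", "Numbers attached in the next message.")
    print("before:", cleartext_metadata(draft.as_bytes()))
    print("after: ", cleartext_metadata(protect_subject(draft).as_bytes()))
```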
