Opsec for Noobs

Now that the digital Red Scare has begun, protecting your identity is crucial to ensure your life does not get destroyed. At the rate the regime is moving, poor opsec could lead to much worse things. This is the first of a series of poasts about ways to protect yourself.

In this poast I'll go through some basic ways to protect yourself and to not be low hanging fruit. This will range from security basics like using a VPN and using encrypted chats to more advanced tactics like making sure your iPhone won't turn into a listening device and getting your racist memes off of Apple's servers.

Since this is intended for very noobie noobs, let me note the definition of OPSEC. Wikipedia defines it pretty well:

Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.

A few things worth noting before I begin:

Let's get down to it.

OPSEC

Facebook

I'll make this short and sweet. Delete Facebook. Now. If you insist on keeping it, carefully comb through your profile and comments and look for anything that might be deemed as offensive by the most ruthless of shitlibs and delete them. Platforms that require you to share your identity, like Facebook, have the highest amount of risk. Apply this principle to Instagram as well.

Twitter

Twitter requires you to share a phone number and email address with them. Under no circumstances should you give them your real phone number or an email address that can easily be traced to your identity (think yourrealname@gmail.com). You also shouldn't give them an email address that you use for services that are tied to your identity, like Amazon or your doctor's office. If you already gave them a real phone number or a standard email address, it's very likely already stored in their change logs. An extreme and precautionary move would be to delete that account and create a new one.

Here are different ways to protect yourself on Twitter:

One last note about Twitter. If you're feeling nervous about how bad some of your old tweets may have been, you can use tweetdelete.net and nuke them. You can also nuke all of your likes (remember, people have lost their jobs over liking the wrong tweet). I recently did both after the most recent purge. You can also set tweetdelete.net to auto-delete tweets older than a week, a month, etc.

Moving on...

I have many racist memes on my phone. Wat do?

Adhering to the first principle, keeping your personal photos and / or racist memes on Apple and Google servers is a bad idea. A racist meme is just as risky as a racist text. If you have memes that can slightly be interpreted as racist (who would do such a thing?) and have them on Apple's servers than yes, then you are dancing with the devil. Download your photos off their cloud and onto an external hard drive. Yes, Google Photos categorizes your photos oh so well. Don't you just love scrolling back to that trip in Amsterdam when you banged your Airbnb hostess? Maybe you do, but who cares. People look back at old photos maybe twice a year anyway. It’s not worth your livelihood.

Again, I know it sounds crazy to think that Apple will dox their customers. But Twitter just banned Donald Trump. I repeat: trusting the Big Tech companies is not wise.

After you put your photos onto a hard drive, put them on a very safe cloud server that prioritizes privacy. If you can build your own server, PrivacyTools.IO has some suggestions. If not, Proton has a cloud product in beta now and some email users have been given access.

Messaging Apps

To abide by the first principle, stop using iMessage and WhatsApp. Download Signal, Telegram or Keybase and start asking your friends to try them. All of them are focused on privacy and have features that cause your messages to self-destruct after a period of time that you decide. Signal is my preferred app of choice. Urbit is another more extreme option, but it requires a bit of technical knowledge.

Of course, you’re not going to convince all of your friends and family to jump onto these encrypted apps they never heard of. That being said, now is the best time to push for it, as Elon Musk has recently promoted Signal and it's the #1 downloaded free app on the App Store as of today.

If and when you do have to use iMessage or WhatsApp, be very mindful of what you talk about there. If people bring up politics, don't engage, just say “hey sorry, you gotta watch what you say these days, happy to talk on other apps that are more protective over privacy if you don’t mind”. Ideally you won't type that and will say it in person, but it may not be an option and not replying can be awkward. This is ideal because in an extreme scenario, you can now be accused of having “something to hide.” Remember, our enemies don't have to make sense.

Handling Multiple Platforms

Ideally, you will have a different username across all of your anonymous profiles. If they're coming after User X, and User X is called “SaintFloyd” on Twitter, Gab and Parlor, now they can find all of their content in just a few clicks. If you have a big following it makes sense why you would want to keep your brand and not start from scratch. This is a best practice.

BASIC DATA SECURITY

Remove Trackers From Your Phone

Chances are your iPhone is tracking every step you take, collecting your behavior and creating a profile about you and selling it. On top of that, you probably have multiple apps that are allowed to turn your camera or microphone on and record you. Let's undo this immediately.

Protect Your Passwords

Download a secure and well-known password manager LastPass or One Password. You can install it as a browser extension and it will automatically store all of your logins and passwords there. It can also import your saved passwords from your browser. Good password managers will tell you when you are using duplicate passwords on multiple sites, rank your privacy strength, and create very long complex passwords very easily.

Use A Safe Browser

If you are using Chrome: Wipe your history from it (cookies, logins, browser history), sign out, delete it from all of your devices and never download it again. The Golden Rule has been enforced. Moving on.

Firefox is historically known as very trustworthy but they just released a blog post saying deplatforming people isn’t enough. Tremendous red flag. I stopped using them because of this.

Download Brave. Brave is designed around protecting privacy, has a pre-installed ad blocker, wipes your history after you close the app, and makes it easy to connect to Tor.

Use a VPN

Using a VPN scrambles your IP address, plain and simple. Knowing your IP address makes it extremely easy to know where you are and then some. I prefer Proton VPN as I tend to trust Proton with all privacy related matters. They have a “Secure Core” option which guarantees you won't connect to the internet without a VPN. So if there is a connection issue with your VPN, you'll lose Wifi until it reconnects.

Encrypted Email Only

Applying the Golden Rule, get off of Gmail, Yahoo, Outlook, etc. and move to ProtonMail. Again, it isn't as simple as having one ProtonMail address. Tutanota is another safe and encrypted platform as well. I recommend having one that you're going to use for every day things that are inevitably connected to your identity — your bank, Amazon, etc. You are now well aware your identity is connected to that email and it should therefore NOT be used on ANY platform where you are worried about what you're posting. As mentioned in the Twitter portion of this poast, create another ProtonMail address specifically for those platforms and ideally create one per platform. ProtonMail requires a backup email, so I recommend creating a Tutanota email first and using that as the backup. It doesn't make sense to create a secure email and then using yourrealname@gmail.com as the backup.

Google yourself. What can your enemies learn?

It's crucial to remove what is searchable about you publicly. Google your real name. See what comes up and go through it meticulously. You’re going to find yourself on those shitty scraping websites that also have your age and address. ALL of them have an option for you to request to remove yourself. Do it for every single one. Look up old usernames you’ve used on forums. Go back into them and delete your posts. Make your real name on Twitter private or just delete it. Use Google Images too. If you find your picture on sites, email the company and demand they take it down. Ideally, you want to get to a place where you can search for yourself and then again with basic info (hometown, residence) about you and nothing appears.

That's it for this poast. On my next poast I will go through more tactics like:

I hope this was helpful. If you have questions, message me on Keybase @medgold or on Telegram @TuddyCicero