TyperTech
Regular Member
- Joined
- Feb 26, 2024
- Posts
- 44
- Reaction score
- 0
- Status
- Offline
- Last Seen
You, Yourself, and the Meaning of Opsec
A Beginners' Guide to the NSFW Art of Opsec
To start with, let's look at opsec in general. "With what?" I hear lots of you ask. Opsec is¹
The systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive activities.
Clear as a blindfold. At its core, though, this just says opsec is putting on a poker face in poker so others can't guess your hand. Whenever someone decides to play dumb about a secret they've heard, lie about their greatest weakness in a job interview or play hard-to-get with a suitor, that's opsec.
If you're on NSFW, though, you probably have a particular adversary in mind: law enforcement and government intelligence agencies.
The Golden Rule of Opsec
Regardless of why you need opsec, or how short your attention span is, there's one thing you need to know about opsec:
You cannot do the fifth step properly until you've done the first four.
Oh yeah- you probably need to know what the steps are too. Turning back to drunk uncle Sam¹:
[OPSEC] involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.
Just like with the two text boxes above, the Golden Rule says things won't work if you try to re-arrange or skip steps. It seems obvious, but when you see all the cool tools and tips and tricks out there, it's easy to just pick the easy and exciting ones and forget about the four planning stages. It's not the worst thing you could do, but will you be able to live with your choice if it's not enough to protect you?
By following the rules instead, you've mastered half the art of opsec. Everything else is just words and tools.
Privacy, Anonymity, and Pseudonymity
You would expect people would know words mean if they come up constantly, but do you know what "privacy" and "anonymity" are? Most NSFW users don't seem to, and (ignoring the trolls) they aren't especially stupid. Even I didn't until very recently! These are two of the words that help in identifying critical information and risk assessment, though, so here's some definitions:
Privacy is about hiding what you're doing². If I ask for a private moment, then you'd better go away and not watch what I'm doing or you'll be feeling sorry (for me probably, but that's not important). A private message is similar- only a select group know what it says. Everyone might know who the sender and receiver are, though, or that I'm having a private moment in the bathroom. And sometimes that's all you need to fill in the missing information.
Anonymity is the other half of the puzzle- hiding who you are². An anonymous message is one where only a select group know who the sender is, even if the contents might be public information, and an anonymous purchase is one where the buyer isn't identified. Anonymity can be combined with privacy in (for example) a sealed, unsigned letter, but it doesn't need to be. Whistle-blowing is often done anonymously but not privately, for example.
While it's extremely useful to classify information as public, private to Group 1, private to Group 2, and so on, subdividing anonymity isn't as helpful. Instead we talk about pseudonymity- actions linked together by an identifier or "name" separate from the author's real identity, like a pen name for an author or an account on NSFW. This is useful for keeping a person's identity secret but still being able to build up a history or reputation to, for instance, establish an illegal business or earn and spend money on illicit goods. By choosing what information to link to an identifier, pseudonymity can be divided up as finely as privacy.
Unless you want a history or reputation, though, anonymity is almost always the best option. Linking harmless data points together with a pseudonym can show patterns that make them much less harmless³ ⁵.
Correlation and Compartmentalization
This linking together of data points is a broad class of threat called correlation. It's been widely used in medicine to make wonderful new discoveries, but sadly also supports the invasive profiling of "Big Data" that businesses and governments use to catch people. If you're on NSFW it probably appears someone in your analysis of threats, both to pseudonymous identities and attempted anonymity.
crickets
Don't tell me you weren't going to do an analysis of threats. You did read "The Golden Rule" didn't you?
The simplest correlation to is based on things you would think of about a person, such as username, any hobbies or life events mentioned, and so on, but there are also some more subtle factors that might be worth considering depending on your adversary's capabilities⁸:
Browser fingerprinting
IP fingerprinting
Time online or Time zone settings
Choice of words……etc.
Browsing habits / patterns
The techniques and code you use, if you're hosting or hacking things
In order to protect yourself, you'll need to be careful to make sure you don't accidentally build links between things that you don't want connected. The best way to do this is compartmentalization, which you can prepare for in three steps:
Firstly, construct a list of separate aspects of your life- "identities"- that you don't want correlated with each other. Keep this list as short as possible to make it as manageable as possible⁷: "everyday" and "criminal" is enough in almost all cases.
Now divide everything you do or will do between them. This doesn't need to be very detailed, but regular or significant things should at least be listed for everything except your "actual me" category. Warning: don't split things that are already connected by a pseudonym, your actual person, or some other factor over two identities. That defeats the purpose of doing this in the first place.
After that, establish a profile for each simulated identity⁷. The simpler the better, but it's worth thinking about what each of the correlation factors (other than fingerprinting, which is covered in Chapter 3) will be. Wherever one option is extremely common for internet users (e.g. EST for time zone, greeting with "hi"), that's the best choice, but if that doesn't work or there is no "majority" choice then just pick something different to your other identities. Above all, don't stress too much about it. You make mistakes when you stress, and being boring and normal is far more stressful than it seems.
.
With the planning done, it's time to learn the mindset. Always remember that you can only have one identity at a time. Mixing activities from two different parts of your life is strictly forbidden, and even speaking or thinking about them is to be avoided. You might be shit at acting like me, but you will put on your identity mask and wear it like your life depends on it! It's not even COVID-19 chasing you this time: it's the law.
Thankfully for people like us, there's a second rule: keep your lips tight⁹. The less of those character profiles you have to use, the less chances you have to slip up. So don't talk about the weather or your trip to Afghanistan or make contact with everyone if you can avoid it. Save all the excitement for your personal identity, where you don't have to make things up and then get caught out when somebody asks an unexpected question.
With these two rules and the appropriate prior planning, it will become much less difficult to develop effective opsec strategies for the aspects of your life that need them most.
A Beginners' Guide to the NSFW Art of Opsec
To start with, let's look at opsec in general. "With what?" I hear lots of you ask. Opsec is¹
The systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive activities.
Clear as a blindfold. At its core, though, this just says opsec is putting on a poker face in poker so others can't guess your hand. Whenever someone decides to play dumb about a secret they've heard, lie about their greatest weakness in a job interview or play hard-to-get with a suitor, that's opsec.
If you're on NSFW, though, you probably have a particular adversary in mind: law enforcement and government intelligence agencies.
The Golden Rule of Opsec
Regardless of why you need opsec, or how short your attention span is, there's one thing you need to know about opsec:
You cannot do the fifth step properly until you've done the first four.
Oh yeah- you probably need to know what the steps are too. Turning back to drunk uncle Sam¹:
[OPSEC] involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.
Just like with the two text boxes above, the Golden Rule says things won't work if you try to re-arrange or skip steps. It seems obvious, but when you see all the cool tools and tips and tricks out there, it's easy to just pick the easy and exciting ones and forget about the four planning stages. It's not the worst thing you could do, but will you be able to live with your choice if it's not enough to protect you?
By following the rules instead, you've mastered half the art of opsec. Everything else is just words and tools.
Privacy, Anonymity, and Pseudonymity
You would expect people would know words mean if they come up constantly, but do you know what "privacy" and "anonymity" are? Most NSFW users don't seem to, and (ignoring the trolls) they aren't especially stupid. Even I didn't until very recently! These are two of the words that help in identifying critical information and risk assessment, though, so here's some definitions:
Privacy is about hiding what you're doing². If I ask for a private moment, then you'd better go away and not watch what I'm doing or you'll be feeling sorry (for me probably, but that's not important). A private message is similar- only a select group know what it says. Everyone might know who the sender and receiver are, though, or that I'm having a private moment in the bathroom. And sometimes that's all you need to fill in the missing information.
Anonymity is the other half of the puzzle- hiding who you are². An anonymous message is one where only a select group know who the sender is, even if the contents might be public information, and an anonymous purchase is one where the buyer isn't identified. Anonymity can be combined with privacy in (for example) a sealed, unsigned letter, but it doesn't need to be. Whistle-blowing is often done anonymously but not privately, for example.
While it's extremely useful to classify information as public, private to Group 1, private to Group 2, and so on, subdividing anonymity isn't as helpful. Instead we talk about pseudonymity- actions linked together by an identifier or "name" separate from the author's real identity, like a pen name for an author or an account on NSFW. This is useful for keeping a person's identity secret but still being able to build up a history or reputation to, for instance, establish an illegal business or earn and spend money on illicit goods. By choosing what information to link to an identifier, pseudonymity can be divided up as finely as privacy.
Unless you want a history or reputation, though, anonymity is almost always the best option. Linking harmless data points together with a pseudonym can show patterns that make them much less harmless³ ⁵.
Correlation and Compartmentalization
This linking together of data points is a broad class of threat called correlation. It's been widely used in medicine to make wonderful new discoveries, but sadly also supports the invasive profiling of "Big Data" that businesses and governments use to catch people. If you're on NSFW it probably appears someone in your analysis of threats, both to pseudonymous identities and attempted anonymity.
crickets
Don't tell me you weren't going to do an analysis of threats. You did read "The Golden Rule" didn't you?
The simplest correlation to is based on things you would think of about a person, such as username, any hobbies or life events mentioned, and so on, but there are also some more subtle factors that might be worth considering depending on your adversary's capabilities⁸:
Browser fingerprinting
IP fingerprinting
Time online or Time zone settings
Choice of words……etc.
Browsing habits / patterns
The techniques and code you use, if you're hosting or hacking things
In order to protect yourself, you'll need to be careful to make sure you don't accidentally build links between things that you don't want connected. The best way to do this is compartmentalization, which you can prepare for in three steps:
Firstly, construct a list of separate aspects of your life- "identities"- that you don't want correlated with each other. Keep this list as short as possible to make it as manageable as possible⁷: "everyday" and "criminal" is enough in almost all cases.
Now divide everything you do or will do between them. This doesn't need to be very detailed, but regular or significant things should at least be listed for everything except your "actual me" category. Warning: don't split things that are already connected by a pseudonym, your actual person, or some other factor over two identities. That defeats the purpose of doing this in the first place.
After that, establish a profile for each simulated identity⁷. The simpler the better, but it's worth thinking about what each of the correlation factors (other than fingerprinting, which is covered in Chapter 3) will be. Wherever one option is extremely common for internet users (e.g. EST for time zone, greeting with "hi"), that's the best choice, but if that doesn't work or there is no "majority" choice then just pick something different to your other identities. Above all, don't stress too much about it. You make mistakes when you stress, and being boring and normal is far more stressful than it seems.
.
With the planning done, it's time to learn the mindset. Always remember that you can only have one identity at a time. Mixing activities from two different parts of your life is strictly forbidden, and even speaking or thinking about them is to be avoided. You might be shit at acting like me, but you will put on your identity mask and wear it like your life depends on it! It's not even COVID-19 chasing you this time: it's the law.
Thankfully for people like us, there's a second rule: keep your lips tight⁹. The less of those character profiles you have to use, the less chances you have to slip up. So don't talk about the weather or your trip to Afghanistan or make contact with everyone if you can avoid it. Save all the excitement for your personal identity, where you don't have to make things up and then get caught out when somebody asks an unexpected question.
With these two rules and the appropriate prior planning, it will become much less difficult to develop effective opsec strategies for the aspects of your life that need them most.