OpSec
a guest, Feb 5th, 2017
Foreword

Hello! This is designed to serve as a basis for teaching how to practise OPSEC/PERSEC and why it matters. OPSEC stands for Operational Security, whereas PERSEC stands for Personal Security. The two are different, and the definitions are largely self-explanatory given the names, but for the sake of this guide, and because colloquially most people use "OPSEC" to mean both, we will refer to them as "OPSEC". This guide contains a few notes and some resources to help you.

Introduction

First and foremost, OPSEC is not a program you install. OPSEC is more like a sliding scale from least/no security to more/most security. Furthermore, OPSEC is a state of mind. Always ask "How can this be broken or used against me?" Try to break it, or learn ways to break your own OPSEC, and then fix the vulnerabilities.

All the privacy-oriented software in the world will do you no good just by being installed. In addition, there is no such thing as 'perfect' security. The sliding scale goes from nothing to infinity, a number high school algebra should have taught you that you can never reach. OPSEC and security, not only in the digital era but throughout physical history, have been a proverbial arms race. New techniques and software will be developed on both sides of the fight. It's about moving as far up the scale as you can to protect yourself, and sometimes it's about not being the low-hanging fruit and letting attackers go after easier targets.

Evaluating OPSEC Tools

Skills and habits will only get you so far, much like using your bare hands to fix a car. Sometimes you need tools. But you need good ones. How can you tell which tools are good and won't screw you with, for example, back doors, where law enforcement, or anyone who happens to know about them, like hackers and thieves, can just waltz right through your "security" and take what they please? Or what if it's a company like Google, or most other large companies in the tech sector, that collects your data, sells some of it, and will hand all of it over to the government whenever asked?
All of these are very real concerns, and here are some guidelines to help:

FOSS/FLOSS Software
Meaning Free Open Source Software and Free/Libre Open Source Software respectively; the two are often used interchangeably. Free software is free both in terms of cost and in terms of freedom. FLOSS reiterates this by including both 'free' and 'libre' (as in liberty) in the acronym, since software can have no cost but still not be 'free'.

Why is this software good?
The key features are the "libre" and "open source" aspects. This software first of all respects liberty, your freedom, and your privacy (and often anonymity). The open source nature keeps the software accountable and transparent. Not only can the source code be taken and changed if you find an issue, it's publicly audited, meaning everyone involved in the project or community, or just a passerby, can examine the code. These people are likely to be aficionados and other users who, like you, value and prize the 'libre' aspect. If they find backdoors, security vulnerabilities, data-mining, etc., it will be made public and fixed. Consistently and well-audited software is best.
Second, it's free and done as an open community. Volunteers basically do the work. The software isn't tied to a company with a pure money-making agenda, and there is no company that has to make profits and answer to investors that the government can go after. There's little to no pressure, relatively speaking, to add back doors, to data-mine, etc. Should a project be pressured, developers can more easily walk away.
Third, free stuff is awesome, and since it's made by other knowledgeable, passionate users it's often better than the paid/proprietary alternatives. Alternatives can almost always be found, and the cases where proprietary software is better are rare.

Avoid proprietary software when possible
This is largely a foil to the above guideline. At the time of this writing, Windows 10 is out and Microsoft is getting a bad rap for forced installs and shoving it down users' throats with updates they make very hard to opt out of. It's data-mining and is filled with telemetry. Windows and OSX, two of the biggest operating systems if not the biggest, are closed source, meaning we have no idea what they gather, to what extent, how, what back doors exist, etc. We can't be sure what they do with it and who they sell or give it to.
Sometimes it's unavoidable, like the use of Adobe Photoshop for most people that need image editing capabilities. GIMP is a viable alternative, but isn't quite as good. However, safeguards can be taken, like blocking applications from internet access or running them in a controlled, virtual environment.

Privacy/Anonymity Oriented Groups
Several organizations, foundations, etc. for FLOSS, privacy/anonymity, etc. software exist. Some big ones are:
The Electronic Frontier Foundation, the Free Software Foundation, the GNU Project, and many others that give endorsements, examine software, keep lists of said software and even get involved in the political side.
There are also several individuals who give similar endorsements and/or follow the free software philosophy and care about privacy. Two examples would be Edward Snowden, of NSA-leak fame and a user/advocate of TAILS OS, and Richard Stallman, the author of the GPL (General Public License) and founder of the GNU project.

Second, evaluate these groups and individuals. What's their history? What interests can you see? Are they a business with a bottom line? What's their track record? How do others in the community see them? Etc. Don't just trust a name or a title. Think for yourself; don't be sheep.

Evaluate the software
Research the software. Learn how it works, search to see if any security issues have been found, etc.

OPSEC is a habit

As stated before, OPSEC is not a program that magically protects you. It's often a series of habits. For example, Tor is a very popular and effective anonymization tool, but if used improperly it can harm you. If you sign in to personal accounts/services or do something personally identifiable (like looking up reviews on a local pizza joint) while you're logged in to a Dark Net Market or other account tied to illegal activity, you have just cross-contaminated the two. Traffic analysis and various types of 'fingerprinting' can slowly wear away at your security and become personally identifying, and this is just one of many examples.

OPSEC is not just about acquiring tools or skills, it's knowing how to use them effectively.

Testing and double checking are tenets to live by.

Anonymity vs Privacy

Anonymity and privacy are two different things. While they're often thought of interchangeably, and they do often go hand in hand, it is an important distinction. Private Internet Access (aka PIA, a well known and distinguished VPN service) has a good article on the subject. Privacy is the ability to keep things, often information/knowledge, to yourself. Anonymity is when you do not wish for others to know who is doing what. For the sake of OPSEC, the 'Dark Net', and its peripheries, anonymity is what we most often aim for.

Encryption

Cryptography, namely encryption, is your friend. Encryption is the backbone of OPSEC and your privacy/anonymity. Encryption, in essence, is encoding information so only a desired party or parties can read it. Encryption is done via "keys", most easily thought of as the instructions for encoding and decoding the messages. Encryption can be either symmetric, where one key is used for both encoding and decoding, or public key encryption, where the message is encrypted with a publicly posted key (i.e. public instructions) but can only be decrypted with a private key (i.e. secret instructions only the recipient holds).

Symmetric encryption is the older form, and since only one key existed it could be thought of as a 'private key'. Public key encryption adds a second dimension and is stronger, as the instructions to encrypt can be given out freely with virtually no consequence, while the decryption method can not only still be kept secret, but kept even more secret, as only one holder exists.

However, keys must be properly managed and protected. If a private key is ever given away, leaked, etc. by the intended holder(s), the encryption is compromised. In terms of guarding keys, good common-sense practice is needed, i.e. not giving your keys away, as well as security measures. If you keep private keys on a computer, the files can be accessed and stolen if someone gets access to the disk. Thus the key files need to be encrypted. We'll cover more on Full Disk Encryption later, but it encrypts the files on your computer and is unlocked via a password you memorize. Thus the only way for someone to get your files, including your private keys and a lot more, is to either break your encryption (highly unlikely), somehow capture the encryption password with keylogger malware that runs before you boot into your OS, or for you to divulge the password, either purposefully or accidentally.

With good practice, encryption will be your most powerful tool for protecting virtually all forms of data: files you keep, data and internet traffic you send, etc.

Also keep in mind that cryptography doesn't have to be broken/beaten/cracked to compromise the data it is protecting. Once again: OPSEC is a habit and a state of mind.

Digital & Physical

OPSEC/PERSEC is not just digital, it's physical as well. The old saying "loose lips sink ships" is incredibly relevant here. Some things are best kept private. Don't talk about your dark net doings IRL/AFK. If you make a career out of it, don't do other illegal things. Doing unnecessary illegal things, like speeding while carrying drugs, opens you up to getting caught. Keep your computer in a secure place, don't have windows where prying eyes can watch you, etc.

How to OPSEC

OPSEC Software and You

First off, here are a few places/listings that offer advice and info on OPSEC related software:

Pay close attention to your OS selection.

PrivacyTools.io
Provides information and background on privacy related software, its importance, and a little bit of the legal/political side. It has information and recommendations on service providers (VPN, email, etc.), operating systems, and general software for most of your needs.

PRISM-Break
Named with the intent of defeating PRISM and other related forms of surveillance. Similar to PrivacyTools.io in what it offers in terms of info on software. Individual recommendations and information may vary, so look at both.

InstallGentooWiki
A wiki mostly maintained by 4chan's /g/ board. It's very much FLOSS oriented as well as privacy oriented, as the two often go hand in hand. It's 4chan, they respect the idea of privacy/anonymity, and it's their tech board. The community is knowledgeable and useful, but it is 4chan, so expect their brand of humor and way of doing things.
They have excellent software recommendations for whatever OS you might be on, including:
GNU/Linux
Windows
OSX
Even Android.
They also have some decent info on anonymizing yourself, encryption, and even routers and firmware should you need one or want to install a VPN on one.

Tor

Tor is arguably the first thing you should install on a computer. It's maintained by the Tor Project, offers a great degree of protection, and is the method used to get to .onion sites, which are the bulk of 'dark net' sites most people think of and use. It should be the browser you use for anything nefarious.

As previously stated, OPSEC is a habit and you need to learn how to use the tools. Tor is one such example. Browsing habits often need to change to properly make use of Tor. Click this link and read this shit because it's important.

Tor has a wiki, an FAQ, and much more. Read it. Learn it. You need it. They also have a blog with useful info, like this post on why torrenting over Tor is a bad idea and not anonymous.

Tor also maintains TAILS OS. TAILS is so great even Edward Snowden uses it.

VPNs

/r/VPN is a great resource. It also explains VPN marketing and bad reviews: VPNs often use affiliate links, sponsored articles, etc. Research and corroborate claims. ThatOnePrivacyGuy also maintains a solid list of VPNs and evaluates them.
VPNs are highly recommended even if using Tor. They can even be stacked, and it's quite easy to do if you install one on a router. Make sure the router has a good processor to handle the encryption, or just use a basic/old computer as a router.

Virtual Machines

VMs are great. If you're using a good OS (usually a Linux distro) but need to use proprietary software, like Photoshop on Windows or OSX, a VM lets you run a virtual instance of that OS. VirtualBox is good, free virtual environment software. (VMware is also an option but is non-free.) Virtualization is incredibly useful. You can run secure OSes like Whonix or Qubes (qubes-os.org) from one, among a myriad of other things. Here's a guide to get you started in VirtualBox.

Passwords

Good passwords are vital to security. They function like keys that decrypt and allow access to applications, data, etc.
Good passwords should be long and not easily guessable. They shouldn't be basic words or variations on them. Chances are, if you thought of a way to "spice up" a basic password, attackers thought of it yesterday.
Randomly generated passwords are highly recommended, and a good password manager such as KeePassX is recommended to keep track of them. Outside of the passwords you keep in a manager, you have the important passphrases that are the first layer and will unlock your full disk encryption and password manager. They should be long, and easy to remember but hard to guess, often a string of words. Should you ever back up passwords, make sure the backups are encrypted. For maximum effect, physically separate them from what they decrypt, which is especially useful for full disk encryption passwords.
Here's a decent page about good password habits.
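As an added illustration of the passphrase advice above (not part of the original guide), here is a small Go program, standard library only, that puts numbers on why a string of randomly chosen words beats a "spiced up" dictionary word, and generates such a passphrase with crypto/rand. The 16-word list is a constructed stand-in for a real list (the EFF long list has 7776 entries), and the "spicing" model (capitalisation, a few letter swaps, one digit, one symbol) is a constructed assumption about what an attacker who knows the habit would try.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Constructed, deliberately tiny word list for the demo. A real passphrase
// list (e.g. the EFF long list) has 7776 words; list size drives the maths below.
var demoWordList = []string{
	"anchor", "basket", "candle", "desert", "engine", "forest", "garden", "harbor",
	"island", "jacket", "kettle", "lantern", "meadow", "needle", "orbit", "pepper",
}

// PassphraseEntropyBits: entropy of `words` words picked uniformly at random
// from a list of `listSize` entries, i.e. log2(listSize^words).
func PassphraseEntropyBits(listSize, words int) float64 {
	return float64(words) * math.Log2(float64(listSize))
}

// WordsNeeded: how many random words from a list of `listSize` entries reach
// at least `targetBits` of entropy.
func WordsNeeded(listSize int, targetBits float64) int {
	return int(math.Ceil(targetBits / math.Log2(float64(listSize))))
}

// SpicedWordEntropyBits models the "basic word spiced up" habit the text warns
// about: one dictionary word, optional capitalisation (x2), a handful of
// letter-for-symbol swaps (x4), one appended digit (x10) and one symbol (x32).
// An attacker who knows the pattern searches only this space. (Constructed model.)
func SpicedWordEntropyBits(dictSize int) float64 {
	return math.Log2(float64(dictSize) * 2 * 4 * 10 * 32)
}

// GeneratePassphrase picks n words with crypto/rand; math/rand is predictable
// and must never be used for secrets.
func GeneratePassphrase(list []string, n int) (string, error) {
	limit := big.NewInt(int64(len(list)))
	words := make([]string, 0, n)
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		words = append(words, list[idx.Int64()])
	}
	return strings.Join(words, " "), nil
}

func main() {
	fmt.Printf("6 words from a 7776-word list: %.1f bits\n", PassphraseEntropyBits(7776, 6))
	fmt.Printf("'spiced' word from a 100k-word dictionary: %.1f bits\n", SpicedWordEntropyBits(100000))
	fmt.Printf("words needed for 80 bits from the 16-word demo list: %d\n", WordsNeeded(16, 80))
	p, err := GeneratePassphrase(demoWordList, 5)
	if err != nil {
		panic(err)
	}
	fmt.Println("sample passphrase (demo list, do not use):", p)
}
```

The point the numbers make: six random words from a 7776-word list give about 77 bits, while a single dictionary word with the usual decorations sits below 30 bits, because the attacker's search space is the pattern, not the alphabet. The memorable-but-random property the text asks for comes from the word list being public and the choice being random, never from the words being clever.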

Full Disk Encryption

FDE is a must. GNU/Linux distros often have it built in as an option. Windows has BitLocker, but it's proprietary, closed source, likely more vulnerable and likely has a backdoor. OSX has FileVault but has the same basic concerns, being proprietary.
TrueCrypt was the old standard but was abandoned in 2014. However, a fork, VeraCrypt, exists and even offers compatibility with old TrueCrypt volumes.

Backups

Backups are not only a good idea but a useful tool. For example, say you run a Windows virtual machine and malware makes its way into the virtual environment. A backup lets you shred the infected VM file(s) and roll back to a known good state. Sometimes disks fail. If you back things up, encrypt them.

Good Hardware

A few notes on hardware. First, encryption will slow your computer. It will happen; you can mitigate it with good hardware. A good processor should be the priority, as it handles most of the legwork for your encryption. Full disk encryption may hurt the read and write speeds of your hard drive, so if you use a laptop, make sure the drive is 7200 RPM. On a desktop, go for something like a Western Digital VelociRaptor. It's 'industrial/workstation' grade in terms of lifetime and durability, and it spins at 10000 RPM, allowing faster read and write times. Putting a VPN on a router will likely tank your speeds relative to software VPNs. This is largely due to the processor in the router not being able to handle the encryption algorithms at full speed. Get a good router that has solid reviews from VPN users, or turn an old computer into a router; pfSense is one of the most popular and best solutions. If you use a router, then secure it. This and this should help a bit.
Once again, learn your hardware and how it can sometimes be used against you.

Secure Email and PGP

When it comes to using email for nefarious/illegal purposes, select a good provider. Hidden services over Tor are usually good. Some of the resources recommended above list providers. Anonymousspeech.com and sigaint.org are two popular choices.

However, using a secure email provider is sometimes not enough, and plaintext is vulnerable. Enter PGP.

PGP is an end-to-end, public key method of encrypting text and files. Only the recipient holding the private key that corresponds to the public key used for encryption can decrypt the data. It's very useful and a staple of dark net markets.
Here's a good guide to using it. Read it.
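To make the public-key mechanics concrete for both the Encryption section earlier and the PGP paragraph above, here is an added Go example (not the guide's own code, and not PGP itself, though it mirrors how PGP is built): a fresh symmetric key encrypts the message with AES-GCM, the recipient's RSA public key wraps that key with OAEP, and only the matching private key can unwrap it. The plain symmetric path, where one key does both jobs, is included for contrast. Alice and Mallory are constructed names; the message is constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the wire: the symmetric key wrapped with the
// recipient's public key, plus the AES-GCM nonce and ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// SymmetricSeal encrypts with a shared key (AES-256-GCM). Whoever holds the
// key can both encrypt and decrypt: the key itself is the whole secret.
func SymmetricSeal(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// SymmetricOpen decrypts and authenticates; any tampering makes it fail.
func SymmetricOpen(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt is the public-key path: a fresh symmetric key protects the message,
// and only the recipient's PUBLIC key is needed to wrap it, so anyone can send.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	nonce, ct, err := SymmetricSeal(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt needs the matching PRIVATE key. Any other key fails here, which is
// exactly why the private key must never leave its holder.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrong private key or tampered envelope")
	}
	return SymmetricOpen(key, env.Nonce, env.Ciphertext)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed recipient
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed outsider
	env, _ := Encrypt(&alice.PublicKey, []byte("constructed sample message"))
	pt, err := Decrypt(alice, env)
	fmt.Printf("alice (holds private key): %q err=%v\n", pt, err)
	_, err = Decrypt(mallory, env)
	fmt.Println("mallory (any other key):", err)
}
```

Two things the code shows that the prose only states: the public key can be handed to anyone because it cannot undo what it did, and a leaked private key is a total compromise, since the same Decrypt call succeeds for whoever holds it. Real PGP adds signatures, key identities and a file format on top of this, which is why the guide points you to a proper PGP guide.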

Some of the Physical Side

Keep common sense and your wits about you. Don't speed or drive with a broken tail light with contraband in the back seat, or do other illegal things that can attract attention. Don't talk about your dark net habits. Keep computers and materials in safe locations, keep them out of sight.

"Air Gapping" is a popular and powerful physical layer of security. If you need to keep backups of encryption keys, keep them away from what they decrypt. If you vend on dark nets, access the internet from one location and then produce in another that has no suspicious internet connection/traffic (ideally none at all). If traffic analysis or any other de-anonymization tool/technique leads to issues and a warrant is served on the location, then law enforcement will show up to a location with nothing but computer hardware and no contraband or evidence of anything illegal. If they seize devices, encryption and other good practices will still protect you.

Easily accessible and usable kill switches are also helpful. Should a raid happen, you can quickly kill power to a computer. If law enforcement makes a raid, an open workspace may allow them to copy files (or even just see what you're doing) and gather evidence. Killing power will automatically cut processes; without power the RAM will 'dump' its contents, and upon rebooting they'll have to defeat your encryption.

Learn and understand the hardware you're using. SSDs are not as secure as HDDs. If you're using a printer, does the printer have/maintain memory? How? Some may have temporary memory, and unplugging the printer will dump the RAM. Some may have none; some may actively store it in flash memory. If a printer is seized and has information on what it printed, that could be evidence against you. Learn how to delete it if you need to.

Shipping
Be discreet and you'll be OK. Make your packages blend in. A standard box with a standard-looking shipping label attracts no suspicion. So long as it doesn't tick like a clock, have wires poking out, or smell like drugs, then you'll be fine. Mail carriers process tons of packages; they won't investigate yours if it looks normal. If you're shipping outside the country, use a little stealth. Find a few methods to disguise whatever you're sending so that upon opening it looks like it's just a sealed keyboard box or whatever. If you have to take it to the post office, take it pre-boxed/wrapped. You can often buy labels in bulk, and often at a discount, from some suppliers. Some take cryptocurrency or other anonymous payment methods. Stamps at the post office can be bought in cash.

Purchasing Stuff
To maintain privacy in your purchases, don't leave a paper trail. Cash is your friend; sometimes services will take pre-paid cards that you can buy in cash just as they do credit or debit cards. Cryptocurrency is the standard for online transactions and you should get familiar with it. Learn how and when to tumble coins, the most important time being before 'dirty' coins are cashed out and hit your personal finances. So long as it's never linked to your identity or personal financials, you can buy with a reasonable degree of anonymity. If you're dealing with volume, find a way to launder, and good luck!