Operations security

From Leftypedia

Operations security (OPSEC) is the process which identifies critical information in order to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.

Computers

Operating system

Both Microsoft Windows and macOS are backdoored by intelligence agencies and phone home, and so are inherently insecure options for privacy and security. Use Linux instead. There is no single "Linux" operating system: strictly speaking, Linux is just the kernel, so what you download is a "distro", or distribution. Distros are ready-made operating systems that take the Linux kernel and add the software that makes it usable like Windows or macOS. Most distros, especially the more popular ones, are easy to install, with a step-by-step installer like those of many well-known operating systems. You can start off with something like Linux Mint, which specializes in giving a particularly easy-to-use experience through the software and multimedia support that it comes with. The vast majority of software that is available on Windows and macOS can also be readily downloaded on Linux, and Wine is available to provide support for most of the rest.

If you need extra privacy for a particular reason, use the Tails operating system, which is a version of Linux optimized for anonymity.

Web

Browsers

Google Chrome has spyware built into it, as does Chromium. Firefox is a more secure option that also happens to be very customizable and fast (especially since the Firefox Quantum update).

Tor

Use Tor if you really need privacy. It does, however, tend to be rather slow, and many services block it in some manner. Make sure to continue following other best practices, because even while using Tor you may still become exposed, for example through JavaScript or by not being careful with what information you give out.

Use Tor bridges (also known as Tor bridge relays) with Tor. These are alternative entry points to the Tor network that are not all listed publicly. Using a bridge makes it harder, but not impossible, for your Internet Service Provider to know that you are using Tor. Being known to use Tor is disadvantageous for a few reasons: first of all, your traffic can be singled out and identified, so it is a method of tracking. Using Tor may also be illegal, or otherwise bring closer scrutiny towards yourself. See the official manual on Tor bridges.

Web extensions

  • uMatrix: blocks things like scripts and cookies unless you specify which ones you want enabled and at what level of a domain you want them enabled (for instance, you can enable a certain script only on the subdomain www.example.com, on everything under the domain example.com, or on everything under the top-level domain .com).
  • HTTPS Everywhere: Makes your browser use HTTPS instead of HTTP wherever possible. Of course, this won't work if a website hasn't configured HTTPS and only works on HTTP, so be wary about going to HTTP pages. Most of the time though, especially in the case of more important websites, there will be an HTTPS version of a page.
  • uBlock Origin: filters content, largely advertisements that can track your activity across the Internet. It's less resource-intensive than other content filters, like Adblock Plus.
  • Cookie AutoDelete: deletes unused cookies when a tab is closed, but may be configured in plenty of other ways. Has support for whitelists and greylists.
  • User-Agent Switcher: randomizes your user agent, which tells websites what kind of operating system and browser you use.
  • Privacy Settings: allows you to change settings found in about:config (on Firefox at least). You may want to keep this add-on as opposed to just changing those settings once because some websites may break because of these changes, and you may have to toggle some settings periodically, which this tool allows you to quickly do.
  • Invidition: automatically redirects requests to YouTube and Twitter towards Invidious and Nitter, respectively. Both of these are alternative front-ends that basically just give you the content without the spyware. In the case of Invidious, this extension also lets you do some other things, like switch between different instances of the Invidious service or set the default resolution. On the Invidious instances themselves you can also change many more settings, such as whether dark mode is enabled or the default playback speed.

The more people using these extensions, the more they can blend in and not have a unique signature. Thus it is important to share them.

Best practices

Search engine

Use Startpage or some other privacy-oriented search engine. Google, Bing, and Yahoo all aggressively farm your data and you should try to never use these.

Email

Protonmail and Tutanota are decent email providers — Riseup.net on the other hand has been known to give up records of its users, so stay clear of that one.

Cookies

Change browser cookie preferences to reject all third-party cookies or at least to only accept third-party cookies from visited pages.

Adobe Flash

Try not to use Flash, which is insecure but is on its way out. Most browsers disable Flash content by default, and thus it can only be played if you click on it and press "Allow" in the dialog box.

JavaScript

JavaScript has many vulnerable libraries, and a large chunk of websites use these — as of 2017, 87% of the top 75,000 websites as ordered by Alexa Internet.[1] Besides unintentional vulnerability, JavaScript can also be used to track users through a variety of methods. It also enables the use of evercookies, which are difficult to delete since a couple of different places have to be cleared at once, or else the evercookie will respawn to all of them as long as one source keeps it. JavaScript can be disabled by default through an extension like uMatrix, which then lets you manually enable any code that is needed.

VPN

thatoneprivacysite.net has a chart comparing a lot of different VPNs so you can choose a decent one. The following VPNs have a history of logging and cooperating with US/UK law enforcement, so do not use them:

  • HideMyAss
  • PureVPN
  • IPVanish
  • RiseupVPN

DNS

Set your DNS server to 1.1.1.1, which is a service run by Cloudflare. Even if you use a VPN, your computer will still give away what domains you're connecting to since that part of the message isn't encrypted, as DNS servers have to be able to read in cleartext what domain to connect you to. By default, Firefox uses Cloudflare as its DNS provider, but make sure this is the case in the Connection Settings dialog box in Preferences.

Fully encrypt your storage device

Use an encryption password that is, at a minimum, 20 characters long and consists of random letters, numbers, and symbols. Alternatively, use a passphrase/sentence. Do not use anything from song lyrics or pop culture when using a passphrase. Use at least six words (consisting of at least five letters each) in the phrase, which should be nonsense and not found anywhere on the internet or in pop culture. These are much easier to memorize and therefore can be much, much longer, which is good. Your encryption password should be as long as is possible and therefore as hard to crack as possible, but you still need to remember it. True full-disk encryption requires either Coreboot/Libreboot with a payload like SeaBIOS or GRUB as the first-stage bootloader or putting the bootloader on some kind of removable medium. Normal UEFI/BIOS is unable to read encrypted EFI partitions/MBR and thus you cannot do full-disk encryption with it. An unencrypted bootloader partition is a point of vulnerability.
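The two options above (a 20-character random password, or a passphrase of six words of at least five letters each) can be generated and compared as follows. This is an added example, not part of the original article; the word list is a small constructed sample, and the function names are hypothetical.

```python
import math
import secrets
import string

# Alphabet for the random-password option: letters, digits and symbols (94 chars).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list, for demonstration only. A real list should hold
# thousands of words; a diceware-style list has 7776.
SAMPLE_WORDS = [
    "anvil", "barley", "cactus", "dagger", "ember", "falcon", "gravel",
    "harbor", "icicle", "jigsaw", "kettle", "lantern", "marble", "nickel",
    "orchid", "pebble", "quarry", "ribbon", "saddle", "thimble", "umber",
    "velvet", "walnut", "yonder", "zephyr", "cat", "dog", "sun",
]


def random_password(length=20):
    """Return `length` characters drawn uniformly from ALPHABET with a CSPRNG."""
    if length < 20:
        raise ValueError("the minimum given above is 20 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def usable_words(words, min_letters=5):
    """Keep unique alphabetic words with at least `min_letters` letters."""
    return sorted({w.lower() for w in words if w.isalpha() and len(w) >= min_letters})


def random_passphrase(words, count=6, min_letters=5):
    """Pick `count` words independently and uniformly from the filtered list."""
    if count < 6:
        raise ValueError("the minimum given above is six words")
    pool = usable_words(words, min_letters)
    return " ".join(secrets.choice(pool) for _ in range(count))


def entropy_bits(choices, picks):
    """Entropy in bits of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(random_password(), f"{entropy_bits(len(ALPHABET), 20):.1f} bits")
    pool = usable_words(SAMPLE_WORDS)
    print(random_passphrase(SAMPLE_WORDS), f"{entropy_bits(len(pool), 6):.1f} bits (sample list)")
    print(f"{entropy_bits(7776, 6):.1f} bits for six words from a 7776-word list")
```

The strength of a passphrase comes from the size of the list the words are drawn from and from the draw being random, which is why six words from the 25 usable sample words are far weaker than six words from a list of several thousand.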

Phones

Phones continuously send out signals to cell towers to identify their location, thus giving away your location if you have one on you. If this is a concern, take out its battery or put it in a Faraday cage. Furthermore, the microphone and camera can be remotely activated without you knowing it, so consider getting a cover slider for cameras and a microphone blocker for microphones — this applies to any other electronics that have them. Default operating systems like Android or iOS are also best replaced with something like LineageOS, although devices with iOS often do not allow their OS to be replaced. Google Play services is also untrustworthy; however, you can still download apps from Google Play without having to deal with its spyware by using an APK downloader, where you provide the URL of the app you want and it fetches the download link for the APK package.

Extra security

If it's necessary, you can do all your browsing within a virtual machine, using the aforementioned tools and practices, and reset it every single time. This is basically the equivalent of using a new computer every time you use the Internet, destroying the previous ones, so most unique identifiers tagged on that machine are useless — unless of course it relates to IP addresses or content that could still be used to identify you. A Live USB (or CD, or DVD) can also be used, which saves nothing to the disk when the computer is shut down.

Additional resources

Two websites for determining your browser fingerprint, or basically how much you stand out among other users:

Various privacy tools:

See also

References