Tuesday, January 5, 2021
OPSEC for COMSEC
There have been a number of questions and comments about yesterday's post regarding COMSEC for the new year. These seem to me to be related to OPSEC - Operational Security - which, as I mentioned, is very hard to pull off flawlessly. But it's terribly important and so I'd like to talk at least briefly about them.
Toirdhealbheach Beucail mentioned that Tor is difficult to use, which is God's Own Truth. This makes it easy to screw up, which can expose bread crumbs that can lead the Federales back to you. Use of a VPN and a privacy-enhanced browser (like Brave, which I recommend) are Very Good Things Indeed, but a VPN will also shine the light of suspicion on you. Also, you have to ask yourself just how much you trust your VPN provider not to, say, comply with warrants and National Security Letters and such. In short, a healthy paranoia is worthwhile and a VPN won't replace what I was talking about yesterday.
Chuck Pergiel mentioned that Ross Ulbricht (the Dread Pirate Roberts who ran The Silk Road) was caught because a one-time user account only needed for the initial setup of something leaked out and let the Feds trace back to him. Ross was said to be particularly good about OPSEC and this still happened. Basically, he had to be perfect every single time he was online and the Feds only needed a single screw-up. I'll post tomorrow about an OS-on-a-stick and how to use it securely, but the important thing is that you can't use anything from your public OS on the private one, and vice-versa.
Jonathan H mentioned ECHELON, which was a blast from the past. He also mentioned using fax with handwritten messages. I'm not so sure here, for a couple of reasons. Firstly, optical character recognition is advancing every year and this seems like an area where machine learning may end up able to read even doctors' handwriting. Secondly, the public fax services may save copies of your transmissions. There are lots of questions here.
Stefan points us to PixelKnot for Android. Android is a problem, for a couple of reasons. Google is the funder of Android and while it is Open Source, there are millions and millions of lines of code. Google's revenue model is based on collecting data on users and I just don't trust the OS not to do that to me. Also, if you run this on a mobile phone there will be geolocation data added to the user data that is collected. No bueno.
Paranoia runs deep - at least it should.