Tuesday, January 5, 2021

OPSEC for COMSEC

There have been a number of questions and comments about yesterday's post regarding COMSEC for the new year.  These seem to me to be related to OPSEC - Operational Security which as I mentioned is very hard to pull off flawlessly.  But it's terribly important and so I'd like to talk at least briefly about them.

Toirdhealbheach Beucail mentioned that TOR is difficult to use, which is God's Own Truth.  This makes it easy to screw up, which can expose bread crumbs that can lead the Federales back to you.  Use of a VPN and a privacy enhanced browser (like Brave which I recommend) are Very Good Things Indeed, but a VPN will also shine the light of suspicion on you.  Also, you have to ask yourself just how much you trust your VPN provider not to, say, comply with warrants and National Security Letters and such.  In short, a healthy paranoia is worthwhile and VPN won't replace what I was talking about yesterday.

Chuck Pergiel mentioned that Ross Ulbricht (the Dread Pirate Roberts who ran The Silk Road) was caught because a one-time user account only needed for the initial setup of something leaked out and let the Feds trace back to him.  Ross was said to be particularly good about OPSEC and this still happened.  Basically, he had to be perfect every single time he was online and the Feds only needed a single screw up.  I'll post tomorrow about an OS-on-a-stick and how to use it securely, but the important thing is that you can't use anything from your public OS on the private one, and vice-versa.

Jonathan H mentioned Eschelon which was a blast from the past.  He also mentioned using fax with handwritten messages.  I'm not so sure here, for a couple reasons.  Firstly, optical character recognition is advancing every year and this seems like an area where machine learning may end up able to read even doctor's handwriting, and secondly the public fax services may save copies of your transmissions.  There are lots of questions here.

Stefan points us to Pixelknot for Android.  Android is a problem, for a couple of reasons.  Google is the funder of Android and while it is Open Source, there are millions and millions of lines of code.  Google's revenue model is based on collecting data on users and I just don't trust the OS not to do that to me.  Also, if you run this on a mobile phone there will be geolocation data added to user data that is collected.  No bueno.

Paranoia runs deep - at least it should.

5 comments:

Toirdhealbheach Beucail said...

Borepatch - Thanks for the very helpful comment. I actually use NordVPN, which is (in theory) based outside of the US (your mileage may vary, of course, as to their ability to ignore any government orders). To be frank, I just like the additional layer of security.

I have been using Brave now for about two months (when I procured a new laptop) and have been very happy with it. I would also recommend Ghostery for another level of protection and blocking trackers.

ASM826 said...

If I want to protect myself from someone stealing my passwords or watching my browsing, all this is fine. If we are talking about .gov surveillance, assume any electronic device is compromised, every keystroke or spoken word is recorded. There is no privacy. None. The last vestiges of privacy died with the Patriot Act and there wasn't much left then.

Act accordingly.

The Neon Madman said...

ASM826 - This, absolutely. Add to it, if you are in an urban area, you are on camera.

Jonathan H said...

I don't think of faxes these days, but (poorly) scanned handwritten documents, especially if most of the document is legitimate, will take time and effort to examine - effort that is unlikely to be made until you are 'on the radar' for something else, especially if you routinely send scanned handwritten documents, like old books or deeds.

Bear Claw Chris Lapp said...

And who helped write the patriot act? Oh yeah, mr. kavanaugh in the bush younger administration. kavanaugh you say, oh he is on the supreme court now. Same court bush put souter on.