r/opsec

▲ 5 r/opsec

locked down my digital life. forgot about my physical address being public.

i have read the rules

been working on my opsec for a while now. VPN, encrypted email, burner numbers, the whole thing felt pretty good about it. friend sent me a screenshot of my name on whitepages. full address phone number even my wife's name all just sitting there.

i never posted my address anywhere. but data brokers scrape public records like property tax and voter registration. doesn't matter how many layers of privacy you have online if someone can just look up where you sleep.

tried the opt out route. whitepages took me like 15 minutes and a phone verification. then i realized i need to do this for about 30 other sites. and even after all that, they relist you a few months later anyway because the public records never change.

anyone else here deal with this? feels like no matter how tight your opsec is, data brokers just bypass the whole thing.

reddit.com
u/Ill-Wing-5103 — 4 hours ago
▲ 1 r/opsec+1 crossposts

My holy opsec fsociety

I use Windows 11 with Proton VPN and Opera GX VPN so I can have double the layer of security. I also use multi tools from github to make my dns thing go to 8.8.8.8 to 1.1.1.1 every second 💀💀💀 super opsec

I have read the rules

reddit.com
u/Ecl1pt1c_V01d — 1 day ago
▲ 13 r/opsec+2 crossposts

GrapheneOS: Undocumented Google Connections and Privacy Risks

GrapheneOS is marketed as a privacy-hardened, "de-Googled" operating system. However, technical analysis by the Kuketz IT-Security Blog revealed that the OS automatically connects to Google-operated gstatic.com servers by default to perform Android's standard captive portal checks. This behavior is not documented in the official GrapheneOS FAQ, creating a transparency issue for users. From a strict privacy perspective, these automatic connections leak critical metadata, including the user's IP address, timestamp, and location data directly to Google, enabling potential tracking and device fingerprinting despite the absence of Google Play Services.

u/MindlessCry3444 — 2 days ago
▲ 43 r/opsec

EU Chat Control - how to circumvent with today’s available tools?

Hello Everyone,

As many will already have seen, it appears that some idiots in the EU are back on track to try and push the Chat Control regulation to pass. While chances that it passes as is appear slim, one is never safe from human brainmush moments.

I’d like to ask this sub what their suggestions may be regarding the matter.
There are still many ways to make one’s communications impossible to understand to an outsider, but i’d nonetheless like to keep as many layers as possible between me and gov/hackers/malicious actors etc.

i have read the rules, i’m not someone who personally needs much OPSEC, my personal situation is just using macOS’s security, malwarebytes, a network filter (Little Snitch) and my routers security features. All my email is or privately hosted, not directly associated to my name, i have one nominative account for administrations with a well-known privacy focused company. All i do, i do over vpn.

reddit.com
u/ghostchihuahua — 4 days ago
▲ 6 r/opsec

How much does VPN jurisdiction actually matter in an OPSEC threat model?

When building an OPSEC strategy, I often see people focus on whether a VPN is based in a Five Eyes, Nine Eyes, or Fourteen Eyes country. But is jurisdiction really one of the most important factors, or do things like a provider's logging practices, independent security audits, open-source clients, payment options, and your overall threat model matter more?

I recently read a detailed explanation of how VPN jurisdiction and intelligence-sharing alliances work, and it made me rethink how much weight I should give to the provider's country versus its technical and legal protections. Just to reiterate, I have read the rules

thecybersecguru.com
u/NapierPalm — 3 days ago
▲ 18 r/opsec

Starting a youtube channel - OPSEC considerations for security and reducing probability of being doxxed?

Howdy all. New to this subreddit, but I've always been interested in the dynamics of OPSEC and personal information security. I have read the rules.

I've been thinking of starting a youtube channel for a while, with the hopes of providing some educational resources, reviewing some stuff, and hopefully building a small community if the interest is there.

The content I'm interested in making is 100% legal in my country, but the angle I want to approach it from has the very real potential to attract individual bad actors who may not agree and sometimes have a tendency to lash out against those they view as the opposition. Doxxing, threats, physical attacks, you get the idea.

In terms of threat modeling I'm not overly concerned about state actors; like I said the nature of the content is totally legal, and if they decide one day that it's not, there isn't much I could realistically do against a national security infrastructure.

Mostly I'm trying to protect myself against private individuals or small groups who might not appreciate certain content and wish to do me harm in one form or another. As such my intent is to stay as anonymous as reasonably possible so I don't have some fash podcast listener showing up on my front door or place of work.

I feel reasonably competent in regards to the digital privacy side of things; using appropriately secure and private email services to create the account and such, not linking personal information to it, etc etc. Though I'm always happy for any advice that you all could offer in that realm.

Mostly I'm curious to hear what you all might recommend in terms of OPSEC considerations for producing the videos themselves. They're going to be almost entirely shot outdoors, but in an area without any easily identifiable locating signatures (it would be out in the middle of BFE nowhere, basically.)

Here's some potential ideas I had to muddy the waters:

- Obscuring/masking as much of my face as possible.

- Stripping all EXIF data from the video files obviously.

- Purposefully filming in locations that make it as difficult as possible to geolocate. No obvious landmarks, road signs, distinctive features, etc.

- Possibly digitally altering my voice to some extent, though I'm not certain if that's a reasonable step to take.

- Removing, blurring, or otherwise obscuring any personal identifiers or things that could be easily traced across platforms.

I've done online content before and have some limited experience in playing by the OPSEC rules, but this would be my first foray into actually appearing on camera so I'm trying to limit potential dangers as much as possible.

I would love to hear any advice that you all might have, and I'm happy to answer any questions if it helps. Thanks!

reddit.com
u/Sam-Sam657 — 4 days ago
▲ 3 r/opsec

ID Verification workarounds?

I’m curious to know what sort of workarounds might be possible as this ID verification process rolls out on an increasingly massive scale.

My current interpretation is some sites give you the option to send a selfie or participate in an automated “enable your web cam” process. I could see some early days circumvention here where you have a set of fake materials ready to fake this. I don’t think it’ll work forever though and will become increasingly more difficult.

The more problematic one is a requirement to submit a picture of your ID. I’m at a total loss here on how to get around this. The only two options I can come up with are blatantly illegal and probably also blatantly illegal. Making a fake ID or purchasing an account which is already authenticated with someone else’s ID. Theoretically the legal risk on the second one is likely lower but still not ideal. The first option, a fake ID, is absolutely 100% illegal and if you do it there’s a perfect paper trail documented internally at these verification companies that you possess a fake ID and have used it for verification.

Would love to hear some bypasses from others in case I’m overlooking something!

I have read the rules.

reddit.com
u/TeachingAway9654 — 5 days ago
▲ 6 r/opsec

How to get started

I have read the rules, and I'm interested in getting into opsec and setting up an old ThinkPad with this in mind, but I'm not sure where to start or how to learn.

I have an old ThinkPad with Windows 7 installed. I plan on wiping and installing Linux (if recommended). If so, what distro?

What steps do I need to take? I understand the behavior rules of not doing anything from my personal life on this device, but how do I learn the hardware ideas and know whether or not I'm installing the right things?

reddit.com
u/Tricky_Instruction63 — 4 days ago
▲ 15 r/opsec

Human rights activist: How can I make my desktop tamper-evident when others have full access to my room?

Hi everyone,

I am a human rights activist from Bangladesh. My work has been featured in UN thematic reports.

I have had photos taken on my mobile phone (without any cloud backup configured) somehow sent back to me by unknown Facebook accounts. I suspect I could have spyware on mobile and current laptop. Because of this, I need a secure computing setup.

My requirements are:

For my human rights work:

  • Video calls with lawyers in Geneva and other international contacts.
  • Communicating with UN mechanisms and human rights organizations.
  • Storing, organizing, and securely transferring evidence files.
  • Legal and evidentiary research using Google, Gemini, and ChatGPT.
  • Email and other day-to-day advocacy work.

For personal use:

  • Storing my own medical records and those of my family.
  • Medical research using Google, Gemini, and ChatGPT.
  • Attending support groups and occasional video consultations with doctors for a chronic medical condition.

My current idea is to build a desktop running Qubes OS. I don't fully trust laptops because I can't easily open them to inspect for potential hardware implants without risking damage. Also Tails cannot do video calls so it's useless for me.

There is another challenge. As many people familiar with South Asian households may understand, when I'm away from home for 16 hours or so, family members often enter my bedroom, move things around, and sometimes bring in guests, electricians, or domestic help. If I had a separate room where I could keep a desktop with a CCTV camera pointed at it 24/7, that would be ideal, but I can't afford that. The only place I can keep something as expensive as a desktop is in my bedroom.

So I'm looking for an alternative. How can I make a desktop computer tamper-evident while keeping it in my bedroom, so that I can tell if someone has physically accessed or opened it while I was away?

I'd really appreciate any practical suggestions.

PS: I have read the rules.

reddit.com
u/Experimentalphone — 6 days ago
▲ 18 r/opsec

Threat-modeling your already-published post history: the adversary is a cheap AI that reads all of it

Most OPSEC threat modeling looks forward: what do I post carefully from now on. This is about the half prevention can't reach, and the threat model people tend to miss.

Threat model. Asset: years of ordinary public posts on a pseudonymous account (Reddit/X). Adversary: someone motivated to link that pseudonym to your real identity (a harasser, an employer, a hostile party in a dispute), now armed with an off-the-shelf LLM. What changed: re-identification used to need a human spending hours; a model now reads your whole history cheaply and notices the intersection you can't feel from inside your own feed. Staab et al (ICLR 2024) measured roughly 85% top-1 on inferred attributes from plain Reddit text.

The mechanism is the mosaic. Re-identification rarely comes from one careless post. It stacks weak signals (a commute, a slang word, a posting-time slot that betrays your timezone) until they intersect at one person. Judge each finding by risk contribution, not by how revealing it feels alone: twenty-eight posts mentioning a neighborhood landmark are worse than one post naming your employer once, because the twenty-eight intersect.

How to actually work it:

- Pull your export (Reddit: request a copy; X: download archive) and read it adversarially, by category (location, employer, family, schedule, identity links). Ask "does this narrow who I am," not "is this embarrassing."

- On X the leak is usually metadata, not words: the self-set location field, posting-time concentration, image EXIF/GPS, outbound links, the reply graph. A text-only mental model is dangerous reassurance.

- Remediate generalize-first, not mass-delete. Deletion is not erasure (caches, archives, screenshots persist), and removing one post rarely removes the pattern. Edit the highest-contribution items and change what you publish next.

The trap specific to this crowd: the obvious way to run the audit is to paste your history into a capable AI and ask what it reveals. If the account is a pseudonym you keep apart from your legal name, and the AI is logged into your real-name account, you just handed one provider both halves of the link you were protecting. For a strictly-anonymous account, keep the analysis local and offline.

Happy to get into any category, or the local-versus-cloud trade-off.

i have read the rules

reddit.com
u/cypherpunkguide — 5 days ago
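
A local, offline version of the audit described in the post above, as an added example that is not the poster's code: it tags posts by category, ranks categories by how many distinct posts hit them, lists terms that recur across posts (the mosaic), and measures posting-time concentration. The keyword patterns, the `(timestamp, text)` record shape and the sample posts are constructed assumptions; a real Reddit or X export needs its own loader.

```python
"""Local, offline self-audit of a post history (stdlib only, no network calls)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed, illustrative keyword patterns for the post's categories; tune to your own history.
CATEGORY_PATTERNS = {
    "location": re.compile(
        r"\b(neighbou?rhood|downtown|near the|my street|commute|station|bridge)\b", re.I),
    "employer": re.compile(r"\b(my (boss|employer|company|office)|at work|coworker)\b", re.I),
    "family": re.compile(r"\bmy (wife|husband|kids?|son|daughter|mom|dad|brother|sister)\b", re.I),
    "schedule": re.compile(
        r"\b(every (morning|evening|weekend)|night shift|after work|gym at)\b", re.I),
    "identity_links": re.compile(
        r"https?://\S+|\b(my (other|main) account|same username)\b", re.I),
}

# Constructed sample history: (ISO-8601 timestamp, post text). Not real data.
SAMPLE_POSTS = [
    ("2024-03-04T13:05:00+00:00", "Train was late again, my commute over the bridge took an hour."),
    ("2024-03-05T13:40:00+00:00", "Coffee place near the station finally reopened."),
    ("2024-03-06T14:10:00+00:00", "My boss wants the report by Friday."),
    ("2024-03-09T02:30:00+00:00", "Anyone tried the new firmware? Flashing it tonight."),
    ("2024-03-11T12:55:00+00:00", "Fog on the bridge this morning, could barely see downtown."),
    ("2024-03-12T15:20:00+00:00", "My daughter asked why the router blinks."),
    ("2024-03-13T13:15:00+00:00", "I hit the gym at 6 every morning before the commute."),
    ("2024-03-14T16:45:00+00:00", "Same rant as on my other account: https://example.invalid/rant"),
]


def tag_posts(posts):
    """Map category -> {matched term -> set of indices of posts containing it}."""
    tagged = {cat: defaultdict(set) for cat in CATEGORY_PATTERNS}
    for idx, (_, text) in enumerate(posts):
        for cat, pattern in CATEGORY_PATTERNS.items():
            for match in pattern.finditer(text):
                tagged[cat][match.group(0).lower()].add(idx)
    return tagged


def rank_categories(tagged):
    """Rank categories by the number of distinct posts that hit them, most first."""
    hits = {cat: len(set().union(*terms.values())) for cat, terms in tagged.items()}
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


def recurring_terms(tagged, min_posts=2):
    """Terms seen in at least min_posts distinct posts: the repeated weak signals
    that intersect, as opposed to a single revealing mention."""
    rows = [(cat, term, len(idxs))
            for cat, terms in tagged.items()
            for term, idxs in terms.items() if len(idxs) >= min_posts]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def peak_window(posts, window=8):
    """Return (start_hour_utc, share) for the busiest run of `window` consecutive
    UTC hours. A share near 1.0 means posting times alone narrow the timezone."""
    hours = Counter(
        datetime.fromisoformat(ts).astimezone(timezone.utc).hour for ts, _ in posts)
    total = sum(hours.values())
    best_start, best_count = 0, -1
    for start in range(24):
        count = sum(hours[(start + k) % 24] for k in range(window))
        if count > best_count:  # strict '>' keeps the earliest start on ties
            best_start, best_count = start, count
    return best_start, (best_count / total if total else 0.0)


def audit(posts, window=8):
    """Run all checks and return one report dict."""
    tagged = tag_posts(posts)
    return {
        "categories": rank_categories(tagged),
        "recurring_terms": recurring_terms(tagged),
        "peak_window": peak_window(posts, window),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_POSTS)
    for cat, n in report["categories"]:
        print(f"{cat:15s} {n} post(s)")
    for cat, term, n in report["recurring_terms"]:
        print(f"recurring: {term!r} ({cat}) in {n} posts")
    start, share = report["peak_window"]
    print(f"{share:.0%} of posts fall in the 8 UTC hours starting at {start:02d}:00")
```

Keyword matching only surfaces the literal hits; the ranked output is a reading list for the manual, adversarial pass the post describes, not a verdict.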
▲ 41 r/opsec

Human rights activist here. Suspecting spyware. Can't afford a Pixel. How can I secure my smartphone?

Hi everyone,

I am a human rights activist from Bangladesh. My work has been cited in UN thematic reports and by international human rights organizations. I can provide proof via private message if needed.

I have experienced several digital security incidents. For example, photos I took on my phone were later sent back to me by unknown Facebook accounts. Because of incidents like this, I suspect that my laptop and Android smartphone may be compromised with spyware.

For now, I'd like to focus on the smartphone.

I need it for my day job, where clients contact me via WhatsApp, so I need to stay connected to the internet throughout the day. I cannot afford a Pixel phone, and second-hand Pixels are both rare and expensive in Bangladesh. So switching to a Pixel or GrapheneOS is unfortunately not an option.

I already use a camera slider to cover the rear camera.

My questions are:

  1. What is the best way to protect the selfie camera without damaging it? I still need to use it occasionally for selfies and video calls.
  2. What can I do about the microphone? Is there any practical way to block or disable it when I'm not using it?
  3. What are the most practical ways to improve location privacy, given that I need mobile data and internet access all the time for work?

Please suggest practical, realistic solutions. For example, recommendations such as "only use headphones," "permanently disable the camera and microphone," or "stop using a smartphone and quit your job" are not practical for my situation. I'm looking for measures that can realistically be implemented while continuing to use my phone for everyday work.

Thank you!

PS: I have read the rules.

reddit.com
u/Experimentalphone — 7 days ago
▲ 48 r/opsec

Deep dive: what Windows 11, macOS, Linux, Tails, Whonix, and Qubes OS actually collect and expose (and what they don't tell you)

I got tired of OS security comparisons that are either superficial ("Linux is more private") or so platform-specific they miss the architecture. Here is what I found after going through each one carefully, including some details that do not make it into most coverage.

WINDOWS 11

The telemetry situation is worse than most people realize. Microsoft officially divides collection into "required" and "optional", but required data cannot be disabled on Home or Pro editions: hardware configuration, device identifiers, error and stability reports, update and driver data. These transmit to Microsoft regardless of your privacy settings.

The 24H2 update added three layers that deserve more attention:

Windows Recall takes a screenshot every five seconds and builds a searchable local timeline of everything done on the machine. It is enabled by default. It can be disabled, but the access rights it uses can be extended by other applications.

Copilot transmits every query to Microsoft servers, including the screenshots and context of open applications it has access to.

Defender Cloud Protection sends hashes of suspicious files and behavioral data to the Microsoft cloud for analysis, not just to a local engine.

The conclusion from multiple independent technical sources: fully disabling Windows 11 telemetry on Home and Pro is not possible through settings alone. It requires Enterprise or Education edition plus group policies, or third-party tools like O&O ShutUp10++ or WPD, with stability trade-offs.

MACOS

Apple's privacy marketing is not false, but it is incomplete. macOS collects significantly less than Windows by default, but two mechanisms are worth understanding:

OCSP verification: every time you open an application, macOS performs an online check with Apple servers to verify the app has not been revoked. This request transmits the name of the application and the device's IP address. There is no native setting to disable this without breaking the security chain (Gatekeeper depends on it). Security researchers have documented this since at least 2020. The workaround is a per-app firewall like LuLu (open source and free) or Little Snitch.

Apple application telemetry: Maps, Siri, and App Store each maintain their own collection with rotating identifiers, independently of the system analytics toggle in preferences.

The Apple Silicon chips add genuinely strong hardware security (Secure Enclave, Kernel Integrity Protection), but the audit problem remains: the source code is not publicly available. Trust is delegated entirely to Apple and US jurisdiction.

LINUX (GENERAL PURPOSE)

The headline is accurate: no major distribution forces non-disableable data collection. The source code is publicly auditable. No corporate jurisdiction controls the kernel.

The honest limitation most comparisons skip: no general-purpose Linux distribution protects against a compromised application spreading across the entire system. If malware gets onto your Debian or Arch machine with your user privileges, it can access your home directory, your browser profile, your SSH keys. Isolation between applications is not enforced at the OS level without additional tools (Firejail, Bubblewrap, or upgrading to a compartmentalized system like Qubes).

Distribution notes: Debian is the cleanest baseline (no telemetry, non-profit governance, conservative update policy). Ubuntu added Amazon search integration in 2012 (removed since), still includes Snap from Canonical-controlled repositories. Arch: zero telemetry, rolling updates, requires more expertise. Linux Mint: Snap absent by default, no added telemetry, good migration path from Windows.

TAILS OS

Tails solves a specific problem: high-sensitivity sessions on hardware you might not control, where you need zero forensic trace afterward.

Architecture: runs entirely from USB (8 GB minimum), operates entirely in RAM. On shutdown: no temporary files, no history, no credentials, no forensic artifacts on the host machine's hard drive. The host disk is never touched.

All network traffic is routed through Tor without exception. If an application attempts a direct connection bypassing Tor, Tails blocks it.

What this protects against: forensic disk analysis after seizure (total protection), network surveillance via Tor (strong, depends on Tor's robustness), persistent malware on the host at software level (bypassed entirely).

Honest limitations:

  • BIOS/UEFI firmware implants: Tails cannot protect against firmware-level compromise of the host machine
  • Human error: logging into a personal account (Gmail, social networks) cancels anonymity regardless of Tor
  • Not suitable for daily use: no persistence means reconfiguring the environment on every boot (optional encrypted persistent storage exists for specific files)
  • Technical note: Tails 7.7 added a notification for outdated Secure Boot certificates (Microsoft 2011 keys expiring June 2026). Machines with unpatched UEFI firmware may not be able to boot Tails.

Used by Glenn Greenwald and Laura Poitras to process Snowden documents. Recommended by EFF, Freedom of the Press Foundation, and the Tor Project.

WHONIX

Whonix addresses a different threat than Tails: structural IP leak protection in a persistent working environment.

The architecture: two isolated VMs. The Whonix-Gateway runs only the Tor daemon and serves as the network gateway. It is the only VM with internet access. It runs no user applications. The Whonix-Workstation runs your browser, email client, development tools. It has no direct internet access; it connects to the internet only through the internal virtual network pointing to the Gateway.

The fundamental guarantee: even if malware compromises the Workstation with root privileges, it cannot find the real IP address because the Workstation never has access to it. It only sees the internal IP of the Gateway.

Additional mechanisms: stream isolation (separate Tor circuits for different applications), sdwdate (time sync via Tor onion servers rather than NTP, preventing IP leaks from time queries), AppArmor profiles for critical applications.

Deployment: can run in VirtualBox or KVM on any host OS (convenient but security is limited by host OS integrity), or natively inside Qubes OS as templates, which is the configuration both projects recommend. In Qubes, the isolation relies on the bare-metal Xen hypervisor rather than software virtualization.

Honest limitation: Whonix is persistent by default (unlike Tails). If the machine is seized and disk encryption is absent or weak, VM data can be recovered.

QUBES OS

Qubes starts from a different premise than all the others: some component will eventually be compromised. The question is whether that compromise can spread.

Architecture: the Xen hypervisor runs directly on hardware, below any OS. On top of it, lightweight VMs called qubes handle different contexts: work, personal, banking, untrusted (for opening suspicious attachments), disposable (disappear on closure). Isolation between qubes is enforced at the hardware level via Intel VT-x/VT-d or AMD-Vi (IOMMU). A compromised qube cannot access the memory of another qube.

dom0 is the privileged management domain. It runs the desktop manager and has no network connection and no user applications. It cannot be used for browsing.

PCI passthrough: each physical device (network card, USB controller) is assigned to a dedicated qube. A compromised network driver cannot reach data in other qubes.

Whonix integration: Qubes natively includes Whonix templates, so the traffic of any qube can be routed through Tor transparently. This is considered the most robust available combination for a daily-use anonymous working environment.

Honest limitations:

  • dom0 compromise breaks the entire model. Xen vulnerabilities do exist (QSB-115, June 2026, XSA-491, now patched)
  • No isolation within a single qube: two apps in the same qube are not isolated from each other
  • Hardware requirements: VT-x/VT-d required, 16 GB RAM minimum (32 recommended), no Apple Silicon support
  • Real learning curve: copy-paste between qubes requires a conscious action, software installation goes through templates

HOW THEY COMBINE

Qubes + Whonix: compartmentalization plus structural network anonymity. The most robust configuration for high-security daily use currently available.

Qubes + Tails: some advanced users run Qubes as their primary OS and boot a Tails qube for particularly sensitive one-off sessions.

Linux + Whonix in VMs: a more accessible entry point into structural network anonymity without the full complexity of Qubes.

QUICK REFERENCE

  • Windows 11: telemetry high and partially non-disableable, no anonymity, weak app isolation
  • macOS: telemetry moderate (OCSP non-disableable), no anonymity, moderate isolation
  • Linux (Debian): no telemetry, no built-in anonymity, moderate isolation
  • Tails: no telemetry, strong anonymity via Tor, amnesic by design
  • Whonix: no telemetry, structural IP anonymity, persistent
  • Qubes: no telemetry, anonymity via Whonix integration, maximum compartmentalization

The choice is not binary. It is an alignment between your actual threat model and the trade-offs in usability you are willing to accept. Most people do not need Qubes. Most people are also running an OS that knows significantly more about them than they realize.

Happy to go deeper on any specific layer, especially the Whonix architecture or Qubes qube design patterns, if that is useful.

(i have read the rules)

reddit.com
u/Arpokrat_Team — 9 days ago
▲ 19 r/opsec

OPSEC Check please

I have read the rules.

I’m new to Tails/Tor and want to check whether my setup makes sense from an OPSEC perspective.

Threat model:

I want to reduce linkability between this browsing activity and my daily identity/devices. I mainly want protection against tracking, data brokers, accidental account linking, local network observers, and my ISP seeing that I use Tor. I am not claiming this makes me “untraceable”.

Current setup:

- separate used old laptop

- fresh reset, no personal accounts on it

- Tails booted from a 16 GB USB stick

- no persistent storage enabled

- Tor Browser inside Tails

- no personal logins, no Gmail, no WhatsApp, no social media

- no browser extensions

- no downloads unless I fully understand what I’m doing

- webcam covered

- I shut Tails down after use instead of saving anything locally

I understand the basic OPSEC rules: don’t log into personal accounts, don’t reuse identities, don’t install extensions, don’t open random files, don’t mix this setup with my normal life, and don’t randomly change Tor Browser settings.

My questions:

  1. For the threat model above, is this a reasonably solid beginner setup?

  2. What are the biggest remaining linkability risks if I actually follow these rules?

  3. If Tails is used without persistent storage, what traces, if any, remain on the laptop after shutdown?

  4. Are bridges worth using if I mainly want to hide Tor usage from my local network/ISP?

  5. What types of downloads are especially dangerous from an OPSEC perspective?

I’m trying to understand the limits of this setup and avoid beginner mistakes.

reddit.com
u/Financial_Bonus_4606 — 7 days ago
▲ 12 r/opsec

Where to start off as an extreme beginner?

Every day I see more and more overreach and spying all over the world, and I think that I should probably start becoming a more secure and private person sooner rather than later. The problem is I have no idea where to start. The most I’ve seen are videos about tracking flock cameras or making your own router. But I think I should focus on the basics. Are there any resources that would be helpful for this? I have read the rules.

reddit.com
u/Epic-man-boy — 8 days ago
▲ 7 r/opsec

Starting a youtube channel

I want to start a youtube channel that cannot be traced to my identity. The channel itself won't use video or anything like that. I can create a Proton mail account separate from others. But my question is, youtube requires that you verify your email address. But Proton mail won't let you register with third party services without having a recovery method (another email or number) and disposable mail is blacklisted. I bought a Sim for my phone but it only allows one Sim per device. Do I really need a separate device for all of this? Will any of this prevent people from figuring it out? If someone wants to doxx me will they just figure it out? I have read the rules

reddit.com
u/askgbjfvj — 9 days ago
▲ 1.0k r/opsec+1 crossposts

FCC's “Know-Your-Customer Requirements” outlaw private phone numbers

Source

https://www.cnet.com/news/privacy/if-the-fcc-bans-burner-phones-it-could-be-a-privacy-nightmare/

TL;DR

The Federal Communications Commission is poised to begin forcing the country’s telecom companies to collect names, addresses and government identification numbers for every cellphone customer. The proposal is called “Know-Your-Customer Requirements,” and the FCC is framing it as a way to stop robocalls and scammers.

If adopted -- a likely outcome given the FCC’s current Republican majority who support it -- the rules would effectively outlaw burner phones, devices that aren't specifically tied to identifying data, allowing the privacy-minded to maintain their anonymity.

cnet.com
u/JagerAntlerite7 — 13 days ago
▲ 40 r/opsec+11 crossposts

Whatsapp Clone... With P2P Messaging Without Installation or Registration

https://positive-intentions.com

This is intended to introduce a new paradigm in client-side managed secure cryptography. We can avoid registration of any sort. A fairly unique offering for a messaging app.

No need for things like phone numbers, email or registering to any app stores. There are no databases. Allowing users to send E2EE messages; no cloud, no trace.

Features:

  • PWA
  • P2P
  • End to end encryption
  • Signal protocol
  • Post-Quantum cryptography
  • Multimedia
  • File transfer
  • Video calls
  • No registration
  • No installation
  • No database
  • TURN server

I started off with an open source version here: https://github.com/positive-intentions/chat

MVP Demo: https://chat.positive-intentions.com

The open source version is largely created manually (without AI agents). I am a software developer and creating webapps is my profession. I created it open source because it helps to be able to discuss details online. I think the core concepts around client-side managed cryptography are demonstrated, but unfortunately open source isn't sustainable. So it's unfortunate i have to consider introducing closed-source components into the project (so that i can maintain a competitive advantage).

Components now closed source:

I still keep some components open source for its importance in transparency.

The closed-source version of the app isn't finished enough to compare to existing tools like Simplex, Signal and WhatsApp. The goal is for it to be at least as secure as the Signal messaging app with their Signal protocol.

Take a look at some of the technical docs which I've updated to answer questions i frequently receive in previous posts.

Technical breakdown and roadmap: https://positive-intentions.com/docs/technical/p2p-messaging-technical-breakdown

The optimistic long-term goal (if it's even possible), is to create the "world's most secure messaging app". If you really want to see how to achieve that goal, you can take a look at the more comprehensive docs here: https://positive-intentions.com/docs/technical

Frequently asked questions: https://positive-intentions.com/docs/technical/p2p-messaging-technical-breakdown/#frequently-asked-questions

u/Accurate-Screen8774 — 13 days ago
▲ 28 r/opsec

Data poisoning tactics against tech company mass surveillance?

Why yes I have read the rules, thank you Mr Popup. My threat model is widespread data harvesting on the part of corporations for the purpose of being sold. I don't anticipate any governments or tech companies to consciously take a personal interest in me.

I already do a few things to lightly corrupt the value and usability of any of my data being gathered. I go into my google account profile and fill it all the way out with realistic sounding but false information.

Fake but realistic sounding name. Realistic sounding fake birthday. Home address listed as a real apartment building I have never lived at close to where google probably already knows I live. Work address is a business 20 minutes away from that apartment. Fill out the bio section with lies about my career, education, religious and political beliefs, hobbies, etc. My custom gender is British.

I also periodically use google services in ways to imply false information about me. Spend ten minutes every week or so playing videos on YouTube about hobbies I don't care about, shop for products I have no need for, imply I own a different kind of vehicle than what I really have, and stuff like that.

Have also had conversations with ChatGPT where I tell it lies about me.

Another idea I've had is to upload to google drive documents recording fake passwords and crypto keys.

Any other data poisoning ideas worth knowing?

My threat model is widespread data harvesting, mostly on the part of tech companies for the purpose of selling to data brokers. I don't expect any government or tech company to be taking a conscious interest in me personally.

reddit.com
u/Wallsworth1230 — 12 days ago
▲ 10 r/opsec

my two "separated" browser profiles had identical canvas and audio fingerprints

I have read the rules.

Threat model: adversary is commercial tracking and fingerprinting infrastructure. Asset is identity separation between two Firefox profiles for different research contexts, each routed through a separate proxy. Goal is preventing any passive observer from linking profile A to profile B.

I set up both profiles with separate containers, separate proxies, resistFingerprinting enabled, WebRTC disabled in about:config, DoH on different resolvers per profile. Thought I was probably fine, but I realized I had never actually tested any of it. I found an open source eight surface scanner on GitHub, read the source to confirm fingerprint checks run locally, and pointed both profiles at it.

WebRTC was bad. One profile had an extension that silently re enabled peerconnection. The STUN probe returned my real IP behind the proxy. HTTP was routing correctly so nothing else surfaced it.

Canvas and audio were worse in a way. Both profiles produced identical Canvas 2D hashes and identical AudioContext signatures. resistFingerprinting was on. Did not matter. Enough to link both profiles to one machine. I honestly do not know how to fix the audio surface without breaking playback.

DNS leaked on one profile because the OS resolver grabbed DoH fallback before Firefox did. Font enumeration, WebGL, automation flags, and egress ASN all came back clean.

Three of eight surfaces were quietly burning my separation model and I had no idea until I measured.

reddit.com
u/nona_jerin — 11 days ago
▲ 23 r/opsec

The OpSec Bible is now available for download and offline browsing with Kiwix

The Bible is about Privacy, Anonymity and Deniability and describes a set of rules and good practices for OpSec-minded people.

Kiwix is a FOSS reader that allows people to download copies of websites and browse their content without being connected to the internet (think: Wikipedia offline, stored on your phone or computer as a single file). While the primary use case is educational (rural schools, refugee camps, etc.), there's a significant use case in OpSec circles and we occasionally provide related content in our library.

Long story short, the OpSec Bible is now available as a ZIM file that people can download here or directly via their Mobile or Desktop Kiwix app. I have read the rules (and cleared this post with the mod team).

reddit.com
u/The_other_kiwix_guy — 13 days ago