/d/OpSec

15,202 subscribers

Discussion about OpSec, Threat Models, Protection, Assessment and Countermeasures.

[GUIDE] Want Good OPSEC? Assess Your Risks! (Pinned post)

by /u/MunMunMun OPSEC Munderator · 60 votes · 2 years ago

So many users come here asking, "Is XYZ good opsec?" or, "What should I do to improve my OPSEC?"

Start from the beginning, and "Assess Your Risks." Threat Modelling is one of the most important steps in evaluating your OPSEC.

Working on your OPSEC without creating a threat model is like writing code for an app whose primary function is TBD. How can you know if your OPSEC is "good" if you don't know what your measure of "good" is? While many people here may have a similar threat model, there are differences in each of our situations that may call for a personalized threat model.

Here's a neat guide on "Assessing Your Risks" from the Electronic Frontier Foundation:

hxxps://ssd.eff.org/en/module/assessing-your-risks

In fact, while you're there, take a look at all of EFF's "Basics" guides:

hxxps://ssd.eff.org/en/module-categories/basics

Comments (59)
/u/wekhiu48 · 11 votes · 2 years ago · Link

https://www.whonix.org/wiki/Documentation

https://www.qubes-os.org/

The Qubes and especially Whonix documentation are additional crash courses in security and anonymity that would be beneficial for all users to read as well. :)

/u/napolyon · -2 votes · 2 years ago · Link

[removed]

/u/dogeatsgrass · 3 votes · 2 years ago · Link

literally the opposite of what its intended use is.

/u/orsinio · 8 votes · 2 years ago · Link

The problem with this generic advice is that few people really know what their risks are. Risks are hidden until something goes wrong. So unless you can learn from other people's experience, or you can repeatedly try something without catastrophic consequences, you remain ignorant of your true risks. Increasing your anonymity is always better, but often you have to choose among risky actions with no rational means of evaluating the options. For example, you want to buy something on the dark web. Should you have it shipped to your own address under your own name? To a friend's house under their name? To an unoccupied house whose mailbox you will check? They each have different risks and no one really knows which is safest.

/u/MunMunMun OPSEC Munderator OP · 6 votes · 2 years ago · Link

This is a "Modeling" exercise. Uncertainty is a given. Risks are not hidden until something goes wrong. Risks are present to the capacity that you put thought into it. Assume the worst in every scenario and you'll be able to prepare to a great extent. Obviously, forecasting with certainty is not doable, but that doesn't mean you can't give it a good try.

/u/csanova · 1 votes · 1 year ago · Link

Just a thought. And a question.

Assuming the worst still requires prior knowledge, context, and comprehension- of which we all have our limits being that a person's imagination is terminable. Then, at some point, we come up against unknown unknowns. How do we peek around the corner without exposing ourselves to a kill shot? Moreso, how do we know which corners need looking around with such care and which with none at all?

/u/MunMunMun OPSEC Munderator OP · 2 votes · 11 months ago · Link

/u/orsinio alluded to it: learn from other people's experiences

They don't need to speak directly into your ear for you to glean knowledge from them. It helps to look at those that perform similar activities who have ended up where you do not want to go.

/u/fearnloathing · 6 votes · 2 years ago · Link

I just subscribed here but I have always carried in the back, and the front, of my mind whether or not I'm doing enough or being smart enough or is all the extra time worth it. I think a lot of people, myself at times included, may get stuck in a "I'm not big enough, don't buy enough, don't sell enough, for them (LE) to even give me time of day." And that may be true in many cases but in some cases it may not. And you gotta ask yourself if you wanna risk years of freedom in hopes you're right. You never know what casually unrelated circumstances can land you on the desk of someone with means and ability to now have their attention trained in your direction. I'm still learning every day and posts like these with guides I can read and digest and implement myself have been invaluable. So thanks for the opsec info and keep it flowing

/u/wowzers · 1 votes · 1 year ago · Link

well said

/u/MrWhiteHat · 5 votes · 2 years ago · Link

First step to a good OPSEC is to know how to defend yourself and prevent surveillance on yourself. Period.

/u/lolchosendude · 3 votes · 2 years ago · Link

I have never known there was so much opsec to take seriously. I appreciate the information homie

/u/Sharingan · 2 votes · 2 years ago · Link

Nice one

/u/mushcanada · 1 votes · 2 years ago · Link

Nice

Read the Surveillance self defense - Your security plan while I was there

https://ssd.eff.org/en/module/your-security-plan

/u/WhatIzThis0 · 1 votes · 2 years ago · Link

I also really like a way, remember this "Talk to and treat a person as you would talk to a law enforcement"

This is golden rule, now of course this may not apply for all cases, depends what type of activity you are doing, but this is really good for the beginning.

You'll also need to cut off your previous identities, fucking wipe your own computer and never come back to it.

Well you technically can but Fully Isolated.

Changing grammar is also good thing.

The process is pretty hard to get this right in your own head but once you fully understand it, it goes hand by hand, it's easy and even funny if you create another persona.

Social engineering is also a really fun thing to play with.

You should always use Linux, but you don't have to use Whonix for your opsec, that's just a plus point for privacy and so on.

Depends how do you take your opsec serious and to what point you want to maintain it.

Super easy, don't trust anyone, fuck people. Trick them. Never say more than necessary.

Never socialize.

/u/sobjective · 2 votes · 5 months ago · Link

you really need to set up a hierarchy where you only talk to a certain few and so on, but anyway, Talking.. get together in person with your trusted few, develop a legal code name for every drug, a legit but completely misleading codename for locations for meets, quantities are usually like times but that can get confusing if you're discussing when to meet as well, so I would discuss legal but related to the code, names for different quantities. Even people in your organization.. give all of them nicknames... for the extra paranoid.. give them all two nicknames, one you use in person around other people that aren't in the inner circle, and one you use in the inner circle, never using their real name. never mention anything more than necessary. Someone asks you where you're at? ..that can be a red flag depending on situation and people invovlved.. that's something they don't need to know, because wherever you're going to meet them, is not going to be where you're currently at.

If you're a dealer.. never tell people you're the dealer. fame, brings death/prison. tell them you might be able to help, tonight at this time, or tomorrow, etc. Depending how well you know them.. send one of your guys to drop it off and have them get in touch with your guy if they like it/want more. They really should never talk to you. Never tell someone you have something on deck, in the car, at the house, in your pocket.. whatever.. instead, even if it's in your pocket.. tell them you'll need to go get it, or depending on your status, that you'll have to send someone to pick it up and meet the person. they should never had any idea that you're the one. never brag, never confirm "I can get you any and everything you may ever need":... at the most say "I might be able to help, I know a guy who knows a guy." never tell somebody it's in your pocket.

tell them you'll have to go see. and when you come back, depending on the trust level.. I would not come back with it on your person (or in your vehicle if this person is capable of setting you up and taking your keys), hide it somewhere close / safe / with someone you can trust. just iniu case it's a bust you'll be completely clean. in fact, you probably shouldn't even be at that meet, you should have one of your boys handle it. *assuming this is some new person you don't know* Never tell them a soul where you get it from, even if theyre your wife, your doctor, your lawyer, someone your forced to sign an NDA.. your best friends. Never sell to people you don't know, and neither should your upper echelon... If your best friend introduces you to somebody(already suspicious in business mode) and they mention business..... "respectfully sir, I dont know you and I don't know what the fuck you're talking about". then you immediately leave, later teach your "friend" a lesson and I would separate from him because CI's don't usually introduce UC's until they're fucked. Telling him, you don't meet strangers, you send other people to do it...this fucking person shouldn't even know your friend, let alone you, new people get handled by the lightweights that don't even know you... But in the future if it happens again, your friend is either dumb, greedy, or he's in so deep that his only way out is selling you out. Cut him off. He don't listen, he ain't your friend. your entire organization should be built around protecting you, and your identity. Nobody should even know your nickname let alone your real name, although the oldest heads are going to find out a nickname but those are people you can work with. You should NEVER have been brought up to anyone new, let alone introduced to someone new. That's what they do, they flip someone to be a CI, and then the CI introduces to the undercover, who then makes the 3 controlled buys. 
No matter how much of a "best friend" they are, staring down the barrel of ANY kind of sentence, they don't give a fuck about you (unless you've been through this and they've proven themselves.. but then you wouldnt be reading this).

/u/isuckatnames · 1 votes · 2 years ago · Link

Is it possible to use tails os off a usb while the laptop being used has an open source os (pureos) based of Linux?

/u/MunMunMun OPSEC Munderator OP · 1 votes · 2 years ago · Link

Yes. Tails is a Live OS. It runs off the USB in the system's RAM, so the base OS of the laptop has no impact.

/u/isuckatnames · 1 votes · 2 years ago · Link

Best BTC wallet for anonymity?

/u/MunMunMun OPSEC Munderator OP · 4 votes · 2 years ago · Link

Just use electrum. There is no "best BTC for anonymity." There are wallets that provide extra features that supposedly increase your anonymity but 9 times out of 10 when coin is linked to a real life identity it is because of failure in RL OPSEC, not because someone chose the wrong wallet.

/u/Vendeta · 2 votes · 1 year ago · Link

Yes, electrum is a good start because it comes default on TAILS. If you use a good bitcoin mixer, which just takes some prayer the first time, the government can't trace you. Minded that you use a .onion bitcoin mixer but hey now you're a rock star? Use monero, government is currently putting out contracts for million dollars to crack monero... not so fast my boys in blue... monero is and will be untraceable for many years to come. You can use Monero as a bitcoin mixer, although it is more difficult, just transfer your dirty/attached to your PII bitcoins into monero and then back into a tails electrum wallet. Cheers

/u/MunMunMun OPSEC Munderator OP · 1 votes · 1 year ago · Link

"If you use a good bitcoin mixer, which just takes some prayer the first time, the government can't trace you."

False.

/u/isuckatnames · 1 votes · 2 years ago · Link

What about buying BTC converting to xmr then send it to another wallet then another then convert into currency and cash out?

/u/MunMunMun OPSEC Munderator OP · 1 votes · 2 years ago · Link

I'm done spoon feeding you information. Do the research. All of your questions are answered 1000x over.

/u/isuckatnames · 1 votes · 2 years ago · Link

???? ok k

/u/[deleted] · 1 votes · 2 years ago · Link

I would use blockchain wallet and electrum

/u/[deleted] · 1 votes · 2 years ago · Link

dude do your research, when you purchase btc on your regular OS you need a btc wallets and electrum, it needs to go into the btc wallet first then electrum. Take the seed put it into electrum on tails and always clear the electrum on the regular OS when done and just seed when you need to buy

/u/napolyon · 2 votes · 2 years ago · Link

[removed]

/u/[deleted] · 1 votes · 2 years ago · Link

Yes you are right

/u/dingus420 · 1 votes · 8 months ago · Link

Use no BTC, for anonymity, TBH. Even if you're forced to pay via BTC you can first go through another crypto like XMR, then change it through a service which will also typically tumble on the way through. This might also be flawed, I just think better than BTC only

/u/napolyon · 1 votes · 2 years ago · Link

[removed]

/u/simple · 2 votes · 2 years ago · Link

mullvad is one of the most reliable and the single most stable VPN clients around.

They have their own DNS servers running on each server and their quality is outstanding enough to provide a non logging/leaking DNS server for everyone for free even.

Mullvad provides IPv6, doesn't block Bittorrent seeds like e.g. NordVPN, and Swedish law grants Mullvad that, no matter what, it will never be forced to keep logs, although they are based in a 14 eyes country.

If the Swedes want something special in EU legislation and they don't receive it, they just say fuck you to the other members and if they are being sued by the EU, they couldn't care less.

So Sweden is actually a good place for VPN services and it's no coincidence that Mozilla and Mullvad joined forces.

PS: That does only apply to Swedish VPN companies, if you use an off-shore VPN to connect to Sweden, it's a different thing.

PPS: YOU DIDN'T E.A.R.N. your coins, you stole them from addicts...

/u/Vendeta · 1 votes · 1 year ago · Link

Well, NordVPN is based in Panama and Panama has no extradition to the US, my American friends. For the love of God, lets not put that sleeping dead man Biden in office... cough cough Russia

"We really stole life from the world itself" #alienlife

/u/dubai_shawarma · 1 votes · 2 years ago · Link

Nothing is 100% fool proof. but this is good enough imho.

I use almost the same setup because i don't have nothing much going on right now.

But keep in mind the following:

1) If host operating system is Windows, be informed that Windows does log lots of information without our knowledge

2) If the virtualization software used is something like VMware, it is a proprietary software. Something like VirtualBox ensures much more anonymity.

3) After all, if someone plans APT(Advanced persistent threat) on us, we are fucked no matter what we do!!!

/u/Vendeta · 1 votes · 1 year ago · Link

Cool info, it's just a bitch how VirtualBox passes through your internet connection as a wired connection, would be much more convenient if your VM could connect to a network separate from your host, I mean only your VM connects without your host connecting at all. This post actually has some meat though!

/u/Richard_Bachman_Versus · 1 votes · 2 years ago · Link

As a moderator for The Versus Project myself & the others I work with use Qubes-Whonix. It is the most secure OS that is available to us as users of the dnm system. Qubes works best with a SSD hd.

Also you need to use BleachBit & scrub your machine at least once a week. I do this every 3 days.

Never install Wickr in Qubes or Whonix as that is advised not to. TOX & Wire are both included & work very well in a Linux based distro.

Never use a machine that has Windows installed on it for any DNM task as that is one of the biggest OPSEC no-no's out there.

RB

/u/Vendeta · 1 votes · 1 year ago · Link

Very cool to meet an actual admin, I stay pretty much in my own mind and in the shadows. The problem with Qubes and carders is that it just isn't that pragmatic. A Windows user could just download TAILS and use rufus to burn it to an 8gb flash drive and you're good assuming you update TAILS when it asks but fraudsters need to get down on the clear net and that's where Windows gets tempting because all of your needed software is Windows based. Windows VM on Qubes is not an easy thing to achieve live fraud. PM me sometime dude and Gods speed stepping

/u/n3rve · 0 votes · 2 years ago · Link

So you are saying that if ANY computer has Windows preinstalled, I shouldn't use that device? Tails doesn't affect the actual device, it runs on the RAM. What would be the problem then.

p.s. I have no idea wtf im talking about, but why not use any windows device

/u/Richard_Bachman_Versus · 1 votes · 2 years ago · Link

This will explain all of your questions.

https://www.privacytools.io/

https://restoreprivacy.com/

/u/Vendeta · 1 votes · 1 year ago · Link

well, you should probably encrypt your entire hard drive using veracrypt and then boot tails live but it's probably overkill, tails works and ya this person is right, using tor on DNM from a regular Windows OS is stupid, Department of Homeland Security will give you a courtesy call haha.

/u/crashycrash · 1 votes · 2 years ago · Link

Where would one go if they were a researcher? I need info on some sites and software I would need to find out info on people. Background etc

/u/whatsinaname3 · 1 votes · 2 years ago · Link

Helpful guide, thanks.

/u/potter33 · 1 votes · 1 year ago · Link

What's the best & secure hosting platform for dark web server?

/u/sphinxfd · 1 votes · 1 year ago · Link

Amazon, ovh, hostpoint

/u/hitman606 · 1 votes · 6 months ago · Link

Best hosting to get behind bars.

/u/dread0 · 1 votes · 7 months ago · Link

very well written

/u/dogwood · 1 votes · 5 months ago · Link

What about the physical stuff, like burying your stash or hiding it off your property? People say "clean your house" but what do you do with shit you want to keep? I imagine a search warrant covers the property and structures, probably not the neighbor's property or a nearby abandoned undeveloped land.

Assuming they are going to knock and search you, how much random shit are they going to find tucked away you may have even forgot about. How thorough are they? Do they dissect the firewood pile examining each piece of wood? Are they flipping over every rock in the yard? I have no idea.

/u/pinkslipperytabl · 2 votes · 4 months ago · Link

Cleaning your house and getting it buried or stored will help evade detection, but I will say this: Getting it off of your property and into a hidden tree/ditch/abandoned car/hole, the law still defines that as being in your possession.

Check your own local laws, but that is how it is here.

/u/Anonymous645765 · 1 votes · 4 months ago · Link

More About Security 2021

Turn mic into Speaker * Risk

All file ,video , pdf , .txt , .7z . image etc Can be a Virus Hide or Virus with Ultrasound who can locate All tor user or Even make you sick With the Ultrasound.

http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/06ed9a09e0655345df30

/u/thebailopan · 1 votes · 4 months ago · Link

Great advice ;-)

/u/Anonymous645765 · 1 votes · 4 months ago · Link

use whonix and learn how is working ..

they speak about Speaker is a problem need to be removed , Microphones into computer , the song into video is a problem . Possible virus into Each file Can be a virus .. Camera can be a problem need to be removed , wlan card the wifi adapter is a problem need to be removed .. etc !

/u/opsecopsec · 1 votes · 3 months ago · Link

[removed]

/u/AutoModerator M · 1 votes · 3 months ago · Link

/u/munmunmun /u/cocainebrain racial slur

This comment was posted automatically by a bot. All AutoModerator settings are configured by individual communities. Contact this community's Moderators to have your post approved if you believe this was in error.

/u/Maqbull · 1 votes · 3 weeks ago · Link

A good OPSEC will allow you to defend yourself .

/u/Onehandwashes__ · 1 votes · 2 weeks ago · Link

Damn I just read this whole thread and I know I fucked up off the jump being so eager to honestly provide at very least researched, tested, the best of the best of my knowledge quality service, throw out and burn every1 lyin out there hurting good people regardless of their habit, (very sick of funeral) Also some extra didn't hurt while trying to make up for lost time as an addict myself but no greed. Every1 can eat and every1 else can have the opportunity to say no tomorrow which so many have been unlucky in having that opportunity.

Anyway eagerness lead to mistakes, time will tell who pays the piper or not. Have since been very much more on top of things but apparently still not there yet. See a lot of how to 'cash out' here but really nothing to cash in. The obvious answer is work backwards from cash out but PM with a little point in the right direction would b appreciated. I am no slacker I do my hw I only sleep every other night, work all day, computer all night learning anything I can to stay safe and keep others safe as well.

There is a question in there, easy coin anonocoin, trusted p2p-In, etc.

Thanks guys Much love, stay safe!!

/u/[deleted] · 0 votes · 2 years ago · Link

FYI....I have guides on how to scam hot moms' out of their panties if anyone is interested.

Me :-)

/u/thecalmpenguin · 1 votes · 1 year ago · Link

ahahah lol

/u/bluedodger · -1 votes · 2 years ago · Link

To cut through a lot of this stuff above.

Qubes is equal first with TAILS (for its persistence). They are both different things with a different philosophy.

I run Qubes with a Parrot VM and within Parrot is a hidden veracrypt folder with some things I need in it.

Qubes is encrypted, so is Parrot, so is Veracrypt. A reasonably secure system. I use the Anonsurf function in Parrot and route the VM via the default-firewall.

That's it. If you want to learn Qubes you won't regret it. If not run TAILS with persistence if you want. I used to have it install extra software so I could use my nitrokey in TAILS. Probably a bit more secure than the persistent volume in TAILS.

/u/dread0 · 1 votes · 7 months ago · Link

i plan to learn about this but have a LOT of reading to do first