The fundamentals of operational security

Operational security is about protecting the bits and pieces of information in your operation (be it journalistic or military) so that other people cannot collect them and assemble the bigger picture. In modern terms, it means protecting your information from eavesdroppers, intelligence services, industrial spies, hackers and social engineers.

The first and most important rule of operational security is to learn to keep your mouth shut. The less you say and comment, the better. Above all, don't say what you are doing.

As far as anyone else is concerned, the Tor network, encryption, cybersecurity and every related topic are none of your business and you know nothing about any of them. Most hackers get caught through a stupid, very human mistake, one so common that avoiding it is the number one rule: they talk too much about themselves. No matter how good your technical setup and your knowledge are, if you talk too much you are done.

Never reveal your identity. Many people think they take care of this, but all they do is pick a different nickname, or register on many different forums with the same nickname. Your nickname must be different for each forum, and the nicknames must have no connection to you or to each other.

Don't say anything about yourself that could help build a profile: hair color, height, country, gender, where you were born, what you like, and so on. If you must talk, use a fake identity with a fake gender and a fake country, and write in another language if you can. Change the email address you use, your IP address, your geographical location and the time of day you post (which can be used to work out your time zone), and change them every time. Don't always show up on your favorite forum at 20:00.
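To show how much a posting schedule leaks, here is an added example (it is not from the original article) of the kind of analysis an adversary can run on nothing but the UTC timestamps of a pseudonymous account's posts. It takes the longest stretch of hours with no posts as the sleep window and assumes, as a heuristic, that the middle of that window is about 04:00 local time; the difference gives a UTC offset. The timestamps are constructed for the example, and the 04:00 figure is an assumption, not a rule.

```python
from datetime import datetime, timezone

# Constructed sample: UTC timestamps of posts by one pseudonymous account
# (synthetic data; in practice this comes from scraped post headers).
SAMPLE_POST_TIMES_UTC = [
    "2023-03-01T05:12:00Z", "2023-03-01T08:40:00Z", "2023-03-01T12:03:00Z",
    "2023-03-01T17:25:00Z", "2023-03-01T21:50:00Z", "2023-03-02T06:31:00Z",
    "2023-03-02T09:14:00Z", "2023-03-02T13:47:00Z", "2023-03-02T18:02:00Z",
    "2023-03-02T20:19:00Z", "2023-03-03T07:05:00Z", "2023-03-03T10:58:00Z",
    "2023-03-03T14:22:00Z", "2023-03-03T16:44:00Z", "2023-03-03T19:36:00Z",
    "2023-03-04T11:09:00Z", "2023-03-04T15:30:00Z", "2023-03-04T21:15:00Z",
]

# Heuristic assumption (not a law): the middle of the longest silent stretch
# of the day is roughly 04:00 local time, the middle of a normal night's sleep.
ASSUMED_SLEEP_MIDPOINT_LOCAL = 4


def posts_per_utc_hour(timestamps):
    """Return a 24-entry list with the number of posts in each UTC hour."""
    counts = [0] * 24
    for ts in timestamps:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        counts[dt.hour] += 1
    return counts


def longest_quiet_run(counts):
    """Return (start_hour, length) of the longest circular run of hours with
    zero posts, or None when every hour of the day has some activity."""
    best = None
    for start in range(24):
        if counts[start] != 0:
            continue
        length = 0
        while length < 24 and counts[(start + length) % 24] == 0:
            length += 1
        if best is None or length > best[1]:
            best = (start, length)
    return best


def estimate_utc_offset(timestamps):
    """Estimate the poster's UTC offset in whole hours from post times alone.

    Returns None when there is no quiet window to anchor the guess on, which
    is exactly what randomising your posting times is meant to achieve."""
    run = longest_quiet_run(posts_per_utc_hour(timestamps))
    if run is None:
        return None
    start, length = run
    quiet_midpoint_utc = (start + length // 2) % 24
    offset = ASSUMED_SLEEP_MIDPOINT_LOCAL - quiet_midpoint_utc
    return (offset + 12) % 24 - 12   # normalise into the range -12..11


if __name__ == "__main__":
    counts = posts_per_utc_hour(SAMPLE_POST_TIMES_UTC)
    print("quiet window (start hour UTC, length):", longest_quiet_run(counts))
    print("estimated UTC offset:", estimate_utc_offset(SAMPLE_POST_TIMES_UTC))
```

On the sample the account is silent between 22:00 and 04:59 UTC, so the guess is UTC+3. The more posts an adversary has, the less the guess depends on the 04:00 assumption; spreading your own posts across the whole clock removes the quiet window and leaves the estimator with nothing.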

Be careful not to use letters that exist only in your language's alphabet, and likewise avoid accents that exist only in your language. If you can write in another language, do so. Strip the metadata from the files you upload, or modify it so that it leads down a false trail, and use a security-focused operating system if possible. I have used Qubes OS for about 9 months; if you care about your privacy, feel free to use it as your main operating system and ask me questions if you get stuck. I plan to examine it in detail in a separate article.
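As an added example of what stripping file metadata means in practice (this code is not from the original article), here is a pure-Python JPEG metadata stripper: it walks the marker segments that precede the image scan and drops the ones that carry Exif, XMP, ICC, IPTC/Photoshop and comment data, leaving the pixel data untouched. The JPEG bytes it runs on are constructed inline and are not a decodable picture, only a structurally valid marker sequence.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA

# Marker segments that carry metadata rather than image data.
METADATA_MARKERS = {
    0xE1: "APP1",   # Exif (camera model, GPS, timestamps, embedded thumbnail) and XMP
    0xE2: "APP2",   # ICC colour profile / FlashPix
    0xED: "APP13",  # Photoshop IRB, which carries IPTC captions and keywords
    0xFE: "COM",    # free-text comment
}


def _segment(marker, payload):
    """Encode one marker segment: FF, marker, 2-byte big-endian length (counting itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a JFIF header, an Exif block, a comment, minimal quantisation
# and frame headers, a scan header, three stand-in scan bytes and the end marker.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")
    + _segment(0xFE, b"constructed comment: taken at home")
    + _segment(0xDB, b"\x00" + bytes(64))                          # DQT
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")      # SOF0: 1x1 px, 1 component
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                  # SOS header
    + b"\x00\x01\x02"                                              # stand-in entropy-coded data
    + b"\xff\xd9"
)


def parse_header(data):
    """Return (segments, scan_offset): the marker segments before the scan as
    (marker, start, end) triples, and the offset of the SOS (or EOI) marker
    from which the rest of the file is copied verbatim."""
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    segments = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte in front of a marker, skip it
            pos += 1
            continue
        if marker in (SOS, EOI):      # header is over; entropy-coded data follows SOS
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, pos, pos + 2 + length))
        pos += 2 + length
    return segments, pos


def list_metadata(data):
    """Names and byte sizes of the metadata segments present, in file order."""
    return [(METADATA_MARKERS[m], end - start)
            for m, start, end in parse_header(data)[0] if m in METADATA_MARKERS]


def strip_jpeg_metadata(data):
    """Return a copy of the JPEG with every METADATA_MARKERS segment removed."""
    segments, scan_offset = parse_header(data)
    out = bytearray(data[:2])
    for marker, start, end in segments:
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    out += data[scan_offset:]
    return bytes(out)


if __name__ == "__main__":
    print("before:", list_metadata(SAMPLE_JPEG))
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after:", list_metadata(cleaned), f"({len(SAMPLE_JPEG)} -> {len(cleaned)} bytes)")
```

The Exif thumbnail lives inside the APP1 segment, so dropping that segment also removes the small copy of the original picture that many editors forget about. This handles JPEG only; PNG, PDF and office documents keep their metadata in other places, so for real uploads run a dedicated tool over every file and check the result with the same kind of listing before publishing.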

Another thing: don't trust anyone, including the people you would never think to suspect. Everything is a threat to operational security. Don't let other people direct you; if you can act alone, act alone, and don't make physical mistakes.

Stay under the radar and hide your technical knowledge. Avoid forums if you can. The less presence you have online the better, but there will be situations where you need to communicate. In those cases keep your messages minimal and oblique, the way drug and arms traffickers and their like do.

"Samet, I brought the computer and hard disks, let's meet at your house at 11."

"Dude, I brought the stuff, meet me at the same place at the same time as last time."

The difference is clear.

Nothing is ever said in the clear.

Be paranoid. If you are wondering whether this applies to you: if you have committed, or are thinking of committing, any crime, you must be paranoid. Assume that your entire network is under constant surveillance. How prepared are you if your house is raided in a few minutes? Is every bit of data encrypted on every device in your room or house: computers, USB sticks, hard disks and the rest?

Always encrypt everything on your drives, even if it makes reboots more tedious. That way, even if a disk is lost or seized, nobody will be able to read it without the key.
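One quick way to answer the "is everything encrypted?" question on a Linux machine, added here as an example and not taken from the original article: parse the output of `lsblk -P` and flag every mounted filesystem or active swap whose chain of parent devices never passes through a dm-crypt mapping (lsblk reports those as TYPE="crypt"). The sample output below is constructed to show a LUKS-backed LVM root and home, an unencrypted EFI partition, an unencrypted swap partition and a plain USB stick.

```python
import shlex
import subprocess

# Real command run when executed as a script; the columns are standard lsblk columns.
LSBLK_CMD = ["lsblk", "-P", "-o", "KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT"]

# Constructed sample of that command's output (not captured from a real machine).
SAMPLE_LSBLK_OUTPUT = """\
KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]"
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home"
KNAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/mnt/usb"
"""


def parse_lsblk_pairs(text):
    """Parse `lsblk -P` output (one KEY="value" list per line) into
    {kname: {"type", "fstype", "mountpoint", "parents"}}.

    A device with several parents (an LVM volume spanning two physical
    volumes) is printed once per parent by lsblk; the parents are merged."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        dev = devices.setdefault(fields["KNAME"], {
            "type": fields["TYPE"],
            "fstype": fields["FSTYPE"],
            "mountpoint": fields["MOUNTPOINT"],
            "parents": set(),
        })
        if fields["PKNAME"]:
            dev["parents"].add(fields["PKNAME"])
    return devices


def is_encrypted(devices, kname):
    """True when every path from this device down to a physical disk passes
    through a dm-crypt mapping (TYPE="crypt"); LVM on LUKS counts, LUKS on
    only one of two PVs does not."""
    dev = devices[kname]
    if dev["type"] == "crypt":
        return True
    if not dev["parents"]:
        return False
    return all(is_encrypted(devices, parent) for parent in dev["parents"])


def unencrypted_mounts(devices):
    """(kname, mountpoint) for every mounted filesystem or active swap that is
    not backed by dm-crypt, in lsblk order."""
    return [(kname, dev["mountpoint"]) for kname, dev in devices.items()
            if dev["mountpoint"] and not is_encrypted(devices, kname)]


if __name__ == "__main__":
    text = subprocess.run(LSBLK_CMD, check=True, capture_output=True, text=True).stdout
    findings = unencrypted_mounts(parse_lsblk_pairs(text))
    for kname, mountpoint in findings:
        print(f"UNENCRYPTED: {kname} mounted at {mountpoint}")
    print("no unencrypted mounts" if not findings else f"{len(findings)} finding(s)")
```

On the sample this flags the EFI partition, the swap partition and the USB stick, while the root and home volumes pass because their only path to disk goes through the LUKS container. Unencrypted swap is the one people miss most often: it can hold pages of plaintext and key material from everything that ran. An unencrypted EFI or /boot partition is normal, but it is also where an attacker with physical access plants a modified bootloader, so it deserves a deliberate decision rather than an oversight.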

And don't count on drilling holes through a hard disk or shooting it. Against a state-level adversary, drilling is probably insufficient: the spindle motor and the actuator sit beside the platters inside the case (which is why drives are rectangular rather than square), so a hole through the platters ruins only the area it passes through and may wreck the head arm, while most of the magnetic surface, and the controller board on the underside, stay intact. Conventional hard disks are not vacuum sealed either: they contain air at ambient pressure and have a filtered breather hole, so the case can be opened in a clean room without much force. Open a dead one and you will see.

A determined forensic specialist or a state-level actor can open the drive cleanly, replace the damaged heads if necessary, move the platters into a working drive and read most of what remains. If you really want the data gone, overwrite it first (the Gutmann 35-pass method is the traditional suggestion, although a single full overwrite is already enough on modern drives), then degauss the drive with a proper degausser, not a hobby electromagnet. The alternative is to destroy the platters physically, for example by shredding or melting them; after that, recovery is not possible. SSDs are different: for ordinary threat models the drive's built-in secure erase (ATA Secure Erase or NVMe Sanitize, usually exposed by the vendor's SSD management software) is normally sufficient, and host-side overwriting is unreliable because it never reaches the over-provisioned and wear-levelled cells. TRIM does not erase the data on an SSD; it only marks the blocks as unused and ready for reuse.

Better still, use full-disk encryption from the start: once the key is destroyed, the drive never needs to be wiped at all, because what remains on it is ciphertext without a key.

Another important thing is to know your limits. Be realistic about what you can do with the technical knowledge you have. If there are parts of what you are doing that you don't understand, stop, or accept the risk that your ignorance could land you in jail. Keep it as simple as possible. Complexity is the enemy of security, especially where you are not competent. A complex, nested, multi-layered setup creates more attack surface and is not for everyone; you will be better off with a simple setup over which you have a high level of control.

If any of this seems like overkill, either you don't need it for your required level of anonymity or you don't understand how serious intelligence gathering is. Intelligence can be derived from any kind of data. Background wall paint, rug patterns, windows, objects with writing in a local language on them, and so on, combine into a unique fingerprint of that location and that viewpoint.

If you really want to be safe and anonymous, operational security is by far the most important thing to learn and practise, but it is also what people forget most easily, and so they end up making stupid mistakes, especially once they start trusting themselves.

Take your time, learn and understand what you need and act professionally 🙂

I plan to write an article about operational security and past mistakes. You will read about those mistakes and, most of the time, think it was just a small slip; but when you see how small the mistake was, how big its impact was and how everything ended, you will care more about operational security, and it will probably make you paranoid.

Yes, care about operational security and be paranoid. That’s the basics.