last week while i was procrastinating, i decided to share some opsec tips on twitter. this post is an effort to clean that thread up a little, and hopefully flesh out some ideas a bit further. please note this is not intended to be a comprenhensive list, and to hackers, everything here may be obvious or sound like common sense, but if you can encourage your friends and family, who might not be into computers, to do these things, they can also better protect their privacy.
some people question the importance of opsec. to me, it is important because you should be in control of your personal data. i, for one, do not want big corporations to get wealthier by data mining my information without my permission. another reason is that it helps me feel safer. unfortunately, there are some people who act strangely online, and by better protecting my identity, it makes it more difficult for any creepy people to find me in real life.
something to keep in mind when it comes to opsec is that you shouldn't let perfect become the enemy of good. having perfect opsec is damn near impossible. nobody is perfect, and even apts have opsec fails. but don't let that stop you from taking steps to protect your privacy. some people might think why bother, when a determined attacker with a lot of resources and time could still find out your information or identity. well, here is where you should threat model. for most people, most of the time, you are not going to deal with that level of threat actor, so by making things harder, it will hopefully deter someone who is casually snooping around. and my life philosophy is that you should always go down fighting.
anyway, without further ado, here are my opsec tips. personally, i think it's worth focusing on things that are easy or low effort first, because then you're more likely to do them. and in reality, most people don't think about this kind of thing, so by even making an effort, you will be better off.
search engine queries can contain a lot of private information about a person. for example, in the past, i have searched online for health information. i recommend using duckduckgo as a search engine, because they are much more respectful of privacy. for the vast majority of my searches, the results are good enough. in the few situations that i am not satisfied with the results, only then do i use google search. the goal is to minimize the amount of information google collects about you through your search queries.
my browser of choice is firefox, since this is another place where a google product can be easily avoided. however, there are certain settings that should be tweaked before using it. under Preferences -> General -> Files and Applications -> Downloads, select "Always ask you where to save files". this helps prevent you from unwanted files being automatically downloaded, because the browser will now prompt you before it downloads a file.
another setting that is good to enable is dns over https. this minimizes the amount of plain text traffic that your isp can snoop on. under Preferences -> General -> Network Settings, click on the Settings button. check the box "Enable DNS over HTTPS". you can use the default provider, cloudflare. while cloudflare isn't without its own issues, i would definitely trust them over my isp or university network. you can test here that dns over https is working properly.
it is important to be mindful of what information can be found about you on the internet. if you are a student at a university, your school likely has a student directory that may contain your name, email address, and other contact information. at my school, opting out was easy, just unchecking a box in an online form. depending on where you work, your name, picture, or other information about you may be on your company's website or other online presence. it might not always be possible to have it removed, but asking nicely never hurts.
on social media, it is usually best to avoid using your actual full name. try to avoid posting photos of your face, because sketchy companies can scrape it and use it in their facial recognition products without your permission. it also makes it more difficult for creepy people to find you in real life if they don't know what you look like. however, what's past is already past. people have posted photos of me on social media in the past, even sometimes without my permission. i can't change that, but moving forward, i can control what i choose to put on the internet.
linkedin can help people to find jobs, but it also gives out a lot of easily searchable and potentially sensitive information about you, such as where you work. it publicly associates your name with your employer, which is probably not ideal. in my opinion, it makes you a lot more doxxable. here you have to weigh the benefits and risks. for me, in my field of infosec, i haven't found linkedin to be much use at all, so i do not list my current employment on my profile and have deleted my work history from it.
my cellphone follows me everywhere i go, and i use it constantly. so it's probably a good idea to try to make it a little more secure. i like to put a sticker over the front facing camera. if you use a very small laptop sticker, it will last a long time, and you can easily remove it when you want to take a selfie.
on my cellphone, i disable location and bluetooth when i am not using them. in your phone settings, go through the list of installed apps, and uninstall those that you do not recognize or use anymore. review your app permission settings, and pay attention to the permissions you are giving to each app. if it doesn't look right (for example, a calculator app shouldn't need your location) or you are not using that feature, revoke the permissions. some permissions to look out for include: body sensors, location, camera, calendar, microphone, storage, contacts, phone, and sms. consider encrypting your phone, so in case you lose it, your data will be protected. don't use biometrics to protect your phone, use a password or pin. in the united states, courts have ruled that a password is protected under the 4th amendment, but not a biometric form of authentication such as a fingerprint.
it is good to use encrypted messaging apps. end to end encryption means no one in the middle will be able see the contents of your messages. i do not recommend whatsapp because it is a facebook product, and facebook will certainly find ways (sometimes not very ethical) to collect information about you if you use any of their products. i recommend signal because it is very easy to use, but keybase is pretty nice too.
consider encrypting the drive in your laptop in case of theft, especially if you travel with it. remember that the encryption only works if you power off your machine, however. use a webcam cover, so if your laptop gets malware on it, it won't start taking pictures of you. keep your operating system up to date so that security patches will be installed.
i pay cash for my purchases whenever possible. cash is anonymous and pretty much untrackable. since you can learn a lot about a person and their habits by their purchasing/transaction history, cash is often the best way to pay. however, keep in mind that paying in large denominations like 100 dollar bills can look suspicious, so when i go to the bank i ask for my cash in 20's.
if you use a debit card, consider opening a secondary bank account and don't keep too much money in it. only use the debit card of this secondary account to make purchases. that way, if your debit card number gets stolen, you will be out less money while the bank investigates. i only use the debit card of my main bank account inside the bank itself when possible, or at the atm machines that are right outside the bank. use paypal for online purchases when it is offered as an option. sure, paypal isn't ideal, but by using paypal, the vendors won't see your credit or debit card information, lowering the risk of it being compromised.
finally, this is very important. if you only remember one thing from this entire blog post, make it this. if you are ever questioned by police, shut the fuck up and ask for a lawyer! it is your right!
i hope you find these tips useful. and remember that everyone has a different threat model, and that's okay. never judge people for caring about their privacy and safety. i think if more people did, we would be in a better place. thank you for reading!