http://grugq.github.io/presentations/COMSEC beyond encryption.pdf Edit: Also http://www.slideshare.net/grugq/opsec-for-hackers
Sound but vague advice at points for sure, though mixed with 90% meme level pictures and "humor" which works against its meaning of being a guide your life could depend upon. The vague rundown of operating systems is painful. The end is just "LOOK AT ALL THESE FUNNY PICTURES I FOUND ON THE INTERNET". Stuff like that is good though ^ Along with threat modeling and idea of worst case consequence. Of course, maybe I'm too spoiled on mirimir quality guides.
I was mostly pleased to see someone pushing compartmentation Or is it compartmentalization? I guess that it depends on whether I'm pretending to be American or British. Could someone please help me out a little here?
That was an interesting "read". Started out by throwing linux under the bus though. One man's opinion. I personally really took notice of the pgp discussion regarding wide circulation of keys. I have always shared their opinion on that one! Mirimir - I would go with compartmentalization in my "world". My personal addition: this would be a tough one for many of us here. Purely from a opsec vantage; it would be prudent to "shed" psuedo's quite often and start fresh. If you started a new one every month or two and became somewhat deliberate in changing the personality of the new psuedo, it would add strength to your opsec. You would sacrifice your "following" because folks wouldn't know someone like Mirmir, they would see the "new kid on the block". That new kid would blend in and the real person behind Mirimir might just be safer. Same for me, and several others here. Just a notion that has pretty much merit if you ask me.
Mirimir is one of my few long-term personas. I've tried using only short-term personas, and it's hard to accomplish anything. Nobody pays much attention to what you say. So for me it's a trade-off. But then, Mirimir also has many personas The author is clearly an Apple fanboy
I can totally relate to the "nobody pays attention" thing. At another site I was a "staffer" on encryption and like you the established persona could get stuff through the pipe and put into play. It got to the point I was fearful of compromise so that persona died. Changed computers, vpns, everything. I spent the next few years there lurking in the shadows and posting content relevant to hundred post member conversations. So, I totally get your dilemma.
I think that for something like posting on a forum, nobody is going to put in a huge effort tracing you down unless you say things that are going attract the wrong kind of attention like advocating for violence or whatnot. But if you're doing much more than forum posting, the smartest route seems changing you're moniker as frequently as possible and not maintaining any steady contacts. Most of the OPSEC described there was sound but pretty basic. I'd venture to guess that if Sabu or the others in Lulzsec used the chained VPN setup and didn't discuss personal information (or only provided disinformation which may be better), they'd be free. Or better yet, work as a lone wolf.
Thanks, not relevant for me, but a useful mindset. I particularly liked the point about reducing expectations of immediacy/low latency. My feeling is that browsers are a form of posh dumb terminal, designed to suck you into central services you cannot trust and sophisticated enough that they are tracking magnets. So IM and browser-based communication would be vulnerable. Probably people underestimate the planning and discipline required to run different personas well. I remember reading about some WW2 deceptions, which required teams of people to run the fake.
I've become all too familiar with latency I sometimes use hosted servers that I reach so indirectly (via VPNs and Tor) that latency gets to be 0.5 to 1 second, or more. But these are fast servers, with fast uplinks. And packet loss isn't bad. So I've had to learn patience. And to recycle old skills from the days of systems with slow CPUs and little RAM.
