/r/opsec

Photograph via snooOG

OPSEC is the process and practice of Operations Security. Although it has roots in the military, OPSEC can be applied to any venture requiring secrecy and survival, from business security to personal safety. OPSEC is a mindset of critical thinking and safe habits. Read the sidebar below for more information!

What is OPSEC?

Operations Security, or OPSEC, OPSEC is about minimizing attack surfaces and single points of failure through proper habits and policies. It's a systematic and proven process that we can use to deny adversaries information they need to do us harm or interrupt our plans. It's also a mindset that can be applied to any mission or plan.

Although the term originated in the military, OPSEC is now used for so much more. This includes law enforcement, computer and network security, home safety, travel, and so much more.

OPSEC isn't a list of rules, and it's not as simple as using a VPN and keeping your mouth shut. It includes elements of INFOSEC, APPSEC, NETSEC, COMSEC[TRANSEC/SIGSEC/EMSEC], PHYSEC[PERSEC], and (CO)INTEL.

The OPSEC Process

1. Identify the information you need to protect
2. Analyze the threats
3. Analyze your vulnerabilities
4. Assess the risk
5. Apply countermeasures

Understand your own risk/threat model: Who is your adversary? What needs protecting?

The OPSEC Two-Step: Know what to protect and know how to protect it.

Important Posts

  • [The now-declassified history of OPSEC, released by the NSA under FOIA]

OPSEC Resources

SEC communities on reddit

  • /r/netsec - A community for technical news and discussion of information security and closely related topics.
  • /r/privacy - Dedicated to the intersection of technology, privacy, and freedom in the digital world.

Rules

  • Don't post without reading the rules thread or your post will be removed, and you may be banned.

  • Don't give advice without knowing the user's threat model first. If you proceed to give advice when the OP has not explained their threat model, you will be banned.

  • Don't offer single tool solutions (e.g. VPN, bitcoin, Signal) when the threat model isn't clear

  • Don't give bad, ridiculous, or misleading advice (e.g. "you can't get arrested if you use Tor")

  • Don't ask for help or help others in illicit and unlawful activities (e.g. "I want to buy drugs on the internet").

  • Don't post without mentioning your threat model, unless it's a post about how to threat model.

/r/opsec

48,941 Subscribers

10

Seeking Feedback: Privacy-Focused NO KYC eSIM for Secure Communication - Threat Models Welcome

Hello r/OpSec community,

I’m currently working on refining a privacy-first mobile service concept, and I’m seeking feedback from those who value secure communication. The service is designed for individuals with a strong focus on privacy and operates under the following core features:

Service Overview:

•	NO KYC requirement: No personal details, no documentation, and no data retention.
•	Encrypted eSIM: Delivered digitally, ensuring no physical SIM is needed.
•	Unlimited USA calls and texts, 60GB of high-speed 5G data, and hotspot capabilities.
•	Payment methods designed to protect privacy.
•	Quick swaps: Up to 3 number or eSIM swaps per month, completed in minutes.
•	Coverage in the USA and globally with over 800 network partners.

Core Philosophy:

•	Privacy is a human right: The service doesn’t store logs or cooperate with information requests from any source.
•	Built for threat models requiring anonymity in personal or professional communication.

I’m looking to better understand how this might fit into different threat models. Specifically:

1.	What kinds of threat models would this service address effectively?
2.	Are there additional features or adjustments that would make this more useful for individuals with specific privacy concerns?
3.	Does this align with operational security principles you value?

This is not a sales pitch—I’m genuinely looking for feedback to ensure the service aligns with the needs of privacy-conscious individuals. Your insights will help refine this concept to better suit practical threat models.

Thanks in advance for your input and yes I have read the rules!

8 Comments
2024/11/25
04:16 UTC

1

Really strange info in data request for Apple ID Account Information..Very little online

Really strange info in data request for Apple ID Account Information..Very little online

iCloud Cross Border ConsentApple Cross Border ConsentApple Regional Entity Consent

All now pending?

with ADP disclosure ON (previously always OFF)

Advanced Data Protection Data Collection Disclosure = ON

I have read the rules

Threat Model not something I've thought about, what should I start with?

3 Comments
2024/11/15
18:17 UTC

6

Compromise of physical device

Hypothetical question (I give my word as a stranger on the Internet). I'd appreciate answers about both state and federal LEO.

What exactly happens when a physical device (phone, computer) is seized? Is the access limited by the terms of a search warrant or is it free game?

Is it time limited or will they hold it until they can crack it?

I have read the rules

19 Comments
2024/11/14
00:29 UTC

18

Dealing with hackers

I have read the rules

A hacker tried to hack my website and they found some vulnerabilities. I didn’t ask them to hack my website. They told me about these vulnerabilities and now they want me to pay them for the information. They are also blackmailing me saying they will disclose the information online if I don't pay. What should I do?

7 Comments
2024/11/12
12:28 UTC

25

is buying a used laptop a security risk

obviously i'll wipe the ssd/flash bios but will that be enough and are there other things i could do to be extra sure.

my threat model is mostly not being watched/have my files viewed/be doxxed/ by the previous owner or authors of whatever software he/she downloaded. i'm mostly looking to have a more secure/private system next to my PC which i mostly use for gaming.

buying a new laptop is also an option though.

i have read the rules.

31 Comments
2024/11/09
17:13 UTC

8

How can I identify my threat level and remove any potential hard to detect malware?

Hi, I have read the rules. I'm not very tech savvy so excuse my ignorance. I've been concerned about malware for some time. An ex friend I had told me that a family member of theirs had synced another family members phone to their own. I had a feeling they were spying on me before this and had texted someone about it. Then a month or two later, the ex friend jokey claimed I accessed their youtube account and sent a screenshot of their youtube search page which, amongst their searches, featured an obscure youtuber I had searched for earlier in the day. I checked on my google account for any unfamilar devices and I couldn't see any and ru An a malware scan which said I was okay. I cut then off for other reasons and over a year has passed and i've since switched to another device. I had forgot about this until recently when I noticed something strange. I was on tiktok and pressed on the add account button and there, I found an unfamilar account which said 'google' underneath it. I'm the only person that I know of who has access to my gmail and other accounts. I searched the unfamilar account username up and it was active. I screenshotted my findings of the account on my 'add account' list. I tried clicking on the account to see if I could login ( i couldnt, it just took me to a page where it said 'choose your account'). A few days later, I clicked back on the 'add account' button to see if the account was still there and only a ghost of the account remains. I re-searched the account and it has totally disappeared off the site. If the account hadnt disappeared after the I screenshotted the account on my own 'add accounts' I wouldnt be so suspicious. I wonder if you know any ways of how I can identify really sophisticated malware (as my ex friend was very very good with technology) and help me ascertain my threat level? Maybe I'm worrying too much!

1 Comment
2024/11/07
19:14 UTC

7

Threat analysis and help please

i have read the rules

Hello guys first of all my goal is to criticising government or using bad words against people at various social media platfroms like Instagram, X but mainly Instagram.
My threats are the government (3rd world country) and potentially Instagram (they would give my IP to government)
My threat is the government because using bad words is illegal in my country.
But I dont know if the government or Instagram will give the same attention to people that use bad words with people that commit serious crimes like murder so my threat level could vary.
My current countermeasure is Tails and im open for suggestions.
You can learn my country by surfing my profile.

7 Comments
2024/10/26
22:04 UTC

3

OSINT help required

Threat model: Person is actively doxxing me on really weird subreddits/sites. Hello! Some time ago by accident i found, that my personal photos and information are shared on reddit subredits for perverts<i guess that's how you describe them> and on not really known porn sites. I have a guess who that is, and i found some connections in let's say methodology of writing a posts and style of this person. But i need a big proof. So i used pull push io for old archived reddit posts(this person added literally hundreds of posts about me) and i found all of this person nicks. I checked suspect mail on haveibeenpwned and found out that it's mail is leaked on cutoutpro leak but i cant really use this(I don't know how to move on darkweb). What is worth to add is that this person used kik/telegram/teleguard/files.fm so he was probably giving more info about me that could be potentially not legal. Lastly, Police in my country police doesn't handle such a situations. I have some OSINT/linux experience, so my question is for advice, what would you do? I don't want to be useless and i am ashamed and scared what this person shared about me. I know and understand that this person is close to me, but i need a proofs like photos this person used, because on pullpush io search i only found links to photos(they looked like reddit.com/gallery/something, but everytime i entered this photos were deleted). Do you know any stronger osint tools, and better search engines(better than idk sherlock, and yandex/bing)? And could you give me any adivce how to search on clear/darknet for phrase(i would search exactly the same phrase that was on reddit in engine, and see if maybe this person left some traces). I have read the rules

3 Comments
2024/10/26
17:51 UTC

2

Email Scam for Subscription Services - Looking for OpSec recs

I just got two emails that I thought were phishing attempts, one from Scentbird and one from Starz. I never signed up for either of these things, so I deleted them. Then I received a subscription confirmation email from Scentbird. I only opened the emails in gmail, I did not click any links.

So I went to their site, and did a password reset. They sent me an email with a magic link and I logged in. Someone used my email to sign up for a perfume subscription. Shipping to a house in Cleveland, fake name, and credit card I don't recognize.

So then I go to Starz .com b/c that was the other email. Do the same process. They used a different name and signed up for a subscription with them using the same credit card.

I have already gone and changed my gmail password, and logged out of all devices. Already use LastPass and will be deep diving that to change anything thats still a duplicate. Plus I will be using googles dark web service to make sure all that information is not actionable. 2FA via passkey/email/sms/auth app is set up for most things, but i'll be double checking all that today.

Anything else I should do? I have a VPN but only use it sometimes. Any specific services ppl like for Opsec?

I have read the rules.

5 Comments
2024/10/24
13:51 UTC

17

A person or a group is actively trying to inflict as much damage as possible to my mothers accounts

I have read the rules .

Hi, I need some help.

Threat model: Possibily hackers who already gained acess to many of her accounts.

She constantly gets SMS tokens for password change even though she didnt ask for anything. We have already changed all her passwords but the passwords keep getting broken. Once I checked her google account activity and I saw at least 3 other suspicious mobile phones and devices connected to her account. I instantly removed them.

Here is my train of thought: Maybe they got ahold of her phone number and they are able to change her password through SMS tokens. Considering that they have already compromised government accounts, they know her data, email and adress so all it takes is a SMS token. I will set a 2FA authenticator for her tonight. I hope this solves it.

I dont know if that helps but she uses a regular iPhone 11 and I made those password changes on a MacBook.

They eventually stole over $20k from her bank accounts a few months ago and not even the banks know how they did it. I live in Brazil and unfortunately banks are not held accountable for scams like this.

What else can I do?

  1. Change passwords
  2. Set up 2FA for everything
  3. Change phone number

The thing that worries me is that this has been going for MONTHS. This person or group is very much dedicated to inflict as much damage as possible. She already went to the police but they said they cant do anything.

18 Comments
2024/10/09
21:06 UTC

7

Smart tv mac spoofing

So I've got this Android smart TV with real debrid and stremio in my dorm, and I've been using it a lot. The problem is, I'm worried that the network manager is gonna catch on and blacklist my TV from the network because of all the data I'm using. Do you know any way to spoof my TV's MAC address? I was thinking of getting a Raspberry Pi to connect to the network and then spoof the mac adress at a regular interval. Let me know if you have any ideas.

I have read the rules

4 Comments
2024/10/08
18:13 UTC

5

Personal devices and Gmail security hiccup--Threat level analysis pls.

Hello all!

TLDR; I want to to ensure my account was not accessed by a bad actor and prevent future opsec failures. I have read the rules, so tried to keep this very on point.

I received a death threat from someone months ago and in the threat they said "I know you see these messages, your phone hack got unhacked"

They did not share any data with me that was solid proof of their access to my account. Vague talks about my reengagement with our old businesses. Nothing confirmable.

I then made a list of my points of control over my iPhone.

iCloud: 2FA by design, newly changed password, no signs of weird use. No physical access to my devices at any time. Checekd iPhone settings and had no VPN set up, no unusual use of my data or power. No find my weird device or set up.

Google: Unfortunately no 2FA, password was old used on a couple other sites but not widely, never leaked password.

So for Google, I got paranoid and decided to further my diligent review.

1- I checked my log in notices one by one from my google gmail inbox VS my recovery email, nothing fishy.

2-I went back to each log in date and double checked for my own activity, (they all checeked out.)

3-I looked at the devices log on my account security, (ONE COUNT OF LOG IN FROM AN AREA I DIDNT RECOGNIZE. However, this was from four months prior to receiving the threat the location was unusual, i checked the log in date, and then checked my activities they all matched up. I had made a restaurant reservation on that date that used google log in. the log in email and reservation email were 3 minutes apart. Other than that, nothing.)

4- Checked my google critical security alerts, found none.

5-Checked my inbox, my IMAP was on but I had no emails added in forwarding.

6-No emails in trash or spam.

7-In the past, I had received critical security alerts but it was years ago and a confirmation that my google would have sent me security alerts.

8-My google drive log didnt show any recent uses that I didnt recognize.

6 Comments
2024/10/06
14:53 UTC

19

How to identify my threat level and purge bad opsec?

Im a relative beginner to practicing good opsec. My main goal is to achieve a level of privacy online that denies information tracking and data harvesting to large companies like apple and google or any other potential adversaries. Ive been using a total of three gmail accounts for anything and everything I did online for most all of my life. All of my accounts and activity are probably linked to these gmail accounts. I have just recently made a Protonmail account and begun switching important services that I use over to my new proton mail account. I am planning on switching my phone to a samsung s24 ultra from using my iphone all my life and am excited for the seemingly fresh slate I will be starting with as far as my mobile opsec goes. I want to purge all my old unused accounts and services moving forward with the new phone. I use a macbook at home with firefox + ublocker as my browser. Going forward, how can I fully asses my threat level and understand my opsec priorities, purge my old bad opsec (gmails + associated accounts), implement optimal opsec on my new phone, and re situate my personal macbook to match my new phones opsec standards. I have read the rules and thank you kind folk in advance for your help.

7 Comments
2024/09/27
04:34 UTC

19

What's the best way to make yourself 'invisible'?

Well. I am already not invisible to anybody. A government, my ISP, but still... How do I make myself invisible? It's a tough political situation on where I live, and I want to spread my thoughts without a fear of getting caught and imprisoned after. Any advice on how to make it possible?

Should I stop using Windows, routers that do not support OpenWRT and all that stuff? Thank you.

i have read the rules

27 Comments
2024/09/24
10:17 UTC

1

Someone is using my gmail wihout access to the account (which I hopefully assume) to order things.

It has been a total of three times that I have got email to confirm purchase or order. I had email regarding OYO hotel bookings by an Indian person in the past month, and three days before today, a McAfee product invoice and another McAfee product invoice the day later. I constantly check the access and have two step verifications on. It worries me everytime such email pops up. Does anyone have any idea about this phenomenon?

I contacted the OYO mail and got no satisfactory response.

I have read the rules thoroughly.

13 Comments
2024/09/20
13:57 UTC

39

Deanonymization - from Tor to Monero compromises!

Recently we've been seeing many cases of deanonymization that are raising concern. Is it mishaps in user OpSec? or are they new vulnerabilities exploited by LE agencies?

Lets begin with

TOR De-anonymization

Let us begin with a refresher, when connecting to TOR, your information and data packets are routed through 3 random servers otherwise called "Relays". Each of these relays encrypts traffic with its own keys, which theoretically makes deanonymizing a user extremely difficult.

Tor connections are made in the 3 Relay order mentioned above. which can also be detailed as:
Entry Relay (Guard)
Mid Relay
Exit Relay

The way tor relays are usually exploited by scammers is via exit relays, although a very complex and sophisticated process, theoretically an attacker can poison the exit relays and manipulate certain data packets, such as XMR addresses and other sensitive financial entries. Again, possible but very complex and sophisticated. According to tor metrics 28% of tor Relays are based in the USA and Germany, and with 10% being in germany it makes sense with the recent deanonymization that occured.

The way we can identify state actors is usually by looking at a single entity running a high volume of entry relays on tor, which would virtually allow them to expose user information.
So we see German LE de-anonymizing users, and we also see heavy relay hosting in germany. to me it only makes sense to assume that German LE is taking that route.

The safest route to take for users in that said region is to host their own relays and not rely on a random connection. as there's a possibility for the german user to be laying in LE's lap 1 out of 10 times.

Monero De-anonymization

Chainanalysis is running large amount of poisoned Monero nodes through their world-wide operation and their own admins. Running these said nodes like the defunct node.moneroworld.com allows them to collect sensitive metadata like IP addresses, Transaction volumes, fees and much more. They then forward the said information to LE and Crypto exchanges to fight privacy enthusiasts using the network. The only feasible way to avoid such a threat at the moment is to run your own node instead of using a remote node and while using your own node, utilizing Dandelion++.

An example of the combined deanonymization attack against the Monero users – who is Joe:

Joe sits at home and connects to Tor from his home router. He believes this is not an issue, because in his country the Tor is not illegal. He opens up his Monero wallet and connects to the Monero remote node, waits for the sync from the remote node and once ready, he sends the transaction to his business partner as usually. It is April 1st 2024, 12:00:01AM. The transaction is 120kB in size. The remote node he connects to is run by the Chanalysis and it is poisoned but he is not aware of it. The financial flows of his whole operation is closely monitored and it is largely transparent. He makes 5 such transactions per day with different time stamps and transaction sizes.

While he uses remote nodes, there is a high chance that many of his transactions are not as anonymous as he thought it to be. His RingCT in those poisoned transactions is not 16:1 as by default in Monero now, but 1:1 now as he was served the poisoned, spent decoys by the poisoned remote node and his transactions are, for the adversary, completely transparent now. He is not suspicious and he continues his business as usual.

Chanalysis is monitoring his transactions closely and can identify and track down high percentage of his transactions and link them together. They can see the exit IP of his transactions is the Tor exit node, because by using the Monero remote node he cannot utilize the Dandelion++ feature and sends the transaction directly to the poisoned remote node and the node knows this is the real exit IP address.

Chanalysis contracted the US and German ISPs and they send them their required data from April 1st 2024, 12:00AM and they focus on Tor users, which is nicely visible. By contracting the US and Germany, Chanalysis gets the data flows from about 50% of the existing Tor nodes. They check the first transaction from the April 1st, if any of the Tor users was online at that time, sent a packets close to the Monero transaction. There are 20 people with the similarity. They check the 2nd Joe’s transaction from the day that took place at 12:20:01AM. Now only 2 people are return similarities. They get the 2rd transaction from 12:40:27AM and after few transactions and days they are quite confident that the origin of the poisoned transactions is the IP address that is registered on Joe Naive, exposed Street 1, App 1Z, Soonlot.

So as users with the evolution of our threat model, we should improve our OpSec, we should start running our own nodes, relays and continuously evaluate our own flaws. if we continue to evolve, we will only make things harder for them, they have the state level funding, they have the time, but we should have the will to stand against them!

I have read the rules

1 Comment
2024/09/19
11:49 UTC

7

Need Help with a BlackHat

I have read the rules-if this isn't the best place to ask then feel free to let me know.

Ok folks, gonna try to keep this as to the point as I can but it will be a bit to read so please bear with me and point/direct me to other better pages if this isn't the right place. Basically, I've got a person who's got access to all of our family info and is constantly messing with stuff, sending harassing texts gloating about how they own us, they listen to our convos and comment on what we talk about etc. Full on stalking.

They have bragged saying, "I have access to everything bud and if you think you've got me, you dont. Everything goes back to (spouse). You cant find me."

Now, I'm not gonna say I'm a pro at OPSEC, but I run a pretty tight ship. I'm going to post in bullet points what I do for my personal security and then go further into whats going on.

  1. I am fully compartmentalized. I use at least 10 different emails and half a dozen different email providers including proton and tutanota that separate my personal, gaming, social, business, finance etc.
  2. For any of my sensitive accounts like finances, I use long passphrases that I DONT ever save to clipboard, I use face recognition and 2 factor via my secure emails.
  3. I dont stay connected to internet unless Im actively using it. Otherwise its disconnected and/or shut down. Laptop is BIOS passlocked as well as fingerprint locked.

All my account info is only kept 2 places, handwritten and with me in my bookbag at all times, and Dashlane which is locked behind a massive passphrase, 2 factor, and tutanota email, and is only locally on my pc. Its not shared with any devices and nobody has had physical access to my laptop as I work 24hr shifts and it goes with me, when I'm home its by the nightstand. I don't home without it either so no breakins would even get to it.

  1. Phone...ugh. I use IOS due to the alleged better security(YES i know its not private I want security). Apple ID is secured using long passphrase that I change every couple months, its 2 factored to my Tutanota email which has NEVER been broken into.

I run my phone/ipad under strict security as best I can, no info or analytics are shared, locations turned off, nothing is shared. No passphrases are saved to them.

  1. I also use KeyScambler on my laptop which keeps any possible keylogging from getting what I type but I also copy paste my account info a lot from dashlane so rarely ever type it out.

Alright, now we return to my dilemma, this person isn't just goofing off and trying to act badass. They have actively gotten into my bank account and turned my alerts off, they've managed to link my account to other cards causing overdrafting etc. They read texts between me and my spouse, they listen in like I said. Its a person with NO LIFE at all if you consider that this has been going on for a couple of years and law enforcement is useless. I do not know how they're getting into any of my accounts as I don't ever get alerts to un authorized or unrecognized access.

Problem here is I think and have to assume they're taking advantage of my spouses vulnerabilities. Spouse has been sick for awhile recovering from serious illness, lotta stress and sleep apnea on top of it so brain fog and just lack of mental sharpness are expected. I dont know if this person is somehow monitoring our web traffic and just swiping info like that, or if they're actively inside one of our apple ID accounts just getting any info like that. My spouse has literally changed account info and had their stuff broke back into within a short time.

So to conclude, is this a matter of shutting everything off, disconnecting it all, and resetting our stuff or will that even matter if our network is compromised? I'm not savvy as to how to look at our network traffic and even see if there's unauthorized usage.

Would it be possible to lock it all down if i boot everyone off the network, and then only allow certain MAC addresses? Just not sure how to do this especially with a family that has the attitude of "we're not doing anything wrong so who cares". Which is insanely frustrating considering our finances are being fucked with but they prefer convenience over security. Now dont get me wrong, the spouse is pretty damn secure minded too, buuut I think with the whole being out of it and the more relaxed view of security is leaving us open.

So can anyone tell me a good newbie way to monitor web traffic to possibly pin point unauthorized usage or devices and any other good suggestions? Thank you all for reading this.

18 Comments
2024/09/18
21:19 UTC

0

How do I get good at opsec?

i have read the rules. I want to get a better opsec online how do I go around doing that?

10 Comments
2024/09/16
17:14 UTC

16

Getting super into cybersecurity where do i start with OPSEC/creating a threat model?

i have read the rules. Im super into cyber security i already use bitcoin for purchases, im playing around with virtual machines, i use hardened firefox to browse ect ect ive gotten super into OSINT and i guess OPSEC is the natural opposite but also something completely knew to me ive searched around and most of the info i find is aimed at large corporations rather than personal security, does anyone have an useful resources that they used to start there OPSEC journey wikis,books,videos anything that gets straight to the point, preferably something that for exmaple has different stages/levels of security from the average internet user up to Anonymous level and maybe a step by step of how to develop a threat model. Thanks for the help!

10 Comments
2024/09/11
23:05 UTC

7

Biggest challenges with Opsec?

What are the biggest challenges with OpSec today?

I have read the rules

15 Comments
2024/09/10
16:49 UTC

7

How to mitigate state surveillance and harassment (if at all possible)

In this post, I'll be using few fake names to refer to real people.

Alice (not their real name) is involved in underground activism, and was forcibly by state agents. Bob (not their real name) is one of Alice's loved ones, and Bob will get help from local and international human rights groups to pressure the state into surfacing Alice. This move, we're expecting, will likely increase surveillance and/or harassment by the state agents toward us. Now, Bob is my (OP) partner, and I have met Alice in person multiple times.

We're planning to install CCTV camera/s pointing to the street to check for and have a record of suspicious people surveiling our residence. By suspicious people, I mean person/s who are surely not from our neighborhood and is/are looking at our home from the street for an uncomfortable amount of time. With regards to the CCTV, is it better to store the footage in the cloud (some cctv products offer this) or on premises (i.e., in a micro-SD/HDD in our house)? What better way to secure the CCTV cameras and/or the footages?

With the likelihood of state surveillance, how should Bob and I behave when in public? I realize that this is a vague ask, but I haven't been targeted by the state at all. Top of my head, we would avoid talking to state agents and would direct them to our lawyers.

Should we start worrying about being listened to from afar, like via long-range mic? Or is this unnecessary paranoia?

We're also making our social media accounts accessible only to people with trust. We have been using Signal before all this happened, so instant messaging is covered.

Anything else I should look into?

Both Bob and I are personally not involved in any underground activism. My interest in opsec comes from my participating in privacy rights.

I have read the rules.

8 Comments
2024/09/01
10:24 UTC

9

Shortcut to wipe/lock data

Threat model: I'm a private investigator in Seaport, NY, and have sensitive work-related data I want to protect against a disgruntled ex-client or investigation subject confronting me at my office and physically taking my computer. The lock screen pin (quickly hitting control-alt-delete) seems like flimsy protection, because I will usually be logged into my browser password manager, with external hard drives 'unlocked' (e.g. bitlocker or veracrypt password having been entered), and email accounts logged into, etc.

Is there a way to create a keyboard shortcut (say, pressing and holding an unusual key combination for 3 seconds) that can wipe cookies from multiple browsers simultaneously (including "forgetting" the accounts, so they require MFA to re-login), re-lock the encrypted external drive(s), and engage the lock screen (or turn off the computer if that's better)?

I have read the rules.

10 Comments
2024/08/30
12:37 UTC

20

Activist organizing in a hostile environment?

Say hypothetically I'm an activist in an environment with increasingly concerning levels of surveillance. Threat model adversaries include the authoritarian employer, and we have good reason to believe local and federal law enforcement also have eyes on some of our members due to certain political actions gaining far more visibility than expected (some of our organizers have been suspended from their schools or arrested during protests or have done interviews on international news networks to raise awareness about the political suppression).

The added surveillance (a ton of new cameras indoors and outdoors, microphones indoors, and employer has also been caught using indoor cams to spy on employees he finds suspicious) makes activist organizing difficult to do securely.

Thus far, we've found a room without mics and cams (other than a few desktop computers which we unplugged). We've asked that members do not bring electronics to meetings, but provide faraday bags if they bring electronics anyway. I'm thinking we should put the faraday bags in a separate room in case anyone's phone has malware installed so it can't record audio of our meetings. I also check the room for hidden mics before the meeting starts. Notes are taken on paper, then transfered to cryptpad after the meeting to share to the signal thread (a group of 5 or so trusted organizers).

What are some main holes in this procedure? (I know the faraday bags are one, and shouldn't be in the same room as the meeting, but it's like pulling teeth trying to get ppl to separate from their phones for an hour). What should be improved upon? I know there's always the chance we get caught and fired (or possibly arrested bc of the anti-activism laws where we live), and we all knowingly consent to this risk, but i would love to do everything in my power to try to avoid these negative outcomes.

I have read the rules.

25 Comments
2024/08/28
23:55 UTC

5

An example of very bad Opsec

1 Comment
2024/08/28
16:01 UTC

1

Help me ascertain the potential depth of security breach by my roommate

So, last week I made a detailed post that listed the clues to what I suspected a potential remote security breach on my mobile device. Here's a link to that post if you are keen on taking a deeper look into the situation. However, I have summarized that post concisely (below the link) with the help of chatGPT for the readers' convenience.

https://www.reddit.com/r/opsec/s/S91GHoYVWM

Summary of the Reddit Post:

  • Issue: User experienced a data breach with fraudulent transactions on their savings account.
  • Initial Incidents: Unauthorized Interac e-transfers of $499 and $963; suspicious draft email and browser tabs noticed on their Samsung Galaxy S24.
  • Actions Taken: Reset passwords, reported to banks, followed bank instructions to reset the phone.
  • Further Incidents: 10 days later, further attempts to access banking accounts and Remitly app; transactions declined by the bank and the app.
  • Bank's Investigation: Determined the incident occurred from the user's phone and IP address.
  • Uncertainty: User seeks help in understanding whether their banking credentials are compromised or if their phone is hacked despite resetting everything.

Now, I have had experienced further developments which essentially makes the cause crystal clear. Turns out, it was my roommate all along. I moved into this residence just this month. As days passed living with him, I noticed that he takes some kinds of drugs too. Owing to my innocent nature and absence of an encounter with any malevolent individual in my 23 years of life, I foolishly told him my phone and laptop passwords when he asked for them on separate occasions. I have learned the lesson the hard way now by losing out 1500$. Besides, I would like you to not diverge on educating me on my lack of sense of security (already recieved alot), and focus on the more important part written ahead that I would appreciate your feedback on.

So, as explained in the summary, I had changed my passwords and reset the mobile phone and increased my security as much as I could (2FA, strong random generated passwords not saved anywhere, removed biometrics etc.) As a result, the following two-three attempts after the initial attempt were unsuccessful by him.

Now, last night he again tried to access my phone while I was sleeping. By god's grace i got up from sleep at around 3:30 pm when he was in probably in the middle of his process as he was doing something on his iPhone. As soon as I woke up, he went to sleep and told me that my phone was making a sound (he panickedly just said this to divert my attention).

Nevertheless, the new revealing thing that I noticed is that since my phone was locked, the only thing that I, and he probably, could see on notification screen was some notifications. It was just text SMS messages from an unknown number. The content of each of the 5-6 messages was just a plain dot (period). I checked notifications history log for the messages app from settings and found that those messages were sent minutes apart between 2:20 AM and 2:56 AM. The logs also contained something titled 'custom app notification' and the content was 'Messages is doing work in the background'.

Now this is essentially the crux of my post and curiosity that what kind of technique is this? And what's the depth of breach he could do in this way? Relieving news is I have made the homeowners aware of the incidents and have told him to evict the place before this month ends. I have numerous subtle and concrete proofs too, which can be used to get him punished. But I am refraining to file a police report for now in consideration of his future as an international student here in Canada.

[I have read the rules]

2 Comments
2024/08/27
20:10 UTC

2

Question about securing cheap android box

Hey guys, hope you can help me out here, and apologies if this isn't the right place for this. I used to run an android box years ago and recently just bought a cheap box from China for use on our bedroom TV. The box is a Transpeed 8K, Rockchip RK3528 supposedly running Android 13. Now, i know fine well that security wise these things aren't great, but had intentions to run burner accounts with no other uses by myself (hence no personal information). What i didn't realise until just today was the huge Malware concern with these boxes (i have been away from the boxes for years). And so, reading about potential access to all devices on my local network has left me wondering what i could do to try and 'lock it down' and best prevent any unwanted access to my network besides the apps i willinstall personally. My intentions were to run a VPN, private DNS (blocking any extra traffic i don't recognise)/Firewall and if possible, source some alternative firmware if there are any available. So really my question is, would the VPN and firewall be enough to counter these malware claims if i don't use any apps that are preinstalled on this box? Or is there anything further i can do to prevent the box from seeing other devices on my network?

In summary, due to the appearance of malware from Chinese companies, i'm looking to avoid unnecessary data leakage if possible through locking down this device. I am also worried about other devices on my network being accessed (such as cell phones) and crucial information being stolen. I know i've started in the worst place by purchasing one of these 'cheap' boxes but i see it as a kind of project. Especially as i will only be using it very infrequently.

Thanks in advance.

I have read the rules

Edit: added more context of threat model/what i am looking to avoid.

10 Comments
2024/08/27
17:54 UTC

0

Mobile Carrier Claims no Logs - use with VPN question?

I recently filed a SAR to Vodafone. They provided all contract data but I specifically asked for everything regarding data usage.

They replied with the following:

‘Please be advised, Vodafone does not record or store information on which sites or how data was used. Vodafone does also not record IP address due to this being on the device used’

I posted this into the GDPR sub and it was confirmed by a Vodafone network employee.

https://www.reddit.com/r/gdpr/s/tenoW7YpwM

What I’ve been wondering is that if the mobile company actually claims to keep no logs, then what’s the point using a VPN at all? And also if you was to use a VPN over the connection, would they have a record of this if data is not stored.

Found it interesting! What do you think?

I have read the rules

10 Comments
2024/08/21
06:01 UTC

0

Help

i have read the rules, Hi everyone needed some help from you guys

i have read the rules, yesterday i received google alert that someone is trying logging in my google account but stopped f2a and today i received an otp on my phone for mobile wallet which i never used in my life, Is someone seriously trying to scammed me or what?

3 Comments
2024/08/21
03:00 UTC

4

Unable to ascertain the cause and resolution of severe data breach

About a couple of weeks ago, I found out after waking up that there have been fraudulent transactions on my savings account. I opened my emails and saw that there were two informative emails saying that the interac e-transfer requests amounting to $499 and $963 have been successfully deposited.

This is the text:

"The $499.81 (CAD) you sent to Gigadat Inc at gigadat1@orderdeposit.com has been successfully deposited."

Context: Location is Canada. Device is Samsung galaxy S24. The financial institutions involved are Royal Bank of Canada and Canadian Tire Bank. I use the former as my primary bank and the latter one for my credit card.

Other clues that I could find on my Samsung galaxy s24:

  • I noticed a draft email that contained my credit card e-statement. The title was 'I am sending this to you'. I deleted this email hurriedly without being mindful to notice the receipient it was intended for.

*When I opened my chrome browser's tab view I noticed a couple of new tabs. The thumbnail was just plain white so I couldn't see what's the webpages were. But the title was something gibberish and the favicon icon was the interac e-transfer symbol. Again, I quickly deleted those tabs. I still have the browsing history though.

After I concluded that my digital security has been compromised, I reset all my Gmail passwords, banking passwords etc. I went to the bank; they started a formal investigation behind the scenes and told me to get my phone reset. I did as instructed and got my account working the next day.

Now, fast forward to about 10 days, again at around 2 am somebody tried to access both of my banking accounts and the Remitly app (Used for international money transfer). My primary bank system automatically declined them access ( the perpetrators supposedly tried to workaround since my password was changed). I went to the bank branch and got my account working again after a third time changing the password. The perpetrators also tried to log into my Credit card's online banking system but supposedly they couldn't login past the OTP part.

Now this morning, again I saw two emails in my account:

The payment from (my name) to Gigadat Inc for $999.37 on 2024-08-20 was declined - 02-6070.

I called the bank to report it and they said our investigation as of now has determined that the incident happened from your phone and your IP address.

I also noticed that my credit card was added into the Remitly international transfer app and the perpetrators tried to send $670 to some account in India but the Remitly app or my credit credit declined the transaction.

All in all, I cannot determine what exactly am I dealing with. Are my banking credentials compromised. If that's the case, how could they gain access after I reset my passwords and all. OR is my phone hacked or something? I called in Samsung's customer care and the representative basically walked me through a normal device care scan from the phone's settings and since it concluded that there isn't any vulnerability in my phone, the device is fine.

Thus, my propose for this post is that people with relevant knowledge can help me ascertain what is exactly that I am dealing with and what should I do?

[ I have read the Rules ]

13 Comments
2024/08/20
17:52 UTC

Back To Top