<h1>OPSEC: Using the right Technology and Behavior</h1>
<p>OPSEC, or Operational Security, is a process aimed at identifying if your actions can be observed by an adversary. In this context, how good your OPSEC is, determines the level of your privacy and anonymity. </p>
<imgsrc="2.png"class="imgRz">
<p>By default, if you're not careful with the technology you use, your very ability to have privacy and anonymity is not possible. And if your behavior isn't strictly controlled to protect your anonymity while using those technologies, that can also compromise both privacy and anonymity.</p>
<imgsrc="3.png"class="imgRz">
<p>If you wish to have Privacy and Anonymity online, you need to use the correct technologies, and to have the correct behavior when using them.</p>
</div>
</div><!-- /row -->
</div><!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<divid="anon3">
<divclass="container">
<divclass="row">
<divclass="col-lg-8 col-lg-offset-2">
<h2><b>Improve your OPSEC using Technology</b></h2>
<p>The first and foremost step when you wish to protect your OPSEC, is to use the correct technologies that will let you have Privacy (lack of surveillance), and Anonymity (lack of identification). Be sure of one thing; <b>You will never have privacy, nor anonymity until you use the right techonologies</b>.</p>
<p>We're going to cover 6 scenarios into which Bob tries to be anonymous online, as you will see, Bob's level of privacy and anonymity will vary greatly, based on what technologies he uses to access and use his account on nowhere.com</p>
</br></br>
<p><b>Scenario 1: Closed source software, and no protection</b></p>
<imgsrc="4.png"class="imgRz">
<u>Technology used:</u>
<ol>
<li><p>Host OS: Windows (closed source)</p></li>
<li><p>Web Browser: google chrome (closed source)</p></li>
<li><p>Internet Connection: direct connection via his Internet service provider</p></li>
</ol>
<u>Actions:</u>
<ol>
<li><p>Bob uses his windows OS to open his web browser</p></li>
<li><p>Bob uses the google chrome web browser to access nowhere.com</p></li>
<li><p>Bob goes on nowhere.com and creates an account </p></li>
<li><p>Bob logs on his account and posts a comment</p></li>
</ol>
<u>Consequences:</u>
<ol>
<li><p>Microsoft is aware of everything that Bob did with his windows OS</p></li>
<li><p>Google is aware of everything that Bob did with his chrome web browser</p></li>
<li><p>Bob's ISP is aware that Bob went on nowhere.com </p></li>
<li><p>the nowhere.com admins sees that Bob's home IP address logged into the account and posted a comment</p></li>
</ol>
<p><u>Summary:</u> Bob posted a comment on nowhere.com <b>and Microsoft; Google; his ISP; and the nowhere.com admins are all aware that it is Bob that did it. Bob has no privacy, and no anonymity whatsoever.</b></p>
</br></br>
<p><b>Scenario 2: Closed source software, and using a VPN</b></p>
<imgsrc="5.png"class="imgRz">
<u>Technology used:</u>
<ol>
<li><p>Host OS: Windows (closed source)</p></li>
<li><p>Web Browser: google chrome (closed source)</p></li>
<li><p>Internet Connection: using a VPN</p></li>
</ol>
<u>Actions:</u>
<ol>
<li><p>Bob uses his windows OS to open his vpn connection</p></li>
<li><p>Bob, once connected via his VPN, opens his google chrome web browser</p></li>
<li><p>Bob uses the google chrome web browser to access nowhere.com</p></li>
<li><p>Bob goes on nowhere.com and creates an account </p></li>
<li><p>Bob logs on his account and posts a comment</p></li>
</ol>
<u>Consequences:</u>
<ol>
<li><p>Microsoft is aware of everything that Bob did with his windows OS</p></li>
<li><p>Google is aware of everything that Bob did with his chrome web browser</p></li>
<li><p>Bob's ISP is only aware that Bob connected to his VPN provider. </p></li>
<li><p>the VPN provider sees that Bob's home IP address connected to the service, and that Bob connected to nowhere.com</p></li>
<li><p>the nowhere.com admins sees that the VPN IP address logged into the account and posted a comment</p></li>
</ol>
<p><u>Summary:</u> Bob posted a comment on nowhere.com and Microsoft and Google are aware that it is Bob that did it, the VPN provider knows that Bob connected to nowhere.com, and the nowhere.com admins see that a VPN IP logged on the account and posted the comment. <b>Bob has only managed to gain privacy from his ISP, but he has only shifted the issue to his VPN provider. Bob still has no privacy, and no anonymity whatsoever.</b></p>
<p></p>
</br></br>
<p><b>Scenario 3: Open source software, and a VPN</b></p>
<li><p>Bob uses his debian OS to open his vpn connection</p></li>
<li><p>Bob, once connected via his VPN, opens his firefox web browser</p></li>
<li><p>Bob uses the firefox web browser to access nowhere.com</p></li>
<li><p>Bob goes on nowhere.com and creates an account </p></li>
<li><p>Bob logs on his account and posts a comment</p></li>
</ol>
<u>Consequences:</u>
<ol>
<li><p>Only Bob can know what he did with his linux OS</p></li>
<li><p>Only Bob can know what he did with his firefox web browser</p></li>
<li><p>Bob's ISP is only aware that Bob connected to his VPN provider. </p></li>
<li><p>the VPN provider sees that Bob's home IP address connected to the service, and that Bob connected to nowhere.com</p></li>
<li><p>the nowhere.com admins sees that the VPN IP address logged into the account and posted a comment</p></li>
</ol>
<p><u>Summary:</u> Bob posted a comment on nowhere.com, his VPN provider knows that he connected to nowhere.com, and the nowhere.com admins are aware that someone used a VPN to do it. <b>Bob has managed to gain privacy from his ISP, but also from the companies that spied on him while he was using closed source software</b> (microsoft and google in this case), however <b>Bob is still being spied on by his VPN provider, and he has no anonymity whatsoever.</b></p>
</br></br>
<p><b>Scenario 4: Open source software, and Tor</b></p>
<imgsrc="7.png"class="imgRz">
<u>Technology used:</u>
<ol>
<li><p>Host OS: Linux (open source)</p></li>
<li><p>Web Browser: Tor browser (open source)</p></li>
<li><p>Internet Connection: direct via ISP</p></li>
</ol>
<u>Actions:</u>
<ol>
<li><p>Bob uses his debian OS to open his tor web browser</p></li>
<li><p>Bob uses the tor web browser to access nowhere.com</p></li>
<li><p>Bob goes on nowhere.com and creates an account </p></li>
<li><p>Bob logs on his account and posts a comment</p></li>
</ol>
<u>Consequences:</u>
<ol>
<li><p>Only Bob can know what he did with his linux OS</p></li>
<li><p>Only Bob can know what he did with his tor web browser</p></li>
<li><p>Bob's ISP is only aware that Bob used Tor. </p></li>
<li><p>The tor entry node sees that Bob's home IP has connected, but cant tell where he tried to connect. </li></p>
<li><p>The tor middle node doesn't know who's connecting, nor where it's connecting. </li></p>
<li><p>The tor exit node doesn't know who's connecting, but knows that the traffic is going to nowhere.com (There is a very low chance that all 3 tor nodes (entry, middle and exit) collaborate to see that Bob's home IP address connected to nowhere.com)</p></li>
<li><p>the nowhere.com admins sees that a Tor exit node IP has logged into the account and posted a comment</p></li>
</ol>
<p><u>Summary:</u> Bob posted a comment on nowhere.com, and there is only a very low chance that an adversary knows that he connected to nowhere.com, and the nowhere.com admins are only aware that someone used Tor to do it. <b>Bob has managed to gain privacy, and has posted the comment anonymously. Bob's ISP knows that he used tor, but he doesn't know what he did with it.</b> the nowhere.com admins know that someone used tor to post a comment, but they don't know who did it.</p>
</div>
</div><!-- /row -->
</div><!-- /container -->
</div><!-- /white -->
<divid="anon2">
<divclass="container">
<divclass="row">
<divclass="col-lg-8 col-lg-offset-2">
<h2><b>Improve your OPSEC with your behavior</b></h2>
<p>Now, you are Bob, and you have decided that you would maintain your anonymity online for your use of nowhere.com as detailed in scenario 6 above: you use open source technology, and you use the tor browser.</p>
<p>You have implemented all the correct technologies as explained above and you have created your account on nowhere.com anonymously.</p>
<p>But still, <b>you may deanonymize yourself by having the wrong behavior with your actions!</b></p>
<imgsrc="8.png"class="imgRz">
</br></br>
<p><b>Scenario 1: Self-Identification</b></p>
<imgsrc="9.png"class="imgRz">
<p>Situation: Bob has an account on nowhere.com</p>
<ol>
<li><p>Bob registered his account via Tor on nowhere.com</p></li>
<li><p>Bob mentionned his real life name into the information of his account</p></li>
<li><p>Bob mentionned where he lived on the account information too.</p></li>
</ol>
<p><u>Summary:</u> Bob deanonymized himself by his actions, despite using the correct technology. He identified himself (or KYC'd himself) on nowhere.com</p>
</br></br>
<p><b>Scenario 2: Pseudonymity</b></p>
<imgsrc="10.png"class="imgRz">
<p>Situation: Bob has an account on nowhere.com</p>
<ol>
<li><p>Bob registered his account via Tor on nowhere.com</p></li>
<li><p>Bob uses a pseudonym into the information of his account</p></li>
<li><p>Bob mentionned that his pseudonym lived in wonderland.</p></li>
</ol>
<p><u>Summary:</u> Bob used the right technology, and then on the website he uses a pseudonym, and mentionned random useless information about his pseudonym. For now his anonymity is preserved.</p>
</br></br>
<p><b>Scenario 3: When pseudonymity goes wrong</b></p>
<imgsrc="11.png"class="imgRz">
<p>Situation: Bob has an account on nowhere.com</p>
<ol>
<li><p>Bob registered his account via Tor on nowhere.com</p></li>
<li><p>Bob uses a pseudonym into the information of his account</p></li>
<li><p>Bob used this account to talk into many conversations over the years, and has built up a big reputation.</p></li>
<li><p>Bob is drunk one night, and accidentally mentionned his real life name online.</p></li>
</ol>
<p><u>Summary:</u> Bob used the right technology, and then on the website he used a pseudonym successfully for a few years, his anonymity was preserved all this time up until he got drunk and accidentally revealed who he was. From there, Bob can no longer be anonymous using that pseudonym.</p>
</br></br>
<p><b>Scenario 4: Anonymity: when reputation doesn't matter</b></p>
<imgsrc="12.png"class="imgRz">
<p>Situation: Bob has an account on nowhere.com</p>
<ol>
<li><p>Bob regularly registers accounts via Tor on nowhere.com</p></li>
<li><p>Bob enters different random names into the information of his accounts</p></li>
<li><p>Bob stricly uses those accounts only for specific purposes.</p></li>
<li><p>Bob talks into many conversations over the years, but using different accounts every week/month.</p></li>
<li><p>Bob is never drunk when in front of the keyboard, and he is always careful to reveal nothing about his real life identity.</p></li>
</ol>
<p><u>Summary:</u> Bob uses the right technology, and then on the website he preserves his anonymity by never revealing who he is, and by keeping multiple accounts on the same service for specific usecases, and only for limited amounts of time. In this case, Bob maintains anonymity without getting popular.</p>