In this tutorial we're going to explore how you can audit your own level of Operational Security (also known as opsec), using the following 6 parameters: Complexity, Transparency, Surveillance, Centralisation, Onymity, and Deniability. The goal is to determine the level of Privacy, Anonymity and Deniability of your operations online, so that you know what you can do safely.
Based on those, we are able to determine the most appropriate Internet use.
Auditing your own OPSEC is an essential skill that you must possess. We're going to audit the 4 different setups below, to determine where they fit.
To do so, we are going to simplify it down to 4 OPSEC levels: Public, Private, Anonymous and Sensitive.
Sidenote: If your setup is suitable only for public internet use, you CANNOT use it for any private use, and so on.
Complexity: Bob didn't put in any effort. He bought his PC with Windows pre-installed, and he used it as it was.
Transparency: Bob uses Windows as a host OS, and Google Chrome as his web browser. Both are closed-source, so he does not know what his software is doing.
Surveillance: Since Bob uses closed-source software, he is under constant surveillance while using his computer.
Centralisation: Bob uses popular services that are centralised in nature. He depends on the goodwill of others to use their services.
Onymity: Because there is no privacy, anonymity is impossible for Bob.
Deniability: Bob cannot deny anything that he's doing on his computer, as he is under constant surveillance, without any possibility of anonymity.
Conclusion: Bob's setup is suitable only for Public internet use, as he is under constant surveillance while using it.
Complexity: Alice has put some effort into her current setup. She is willing to go out of her comfort zone to improve her OPSEC.
Transparency: Alice only uses open source software (Linux and Firefox). She can see from the source code that it only does what it should do.
Surveillance: Alice has verified that the open source software that she was using wasn't spying on her.
Centralisation: Alice is starting to move away from centralised services. She's looking at other alternatives, but they are still centralised.
Onymity: Alice is exploring anonymity, but through a pseudonym online, she is not anonymous yet.
Deniability: Alice cannot deny that she has used her current setup.
Conclusion: Alice's setup is suitable for Private use, as she managed to remove surveillance from her setup.
Complexity: Charlie is willing to go to great lengths to improve his OPSEC.
Transparency: Charlie only uses open source software; that way he knows that the software he uses only does what he wants it to do.
Surveillance: Charlie has verified that the software he is using is not surveilling what he's doing.
Centralisation: Charlie has moved away from centralised services, and is using their decentralised counterparts from the fediverse.
Onymity: Charlie is anonymous online, thanks to his use of the Tor network through Whonix and Tor Browser.
Deniability: Charlie, thanks to his use of anonymity technologies, may be able to deny that he has used this setup depending on the context. However, if an adversary gets physical access to his computer, he won't be able to deny that he has ever used it.
Conclusion: Charlie's setup is suitable for Anonymous use, as he managed to implement anonymity technologies into his setup.
Complexity: Dave is willing to go to great lengths to improve his OPSEC.
Transparency: Dave only uses open source software; that way he knows that the software he uses only does what he wants it to do.
Surveillance: Dave has verified that the software he is using is not surveilling what he's doing.
Centralisation: Dave has moved away from centralised services, and is using their decentralised counterparts from the fediverse.
Onymity: Dave is anonymous online, thanks to his use of the Tor network through Whonix and Tor Browser.
Deniability: Dave can deny that he has committed any anonymous activity, because the VM he uses is inside a VeraCrypt hidden volume, the existence of which he can deny.
Conclusion: Dave's setup is suitable for Sensitive use, as he managed to implement plausible deniability on top of anonymity technologies into his setup.
As you can see, the higher the opsec level, the more complexity one must be willing to bear in order to increase their own operational security.
Take the 6 parameters into account before using a specific setup for a kind of internet usage it is not suited to. If you want to have all 4 of those setups at once, check out my tutorial on VM-based internet usage segmentation.
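The audit walked through above for Bob, Alice, Charlie and Dave can be written as a cumulative checklist. This is an added example, not code from the original tutorial: the field names, the `GATES` table and the `TOR_ON_WINDOWS` setup are constructed here, and it assumes the three gates are exactly the reasons given in the four conclusions, with Complexity and Centralisation recorded but not gating.

```python
from dataclasses import dataclass

LEVELS = ["Public", "Private", "Anonymous", "Sensitive"]  # lowest first

@dataclass
class Setup:
    name: str
    open_source: bool        # Transparency: all software is open source
    surveillance_free: bool  # Surveillance: verified that nothing is spying
    decentralised: bool      # Centralisation: recorded, not a gate (assumption)
    anonymous: bool          # Onymity: False for a real name or a pseudonym
    deniable: bool           # Deniability: use of the setup can be denied

# Gates are cumulative: failing an earlier one caps the level even if a
# later one passes ("because there is no privacy, anonymity is impossible").
GATES = [
    ("Private", lambda s: s.open_source and s.surveillance_free,
     "Transparency/Surveillance"),
    ("Anonymous", lambda s: s.anonymous, "Onymity"),
    ("Sensitive", lambda s: s.deniable, "Deniability"),
]

def audit(setup):
    """Return (level, blocker): the level reached and what blocks the next one."""
    level = "Public"
    for name, passes, parameter in GATES:
        if not passes(setup):
            return level, parameter
        level = name
    return level, None

def exceeds_level(setup, intended_use):
    """Sidenote rule: True when the intended use is above the audited level."""
    level, _ = audit(setup)
    return LEVELS.index(intended_use) > LEVELS.index(level)

# The four setups from the walkthrough, encoded from their descriptions.
BOB = Setup("Bob", False, False, False, False, False)
ALICE = Setup("Alice", True, True, False, False, False)
CHARLIE = Setup("Charlie", True, True, True, True, False)
DAVE = Setup("Dave", True, True, True, True, True)
# Constructed case: Tor Browser on a closed-source host OS.
TOR_ON_WINDOWS = Setup("Tor on Windows", False, False, False, True, False)

if __name__ == "__main__":
    for s in (BOB, ALICE, CHARLIE, DAVE, TOR_ON_WINDOWS):
        level, blocker = audit(s)
        print(f"{s.name}: {level}" + (f", blocked by {blocker}" if blocker else ""))
```

The blocker returned for each setup names the parameter to work on next before the setup can be used one level higher.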
Contact: nihilist@nowhere.moe (PGP)