I've updated the OPSEC guide to include a section on EXIF (metadata), the government, cryptocurrency, what to do if you have poor OPSEC and a TL;DR for people who have ADHD. Please read through it and let me know what you think. Thanks!
https://nicecrew.digital/about/safety
https://nicecrew.digital/about/safety
@matty Not a bad guide but here's some important shit I've learned online.
The most important rule of Opsec IMO is to always have some sort of fear. Don't get too cocky like the idiot on Poast who made the post with all his alts. In fact if you want to really be paranoid here's a good trick: make every post as if it'd have your real name and photo attached to it even though you're not in this case. If you have a career that could be on the line from posting, think twice about posting or posting anything like real life experiences.
To add to this, if you think "oh there's no way XYZ will come for me what do I have to hide", you're exactly the kind of low hanging fruit that would use your email to ask for help running a darkweb market or showing up at a political protest without a mask AND carrying your cell phone or something.
It should be added in that Encrypted messaging apps won't save you from two different scenarios. The first is you're sloppy with opsec and talking to someone who is baiting you into saying dumb shit or ratting you out behind the scenes (this is how Vertias was good at getting results). The second is the thing the XKCD comic on encryption that techbros keep posting satirized. Recently the FBI got a court order to unlock the phone of a pedophile using Wickr using his face. Or maybe they'll do the same with the other guy's phone.
Doxing is game of putting together a puzzle and they will use anything to dox you. People bring up photos all the time in this thread but I'll add another, one very common thing that feds and amateurs have used online are timestamps, such as using it to identify if the writer of malware is Russian, Chinese, American, or Israeli. The theory that 4chan is flooded by Israeli shills is fueled by the timestamps of when the people post or how when Israel was getting shelled posting slowed down. This is also what federal agents do as well to unmask people online, they take advantage of every single slip up. For example:
Don't just strip one piece of EXIF data but all pieces of it. I know the UK caught one notorious pedophile as well by using Flickr to see what photos were taken with a specific model of an Olympus camera in a country. Maybe also use a different camera for posting online to avoid being traced back with say, dead sensor pixels/dust spots in the sensor.
Big tech will dox you, and the same goes with your cell phone. See the guy who sent Kurt Eichenwald the famous gif. But I can go one better.
NEVER TRUST GOOGLE! Aside from numerous leaks, a Wired article talked about how Google has helped create political prisoners out of boomers. In 2018 it was revealed Google monitors location data when it's set to "off". Even Google Employees don't get their own settings or trust Google, and think Chrome's private mode is a joke. That's not even getting into the political stance of the company which is that they hate you and think it's funny.
The most important rule of Opsec IMO is to always have some sort of fear. Don't get too cocky like the idiot on Poast who made the post with all his alts. In fact if you want to really be paranoid here's a good trick: make every post as if it'd have your real name and photo attached to it even though you're not in this case. If you have a career that could be on the line from posting, think twice about posting or posting anything like real life experiences.
To add to this, if you think "oh there's no way XYZ will come for me what do I have to hide", you're exactly the kind of low hanging fruit that would use your email to ask for help running a darkweb market or showing up at a political protest without a mask AND carrying your cell phone or something.
It should be added in that Encrypted messaging apps won't save you from two different scenarios. The first is you're sloppy with opsec and talking to someone who is baiting you into saying dumb shit or ratting you out behind the scenes (this is how Vertias was good at getting results). The second is the thing the XKCD comic on encryption that techbros keep posting satirized. Recently the FBI got a court order to unlock the phone of a pedophile using Wickr using his face. Or maybe they'll do the same with the other guy's phone.
Doxing is game of putting together a puzzle and they will use anything to dox you. People bring up photos all the time in this thread but I'll add another, one very common thing that feds and amateurs have used online are timestamps, such as using it to identify if the writer of malware is Russian, Chinese, American, or Israeli. The theory that 4chan is flooded by Israeli shills is fueled by the timestamps of when the people post or how when Israel was getting shelled posting slowed down. This is also what federal agents do as well to unmask people online, they take advantage of every single slip up. For example:
Don't just strip one piece of EXIF data but all pieces of it. I know the UK caught one notorious pedophile as well by using Flickr to see what photos were taken with a specific model of an Olympus camera in a country. Maybe also use a different camera for posting online to avoid being traced back with say, dead sensor pixels/dust spots in the sensor.
Big tech will dox you, and the same goes with your cell phone. See the guy who sent Kurt Eichenwald the famous gif. But I can go one better.
NEVER TRUST GOOGLE! Aside from numerous leaks, a Wired article talked about how Google has helped create political prisoners out of boomers. In 2018 it was revealed Google monitors location data when it's set to "off". Even Google Employees don't get their own settings or trust Google, and think Chrome's private mode is a joke. That's not even getting into the political stance of the company which is that they hate you and think it's funny.
Furries are the worst offender at this IMO.