4 thoughts on “Assist an Independent Journalist in Thriving”
Congratulations on your first post in r/opsec! OPSEC is a mindset and thought process, not a single solution — meaning, when asking a question it’s a good idea to word it in a way that allows others to teach you the mindset rather than a single solution.
Here’s an example of a bad question that is far too vague to explain the threat model first:
> I want to stay safe on the internet. Which browser should I use?
Here’s an example of a good question that explains the threat model without giving too much private information:
> I don’t want to have anyone find my home address on the internet while I use it. Will using a particular browser help me?
Here’s a bad answer (it depends on trusting that user entirely and doesn’t help you learn anything on your own) that you should report immediately:
> You should use X browser because it is the most secure.
Here’s a good answer that explains why it’s good for your specific threat model and also teaches the mindset of OPSEC:
> Y browser has a function that warns you from accidentally sharing your home address on forms, but ultimately this is up to you to control by being vigilant and no single tool or solution will ever be a silver bullet for security. If you follow this, technically you can use any browser!
If you see anyone offering advice that doesn’t feel like it is giving you the tools to make your *own* decisions and rather pushing you to a specific tool as a solution, feel free to report them. Giving advice in the form of a “silver bullet solution” is a bannable offense.
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/opsec) if you have any questions or concerns.*
You might want to use GIMP or more privacy-friendly alternatives. Adobe suite inherently is a privacy-invasive ~~software~~ service. You are only making your life much more difficult than it has to be by using this. For example, it’s very possible it fingerprints devices for piracy and data collection. Even if you contained it in a VM, to get any decent performance you’ll need to pass through a GPU; at this point Adobe has your GPU hardware IDs.
You will also need to make sure that in the container/VM each software you install is spyware out to get you. So do not contaminate your aliases by using your personal Adobe subscription. Heck, don’t even ever type your real email, name or any other info in this VM.
You will also need to learn about data forensics. For example, did you know that if you use the Windows Snipping Tool to take a screenshot and save your image as JPEG instead of PNG, it’ll include your Windows user name in the image metadata, which in most cases is your real name? All these stupid quirks would be very hard to defend against. So you should 100% try to minimize non-plain-text content that you publish. Or find forensics-resistant content/file types and stick to them.
Remember, the two deadly sins of opsec are alias contamination and a loud mouth. Check out DEF CON conferences on YouTube for more info.
Use FDE with boot drive encryption (most OSes don’t do this by default). Use a long password and use a YubiKey in static mode to add another variable to it. Turn off your system whenever you are not using it. Carry your YubiKey with you at all times.
If hardware gets seized, they will need the password that only you know and the YubiKey that only you have (which hopefully you have destroyed at the first sign of trouble).
Also go on the hardwareswap subreddit and buy hardware with cash, just to be sure that even if shit goes wrong they don’t have your real purchases.
Opsec is no opsec if you don’t have a contingency plan. Make plans for when opsec has failed you and your next steps.
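A pre-publication check for the image-metadata point raised in the thread, as an added example that is not from any commenter: it lists the metadata-bearing segments (APPn, COM) in a JPEG and produces a copy without the ones on a drop list. The drop list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

DROP = {0xE1, 0xED, 0xFE}  # assumed drop list: APP1 (Exif/XMP), APP13 (Photoshop/IPTC), COM

def segments(data: bytes):
    """Yield (marker, start, end) for each header segment, stopping after SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:  # SOS: compressed pixel data follows
            return
        pos += 2 + length

def report(data: bytes):
    """List every APPn/COM segment as (marker, size, printable preview)."""
    found = []
    for marker, start, end in segments(data):
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in data[start + 4:end][:48])
            found.append((f"0x{marker:02X}", end - start, text))
    return found

def strip(data: bytes) -> bytes:
    """Copy the file without DROP segments; image data is left untouched."""
    out, last = bytearray(b"\xff\xd8"), 2
    for marker, start, end in segments(data):
        if marker not in DROP:
            out += data[start:end]
        last = end
    return bytes(out) + data[last:]

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JPEG header structure only (not a decodable picture).
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:author>EXAMPLE-USER</x:author>")
          + _seg(0xFE, b"constructed comment")
          + _seg(0xDA, b"\x00") + b"\x12\x34\xff\xd9")

if __name__ == "__main__":
    print(report(SAMPLE)); print(report(strip(SAMPLE)))
```

Segments outside the drop list (for example APP2 colour profiles) are reported but kept, so review the report output before deciding a file is clean.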
VPN > Tor > VPN is not a good idea. You should stick to Tor only if it is allowed in your country. If VPNs are allowed in your country but not Tor, you should use Mullvad or a different well-trusted privacy VPN to connect to Tor, or you should use bridges on public Wi-Fi. Consider reading r/TorwithVPN and the Tor developers’ discussion on this.
Qubes is a good idea. You should consider reading through the entirety of [https://www.whonix.org/wiki/Documentation](https://www.whonix.org/wiki/Documentation) in my opinion. If not, you should read the sections on metadata and staying anonymous at a minimum. You should also under no circumstances be using non-freedom software for anything you are doing. Other users have given you some good suggestions so I won’t reiterate.
You say spoofed browser fingerprint, and I want to make sure you know not to make it unique; instead you need to blend in. That’s why everyone always says don’t touch any of the settings in the Tor Browser except disabling JavaScript if you can. Mullvad Browser is a recent development that helps you blend in without getting the slow speeds of Tor, which has been real nice.
https://github.com/freedomofpress/dangerzone has been a great tool to use as an added layer of defense. Definitely check out this user’s other projects, as you can tell by the user’s name that they are made for journalists.
Good luck and stay safe.