The OpSec Manual
Operator? Get me long distance
Hi gang. It’s been a hot minute since my last post, so I thought I would share something that’s very important for us anonymous folks. Today we will discuss Operational Security also known as opsec.
If you really care about opsec, I would bookmark this post. It is a bit autistic in detail.
What
Opsec is the act of maintaining security while on any sort of social platform, this includes, but is not limited to, social media, social publications (like this one), forums, even in-person events.
There are levels of opsec that are required depending on the user’s need. I, for example, aim to be as anonymous as possible, yet I must share some things that I know in order to A: draw a following and B: draw a profit. Therefore, I need to be extra careful about my opsec when it comes to what I share, namely, what I do for a living and what I learn from it.
Opsec breaches come from 2 ways. You either do it on purpose to either be a part of a conversation or to share something interesting, or you do it by accident e.g. by falling for some lame social engineering scheme. I’ll provide an example of the latter when we get to the actual manual part of this post because I’m assuming that you’re reading this because you want to be safe and anonymous on the internet.
Opsec breaches can sometimes be harmless given how you behave on the internet. If you’re a sweet old woman who shares her life stories, I don’t think anyone would ever want to hurt you if you share your name and where you live. Just don’t poke the hornets nest of politics Twitter, ever.
I’ll break anonymity down into 3 real “groups”.
Group 1
Group 1 is the kind of people that share absolutely nothing about themselves or what they do. They share 1, maybe 2 fields of information from their niche, but other than that, they share zero personal information. It’s only business for them There are several BowTied people that fall in this group. To list a few, there is BowTiedMahi, BowTiedUM/BowTiedBiohacker, BowTiedHitman, and of course BowTiedBull.
Group 2
Group 2 is similar to group 1, yet they oftentimes share personal stories, anecdotes, and similar. You might know what state they live it or at least their region, perhaps at least their time zone, maybe even their first name. They opt to remain anonymous yet leak out a few personal bits of information that may or may not be identifiable. They also might also offer services that involve addresses/postage, and you might know what region/state/city they’re from, even if they use a PO box nearby.
Group 3
Group 3 is anonymous people that don’t seem to care much about the anonymity part. They share what happened at work yesterday, what they do for a living, what state their in, maybe even their city, and they also share photos of places nearby. In most cases that I’ve observed, these people are harmless and don’t usually share anything that might alert the letter people, however they are running a high risk of being identified by angry people on the internet. Given enough time and effort, Group 3 people can be identified, but they might not be too worried about that.
The Manual
Here I will list as many avenues of Personal Identified Information (PII) that can be accidentally or intentionally given out. I will also list a risk factor for each bit or group of bits on a scale of 1-10, with 10 being very bad. This will be in order of autism, starting with the least.
Note that breaking just 1 of these is not a death sentence. Each nugget of information that you give out synergizes with the next and shrinks the pool of people that you could possibly be.
Before I begin, quick disclaimer:
This opsec guide and associated risk factors are my opinion. I am not responsible for any opsec breaches that you or someone you know might induce after reading this. You are responsible for your own security on the internet. Please be careful 😇.
Your Age
No one needs to know how old you are. That isn’t interesting. No one (who is in your best interest) really cares, unless they want to see if you’re just a stupid kid in which case they’ll disregard you anyways.
Do not fall for these awful attempts at social engineering:
No one cares about that! Look at all the comments!!! One of those is even an advertisement 😢.
To addend to this, avoid sharing your birthday as well. I did the math for you here.
https://twitter.com/BowTiedCrawfish/status/1688204536446357504?s=20
Do not share birthdays (8/10) and avoid sharing your age (5/10).
Age ranges are less concerning since that muddies the waters a bit. You should still try to avoid that, but do be careful if you do. If we’re going on a 10-year range (e.g. 20-30), this is more of a 3/10.
Your Name
I can understand this one if you have a weird or crazy username or you want your followers/readers to have a more personal relationship with you, but do try to avoid this if you can. This is also worse if you have a cool/unique name such like “Callonetta” or “Bartholomew”. This also works in tandem with your age/birth date.
Ryan, born 8/25/1993
Not very many people named Ryan born on that exact date, yaknow.
First (and/or middle) are a 6/10.
Last names are a 10/10. Seriously, what are you thinking putting your last name? Maybe if it was “Smith” or something, I might be okay with it, but still. What the heck?
Pictures
This is pretty obvious but from I’ve seen some people do a decent job of redacting what needs to be redacted (e.g. “post fizeek”).
Opsec breaches can vary severely depending on the type of photo that’s taken. If you are on a trip and share a photo of where you are, such as Rome, Italy, then your opsec breach is more for your acute safety, rather than a long-term security breach (e.g. your neighborhood). The security breach also varies depending on what is in the photo. I’ll list as many PII as I can think of here.
Note that photos can be geotagged (!), but this appears to be disabled by default in most phones.
Identifiable information from pictures:
People, places, things
Faces can be recognized, so can places, even things! This kind of sums it all up, so I’ll be more specific. Redact as much as you can if you’re sharing a photo.
People
Even if you “emoji-out” your face, you still have a lot present that can acutely identify you. Namely, your clothes, your body structure, and also your jewelry.
If it’s a video, you can even be identified based on the way you walk. Casino CCTVs do this to identify individuals who enter/exit their buildings.
Street signs and buildings
If you’re in a popular intersection of Chicago, someone might know exactly where you are given your photograph. Whereas, if you’re on a street called “Oak Street” you might be in the clear. It truly depends on the popularity/business of the area.
Please don’t share a picture of your house or anywhere in your immediate neighborhood.
Don’t forget license plates!
Celestial navigation
If you take a picture of the sunset over the water on a beach, then you are either in 1 of 2 (3) places.
California
West coast Florida (most likely near Tampa)
Not America
This is because the sun sets in the west, right? A most likely unintentional opsec breach.
Add in some nearby buildings, and you might be in trouble.
You can identify the approximate longitudinal location of pictures if you know the approximate/exact time it was taken, which is often present in image metadata (we discussed this once before) and figure out the approximate angle of the sun. This one is for the true autists.
Grass
I will refuse to elaborate and instead link this.
Photo PII work in tandem similar to opsec PII as a whole, but it’s difficult to gauge a risk factor of photos in general. Yet, you should now know the dangers of what you are leaking on the internet (???/10).
Your Job
I think you all know that I’m a software engineer, but if you have a more niche job or you share a lot about what happens at your job, you might be leaking too much PII.
You can of course share stories if they’re common/harmless/could happen to anyone, but as always, be careful.
Your behavior on the internet matters the most here. If you’re a complete asshole in one of your “work stories” the backlash could be bad. Don’t badmouth your job or your coworkers anonymously on the internet. Even if you don’t get caught, karma is a thing yaknow.
Job sharing is more of a problem after you get a bad opsec breach/doxed. Because then the doxer can go right up to your employer and get you sacked. Not good.
Also, do not violate your NDA anonymously on the internet.
Your job can get you identified if you frequently share stories around the same time in which they happen. Someone can think “hey wait, I heard my buddy Troy talking about this at his job the other day”. All it takes is a loose-lipped local to get you doxed through your work.
The danger of sharing work PII varies, but, on average, no one needs to know about Becky from HR or how your intern misspelled your name on his report. Those stories really aren’t that necessary to share (4/10).
Time
Time is on your side, or is it?
In acute security instances, you should always live in the past. I know you want to share that picture of Times Square, but you should wait until after you get back from your trip to do so. Even if someone figures out where you are (were) from a photo or story from your trip, you won’t be in danger since you aren’t there anymore.
Time is also a double-edged sword. Over the course of months and years, you can leak a small, small amount of PII, but it adds up over time. If someone is truly dedicated and is archiving everything you say, they could eventually dox you. The hard part about this is that if your social media posts are being archived, deleting them won’t do you any good.
Time works in tandem (once again) with everything that I’ve mentioned before this.
Fun fact: moving to a new city is a great opsec move 😁.
Business
I briefly mentioned this at the beginning of this post, but to work a business online, you need to expose quite a bit of PII to get things to work (and to keep things legal).
If you want an anonymous business, get an anonymous LLC in a state that allows it and have a different person register it.
If you deal with anything physical (i.e. shipping), get a PO box. Or don’t put a return address? I guess you can do that.
(???/10)
This post was a bit heavy. But maybe you learned a thing or 2.
Go!
-BowTiedCrawfish