What the [insert word here] is OpSec

The sooner you start practising OpSec, the less you’ll need to shovel/do in the future.

You’ve read the definition, right? Here it is again…

Information is like a car, it can get you places or it can be used to run someone over.

OpSec is a process where you:

  1. Review your information
  2. Identify what information could be used against you.
  3. Take steps to make sure that information is tucked away or will never see the light of day.
  4. Rinse/repeat

OpSec is not cheap but there are ground rules depending on your appetite for risk.
Remember: OpSec can be used for good and for evil, have good karma, use this information for good.


A few definitions

OpSec: Operational Security: an art used to stop/limit pieces of the target’s information that can be collected by The Enemy.
Enemy: Anyone with intent of making your life a living hell
Information: Piece of a puzzle that can be used by The Enemy to come up with a profile about you. Could be personal information or information that can be used to help narrow down a search.
Hell: extortion, fraud, stalking, harassment, and any other bad thing you can think of
Target: you, your family, friends, etc
Consequence: stress, recovery, damage control, any appropriate mop up operation
Risk: level of comfort one can take before going crazy
Burn ‘stuff’: Communication devices that you can toss if you are experiencing too much heat in the kitchen.
SocEng: Social Engineering: Tech term for a person with good communication skills (or good hacker) or con artist (or bad hacker) to get information for some sort of gain.
White Hat: Good hacker
Grey Hat: Somewhat in the middle hacker
Black Hat: Bad hacker
Motive: a personal goal, depends on how bad you are. Badness varies on scale to bad to oh s..t!
Targeted Attack: an attack tailored specifically for you.

This list is updated regularly, stay tuned for more.

Intro: Laymans guide to OpSec

The first blog is always the sweetest.

Q: Why are you doing this blog?
A: Dealing with these situations first hand and having the battle scars, is enough to get this show on the road. If this blog is able to help someone sleep at night, it brings me good karma.
We live in the times where anonymity/abstraction is easily accessible, freedom of information is encouraged along with a strong lack of ownership equates to the mishandling/abuse to what used to be our right to privacy.

Organizations that want to use our personal information, should take steps to protect it.

As individuals, we should/must also be responsible of our personal information just as much as we would be cautious with where we put our cash.

Q: What is OpSec
A: OpSec: Also known as Operational Security: an art used to stop/limit pieces of the target’s information that can be collected by The Enemy. The aim is to make it very very difficult to find, trace, track, etc you.

Q: Why OpSec and not some other things like Anti Virus, etc.
A: OpSec is a *preventative* measure. Once someone knows where you live, unless if you live in a motor home, you can’t just ‘move house’. If there are ways to limit the flow of information, it makes it *harder* for The Enemy to find you. Anti Virus, etc is ‘part’ of a much bigger solution.

Q: How  does OpSec tie in with the bigger picture:
A: You -> information -> disclosure -> enemy -> recon -> target -> old school crime/issue (harassment, theft, etc) -> pain and suffering for target -> loss of sanity. OpSec starts at the information stage.

Q: Care to share some stories?
A: I would but only in person, I’ve had loved ones where in hindsight, could have been spared the pain through communication and awareness about the importance of ‘information management’. Stalking, theft and harassment are some of the cases I’ve worked on.

Q: Information blah, so what, I don’t work for a big company, doesn’t apply to me?
A: hummm…yes it does. Let’s have a (overly simplistic) quick example, if your pet’s name is ‘rocky’ and your password is ‘rocky’ and *everyone* knows that you have a pet named ‘rocky’, it’s not much of a password, is it?
This extends to other things (not just passwords) with online services and mobile apps being the big ones. Now, if you use the same password between a ‘low’ importance (eg: social media) and a ‘high’ importance site (eg: bank), you get the idea.
Takeaway: If you are of any value or have something of value to someone, information becomes a commodity. Don’t take my word for it, just ask the NSA.
Takeaway 2: If you are a big fish, you better get specialist advice.

Q: It’s all too hard?
A: It does depend on how much of a risk you see yourself to be in. Truth be told, if you have no cash, don’t intend to be big and famous, no dependencies, have nothing to lose then you are not at risk. High risk people *may* require more work but there are many ways to deal with it.

Q: I’m young, I can worry about this later…
A: …and if you plan to be big in this world, doing this later will cause you a lot of pain. OpSec is a habit that does not need to become a chore.

Q: I don’t want to shelter myself from the world and live in fear. This is not for me.
A: Actually, OpSec is about managing the flow of information and not suppressing it. In other words, it is about being aware and smart about what information you disclose. Be socialable but be smart.