OpSec for Porn Bloggers

DRAFT DOCUMENT SUBJECT TO CHANGE

Operations security (OPSEC) is a term that originated in U.S. military jargon. It is a process that identifies critical information, determines whether friendly actions can be observed by enemy intelligence, determines whether information obtained by adversaries could be interpreted in a way that is useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.

GPS metadata

Photos taken by your phone can contain very accurate GPS location data by default. If you send someone these photos directly, it’s like giving them your home address. This happens because “Location Services/Reporting” is typically enabled by default on the phone. You can turn it off, but that makes navigation, or anything else that needs GPS coordinates, difficult.

Instead, you can use various tools to strip that data from photos, or to examine existing ones and see what data leaks from them:
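An added example, not from the original post, of both halves of that advice in plain Python: it reads the GPS latitude and longitude out of a JPEG’s Exif APP1 segment (the place phones store them) and strips that segment before the photo is shared. The sample JPEG and its coordinates are constructed inline; no real photo is involved.

```python
import struct

# Constructed sample: a minimal JPEG holding only an Exif APP1 segment with a GPS IFD
# (no image data). The coordinates are made up for the demo.
def build_sample_jpeg(lat=(37, 46, 30), lon=(122, 25, 10), refs=(b"N", b"W")):
    gps_off = 8 + 2 + 12 + 4                  # GPS IFD directly follows IFD0
    rat_off = gps_off + 2 + 4 * 12 + 4        # RATIONAL arrays follow the GPS IFD
    ifd0 = b"\x01\0" + struct.pack("<HHII", 0x8825, 4, 1, gps_off) + b"\0" * 4
    tags = [(1, 2, 2, refs[0] + b"\0\0\0"), (2, 5, 3, struct.pack("<I", rat_off)),
            (3, 2, 2, refs[1] + b"\0\0\0"), (4, 5, 3, struct.pack("<I", rat_off + 24))]
    gps = b"\x04\0" + b"".join(struct.pack("<HHI", *x[:3]) + x[3] for x in tags) + b"\0" * 4
    rats = b"".join(struct.pack("<II", v, 1) for v in lat + lon)  # deg, min, sec as v/1
    app1 = b"Exif\0\0II*\0" + struct.pack("<I", 8) + ifd0 + gps + rats
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(jpeg):  # (start, total length, is_exif) of each segment before SOS/EOI
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, length, jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0"
        pos += length

def gps_coordinates(jpeg):  # (lat, lon) in signed decimal degrees, or None if absent
    for start, length, is_exif in _segments(jpeg):
        if not is_exif:
            continue
        t = jpeg[start + 10:start + length]  # the embedded TIFF structure
        e = "<" if t[:2] == b"II" else ">"   # byte-order mark: II little, MM big
        u16 = lambda o: struct.unpack(e + "H", t[o:o + 2])[0]
        u32 = lambda o: struct.unpack(e + "I", t[o:o + 4])[0]
        entries = lambda ifd: {u16(ifd + 2 + 12 * i): ifd + 10 + 12 * i for i in range(u16(ifd))}
        ifd0 = entries(u32(4))               # tag -> offset of the entry's value field
        if 0x8825 not in ifd0:               # no GPSInfo pointer at all
            return None
        gps = entries(u32(ifd0[0x8825]))
        if not {1, 2, 3, 4} <= set(gps):     # Ref and DMS tags for both axes are required
            return None
        dms = lambda o: sum(u32(o + 8 * i) / u32(o + 4 + 8 * i) / 60 ** i for i in range(3))
        sign = lambda tag, neg: -1 if t[gps[tag]:gps[tag] + 1] == neg else 1
        lat, lon = dms(u32(gps[2])) * sign(1, b"S"), dms(u32(gps[4])) * sign(3, b"W")
        return round(lat, 6), round(lon, 6)
    return None

def strip_exif(jpeg):  # copy of the JPEG with every APP1 Exif segment removed
    out, end = bytearray(jpeg[:2]), 2
    for start, length, is_exif in _segments(jpeg):
        if not is_exif:
            out += jpeg[start:start + length]
        end = start + length
    return bytes(out + jpeg[end:])
```

Run `gps_coordinates` on a photo straight from a phone to see what it carries, then `strip_exif` on the bytes before uploading anywhere that does not scrub metadata for you.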

Facebook URLs

I know a lot of guys like to share their girlfriend’s or wife’s photos online, but you want to be very careful about the links you send to people.

If you send a photo link directly from Facebook, you might as well be sending their profile page, because the photo ID is in the filename Facebook assigns. For example, this photo has the filename 54510_489325434424176_1790623374_o.jpg; the middle number, 489325434424176, is the Facebook photo ID, and if the photo is public, https://www.facebook.com/489325434424176 will link you directly to the Facebook photo page, with the user’s name and everything.

It’s recommended to download the photo and upload it to Imgur, since that gives you a completely random filename that can’t be reversed directly. Imgur also removes any image metadata, though I believe Facebook already does that automatically on upload as well.

Generally Google does not index Facebook photos, so most of the time you won’t be able to find Facebook or Instagram photos with Google Reverse Image Search. They usually only come up if they’ve been uploaded elsewhere, like LinkedIn or one of the multitude of scraper sites that try to clone Instagram.
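An added example, not from the original post, of a pre-share check for that filename pattern: it pulls the photo ID out of a Facebook-style filename or link (the three-number pattern is assumed from the example above) and produces a random replacement name of the kind the re-upload advice gives you.

```python
import re
import secrets
from urllib.parse import urlsplit

# Pattern based on the post's example 54510_489325434424176_1790623374_o.jpg: three
# underscore-separated numbers and a one-letter size suffix before the extension.
# Assumption: this is the general shape of Facebook photo filenames; per the post,
# the middle number is the photo ID.
FB_PHOTO = re.compile(r"^\d+_(\d{10,})_\d+_[a-z]\.(jpe?g|png|gif)$", re.IGNORECASE)

def _basename(link_or_name):
    """Last path component of a URL or a bare filename, with any ?query dropped."""
    return urlsplit(link_or_name).path.rsplit("/", 1)[-1]

def facebook_photo_id(link_or_name):
    """Photo ID embedded in a Facebook-style filename or link, or None if absent."""
    m = FB_PHOTO.match(_basename(link_or_name))
    return m.group(1) if m else None

def safe_share_name(link_or_name, nbytes=8):
    """A random filename (extension kept) to use when re-uploading the photo."""
    name = _basename(link_or_name)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return secrets.token_hex(nbytes) + ext
```

If `facebook_photo_id` returns anything, the link identifies the source account; re-upload the file under `safe_share_name` instead of passing the link on.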

IRC

IRC is a serious vulnerability, seriously, this is #clubgoon as well, guys. Your IP address is visible to anyone who cares to look, and by default all your messages are sent in clear text, so if an attacker is on your wifi and you don’t have it using WPA, they can read anything you’re saying.

If I have your IP address, I can use a tool like IPLocation to get a rough idea of where you live, and sometimes I can find your IP on Shodan and see whether you have any IoT devices running on your network.

I could go through the litany of things you could do to protect yourself: using an SSL port, securing your nick, and cloaking your IP through a VPN/VPS. But if you’re reading this, you probably just want the easiest way to protect yourself.

Put simply: use IRCCloud.

When you use IRCCloud, your IP isn’t connected to the IRC server; IRCCloud’s is. Your connection to IRCCloud is encrypted with SSL, meaning the only thing someone on your network can see is that you’re connected to www.irccloud.com. They can’t see inside your session as long as you’ve got https in the address bar.

I can’t recommend these guys enough. You have to create an account, and they’ll try to upsell you to their $5/mo plan, but it’s not required, and I’ve been using their free tier for months without an issue.

Signal

Signal is sweet for messaging and calling; it just recently passed its security audit. This is the technology inside Facebook Messenger, WhatsApp and Google Talk; it’s secure and pretty badass. Moxie Marlinspike is a steely-eyed missile man.

Get it, use it, love it.

There’s also Ricochet for anonymous messaging.

Email

It should go without saying, but you should have a separate account for anything you don’t want connected to your real-life account. Guys got blackmailed because they used their personal or work email addresses for Ashley Madison. This is very bad; don’t do it. If you don’t want something tied to your real name, don’t use your normal email for it.

One of the most secure secondary email providers I can suggest is Protonmail; it’s based in Switzerland and encrypts your mail at rest on their servers. You have to remember two passwords, but for security I’m a big fan. A big benefit is that you don’t need a phone number for verification, and you can leave off the recovery email as well, so the account can be completely separate from your personal identity.

VPN

A VPN can be an awesome tool to keep yourself anonymous and prevent anyone else on your own network from seeing what you’re accessing on the internet. A Virtual Private Network encrypts your traffic on your local machine and sends it to the endpoint, wherever the VPN server is, so it looks like the traffic is being requested from that machine instead of yours. The only thing someone on your network can see is that you’re connected to a VPN and sending data back and forth; there’s no way for them to see what that traffic is. Checking your IP address while connected will show the remote server’s address instead of the one you’re actually using.

There are lots of VPN options; you want a “no logging” one in a country with strong privacy protections. I personally use IPVanish, but there are many others out there.

Passwords

Using a unique password for every site is a good habit to get into; unless you use random strings, the passwords you choose can give away who you are.

Let’s say you have an account with LinkedIn and an account with Tumblr; both have been hacked in the past. You used different email addresses to protect your identity, but you use the same supersecurepassword password on both sites. How long do you think it would take to correlate the two email addresses? If you think there’s no way anyone else could be using the same super secret password, then it’s even less likely that two accounts sharing that password are doing so by chance.

I’ve seen people brute-force 70% of a database’s password hashes in under a day; people aren’t nearly as random as they think they are.

The bottom line is that you should be relying on a computer to be random for you.
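An added example, not from the original post, of checking your own exported vault for exactly the kind of reuse that links two identities, plus a generator that lets the computer be random for you. The vault and its identity labels are constructed for the demo.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault export: (identity, site, password). "real" accounts are
# tied to your name; "alias" accounts are the ones that must stay unlinked from it.
SAMPLE_VAULT = [
    ("real",  "linkedin.com", "supersecurepassword"),
    ("alias", "tumblr.com",   "supersecurepassword"),
    ("alias", "imgur.com",    "correct horse battery staple"),
    ("real",  "bank.example", "r7$Kq2!pVw9#LmZ0"),
]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def linking_reuse(vault):
    """Passwords shared by accounts that belong to different identities.

    Returns {password: sorted [(identity, site), ...]} for every password used under
    more than one identity. Reuse inside one identity is bad hygiene; reuse across
    identities is what lets a breach of either site tie both email addresses to
    the same person.
    """
    by_password = defaultdict(list)
    for identity, site, password in vault:
        by_password[password].append((identity, site))
    return {pw: sorted(accounts) for pw, accounts in by_password.items()
            if len({identity for identity, _ in accounts}) > 1}

def random_password(length=20):
    """Let the computer be random for you: CSPRNG choices from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

Every password `linking_reuse` reports should be replaced on all of the listed sites, not just one of them.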

Use a Password Manager!

LastPass is decent

Payment

Coming soon

Tor

Coming soon

TorBrowser