#OPSEC365 010/365
Your phone logs every call you make, every text you send, and the duration of each conversation. Even with encrypted messaging, your carrier knows who you contacted, when, and for how long.
Pull up your call history and imagine someone trying to map your relationships based purely on who you talk to and how often.
The connections are already logged.
Content can be encrypted, but metadata often can't. Who you call, when, and how often creates a pattern that reveals relationships, habits, and associations without anyone reading a single message. The structure of your communications tells its own story.
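What that pattern looks like in practice, as an added example that is not part of the original post: a few lines of Python over call records that contain no content at all. The records, names and the `contact_profile` function are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed call-detail records: who, when, how long. No message content.
CDR = """caller,callee,start,duration_s
alice,bob,2024-03-04T23:40:00,1820
bob,alice,2024-03-05T23:15:00,2400
alice,bob,2024-03-07T00:30:00,900
alice,clinic,2024-03-05T09:05:00,120
alice,clinic,2024-03-06T09:10:00,95
carol,alice,2024-03-06T18:00:00,300
bob,carol,2024-03-06T12:00:00,60
"""

def contact_profile(cdr_text, subject):
    """Rank the subject's contacts using metadata alone.

    Returns (contact, calls, total_seconds, late_night_calls, distinct_days)
    tuples, longest total talk time first.
    """
    stats = defaultdict(lambda: {"calls": 0, "seconds": 0, "late": 0, "days": set()})
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if subject not in (row["caller"], row["callee"]):
            continue  # record does not involve the subject
        other = row["callee"] if row["caller"] == subject else row["caller"]
        start = datetime.fromisoformat(row["start"])
        s = stats[other]
        s["calls"] += 1
        s["seconds"] += int(row["duration_s"])
        # Calls between 22:00 and 06:00 hint at a personal relationship.
        s["late"] += int(start.hour >= 22 or start.hour < 6)
        s["days"].add(start.date())
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["seconds"], reverse=True)
    return [(n, s["calls"], s["seconds"], s["late"], len(s["days"])) for n, s in ranked]

if __name__ == "__main__":
    for line in contact_profile(CDR, "alice"):
        print(line)
```

Long late-night calls on three separate days and short weekday-morning calls to a clinic fall out of the records without a single word of content.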
Sam Bent
contact@sambent.com
npub1y7rv...d0r3
Journalist | OSINT & OPSEC Specialist | Darknet Expert (Ex Vendor & DNM Admin) | DEFCON/SANS Speaker | Youtuber | Social Engineer | Author | Paralegal
Anon, Feds hate you, it's not just a meme.
Alice Marie Johnson | Life without parole + 25 years
Relaying phone messages in a cocaine conspiracy.
First arrest ever.
Weldon Angelos | 55 years
Three sales of $350 worth of marijuana with an alleged ankle holster.
No prior record.
Dicky Joe Jackson | Life without parole
Transported meth on his truck route to pay for his dying toddler's $250,000 bone marrow transplant after insurance dropped them.
George Martorano | Life without parole
Pleaded guilty to drug charges expecting 40-54 months per the prosecution's own recommendation.
The judge gave him the maximum to pressure him into snitching on the Philly mob.
Timothy Tyler | Life without parole
Mailed LSD to a Grateful Dead concert friend.
Two prior nonviolent drug offenses triggered the federal three-strikes provision.
Fate Winslow | Life without parole
Acted as a $5 middleman in a $20 crack sale to an undercover cop in Shreveport, Louisiana.
Corvain Cooper | Life without parole
Federal marijuana conspiracy.
Never touched the product, no violence.
Sentenced under the federal three-strikes drug law.
Patrick Matthews | Life without parole
Stole tools from a shed in Slidell, Louisiana.
Enhanced by prior nonviolent convictions under habitual offender laws.
SSL/TLS ecosystem analysis showing pervasive implementation failures.
"We systematize knowledge about SSL/TLS and present a comprehensive analysis of its security."
- SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements by Jeremy Clark and Paul C. van Oorschot (2013)
https://www.ieee-security.org/TC/SP2013/papers/4977a511.pdf


#OPSEC365 009/365
Your trash tells a story about you every week.
Prescription bottles with your name and medications, bank statements with account numbers, shipping labels with your address, and receipts that show where you shop and what you buy. Anyone willing to go through your garbage can build a detailed profile without breaking any laws.
Before your next trash day, look through what you're throwing out and see what you'd learn about yourself.
A cross-cut shredder handles paper, but don't forget about labels on packaging and prescription bottles. Peel them off, shred them, or black them out with a marker before they go in the bin. The few seconds it takes is cheaper than the identity theft it prevents.
Medieval peasants kept more of their harvest than you keep of your paycheck.


#OPSEC365 008/365
Everyone has an adversary, whether they realize it or not.
It might be an ex who won't let go, a competitor digging for leverage, a scammer building a target list, or a future employer searching your name. The question isn't whether someone wants information about you, it's who and why.
Write down the three most likely people or groups who might want to know more about you than you'd want them to.
Your adversary determines your threat model, and your threat model determines what precautions make sense.
The White House app ships with a sanctioned Chinese tracking SDK,
the FBI app serves ads,
and FEMA wants 28 permissions to show you weather alerts.


Sam Bent
Fedware: 13 Government Apps That Spy Harder Than the Apps They Ban

Monero devs have never once suggested building backdoors for law enforcement,
Zcash's founder suggested it publicly then asked you to memory-hole his own words.


#OPSEC365 007/365
Security questions aren't secure. They're public records and social media trivia.
Your mother's maiden name is on genealogy sites. Your first pet's name is in a Facebook post from 2012. Your high school mascot is one Google search away. Anyone doing basic research on you can answer these questions as easily as you can.
Go check what security questions protect your most important accounts and ask yourself who else could answer them.
Treat security questions like additional passwords. Give false answers that only you would know, store them in a password manager, and never use real information that could be researched. Mother's maiden name can be a random phrase if you remember to save it.
#OPSEC365 006/365
Posting vacation photos while you're still on vacation tells everyone exactly when your home is unoccupied.
The timestamp, the location tag, and the caption all confirm you're hundreds of miles away and won't be back for days.
Save the photos. Post them when you're home. See if you can resist the urge to broadcast your absence in real time.
If you have to post during travel, strip location data and avoid revealing details that pin down your specific location or how long you'll be gone. General photos without landmarks are harder to geolocate than a poolside shot with a resort logo visible in the background.
> builds a GRUB replacement in 2016
> spends 5 years breaking GRUB piece by piece
> strips LUKS encryption from /boot "for security"
> proposes to remove: btrfs, xfs, zfs
> keeps SquashFS, two CVEs, one rated 7.8 HIGH
> controls the signing keys for all of it
> Canonical promoted him.


Sam Bent
Canonical's GRUB Saboteur Has a 10-Year Plan
Julian Klode has been systematically stripping features from GRUB since 2021, and he built the replacement a decade ago.

If you have to ask permission it was never a right in the first place, it was a privilege they can revoke.


Tails 7.6 uses domain fronting to hide Tor bridge requests from censors,
replaces KeePassXC with GNOME Secrets for accessibility,
and catches up on 18 months of Electrum releases.


Sam Bent
Tails 7.6 Hides Bridge Requests Behind CDN Traffic

#OPSEC365 005/365
What's visible through your front window right now?
Packages with your name on them, expensive electronics, a daily routine playing out on a predictable schedule. Anyone walking by can see it, and the ones paying attention are taking notes.
Go look at your home from the outside like a stranger casing it, and see what you've been advertising.
Simple fixes make a difference. Move valuables out of sightlines, vary your visible routine, and don't let delivered packages sit on the porch broadcasting that you're not home. The goal is to look like a harder target than the house next door.
The enemy is at the gates.
Do you see where this is going?
Red = Removing


Chainalysis can stare at this diagram all day and still only see question marks where your identity should be.


#OPSEC365 004/365
The people closest to you are your biggest OPSEC liability.
Your mom posts photos of family gatherings with location tags. Your friend checks you in at bars without asking. Your ex still knows your passwords, your routines, and the answers to all your security questions.
Make a mental list of the five people who could expose the most about you without even trying.
You can't control what others post, but you can control what you share with them and whether you're tagged in their content. Most platforms let you review tags before they appear on your profile, and some relationships warrant a direct conversation about what's off-limits.
#OPSEC365 003/365
Your credit card company knows where you eat, what you buy, when you travel, and what time you usually shop. So does anyone who gets access to that data through a breach, a subpoena, or a curious employee.
Log into your bank and scroll through last month's transactions like you're a stranger trying to learn about you.
The patterns are obvious once you look.
Cash leaves no transaction record tied to your identity. For purchases you'd rather not have logged, cash or Monero are the only options that don't create a permanent entry in a database you don't control.
GM sold your data to LexisNexis.
Toyota shared telematics with Progressive.
Allstate embedded hidden tracking in apps like Sirius XM. 40 million connections tracked every 15 seconds.
This is already happening.
The kill switch just makes it worse.
Microsoft's "Fix" for Windows 11:
Flowers After the Beating...
Microsoft spent four years stuffing Windows 11 with ads, forced Copilot integrations,
and bloatware, now they want applause for promising to remove it.

