#OPSEC365 060/365
The ABC system is how surveillance teams avoid burning their operators.
In mobile surveillance: A is the eyeball vehicle directly behind the target, B follows in a covering position, C works parallels. Handovers rotate who has direct visual, preventing any single operator from being seen too long.
Counter-surveillance principle: one sighting of a person or vehicle proves nothing. The threshold is two independent sightings at non-coincidental locations. In a well-run ABC team, no operator holds the eyeball long enough to trigger threshold alone.
Sam Bent
contact@sambent.com
npub1y7rv...d0r3
Agorist. Counter-economist. Privacy maximalist. Student of OPSEC. Anti-authoritarian. Free speech absolutist. Logician. Ex-Darknet Vendor. Youtuber.
Much of your paycheck goes to people who did nothing to earn it, and opting out is a felony.


#OPSEC365 059/365
Your utility bills reveal when your house is occupied.
Electricity spikes when you're home, drops when you're away. Water usage follows your schedule. A data breach or a curious utility employee can see your occupancy patterns clearly from usage graphs.
Smart meter granularity is fine enough to identify when you wake up, when you leave, and when you come back.
Some people use smart plugs and timers to create artificial usage patterns during vacations. Others keep baseline loads running to flatten the curves. The threat depends on who your adversary is, but knowing utility data reveals patterns is the first step to deciding if you care.
Kernel exploitation techniques for Linux.
"Exploiting the kernel is fundamentally different from exploiting userspace applications."
Linux Kernel Exploitation by Jon Oberheide (2009)
https://jon.oberheide.org/files/infiltrate12-thestateoflinuxkernelexploitation.pdf


#OPSEC365 058/365
Every business card you hand out is a data collection opportunity.
Name, title, company, phone number, email address, sometimes personal cell and LinkedIn. You give these freely to strangers at networking events, and those cards end up in databases, on desks of people you don't remember meeting, or in piles sold to data brokers.
Most business cards contain more information than any single recipient needs.
Some people use cards with only their name and email, nothing else. Others use QR codes that link to a contact form instead of giving direct numbers. The point is deciding what you want someone to have before handing over a printed summary of how to reach and identify you.
#OPSEC365 057/365
The address on your checked luggage tag tells every stranger who sees it where your empty home is.
Baggage handlers, airport workers, hotel lobby staff, taxi drivers, the person behind you in the rental car line — anyone with eyes on your bag at the carousel can read your name and street address. The same tag is proof you are not at that address right now and won't be for a known number of days.
Use a covered tag or write only initials and a phone number.
Some carriers will accept a work address or a PO box at check-in. If you must use a home address, fold the tag inward so it has to be lifted to read. A frequent flyer number on the outside is harmless — it identifies you only to people who already have access to airline systems, which is a much smaller threat surface than "anyone standing near your bag".
The most respected cypherpunk in Bitcoin's history told you transparent ledgers are designed to harm individual privacy,
and the Bitcoin community pretends they never heard him.
Monero is what Hal was actually describing.


#OPSEC365 056/365
People can identify your location from tiny background details in photos.
A GeoGuessr player found a streamer's exact location from a photo of her ceiling. Power line styles, vegetation types, store signs, and even the angle of shadows narrow down where you are. Determined people treat this like a game, and they're very good at it.
Look at your recent photos and ask what background details could reveal where you live.
Unique architectural features, visible street signs, store logos, and distinctive plants all provide clues. Even indoor photos can reveal window views or reflections. If you're concerned about location privacy, photograph against plain backgrounds or in nondescript settings.
Civil disobedience is only celebrated when it's old enough to be in a textbook.


#OPSEC365 055/365
Your family members mention you online without thinking.
Mom's birthday post with your full name and age, your sibling's throwback photo from the house you grew up in, your spouse's check-in at the restaurant where you're celebrating your anniversary. Each one leaks information you might prefer stayed private.
Have a conversation with close family about what you'd rather they didn't post.
This isn't about controlling family, it's about asking for consideration. Most people will honor reasonable requests if you explain why it matters. A simple ask like avoiding location tags or using nicknames instead of full names goes a long way without damaging relationships.
#OPSEC365 054/365
Surveillance teams work in cycles: Stakeout, Pick-Up, Follow, Housing.
Understanding how pro foot monitoring operates is the foundation of detecting it. The team boxes the target in Stakeout. The trigger gives warning of movement. The Pick-Up establishes the follow. Housing is when the target stops. This cycle repeats all day.
To detect foot surveillance, vary your departure time and route. Surveillance teams stake out from fixed trigger positions near your home or office - parked vehicles, cafe windows, bus shelters. Jenkins notes: operators get bored and co-locate.
Every "Monero can't scale" argument from 2018 aged like milk after Bulletproofs++ went live.


#OPSEC365 052/365
Your email address reveals more than you think.
Firstname.lastname@company.com confirms your employer. A birth year in an address tells your age. College emails persist in breach databases long after graduation. HaveIBeenPwned indexes over 14 billion breached accounts—your old address is almost certainly in one.
An email address is a key. Most people hand out copies to anyone who asks.
Compartmentalize by purpose: professional email for work, a separate address for accounts you don't trust, and a private address only trusted contacts know. SimpleLogin and AnonAddy generate per-service aliases (e.g., amazon@yourdomain.anonaddy.me) that forward to your real inbox.
Return-to-libc attacks when stack protection made shellcode harder.
"Return-to-libc attacks allow code execution without injecting any code onto the stack."
- Bypassing StackGuard and StackShield by Bulba and Kil3r (2000)



#OPSEC365 051/365
Voter registration records are public in most states.
Your full name, home address, party affiliation, and voting history are available to political campaigns, researchers, journalists, and data brokers. Some states publish this online for free. Others sell it in bulk.
Voter registration data is public record in most states. Name, address, party, and voting history — available to campaigns, researchers, and anyone else who asks.
Some states let you request confidentiality if you have a noted threat, but most don't. Address Confidentiality Programs exist for survivors of domestic violence. For everyone else, the best you can do is use a PO Box where allowed and know your registration is public regardless.
#OPSEC365 050/365
Your car's infotainment system remembers everywhere you've been.
Navigation history, paired phone contacts, call logs, text messages if connected via Bluetooth. Rental cars retain previous drivers' data. Used cars come with the previous owner's information. And when you sell or return your car, your data stays behind.
Factory reset your infotainment system before selling, trading, or returning a vehicle.
Every car handles this differently, but look for Reset or Factory Defaults in the settings menu. Don't just delete your phone from paired devices, wipe the entire system. For rental cars, avoid pairing your phone at all or use a clean burner phone for navigation instead.
HSBC's own ad copy explains exactly why Monero needs to exist
when someone controls your finances, they control you, and the only money that can't be controlled, frozen, or surveilled is the money they're trying to ban.


#OPSEC365 049/365
Every call you make is logged: number dialed, duration, cell tower, timestamp. Under Smith v. Maryland (1979), you have no Fourth Amendment protection over records you give a third party — including your carrier.
A subpoena is all it takes. No warrant. No notification. The DEA calls toll records the backbone of phone-based cases.
Contact patterns matter as much as content. Who you called, how often, and from which tower builds an investigative map without a single intercepted word. Investigators work call logs before seeking wiretaps.
#OPSEC365 048/365
Professional licenses are public records in most states.
If you're a doctor, lawyer, nurse, real estate agent, or hold any state-issued credential, your full name, license number, status, and sometimes disciplinary history are searchable online. Anyone can verify your credentials, which means anyone can verify you exist in that profession.
Professional license databases are public. Your name, license number, status, and sometimes address are available to anyone who looks.
You can't hide your professional license, but you can be aware of what it reveals. For some professions, the address on file is public. Consider using a business address or registered agent instead of your home.
#OPSEC365 047/365
Your smart TV shares a network with your laptop, phone, and NAS. That's a compartmentalization failure.
ACR runs by default on Vizio, Samsung, and LG — fingerprinting your viewing. A TV with a vulnerable update path is a lateral pivot into your LAN.
Cronk's SEPARATE strategy: partition contexts with different trust levels. Your TV needs internet. It has no need to see your other devices.
VLAN your IoT tier. Your TV doesn't need to know your NAS exists.
Implementation: create an isolated IoT VLAN with internet-only egress, no routing to your primary LAN. A smart TV's legitimate function requires only outbound streaming access — zero visibility into personal devices.
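
One way to express the isolated IoT VLAN described above on a Linux router, as an added nftables sketch that is not from the original post. The interface names (`wan0`, `lan0`, `lan0.30`) are assumptions, and outbound NAT is assumed to be configured elsewhere on the router.

```nft
# Added example. Assumed interfaces (not from the post):
#   wan0     uplink to the internet
#   lan0     primary LAN (laptop, phone, NAS)
#   lan0.30  IoT VLAN (smart TV), 802.1Q tag 30 on the same trunk
table inet iot_isolation {
    chain forward {
        # Default-deny between segments: anything not listed is dropped,
        # which includes primary LAN -> IoT and IoT -> primary LAN.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # Primary LAN keeps normal internet access.
        iifname "lan0" oifname "wan0" accept

        # IoT tier: internet-only egress for streaming.
        iifname "lan0.30" oifname "wan0" accept

        # Explicit log-and-drop so attempts by the TV to reach the LAN
        # show up in the kernel log instead of vanishing into the policy.
        iifname "lan0.30" oifname "lan0" counter log prefix "iot-to-lan " drop
    }

    chain input {
        # Only restricts what the IoT tier may send to the router itself;
        # other interfaces keep whatever input policy is already in place.
        type filter hook input priority 0; policy accept;

        ct state established,related accept

        # IoT devices need DHCP and DNS from the router, nothing else.
        iifname "lan0.30" udp dport { 53, 67 } accept
        iifname "lan0.30" tcp dport 53 accept

        # Keep IPv6 neighbor discovery working on the IoT segment.
        iifname "lan0.30" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept

        # No router admin UI, SSH or file shares for the IoT tier.
        iifname "lan0.30" counter drop
    }
}
```

The counters on the two drop rules give a quick check after deployment: `nft list table inet iot_isolation` shows how often the TV has tried to reach the LAN or the router.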