Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,570 --> 00:00:06,390 Let's go through my 10 OP set rules these are inspired by the awesome work of a gentleman called the 2 00:00:06,390 --> 00:00:09,410 group whose work I highly recommend. 3 00:00:09,450 --> 00:00:13,650 This is a blog here if you want to check out his work on OPSEC. 4 00:00:13,650 --> 00:00:20,310 So in no particular order and so may relate to each of these Lemont OPSEC rules for those who need serious 5 00:00:20,400 --> 00:00:24,150 anonymity and pseudo anonymity online. 6 00:00:24,150 --> 00:00:28,120 Rule number 1 Always keep your mouth shut. 7 00:00:28,140 --> 00:00:31,740 This means never revealing operational details. 8 00:00:31,770 --> 00:00:38,970 For example you don't tell people you use nest of ends and tails or Tor that you use a Debian laptop 9 00:00:38,970 --> 00:00:40,680 or you love iPhones. 10 00:00:40,920 --> 00:00:46,290 An example could be just simply messaging to your freedom fighter or associate and complaining that 11 00:00:46,290 --> 00:00:48,320 Tor is slow don't do it. 12 00:00:48,370 --> 00:00:53,550 You're revealing operational details never reveal plans of what you intend to do. 13 00:00:53,550 --> 00:00:56,680 Remember if you don't say it you don't have to encrypt it. 14 00:00:56,700 --> 00:01:02,630 You don't have to protect it in public places where you could be overheard or recorded. 15 00:01:02,640 --> 00:01:07,470 Never be explicit use code words or so called crypto names. 16 00:01:07,470 --> 00:01:08,600 Rule number 2. 17 00:01:08,820 --> 00:01:10,010 Trust no one. 18 00:01:10,080 --> 00:01:11,890 Use the zero trust model. 19 00:01:11,930 --> 00:01:18,040 When I talk about throughout the course I assume everything and every one cannot be trusted. 20 00:01:18,180 --> 00:01:25,380 Operate from this perspective by mitigating the risk through security controls and distributing trust 21 00:01:25,860 --> 00:01:29,310 information should be given out on a need to know basis only. 22 00:01:29,460 --> 00:01:32,360 The less you say to people the better you are. 23 00:01:32,520 --> 00:01:36,010 The smaller group of co-conspirators the better you are. 24 00:01:36,120 --> 00:01:38,870 Especially do not trust co-conspirators. 25 00:01:39,060 --> 00:01:44,480 Conspiracies can be turned to work for your adversary or may be your adversary. 26 00:01:44,490 --> 00:01:45,570 They are not friends. 27 00:01:45,570 --> 00:01:47,340 Do not treat them as friends. 28 00:01:47,340 --> 00:01:50,360 They will become criminal codefendants. 29 00:01:50,430 --> 00:01:56,580 If your adversary arrest them the less they know about you and all the operational activity the better 30 00:01:56,580 --> 00:01:56,780 . 31 00:01:56,820 --> 00:01:58,570 People don't keep their mouth shut. 32 00:01:58,590 --> 00:02:00,700 People won't go to prison for you. 33 00:02:00,750 --> 00:02:04,210 Watch for co-conspirators who disappear and then come back. 34 00:02:04,260 --> 00:02:05,550 All habits change. 35 00:02:05,550 --> 00:02:09,110 They could have been caught and are now under the control of your adversary. 36 00:02:09,210 --> 00:02:11,580 And beware of people offering to buy information. 37 00:02:11,580 --> 00:02:15,140 This is a common law enforcement agency tactic. 38 00:02:15,210 --> 00:02:19,400 If possible operate alone don't tell friends or family. 39 00:02:19,470 --> 00:02:24,080 Don't allow people to take power over you so it can be used against you. 40 00:02:24,090 --> 00:02:26,900 Never let anyone get in a position to blackmail you. 41 00:02:26,910 --> 00:02:31,260 Don't let people take control over your actions or life. 42 00:02:31,260 --> 00:02:35,440 Rule Number 3 Never contaminate identities. 43 00:02:35,640 --> 00:02:43,980 This means do not share anything between aliases email addresses accounts friends IP addresses cookies 44 00:02:44,130 --> 00:02:51,750 browsers email client operating systems locations anything you shouldn't even have the same password 45 00:02:51,840 --> 00:02:52,950 among identities. 46 00:02:52,950 --> 00:02:55,080 This is total contamination. 47 00:02:55,080 --> 00:03:01,890 Don't use different identities at the same time e.g. don't post via your real identity on Facebook while 48 00:03:01,890 --> 00:03:06,690 logged into your freedom fighter identity in Tor Barnardo see Channel. 49 00:03:06,690 --> 00:03:08,310 This could be correlated. 50 00:03:08,310 --> 00:03:14,580 Don't visit sites and locations associated with other identities with other identities. 51 00:03:14,580 --> 00:03:20,170 I don't go into your personal Facebook account or real email while on tour. 52 00:03:20,250 --> 00:03:21,570 It's a different identity. 53 00:03:21,570 --> 00:03:23,090 This can be correlated. 54 00:03:23,130 --> 00:03:29,220 Never log into accounts as an anonymous identity through Tor or other such anonymising service that 55 00:03:29,220 --> 00:03:31,200 you were previously logged into. 56 00:03:31,220 --> 00:03:38,400 Without anonymizing your adversary could then associate an anonymous connection with a real IP. 57 00:03:38,430 --> 00:03:44,970 Don't make connections with those involved with operations relating to your or the aliases whenever 58 00:03:45,000 --> 00:03:46,120 possible. 59 00:03:46,200 --> 00:03:52,410 If you are using an offsite internet connection to protect your anonymity don't take any mobile phone 60 00:03:52,710 --> 00:03:56,640 associated with other identities or your real identity. 61 00:03:56,640 --> 00:04:02,090 This can be linked if your adversary is of significant means and the consequences are high. 62 00:04:02,100 --> 00:04:09,120 Don't use an internet connection at your house your home or location connected to your real identity 63 00:04:09,120 --> 00:04:09,480 . 64 00:04:09,490 --> 00:04:17,280 We cover more on this later in offsite connections but otherwise always use anonymising service as discussed 65 00:04:17,340 --> 00:04:18,520 in the course. 66 00:04:18,600 --> 00:04:25,620 Always use aliases separated through isolation and compartmentalisation in separate security domains 67 00:04:25,620 --> 00:04:25,860 . 68 00:04:26,010 --> 00:04:32,940 For example maybe a separate laptop or virtual machine VPN Tor browser configuration etc.. 69 00:04:33,180 --> 00:04:36,300 Or storing sensitive data encrypted in the cloud. 70 00:04:36,300 --> 00:04:37,960 We cover all this later. 71 00:04:38,130 --> 00:04:39,880 One phone for one identity. 72 00:04:39,900 --> 00:04:48,350 Don't call contact's of one identity with the phone of another rule number four be on interesting this 73 00:04:48,350 --> 00:04:51,770 means make everything as uninteresting as possible. 74 00:04:51,770 --> 00:04:53,350 Fly on the radio. 75 00:04:53,360 --> 00:04:54,760 Don't make a force. 76 00:04:54,770 --> 00:04:57,730 Don't be outspoken when it comes to technology. 77 00:04:57,740 --> 00:04:59,990 Use things like steganography. 78 00:04:59,990 --> 00:05:04,720 Hide your knowledge and conceal your use of security controls. 79 00:05:04,760 --> 00:05:11,680 Avoid high risk areas and actions for example don't hang around on a political forum making posts. 80 00:05:11,720 --> 00:05:17,330 If your political dissidents don't hang around on hacker forums if you're a hacker a freedom fighter 81 00:05:17,390 --> 00:05:23,470 if at all possible don't maintain accounts if at all possible and especially in high risk places. 82 00:05:23,510 --> 00:05:29,740 If you have to post on forums keep the business to hand and no chat about anything else. 83 00:05:29,750 --> 00:05:32,020 Don't post questions if you can help it. 84 00:05:32,060 --> 00:05:38,270 Don't draw the attention of a well resourced adversary whenever possible don't perform actions that 85 00:05:38,270 --> 00:05:41,270 could shine a light on you for further investigation. 86 00:05:41,270 --> 00:05:46,940 For example don't get caught breaking the law by doing something silly like speeding which results in 87 00:05:46,940 --> 00:05:53,420 a house search which results in you getting sent to jail for your counter of material discovered. 88 00:05:53,420 --> 00:05:57,720 Establish an average identity a believable identity. 89 00:05:57,740 --> 00:06:01,360 Don't make yourself a 6:46 lesbian with red hair. 90 00:06:01,490 --> 00:06:05,280 A three year old Joanie Camden is much better. 91 00:06:05,280 --> 00:06:07,160 Don't know anything longer than you have to. 92 00:06:07,160 --> 00:06:12,260 The longer you do something the more likely it can be correlated. 93 00:06:12,260 --> 00:06:13,530 Rule Number 5. 94 00:06:13,610 --> 00:06:17,540 Be paranoid now instead of when you get caught. 95 00:06:17,630 --> 00:06:19,320 Be actively paranoid. 96 00:06:19,430 --> 00:06:24,400 If you have an active adversary and you know it then they are out to catch you. 97 00:06:24,500 --> 00:06:26,180 You should be paranoid. 98 00:06:26,180 --> 00:06:28,030 Always consider all the angles. 99 00:06:28,040 --> 00:06:33,950 Spend time thinking about all the possible angles from your adversaries perspective. 100 00:06:33,950 --> 00:06:37,750 Your adversary will always try the easiest route to catching you. 101 00:06:37,850 --> 00:06:40,230 So tighten up the simple things first. 102 00:06:40,270 --> 00:06:45,470 Like patching a laptop before you worry about bouncing your traffic around the world through all possible 103 00:06:45,470 --> 00:06:47,970 transports and nest VPN. 104 00:06:48,110 --> 00:06:50,390 Be aware at all times. 105 00:06:50,450 --> 00:06:53,550 Plan for things going wrong and how you mitigate risk. 106 00:06:53,600 --> 00:07:00,530 When they do if they do plan for a knock at the door and being arrested you fail safe or fail. 107 00:07:00,530 --> 00:07:04,200 Close technology like VPN kill switches. 108 00:07:04,280 --> 00:07:08,800 If something fails most fail in a way that continues to protect you. 109 00:07:09,200 --> 00:07:16,940 If you don't use them disable or remove wireless Bluetooth webcams or cover the webcam with tape disable 110 00:07:16,940 --> 00:07:17,950 the microphone. 111 00:07:17,960 --> 00:07:23,930 Don't use a wireless keyboard mouse or monitor if you can get away with not using all of those. 112 00:07:23,930 --> 00:07:27,260 Don't use them if you talking about anything sensitive. 113 00:07:27,260 --> 00:07:33,260 Move the battery out of your phone or as a minimum turn it off switch off all the electric devices such 114 00:07:33,260 --> 00:07:39,740 as tablets smartphones TVs when using someone else's Wi-Fi or network. 115 00:07:39,740 --> 00:07:41,810 Assume everything is logged. 116 00:07:41,870 --> 00:07:48,230 Maintain all the same security privacy and an empty security controls that you would normally at a minimum 117 00:07:48,230 --> 00:07:48,270 . 118 00:07:48,290 --> 00:07:53,830 The IP will tie to a physical location and time and that could be enough to identify you. 119 00:07:53,930 --> 00:07:59,960 Never leave your devices on attended and the screens unlocked preferably store them in physically secure 120 00:07:59,960 --> 00:08:01,640 or hidden places. 121 00:08:01,640 --> 00:08:06,920 Power off your devices especially if you're using whole disk encryption and you should be using whole 122 00:08:06,920 --> 00:08:08,040 disk encryption. 123 00:08:08,060 --> 00:08:12,770 We cover that and it's N.S. if possible against your real identity. 124 00:08:12,860 --> 00:08:19,760 Never promote or discuss security privacy in an unlimited matters don't share your PTG peaky mentioned 125 00:08:19,760 --> 00:08:27,970 Tor VPN or anything that would raise a slight fly that you're interested in these topics run on 6. 126 00:08:27,980 --> 00:08:29,770 Know your limitations. 127 00:08:29,960 --> 00:08:32,660 Operate at the level of your abilities. 128 00:08:32,690 --> 00:08:37,500 If you don't fully understand what you're doing then either stop what you are doing. 129 00:08:37,520 --> 00:08:42,650 Until you do or accept the risk that your lack of knowledge could get caught. 130 00:08:42,650 --> 00:08:47,380 Stick with technology and processes you understand and can effectively implement. 131 00:08:47,450 --> 00:08:53,070 Keep it as simple as possible so not to introduce complexity that can get you caught. 132 00:08:53,240 --> 00:08:58,080 Physical security domains can be simpler when things become too complex. 133 00:08:58,220 --> 00:08:59,170 They go wrong. 134 00:08:59,360 --> 00:09:07,220 For example it can be easier to have a separate secure USP stick with tails on it than engage in complex 135 00:09:07,250 --> 00:09:11,860 virtualization for compartmentalisation as described in this course. 136 00:09:12,050 --> 00:09:14,970 If you just don't understand it enough. 137 00:09:15,020 --> 00:09:16,160 Rule number 7. 138 00:09:16,370 --> 00:09:18,170 Minimize information. 139 00:09:18,200 --> 00:09:21,310 No logs equals no crime. 140 00:09:21,320 --> 00:09:28,040 Avoid logging anything if you can keep operational information that you need but destroy everything 141 00:09:28,040 --> 00:09:31,070 else browser history for example is not required. 142 00:09:31,160 --> 00:09:32,120 So where possible. 143 00:09:32,120 --> 00:09:33,740 Don't leave evidence. 144 00:09:33,800 --> 00:09:38,240 Is better to not leave it than encrypt it and leave it if it is not needed. 145 00:09:38,240 --> 00:09:45,650 Don't keep it especially not tied to your real identity on your laptop logs browser history etc.. 146 00:09:45,770 --> 00:09:49,850 Minimize what people can find even if it's fully protected. 147 00:09:49,850 --> 00:09:53,240 Send as little information as possible in communications. 148 00:09:53,240 --> 00:09:59,000 The less said the better you see perfect examples of this on the TV show The Sopranos. 149 00:09:59,000 --> 00:10:01,410 They say things-I bring the thing in. 150 00:10:01,430 --> 00:10:02,700 Meet you at the place. 151 00:10:02,750 --> 00:10:08,190 Don't forget to tell the guy instead of I'll bring the bag of drugs to but. 152 00:10:08,220 --> 00:10:13,430 And don't forget to tell Tony or whatever it is they might say is easy for your defense later. 153 00:10:13,460 --> 00:10:17,160 If you are they don't send clear text messages. 154 00:10:17,270 --> 00:10:20,570 Everything should be encrypted even if it's non-sensitive. 155 00:10:20,600 --> 00:10:26,870 If you only encrypt what is sensitive than that in itself gives a way that it's sensitive never leave 156 00:10:26,870 --> 00:10:29,480 anything behind that might be traced back to you. 157 00:10:29,540 --> 00:10:36,710 Your real identity environment and security domain associated with you should have no contraband and 158 00:10:36,710 --> 00:10:40,100 be evidence free and don't leave a money trail. 159 00:10:40,100 --> 00:10:41,310 Rule number 8. 160 00:10:41,360 --> 00:10:42,800 Be professional. 161 00:10:42,980 --> 00:10:49,460 If your adversary is professional and the consequences are high for you then you must also act equally 162 00:10:49,520 --> 00:10:50,490 professional. 163 00:10:50,510 --> 00:10:52,170 Don't be an amateur and get caught. 164 00:10:52,250 --> 00:10:59,240 You must treat your OPSEC security privacy and NMT with the seriousness it requires. 165 00:10:59,240 --> 00:11:01,120 A man must know his limitations. 166 00:11:01,190 --> 00:11:03,940 But if you have limitations that create risk. 167 00:11:04,010 --> 00:11:05,870 You need to educate yourself. 168 00:11:05,870 --> 00:11:07,990 This course will help you do that. 169 00:11:08,000 --> 00:11:11,930 Take a logical and systematic approach to what you're doing. 170 00:11:11,930 --> 00:11:13,650 Treat it as a business. 171 00:11:13,730 --> 00:11:16,030 Don't make it a pursuit of pleasure. 172 00:11:16,040 --> 00:11:22,790 Make it a business and treat it as one rule them and 9 employ anti profiling. 173 00:11:22,790 --> 00:11:30,140 This means avoid revealing personal information or stories about yourself as it can be used for profiling 174 00:11:30,140 --> 00:11:30,290 . 175 00:11:30,290 --> 00:11:37,340 This includes in chat discussions voice calls for and post private messages encrypted messages everywhere 176 00:11:37,460 --> 00:11:39,210 even if you think these are private. 177 00:11:39,230 --> 00:11:40,610 They are not. 178 00:11:40,610 --> 00:11:47,570 Never reveal your real gender location jobs hobbies hair color height weight physical attributes where 179 00:11:47,570 --> 00:11:53,810 you were born your favorite sports team the car you drive or what tattoos you have. 180 00:11:53,810 --> 00:11:59,810 Nothing no personal information do not even include personal information in your online identity your 181 00:11:59,810 --> 00:12:05,460 nickname your username your handle or even a similar name don't even indicate your gender. 182 00:12:05,540 --> 00:12:10,910 Do not reveal anything that can reveal your location or time zone. 183 00:12:10,910 --> 00:12:18,020 Like talking about location references where the political events entertainment events or by using special 184 00:12:18,020 --> 00:12:21,270 characters from a keyboard related to your language. 185 00:12:21,350 --> 00:12:27,370 Avoid keeping regular hours as this can reveal a time zone and a geographic location if you do. 186 00:12:27,470 --> 00:12:35,590 If you can don't keep regular routines habits or methods being consistent and unpredictable used misinformation 187 00:12:35,600 --> 00:12:38,110 to mislead change your time zones. 188 00:12:38,150 --> 00:12:40,340 Speaking of language not your own. 189 00:12:40,340 --> 00:12:44,120 If you know them use alternative spellings if you can. 190 00:12:44,120 --> 00:12:51,710 For example if you are from the US UK spellings Australian spellings and words as part of a UK alias 191 00:12:52,100 --> 00:13:00,140 maybe and metor data to photos and documents snottily pointing to your fake identity to provide misinformation 192 00:13:00,530 --> 00:13:03,380 provide misinformation to your co-conspirators. 193 00:13:03,440 --> 00:13:10,250 If they ask you any question answers your alias and use authorship recognition evasion methods that 194 00:13:10,250 --> 00:13:11,590 we'll discuss later. 195 00:13:11,690 --> 00:13:13,490 And the final rule will attend. 196 00:13:13,490 --> 00:13:14,870 Protect your assets. 197 00:13:14,900 --> 00:13:18,150 Don't send data without encryption. 198 00:13:18,170 --> 00:13:25,070 Use the security controls tools technologies processes highlighted in this course to enable your security 199 00:13:25,070 --> 00:13:29,210 privacy and anonymity protect your assets and your secrets. 200 00:13:29,210 --> 00:13:35,390 Based on your level of risk acceptance your adversary and the consequences you need to choose the right 201 00:13:35,390 --> 00:13:37,950 technology and configure it correctly. 202 00:13:38,030 --> 00:13:41,150 This course will help guide you through that process. 203 00:13:41,210 --> 00:13:43,270 Protect what matters most. 204 00:13:43,280 --> 00:13:44,840 You'll know if it worked. 205 00:13:44,900 --> 00:13:46,370 If you don't get a knock at the door 20906