opsec.md
# OPSEC Toolkit

A comprehensive guide to operational security tools and techniques.

## Table of Contents
- [OPSEC Methods](#opsec-methods)
- [Content Obfuscation](#content-obfuscation)
- [Image Generation & Editing](#image-generation--editing)
- [Anonymity Tools](#anonymity-tools)
- [Trying TailsOS](opsec.md#to-try-tailsos-insecure)
- [i2p with TailsOS](opsec.md#i2p-with-tailsos-not-supported-but-is-amnesic)
- [Secure File Transfer (TailsOS)](opsec.md#secure-file-transfer-methods-in-tailsos)
- [Virtualization](#virtualization)
- [Privacy Protection](#privacy-protection)
- [Cryptocurrency](#cryptocurrency)
- [Data Destruction](#data-destruction)
- [Miscellaneous](#miscellaneous)
- [External Links](#external-links)
- [References](#references)
- back to [main guide](../README.md)

---

## OPSEC Methods

<p align="center">
<img alt="OPSEC Methods" src="../img/png/graphs/OPSEC-methods.png" />
</p>

## Content Obfuscation

### Text Rewriting Tools
- [Free Article Spinner](https://free-article-spinner.com/) - Basic and advanced paraphrasing.
- [RewriteTools](https://www.rewritertools.com/article-spinner) - Simple article spinner.
- [SEO Tool Station](https://seotoolstation.com/article-rewriter) - SEO-focused rewriter (use Tor after a few attempts).
- [ChatGPT](https://chatgpt.com/) - "Rewrite this as..." prompt (censorship aware).
- [DeepSeek](https://chat.deepseek.com/) - Requires an account (censored on sensitive topics).
- [Offline Version Guide](https://ihsoyct.github.io/r/AIAssisted/comments/1ibv6g8/how_to_run_deepseek_r1_offline_on_your_computer/).
- [LM Studio](https://lmstudio.ai/) - For running models locally.

Protip: It doesn't hurt to write genuinely, act human and be human when doing [HUMINT](./HUMINT.md).

### Multilingual Tools
- [Google Translate](https://translate.google.com/) - For language conversion.

---

## Image Generation & Editing

### Generation Tools
- [Stable Diffusion WebUI](https://github.com/AUTOMATIC1111/stable-diffusion-webui) - Local image generation.
- [Civitai Model Repository](https://civitai.com/models) - Use 1.5 models for older GPUs.
- [This Person Does Not Exist](https://thispersondoesnotexist.com/) - Quick face generation (has a watermark).

### Editing Tools
- [Free Inpaint](https://pincel.app/tools/inpaint) - Web-based inpainting
  - Pair with [Upscale Media](https://www.upscale.media/)
- [IOPaint](https://github.com/Sanster/IOPaint) - Local CPU-based inpainting
  - [Linux Launcher](https://github.com/airborne-commando/iopaint-launcher/)

## Cloaking tools

[Fawkes](https://github.com/Shawn-Shan/fawkes) - a facial cloaking tool that runs locally on Linux/Windows. Tested on Arch; see issue [#191](https://github.com/Shawn-Shan/fawkes/issues/191). The downside of Fawkes is that it sometimes fails to detect a face, or the cloaked face still gets detected by AI programs anyway.

### Meta Tools
- [ExifTool](https://exiftool.org/) - Metadata editing/stripping

Installation:
```
# Debian/Ubuntu
sudo apt update && sudo apt install exiftool

# Fedora
sudo dnf install exiftool

# Arch
sudo pacman -S exiftool
```

---

## Encryption
- [VeraCrypt](https://veracrypt.io/en/Beginner's%20Tutorial.html) - Container/drive encryption.
- [LUKS](https://guardianproject.info/archive/luks/) - Hard drive encryption.
- [KeePassXC](https://keepassxc.org/) - Passwords and secure notes.

## Anonymity Tools
- IP hiders and VPNs
  - [Tor Project](https://www.torproject.org/)

**What is Tor?**

> "TOR is developed and maintained by The Tor Project, Inc. When you look at the Tor Project's About Page, you'll notice that it's an entity labeled as a 501(c)3; this is a type of nonprofit organization.
> Information about nonprofits can be found in their own set of databases. Check out GuideStar Pro and search for the Tor Project to learn more about the foundation developing this web browser." (Indiana University Bloomington, 2024)[^12]

- [Mullvad VPN](https://mullvad.net/en)
- [I2P](https://geti2p.net/en/)
  - [More info about it here](https://geti2p.net/en/about/intro)
- [Freenet](https://hyphanet.org/) (see below for vulnerabilities)
  - News articles covering these vulnerabilities are listed in the [external links](#external-links) section below; feel free to read them.

According to *The Sacramento Bee*:

> "the U.S. Attorney's Office in Sacramento said two of them included a Lodi man, who was arrested for allegedly using the Freenet network to share child pornography, and a Solano County man, who was arrested for allegedly trafficking a 16-year-old girl who had been reported missing from Sacramento County" (The Sacramento Bee, 2025).[^9]

Tor has also faced vulnerabilities from either:

- timing analyses[^13]
- user error[^14]

> "Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects applications that are properly configured to send their Internet traffic through Tor."

---

- Operating Systems
  - [Tails OS](https://tails.net/) - Live USB OS.
  - [Whonix](https://www.whonix.org/) - VM-based anonymity OS.

- Phones
  - Android
    - **GrapheneOS** - a privacy and security-focused mobile operating system based on the Android Open Source Project (AOSP). Runs only on Pixel phones.

**Protip:** Not storing information on mobile devices is the best OPSEC.

---
## To try TailsOS (Insecure)
---

- [ISO image](https://tails.net/install/download-iso/index.en.html)
- You'll also need one of the hypervisors listed under [Virtualization](#virtualization).

Boot the ISO inside your favorite VM/hypervisor and you should be good to go.

The reason this isn't secure is that the host machine may be [compromised](https://tails.net/doc/advanced_topics/virtualization/index.en.html), and running Tails this way instead of from a USB stick defeats the whole purpose of TailsOS. Only use this if you want to try the OS.

> "Traces of your Tails session are likely to be left on the local hard disk. For example, host operating systems usually use swapping (or paging) which copies part of the RAM to the hard disk" (The Tails Project, n.d.).[^10]

---

## I2P with TailsOS (not supported but is Amnesic)

### 🔧 Installation

1. **Download the script** from the GitHub repository:
   ```
   git clone https://github.com/itsOwen/i2pd-tails-os.git
   cd i2pd-tails-os
   ```

2. **Enable admin privileges** in Tails:
   - At the Tails welcome screen, click "+" under "Additional Settings"
   - Choose "Administration Password"
   - Set a password and continue booting

3. **Run the script**:
   - Open a Terminal (Applications > System Tools)
   - Switch to root with:
     ```
     sudo -i
     ```
   - Navigate to the script directory and run:
     ```
     ./install_i2pd.sh
     ```

4. **Wait for installation to complete** (5-10 minutes)

### 🚀 Usage

After installation, you'll find these desktop shortcuts:

- **Enable I2P**: Activates I2P functionality.
- **Disable I2P**: Deactivates I2P and restores normal Tor-only operation.
- **I2P Console**: Opens the I2P router admin interface.

To use I2P:

1. Click the **Enable I2P** desktop shortcut
2. Start the Tor Browser and browse .i2p sites:
   - For known sites: `http://site.i2p` (never use https://, only http://)
   - For more reliable access: use .b32.i2p addresses

To monitor I2P status:
- Open the I2P console at `http://10.200.1.1:7070`

[Usage and Considerations](https://github.com/itsOwen/i2pd-tails-os?tab=readme-ov-file#-usage).

[With I2P support, Install Docs](https://github.com/itsOwen/i2pd-tails-os?tab=readme-ov-file#-installation).

---

## Virtualization

**Virtualization**: virtual machines running a full operating system (Yale University, 2014).[^3]

### How It Works

* **Virtual Machines (VMs)**: Simulated systems that run independently on shared hardware or in the cloud.
* **Hypervisor**: Software that manages VMs, running directly on the CPU.[^3]
  * **Type 1** runs directly on hardware (e.g., VMware ESXi).[^4]
  * **Type 2** runs on top of an OS, typically a server.[^4]

How secure are **virtual machines**?

As stated on **The University of Tennessee's** webpage:

> "While virtual machines offer valuable flexibility, they can also create security vulnerabilities if they are not properly configured" (University of Tennessee Office of Information Technology, n.d., para. 1).[^2]

It also depends on the host system. For example, if the host gets compromised, either physically or by a virus, and the virtual machine is not secured inside a LUKS drive, the VM goes down with it.

With LUKS, the user typically has to enter the password in order to mount the drive, so the virtual disk stays safe while unmounted.

### Types

* **Server**: Designed to operate on bare-metal machines (The Linux Foundation).[^6] [^5]
* **Desktop**: Centralized desktops delivered to users; think Amazon Web Services.[^7]
  - Can also be for local use, like virt-manager/KVM **hypervisors**.

> "(Local desktop virtualization allows running a virtualization stack on a system physically accessible by the hypervisor, enabling the use of software on a specific OS without installing that OS by creating a virtualized instance)" (Veeam, n.d.).[^8]

* **Network**: Virtual network channels.
* **Storage**: Unified storage from multiple devices.
* **Application**: Apps run independently of the OS.

### Benefits of a remote virtual machine

* Better resource use.
* Lower hardware costs.
* Easy scaling.
* Improved security.
* Simplified backups and recovery.

### Downsides of a remote VM

* Security risks.
* Internet access only.

### Use Cases

Core to cloud computing and enterprise IT, enabling efficient, scalable infrastructure management.

### Benefits of a local virtual machine

* Better security.
* Ease of access.

### Downsides of a local VM

* Hardware costs.
* Single point of failure.

### Use Cases

Personal use cases, from video games to isolating a user environment.

---

- [Libvirt](https://virt-manager.org/) - Advanced Linux virtualization.
- [VirtualBox](https://www.virtualbox.org/) - Cross-platform solution.

---

## Privacy Protection

### Email Services
- [User/Email Generator](https://github.com/airborne-commando/user-email-gen) - For ProtonMail/cock.li
  - PROTIP: For Proton, you'll probably want to use a VPN, as Tor will get flagged; use Mullvad. Cock.li is back up, but you'll need to use an email client; use the ones suggested below.
- [Temp-Mail](https://temp-mail.org/en/) - Temporary email.
- [Username Generator](https://jimpix.co.uk/words/username-generator.php).
- [cock.li](https://cock.li/register.php).
- [ProtonMail](https://proton.me/mail).

### Email clients

- [Thunderbird](https://www.thunderbird.net/en-US/).

### Android
- [K-9 Mail](https://k9mail.app/).

### Data Broker Opt-Out
- [Big Ass Opt-Out List](https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List).

---

## Cryptocurrency
- [Monero (XMR)](https://www.getmonero.org/) - Privacy-focused cryptocurrency.

---

## Data Destruction
- [DBAN](https://dban.org/) - HDD wiping; runs in a VM. Not suitable for SSDs.
- [Arch Linux Wipe Guide](https://wiki.archlinux.org/title/Securely_wipe_disk) - Shows how to effectively wipe an SSD.
- [NVMe/SSD/HDD Nuke Script](https://gist.github.com/airborne-commando/6a690bd0644a9f1d76bc8c585d9ee969) - May brick your drives, trust me.
- [Physical destruction](physical-destruction.md) - Last-ditch effort, may be costly.

---

## Miscellaneous
- [PrivacyTools.io](https://www.privacytools.io/) - Privacy software/resources.
- [crypt.fyi](https://www.crypt.fyi/new) - "Secure" data sharing; I say "secure" because it is not safe against screenshots.
- [One-Time Pad Implementation](https://github.com/airborne-commando/one-time-pad-truly-random).
- [Mouse-R](https://gist.github.com/airborne-commando/105e4c77598aab9662bca833ee944379) - Use with VeraCrypt for mouse entropy.

**Zip**
- [Random Address](https://zip.postcodebase.com/randomaddress) - Zip code generator for the US.

**Credit Card**
- [Card Generator](https://www.creditcardvalidator.org/generator#) - Card generator for fake numbers; you won't be able to buy anything with them.
- [Privacy](https://www.privacy.com/) - Virtual cards; you can set limits. **Do not commit fraud and get sent to collections.**

Example from [PayPal](https://developer.paypal.com/tools/sandbox/card-testing/), which also generates some fake numbers and gives you an idea. Still cannot buy anything.

---

## Secure File Transfer Methods in TailsOS

### Recommended Methods
1. **Encrypted USB Drives**
   - Physical transfer with encryption
   - No internet required

2. **OnionShare (Built-In)**
   - Anonymous sharing via Tor
   - Generates onion links

3. **Tailscale Taildrop**
   - Encrypted P2P between devices
   - Requires Tailscale setup

4. **Persistent Storage**
   - Encrypted storage across sessions
   - Optional VeraCrypt containers

### Comparison Table
| Method             | Encryption | Anonymity | Internet | Best Use Case        |
|--------------------|------------|-----------|----------|----------------------|
| Encrypted USB      | Yes        | No        | No       | Offline transfers    |
| OnionShare         | Yes (Tor)  | Yes       | Yes      | Anonymous sharing    |
| Taildrop           | Yes        | No        | Yes      | Personal device sync |
| Persistent Storage | Yes        | N/A       | No       | Secure local storage |

### Security Notes
- Always wipe metadata
- Never transfer deanonymizing files
- Avoid cross-OS transfers on the same device
- Protect encryption passphrases

### OPSEC Pipeline for secure files

| Database | Human Password | Database | Generated Password | VeraCrypt (db2.kdbx) | Generated Password |
|----------|----------------|----------|--------------------|----------------------|--------------------|
| db1.kdbx | `password123` | db2.kdbx | `ipri0-3ri-03ir-03ir0-3ir0-3wqirw3ir-0wi3ri0-w3ir-iw3-0` | VeraCrypt container | `fjeipfjopefjkpoewjf9pjepwujf9euf9wejfe9-fu90uefu` |

What I tend to do is save this in private notes inside SimpleX. I'd also recommend not saving your password as `password123`.

**Desktop**
- `db1.kdbx` (human-memorable password)
  - Grants access to:
    - `db2.kdbx`
    - VeraCrypt container

**VeraCrypt Container**
- `db1.kdbx` (machine-generated password inside the DB)
  - Grants access to:
    - Sensitive files
    - `db2.kdbx`

**SimpleX**
- Securely transfers the `db2` password
- After transfer: run `wipe` to remove residuals on the desktop (HDD); for an SSD, use an encrypted drive or container.
- Can upload/download from the encrypted container.

Then, if I need to, I share it with another SimpleX note on my phone by connecting my own phone instance and the desktop as a chat, then forwarding it to private notes.
After that is done, I delete the conversation on both but keep the private notes on both, adding redundancy. Just save inside SimpleX and on the desktop to reduce data remnants.

For SSDs I'd recommend using LUKS or a container, as securely erasing by traditional means is basically useless if you want to format the entire drive.[^1]

You may also just send things to RAM with tmpfs and shut down afterwards, as it lets normal users write into it:

> "Tmpfs is a file system which keeps all files in virtual memory. Everything in tmpfs is temporary in the sense that no files will be created on your hard drive. If you unmount a tmpfs instance, everything stored therein is lost" ("Tmpfs is a file system," 2001).[^11]

However, tmpfs may be an insecure method without dm-crypt/LUKS because of swap.[^15]

There is also the multi-user issue, which can be solved with this line in fstab:[^16] [^17]

```
tmpfs /www/cache tmpfs rw,size=1G,nr_inodes=5k,noexec,nodev,nosuid,uid=user,gid=group,mode=1700 0 0
```

---

**Remember:** The best OPSEC sometimes means not interacting with your target at all, to avoid alerting them.

**You also [Didn't Have to Post That](https://www.youtube.com/watch?v=AkQaL9SU2BY)**.
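The fstab line above bundles several independent hardening options (`nosuid`, `nodev`, `noexec`, a `size=` cap, an owner and a private `mode=`). The following checker is added here as an example and is not code from this guide or from any project it links: it parses fstab text and reports which tmpfs entries lack those options. The sample fstab embedded in it is constructed; the `UUID=PLACEHOLDER-ROOT` device is a placeholder.

```python
"""Audit tmpfs lines in an fstab for the hardening options used in the guide's example."""

# Options the guide's example combines to keep other users (and setuid binaries) out of the mount.
REQUIRED_FLAGS = {"nosuid", "nodev", "noexec"}


def parse_fstab(text: str) -> list:
    """Return one dict per non-comment fstab line: device, mountpoint, fstype and an options dict."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # fs_spec, fs_file, fs_vfstype and fs_mntops are mandatory
        opts = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")  # "size=1G" -> ("size", "1G"); "noexec" -> ("noexec", "")
            opts[key] = value
        entries.append({"device": fields[0], "mountpoint": fields[1],
                        "fstype": fields[2], "options": opts})
    return entries


def check_tmpfs(entry: dict) -> list:
    """Findings for one tmpfs entry; an empty list means it matches the hardened example."""
    opts = entry["options"]
    findings = [f"missing {flag}" for flag in sorted(REQUIRED_FLAGS - set(opts))]
    if "size" not in opts:
        findings.append("no size= limit (defaults to half of RAM; a full tmpfs pushes the system into swap)")
    mode = opts.get("mode")
    if mode is None:
        findings.append("no mode= (tmpfs defaults to 1777, world-writable)")
    else:
        try:
            if int(mode, 8) & 0o077:  # any group/other permission bit set
                findings.append(f"mode={mode} grants group/other access")
        except ValueError:
            findings.append(f"mode={mode} is not octal")
    if "uid" not in opts or "gid" not in opts:
        findings.append("no uid=/gid= owner to pair with the restrictive mode")
    return findings


def audit(text: str) -> dict:
    """Map each tmpfs mountpoint in the fstab text to its list of findings."""
    return {e["mountpoint"]: check_tmpfs(e) for e in parse_fstab(text) if e["fstype"] == "tmpfs"}


# Constructed sample: the /www/cache line is the guide's hardened entry, /scratch is a bare default mount.
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample, not from a real system)
UUID=PLACEHOLDER-ROOT  /           ext4   defaults  0 1
tmpfs  /www/cache  tmpfs  rw,size=1G,nr_inodes=5k,noexec,nodev,nosuid,uid=user,gid=group,mode=1700  0 0
tmpfs  /scratch    tmpfs  defaults  0 0
"""

if __name__ == "__main__":
    for mountpoint, findings in audit(SAMPLE_FSTAB).items():
        print(mountpoint, "->", findings or "OK")
```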
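The Security Notes say to always wipe metadata, and ExifTool is the tool listed for it. As an added example (not code from this guide or from ExifTool), the following walks a JPEG's marker segments, drops the APPn and COM segments where Exif, XMP, ICC, IPTC and comments live, and lists whatever metadata segments remain, which is the check worth running after any stripping tool. The sample JPEG bytes are constructed, not a real photo; APP0 (JFIF) and APP14 (Adobe) are kept because decoders rely on them.

```python
"""Strip and verify JPEG metadata segments by walking the file's marker segments."""
import struct

SOS, EOI = 0xDA, 0xD9
KEEP_APP = {0xE0, 0xEE}                        # APP0 (JFIF) and APP14 (Adobe) influence decoding
STANDALONE = {0x01} | set(range(0xD0, 0xD8))   # TEM and RSTn markers carry no length field


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each segment up to SOS; the SOS entry spans to end of file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated file")
        marker, start = data[pos], pos - 1
        if marker == SOS:                  # entropy-coded data follows; pass it through to EOI verbatim
            yield marker, start, len(data)
            return
        if marker in STANDALONE or marker == EOI:
            yield marker, start, pos + 1
            pos += 1
            continue
        (length,) = struct.unpack(">H", data[pos + 1:pos + 3])   # length includes its own two bytes
        end = pos + 1 + length
        if end > len(data):
            raise ValueError("truncated segment")
        yield marker, start, end
        pos = end


def is_metadata(marker: int) -> bool:
    """APP1..APP13/APP15 (Exif, XMP, ICC, IPTC, ...) and COM are the metadata carriers."""
    return (0xE0 <= marker <= 0xEF and marker not in KEEP_APP) or marker == 0xFE


def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with every metadata segment removed; image tables and scan data are untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(data):
        if not is_metadata(marker):
            out += data[start:end]
    return bytes(out)


def list_metadata(data: bytes) -> list:
    """Names of metadata segments still present; an empty list is what you want after stripping."""
    return ["COM" if m == 0xFE else f"APP{m - 0xE0}" for m, _, _ in iter_segments(data) if is_metadata(m)]


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (not a real photo): JFIF header, an Exif block, a comment, then minimal image tables.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00CONSTRUCTED-GPS-AND-CAMERA-TAGS")
    + _segment(0xFE, b"Created by constructed-sample-camera")
    + _segment(0xDB, b"\x00" + bytes(64))                        # DQT
    + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")    # SOF0: 8x8, one component
    + _segment(0xC4, b"\x00" + bytes(16) + b"\x00")              # DHT
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                # SOS header
    + b"\x12\x34\x56"                                            # entropy-coded data (constructed)
    + b"\xff\xd9"
)
```

Run `list_metadata` on a file after ExifTool has processed it; anything other than an empty list means a carrier segment survived.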

---

## External Links:

* [Virtualization via Virtual Machines - blog post, September 18, 2017](https://www.sei.cmu.edu/blog/virtualization-via-virtual-machines/)
* [The Linux Kernel Archives — tmpfs (August 23, 2024)](https://www.kernel.org/doc/html/latest/filesystems/tmpfs.html)
* [Ramfs, rootfs and initramfs — Linux Kernel documentation (October 17, 2005)](https://www.kernel.org/doc/html/latest/filesystems/ramfs-rootfs-initramfs.html#ramfs-rootfs-and-initramfs)
* [tmpfs(5) manual page — Arch Linux Man Pages (updated Sep 21, 2025, Linux man-pages 6.16)](https://man.archlinux.org/man/tmpfs.5)
* [DMCrypt - cryptsetup Wiki](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt)
* [cryptsetup - GitLab repository](https://gitlab.com/cryptsetup/cryptsetup)
* [cryptsetup(8) manual page — Arch Linux Man Pages (updated Aug 13, 2025, Linux man-pages 2.8.1-1)](https://man.archlinux.org/man/core/cryptsetup/cryptsetup.8.en)
* [Chapter 29 Section 2 - Encrypting block devices using dm-crypt/LUKS - Red Hat documentation (2025)](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/5/html/installation_guide/ch29s02)
* [dm-crypt - ArchWiki (updated 21 June 2025)](https://wiki.archlinux.org/title/Dm-crypt)
* [GrapheneOS: Frequently Asked Questions - supported devices](https://grapheneos.org/faq#supported-devices)
* [Using Tor Safely – Tor Browser Best Practices](https://support.torproject.org/tor-browser/security/using-tb-safely/)
* [Timeless Timing Attacks and Preload Defenses in Tor's DNS Cache](https://www.usenix.org/system/files/sec23summer_458-dahlberg-prepub.pdf)
* [Police plants own computers in Freenet, log IPs, makes arrest – Hacker10](https://hacker10.com/internet-anonymity/police-plants-own-computers-in-freenet-makes-arrest/)
* [Police departments tracking efforts based on false statistics – Hyphanet](https://www.hyphanet.org/police-departments-tracking-efforts-based-on-false-statistics.html)
* [A De-anonymization Attack against Downloaders in Freenet – IEEE 2024 Publication (IEEE Xplore)](https://ieeexplore-custom.ieee.org/document/10621209?reload=true)

## References:

[^1]: "Layered Security." *ScienceDirect*, Elsevier B.V., 2025, www.sciencedirect.com/topics/computer-science/layered-security. Accessed 22 Sept. 2025.

[^2]: University of Tennessee Office of Information Technology. (n.d.). *Protecting your virtual machines*. University of Tennessee. https://oit.utk.edu/security/learning-library/article-archive/protecting-your-virtual-machines

[^3]: Yale University. "Virtualization." Yale, 17 June 2014, www.cs.yale.edu/homes/aspnes/pinewiki/Virtualization.html.

[^4]: Kelley, Karin. "Cloud Computing Tutorial: Virtualization, Hypervisors, and VMware Workstation - Caltech." pg-p.ctme.caltech.edu, 24 June 2024, pg-p.ctme.caltech.edu/blog/cloud-computing/virtualization-hypervisors-and-vmware-workstation.

[^5]: Vanderbilt University. "Virtual Servers." Vanderbilt University, tdx.vanderbilt.edu/TDClient/33/Portal/Requests/ServiceDet?ID=147. Accessed 26 Sept. 2025.

[^6]: The Linux Foundation. "XCP-ng Documentation." Xcp-ng, docs.xcp-ng.org. Accessed 26 Sept. 2025.

[^7]: GeeksforGeeks. "What Is Hosted Virtual Desktops (HVD)?" GeeksforGeeks, 23 July 2025, www.geeksforgeeks.org/cloud-computing/what-is-hosted-virtual-desktops-hvd/#.

[^8]: Veeam. (n.d.). *Local desktop virtualization*. Veeam. https://www.veeam.com/glossary/desktop-virtualization.html

[^9]: The Sacramento Bee. (2025, May 7). *Lodi man arrested in federal child pornography case, Solano suspect accused of trafficking teen*. The Sacramento Bee. https://www.sacbee.com/news/local/crime/article305942121.html

[^10]: The Tails Project. (n.d.). *Virtualization*. Tails. Retrieved October 4, 2025, from https://tails.net/doc/advanced_topics/virtualization/index.en.html

[^11]: Rohland, C. (Original work published 2001, December 01). *Tmpfs - a file system which keeps all files in virtual memory*. Updated by Dickins, H., & Kosaki, M. (2010). Retrieved November 10, 2025, from https://research.cs.wisc.edu/adsl/Software/tratr/.scripts/tratr/Documentation/filesystems/tmpfs.txt

[^12]: "Library Research Guides: Digital Privacy: Digital Privacy Practices." Indiana University Bloomington, Wayback Machine, 7 July 2025, https://web.archive.org/web/20250208104257/https://guides.libraries.indiana.edu/c.php?g=1325689&p=9771453.

[^13]: Irwin, K. (2024, September 20). *Tor dark web browser users reportedly unmasked by police*. PCMag. https://www.pcmag.com/news/tor-dark-web-browser-users-reportedly-unmasked-by-police

[^14]: Tor Project. (n.d.). *Tor Browser best practices*. Retrieved December 1, 2025, from https://support.torproject.org/tor-browser/security/using-tb-safely/

[^15]: FreeBSD Documentation Project. (n.d.). *Encrypting swap*. FreeBSD Handbook. https://docs-archive.freebsd.org/doc/13.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/swap-encrypting.html

[^16]: The Linux Kernel Archives. (2025, May 17). *tmpfs(5) - a virtual memory filesystem*. Linux man-pages. https://man7.org/linux/man-pages/man5/tmpfs.5.html

[^17]: ArchWiki. (2025, September 28). *tmpfs*. https://wiki.archlinux.org/title/Tmpfs