The 73 Rules Of OPSEC | Ultimate Tips & Tricks

The greatest weapon a man or woman can bring to the type of community in which we are engaged is their hard common sense. The following notes aim at being a little common sense in applied form. Simple common sense crystallized by a certain amount of experience into a series of rules and suggestions.

  1. There are many virtues to be striven after. The greatest of them all is security. All else must be subordinate to that.

  2. Security consists not only in avoiding big risks. It consists in carrying out daily tasks and interactions with the painstaking remembrance of the tiny things that security demands. The little things are in many ways more important than the big ones. It is they which most often give the game away. It is consistent care in them that forms the habits of true security mindedness.

  3. In any case, the person who does not indulge in a daily security routine, boring and useless as it often appears, for example to boot into a system which takes minutes to load when a less secure option will be near-instant, or in shutting down a system safely and instantaneously, keeping in mind how RAM operates and how shutdown time can make all the difference in case of a bust, will be found lacking in the proper instinctive reaction when dealing with the bigger stuff.

  4. No matter how brilliant an individual, now matter how great their goodwill, no matter how exquisite the material they produce, if they’re lacking in security, they will eventually be more of a liability than an asset.

  5. Even if you feel someone had a good idea of who you are, never admit it. Keep on playing your part. It is amazing how easy it is to lead people to believe they’ve been mistaken. It is important that neither by admission nor implication do you let anyone connect you between your identity and your illegal activities.

  6. Security, of course, does not mean stagnation or being afraid to go after things, material or otherwise. It means going after things but reducing all risks to the minimum via hard work.

  7. Do not overwork your ‘cover’. Coming up with a long rationalization for the existence of Tor on your computer, or a bizarre container file, looks far more suspicious than just following point five, and diverting attention.

  8. Never leave things lying about unattended. For us, a perfect example of this would be leaving yourself booted into a secure system while not physically present at a machine. If you ever do have to destroy physical evidence, in particular a hard drive, do so thoroughly. Physically carry as little material that connects you to this world as possible, and for the shortest possible time, whether it is encrypted or not.

  9. The greatest vice in this game is carelessness. Mistakes can never be rectified. Nothing you publish will ever disappear in a way you can be completely confident of.

  10. The next greatest vice, perhaps greater than carelessness for the producers among us, is vanity. Its offshoots are many and malignant.

  11. The man with a swelled head, and here we mean his big head, even if swollen by love for his little lover or what he brings to a community, never learns. There is always a great deal to be learned, by everyone, at all times.

  12. Controlled substances are dangerous. They loosen the tongue, distort vision, and promote indolence. They provide grand weapons to an enemy.

  13. It has been proven time and time again: sex and business do not mix.

  14. In this world, there are no hours. Never let your guard down. This is your life and you can never drop your guard.

  15. Keeping in mind the above about ‘no hours’, but from a different perspective, you must delineate when you are in ‘this world’ and when you are not. Do not neglect your outside life to its extreme detriment. This draws attention.

  16. You should be able to balance your life outside the screen and life inside the screen. If you have real goodwill and enthusiasm for your communities, these two can be combined without either having to suffer.

  17. The desire for speed is the greatest curse of this world. Speed in interaction, downloads, communication. It is a constant temptation to slackness. Even if you have developed a strong penchant for patience, there is no guarantee that the other fellow has as well. Warn him. Act on the principle that the faster the promised ‘solution’, the more dangerous it is. Think about this before you download something off a Russian host, using your home IP and host system, because it was just taking too long to do it in your hardened system via Tor.

  18. Very rarely, for quite exceptional circumstances, it may be permissible to use pure clearnet as a channel of communication. Without exceptional reasons, it is to be completely avoided. It can be done safely, but there is never a good enough reason.

  19. When using pure clearnet, the more hops you have, the more trusted partners you can involve, and the more you can distance yourself from the communique, the better off you are. Anything communicated in pure clearnet must always be completely apparently innocent.

  20. Spend hours or even days rather than taking a risk like using pure clearnet to communicate, download a file, or anything else. Desiring speed is our greatest curse. Involving pure clearnet risks getting too elaborate - the great rule here, as in all else, is to be safe and natural.

  21. Never leave a computer open, in your host system or hardened system or otherwise, to something that could be even remotely identifiable.

  22. Choose your communities carefully. Be especially careful of the hosting solution. The story told to them should always depend on circumstances, and they should be selected due to personal connections, and have no part in the community that is not unavoidable.

  23. Be yourself. That is to say: be natural inside the setting you have cast for yourself. This is especially important when communicating with someone for the first time, whether in private or in public communities. Remember, the calm person attracts little attention. Never strain after an effect, you would not do so in ‘ordinary’ life. Look upon your participation in this setting as perfectly normal and natural.

  24. Look at other people, as little as possible and do not dawdle. Looks draw looks.

  25. Do not present yourself in a way that is calculated to draw attention or single you out easily, especially across multiple identities and sites.

  26. Be punctual, and expect punctuality from your contacts.

  27. Do not physically meet up with people who know you online. Do not give your online identity to someone you know in real life. There are no exceptions.

  28. Avoid visiting sites where you will be noticeable. For example, the first avid viewers of cooldaddy’s videos on motherless soon found themselves in great trouble. Make yourself fit in with the background, and do not be part of a correlatable crowd.

  29. Your time zone is your business. Do not comment that it is dark out or light out, midnight or noon.

  30. Do not try to meet people in chat rooms, excepting those that operate fully over Tor without the need for potentially dangerous scripting. Chat rooms are part of the ‘speed’ issue. Instant communication is nice, but speed should never trump security.

  31. If you are not in control of the medium used to communicate with someone (TorChat, TorBox, etc), and you must communicate with them, try to eliminate as much risk as you possibly can with the choices you make. Ensure you must communicate with them.

  32. Never provide a chance real-life acquaintance with information that could even partially link you to an online identity. Always consider how you are increasing the pool of people who will recognize you in the future. Consider Ross Ulbricht, and the many people appearing to speak to what they knew of him, little as it may have been.

  33. Always be polite, but not exaggeratedly so. There is a certain class of persons who have proven useful to you. However, do not be overly ‘polite’ or ‘giving’ with them in the material sense, as that kind of stimulus will make you stick in their minds.

  34. Confidence does not come easily to all of us. It must be assiduously cultivated. Not only because it helps you personally, but because it cultivates the same in those you speak to.

  35. Never be dramatic or intense with someone before you have quietly assured them of your ultimate level-headedness.

  36. When building relationships, always leave a line of retreat, socially, open to yourself.

  37. Never take a person for granted. Very seldom judge any person at any level of any community to be above suspicion. We live by deceiving as much as by trusting. Others live by deceiving us, from the lowly LEA agent to the high-level Sabu-esque mole. The other, the adversary, has people as clever as us. If they can be deceived, so can we.

  38. Above all do not lie to yourself. Do not decide another person is alright because you yourself want it that way. You are dealing in people’s lives, not just your own.

  39. When you have made a strong contact, before you are absolutely sure of them and perhaps even then, be a small but eager intermediary. Have a “They” in the background for whom you act. If “They” are harsh, if “They” decide to break things off, it is never any fault of yours. Indeed, you can pretend to have a personal grievance about it.

  40. Try to find people who do not work for attention alone, but out of conviction. Remember, however, that we cannot live by conviction alone. Dispense attention as they need it, and avoid the idealists whose heads are forever in the clouds.

  41. Become a real friend to people. We all have a human side, so take an interest in the affairs of others. But never let your friendship overshadow your sense of duty to your own security. That must remain forever impervious to any sentimental considerations. Otherwise your judgement will be affected, and you may become lax and thus endanger yourself, him, and others.

  42. Gain the trust of those around you, but be wary of giving away more of yourself than is necessary. Someone may fall away, may fight with you, and you may need to get rid of him yourself. In that case, obviously, the less information he possesses the better. Equally, obviously, if a friend runs the risk of falling into the hands of the enemy (which we all do), it is unfair to him and to you for him to be in possession of more information about you than he need know.

  43. If you have a bizarre schedule that randomly prohibits your ability to be here, this is a good thing. Do not get so wrapped up in this world that you lose sight of the other.

  44. Teach new people at least the barest elements of security. Do not leave it to the newbie’s best judgement, though eventually you must and can then only hope for the best. Insist, at least, on an expectation for security which requires the person to adhere strictly to the basest of principles. Praise this person when they do well, admonish them when they err.

  45. Do not be afraid to be harsh if it is your duty to be so. You are likewise expected to be so with yourself. When matters of necessity arise, neither the feelings of you nor any other matter. Only the community, the security and safety of that which has been entrusted to you, is what counts.

  46. You have no right to expect of others that which you are not prepared to do yourself. On the other hand, do not rashly expose yourself in an act of personal courage, no matter how important it may appear to be. It takes moral courage to ask another fellow to do a dangerous task rather than do it yourself, but if this is the proper course, then you must follow it.

  47. If you have a person within your circle of friends or community who is either very important to you personally, essential to your community, or both, do not let them know this. Infer, without belittling, that there are other lines and other, bigger groups in the shadows, and that while this person matters they are but part of a larger mosaic.

  48. Never let the excitement of a contact drag you unwillingly behind. You can always fall back on the “They” for whom you act.

  49. However, if a friend knows the community or scene in which you are operating better than you, listen to their advice and consult them. The person on the spot is the one who can judge.

  50. If you get directives from someone, no matter how important their role in a community, if you believe they are ill-advised, do not be afraid to oppose them. Particularly so if there is a grave danger to security without a real corresponding boon.

  51. If you are part of several communities, keep your identities separate unless the moment comes where bringing them together is a matter of necessity. Keep these lines firmly drawn and, within the bounds of reason, strengthen them further. Each line of separation minimizes the danger of total loss if one part of your world is brought down by the adversary.

  52. Never start something, big or small, before you know the details. Do not count on luck. Or only on bad luck.

  53. Obfuscate the true nature of any ‘exchange’. Tor does this for you, but still keep it in mind and ensure you understand exactly how the Tor system protects you.

  54. The benefit of encrypting communication always outweighs the trouble. Look at Tormail.

  55. The ingredients you should consider when you become part of any new community or circle are serious considerations of the technical security aspects, the personal suggestions of friends already within, the nature of obfuscation you will use for your identity to protect it from even those you already know within, and more. This applies especially in the case of exploring a completely new technology (eg - Tor, I2P, Freenet).

  56. What you should always be aiming for is not a quick result but rather a series of results which will keep growing. Does this mean more friends, more material, more communities, or something else entirely? With the proper protective mechanisms, this growth, no matter the kind, need carry no fear of discovery.

  57. Serious groundwork is more important than rapid action. Running the Tor Browser Bundle off your desktop may get you quick results, but skipping the groundwork of truly protecting yourself misses the whole point.

  58. Remember that others viewing you will immediately label you, and the process of gaining or losing trust has already begun. People only with difficulty change their sizing-up of a person once they have made it. They have to be truly jolted out of it. If someone places a negative label on you but you prove yourself to be, dramatically but safely (remembering the stupidity of personal bravery) trustworthy, you can change their mind. In the same vein, if someone places a positive label on you it takes one act of incredible stupidity to lose everything you have worked towards. Even then do not accept that all is lost, but go back to the drawing board and build yourself up again.

  59. The role you choose to play has to do with where you want to be. Administrator, host, moderator, producer, writer, advisor, lurker, hoarder, reader, trader - you must school yourself to not do any wishful thinking, and do not persuade yourself that what you want to do is what you ought to do.

  60. Your appearance should meld smoothly with the character you present. There should not be too much of a strain in keeping up appearances, imprint who you are on the minds of others. When you come up in conversation, others should know something concrete about you that all can agree on, outside of your direct interference.

  61. Where you choose to place the system that allows you entrance to this world is a thorny problem. In a private study, bedroom, or office, there are always security concerns with any physical location. Work hard to reduce the risk of discovery by others as much as possible, from the simple action of turning your screen away from a window, to the larger action of understanding how your keyboard can work against you.

  62. If you are in a relationship, the presence of your significant other must be remembered and accounted for at all times. Locked doors and tapping keyboards raise suspicion, and the possibility of attempted intrusion almost more than anything else.

  63. Should you tell your significant other about this world? It is taken for granted that anyone who has read this far has both discretion and judgement. If you think your partner is to be trusted, you may certainly tell them about this world without necessarily including particular details of specific communities or identities. It would not be fair to keep a partner in the dark without serious reasons demanding it. At this point, a partner would have to be coached in the same way the new person would be.

  64. Among your friends, never know too much. Do not be too knowledgeable about anything. Often this means biting down on your own vanity when you wish to show off what you know or possess. This is especially difficult when you hear incorrect assertions or misstatement of irrefutable fact.

  65. Not knowing too much does not mean not knowing anything. Unless there is special reasoning behind it, it is not good to be seen as an idiot or a person without discretion. This does not invite others to trust you.

  66. Show your intelligence, but be quiet about things that brush the edge of that which could identify you, either between identities, or to your real-world persona. Talk about a model and what you know about her, but don’t say something about being friends with the producer. Discuss a community and its benefits or drawbacks without mentioning you are also on staff there. Be seen as a good person anxious to pass along useful information or good material in the hope that it may prove beneficial.

  67. When you think a friend possesses certain knowledge, or material, that may be of use to you or of particular interest, remember that praise is acceptable to the vast majority of people. When honest praise is difficult to phrase, flattery will do equally well.

  68. Within the limits of your principles, be all things to all people. But don’t betray your principles. The strongest force in your world is you. Your sense of right, your sense of respect for yourself, others, and especially children. It is your responsibility to bend circumstances to your will, not to let circumstances bend or twist you.

  69. In this world, always be in harmony with your own conscience. Put yourself periodically in the ‘dock’ for ‘cross-examination’. You can never be better than your best, but only your best is good enough in security matters both social and technical.

  70. This is one of the most special worlds to exist in, our little corner of Tor, no matter how small your part may appear to be. Countless people would give anything to be where you are. Remember that and appreciate the privilege. No matter what others do or say, play your part well.

  71. Never get into a rut and never rest on your laurels. There are always new lines around the corner, new challenges to address, new changes and variations to be introduced. Unchanging habits in security lead to carelessness. Keep up with how things develop, and do not become complacent, not ever.

  72. If anything, overestimate the adversary. Never underestimate them. But do not let that lead to nervousness or lack of confidence. Don’t get rattled and know that with hard work, calmness, and by never irrevocably compromising yourself you can always best them.

  73. Lastly, and above all, REMEMBER SECURITY.

The above points are not intended for a cursory or even mildly interested glance. They all deserve and even require serious attention and at least occasional re-reading.

It is probable also that dotted here and there are claims that have particular present application. Act on them right away.

Credit to nulled @p4r4d0xadmin

Happy learning!

Thanks to Chief @SaM for assigning the post!

3 Likes