Operational Security

Tools don’t protect you. Habits do.

You can have the most encrypted, hardened, anonymized setup in the world—and blow it all by posting a photo that reveals your location, using your real name once, or clicking a phishing link.

Operational Security (OpSec) is the discipline of protecting information through consistent practices. It’s the difference between having security tools and actually being secure.

This final week ties everything together. You’ll learn the mindset, habits, and ongoing practices that make all your previous weeks of work actually effective.


The OpSec Mindset

Security Is a Process, Not a Product

Common mistake: “I installed a VPN, now I’m private.”

Reality: Privacy requires:

  • Consistent habits
  • Ongoing vigilance
  • Regular updates
  • Adapting to new threats
  • Understanding your threat model

No tool makes you automatically secure. Tools enable security; behavior determines it.

Think Like an Adversary

To protect yourself, ask: “How would someone try to attack me?”

Consider:

  • What information am I trying to protect?
  • Who might want that information?
  • What resources do they have?
  • What mistakes could I make?
  • What’s my weakest link?

Example: You use Signal for sensitive conversations. But your contact has iCloud backup enabled. Your messages are encrypted… until they’re backed up to Apple’s servers in plain text.

Your security is only as strong as its weakest point.

Common weak links:

  • Reused passwords (one breach = all accounts)
  • SMS for 2FA (SIM swap attacks)
  • Unencrypted backups
  • Trusting others with your security choices
  • Single point of failure (one device, one account)

Fix weak links before adding more tools.


Part 1: Identity Compartmentalization

Separate Your Identities

One identity for everything = complete correlation.

If you use the same email, username, and writing style everywhere, all your activity can be linked.

Compartmentalize:

  • Work identity: Professional email, LinkedIn, work-related accounts
  • Personal identity: Friends/family communication, social media
  • Anonymous identity: Sensitive research, activism, anonymous accounts
  • Shopping identity: E-commerce, deliveries, subscriptions

Practical Separation

Email (from Week 5):

  • Work: yourname@company.com
  • Personal: yourname@proton.me
  • Anonymous: random-alias@simplelogin.co
  • Shopping: shop-[store]@simplelogin.co

Browser containers (from Week 3):

  • Work container
  • Personal container
  • Banking container
  • Shopping container
  • Anonymous container

Physical separation:

  • Work device vs personal device
  • Different phone numbers for different purposes
  • Separate payment methods

Username Hygiene

Never reuse usernames across identities.

Your clever username cyber_ninja_42 on Reddit, GitHub, and that forum from 2010? All linked. Forever indexed.

For anonymous accounts:

  • Generate random usernames
  • Different for each service
  • No pattern (not anon_user_1, anon_user_2)
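
An added example, not part of the course material: a small self-audit that generates pattern-free usernames and flags names in your own account list that are reused or differ only by a counter. The `audit` and `stem` helpers and the sample inventory are constructed for illustration.

```python
import re
import secrets
import string

def random_username(length=12):
    """Random name with no words or counters in it; starts with a letter."""
    alphabet = string.ascii_lowercase + string.digits
    return secrets.choice(string.ascii_lowercase) + "".join(
        secrets.choice(alphabet) for _ in range(length - 1))

def stem(username):
    """What is left once case, digits and separators are ignored."""
    return re.sub(r"[^a-z]", "", username.lower())

def audit(accounts):
    """accounts maps service -> username; return (kind, stem, services) findings."""
    by_stem = {}
    for service, name in sorted(accounts.items()):
        by_stem.setdefault(stem(name), []).append((service, name))
    findings = []
    for core, uses in by_stem.items():
        if core and len(uses) > 1:
            kind = "reused" if len({n for _, n in uses}) == 1 else "pattern"
            findings.append((kind, core, [s for s, _ in uses]))
    return findings

# Constructed inventory; the first four names are the ones the text warns about.
SAMPLE = {
    "reddit": "cyber_ninja_42", "github": "cyber_ninja_42",
    "forum-a": "anon_user_1", "forum-b": "anon_user_2",
    "mail-alias": random_username(),
}
```

Running `audit(SAMPLE)` reports the shared `cyber_ninja_42` as reused and the two `anon_user_N` names as a pattern, while the random alias produces no finding.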

Writing Style (Stylometry)

Your writing has a fingerprint:

  • Word choice
  • Sentence length
  • Punctuation habits
  • Emoji usage
  • Common phrases

For truly anonymous writing:

  • Consciously vary your style
  • Use simpler vocabulary
  • Avoid distinctive phrases
  • Run text through paraphrasers (carefully)
  • Be aware this is extremely hard

Part 2: Digital Hygiene

Regular Security Maintenance

Weekly:

  • Check for system updates
  • Review password manager for weak/old passwords
  • Clear browser data if not auto-clearing
  • Check for unfamiliar logged-in sessions

Monthly:

  • Review connected apps/permissions on accounts
  • Check “Have I Been Pwned” for new breaches
  • Verify backup integrity
  • Review account list—close unused accounts

Annually:

  • Rotate critical passwords
  • Review and update threat model
  • Audit all accounts for 2FA status
  • Test backup restoration
  • Update emergency access plans

Software Updates

Updates fix security vulnerabilities. Delaying updates = leaving known holes open.

On Linux Mint:

# Check for updates
sudo apt update

# Install all updates
sudo apt upgrade -y

# Occasionally do full upgrade
sudo apt full-upgrade -y

Enable automatic security updates:

  • Update Manager → Edit → Preferences
  • Automation tab → Configure automatic updates

Account Hygiene

Close accounts you don’t use:

  1. List all accounts (check password manager)
  2. Identify unused accounts
  3. Download your data first (GDPR/CCPA rights)
  4. Delete accounts properly (not just “deactivate”)
  5. Remove from password manager

Every account is an attack surface. Fewer accounts = smaller attack surface.

Browser Hygiene

Regular cleanup:

  • Clear cookies weekly (or use auto-clear from Week 3)
  • Review and remove unused extensions
  • Check extension permissions
  • Reset browser profile periodically for a fresh start

Email Hygiene

Regularly:

  • Unsubscribe from unnecessary newsletters
  • Review email forwarding rules (attackers add hidden forwards)
  • Check connected apps with email access
  • Archive or delete old sensitive emails

Part 3: Physical Security

Device Security

Lock your devices:

  • Strong screen lock (not 4-digit PIN)
  • Short auto-lock timeout (30 seconds to 1 minute)
  • Require password on wake from sleep

When leaving devices:

  • Lock screen manually (Super+L on Linux)
  • Never leave unlocked in public
  • Consider privacy screens in public places

At borders/checkpoints:

  • Power off devices (disk encryption only protects data while the device is powered off)
  • Know your rights (varies by country)
  • Consider travel devices with minimal data

Physical Document Security

Shred sensitive documents:

  • Financial statements
  • Medical records
  • Anything with account numbers
  • Pre-approved credit offers

Cross-cut shredder recommended (strips can be reconstructed).

Secure Workspaces

At home:

  • Position monitor away from windows
  • Secure sensitive documents in locked container
  • Use privacy screens if others share the household

In public:

  • Sit with back to wall
  • Use privacy screen
  • Be aware of shoulder surfers
  • Don’t discuss sensitive topics aloud

Device Disposal

Before disposing of devices:

Computers:

  1. Backup important data
  2. Encrypt the drive if not already
  3. Wipe drive securely:
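    # Double-check the device name first: this destroys everything on /dev/sdX
    # On SSDs and flash media some blocks can escape an overwrite, so do step 2 (encryption) first
    # Overwrite with random data (time consuming but thorough)
    sudo dd if=/dev/urandom of=/dev/sdX bs=4M status=progress
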
  4. Physical destruction if extremely sensitive

Phones:

  • Factory reset (encryption makes this more effective)
  • Remove SIM and SD cards
  • Physical destruction if necessary

USB drives:

  • Full overwrite (not just format)
  • Physical destruction if sensitive data was stored

Part 4: Social Engineering Awareness

The Human Element

Most breaches involve social engineering—manipulating people rather than hacking systems.

Common attacks:

  • Phishing: Fake emails/sites that steal credentials
  • Pretexting: Attacker poses as authority figure
  • Baiting: Malware disguised as useful software
  • Quid pro quo: “I’ll help you if you give me access”

Recognizing Phishing

Check before clicking:

  • Hover over links—does URL match expected domain?
  • Check sender’s actual email address (not display name)
  • Look for urgency (“Your account will be closed!”)
  • Grammar/spelling errors (though AI has improved phishing quality)
  • Requests for sensitive information
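
An added example, not part of the course material: three of the checks above (real sender address, link target versus link text, urgency wording) run over a constructed message. The domains `bank.example`, `bank-example.test` and `verify.test` are placeholders, and the urgency phrase list is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("will be closed", "suspended", "act now")  # constructed phrase list

class Links(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data if self.href is not None else ""
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host_of(s):  # hostname of a URL or URL-looking text; "" for ordinary words
    s = s.strip()
    try:
        host = urlparse(s if "://" in s else "http://" + s).hostname or ""
    except ValueError:
        return ""
    return host if "." in host and " " not in host else ""

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def check_email(raw, expected_domain):  # assumes a single-part HTML message
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]  # real address, not the display name
    body = msg.get_payload()
    findings = [] if in_domain(addr.rpartition("@")[2].lower(), expected_domain) else [("sender-domain", addr)]
    links = Links()
    links.feed(body)
    for href, text in links.found:
        target, shown = host_of(href), host_of(text)
        if not in_domain(target, expected_domain):
            findings.append(("link-domain", target))
        if shown and shown != target:  # text shows one site, link opens another
            findings.append(("link-text-mismatch", f"{shown} -> {target}"))
    return findings + [("urgency", p) for p in URGENCY if p in body.lower()]

# Constructed sample message using placeholder domains.
SAMPLE = ('From: "Example Bank Support" <support@bank-example.test>\n\n<p>Your account will be closed! '
          '<a href="http://bank.example.verify.test/reset">https://bank.example/login</a></p>')
```

`check_email(SAMPLE, "bank.example")` returns four findings. The hostname is taken from the parsed URL, so a link such as `https://bank.example:pw@evil.test/` is attributed to `evil.test` and not to the name in front of the `@`.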

When in doubt:

  1. Don’t click links in email
  2. Navigate directly to the official site
  3. Contact company through official channels
  4. Ask someone you trust

Verify Requests

Someone claiming to be support/authority?

  1. Don’t give information immediately
  2. End the conversation
  3. Contact the organization directly using official number/email
  4. Ask if they initiated contact

Remember: Legitimate organizations rarely ask for passwords or full account details over email/phone.

Secure Communication Verification

For sensitive communications:

  1. Verify identity through separate channel
  2. Use pre-established code words
  3. Verify Signal safety numbers (Week 7)
  4. Meet in person for highly sensitive matters

Part 5: Metadata Awareness

Metadata Is Data

Metadata = data about data:

  • Photo EXIF data (camera model, GPS location, timestamp)
  • Document properties (author, organization, edit history)
  • Email headers (IP addresses, routing information)
  • File timestamps (creation, modification, access times)

Even without content, metadata reveals:

  • Where you were
  • When you were there
  • What device you used
  • Who you communicated with

Photo Metadata

Check EXIF data:

# Install exiftool
sudo apt install libimage-exiftool-perl

# View all metadata
exiftool photo.jpg

Strip metadata before sharing:

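# Remove all metadata
# (exiftool keeps the untouched original as photo.jpg_original; delete it and never share it)
exiftool -all= photo.jpg

# Or use MAT2 (Metadata Anonymisation Toolkit)
# (mat2 writes the cleaned copy to photo.cleaned.jpg and leaves photo.jpg unchanged)
sudo apt install mat2
mat2 photo.jpg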

Document Metadata

PDF and Office documents contain:

  • Author name
  • Organization
  • Software used
  • Edit history
  • Comments (even “deleted” ones)

Clean documents:

# For PDFs (mat2 writes document.cleaned.pdf and leaves document.pdf unchanged)
mat2 document.pdf

# For LibreOffice documents
# File → Properties → Reset Properties
# Then export as PDF

Screenshot Safety

When taking screenshots:

  • Avoid capturing browser tabs (reveals browsing)
  • Crop out username/email displays
  • Check for sensitive info in background windows
  • Strip metadata before sharing

Part 6: Threat Modeling Review

Revisit Your Threat Model

From Week 1, you identified:

  • What you’re protecting
  • Who you’re protecting it from
  • Consequences of failure

Has anything changed?

  • New job or role?
  • New location?
  • New relationships?
  • New online activities?
  • Changed political/social situation?

Update your threat model annually or after major life changes.

Matching Security to Threats

Don’t overdo it:

  • Average person doesn’t need Tails OS
  • Not everyone needs hardware security keys everywhere
  • Maximum security has usability costs

Don’t underdo it:

  • If your threat model includes state actors, VPN alone isn’t enough
  • High-value targets need more than default security
  • Activists, journalists, and public figures face elevated threats

Accepting Residual Risk

Perfect security doesn’t exist.

After implementing reasonable precautions:

  • Accept some risk remains
  • Don’t let paranoia prevent living
  • Focus on most likely threats
  • Periodically reassess

Part 7: Ongoing Practices

Daily Habits

  • Lock devices when stepping away
  • Verify sender before clicking email links
  • Use password manager for all logins
  • Check for VPN connection before sensitive browsing
  • Verify safety numbers for new Signal contacts

Security News Awareness

Stay informed about:

  • New vulnerabilities in software you use
  • Data breaches at services you use
  • New attack techniques
  • Privacy law changes

Teaching Others

Privacy is more effective when others practice it too:

  • Help friends/family with basic security
  • Don’t be preachy (leads to resistance)
  • Start with easy wins (password managers)
  • Respect others’ threat models

When Things Go Wrong

Signs of compromise:

  • Unexpected password reset emails
  • Unfamiliar logins to accounts
  • Friends receiving strange messages “from you”
  • Antivirus alerts
  • Unexplained account lockouts

Response:

  1. Don’t panic
  2. Assess what might be compromised
  3. Change passwords (starting with email)
  4. Check and revoke suspicious sessions
  5. Enable 2FA if not already
  6. Monitor for further suspicious activity
  7. Report to affected services
  8. Consider identity monitoring if serious

Part 8: The Privacy Mindset

Privacy Is a Right

You don’t need a reason to want privacy. You have a right to:

  • Private thoughts and communications
  • Control over your personal information
  • Freedom from surveillance
  • Autonomy over your digital life

“I have nothing to hide” is a trap. Privacy isn’t about hiding wrongdoing—it’s about maintaining personal autonomy and preventing abuse of power.

Privacy Is Incremental

You don’t need to be perfect:

  • Some privacy is better than none
  • Every step matters
  • Perfect is the enemy of good
  • Start where you are

Progress over perfection.

Privacy Is Social

Your privacy affects others:

  • Photos you post may reveal others’ locations
  • Contact lists expose your social graph
  • Insecure communications compromise both parties
  • Group chat members see each other’s numbers

Consider others when making privacy choices.

Privacy Is Political

Individual privacy practices matter, but systemic change requires:

  • Supporting privacy-respecting companies
  • Advocating for privacy legislation
  • Opposing mass surveillance
  • Educating others
  • Using tools that demonstrate demand for privacy

Every encrypted message is a vote for a more private world.


What’s Next?

You now have the operational security mindset. But having tools and habits isn’t enough—you need to make them work together seamlessly.

Week 12 brings everything together into your complete privacy workflow.

Continue Learning After Week 12

Cypherpunk School 101 (our advanced course) covers:

  • Deep cryptography (GnuPG, key management)
  • Advanced anonymity (Tails, Whonix)
  • Secure systems administration
  • Applied cryptographic protocols
  • Self-sovereign identity
  • And more…


Summary

This week you:

  • Adopted the operational security mindset
  • Learned to compartmentalize identities
  • Established ongoing security maintenance habits
  • Understood physical security considerations
  • Learned to recognize social engineering
  • Became aware of metadata dangers
  • Reviewed and updated your threat model
  • Embraced the privacy mindset

You now have the operational security mindset and habits that make all your privacy tools actually effective. The final week brings everything together into a complete workflow.

