Practice Good OPSEC [Part 2]

Practice Good OPSEC [Part 2] covers:

– SOFTWARE RECOMMENDATIONS
– DANGERS ABOUT SOFTWARE DEVS INSIDE 5, 9 AND 14 EYE COUNTRIES
– ABOUT ANY VPN SETTINGS
– FULL DISK ENCRYPTION IS NOT ENOUGH

SOFTWARE RECOMMENDATIONS

Lingo:
Host OS = The OS you install and run bare-metal on your device
Guest OS = The OS you run inside the host OS, usually referred to as the VM (Virtual Machine)
FOSS = Free and Open-Source Software
DE = Desktop Environment

HOW TO USE YOUR HOST OS?

Some people prefer to keep their host OS clean and do everything inside VMs

So they run multiple VMs, like one for storage, one for the Tor Browser, one for sensitive apps, one for the passwords with networking disabled

But some people’s PC isn’t powerful enough to run VMs, so they struggle and end up relying on their host OS

At the end of the day, it’s your choice

WHAT TO USE AS YOUR HOST OS?

The safest consensus is Linux.

If you are new to Linux in general, you will find yourself distro hopping often, which is completely fine

The requirements a distro should meet are:
– The distro should use Wayland rather than X11 by default. X11 has no isolation between clients: any app connected to the X server can read other windows’ contents and capture keystrokes, so one compromised app can keylog everything else (read up on it)
– No forced telemetry. There is no such thing as anonymized telemetry

As of March 2026, the desktop environments that:
– are most often seen with distros
– are using Wayland as the main compositor
– are stable
– are the easiest to use

Are KDE Plasma and Gnome

KDE looks like Windows, Gnome looks like MacOS

There are also window managers/compositors that run on Wayland, like Sway (the Wayland counterpart of i3, which itself is X11-only), Hyprland, Niri and others, but I don’t recommend them for beginners

If you are a beginner, you shouldn’t overcomplicate Linux.

If you overcomplicate Linux, you will want to quit after 2 days of using it, so keep it simple. To have a smooth experience, stick with what feels most familiar from the OS you’ve used the most: choose KDE or Gnome.

Distros are slowly replacing X11 with Wayland entirely, so by the time you read this there may be more distros whose desktop environments (Cinnamon etc.) ship Wayland by default

Good distros:
– Debian-based ones
– Fedora based ones
– Parrot OS Home Edition (Debian-based)
– Kicksecure (Debian-based, Experimental LXQT Wayland)
– Whonix (Kicksecure-based, useful mostly in a VM)
– Secureblue (Fedora-based, Gnome/KDE/Sway, but it has a learning curve, not for amateurs)
– Qubes OS (the most secure, but has a giant learning curve, not recommended as first distro)
– Other ones which are actively updated, and mainly use Wayland instead of X11.

Which Linux distros not to use?
– Distros that still default to X11 (Linux Mint is great, but it still uses X11; it will move to Wayland in the future)
– Don’t use plain Ubuntu, due to past controversies
– If you’re a beginner, don’t start with Arch Linux
– Don’t use Tails, use Whonix instead (reason below)

This might come across as controversial, but I don’t recommend Tails because of its strict Tor-only design and amnesic setup, which will get annoying later down the line

Also, Whonix is a lot more secure than Tails thanks to its dual-VM architecture: the Gateway VM is the only thing that talks to Tor, and the Workstation VM where your apps run never even knows your real IP, so a compromised app can’t leak it

And if you really need a live mode with no persistence, Whonix provides that too

Tails is good for high-threat people like journalists who are always traveling and need portability,
but for everyday users at home who store files and use apps that need persistent state,
even with persistent storage enabled you will miss some hidden file or folder and you’ll be mad, it’s just a mess,
for home users Tails is just not a convenient design

If you want something just as secure and isolated, use Whonix in a VM

At the end of the day, it’s your choice

PHONE HOST OS

– GrapheneOS (Phone)
Fully de-googled by default; you can install sandboxed Google Play services if you need instant push notifications.
Learn to compartmentalize identities by creating separate user profiles on it, and run a VPN in the
sensitive profile(s) from the moment you create the profile. You will see this example done with VMs
in the OPSEC bible, but the same concept applies on Graphene

– LineageOS (Phone)
I only recommend it because you can natively share your VPN/proxy connection over hotspot/tethering via settings, which is a good alternative if you don’t have a VPN router. Don’t use it as a main phone though.

RECOMMENDED SOFTWARE

A GUI to manage app permissions for Flatpak-installed apps:
– Flatseal (install from flathub.org)
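Flatseal shows you the permissions, but not which ones matter. Here is a small script (an added example, not part of the original post and not Flatseal’s or Flatpak’s own tooling) that audits the permission dump for one app: the INI text that flatpak info --show-permissions APP prints, which is also the format Flatseal writes to ~/.local/share/flatpak/overrides/APP. It flags the X11 socket (the same cross-app spying problem from the Wayland point above; fallback-x11 is fine, it is only used when there is no Wayland display), host/home filesystem access, devices=all, and permission to talk to org.freedesktop.Flatpak on the session bus, which lets a sandboxed app run commands outside the sandbox. The sample dump at the bottom is constructed for the demo, not a real app’s metadata.

```shell
#!/bin/sh
# Audit a Flatpak permission dump for sandbox holes.
# Input: the INI text from `flatpak info --show-permissions APP`, or the user
# override file that Flatseal writes (~/.local/share/flatpak/overrides/APP).
# Added example; the sample at the bottom is constructed, not a real app's metadata.

# flatpak_ctx FILE KEY -> value of KEY in the [Context] section (';'-separated list)
flatpak_ctx() {
    awk -F= -v key="$2" '
        /^\[/ { section = $0; next }
        section == "[Context]" && $1 == key { print $2 }
    ' "$1"
}

# flatpak_bus_talk FILE -> D-Bus names the app is allowed to "talk" to
flatpak_bus_talk() {
    awk -F= '
        /^\[/ { section = $0; next }
        section == "[Session Bus Policy]" && $2 == "talk" { print $1 }
    ' "$1"
}

# audit_flatpak FILE -> prints one finding per line; returns 1 if anything was found
audit_flatpak() {
    f=$1
    findings=0

    # X11 socket: any X11 client can read other windows and sniff keystrokes, so
    # this hole undoes the point of a Wayland desktop. fallback-x11 is not
    # flagged: it is only used when there is no Wayland display at all.
    case ";$(flatpak_ctx "$f" sockets);" in
        *";x11;"*)
            echo "sockets=x11: app can spy on every other X11 client"
            findings=$((findings + 1)) ;;
    esac

    # Whole-host or whole-home filesystem access makes the sandbox cosmetic
    for fs in $(flatpak_ctx "$f" filesystems | tr ';' ' '); do
        case $fs in
            host|host:*|host-os|host-etc|home|home:*)
                echo "filesystems=$fs: host files reachable from the sandbox"
                findings=$((findings + 1)) ;;
        esac
    done

    case ";$(flatpak_ctx "$f" devices);" in
        *";all;"*)
            echo "devices=all: every /dev node exposed"
            findings=$((findings + 1)) ;;
    esac

    # Talking to the Flatpak service (or the user systemd manager) lets the app
    # spawn commands on the host: a full sandbox escape by design
    for name in $(flatpak_bus_talk "$f"); do
        case $name in
            org.freedesktop.Flatpak|org.freedesktop.systemd1)
                echo "Session Bus talk=$name: sandbox escape (can run commands on the host)"
                findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# --- demo on a constructed permission dump ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
EOF

if ! audit_flatpak "$sample"; then
    echo "fix in Flatseal, or: flatpak override --user --nosocket=x11 --nofilesystem=home APP"
fi
rm -f "$sample"
```

Run it against a real app with flatpak info --show-permissions APP > perms.txt and then audit_flatpak perms.txt; every finding maps to a toggle in Flatseal or a flatpak override flag. An app that needs x11 to work at all (no Wayland support) is a reason to pick a different app, not to open the hole.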

Firewalls:
– OpenSnitch (PC)
– Portmaster (PC)
– Netguard (Mobile) (you can’t use it if you already have another actively running VPN client)

Firewalls are for monitoring, allowing and denying every network request coming from your OS, apps and background services, just in case

If you have the money, learn to set up a Pi-hole as well. Keep in mind that a Pi-hole is a network-wide DNS sinkhole, not a firewall: it blocks domains for every device on your network, but it can’t see which process made a request and does nothing against an app that talks to a hardcoded IP or brings its own DNS-over-HTTPS, so keep a per-app firewall like the ones above on your devices too

If you don’t have a Pi-hole, the software firewalls above are still worth running

Virtual Machines:
– Virtual Machine Manager (virt-manager) / KVM-QEMU / libvirtd for Linux
– VirtualBox

Offline/Local Encrypted Password/Info Vaults:
– KeePassXC (fully local database file)
– Bitwarden (syncs to Bitwarden’s servers unless you self-host it, e.g. with Vaultwarden)

Browsers with real anti-fingerprinting / spoofing capabilities:

These are the browsers you will use for regular anonymous use that doesn’t involve your personal life.

They are not for fraud operations.

The only setting I advise you to change, to avoid getting your IP leaked through JavaScript, is WebRTC

Here’s some browser recommendations

– Tor (PC)
Change these settings (if you plan to use it with JavaScript enabled):
– Disable WebRTC (media.peerconnection.enabled)

– Mullvad Browser (PC)
Change these settings:
– Disable WebRTC (media.peerconnection.enabled)
– Security level (the shield icon at the top right): set it to the middle level (Safer) if you plan to use it without JS enabled (more on that in Practice Good OPSEC Part 3)

If you’re curious to learn what Mullvad browser does differently than other browsers exactly, you can read their article here:
https://mullvad.net/en/browser/hard-facts

– I would think twice before using Librewolf (PC)
It’s alright, but:
– Letterboxing isn’t turned on by default
– NoScript isn’t installed by default (very important)
– Limiting cross-origin referers isn’t on by default
– WebRTC is turned on by default (just like in Mullvad Browser)

Installing NoScript manually or adjusting those settings to the correct values just makes you stick out more to fingerprint analyzers, since most people who regularly use Librewolf won’t adjust any settings.
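If you want to verify those settings instead of trusting defaults, here is an added example (my own, not tooling from Librewolf, Mullvad or the Tor Project) that reads a Firefox-family prefs.js or user.js and checks the prefs behind the points above: media.peerconnection.enabled (WebRTC), privacy.resistFingerprinting and its letterboxing sub-pref, network.http.referer.XOriginPolicy (2 = only send the Referer to the same host), plus the JIT prefs javascript.options.ion and javascript.options.baselinejit that the IronFox advice below also turns off. One caveat: Firefox only writes prefs that differ from the browser’s built-in defaults to prefs.js, so on Mullvad Browser or Tor Browser a “not set here” line usually means the hardened value is already the default; confirm in about:config rather than flipping it and sticking out. The prefs.js excerpt at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Check the anti-fingerprinting / anti-leak prefs in a Firefox-family profile.
# Reads prefs.js (what the browser writes) or user.js (what you write) and
# reports each pref as ok / FAIL / WARN. Added example; the excerpt at the
# bottom is constructed, not taken from a real profile.

# pref_value FILE PREF -> the value as written in FILE (last assignment wins,
# which is also how Firefox applies the file); empty if the pref is absent
pref_value() {
    sed -n "s/^user_pref(\"$2\", *\(.*\));\$/\1/p" "$1" | tail -n 1
}

# want_pref FILE PREF WANT WHY -> one result line; returns 1 only on FAIL
want_pref() {
    v=$(pref_value "$1" "$2")
    if [ -z "$v" ]; then
        # Absent means "browser default". Mullvad/Tor Browser ship many of these
        # hardened as defaults, so absence is a warning, not a failure.
        echo "WARN $2 not set here (browser default applies, confirm in about:config): $4"
    elif [ "$v" = "$3" ]; then
        echo "ok   $2 = $v"
    else
        echo "FAIL $2 = $v (want $3): $4"
        return 1
    fi
}

# check_profile FILE -> runs every check; returns 1 if any FAIL
check_profile() {
    f=$1
    failed=0
    want_pref "$f" media.peerconnection.enabled false \
        "WebRTC ICE candidates can hand the site your real IP" || failed=1
    want_pref "$f" privacy.resistFingerprinting true \
        "RFP normalises timezone, screen size, fonts and more" || failed=1
    want_pref "$f" privacy.resistFingerprinting.letterboxing true \
        "letterboxing hides your exact window size" || failed=1
    want_pref "$f" network.http.referer.XOriginPolicy 2 \
        "2 = only send the Referer to the same host" || failed=1
    want_pref "$f" javascript.options.ion false \
        "JIT off shrinks the JS engine's exploitable surface" || failed=1
    want_pref "$f" javascript.options.baselinejit false \
        "JIT off shrinks the JS engine's exploitable surface" || failed=1
    return "$failed"
}

# --- demo on a constructed prefs.js excerpt ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
// constructed excerpt for the demo, not a real profile
user_pref("media.peerconnection.enabled", true);
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.resistFingerprinting.letterboxing", false);
user_pref("network.http.referer.XOriginPolicy", 0);
EOF
check_profile "$sample" || echo "-> fix the FAIL lines in about:config (or user.js) and re-run"
rm -f "$sample"
```

Point it at your profile’s prefs.js while the browser is closed (Firefox rewrites the file on exit, so a running browser shows stale values), or at the user.js you ship into a fresh profile.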

——

There aren’t any capable anti-fingerprinting browsers for mobile yet, so I don’t recommend using mobile browsers.

It’s also uncomfortable to browse on a little screen, so you might as well stick to a PC

But if you REALLY REALLY have to use a mobile browser, here is a recommendation:

– IronFox (Mobile)
Change these settings:
– Disable the JavaScript JIT if you accidentally enabled it at the start
– Disable cross-origin referers
– Spoof the timezone to UTC+0
– Disable all overrides that relax fingerprinting protection
– Disable WebRTC

– Don’t use Vanadium yet (Mobile)
Yes, it’s secure, but it’s not great at preventing fingerprinting yet; the Graphene devs have said they’ll focus more on that aspect in the future

– Don’t use Brave (PC/Mobile)
Only use it for personal-life stuff. It has a great integrated adblocker, but it’s bloated and it lies about being anti-fingerprint: WebRTC is on by default, it doesn’t spoof anything, your WebGPU is visible, the WebGL hash is not spoofed, just terrible

To those who say that changing internal settings will make you stick out a bit more as a fingerprint:

While that is true, there is no better option for mobile YET.

On mobile, it’s better to stick out a bit more with your fingerprint but still remain anonymous with a reduced attack surface, than to not stick out and risk getting your IP deanonymized by some malicious JS exploit or other vulnerability.

——

You can check what type of information your browser is leaking via javascript through ⚠️fingerprint checkers⚠️

——

Storage/File/Disk Encryption:
– VeraCrypt (PC) (useful for plausible deniability when combined with hidden volumes)
– LUKS (full disk encryption option when installing just about any Linux; always enable it so your data is safe at rest)
– DroidFS (Mobile)
– ZipXtract (Mobile)
– S.S.E., Secret Space Encryptor (PC/Mobile)
– Kleopatra (PC) (more for PGP messages, but can also encrypt files with PGP)
– OpenKeychain (Mobile) (more for PGP messages, but can also encrypt files with PGP)

PGP software for PGP encrypted messages, communications and etc:
– Kleopatra (PC)
– OpenKeychain (Mobile)

2FA Codes apps:
– Aegis (Phone)
– I wouldn’t use that “2FA” app in Accrescent yet; it’s still beta and has bugs, people on GitHub report that their keys just randomly disappeared one day

NON-CUSTODIAL WALLETS RECOMMENDATIONS:

I myself like multi-coin non-custodial & open-source wallets such as
– Cake Wallet (Mobile)
– Stack Wallet (Mobile)
– Unstoppable Wallet (Mobile)

Some Monero-only wallets include:
– Monero GUI (PC only)
– Featherwallet (PC only)

Lots of people use Exodus or Trust Wallet. I don’t recommend them because:
– both are closed-source
– Trust Wallet never added Monero support
– Exodus removed Monero support in August 2025

So it’s safe to say Exodus bent over to regulators and is anti-privacy, as you would expect from something closed-source that claims to be “non-custodial”…

Instant messengers:
– Session (getsession.org)
– SimpleX (simplex.chat)
– Signal (signal.org) (sign up with temp number obtained anonymously with clean coins and a VPN)
– Element (element.io) (a bit of a learning curve)

Real no-log VPNs:
– Mullvad VPN (mullvad.net)
– IVPN (ivpn.net)
– NYM VPN (nym.com)
– Xeovo VPN (xeovo.com)
– Obscura VPN (obscura.net)

E-mails:
– Cock.li (cock.li)
– Tuta Email (tuta.com)

App Stores:
– Droid-ify (a better-looking F-Droid client, full of all types of FOSS apps from repos like F-Droid and IzzyOnDroid)
– Accrescent (small but private FOSS app store, endorsed by GrapheneOS, can be installed through Graphene’s app store)
– Aurora Store (lets you get Google Play apps without a Google account)

———————————-

DANGERS ABOUT SOFTWARE DEVS INSIDE 5, 9 AND 14 EYE COUNTRIES

First, learn about what the 5, 9 and 14 eye countries are:
https://tuta.com/blog/fourteen-eyes-countries

Dangers of gag orders for software developers in the USA
Watch at minute 31:57
https://youtu.be/bxFQvOyTolg?t=1917

CIA attempts to backdoor Telegram
Watch at minute 17:57
https://youtu.be/1Ut6RouSs0w?t=1077

Session moves out of Australia to Switzerland:
https://theguardian.com/australia-news/2024/nov/05/session-encrypted-messaging-app-developer-moves-out-of-australia-police-visit-switzerland

This is why you should be wary of apps that are actively developed inside of the 5, 9 and 14 eyes

Yes, unfortunately that includes Signal, since it’s actively developed in the USA

I don’t give a shit that it’s NIST approved, or if it’s been funded by the CIA, or if Edward Snowden says he uses it

Use with caution

———————————-

ABOUT ANY VPN SETTINGS

– Always enable the kill switch + the extra/lockdown kill switch (if that option exists)
– Always enable multihop
– Always enable a traffic-noise option, like DAITA
– Always connect to a different server (and thus a different IP) every day
– Always enable any extra anonymity features such as quantum resistance etc.

—–WHY KILLSWITCH?—–
Sometimes it just so happens that your system/router randomly drops the VPN connection

When that happens, if there’s no kill switch,
the system doesn’t care and immediately starts using your real internet connection,
which could lead to OPSEC trouble later down the line if the website or app you were on
was secretly logging IPs and you were doing illegal shit on there

A kill switch prevents this by blocking all traffic over your real connection the moment the tunnel is gone,
and lets traffic flow again once you’re connected to a VPN server
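What a kill switch actually is on Linux is a firewall rule, so here is an added example (mine, not from any VPN provider’s app) that generates an nftables ruleset for a WireGuard tunnel: everything leaving the machine is dropped unless it is loopback, goes into the tunnel interface, is the encrypted handshake/transport to the VPN server’s own IP and port, or a DHCP renewal, with an optional LAN exception. The interface name wg0, the server 203.0.113.10:51820 and the LAN 192.168.1.0/24 are placeholders. Because the policy is drop in an inet table, IPv6 is dropped as well, which also kills the classic IPv6 leak where the tunnel only carries IPv4.

```shell
#!/bin/sh
# Generate an nftables "kill switch" ruleset for a WireGuard tunnel.
# Added example with placeholder values; nothing here talks to the network.

# gen_killswitch VPN_IFACE SERVER_IP SERVER_PORT [LAN_CIDR] -> ruleset on stdout
gen_killswitch() {
    iface=$1
    server=$2
    port=$3
    lan=${4:-}

    # "table ... / delete table ..." up front makes the script idempotent:
    # re-running it replaces the old rules instead of appending duplicates.
    cat <<EOF
table inet killswitch
delete table inet killswitch
table inet killswitch {
    chain output {
        # inet = IPv4 and IPv6, so v6 is dropped too (no v6 leak while v4 is tunnelled)
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$iface" accept
        # the only things allowed out over the real connection: the encrypted
        # WireGuard traffic to the VPN server itself, and DHCP lease renewals
        ip daddr $server udp dport $port accept
        udp dport 67 accept
EOF
    if [ -n "$lan" ]; then
        # optional: keep printers/NAS on the LAN reachable without the tunnel
        echo "        ip daddr $lan accept"
    fi
    cat <<EOF
    }
}
EOF
}

# Print a ruleset for wg0 -> 203.0.113.10:51820 with a LAN exception.
# Save it as killswitch.nft and load it with: sudo nft -f killswitch.nft
gen_killswitch wg0 203.0.113.10 51820 192.168.1.0/24
```

Load it with sudo nft -f killswitch.nft, then test it the way the text describes: bring the tunnel down (wg-quick down wg0) and confirm that curl to any site times out instead of going out over your real connection; sudo nft delete table inet killswitch removes it. Use the server’s IP address, not a hostname, because DNS can’t resolve while the tunnel is down. This is what the kill switch toggle in the Mullvad/IVPN apps does for you; you only need your own rules when running a bare WireGuard config.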

—–WHY MULTIHOP?—–
Most VPN providers have server IPs that are SHARED,
which means that if the VPN is popular, hundreds or thousands of people
could be using that one server at the same time

Which is good for anonymity, since everyone using that VPN server
appears as the same IP to websites, making it harder to individually trace you

But your ISP sees and stores which VPN server IP you’re connected to

And if it so happens that, for example, there is a database leak of an illegal forum
you were active on, that forum was secretly logging IPs,
and your VPN IP is in there

There is a slight chance you could be associated
with your profile on there, which deanonymizes you

Of course, there is a very slight chance of this happening,
since law enforcement would need to spend WAY too much time and resources
subpoenaing every single ISP to reveal who was connected to that same server IP
around the world

But why take that little chance? Just enable multihop: your ISP then only sees the entry server, and the site only sees the exit server, so no single party holds both ends of the connection.

There is a reason Tor uses 3 hops before you reach the site.

—–WHY TRAFFIC NOISE / DAITA?—–
To make it significantly harder for ISPs (or anyone else on the path) to fingerprint your traffic by packet sizes and timing, which is what traffic analysis and deep packet inspection rely on

—–WHY CONNECT TO DIFFERENT SERVER EVERY DAY?—–
This just prevents long-term IP profiling/correlation as you use the internet

That’s called cross-tracking

Connecting to a different server often makes it harder for whoever is onto you to cross-track you
and build a profile on you.

If you stay on the same IP for weeks or even months,
it’s easier for whoever is targeting you to link your activities by IP:
profiles, logins, searches, purchases, content consumed under that one IP

—–WHY THE EXTRA PRIVACY OPTIONS?—–
To anonymize and secure yourself even further and reduce your attack surface

———————————-

FULL DISK ENCRYPTION IS NOT ENOUGH

I came to this realization as I was reading nihilist1’s opsec bible, because he indirectly hinted at this while teaching people how to compartmentalize their drives with Veracrypt.

Think about this for a second:
What about all the unlawful shit corrupt cops do behind closed doors with no witnesses?

Imagine what they could do if they ever busted into your place.

You are a digital ninja, so the first thing they’ll do is grab your RAM for a cold boot attack (to pull the encryption keys out of it), and they will also grab all of your drives

“My storages are encrypted with full-disk encryption, they can’t crack it”
“I can’t give you my decryption key, that’s not the law”
“It’s not the law so they can’t do shit”

Very cool information, but guess what motherfucker, corruption exists

Yeah, that encryption is strong and cops can’t crack it, but they can easily get into it if they start fucking smashing your face and ribs with violence

So when they start beating the life out of you while demanding that key or pincode

You will be begging for your life screaming out of pain, and in the end, you will give your key up to end your suffering

Not everyone is Rambo

And if all your sensitive information is only behind that password

You’re fucked

So you need to compartmentalize.

You should have a simple FDE password on the outer layer which you can give to the feds so they can unlock your OS

So when they unlock your first line of defense, they see nothing but useless information

For them to get to the real juicy information, they need to find your VeraCrypt container, which lives on a drive that isn’t mounted

And if they do end up finding it, you just give them the password for the non-hidden (outer) part of your VeraCrypt container, since VeraCrypt supports a hidden volume inside one container. In that outer part they will only find some useless files you stored there. (Keep in mind: whenever you mount the outer volume to add decoy files, mount it with hidden-volume protection, otherwise writing to the outer volume can overwrite and destroy the hidden one.)
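The same setup from the command line, as an added example (mine, not from nihilist1’s bible or VeraCrypt’s docs) using VeraCrypt’s text-mode CLI. It creates the outer (decoy) volume, then the hidden volume in the outer volume’s free space, and shows the one thing people get wrong: the decoy must be mounted with --protect-hidden=yes whenever you write to it. Paths and sizes (/media/usb/backup.hc, 8G, 2G) are placeholders, size suffixes are assumed to be accepted by your VeraCrypt version (use bytes if not), and passwords are deliberately not passed on the command line; VeraCrypt prompts for them, and for the filesystem, and with protection enabled it asks for both passwords. Setting VC=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Outer (decoy) + hidden VeraCrypt volume from the command line.
# Added example using VeraCrypt's text-mode CLI; paths and sizes are placeholders.
# Passwords are never passed as arguments: VeraCrypt prompts for them, so they
# stay out of `ps` output and shell history.

VC=${VC:-veracrypt}   # VC=echo prints the commands instead of running them

# vc_create_outer CONTAINER SIZE -> the decoy volume, the one whose password you can give up
vc_create_outer() {
    "$VC" --text --create "$1" --volume-type=normal --size="$2" \
        --encryption=AES --hash=SHA-512 --random-source=/dev/urandom
}

# vc_create_hidden CONTAINER SIZE -> the hidden volume, stored in the outer volume's free space
vc_create_hidden() {
    "$VC" --text --create "$1" --volume-type=hidden --size="$2" \
        --encryption=AES --hash=SHA-512 --random-source=/dev/urandom
}

# vc_mount_decoy CONTAINER MOUNTPOINT -> mount the outer volume to add or refresh decoy files.
# --protect-hidden=yes makes VeraCrypt ask for the hidden password as well and
# refuse any write that would land on the hidden volume. Without it, copying a
# few decoy files into the outer volume can silently destroy the hidden one.
vc_mount_decoy() {
    mkdir -p "$2"
    "$VC" --text --protect-hidden=yes "$1" "$2"
}

# vc_mount_hidden CONTAINER MOUNTPOINT -> same command as a normal mount; typing the
# hidden password at the prompt opens the hidden volume, the outer password opens the decoy.
vc_mount_hidden() {
    mkdir -p "$2"
    "$VC" --text "$1" "$2"
}

# vc_dismount CONTAINER
vc_dismount() {
    "$VC" --text -d "$1"
}

# Walk-through (only runs when invoked as: sh this.sh demo)
if [ "${1:-}" = "demo" ]; then
    c=/media/usb/backup.hc             # placeholder: a container on the drive you keep unmounted
    vc_create_outer  "$c" 8G           # 1. decoy volume, fill it with boring but plausible files
    vc_create_hidden "$c" 2G           # 2. hidden volume inside the outer volume's free space
    vc_mount_decoy   "$c" /mnt/decoy   # 3. later edits to the decoy: always with protection
    vc_dismount      "$c"
    vc_mount_hidden  "$c" /mnt/real    # 4. real data: give the hidden password at the prompt
fi
```

Because the hidden volume lives in what looks like random free space of the outer volume, VeraCrypt cannot know it is there unless you tell it (the hidden password at the protection prompt); that is exactly why an unprotected mount of the decoy is dangerous, and also why you should do your decoy edits rarely and deliberately.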

There are also some hardcore ways you can hide your sensitive files

For example, you can split that VeraCrypt container into multiple variable-size “dummy”-looking files (with some advanced file splitter/combiner tools)

Then you can hide those dummy files inside fully functional, viewable pictures, documents or videos using FOSS steganography tools

But of course, this is overkill and causes inconvenience. The hidden VeraCrypt volume should be enough.

Though I really wish something simpler existed, such as full-disk encryption with two OSes, where one FDE password boots one OS and another password boots the other. VeraCrypt’s hidden operating system does exactly that, but only on Windows; on Linux it’s possible but requires a lot of GRUB work etc. (and no, extra LUKS key slots don’t help, since every slot unlocks the same volume).
