#OPSEC vs "realistic" user experience

45 messages · Page 1 of 1 (latest)

spice patrol
#

It depends on who you're researching, and who's interested in you.

#

I would recommend just thinking about it. Who would be unhappy with what you publish?

prime parrot
#

I would also say opsec is not a thing you can follow. Opsec is a thing you think about: operational security as a whole (which is different from personal security, etc.).
Military and government people got told that not posting about what they were doing was part of opsec, and it was. They were keeping their operations secure by not leaking where they were and what they were doing. But that doesn't mean that not posting about where you live or keeping work and personal profiles separate is "opsec".
Security, at its broadest, is the process of doing things you want to despite other things trying to stop you. Mostly we talk about people/organisations/social forces/etc. trying to stop you, but the classic example is food security, where things like the weather may threaten your food supply.
With that basis, approach thinking about your security logically and carefully, not as a set of dogma to follow. Ask:

  • What am I trying to do?
  • What do I need to do the thing? (and its inverse, what will stop me doing the thing?) How much will it matter?
  • Who is trying to stop me doing the thing?
  • How can they deprive me of the things I need to do the thing? What would it cost them to do that?
#

The first question requires thinking critically about what you actually want to do, and defining it quite carefully. You probably want to add in a lot of caveats like "while remaining free from harassment/libel suits/state persecution/ill mental health effects". Or maybe you don't; some people are willing to get arrested for certain causes, for example.
The next one also requires careful thinking. Maybe you need a platform to report from, and access to XYZ tools, but you also need things like food and a roof over your head. If your adversaries can get you fired, or your benefits attacked, you're in trouble. Think about these in terms of how much they matter to you: attacks on your livelihood are probably important, attacks on your health (mental and physical) also important. Attacks on your ego can be dealt with.
The third requires being calm. Most people immediately jump to "what if NSA Tailored Access Operations are after me". Probably TAO don't care. The NSA as a whole probably don't care. Your most dangerous adversaries may be unexpected: family members, a random opposing organiser, etc. Think carefully and calmly. Consider state agencies which aren't three letters. What about your local police department? Your tax people, if you take donations. Etc.

#

The fourth requires research. What actual tools do your adversaries have to deprive you of the things you need, and how much will it cost to use them?
For example, everyone worries about malware (and rightly), but most of us are not worth spending zero days on (bearing in mind they cost millions to buy, every time they're used increases the chance that they're spotted and patched, and commercial tools often cost in the tens or hundreds of thousands of dollars a use).

If you're a high-profile OSINT researcher/human rights activist working on Palestine, it's possible someone will pay NSO Group that cash to know what you're up to.
But for most of us, that's not a realistic threat. Worry about police raiding your home, finding the weed you have for personal use and banging you up on drugs charges, or getting swatted, or a smear campaign.

Mostly thinking about this stuff requires practice and familiarity with the space. If you're seriously worried about it, pay a good security consultant (I'm sure there are recommendations if you ask around) to walk through it with you, or spend time actually getting to know the space.
Consider mundane things that people don't focus on (mental health impact from harassment, getting swatted, a phone campaign to your work to get you fired) before you begin to worry about three-letter agencies trying to target you like you're OBL.

twilit cairn
prime parrot
edgy parcel
#

So, I do my fair runs with OPSEC, and something I've continuously noticed is that the public kind of just skips the entire process and jumps to "implement countermeasures".

#

If you want to do actual OPSEC, there is a cycle it follows. The *first part* of the cycle is you define "critical information". Critical information is separate from Essential Elements of Friendly Information (EEFI). To visualize that, a piece of critical information can be comprised of multiple pieces of EEFI. Critical information is what you want to protect.

#

After that you do a threat analysis. A threat is defined by capability + intent in this context (towards the identified Critical Information). The threat analysis past that is pretty on par for what it is.

You then assess vulnerabilities to that information, based off your threat analysis (i.e. Bob based out of his basement trying to get your banking info presents an entirely different threat field than organized actors like the example given above with NSO Group, etc.).

#

You then take that assessment of the vulnerabilities and assess the risk from specific actors and other adverse events towards those vulnerabilities.

That informs you what measures and countermeasures to apply.

#

Generally, measures and countermeasures in the public context here are going to be split into two effect categorizations: Deny and Deceive. People generally just think of "deny". Deny may work for Bob in his basement above, but for things like NSO Group or actual state actors, no, there's ways around all of that. Frequently mentioned measures are generally going to be inefficient if used for Deny effect with organized actors.

The reality for most of what is talked about is that deny is near useless; you're largely putting yourself in a circle of response-based measure implementation.

#

I would also note if you're not following the actual OPSEC cycle, you're not conducting OPSEC. You're conducting rudimentary personal security informed partly by OPSEC practices.

#

Also, within the measures and countermeasures part there, it can split into a few different practices, and they all come with their specifics. Administrative Signature Management would be what you'd be applying towards actual project details such as staff, internal policies, etc. Digital Signature Management would encompass a lot of what people talk about in re digital signatures such as social media profiles, identity references, etc. Those all also come with their own little ways in how you do things.

lucid temple
#

else they can read some great searches about how to not overcook a chicken

prime parrot
#

I mean, they pull NSO-level stuff off mid-level human rights NGO employees' phones all the time. If you've got any contacts who'd be in danger for what they send you (I know, OSINT means no contacts, but also lots of people have people who send them tips etc.), then it should probably be at least something you think about.

lucid temple
#

Even though I do realise I'm kind of an edge case where theoretically it's thinkable as a possibility.

prime parrot
#

Checking for it is very, very hard. Normally people find out when stuff is patched and detected. Keeping your phone up to date (and ideally from a large manufacturer with a big security budget: Apple, Google, Samsung) and random apps off of it is a good place to start (especially no random APKs/third-party app stores).
Also proper 2FA on your core accounts (email etc.). The Google "Advanced Protection Program" is a good place to start (requires two U2F keys. Yubico are the gold standard, but anything is better than SMS etc. if you can't afford them).

#

Sorry, you asked about NSO and I gave you what is partially phishing (and antivirus) advice, but if someone is after you there's a good chance they'll try phishing first. If they're spending zero-click exploits on you, then you're not going to find them without a dedicated corporate/org security team.

#

Also keep your phone in sight and in your control. Much cheaper to install something if you let someone borrow it, especially unlocked.

#

Also, the more locked down the system is, the less you can install evil stuff accidentally. Chromebooks, properly locked down, don't let you mess about with arcane settings or install random apps, but they also don't let anyone else do that.

#

Your threat is probably more "lurker (or active member) in the OSINT friend group chat" though. If you've ever seen an antifascist infiltration happen, think about someone doing that to you. Consider posting less. Always good advice.

lucid temple
#

And yeah, makes sense.

#

That's already why I cared a little less. The only people who could even remotely bother really looking at my phone would be the Israelis, and I seriously doubted I'd ever even notice that lol.

#

Standard stuff like doxxing from online trolls I never cared much about, because even with just my first name you could already figure out who I am, and with my journalism credits/bylines including my last name you'd really immediately know.

#

so thanks!

#

Also, unrelated note: OPSEC generally from a military perspective is just a joke sometimes, to be honest. Yes, some countries are great at hiding information when it's relevant. But Jesus Christ, they really have no understanding of what they're actually doing sometimes. I had this research methodology which I set up for I/P a way back that would geolocate videos. But instead of finding a video and trying to find the coordinates, it would just give you the coordinates of random videos. I saw standard stuff like videos from soldiers with locations (everyone knows some soldiers suck at keeping things secret this way), but I also saw videos from official Russian, Ukrainian, Israeli (and other) governmental accounts. At one point a Hezbollah video showed up with the coordinates for one of their secret bunker launch sites (and God only knows how many Russian military positions on the frontline).

#

Whereas anyone with a brain could come up with the idea that someone would be able to do this and how, and prevent it in the future within 2 seconds per video.

#

Institutional struggles where intelligence just doesn't communicate enough with other branches, maybe, but wow. They really have no clue about dealing with unusual vulnerabilities.

edgy parcel
#

Most people also have a horrid understanding of what military/government "OPSEC" is; most things we call OPSEC breaches in this community aren't really OPSEC breaches.

#

They're "OPSEC breaches" if you have a not very robust understanding of that specific termed concept.

#

We tend to look at relatively linear examples also, which are ones where the frequency would inevitably bring more par statistic exposures than otherwise. Not really good to compare Billy jumping to Step 5 and ignoring the rest and going balls-to-the-wall paranoia-level OPSEC to protect against everything (which is a recognized "do not do that" in OPSEC; it's what the entirety of Step 1 is about), and a regiment-sized group of dudes trying to do SIGMAN to prevent critical information (NOT EEFI) about movements being released.

#

As an example, if you take the US at least, since all countries differ a bit in how they formulate concepts: troop movements generally aren't really a thing blanketed under OPSEC unless there is a specific intent to use that group in a manner where something such as Surprise is an intended effect and OPSEC would be required to enable that effect to happen. It's still not a good thing to go willy-nilly posting pictures, but in a lot of cases it isn't really an OPSEC violation. The reason why that is, is because, if you follow the rest of the steps to formulate your OPSEC plan, that could be irrelevant to the vulnerabilities of and the threats to the CI you want to protect.

lucid temple
#

But it shows a pretty horrible awareness of potential risks when you're a government agency posting videos of active artillery positions without removing metadata.

#

Just assuming the social media platform will automatically remove it lol.

edgy parcel
#

When a govt agency is doing that, there's a whole analytical process doing risk, threat, and vulnerability assessments.

#

What is drawn out there is very refined and catered to such.

#

I'd say horrible awareness could absolutely apply still, but in any given case you'd have to factor in some things they may be thinking of.