Crossposted using Lemmit.
Original post from /r/opsec by /u/FutureEchidna43 on 2023-06-10 14:05:20+00:00.
This is a throwaway account;I have read the rules. I have reason to suspect I could be targeted in the future by a well-funded organization.
Information to protect: I want to protect my own identity, as well as what actions I or peers plan to take. Ideally, I could remain fully anonymous, but certain areas require transparency, and I expect I’ll have to go public sometime in the future. So I want to allow for that possibility while still remaining safe.
Adversaries: The main threat is this organization, followed by its group of supporters. I don’t know how well-connected they are, but I know within my circles they are a strong force, and they keep tabs on opposing activity, so over time they might notice a pattern.
My activities aren’t illegal, so governments aren’t within my threat model. And I doubt the group could access the data hoarded by corporations, so for the most part those aren’t either.
Vulnerabilities: The main threat is the need to balance transparency with safety. There is an organization I’ll be working with, but it’s a non-profit and all their members are publically listed. If I want to work with them, I will likely need to do the same. Additionally, I will be working with lawmakers, and being secretive there would be a detriment to my work. I’ll do my best to make those fears known, but I think full anonymity isn’t on the table.
To a lesser extent, there is a risk of data breaches revealing my identity, but I think I’ve been careful enough to protect against that.
Risk: As far as I know, this group has never directly targeted opponents. However, that’s mostly because they haven’t had any major opponents. Their full capabilities are unknown, but their supporters are heavily invested, and certain of them might target me if my actions become known.
Countermeasures: I’ve taken care to partition off my work from the rest of my life. I use Qubes as a daily driver, and have a specific VM dedicated to it. I use a separate phone and email address for communication, and I only sign into those either on the VM or on a separate device.
Are there any blind spots I’m missing? Is this overkill?