Sam Bent's avatar
Sam Bent
contact@sambent.com
npub1y7rv...d0r3
Agorist. Counter-economist. Privacy maximalist. Student of OPSEC. Anti-authoritarian. Free speech absolutist. Logician. Ex-Darknet Vendor. Youtuber.
SamBent 1 month ago
#OPSEC365 042/365 Job applications ask for everything short of a DNA sample. Social security number, full address history, salary expectations, professional references with contact info, sometimes even social media handles. Companies collect this data, store it insecurely, and rarely delete it after rejecting you. Required fields are marked. Everything else is optional, regardless of what the form implies. Leave optional fields blank. Provide salary history only when legally required or clearly in your interest. Ask how long they retain applicant data and request deletion if not hired. Some companies will comply, others won't, but the request costs nothing and sometimes works.
SamBent 1 month ago
#OPSEC365 041/365 The NSA defines elicitation as "the subtle extraction of information during an apparently normal and innocent conversation." Nobody asks you to sign a disclosure. You're just talking. The collector already knew what they wanted before you said a word. You were being interrogated throughout. Elicitation doesn't look like an attack because it isn't designed to. The tell is in the pattern: someone is unusually curious about operational specifics - timelines, personnel, locations - while appearing to make small talk. Real small talk meanders. Elicitation follows a collection plan. Notice when questions keep returning to one subject.
SamBent 1 month ago
#OPSEC365 040/365 Your clipboard holds a copy of everything you've cut or pasted. Passwords you copied from password managers, addresses, phone numbers, sensitive text from private conversations. Some devices keep clipboard history across apps, and some apps can access it without asking. Clear your clipboard after pasting sensitive information, especially on shared or work devices. On iPhone the clipboard clears when you copy something new, but keyboard apps may log history. On Android clipboard history can persist and sync. Windows keeps history if enabled.
SamBent 1 month ago
Monero Research Lab publishes peer-reviewed cryptography papers while other projects publish marketing decks.
SamBent 1 month ago
#OPSEC365 039/365 Court records are public, and they contain more than you'd expect. Divorce filings with financial details, lawsuits naming parties and allegations, bankruptcy records listing assets and debts. Search tools like PACER for federal courts and state court websites make these accessible to anyone willing to look. A dismissed case, an old civil filing, a lien — all still indexed in state court databases years after resolution. You can't seal records since they're embarrassing, but you should know what exists. Some people proactively search themselves before job interviews or business deals so they're not surprised.
SamBent 1 month ago
Your bank works for the government. Monero works for you.
SamBent 1 month ago
#OPSEC365 038/365 Property records are public in most jurisdictions. Your home address, purchase price, the name on the deed, property taxes owed. Anyone can search county records and find where you live, how much you paid, and when you bought. Some states make this searchable online for free. Your name, address, transaction history, and assessed value are in your county assessor's database, searchable for free by anyone. LLCs and trusts can hold property instead of your personal name, but they add complexity and cost. Some people use nominee services for privacy. The simplest approach is knowing what's public and adjusting other behaviors accordingly.
SamBent 1 month ago
Privacy and cryptography as political tools against surveillance. "I argue that the field of cryptography is political, and that cryptographers should attend to the political consequences of our work." - The Moral Character of Cryptographic Work by Phillip Rogaway (2015) https://web.cs.ucdavis.edu/~rogaway/papers/moral-fn.pdf
SamBent 1 month ago
#OPSEC365 037/365 Your voice is a biometric you can't change. Banks use voice verification, smart assistants recognize you by speech patterns, and deepfake technology can clone your voice from a few seconds of audio. That podcast appearance, that YouTube video, that voicemail greeting all provide samples. Every call made through a VoIP carrier was processed by servers that logged it. Voice authentication is convenient but vulnerable. Unlike passwords, you can't change your voice after it's compromised. Some people opt out of voice verification entirely and use alternative authentication. Others limit how much audio of themselves exists publicly.
SamBent 1 month ago
#OPSEC365 036/365 Someone behind you at the coffee shop can watch you type your password. Shoulder surfing is low-tech and effective. ATM PINs, phone unlock codes, laptop passwords. All it takes is the right angle and a few seconds of attention while you assume nobody is looking. Next time you enter a password in public, check what's behind you first. Position yourself with your back to a wall when possible. Tilt screens away from observers. Use biometrics for quick unlocks and save complex passwords for private settings. Some people use password managers with auto-fill to avoid typing passwords where others can see.
SamBent 1 month ago
Monero devs spent years quietly building FCMP++ while Zcash devs spent years lobbying regulators and tweeting about compliance. One project shipped privacy, the other shipped press releases.
SamBent 1 month ago
#OPSEC365 035/365 Anti-surveillance is what you do yourself. Counter-surveillance is what someone does for you. Anti-surveillance manoeuvres are deliberate actions to draw out a monitoring team and confirm you are being followed. Counter-surveillance is when a third party monitors your route to identify the team independently. Anti-surveillance drills force a reaction: an unexpected turn, entering a building with multiple exits, reversing direction. The goal is identification, not evasion. If you evade without confirming, you do not know whether you successfully broke contact.
SamBent 1 month ago
#OPSEC365 034/365 Parents post an average of 1,500 photos of their child online before the kid turns five. First day of school with the school name visible, sports uniforms with team and league info, birthday posts with exact ages. By the time kids are old enough to control their own digital presence, they already have one built by their parents. Children documented online from birth have no say in the digital footprint they inherit. Consider what your children would want documented publicly when they're adults. Some families use private channels like shared albums instead of public posts. Others simply don't post children's faces at all.
SamBent 1 month ago
#OPSEC365 033/365 Someone calls pretending to be your bank, your IT department, or the IRS. They already know your name and enough details to sound legitimate. Social engineers don't hack computers, they hack people. A convincing voice with a few accurate facts can talk their way into account access, password resets, or sensitive information you wouldn't give to a stranger. Next time someone calls asking you to verify information, hang up and call the official number yourself. Pretexting attacks rely on urgency and authority. They create pressure so you act before thinking. Any legitimate organization will let you hang up and call back through their official channels. If they resist that, they're not legitimate. Train yourself to pause when pressured.
SamBent 1 month ago
"Privacy doesn't matter" from people who would never post their credit card statements publicly.
SamBent 1 month ago
#OPSEC365 032/365 Your mailbox is a treasure chest for anyone willing to look inside. Bank statements, medical bills, credit card offers with preapproved limits, jury summons with your full legal name. Physical mail reveals your financial situation, health status, legal matters, and relationships. A PO Box costs $20 a year. Mail theft in the US runs at roughly 7 billion pieces annually. A locking mailbox from companies like Epoch or Mail Boss costs under two hundred dollars and bolts to your existing post. USPS Informed Delivery lets you see scans of incoming mail before it arrives, also alerts you if something goes missing.
SamBent 1 month ago
"No money in the budget" only applies to things that help you.
SamBent 1 month ago
Cops ticket you for flashing your brights to warn other drivers about a speed trap, then claim it's "obstructing an investigation." Federal court (Elli v. Ellisville, 2014) shot that down as a First Amendment violation. Ohio 1976, NJ 1999, TN 2003, PA Supreme Court, all same ruling: protected speech. If warning drivers to slow down was really about safety, the cop's job would be done.
SamBent 1 month ago
#OPSEC365 031/365 That account you made in 2008 and forgot about still has your data. Old forums, abandoned social networks, services you tried once. Those accounts still exist with your email, your photos, maybe payment info. When those services get breached, your old data gets dumped alongside everyone else's. Try logging into accounts you haven't touched in years and delete what you can. HaveIBeenPwned.com lets you search your email to see breaches you're already in. JustDelete.me maintains a directory of deletion links for thousands of services. Some accounts require emailing support, others make it intentionally hard.
SamBent 1 month ago
TikTok tried to make it hard for content creators to delete their content. I wrote a script that deletes every video one after the other. Copy code -> F12 in browser -> Paste in console -> hit enter Free, open source.