#OPSEC365 054/365
Surveillance teams work in cycles: Stakeout, Pick-Up, Follow, Housing.
Understanding how pro foot monitoring operates is the foundation of detecting it. The team boxes the target in Stakeout. The trigger gives warning of movement. The Pick-Up establishes the follow. Housing is when the target stops. This cycle repeats all day.
To detect foot surveillance, vary your departure time and route. Surveillance teams stakeout from fixed trigger positions near your home or office - parked vehicles, cafe windows, bus shelters. Jenkins notes: operators get bored and co-locate.
Every "Monero can't scale" argument from 2018 aged like milk after Bulletproofs++ went live.
#OPSEC365 052/365
Your email address reveals more than you think.
Firstname.lastname@company.com confirms your employer. A birth year in an address tells your age. College emails persist in breach databases long after graduation. HaveIBeenPwned indexes over 14 billion breached accountsโyour old address is almost certainly in one.
An email address is a key. Most people hand out copies to anyone who asks.
Compartmentalize by purpose: professional email for work, a separate address for accounts you don't trust, and a private address only trusted contacts know. SimpleLogin and AnonAddy generate per-service aliases (e.g., amazon@yourdomain.anonaddy.me) forward to your real inbox.
Return-to-libc attacks when stack protection made shellcode harder.
"Return-to-libc attacks allow code execution without injecting any code onto the stack."
- ๐๐๐ฝ๐ฎ๐๐๐ถ๐ป๐ด ๐ฆ๐๐ฎ๐ฐ๐ธ๐๐๐ฎ๐ฟ๐ฑ ๐ฎ๐ป๐ฑ ๐ฆ๐๐ฎ๐ฐ๐ธ๐ฆ๐ต๐ถ๐ฒ๐น๐ฑ by Bulba and Kil3r (2000)
Phrack
Bypassing StackGuard and StackShield
Click to read the article on phrack
#OPSEC365 051/365
Voter registration records are public in most states.
Your full name, home address, party affiliation, and voting history are available to political campaigns, researchers, journalists, and data brokers. Some states publish this online for free. Others sell it in bulk.
Voter registration data is public record in most states. Name, address, party, and voting history โ available to campaigns, researchers, and anyone else who asks.
Some states let you request confidentiality if you have a noted threat, but most don't. Address Confidentiality Programs exist for survivors of domestic violence. For everyone else, the best you can do is use a PO Box where allowed and know your registration is public regardless.
#OPSEC365 050/365
Your car's infotainment system remembers everywhere you've been.
Navigation history, paired phone contacts, call logs, text messages if connected via Bluetooth. Rental cars retain previous drivers' data. Used cars come with the previous owner's information. And when you sell or return your car, your data stays behind.
Factory reset your infotainment system before selling, trading, or returning a vehicle.
Every car handles this differently, but look for Reset or Factory Defaults in the settings menu. Don't just delete your phone from paired devices, wipe the entire system. For rental cars, avoid pairing your phone at all or use a clean burner phone for navigation instead.
HSBC's own ad copy explains exactly why Monero needs to exist
when someone controls your finances, they control you, and the only money that can't be controlled, frozen, or surveilled is the money they're trying to ban.
#OPSEC365 049/365
Every call you make is logged: number dialed, duration, cell tower, timestamp. Under Smith v. Maryland (1979), you have no Fourth Amendment protection over records you give a third party โ including your carrier.
A subpoena is all it takes. No warrant. No notification. The DEA calls toll records the backbone of phone-based cases.
Contact patterns matter as much as content. Who you called, how often, and from tower builds an investigative map without a single intercepted word. Investigators work call logs before seeking wiretaps.
#OPSEC365 048/365
Professional licenses are public records in most states.
If you're a doctor, lawyer, nurse, real estate agent, or hold any state-issued credential, your full name, license number, status, and sometimes disciplinary history are searchable online. Anyone can verify your credentials, which means anyone can verify you exist in profession.
Professional license databases are public. Your name, license number, status, and sometimes address are available to anyone who looks.
You can't hide your professional license, but you can be aware of what it reveals. For some professions, the address on file is public. Consider using a business address or registered agent instead of your home.
#OPSEC365 047/365
Your smart TV shares a network with your laptop, phone, and NAS. That's a compartmentalization failure.
ACR runs by default on Vizio, Samsung, and LG โ fingerprinting your viewing. A TV with a vulnerable update path is a lateral pivot into your LAN.
Cronk's SEPARATE strategy: partition contexts with different trust levels. Your TV needs internet. It has no need to see your other devices.
VLAN your IoT tier. Your TV doesn't need to know your NAS exists.
Implementation: create an isolated IoT VLAN with internet-only egress, no routing to your primary LAN. A smart TV's legitimate function requires only outbound streaming access โ zero visibility into personal devices.
Every atomic swap is another transaction that never touched Coinbase, Kraken, or any compliance department.
#OPSEC365 046/365
The return address on your outgoing mail tells everyone where you live.
Every letter, bill payment, or package you send broadcasts your home address to anyone who handles it along the way. That includes postal workers, mail room staff, and whoever opens it at the destination.
Your home address on outgoing mail is a permanent record of where you live, delivered directly to whoever receives it.
A PO Box costs around twenty dollars per month and gives you an address that isn't your home. You can also rent private mailboxes from UPS Store or similar services that provide a street address format. The goal is keeping your physical location out of places you don't control.
I built pq-ratchet: Forward secrecy + quantum resistance in one Rust crate.
Signal's Double Ratchet gives every message its own key steal one, you decrypt nothing else.
ML-KEM-768 (NIST FIPS 203) layered on top of X25519 means quantum computers can't break it either.
crates.io/crates/pq-ratchet
sambent.dev/sam/pq-ratchet
github.com/DoingFedTime/pq-ratchet
sambentamhhtuyazvbsfi2zoia346x3d7gdn6e52av23qn5v4wqwpiqd.onion/sam/pq-ratchet
#OPSEC365 045/365
OPSEC doctrine defines a vulnerability as existing only when three conditions are simultaneously true: adversary has collection capability, observable indicators are present, and the adversary can act before you react.
Remove any one condition and the vulnerability collapses. Most people only focus on hiding information. Doctrine also targets adversary capability and reaction time.
NTTP 3-13.3 defines a mission-related weakness as existing when an adversary has the capability to collect indicators, correctly analyze them, and take timely action. This means if your adversary lacks analytical capability to connect the dots, your indicators may be irrelevant.
Format string vulnerabilities discovered and documented.
"Format string bugs are a new class of software vulnerability discovered around June 2000."
- ๐๐ผ๐ฟ๐บ๐ฎ๐ ๐ฆ๐๐ฟ๐ถ๐ป๐ด ๐๐๐๐ฎ๐ฐ๐ธ๐ by Tim Newsham (2000)
Bugtraq: Format String Attacks
#OPSEC365 044/365
Rental applications require a complete financial strip search.
Social security number, bank statements, employer contact information, pay stubs, previous addresses, references. Landlords and property management companies collect this data, often share it with screening services, and rarely have strong security.
Ask how your rental application data is stored and when it will be deleted.
You can't avoid providing this info if you want to rent, but you can ask questions. Does the screening company retain your data? Is it encrypted? Will it be deleted after the decision? Most won't answer satisfactorily, but the question itself signals you're paying attention.
Twelve years of public school and they never once taught you what agorism, counter-economics, or voluntary exchange means. That wasn't an accident.
#OPSEC365 043/365
That conference badge has your full name, company, and role printed on it.
You wear it around the venue where everyone can see it, photograph it, or use it as an opening to social engineer you. After the conference, those badges end up in photos, on social media, and in the trash where anyone can grab them.
A badge with your name, photo, employer, and title is a social engineering starter kit.
Some people use first name only badges when registration allows. Others flip badges to hide details when not actively networking. Shred or destroy badges after events rather than tossing them intact. The goal is controlling who gets your professional information and when.
Secure means your funds can't be seized without your keys,
private means no one sees your balance or transactions,
untraceable means chain analysis is useless,
Monero is the only cryptocurrency that delivers all three by default.
#OPSEC365 042/365
Job applications ask for everything short of a DNA sample.
Social security number, full address history, salary expectations, professional references with contact info, sometimes even social media handles. Companies collect this data, store it insecurely, and rarely delete it after rejecting you.
Required fields are marked. Everything else is optional, regardless of what the form implies.
Leave optional fields blank. Provide salary history only when legally required or clearly in your interest. Ask how long they retain applicant data and request deletion if not hired. Some companies will comply, others won't, but the request costs nothing and sometimes works.
