Medieval peasants kept more of their harvest than you keep of your paycheck.
Sam Bent
contact@sambent.com
npub1y7rv...d0r3
Journalist | OSINT & OPSEC Specialist | Darknet Expert (Ex Vendor & DNM Admin) | DEFCON/SANS Speaker | Youtuber | Social Engineer | Author | Paralegal
#OPSEC365 008/365
Everyone has an adversary, whether they realize it or not.
It might be an ex who won't let go, a competitor digging for leverage, a scammer building a target list, or a future employer searching your name. The question isn't whether someone wants information about you, it's who and why.
Write down the three most likely people or groups who might want to know more about you than you'd want them to.
Your adversary determines your threat model, and your threat model determines what precautions make sense.
The White House app ships with a sanctioned Chinese tracking SDK,
the FBI app serves ads,
and FEMA wants 28 permissions to show you weather alerts.
Sam Bent
Fedware: 13 Government Apps That Spy Harder Than the Apps They Ban
The White House app ships with a sanctioned Chinese tracking SDK, the FBI app serves ads, and FEMA wants 28 permissions to show you weather alerts.
Monero devs have never once suggested building backdoors for law enforcement,
Zcash's founder suggested it publicly then asked you to memory-hole his own words.
#OPSEC365 007/365
Security questions aren't secure. They're public records and social media trivia.
Your mother's maiden name is on genealogy sites. Your first pet's name is in a Facebook post from 2012. Your high school mascot is one Google search away. Anyone doing basic research on you can answer these questions as easily as you can.
Go check what security questions protect your most important accounts and ask yourself who else could answer them.
Treat security questions like additional passwords. Give false answers that only you would know, store them in a password manager, and never use real information that could be researched. Mother's maiden name can be a random phrase if you remember to save it.
#OPSEC365 006/365
Posting vacation photos while you're still on vacation tells everyone exactly when your home is unoccupied.
The timestamp, the location tag, and the caption all confirm you're hundreds of miles away and won't be back for days.
Save the photos. Post them when you're home. See if you can resist the urge to broadcast your absence in real time.
If you have to post during travel, strip location data and avoid revealing details that pin down your specific location or how long you'll be gone. General photos without landmarks are harder to geolocate than a poolside shot with a resort logo visible in the background.
> builds a GRUB replacement in 2016
> spends 5 years breaking GRUB piece by piece
> strips LUKS encryption from /boot "for security"
> proposes to remove: btrfs, xfs, zfs
> keeps SquashFS, two CVEs, one rated 7.8 HIGH
> controls the signing keys for all of it
> Canonical promoted him.
Sam Bent
Canonical's GRUB Saboteur Has a 10-Year Plan
Julian Klode has been systematically stripping features from GRUB since 2021, and he built the replacement a decade ago.
If you have to ask permission it was never a right in the first place, it was a privilege they can revoke.
Tails 7.6 uses domain fronting to hide Tor bridge requests from censors,
\replaces KeePassXC with GNOME Secrets for accessibility,
and catches up on 18 months of Electrum releases.
Sam Bent
Tails 7.6 Hides Bridge Requests Behind CDN Traffic
Tails 7.6 uses domain fronting to hide Tor bridge requests from censors, replaces KeePassXC with GNOME Secrets for accessibility, and catches up on...
#OPSEC365 005/365
What's visible through your front window right now?
Packages with your name on them, expensive electronics, a daily routine playing out on a predictable schedule. Anyone walking by can see it, and the ones paying attention are taking notes.
Go look at your home from the outside like a stranger casing it, and see what you've been advertising.
Simple fixes make a difference. Move valuables out of sightlines, vary your visible routine, and don't let delivered packages sit on the porch broadcasting that you're not home. The goal is to look like a harder target than the house next door.
The enemy is at the gates.
Do you see where this is going?
Red = Removing
Chainalysis can stare at this diagram all day and still only see question marks where your identity should be.
#OPSEC365 004/365
The people closest to you are your biggest OPSEC liability.
Your mom posts photos of family gatherings with location tags. Your friend checks you in at bars without asking. Your ex still knows your passwords, your routines, and the answers to all your security questions.
Make a mental list of the five people who could expose the most about you without even trying.
You can't control what others post, but you can control what you share with them and whether you're tagged in their content. Most platforms let you review tags before they appear on your profile, and some relationships warrant a direct conversation about what's off-limits.
#OPSEC365 003/365
Your credit card company knows where you eat, what you buy, when you travel, and what time you usually shop. So does anyone who gets access to that data through a breach, a subpoena, or a curious employee.
Log into your bank and scroll through last month's transactions like you're a stranger trying to learn about you.
The patterns are obvious once you look.
Cash leaves no transaction record tied to your identity. For purchases you'd rather not have logged, cash or Monero are the only options that don't create a permanent entry in a database you don't control.
GM sold your data to LexisNexis.
Toyota shared telematics with Progressive.
Allstate embedded hidden tracking in apps like Sirius XM 40 million connections tracked every 15 seconds.
This is already happening.
The kill switch just makes it worse.
Microsoft's "Fix" for Windows 11:
Flowers After the Beating...
Microsoft spent four years stuffing Windows 11 with ads, forced Copilot integrations,
and bloatware, now they want applause for promising to remove it.
The dining cryptographers problem.
Unconditional sender and recipient untraceability.
"We describe a protocol by which a group of cryptographers can determine whether one of them paid for dinner, without revealing who paid."
The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability by David Chaum (1988)
The Dining Cryptographers Problem
#OPSEC365 002/365
If someone watched you for a week, they'd know exactly when your house is empty.
You leave for work at the same time every day, grab coffee from the same place, take the same route home, and park in the same spot. That pattern is a schedule you're broadcasting to anyone paying attention.
Pick one part of your daily routine and change it tomorrow just to prove you can.
Predictability is a vulnerability because it lets someone plan around you. Varying even small things like your commute time, parking spot, or which entrance you use makes surveillance harder and forces anyone watching to invest more time and resources.
#OPSEC365 001/365
That selfie you texted last week included the exact GPS coordinates of where you were standing when you took it.
Pull up any photo in your camera roll, swipe up on iPhone or tap Details on Android, and see the map pinpointing the location baked into the file.
Now think about every photo you've ever sent to someone you shouldn't fully trust.
To stop this at the source, turn off location for your camera app. On iPhone go to Settings, Privacy, Location Services, Camera, and set it to Never. On Android open Camera settings and disable location tags.
Kill switch infrastructure in every vehicle means geo-fencing, speed limit enforcement, no-drive zones all at the push of a button.
An algorithm you can't challenge decides if your car operates.
You still pay for it.
Absolute insanity.