A case of inverted OPSEC

[TWP]

This site: http://urbanprepperchick.blogspot.com/
has some great information and I absolutely enjoy reading the material.

The problem (mine) is the limitation on website contact options...

The only way to reach the author is via one of the "Social Media" (SM) sites,
like Facebook etc.  There is no email address, that I can find anyway, and
no built-in contact form.  All reader/viewer contact is done through SM.
I acknowledge that this may be a limitation imposed by the site hosting
company who may not even allow the use of email contact via their software

Since I refuse to use the SM due to their very dangerous privacy
( or non-privacy ) policies, I cannot maintain my OPSEC and still reach the
author to comment on her great website and articles.  I have posted links,
on the NNPG forum, to articles from her website, and these links were
recognized by the site author, so I know she reads this site or has found the
links via search engines.  It's a case of one-way communication.

Let me re-iterate, I really like the content of Urban Prepper Chick's website and
I check it daily.

[rant on]
I design websites and reader contact / feedback is a vital part of all my designs.
Yet I advise my clients to avoid using SM links even if they represent an income
channel.  My opinion is that the real loss of privacy out-weights any possible
monetary benefit. YMMV...
[rant off]

So, the question to you is:

I don't know how many of you (NNPG members and lurkers) share my distrust
of the SM sites although several of you have your own website.  Even if  you don't have
your own site, I would like to hear your feedback on handling contact with readers.

[redrocker]

One of the most-difficult things that I have had to deal with in the INFOSEC and OPSEC discussions that I have had with people, who have come from outside the intelligence collection community, is to get them to realize two things and act on those two things:  (a)  Everything Snowden leaked and said was entirely accurate (everything sent through an open Internet channel of any kind is recorded forever and it WILL be used against you if you displease the government) and (b) sometimes there is just no practical way to communicate to persons over the Internet... period.  Sometimes, you simply must forego ever making any contact if the only way you could do so would be through social media such as Facebook.

There are ways that you can use the US Postal Service to send very secure communications, at the moment.  At some time in the future, however, I expect the surveillance state to put video cameras on all the mailboxes, like the Stasi and the KGB did, so then even that channel of communication will become risky.

I have offered to work with two other individuals (one in Missouri and one in Oregon) to put together an OPSEC guide, since they retired from the intelligence community, but after starting on the project, both became afraid and stopped work.  In the meantime, I can only recommend that you think through each step of your prospective communication process and how it might be effectively intercepted, and then decide whether or not to attempt to make the contact with your prospective correspondent.

Remember:  In the totalitarian surveillance state, everyone is guilty and there is no way to prove your innocence -- and -- think like a Russian.  "George, he's Russian.  He thinks even the butterflies are spying on him,"  Toby Esterhase to George Smiley in Smiley's People.

[TWP]

Redrocker, 

Your viewpoint is further into the realm of the tin foil hat than I typically encounter with website design..

While the specific case I cited is not as bad as it could be, in the sense that I am still willing to use email.  The problem (as cited) is that the social media are simply not secure, in any sense, and there is no alternative offered for communication.   I read this as poor design practice.  The fact that such designs exist and are in use is just evidence that sheeple really do exist.

Red, that is not to imply that what you reference is untrue (I too can fold a tin foil hat in 30 seconds...) and I also carry a spare pair of underwear in case things get really off-center...

I would like to hear opinions re social media usage on websites.  As I stated, I don't think the monetary/social gains from SM are worth the cost in personal privacy.

[redrocker]

With respect to Facebook, in particular, you can create an Avatar for yourself that is anonymous if you do all of the following:

1.  Establish an anonymous email account.  Since unseen.is is free, it has become very popular.  However, unseen.is has a home-brewed trust chain stack, including modifications "around the edges" of PGP, and has not published their source code.  Most security experts worry that they could have security weaknesses, although they cannot prove it at the moment.  There are other services out there ... just do an Internet search using DuckDuckGo.  They all charge a fee.  (The one I use is around $80 a year, but they get paid in Bitcoin, so the amount varies with the current Bitcoin exchange rate).

2.  You buy a junker computer for cash, somewhere locally, and you never, ever turn it on until you have downloaded an burned an ISO image of the TAILS system onto a DVD on your regular computer, first.  Then, boot your junker ("burn") computer from that DVD, then hook it up to the Internet, then ...

3.  Using the TOR browser through TAILS, sign up for your anonymous email account, and then ...

4.  Sign up for a Facebook account using the TOR browser through TAILS, and use your anonymous email account as the contact information.

At one time Facebook was trying to block TOR exit nodes and demanding a cell phone number in order to create a new account.  They quickly backed off of those means of user authentication. 

The above should work. 

[TWP]

Redrocker,

The ultimate point of communication though a commercial website is to allow customers to reach you, the site owner, and vice-verse.  This implies secure transaction processing and, in my mind, private communication limited to the site owner and customer.  This is where social media (SM) fails (IMNSHO).

Yes, what you describe can give you some semblance of anonymity on the internet, but it requires that one "jump through hoops" to engage in commerce.  My contention is the the use of SM in this case (commerce) is inviting the wolf into your home, letting the wolf know that you have goodies worth chasing and allowing that wolf to keep a record of your business communication.  Inverted OPSEC.

To be clear, I'm NOT talking about communication between individuals who want to "chat" at each other while trying to remain anonymous in a crowd of people...  That expectation borders on being oxymoronic, and deserves another thread.  It also doesn't contribute to maintaining OPSEC,  a desirable prepper attribute.

So, who out there uses the SM for commerce and how do you feel about your business privacy?

[redrocker]

It is my belief that it is literally impossible to conduct ecommerce anonymously and securely unless Bitcoin (BTC) is used as the means of settlement and the BTC are run through a tumbler first (anonymizer) and the entire transaction is conducted over an anonymous trust chain.  Given all of the above, the illegal drug trade community has proven that ecommerce can be conducted anonymously and securely, until one idiot in your trust chain allows their computer network to become compromised, that is.

There is no way to avoid jumping through all those hoops and remain secure and anonymous.  There is a trade between convenience and security.  You can have only one at a time.

Social media (SM) is the exact opposite of secure.  Directly, in the user licenses to which you must agree to get an account, the site operator tells you directly and unambiguously that your information is not secure.

If Facebook were to be secure, then it would not be free.  It must be insecure for the Facebook advertising model to work.

Anonymity is a different matter than transaction and message security, altogether.  It is possible to be anonymous (as outlined in my earlier message) and yet have all the transactions be public.

In most respects, a person probably should not care if their transactions are public, if they are anonymous.  But, that requires a great deal of faith that your veil of anonymity will not, at some future time, be pierced.

One last note:  If you take all the steps I outlined above for the use of TAILS, but you run TAILS from a thumb drive instead of the original DVD that you burned, then you have compromised your anonymity.  Specifically, the first time that you create any sort of web-based transaction or or interaction, such as posting on this forum, with TAILS run from read/write memory, your computer will be "fingerprinted" and associated forever after with all the details of your web transaction.  So, for example, if I had logged onto this forum using a regular computer or a computer running TAILS from a thumb drive, my computer's identity would forever be linked, now, in the future, and IN THE PAST with my forum name "redrocker."  Extend that concept to the purchase of something over the Internet, and you can see how quickly your full name, shipping address, billing address, and form of payment will be permanently and forever associated with your computer, now, in the future and IN THE PAST.

INFOSEC requires a great deal of discipline and maturity of thinking, but it can be maintained. 

One slip up, and you are toast, however.