Basic Threat Modeling and Opsec for Activists

Submitted by ymir in security_culture (edited)

Realistic Threat Modeling for Activists.

Many important battles have been won since Charlottesville. Two major neo-Nazi websites, the Daily Stormer and Info Stormer, have been removed from the internet, the latter amusingly defaced to depict kittens... lots and lots of kittens. However, we are still learning lessons about opsec that we should have learned a long time ago, particularly about threat modeling.

For most people, the biggest threat to your privacy might be your nosy neighbor, or a boss who checks your Facebook page. In those scenarios, where you have "nothing to hide," or at least think you have nothing to hide, there are few steps you actually need to take to protect your identity, and I will not really get into that here. I am more focused on threat modeling for activists, who actually do have things to hide, even if they feel they shouldn't have to.

I want to make some important distinctions here. Leftist activists have nothing to hide, in the sense that they are not actually doing anything reprehensible or destructive to society, by and large (with the exception of some tankies). The idea that taking part in political activism means you require more scrutiny is a narrative contrived by the state and isn't based on anything factual. However, just because I believe that you have nothing to hide doesn't mean you shouldn't be hiding to some extent. The idea that if you have nothing to hide, you have nothing to fear comes from a really poor understanding of one's threat model. The fact is that everybody has something, in fact many things, that they don't want the world to know about, and every single one of those things can be exploited by an adversary to justify your incarceration, should you find yourself in a political climate that doesn't favor your beliefs, as we do currently in the United States.

What is threat modeling? Threat modeling is the process of working out what you need to protect, who you need to protect it from, how likely each threat is and how much damage it would do, and which protections are worth their cost. As leftist organizers of all kinds, we have to recognize many more elements of society as an existential threat. We face oppressive crackdowns from our government. We are at risk of being placed on hit websites belonging to neo-Nazi groups. We might lose our jobs or be exiled from our communities in some very important ways. We cannot afford to lose any more resources, and as such it is important that we get a better idea of our threat model and learn to protect ourselves and our loved ones.

I think it is important that we examine some recent news to get an accurate idea of our threat model. Exhibit A: We need to understand that we now live under a regime that wishes to repress dissidents. There are many ways that repressive regimes attack their citizens; one is criminalizing them and then taking away their voting rights. If you jail all of your dissidents, they cannot vote against you, and furthermore, if society at large believes the narrative that they are criminals, it will look the other way as you torture or otherwise mistreat them. People not anonymizing their IP address, through a service like Tor or I2P, may now suddenly be investigated for "criminal activity" that took place at the inauguration, regardless of their participation in any actual "criminalized activity." The implications here are huge, seeing as this subpoena has to do with a case where some of the defendants are facing up to 75 years in prison if convicted on felony rioting charges, despite the fact that there seems to be no evidence directly tying any of the defendants to any specific crime. Furthermore, we need to recognize the hypocrisy here. When white supremacists stabbed people in Sacramento, the police claimed that they couldn't tie any specific white supremacist to the specific stabbings. In considering our threat model, we should also consider the fact that extreme right-wing terrorist groups will never be scrutinized, infiltrated and prosecuted the way that even the most peaceful leftist organizations will.

It is important that we remain out of prison, so that we can continue effective organizing in the community. In some cases, jail time will become unavoidable and for those cases we really need to build a strong prisoner solidarity network, writing letters and sending good reading material to political prisoners all over the United States to make their confinement a little more bearable.

We have a much greater need for anonymity than the community wants to recognize, which is why we must do a lot of the things described below. For any activist planning to go to a leftist rally of any kind, even where you don't intend to engage in any activity the state has criminalized, please consider taking some of the following steps. Keep in mind that good opsec doesn't just protect you, but your comrades as well and we will all be much more effective this side of a jail cell than we would from within one.

Consider masking up. Don't show your face. It isn't just the state you have to protect yourself from: the alt-right has people who go to rallies for the sole purpose of taking pictures to dox people. Protect yourself by covering identifying features of your face as well as possible.

Wear nondescript, disposable clothing. Don't wear your crusty battle vest, however much you want to show it off to a crowd of comrades. You will be easily identified based on the patches, band logos, etc.

Get some form of body armor to wear under your clothes. As leftists, we cannot expect the police to jump in on our behalf; they will only jump in if we have the advantage, otherwise they will stand there twiddling their thumbs while Nazis romp on you like they did in Charlottesville. Skate pads can be pretty helpful, and so can custom LARPing armor. Decide how involved in street confrontation you want to get and prepare accordingly.

Use pseudonyms. It has been estimated that 1 in 5 people in leftist activism communities is actually working for the feds. Don't use your real name, consider meeting and strategizing masked up. Don't meet at your home if you can avoid it. Don't reveal any personal information to your comrades as much as you may feel the desire to. We have to compartmentalize. It sucks. Maybe one day we can come out in the open more, but we cannot do so currently.

Consider engaging in different tactics that you have a better chance of winning with, by getting in and getting out quickly and effectively. Whatever your mission is, get in formation, execute and get out. If that requires too much discipline, then activism may not be for you. Staying in one place makes you an excellent target for law enforcement. If a confrontation with the police cannot be avoided, keep the line strong. You may be able to break through the police line and avoid arrest using this tactic. This tactic is also effective when approaching Nazi lines, though keep in mind that they have a lot more people with military training and they will likely be even more brutal than the police when you engage with them. If this is something that makes you very uncomfortable, you may want to take some time to reconsider your choice of tactics. I fully support those who choose to be part of the Black Bloc, but I also support my comrades that choose not to engage in those tactics as well. We need comrades of all types and nobody should be turned away just because they don't feel comfortable with street confrontation. It takes a special kind of person, one that we are always in short supply of.

In the digital age, opsec is not just concerned with how we behave in a physical space; it has just as much to do with how we behave on the internet. It is important to note that even in the United States, "land of the free," where we supposedly value free speech, dissidents are being targeted using what they say and what websites they visit on the internet. As mentioned above, the IP address of anybody who visited the website of a group involved in organizing the protest against Donald Trump's inauguration has been subpoenaed in an investigation surrounding people who participated in the Black Bloc there. It is very important to note that even many who didn't participate in the Black Bloc were kettled in by police and charged with felony rioting. Having visited a website that investigators believe to be involved in organizing what they are calling riots (despite being a far cry from actual riots) might now put you in jeopardy. An IP address is the number that identifies your connection on the internet so that data can be routed to it. It is assigned by your ISP, which keeps records of which customer had which address and when, so a subpoena to the ISP turns an address in a website's logs into a name and a billing address. The data moving to and from the network identified by your IP address can be monitored, your physical address can be identified, and all of this because you visited a website.

You are not powerless to defend yourself against such government intrusion. You can and should be using the Tor Browser Bundle, available from the Tor Project. It is absolutely essential that you become familiar with this software. Tor wraps your traffic in several layers of encryption and routes it through a circuit of three relays, each of which removes one layer. The first relay (the guard) sees your IP address but not your destination; the last (the exit) sees your destination and whatever you sent, which is plaintext unless the connection itself uses HTTPS; neither sees both. It is very difficult to determine the origin of traffic routed through the Tor network from the far end alone. A government adversary that can watch both your link into the network and the traffic leaving it can try to correlate the two by timing and volume, but that requires expensive, well-placed monitoring and is not always reliable. Tor is absolutely worth using for any activist. I implore you to learn to use this tool safely and effectively. I will post more information about advanced Tor configurations here in the future, as I am sure others in the community will do as well.
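To make the "one layer per hop" idea concrete, here is an added example that is not part of the original post and is not Tor's actual protocol: a toy onion circuit in Python. It stands in an HMAC-based stream cipher for Tor's TLS and AES layers, and the relay names, per-hop keys and the HTTP request are all constructed for the demo. What it does reproduce is the structure the paragraph above describes: the client wraps the message once per relay, each relay strips exactly one layer and learns only who it heard from and where to forward, and only the exit sees the payload as the application produced it.

```python
"""Toy onion routing over three relays, to show what each hop can see.

Added example, not Tor's real protocol: an HMAC-SHA256 counter keystream
stands in for Tor's TLS and AES layers, and every name, key and payload
here is made up for the demonstration.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
HOP_LEN = 32   # fixed-width field that names the next hop inside each layer


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (toy symmetric cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _field(name: str) -> bytes:
    raw = name.encode()
    if len(raw) > HOP_LEN:
        raise ValueError("hop name too long")
    return raw.ljust(HOP_LEN, b"\0")


def build_onion(path, keys, destination: str, payload: bytes) -> bytes:
    """Wrap from the inside out: the exit's layer names the destination,
    every earlier layer names the relay that follows it."""
    next_hops = path[1:] + [destination]
    blob = payload
    for relay, next_hop in reversed(list(zip(path, next_hops))):
        nonce = os.urandom(NONCE_LEN)
        blob = nonce + keystream_xor(keys[relay], nonce, _field(next_hop) + blob)
    return blob


def peel(key: bytes, blob: bytes):
    """What one relay does: strip its own layer, read the next hop,
    and forward the remainder without being able to read it."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plain = keystream_xor(key, nonce, body)
    next_hop = plain[:HOP_LEN].rstrip(b"\0").decode()
    return next_hop, plain[HOP_LEN:]


def run_circuit(path, keys, destination: str, payload: bytes):
    """Simulate the circuit and record, per relay, who it heard from, where it
    forwards to, and whether the bytes it forwards are the raw payload."""
    blob = build_onion(path, keys, destination, payload)
    view = []
    previous = "client"
    for relay in path:
        next_hop, blob = peel(keys[relay], blob)
        view.append({
            "relay": relay,
            "heard_from": previous,
            "forwards_to": next_hop,
            "payload_visible": blob == payload,
            "destination_in_bytes": destination.encode() in blob,
        })
        previous = relay
    return view


def demo():
    """Constructed circuit: three relays with random per-hop keys."""
    path = ["guard", "middle", "exit"]
    keys = {relay: os.urandom(32) for relay in path}
    request = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"   # constructed payload
    return run_circuit(path, keys, "example.org", request)


if __name__ == "__main__":
    for hop in demo():
        print(hop)
```

Running it prints one line per relay: the guard reports `heard_from: client` and `forwards_to: middle` with the payload invisible, the middle relay knows only its neighbours, and only the exit reports `forwards_to: example.org` with `payload_visible: True`. That last line is the practical caveat: whatever you send through Tor without HTTPS is readable at the exit.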

Another great tool, built on the ideas established by Tor, is I2P. I2P is similar to Tor but differs in some key ways. I2P uses separate, one-directional encrypted tunnels for inbound and outbound traffic, so an observer of any one tunnel sees only half of a conversation, which makes traffic analysis harder. It is also designed mainly for services hosted inside the network rather than for reaching the regular internet, which it does through a small number of outproxies. I think as I2P gains more exit nodes, it will eventually become the gold standard and will replace Tor. It has not had as much research dedicated to it as Tor has, however, and that is something to consider in your threat model. It is another tool, and one that I think can offer a lot of great features to dissidents in the future.

As an aside, if you are not involved in any activity that might already make you a target, operating a Tor bridge would be a great service to the community. A Tor bridge is a relay that is not listed in Tor's public directory, so an ISP or oppressive government that blocks the listed relays does not know to block it; a bridge running a pluggable transport such as obfs4 also disguises the traffic so that it does not look like Tor on the wire. Bridges do not carry exit traffic, so running one does not expose you to the abuse complaints that exit operators receive.

The Tor Browser Bundle is a modified Firefox, so ordinary Firefox add-ons can be installed in it. Be aware that the Tor Project advises against adding extensions: every add-on changes how your browser looks to websites and makes you stand out from the other Tor Browser users you are meant to blend in with, and HTTPS Everywhere and NoScript are already bundled. If you decide the trade-off is worth it for your threat model, you may want to consider some of the following:

- Privacy Badger, or arguably Ghostery (blocks trackers and ads)
- HTTPS Everywhere (forces your browser to use a secure connection when one is available; already included in Tor Browser)
- Decentraleyes (serves common JavaScript libraries from a local copy instead of fetching them from CDN providers, which reduces the number of third parties that see your requests and can profile you)
- Self-Destructing Cookies (deletes a site's cookies when you close its tab)
- User Agent Switcher (lets you control the browser identification string your browser sends, one of the things that leaks identifying information to the outside world)
- NoScript (a JavaScript blocker that can be configured for advanced use cases; it also blocks things like cross-site scripting attacks, which could be used to leak personal information such as your IP address; already included in Tor Browser)

There are many others you may wish to consider, but this is a good short list to start with.

If you are a more advanced user, you may want to consider installing and configuring Firejail, a Linux sandbox that uses namespaces and seccomp filters to restrict what a program can see and do. With the Tor Browser jailed, it cannot read important information elsewhere on your computer, and a compromise of the browser does not hand the attacker your whole home directory.

You may also want to consider getting an OnionMail account for activism purposes; you can learn more about this from the OnionMail project. This is not a solution that should be used by itself. You will also want to install Thunderbird and GnuPG so you can PGP-encrypt your email. Never communicate about anything important in clear text. Tor hides your location and IP address from the recipient and from any attacker listening in on your connection; PGP lets you encrypt messages so that only the recipient can read them, and sign them so that the recipient knows with certainty that you sent them. Note what PGP does not hide: the subject line, the sender and recipient addresses and the timestamps travel in the clear, so an adversary who cannot read your mail can still see who talks to whom and when. Again, I will post more information about how all of this works in the future, but if you are a self-guided and motivated learner, the information is out there.

You may also want to look into how you can use steganography, hiding a message inside an innocuous file such as an image, to protect important communications. Steganography hides the existence of a message, not its contents; it is "security by obscurity" and should never be the only layer used to protect you, so encrypt the message before you hide it. Used that way, it is a great tool if you know how to use it.
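As an added example that is not part of the original post and not one of the tools mentioned in the thread, here is the simplest image steganography scheme, least-significant-bit embedding, in Python. The cover "image" is constructed inline as a 64x64 grayscale gradient with noise (a bytearray of pixel values, so no image library is needed); each message bit replaces the low bit of one pixel after a 32-bit length prefix. It shows both halves of the caveat above: no pixel moves by more than 1, so the picture is visually unchanged, yet anyone who knows the scheme pulls the bytes straight back out, which is why the message should be encrypted before it goes in.

```python
"""Least-significant-bit steganography on a constructed 8-bit grayscale image.

Added example; the cover image and the message are made up for the demo.
Hides that a message exists, not what it says: encrypt before embedding.
"""
import random

WIDTH, HEIGHT = 64, 64


def make_cover(seed: int = 1) -> bytearray:
    """Constructed cover: diagonal gradient plus a little noise, one byte per pixel."""
    rng = random.Random(seed)
    return bytearray((x + y) // 2 + rng.randrange(8)
                     for y in range(HEIGHT) for x in range(WIDTH))


def capacity_bytes(cover) -> int:
    """Message bytes the cover can hold, after the 4-byte length prefix."""
    return len(cover) // 8 - 4


def embed(cover, message: bytes) -> bytearray:
    """Return a copy of cover with the length-prefixed message in the pixel LSBs."""
    if len(message) > capacity_bytes(cover):
        raise ValueError("message too long: cover holds %d bytes" % capacity_bytes(cover))
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(cover)
    idx = 0
    for byte in payload:
        for shift in range(7, -1, -1):          # most significant bit first
            stego[idx] = (stego[idx] & 0xFE) | ((byte >> shift) & 1)
            idx += 1
    return stego


def _read_bytes(stego, offset_bits: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at pixel `offset_bits`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[offset_bits + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego) -> bytes:
    """Recover the message; raises if the length prefix cannot fit the cover."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if length > capacity_bytes(stego):
        raise ValueError("length prefix exceeds cover; not a stego image from this scheme")
    return _read_bytes(stego, 32, length)


def max_pixel_change(cover, stego) -> int:
    """Largest change to any pixel; for LSB embedding this is never more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    hidden = embed(cover, b"meet at the usual place at nine")   # constructed message
    print(extract(hidden), max_pixel_change(cover, hidden))
```

The `extract` call works on the stego image with no key at all, which is the whole point of the warning: the scheme buys deniability only while the adversary does not think to look, and a detector that checks LSB statistics on images in transit will find unencrypted text far more easily than ciphertext, which looks like the noise it replaces.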




aiwendil wrote

I have mixed feelings about browser add-ons. I think some of them probably do more harm than good, but some of them are very helpful. Making sure they are open source will probably help to vet them in the future. Stego is really interesting though. Do you know of any good stego tools currently available?


[deleted] wrote (edited)


ymir OP wrote

While I think you might have a point with Ghostery, I think it works better than Privacy Badger in a lot of cases. How would Self-Destructing Cookies, Decentraleyes and User Agent Switcher help to profile you? Carrying cookies, especially third-party cookies, from site to site is one way trackers can build a profile on you. In fact I would say that is how most trackers work. So I absolutely advocate Self-Destructing Cookies; you should delete any cookie you don't currently need. Decentraleyes is great for a lot of use cases also. I think not requesting resources from Facebook's or Google's CDNs as much as is possible is a great way to avoid being profiled. If the resource exists locally on the server you are hitting, that is where you should procure it, not from a CDN that is building a profile on your media consumption, which the NSA likely has access to. Also, User Agent Switcher is yet another way to obscure your identity; if you change it frequently, your browser cannot easily be fingerprinted based on a consistent and relatively unique user agent. I absolutely stand by all three of those as a way to help mitigate your risk of being identified online.

I think as far as things like Flash and Java go, you should absolutely turn those plugins off. The goal, I would say, is to make content on the internet as static as possible. Any content that is dynamically served requires conditional logic, often provided by JavaScript or Java or Flash, and should be avoided as much as possible.

It may also be a good idea for people to have one browser they use for activism, which is locked down and jailed to a certain directory that doesn't leak personal information and another browser for any other activity, which you may want to consider also jailing so it cannot see anything your other browser is doing. That is a much more advanced configuration though.

Whonix's documentation is really one such guide, of which there are many great ones. Whonix also offers a great product, but it can be difficult to use for people just getting acquainted with opsec.

What I wrote is really a straightforward guide that will tackle most of the basics and establish a baseline. I think making things too complicated is one way we convince people to not do anything at all. A lot of Firefox plugins are a matter of preference, but there are a lot of good ones that help to protect privacy and should be used by people seeking to protect their privacy.


[deleted] wrote (edited)


ymir OP wrote

So if you check out Panopticlick on the EFF website, I think the strategy as far as fingerprinting goes is that you try to blend in, with inaccurate information. I think switching your user agent is a much different thing than randomizing your user agent. I don't think you should randomize it; you switch between other very common user agents. I actually have a script that I use to get the most common user agents from a site that records them, and I update my user agent based on the most common user agents. So to really get granular here, it is best for people to throw their browser through something like Burp proxy every now and again and see what your browser is leaking. If you are blocking JavaScript, then there is no known way to determine what other plugins you are using unless they are leaking information themselves, which Ghostery may very well be doing. If that is true, then it probably is better to use another solution, but from what I have read, Ghostery respects your opting out of data collection. Again, if it were open source we could really vet that.

I don't think people should worry about plugins/add-ons creating a profile too much unless they are using JavaScript consistently, in which case everything else you do for privacy is kind of moot. I really appreciate that this site is 100% usable without enabling JavaScript. I think we need to start coding that way more frequently. If a site needs JavaScript, you better really trust them. But even something like jQuery, which is maintained by Google and is pretty ubiquitous across the web, is really a bad idea.

I think Decentraleyes is just as useful when using Tor as it is otherwise. I personally block Facebook and Google in my hosts file, and when not using Tor, I never have a problem with content loading at this point because I am retrieving it locally instead of from a CDN. It works the same way via Tor, but my hosts file never enters into the equation with Tor, since all of my DNS requests are going through Tor exclusively. However, if you run a session through Burp with Decentraleyes enabled and disabled, you will see an incredible amount of third-party traffic without it. I prefer to control that, and it is my belief that in so doing I have become more difficult to profile. I don't think that making fewer CDN requests is something that can really be used to profile you. It might be helpful with traffic analysis, but if that is happening to you, you are already in trouble, and whether you make fewer CDN requests or not will not really make any difference. I don't think it is going to single you out though.

I think killing cookies automatically when you close a tab is really great for somebody who has their browser always open. It isn't much different than clicking New Identity, except that it is not creating a new tunnel. The fact that it is automated is really important because most people get lazy, myself included. We need to make these good security practices as automatic as possible instead of leaving it in the user's hands. It is just good practice to delete cookies, and doing it without having to close your browser is a really handy feature. It might be one you find extraneous, and others can make that call for themselves, but there really is no way to fingerprint somebody based on that occurring or not if they are already going through Tor, since your connection is already anonymized and it would be difficult to tell what other websites you were visiting at the same time. If anything, this practice prevents traffic analysis by collection of third-party cookies or cookie staining, which was an attack that was recently demonstrated at DEF CON. To me that is an absolutely crucial plugin.

As I said in the post, these are plugins you may want to consider, and I can make a good case for all of them. Ultimately Tor Browser is set up pretty well for the average user, but these are things you can do to enhance the security. I think there are some other things I would like to see Tor Browser be a little more strict about, like blocking SSL versions that have known vulnerabilities. There is still a lot left up to the user that can mess you up. Whatever the case, I think you should always take the time to record some sessions in Burp proxy before you use your browser for something that you need a high level of anonymity for. If you are the average activist, you are probably good with just the Tor Browser Bundle, and you can consider the plugins that I mentioned or not.

It is also a good idea to run your browser through Panopticlick with JavaScript enabled so you can see what is being leaked. I use a lot of those plugins specifically because they do better on the Panopticlick test.


[deleted] wrote (edited)


ymir OP wrote

Are you talking about anonymizing within the network or performing traffic analysis from two endpoints? I think within the Tor network, unless the crypto is broken, nobody should be able to see your user agent at all. I am sure most of the traffic leaving the network would definitely be Tor Browser Bundle, but since you are encrypted from the first hop to the entry node even, determining who you are from your user agent being unique seems hard unless you are doing other non-Tor activities with the same browser. Traffic staining seems like a much bigger deal to me than analysis of user agent. I think it would be better to look like something other than Tor at the endpoint you are trying to reach, so they would have to look up your IP to even determine that you were using Tor. If your user agent says it right off the bat, they don't even have to do a modicum of research to figure out that you are attempting to anonymize your traffic. I guess again it depends on your threat model. To me, maintaining my anonymity from the website I am visiting seems paramount; I assume an adversary capable of traffic analysis is going to be able to do traffic staining or other attacks quite easily and de-anonymize me quickly anyway. If that was my assumed adversary I might try to blend in a little more.


[deleted] wrote (edited)


ymir OP wrote (edited)

So, while I am sure you are right, that profile goes out the window as soon as you switch user agents again. There are enough people on Tor who do switch user agents that I don't really think profiling you based solely on the fact that you are switching user agents and going through Tor is particularly useful. I think if even more people did so, it would be even less useful, but that is just my perspective. I have worked on systems that use IP and user agent together to build profiles, but should a user switch either of those things, the profiling has to start over. Connecting those profiles together would require a lot of data and a lot of guesswork, the accuracy of which is largely debatable. I believe I've already said this and I would stick with it: you shouldn't change Tor Browser unless you know what you are doing and the potential consequences. I know the potential consequences and I would prefer to make lots and lots of useless profiles on my usage that cannot be connected together easily, also making it harder to profile Tor users in general, than fit totally into the box of other Tor users. Like I said previously, if the NSA wants your history, they will just do a man-in-the-browser attack or stain your traffic to at least correlate it to your original IP. For most adversaries that is impossible. If the NSA was my adversary I would rather run an SSH hidden service on a compromised machine somewhere and tunnel through that as well as changing my user agent to a very common one. I understand the risks of changing a user agent, but honestly I think doing so frequently, as well as changing your Tor identity frequently, will ultimately make it harder to build any lasting profile on you.