Request for comment on a usable OPSEC matrix

It's next-to-impossible to find usable opsec guides out there, given most of the discussion tends to happen around high-end use cases and focuses mainly on the most advanced setups.

I am concerned this creates unintended consequences whereby users cannot discern practical advice from theoretical best practices and thus discard advice entirely. (Sure, let's buy off the clearnet! x_x)

I've had a go at putting together a first draft for 'go-to' advice about levels of security based on typical buyer profiles and operation sizes. I've not provided detailed links and citations on every element at this stage, but a final version would be fully referenced.

Thoughts?

| | Personal market buyer | Small scale reseller | Medium scale vendor | Market operator or large vendor |
|---|---|---|---|---|
| Browser | Tor browser bundle | Tor browser bundle | Any FOSS browser with a Tor proxy | Any FOSS browser with a Tor proxy |
| Network | Optional VPN | Recommended VPN | Tor isolating proxy and VPN | Tor isolating proxy and VPN, administration-only servers |
| Operating system | Any | Tails or Whonix/Qubes OS | Tails or Whonix/Qubes OS | Tails, separate machine |
| Comms | Recommended PGP | Mandatory PGP | Mandatory PGP, secure email service | Mandatory PGP, secure email service |
| Payments | Via online local bitcoins or tumbler | Via online local bitcoins or tumbler | Via in-person local bitcoins or through mules | Via in-person local bitcoins or through mules |


Comments


[3 Points] octomarvel:

Once on pcp, I wrote a manual called building empires for dummies.

This is a much much better version of that.

=)


[2 Points] lordredvampire:

Qubes OS - you can create a TOR-isolated network interface and have the rest of the programs use that TorVM network interface. This is great if you wanna host a DNM. Whonix is RAM-limited, great for buyers and vendors alike; Tails OS is for buyers, vendors, and small-scale distribution. Large scale should go Tails OS, but Qubes OS is recommended due to its security design.


[2 Points] heyfreshhhhh:

PGP should be mandatory even for a personal buyer.


[2 Points] Bbmcisrightyoufools:

Why would you recommend a DNM operator/large vendor to not use TBB? It is a FOSS browser (Based on Firefox too), with anti-fingerprinting protections and allows a user to easily reduce their attack surface with the slider.

Addendum: money laundering advice

For a market operator/large vendor, you'll need a legitimate reason for the income and for it being in bitcoin. Offshore shell corporations in places with good banking secrecy laws (think a BTC-accepting website incorporated in Nevis/The Seychelles) as the first layer, and then get creative as to how you can transfer this money to yourself without it seeming suspicious. Consider a contractor doing jobs for companies and being paid an hourly rate. Get creative.


[1 Points] orevilo:

Ehh, I'd say that PGP is mandatory regardless of who you are, and TAILS is recommended for everyone, not just the bigger players.


[1 Points] benintulatechsupport:

What's a FOSS browser and an isolating proxy? And how would you set up these things?


[1 Points] cryptocreepo:

Re: "Via in-person local bitcoins or through mules",

You should still tumble.

You can't trust these exchanges 100%. Some people believe that some of the exchange points are either run by or monitored by LE.


[-1 Points] None:

Nothing wrong with clearnet if you do it right