OPSEC 101: What Does My Setup Look Like
As part of this series on OPSEC for researchers, I want to start by highlighting what are some of the workstation options that are available to researchers by using myself as an example. Over the years I have chosen to do two things 1) use a dedicated research laptop, desktop, or mobile device void of any personal information or 2) use a virtual machine (VM). There are other options such as the use of a virtual desktops ( remote desktops services or desktop-as-a-service) but I have not used these personally. The device (physical or virtual) that you choose to do your research on plays an important role in your operational security practices. There is no way to be 100% secure online, rather is about minimizing your vulnerabilities to a few potential points of failure, while you are doing your research. Though today I will be focusing on “tools”, OPSEC is a method and a mindset that needs to be applied consistently while you are doing your research. Now I am writing this for my peers in academia who focus on violent extremism and terrorism, this is applicable for others as well, but depending on the threat or threat actor you are focusing on, these might not be the best options for you.
1) Using a Dedicated Device
The first option is using a clean, dedicated device for doing your research and nothing else. This can be a device that you bought second hand, or an old device that you have wiped clean. Using a dedicated device takes some work to setup to “harden” your machine. The first is wiping the old devices, in particular if you are using old computers and phones if you are a device hoarder like I am, which is something I have done and still do to this day for certain projects. It is important to note that deleting files or formatting a drive does not mean the information is gone for ever. There are free tools that are available that makes information recoverable. You can only be certain that the data has been securely and permanently destroyed by overwriting it.
You also should consider taping you microphone and camera or installing software that blocks microphone or camera usage. If you are extremely paranoid about your safety you can also remove them from your devices. On a dedicated device you also should make efforts to mask your IP by using proxies or a VPN (I strongly recommend paying for a VPN).
The limitation of using a dedicated device is that it is less practical for those who which to have multiple fake profiles on a single device, or who are working on multiple research projects/investigations at the same time as you risk bleeding your profiles by accident and having to burn accounts and maybe your entire OS depending on the mistake you make (been there and done that several times).
2) Using a Virtual Machine
The alternative option, a more budget friendly, is the use of a VM and a popular OSINT VMs that are freely available. A popular and free option for a VM is VirtualBox, which is what I have used for many years. You can combine this with a simple Linux, Apple or Windows operating system, or prebuilt OSINT VMs like Tracelab, Tsuguri, Tails (yes its a container not a VM, but this is a 101 so sue me), Remnux, Kali, etc.
Personally, I am using VMs on a dedicated device to perform my research to completely isolate my personal information from my research, but you can use a VM on a personal device is that is all you have. You also should make sure to isolate your VM (which is limiting the resources your host device provides your VM). I like VMs as I can create a virtual environment for a dedicated persona, or a dedicated topic or research or project. Se below for examples of a VM setup I created.
I have also been able to use VMs to make it look like I live in a different country by spoofing my IP, location, time zone, the language of my OS and browser, so that I can take advantage of recommender algorithms or gather better data from research subjects in the part of the world they are form (this might also require to do your research at hours that match the day and night cycle of the place you are pretending to be, but that is a conversation for another time). While logged into a VM for research I always use a VPN. Not only does it protects me by encrypting browsing data and IP, it is also a useful tool to spoof a location. You can also use a VM to simulate a phone or a table to give you access to iOS or Android applications, which open up new avenues of research and experimentation.
VMs are also disposable, if you open things you should not, click on things you shouldn’t or have an account that gets burned, you can simply delete it and start fresh in a very short period of time. They are forgiving for those who are starting their OPSEC journey, as well as for veterans. VMs have protected me while doing the front facing research I love doing several times over the years.
Change Your Habits
For those of us researching violent extremism and terrorism, we should not be using our personal devices for research, nor should we use our personal emails and phone numbers in creating accounts for social media accounts or communication apps. It is easy to find personal identifiable information, and violent extremists and terrorists are on the lookout to identify and dox researchers and practitioners. It is also easy to make a mistake and expose your personal device to malicious files or links that can put you at risk. Further, the actors we research read our publications to find out who are in their ecosystems, and they are not shy to threaten researchers and their families. As I mentioned in my last piece on OPSEC, it is not only about your security, but that of your family as well, and that is something that we need to constantly keep in mind.