Introduction to Left-Wing Digital Operations Security

*Last Edited: 8/17/2018*

If you are reading this, you have probably been scolded countless times by a comrade about needing better OPSEC. I have been scolded enough that I realized that there is not an OPSEC guide online that is tailored to left-wing activists. Luckily, I am here to help fill the void. I will periodically add to this article over time.

OPSEC is short for operations security. Operations security (OPSEC) is the process of securing your information from enemy intelligence. For a left-wing activist, this could mean securing the communication channels of your local anti-fascist group so that fascists cannot read them. OPSEC is used to protect sensitive information from those who would use it against you. To have good OPSEC is to deprive the enemy (i.e., Fascists) of valuable intelligence that could allow them to better counter or avoid anti-fascist actions or to hunt down and attack individual leftists when they are most vulnerable. OPSEC is about protecting your identity, your plans, and your communications. This guide will focus on digital OPSEC as most information gathered on leftists is gathered through electronic means.

Within the United States, we are experiencing a serious upswing in left-wing political activity. Many of the newly radicalized within the United States are unaware of the dangers of organizing. The United States does not have the same history of radicalism that other countries have, and as such, it is easy to fall into a state of lax OPSEC discipline. Being an outspoken Communist or Anarchist is not something to take lightly. Not long ago, being a Communist got you arrested, and do not think for a second that the government has changed their position. President Trump, and the Federal government, having previously destroyed Qaddafi’s Green Libya, is now actively trying to invade Socialist nations like Venezuela, Iran, and North Korea. In addition, the far-right has not lessened their desire to ruthlessly exterminate us. The left must learn good OPSEC or the Class Jihad, as a whole, will suffer as a result.

For those who are community organizers or anti-fascists, OPSEC is not merely a tool to prevent prying eyes but is a way to prevent being a victim of targeted political violence. Just as we have people to gather information, the right has their own. We must do everything in our power to frustrate their attempts at gathering information. After all, this is Class Jihad, and do not think for a second that the enemy would hesitate to hurt you or those around you. Perhaps your activist work is not really that militant, and this seems to be taking oneself too seriously, but it is not up to you whether they feel that you are a legitimate target. Our enemy prefers to attack those that are not an immediate threat. Perhaps you will do more militant work in the future, and if that is so, the actions you are taking right now could determine whether or not fascists will have information on you in the future. Things do happen. One person with bad OPSEC weakens everyone’s OPSEC. Personally, you can never have enough OPSEC, and there is no point where you are completely secure. I could use stronger OPSEC in many ways, as we all could.

In addition to protecting one’s personal safety, OPSEC is integral to the successful execution of organizational activities. Intelligence is not only gathered about individuals, but about the size and structure of left-wing parties and planned gatherings. If non-public meetings or gatherings are discovered, fascists may show up unannounced. Like with the Houston Anarchist book fair, fascists may arrive in force to disrupt the event through violence. Because of our success in driving the far-right underground, Fascists have begun to use more clandestine methods of organization, making OPSEC now more crucial than ever.

Fascist organizations have now learned the importance of OPSEC, as our recent success is due very much in part to the previous ease of intelligence gathering. Recently in Knoxville, the fascists used superb counter-intelligence to feed disinformation concerning their time and location of arrival to anti-fascist intelligence, which resulted in a confused black bloc that left before the Trogs (The Traditionalist Worker Party or TWP) underwhelmingly appeared. If the fascists’ OPSEC had been even slightly more lax, their contingent of 12 would have been thoroughly smashed. On the bright side, the Trogs got their van stuck in the entrance of a parking deck in their utter buffoonery.

Acknowledging the importance of operations security, we are left with how good OPSEC is attained. The first step is to develop a threat model. Threat modeling is the process of optimizing OPSEC by identifying vulnerabilities and then defining ways to address them. Threat modeling takes into consideration who is being protected against, and how one’s OPSEC can be improved to counteract that specific threat. To understand how to protect oneself, one must know what it is that is being protected against.

In developing a threat model, there are four questions that need to be asked.

  1. Who am I trying to conceal information from?
  2. What information am I trying to protect?
  3. How would the adversary gain access to this information?
  4. What security measures can be taken to prevent the aforementioned method?

To better illustrate this concept, let us look at a threat model analysis for an active anti-fascist organizer concerned about being doxxed.

  1. Who am I trying to conceal information from?
    1. Local or regional fascists that have the desire to inflict bodily harm.
  2. What information am I trying to protect?
    1. Information regarding personal identity that could reveal where this antifa organizer lives, works, and frequents. This information could be their name, address, employer, and their preferred social venues, and all information that could lead to their discovery.
  3. How would the adversary gain access to this information?
    1. Fascist doxxers could look at this person’s social media, or the social media of their close friends and relatives, the voter registry, IP addresses, and even photographs taken by the individual.
  4. What security measures can be taken to prevent the aforementioned method?
    1. The privacy settings of the leftist’s, and their friends’, social media could be increased, and a conscious effort could be taken to remove, and abstain from writing, posts with any identifying information or that describe features of their town or the nature of their work. In addition, no photos should be posted that were taken by their cellular device, and, perhaps obviously, no photos showing political activities. The issue of an address being listed on a voter registry can only be solved by moving, and the IP address can be masked using methods that will be touched on later.

Throughout this guide, there will be continued references to encryption. Encryption is a core concept of modern OPSEC in electronic communications, and you should have a somewhat decent grasp of it. If you want your data to be secure, you need to encrypt it. Data, like emails or documents, is encrypted to prevent anyone but the intended recipient from knowing its contents. Decryption is a special task that must be completed to return the data to a meaningful state. Without decryption, the data is a meaningless string of random letters and numbers. This is accomplished by making the encryption simple to undo for the intended recipient, who can quickly decrypt and access the information, while being incredibly difficult for anyone else to complete. The whole process of encryption and decryption can be understood as a phone number. To call someone you need their number, and typing in your friend’s number is simple and quickly results in a phone call. However, if you did not know the correct number, it is theoretically possible to just guess it, but that would be practically impossible.

Moving forward, the actual threats and methods of defense can be addressed in greater detail. The following will be organized by the type of information that is trying to be protected, and the threat that is trying to be protected against.

 

Doxxing

 

For many people, the most frightful weapon is doxxing. Doxxing is the process of gathering personal identifying information, and then publicly publishing it on the internet (dropping dox), or giving it to organizations that could use it as they see fit. For example, a person that is doxxed will have their home address, email, phone number, place of employment, and their various online accounts, posted below a picture of their face. You have probably seen someone share one of these documents on Facebook about a fascist or widely despised person of interest.

The reason doxxing is a concern is that people will use this information to harass or harm the person who was doxxed. This could take the form of continual death threats made to their phone, rocks or bullets sent flying through their home or car, attacking the person directly with, or without, the intent to kill, and particularly for those on the right, informing their place of employment so that they lose their jobs. After the 2017 Unite the Right rally in Charlottesville, on August 11th-12th, many fascists that participated in the tiki torch march had their photos taken, and with the tireless work of antifa doxxers, lost their jobs as a result. Doxxing is a useful tool that can easily intimidate, and harm, the opposition. Doxxing is a central facet of the organizing scene in the 21st century, for both the left and the right. The most concerning aspect of doxxing is that you cannot prevent it; without taking extreme measures, you can only minimize the risk of being doxxed. A good doxxer can dig up information on anyone, and up to this point, there is not a millennial that does not have vulnerabilities present on the internet that can be exploited. The idea is to make it as difficult as possible, and hopefully, prevent or discourage less than adequate doxxers from completing the job.

The countermeasure for doxxing is securing identifying information. They can only take what you give to them, and while some anti-dox OPSEC is easy to put into practice, there are many ways that you can give out information without being aware of it.

Social Media

The foremost concern in doxxing mitigation is social media. Through social media, even a low-tier doxxer can gather the necessary information or gather a few tidbits that can allow a better doxxer to find out what they need. Your first concern should be to lock down any social media using the features of the platform. For Facebook, Twitter, or Instagram, this means making your account private. There is no need for anyone with a wifi connection to look through your posts and pictures. On Facebook, you can set it up so that only your name, and your current profile and cover photo, are visible. Ideally, you do not want any identifying information online at all. If you are worried about doxxing, it should go without saying that you should not use your real name. In a specific incident where they were trying to dox me, they relied upon one of my aliases, and were thwarted that way.

Even if something is set to private, doxxers can still get around it to find what they need. This issue also lends itself to more formal sites like LinkedIn. Furthermore, search out and delete any accounts you made back when you were younger on the nostalgic sites that you have long abandoned. This could mean MySpace, DeviantArt, web forums, or even any weird sites that your school or work required you to sign up for. A casual Google search of your name could reveal a lot of vulnerabilities that you do not remember. They will, so you might as well do it too.

After a social media account is stripped down, and any readily available identifying information is purged, there is still the issue of what you post. For the many shitposters among us, text posts can still give clues as to your identity. You do not have to post your town or employer for it to be ascertained. Be careful what you write. Maybe you have mentioned a certain bar or activity that is popular, or exclusive, to where you live. If you talk about how often you eat at Pat’s or how much you love to ski, your location can be narrowed down to be near Philadelphia or near some major skiing region like Colorado. This is something to be cognizant of, and it would not hurt to go back and delete any such posts. The right loves to make sock accounts (fake accounts) to try and get added by leftists to spy on them.

A side note, with specifically Facebook, is the event feature. Many of us remember how western media extolled how protesters used social media to organize during the Arab Spring, in 2011. However, Facebook events, even if they are private, provide a neat list of active activists in an area. The same goes for Facebook groups.

Finally, for social media, there is the issue of photographs. A photo taken on a digital camera or phone contains EXIF data. This data contains information like the GPS coordinates of where the photo was taken and information regarding the make of the camera that took it. If you have uploaded a mobile photo, then you have likely uploaded your GPS coordinates, which many programs can determine. There are also programs that can check and clear the EXIF data for you, and a casual online search will reveal them. Like a file converter or YouTube video ripper, there are ample choices to choose from.
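To make the check-and-clear step concrete, here is an added example (not from the original guide or any particular tool) that walks a JPEG's header segments, reports whether the Exif block carries a GPS directory, and writes a copy with the Exif/XMP, IPTC and comment segments removed. The function names and the sample file are constructed for illustration, and the sample is a header skeleton rather than a viewable photo.

```python
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
APP1, APP13, COM = 0xE1, 0xED, 0xFE   # Exif/XMP, IPTC, free-text comment
GPS_IFD_TAG = 0x8825                  # Exif tag that points at the GPS directory

def segments(jpeg):
    """Yield (marker, start, end) for every header segment before the image data."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing start-of-image marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:             # compressed pixels follow; stop walking
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated or corrupt segment")
        yield marker, pos, end
        pos = end

def exif_tags(jpeg):
    """Return the tag numbers in the first Exif directory (IFD0), or an empty set."""
    for marker, start, end in segments(jpeg):
        body = jpeg[start + 4:end]
        if marker != APP1 or not body.startswith(b"Exif\x00\x00"):
            continue
        tiff = body[6:]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # little- or big-endian
        if order is None or len(tiff) < 8:
            continue
        magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
        if magic != 42 or ifd0 + 2 > len(tiff):
            continue
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        tags = set()
        for i in range(count):        # each directory entry is 12 bytes
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) == 12:
                tags.add(struct.unpack(order + "H", entry[:2])[0])
        return tags
    return set()

def has_gps(jpeg):
    """True when the photo's Exif data points at a GPS directory."""
    return GPS_IFD_TAG in exif_tags(jpeg)

def strip_metadata(jpeg):
    """Copy the file, dropping Exif/XMP, IPTC and comment segments; pixels untouched."""
    out = bytearray(SOI)
    pos = 2
    for marker, start, end in segments(jpeg):
        if marker not in (APP1, APP13, COM):
            out += jpeg[start:end]
        pos = end
    return bytes(out) + jpeg[pos:]    # scan header, image data and end marker

def build_sample_jpeg():
    """Constructed input: JFIF header, Exif with a GPS pointer, a comment, stub scan."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    ifd0 = struct.pack(">H", 2)                                   # two entries
    ifd0 += struct.pack(">HHI4s", 0x010F, 2, 4, b"Cam\x00")       # Make = "Cam"
    ifd0 += struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 38)           # GPS dir at offset 38
    ifd0 += struct.pack(">I", 0)                                  # no further directory
    gps = (struct.pack(">H", 1)
           + struct.pack(">HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")  # GPSLatitudeRef = "N"
           + struct.pack(">I", 0))
    tiff = b"MM" + struct.pack(">HI", 42, 8) + ifd0 + gps
    return (SOI + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(APP1, b"Exif\x00\x00" + tiff) + seg(COM, b"taken at home")
            + b"\xff\xda\x00\x02" + b"\x11\x22\x33" + EOI)

SAMPLE = build_sample_jpeg()

if __name__ == "__main__":
    print("GPS pointer before stripping:", has_gps(SAMPLE))
    print("GPS pointer after stripping: ", has_gps(strip_metadata(SAMPLE)))
```

Run `has_gps` on the stripped copy before posting it, because some apps and converters write the metadata back.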

The other issue with photos, and videos, is their content. Is there a horizon or a night sky visible? Are there any identifiable landmarks as simple as a cluster of trees or a dilapidated building? The alignment of the stars or a plane flying overhead can reveal where it was taken. Doxxers can act like sailors of old and read the stars, or they can review flight schedules to see where flights were at the time it was posted. The color of the soil, or any visible foliage, is also a dead giveaway. You would be surprised by what a large swarm of 4chaners can figure out from a simple photo or video. A famous case happened with Shia LaBeouf, where they continually determined where he would set up his anti-Trump livestream and went and took it down. There is nothing too insignificant for a good team, and, unfortunately, basically any picture is compromised.

It should go without saying that there should not be any photograph of you attending a protest or political action.

One reason that the left needs to tighten their OPSEC is that, even if you use all the previously discussed methods, you can be undone by the poor OPSEC of those around you. If they cannot find any information from your social media accounts, they can find out about you from the accounts of those connected to yours. If a perusal through your friends list finds that many of them live in Kentucky, then it can be assumed that you, too, live in Kentucky. The same goes for relatives. If John Smith lists you as their relative, then it can be inferred that your surname is Smith, and the location of John could be your location too. Other people’s actions affect your safety. If you are tagged in a photograph, and your grandmother mentions your name, then you have just lost your alias. OPSEC needs to be adopted across the board by everyone. Even if your semi-political friends do not fear doxxing, their loose OPSEC could result in your doxxing. We must hold each other responsible for the greater good of the movement.

IP Addresses

In addition to social media, your location can be determined through your IP address. An IP (Internet Protocol) address is the address, represented by a string of numbers, that an Internet Service Provider (ISP) assigns to a connection. An IP address is like a domain name for non-human interfacing. When connecting to this website, for example, it has a domain name (classjihad.com), and an IP address. Both represent the location of one point of a connection. A domain name is like a street address, and an IP address is like the coordinates in longitude and latitude. A street address, like 123 Main Street, is made for human comprehension, while an IP address is designed to be used by computers. An internet connection is like using a route on Google Maps, and at each point, there is an address. When connecting to this website, your computer is searching for the address of the site, and, consequently, the address of the network connecting to it is also known.

The issue that arises is that IP addresses are tied to a geographic location. They are assigned to an ISP which categorizes them by geographic region. It is not assigned to your specific computing device, but more to the location of the internet router that is being used. The same computer connecting to this site could be shown as being in San Francisco today, and New York City tomorrow. The reason why IP addresses are an OPSEC vulnerability becomes clear when you realize that your rough geographic region, like Billings, Montana, can be viewed by anyone who obtains your IP. A simple Google search of an IP address can reveal where it is from. Even further, an even more specific location can be gained from tricking the respective ISP. Catching someone on a bad day, or an ISP with shitty security, can reveal to a doxxer which specific account is tied to an IP address. If the account is revealed, the address of the account holder, where it is being used, is revealed to the doxxer.

Obtaining an IP address is as easy as having someone click a link. If your online friend tells you to check out a video of dancing pigs, and you click it, you have done their work for them. One should pay particularly close attention when visiting right-wing sites. You may want to see what the Fascists are saying on their forum, or official site, but in doing so, you are revealing your location.

There are two main ways to prevent your location from being revealed. The first is the simplest. Use someone else’s internet. Go to a coffee shop, or a McDonald’s, and use their internet. At least, if they obtain your IP, they cannot find their way to your home. There are so many people using free wifi at public locations, that there is no real way to tell who is who.

The second way to prevent your location from being revealed is far more complicated. You can mask your IP address using a Virtual Private Network (VPN) or using The Onion Router (Tor) network. A VPN allows you to use the IP of another network, specifically that of a company, for a fee. When using a VPN, your computer requests that the company’s computer contact the address you wish to see, from their network, and send the results back to your computer. In this way, you are technically not contacting the site in question from your IP, but from the IP, and its different geographic location, of the VPN company. All that sites like classjihad.com will see is that someone connected from Poland, or wherever the company did it from.

Alternatively, you can use Tor, which happens to be free. It is much like the VPN, but instead, it decentralizes, and anonymizes, the connection. While using a VPN, the listed IP is the IP from the company. With Tor, instead of contacting a VPN, your computer encrypts the request, and then sends it onwards to another computer using Tor. This computer, the entry node, decrypts the request just enough to pass it on, and then sends it to a Tor exit node, which is the one that contacts the site desired. The advantage of this process is that the IP listed on the site you contacted is varied, for not only did the request pass through another computer, but there are many exit nodes that are located all over the world. A server that was contacted by a Tor exit node cannot possibly tell from where the original request came. A VPN company can, as its requests came straight from your computer. The main flaw in the Tor network is that if the exit and entry nodes are themselves compromised, your original IP is revealed. The United States government has set up their own Tor nodes and uses them to crack down on activity they deem illegal, like child pornography or drug trafficking. However, this is not an issue if you are only using Tor to contact white supremacist websites, and while there is always a chance your data could go through a government node, the chances are not high. Nodes change frequently, and if you were to use a government node, it would likely not be used long enough to actually identify you. The only exception is if you use both a government entry and exit node, and this government is actively searching for you specifically.

Miscellaneous

Finally, for mitigating the risks of doxxing, there are voter rolls. In some states within the US, the voter registry is not private, and doxxers can obtain the information from the voter rolls. As you give an address, your real name, and your telephone number, when you register to vote, this can be a potential vulnerability. It varies from state to state, so I would recommend Googling the rules regarding how your state handles the privacy of the voter rolls.

If you live in a state where the voter registry is easily accessed, the only real way to prevent being compromised is to either move, and not re-register, or provide information that will not compromise your security. This could be using an online number, instead of your personal cell phone.

 

Communications OPSEC

 

Aside from the safety of the individual, communications OPSEC is the second main concern. Communications (comms) form the lifeblood of any leftist organization. Without proper, safe, and efficient, channels of communication, an organization cannot function. What is organizing but the use of comms? Comms are used to discuss strategy, conduct education, create and execute plans, and relay valuable information regarding new, and ever changing, threats to the anti-capitalist movement. Without reliable comms, an organization will collapse. How are cadre, or fellow workers, going to stay informed on the state of the organization, and give and receive orders or directives? Particularly when participating in an anti-fascist action, the safe and efficient flow of information is necessary if different fire teams, affinity groups, and organizations are to stay informed on the location and activities of Fascists. Communications are important, and I personally believe that comms do not receive the adequate attention they need to function as they should.

For comms, a breach in OPSEC means that the enemy has gained the upper hand, and the safety of those using the compromised comms is put at risk. Comms cannot afford to be breached. Think about all the varied topics and information discussed with your fellow organizers and activists. It would include real names, addresses of homes, times and locations of meetings, and the details of upcoming planned actions. If Fascists gained access to sensitive communications, there is the strategic threat that goes along with knowing what your adversary knows, thinks, and is not aware of.

The most important thing to remember about comms OPSEC is that the more data moves from one location to another, and the more it interacts with the internet, the more vulnerable it is.

For comms OPSEC, there is also threat modeling involved. As before, there are four questions that need to be asked.

  1. Who would want to intercept communications?
  2. What information would be found strategically valuable to the adversary?
  3. Where in the lines of communication could information be intercepted?
  4. What can be done to secure vulnerable links in the lines of communications?

For the purposes of this guide, the lines of communication (LOC) refer to the entire path that information travels, and every way that information can be communicated. An example of a LOC would be an online group chat used for organizing purposes like Signal or Facebook Messenger (which you should abstain from using entirely). The LOC would include the phone, the location of the phone, those around when the phone is being used, the wifi or mobile data connection, the messaging app itself, and the people included in the chat. The LOC contain every possible variable that is involved in the communication process. This also includes methods of communication like documents, which also communicate and store information for the use of an organization.

For an example of a comms OPSEC threat model, we will use a prominent black-bloc member who is organizing a group to flank a Fascist contingent at an anti-fascist action.

  1. Who would want to intercept communications?
    1. Fascist organizations that will be present at the rally, and who are planning to directly fight anti-fascists
  2. What information would be found strategically valuable to the adversary?
    1. The knowledge of the planned flanking maneuver, when and where it will take place, how many will be involved, and where the assembly and fallback points are.
  3. Where in the lines of communication could information be intercepted?
    1. Overhearing someone talk about it at a bar, an undercover informant, compromising physical communication devices, and middle-manning unencrypted comms.
  4. What can be done to secure vulnerable links in the lines of communications?
    1. Restricting information to only those who require it, and instituting stricter vetting procedures, particularly when dealing with sensitive operations. Protecting against malware attacks, and either securing wifi networks, or avoiding them entirely.

The section regarding comms OPSEC will be broken down to discuss the messaging LOC, securing devices and documents, and then a section on infiltrators. Infiltrators are one of the greatest threats to OPSEC and cannot be overlooked.

Messaging

The most basic form of communications is messaging. Messaging includes all forms of electronic communication that involves conversations between live actors. This includes online messaging apps, SMS (texting), phone calls, and email. Messaging is something we all do every day. It is a commonplace activity, and it is easy to treat it without the reverence it deserves, even within the organizing sphere. Unless you are a person who is particularly worried about the government overhearing your calls, many of us do not exhibit the necessary discipline and forethought that comms OPSEC requires.

The messaging LOC is complex and involves a lot of moving parts. Nowhere else within the comms of an organization can so much go wrong at so many different points. Messaging involves a lot of data that moves from one phone to another, each time passing through a different internet network. At each point the data is at risk of being intercepted. OPSEC for the messaging LOC involves looking at every part of the online messaging process: starting with the phone and your surroundings, then moving on to securing network connections, and then to the end location of the information being sent. The most important thing to remember is that you can never be too careful, and that the methods of casual messaging are not the best methods for communicating about left-wing activities. This means no ordinary texting and voice calls will do.

Starting at the very beginning, when engaged in sensitive communications, be cognizant of your surroundings. Where are you and who is around you? Are you sitting at a bar, with two fellows sitting close to you on both sides? At that point, it would not be the best time to discuss important topics. Unless you have a specific tool on your phone to prevent people from looking over, and reading your phone, then your comms are being put at risk. Get up and walk away. There is no telling who they are, and what they will do after reading sensitive information. Cops and Fascists go out for a drink at the bar too. The same goes for voice calls. Minimize people overhearing your conversations.

This first principle also applies to meetings. Do them in private and remove any device from the area that could visually, or audibly, record the meeting. Turn off, and stow away, all phones and computers in a different room. This also goes for Amazon Echo, Google Home, and any similar device. Even further, unplug your wifi router to prevent unwanted people from using the wifi to access any device in the meeting space. If you are super concerned about being surveilled, place a vibrating object, like a dildo, on all the windows to prevent any groups from using devices that record conversations by measuring the vibrations on windows.

One should also practice good internet safety to prevent any malware being placed onto your devices that could compromise your security. Do not torrent from sites you have never heard of before, be cautious on streaming sites, and always keep your devices up to date. I know updates are annoying, and they always come at the worst time, but they need to be installed. Vulnerabilities are constantly being discovered, and those who wish to gain access to sensitive information are aware of this.

Avoid using social media for communications like the plague. There is absolutely no excuse for using Facebook Messenger, or using a Facebook group, to conduct business. Sites like Facebook are incredibly insecure. Facebook is so heavily monitored that writing something on that platform is essentially giving a written note to the government and any Fascist that can post low-tier Stalin memes. For example, Facebook has a key-logger so that everything you type, even if you backspace and delete it, is captured and stored on their servers. If you are typing a message but feel it might not be the safest thing to say, and backspace it all away, it is already sent away to the company notorious for selling away, abusing, and collaborating against, privacy. People get visits by law enforcement for things they post on Facebook, even in private. Facebook Messenger does have a “hidden conversations” feature that is encrypted, but I would not trust it. Even if a Facebook message is encrypted, the recipient is still on their site. There are better alternatives. One of these better alternatives is Signal.

Signal is an instant messaging and webphone app for mobile phones that uses end-to-end encryption (E2EE). E2EE means that only the communicating users can read the message. E2EE is useful because if the conversations are intercepted, the interceptor will be unable to decipher them. While this would not stop a serious government intrusion, it provides extra barriers against them, as not even Signal knows the contents of the conversations. Any government request for the details of a conversation would produce a list of random characters. As a testament to the quality of Signal for comms OPSEC, Edward Snowden leaked NSA (National Security Agency) documents stating that Off-the-Record Messaging (OTR), now called the Signal Protocol, constituted a serious challenge to their surveillance operations.

E2EE also defends well against a middle-man attack. A middle-man attack is when communications are secretly intercepted, and the information can be altered and read. These attacks could happen easily if an adversary had a wifi pineapple. A pineapple is a router that masquerades as another wifi network. All wifi enabled devices continually announce what wifi networks they have ever connected to. A pineapple then assumes the identity of one of these networks. Even if you do not mistakenly connect to it, assuming it to be the same router you have always used, your phone could automatically connect as it cannot distinguish between them.

What this means for comms OPSEC is that, if you were using FB Messenger, a Fascist could use a wifi pineapple to intercept the messages, which travel via the internet. As Signal, also relying upon the internet, has E2EE, the hacker could not read the messages. In addition to seeing what information is being sent over the network, gaining control over someone’s access to the internet allows you to direct their connection away from a real site and towards a fake one. You could sign into your bank account, on a replica of your banking website, and then be sent to the correct window on the real site. For all intents and purposes, you have just accessed your bank account, but you have given your login information away in the process.

While pineapples are an ideal tool to conduct a middle-man attack, they are still only routers. Anyone who controls a router can do the same thing. Do not assume that just because you are connecting to a public wifi network that you are not vulnerable to an attack.

Beyond instant messaging and calling, there is email. Email still has its uses, one of which will be discussed in the next section. While Gmail is very convenient, Google should also be avoided if you can. While Google is not as bad as Facebook, which is not very hard to do admittedly, it is still insecure. Like FB, anything typed into Google, and Google products, like Chrome, is recorded and sent to their servers. One good thing is that if you delete your history using a Google product, they will delete it off their servers as well. I would recommend doing this. If you are planning on using email, I would recommend ProtonMail. ProtonMail is an encrypted email service based out of Switzerland. For most services that you use, you can find an encrypted equivalent.

Devices and Documents

Onto securing devices and documents, which, for more formal and structured organizations, is critically important. If your organization keeps reports, or any sensitive information in a digital document, there are steps to ensure that it is secure from the point of its creation to its eventual retirement in the organizational archives. Documents are useful as they provide a wealth of information that can be readily accessed by anyone who needs them. Documents, however, are a double-edged sword. There are ways to ensure they are more secure than any other form of information, but there is also a greater risk associated with having documented evidence of political activities or group member composition.

I have found documents to be an asset in organizing, as having records that go back years allows the experience to be drawn upon. Keeping notes of meetings ensures responsibilities are not forgotten, as a written record provides a tangible reminder of who was responsible for each task. Having written bylaws protects an organization from straying away from its core organizational structure. No one can capitalize on a group member’s ignorance of protocol, if the protocol can be looked at freely.

When it comes to the document LOC, there are three main aspects to keep in mind. These are the creation of documents, the access of documents, and the document storage devices. Like messaging, documents must be protected from all angles.

When creating documents, the first priority is the platform used in their creation. While it may seem that half of the guide’s suggestions for comms OPSEC involve the use of a different program, when so much of the digital sphere is dominated by tech giants and a police state, switching to a more secure platform is half of the battle. For document creation, the key is working offline. It may seem convenient to use Google Docs to create a document, and then quickly share it, but the problems of using an easily intercepted program that assists in massive state surveillance outweigh such considerations every time. Ideally, for the document to be fully protected, there needs to be as little risk of intrusion and interception as possible. The most secure way is to create the document locally offline.

Taking this principle to its extreme, a document can be created and stored on an air-gapped computer. An air-gapped computer is a computer that is completely incapable of connecting to the internet or receiving any signal. What this means is that the information stored upon the air-gapped computer is completely secured against any outside surveillance, so long as no one has physical access to the device. There is no way to middle-man the data as it never travels, and no adversary can gain remote access to your computer through your internet connection. An air-gapped computer is immune to this and is effectively hack proof. The only weakness to this method is an evil maid attack. An evil maid attack is when someone gains physical access to your computer and, for our example, plants a device within it. This device could send signals that allow the computer to be accessed remotely.

Air gapping a computer is considered an extreme measure by many, but the computer would still be able to do anything that an offline computer could do. If the goal is securing documents, then air gapping is the logical method. Air gapping is a fairly easy process that requires little technical knowledge and few tools. The goal is to remove the network card. On many laptops the network card is easily accessed beneath a panel on the bottom. Simply unscrew some panels, and when you find the network card, pull, or cut, it out. On a desktop, it is a little more complicated as you must disassemble the tower, but if you are being careful to not damage any components, it should be an easy process. If your computer has Bluetooth capabilities, you should remove that card as well. If you are curious, you can search online to find out how to find the network card on your specific computer model.

If air gapping a computer is not a viable option, you can use ProtonMail as encrypted storage. You can use a ProtonMail address to send an email attachment back to yourself. In this way, it is stored on an encrypted server. It may not be ideal, but it can work in a pinch.

Taking document OPSEC a step further, you can manually encrypt files. A good method to use is PGP (Pretty Good Privacy) encryption. PGP operates by creating two keys for the newly encrypted document in question. Much like a lock and key, there is a public key and a private key. The public key is self-evident and is the “lock” added to the file. To access the file, the lock needs to be decrypted using the “key”, the private key. The public key can only be decrypted using the private key. So long as you can protect your private key, documents will be secured against an evil maid attack as well. Even if the computer was physically compromised, the encryption would provide another layer of defense. The private key can be shared with those who need to access the document. If you desire to change the keys, you can always re-encrypt the document with a new public and private key. The program you use for PGP is GPG (GNU Privacy Guard).
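The lock-and-key flow above, as an added example (not part of the original guide) using the real `gpg` command line in two scratch keyrings. The identity, passphrase, file names and the `g` and `pgp_demo` helpers are constructed for the demonstration; it assumes GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example. Identity, passphrase and file contents are constructed.
DEMO_UID='archive-demo@example.invalid'
DEMO_PASS='constructed demo passphrase'   # protects the private key at rest

# Run gpg against one specific keyring directory, with no interactive prompts.
g() { home=$1; shift; gpg --homedir "$home" --batch --quiet --pinentry-mode loopback "$@"; }

pgp_demo() {
  work=$(mktemp -d) || return 1
  owner="$work/owner"; member="$work/member"   # two separate keyrings
  mkdir -m 700 "$owner" "$member"

  # 1. The owner creates the key pair; the private half stays in $owner.
  g "$owner" --passphrase "$DEMO_PASS" \
    --quick-generate-key "$DEMO_UID" default default never

  # 2. Only the public key is exported and given to another member.
  g "$owner" --armor --export "$DEMO_UID" > "$work/pub.asc"
  g "$member" --import "$work/pub.asc"

  # 3. The member encrypts a file to that public key (the "lock").
  #    --trust-model always is a demo shortcut; in practice compare the
  #    key fingerprint with the owner over a separate channel first.
  printf 'meeting notes (constructed)\n' > "$work/notes.txt"
  g "$member" --trust-model always --recipient "$DEMO_UID" \
    --output "$work/notes.txt.gpg" --encrypt "$work/notes.txt"

  # 4. Holding only the public key, the member cannot decrypt ...
  if g "$member" --decrypt "$work/notes.txt.gpg" >/dev/null 2>&1
  then member_reads=yes; else member_reads=no; fi

  # 5. ... while the owner's private key plus its passphrase can.
  recovered=$(g "$owner" --passphrase "$DEMO_PASS" --decrypt "$work/notes.txt.gpg")

  # Stop the per-keyring agents, then remove the scratch directory.
  gpgconf --homedir "$owner" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$member" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "$member_reads|$recovered"
}
# Usage: pgp_demo
```

Calling `pgp_demo` prints whether the public-key-only keyring could read the file, followed by the text recovered with the private key.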

The creation of documents presents a unique challenge when paired with the need to have a collective effort in their creation. This is an issue I have come across countless times while organizing. There are plenty of times when there was a collaborative project that required the input of several members at once. Examples would be bylaws or committee propositions. For collective editing, abstain from Google Docs, and instead use Pirate Pad. Pirate Pad is similar in functionality to the collective editing available in Google Docs, but this program is, not surprisingly, encrypted and erases after 30 days.

The final step to device security involves creating a tough password, and this also applies to any online account. We have all heard a million times before about the need to create a strong password. The best way to create a strong password is to create a password using a diceware list. Essentially, there is a long list of words, each corresponding to a series of five numbers. You roll five six-sided dice and use the results to pick a word. You will repeat this process until you have at least six words. Naturally, the more words you have, the more secure your password is. It is a common misconception that a random string of characters is the most secure; a computer can use brute processing power to figure it out. A phrase containing a selection of random words is much harder to crack. You can find a good diceware list, and instructions, on the Electronic Frontier Foundation website (https://www.eff.org/dice).
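The diceware procedure above, as an added example (not part of the original guide) with the dice simulated from the kernel's random source. It assumes a word list with one five-digit key, a tab, and a word per line, which is the layout of the EFF list; all function names are constructed for the example, and `constructed_list` writes a placeholder list so the script runs offline.

```shell
#!/bin/sh
# Added example: diceware with dice simulated from /dev/urandom.

# roll_die: one fair six-sided roll. Bytes 252-255 are thrown away so the
# remaining 252 values split evenly over six faces (no modulo bias).
roll_die() {
  while :; do
    b=$(od -An -N1 -tu1 /dev/urandom | tr -d ' \n')
    if [ "$b" -lt 252 ]; then echo $(( b % 6 + 1 )); return 0; fi
  done
}

# roll_key: five rolls joined into a lookup key such as 41526.
roll_key() {
  key=''
  for r in 1 2 3 4 5; do key="$key$(roll_die)"; done
  echo "$key"
}

# lookup_word LIST KEY: print the word for KEY; fail if the key is absent.
lookup_word() {
  awk -F '\t' -v k="$2" '$1 == k { print $2; hit = 1; exit }
                         END { exit !hit }' "$1"
}

# passphrase LIST [WORDS]: WORDS defaults to six, the minimum in the text.
passphrase() {
  list=$1; count=${2:-6}; out=''; i=0
  [ "$count" -ge 6 ] || { echo 'use at least six words' >&2; return 1; }
  while [ "$i" -lt "$count" ]; do
    w=$(lookup_word "$list" "$(roll_key)") || return 1
    out="${out:+$out }$w"; i=$((i + 1))
  done
  echo "$out"
}

# entropy_bits WORDS: each word is one of 6^5 = 7776 equally likely picks.
entropy_bits() { awk -v n="$1" 'BEGIN { printf "%.1f\n", n * log(7776) / log(2) }'; }

# constructed_list FILE: placeholder words in the same layout, for offline runs.
constructed_list() {
  awk 'BEGIN { for (a = 1; a <= 6; a++) for (b = 1; b <= 6; b++)
               for (c = 1; c <= 6; c++) for (d = 1; d <= 6; d++)
               for (e = 1; e <= 6; e++)
                 printf "%d%d%d%d%d\tword%d%d%d%d%d\n", a,b,c,d,e, a,b,c,d,e }' > "$1"
}
```

With a real list saved locally, `passphrase path/to/list 7` draws seven words, and `entropy_bits 7` reports the strength of that choice in bits.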

Infiltration

The final section in this guide concerns infiltration of leftist spaces by the adversary. I understand why people feel the need to provide a space that is as open and inclusive as possible. Left unity is making some progress in the American leftist scene. However, left unity does not mean just letting anyone into anti-capitalist and anti-racist spaces. Infiltration is not as unlikely as some would think. I have heard about several cases in the past few months. It is a real threat, and it must be dealt with as such. An infiltrator puts everyone at serious risk, and stunts the whole organization, and the Class Jihad, as they reveal personal identities, sensitive plans, and occasionally work to spread disunity, distrust, and drama among leaders in the community. The best defense against infiltration is through strict vetting and being aware of sketchy behavior that could indicate a person is not what they claim to be.

Vetting is the first line of defense that organizations and affinity groups have against infiltrators. Vetting is the process of interviewing and researching a potential new member. Vetting is essential, and it should not be taken lightly if an organization wants to be secure. Under no circumstances should someone be let into private spaces and given access to comms if they have not been thoroughly vetted. I have known this to happen, and one of these unvetted “comrades” was asking around to try and find out my personal information. This is just one anecdotal example of why vetting should never be skipped. Who knows what their real motives were? As the old saying goes, “They might not be a cop, but they might as well be.”

A vetting process can vary greatly from group to group. Different groups have different needs and have a different character. Each group is looking for certain qualities, and what might be disqualifying for one, could be encouraged in another. For example, someone with a serious passion for passing gun control legislation would be out of place in the John Brown Gun Club but would likely be readily accepted into the DSA. A different praxis requires different needs. This is a reason why you should not accept another group’s vetting process, without doing your own.

Regardless of group praxis, there are some good best practices that could benefit any vetting process. Have several meetings before introducing them to the group. Make sure to ask enough questions that you can create a rough ideological and psychological profile. Find out their life story and do some research to see if they are really from the Bay Area and be cautious of people who have no identifiable presence. It may be funny to say that in an OPSEC guide, but more-or-less everyone has something that can validate who they are.

You would be surprised at what can be revealed with just a little research. For example, would you want a sex offender in your organization? A person with a history of child abuse can be easily blackmailed and become a mole. You cannot hide everything about yourself.

Looking at their behavior, do they refuse to engage in organizational activities? Best case scenario, they are an undisciplined organizer. Worst case scenario, they are simply in the organization to get information from the communication channels.

At the end of the day, the only way to be completely safe from infiltrators is to have a closed group of one. There is a healthy degree of paranoia, but any successful leftist organization will have infiltrators. It goes along with the territory: as an organization grows, and becomes a serious political player, adversarial groups will try harder and harder to gain access. The goal is to try and mitigate as much damage as possible. Consider adopting pseudonyms or restricting access to certain information to only the most vetted and trusted individuals. There is no reason to give out everything to everyone. People should only have the information they need to do their duties.

 

At this point, the guide is concluded. Hopefully, such a long document left you with something, or reinforced previous best practices. If at any point, new developments arise that negate anything said in this guide, I will go back and edit it accordingly. If you feel like any information in this guide is incorrect, do not hesitate to contact me at classjihad@protonmail.com. At the end of the day, this article is meant to be an asset to the leftist community. In addition, if you feel like there is something that should be included, do not hesitate to reach out either.

Last Edited: 8/17/2018

 
