
dude, opsec is really really hard, the slightest mistake and it's over.



It's only that hard if the person in question is dumb enough to be using a pseudonym instead of opting for anonymity, since having a name opens up your attack surface and chance to fail. Hosting a site or some kind of infrastructure that you have to actively interface with also counts towards this.


opsec is really really really hard. because you don't get used to it as time goes by, you get tired of it. you will discover that sooner or later


The point of my comment was that, if [actor] is not using any pseudonym but is instead nameless, then there is almost no active way to pursue that actor, aside from its adversary running malware on every machine in the world and scanning the disk/memory for relevant data- and even then, the machine can be encrypted/wiped and airgapped. An action can be taken and then once completed, as long as it was properly anonymized on a technical level (easier) and social level (harder) against a given adversary, there is no more heat.

The actor never needs to interface with anything related to their activity ever again in any way, and can only screw themselves if they deliberately tell people what they did. And even if a nameless actor does 1000 things and gets caught for only 1, because they had no name/common set of characteristics, those 1000 things cannot be tied together. They're just caught for the one thing.

So opsec is hard... if you have a big huge ego or want to maintain some kind of central infrastructure.


Anonymity is more than just using a pseudonym.


No, you don't seem to understand. I am saying that using a pseudonym is NOT helpful to anonymity. It only hurts your anonymity to use any common set of characteristics, like a name, timezone, linguistic quirks, etc. I am saying that even using a name like we do here on HN is bad for someone who is trying to be anonymous, because it ties multiple actions together under a particular identity, and could easily expose more attack surface than necessary, allowing adversaries to target you.

Anyway, yes, I know there is more to it- considering who your adversary is, the limitations of your tools, and what configurations of tools are required to raise the cost of retroactive deanonymization above the capacity of your adversary. Every adversary that exists can be outwitted with some effort, if we're talking in terms of the internet and not physical security. Then there's the can of worms that is security. . .



