Privacy Ultras Meetup // OPSEC & Privacy Field Notes

OPSEC Rule #1

Do not open random links (especially Tor/onion links) without an isolated/disposable environment (e.g., Whonix VM or similar). Treat collaborative pads as untrusted.

General: Threat Modeling & OPSEC Privacy: Computer & Internet Systems: OS / Firmware / Encryption Software: Browsers / Messaging / Tools Private Services: VPN / Search / Hosting Real World: Money & Payments Logistics: Addresses & Numbers Travel Notes Further Reading Unsorted Links

General

Threat Modeling

Define your adversary, capabilities, constraints, and what “loss” looks like. Then pick controls that match your reality, not someone else’s checklist.

Identify assets (identity, location, devices, money, relationships).
Map exposure points (accounts, metadata, habits, comms paths).
Decide acceptable risk and operational budget.

OPSEC Principles

Reduce correlation. Reduce uniqueness. Reduce persistent identifiers. Avoid routine patterns that allow easy clustering.

Never be so unique that you’re easy to track.
Never answer the phone; only call back (reduce unsolicited exposure).
Assume observation; choose defaults that minimize leakage.

OPSEC “Bible” onion references (as shared)

Treat onion links as untrusted and open only in isolated environments.

opbible7nans45sg33cbyeiwqmlp5fu7lklu6jd6f3mivrjeqadco5yd.onion
jqibjqqagao3peozxfs53tr6aecoyvctumfsc2xqniu4xgcrksal2iqd.onion

Personal Security Checklist (GitHub)

Privacy: Computer & Internet

Phones: Practical Constraints

Modern society increasingly pressures proprietary, identity-linked mobile apps (health, banking, “exclusive discounts”, etc.). Your approach depends on threat model.

Banking app compatibility on custom ROMs: compat report
Consider whether living without a SIM is feasible for your use-case.
For mobile forensics resistance, Pixel + GrapheneOS was discussed as a pragmatic path.

Custom ROMs (Mobile OS)

Notes / Caveats

LineageOS may improve privacy, but security defaults and patch cadence depend on device/port.

Systems: Firmware, OS, Encryption

Firmware

Libreboot

Hardened OS

Torified / Anonymous OS

Avoid proprietary VM tooling where feasible; prefer audited stacks aligned with your threat model.

Disk Encryption

VeraCrypt
LUKS / dm-crypt
macOS FileVault
BitLocker was explicitly listed as “avoid”.

Software

Browsers

Tor Browser
Mullvad Browser
Firefox
uBlock Origin
Privacy Badger
LibreWolf (privacy defaults; patches may lag slightly)

Messaging

E2EE + Anonymous / Network-Anonymity

E2EE + Quasi-Anonymous

E2EE

PrivacyGuides Tools Directory

Private Services

VPNs (as discussed)

Common picks

Mullvad
IVPN (listed as privacy-focused)
WireGuard protocol (recommended as protocol choice)
Nym
Njalla
VPN Gate

The pad included debate and contested claims about some providers. Treat VPN choice as threat-model dependent.

Search Engines

DuckDuckGo Onion Service (get authentic link via DuckDuckGo’s official sources)
Kagi / Orion (mentioned for functionality, not privacy)
SearXNG (self-host)

Anonymous Hosting & Anonymity Networks

Hosting

OnionShare (Tor onion hosting for sites/files)
servers.guru (VPS listing)
kycnot.me
FlokiNET
Njalla

Anonymity Networks

Private Email

Spam tip from the pad: subaddressing (e.g., john+somesubaddress@gmail.com).

Replace Common Trackers

Service	Replace with
Spotify	Jellyfin, Spotube, Navidrome
Google Maps	OSM / osm.org

Real World: Money & Payments

P2P & KYC-Reduction (as listed)

kycnot.me (directory)
Bisq
Haveno
Peach was mentioned as P2P for Bitcoin (verify availability in your region).

Privacy-Focused Assets (as mentioned)

Zcash
Monero

Crypto Swap (as listed)

Logistics: Addresses & Phone Numbers

Ordering & Addresses (as discussed)

International delivery lockers and pickup networks were also mentioned (e.g., InPost / Mondial Relay depending on country).

Phone Numbers & SIM Notes (country-specific)

The pad listed non-KYC SIM availability by country, plus services for eSIM and SMS receiving. Treat this as rapidly changing; verify locally.

Recommended reading from the pad: “Kill the cop in your pocket” at anarsec.guide (see below).

PII Minimization: Basic Notes

Reduce unnecessary personal data in forms and accounts where legally and practically possible.
Be aware of name-recovery risks in payment rails (country-specific and evolving).
Separate identities by context; avoid reusing identifiers across contexts.

Travel Notes (Practical)

Tickets & ID Checks

Buying tickets at cash desks is becoming rarer, but was suggested as a lower-data option.
Some operators require ID checks matching ticket name. Example reference from the pad:
SNCF travel documents policy

Cars & Connectivity

Modern cars collect and transmit data; older vehicles were suggested as simpler from a data-minimization standpoint.
Be mindful of embedded connectivity; understand implications before modifications.

Hotels

Self-check-in models vary by country and provider.
Reference mentioned: Digitalcourage: Lichtbildausweis

Unsorted Links

Directories & References

Onion references (as listed)

Treat as untrusted; open only in isolated environments.

tortaxi2dev6xjwbaydqzla77rrnth7yn2oqzjfmiuwn5h6vsk2a4syd.onion
njallalafimoej5i4eg7vlnqjvmb6zhdh27qxcatdn647jtwwwui3nad.onion
kycnotmezdiftahfmc34pqbpicxlnx3jbf5p7jypge7gdvduu7i6qjqd.onion

Next Modules

Keep structure consistent across subpages (OPSEC, DARKWEB, RECON, etc.).

Threat Modeling Hardened OS Messaging Private Services Further Reading