rate my opsec! : OpSec | Torhoo darknet markets
yeah, as the title says: i am asking you to rate my opsec setup.
if you find an issue or flaw, tell me in the comments and provide possible solutions. any responses are welcome :3
computer security: veracrypt full disk encryption, veracrypt encrypted volume, LUKS encrypted volume inside whonix. i also take the battery out of my laptop after every shutdown. and i use non-qubes whonix
phone security: pixel 9 with calyxOS - de-googled android but still usable unlike grapheneOS (might be a better choice though), 1 hour auto reboot timer, never storing sensitive information on phone (heard it is unsafe, plus sometimes LE might compel you into unlocking it)
communication security: PGP encryption with GnuPG (Curve25519, 256-bit key, 2-years expiration timer). All other cases are Telegram - secret chats with short self-destruct timers (mostly ranging from one hour to one day), registered on a burner phone number (purchased with xmr). and yeah, i know, i know, telegram's privacy policy just screams "FEDDED!" - but just for the notice, i live in a country which has not responded to the government requests.. yet..
financial security: mostly cash for large amounts, and online i use XMR (bought with card from a no-KYC exchange, surely is not a problem, since XMR itself is built to be untraceable. but still - i would not fully trust it)
backups: i use an external HDD with a veracrypt volume inside - i mount it both from host and on whonix. then, inside whonix, i mount a LUKS volume with the sensitive files inside. the encryption algorithm for veracrypt is Serpent(AES), PIM value is the default (got kinda lazy, heh. might be a flaw)
passwords: mostly 32 or 64 characters, generated and stored in KeePassXC
and finally, about my threat model.. currently i have no active threats. but the general ones are: doxers, big data, and maybe federal agencies.
that's it i guess.
EDIT: added "passwords" section due to me not including it before and being asked about it in the comments.
thanks for reading and write a response please >.<
What does that mean? You should consider all the illicit things you have done in the past as potential threats; the previous mistakes can very well be your future fall.
Where are you using the illicit phone? If close to your personal devices all your devices might be interlinked. And have you considered positions for using the phone? See this /post/cb37ccc4d9184ebd5396
Everything you read/write on Telegram you should consider volatile and if under surveillance it's safely stored at LE's facilities regardless of any "self-destruct timers".
How do you connect to the Internet? Please read this /post/f12b38fc9337bce6ae34
If you have sensitive data you should consider offline computers, same for backups (you need 3 backups at separate locations).
by "currently i have no active threats" i'm implying i am not being actively searched or under federal scrutiny. but it is best to always prepare, because when i am wanted, it will already be too late.
i mostly use the "illicit phone" on the street or at school without a SIM (i mostly ask my gf or friends for a hotspot), and always have a mullvad vpn connection or tor running through orbot. not to mention, i never keep any sensitive data on my phone except tor browser, telegram, and simplex.
as for backups, currently i have got the hard drive i described in this post and a small flashdrive (also encrypted with veracrypt)