Receiving a noteworthy tip is an achievement in itself, but it's almost never the end of the story. Where does your Signal application live? How can you safely share and store leaked documents? Oh, and what if they are -- gasp --malware? This is where the concept of OPSEC (Operational Security) comes into play.
However, discussing OPSEC practices can sometimes feel too detached from the reality of a working journalist. In this session, we will strive to make things more grounded. We'll conduct a live simulation of a leak throughout its lifecycle. We'll discuss OPSEC in practice and demonstrate how to use:- a hardened phone and PC OS (GrapheneOS / QubesOS), and- some lesser-known security and privacy tools (e.g., Dangerzone, Orbot, BlinkComparison) Finally, we'll go beyond mere tool usage and share tips and lessons learned from past OPSEC failures and wins.
This is an intermediate session on the subject of security hygiene. We don't assume any background in engineering or security, and it should be approachable to anyone familiar with some basic concepts (encryption, anonymity, threat modeling) and tools (Signal, Tor), which we will use as the foundation for the rest of the demonstration.
