nicecrew-opsec-guide/safety.html

233 lines
30 KiB
HTML

<link rel="icon" type="image/x-icon" href="../../favicon.png">
<img src="/instance/media/ncd_banner_new_v2-3_small.png" style="display: block; width: 100%; height: auto;" alt="NiceCrew Banner">
<style type="text/css">
body {
display: block;
}
a, a:hover {
color: orange;
}
.section {
display: block;
}
p, li {
margin-left: 0.75rem;
margin-right: 0.75rem;
}
.title {
text-align: center;
text-decoration: underline;
font-weight: bold;
margin: 2rem 0 2rem 0;
}
.section-title {
text-align: center;
text-decoration: underline;
font-weight: bold;
margin: 1.25rem 0.75rem 1.25rem 0.75rem;
}
.changelog, .changelog-title {
opacity: 0.4;
}
.changelog-section ol {
height: 300px;
overflow: scroll;
}
.disclaimer {
opacity: 0.6;
font-style: italic;
}
</style>
<div>
<h1 class="title">The Layman's Guide to OPSEC</h1>
</div>
<div class="introduction section">
<h2 class="section-title">Introduction</h2>
<p>
So, you want to learn about OPSEC. The first thing you have to learn is what OPSEC <i>means</i>. In literal terms, OPSEC is <a href="https://en.wikipedia.org/wiki/Operations_security" rel="noopener noreferrer" target="_blank">a process or standard</a> in which a group, individual, entity, enterprise, et cetera follows in order to maintain security within their operations - short for <strong>OP</strong>erational <strong>SEC</strong>urity. Hence the <i>portmanteau</i> - OPSEC. If you've stumbled across this page, chances are you're an individual who enjoys typing the spicy things in to the word box on the internet, you don't like pedophiles or can't stop noticing certain coincidences. OPSEC is talked about frequently in dissident circles, but truthfully, its implementation is everywhere. Banks, schools, social services, emergency services, government, military, non-profit organizations and more <i>all</i> apply OPSEC.
</p>
<p>
While most of us who have been on the internet for awhile grasp the importance and application of operational security, you may not. This isn't meant to be condescending or demeaning, but not everyone understands every risk of being on the internet in [current year]. For many people, this guide will be telling you things you already know. It's by no means a comprehensive guide, meant to cover every facet of every avenue or risk, but it should be enough to get you on the right track. The sooner you apply the principles set here, the better. This page will be updated with new guidelines as time goes on, and as my own knowledge increases. Take everything you learn and read here with a grain of salt as OPSEC is a fluid concept. What may work today may not work tomorrow, but the fundamentals always apply.
</p>
<p class="disclaimer">
** All information in this article is based solely on my opinion and experience and should be treated as such. Find what works best for you. I'm just some moron on the internet. **
</p>
</div>
<div class="tldr section">
<h2 class="section-title">TL;DR</h2>
<ol>
<li>OPSEC is a portmanteau for Operational Security.</li>
<li>Always use a VPN.</li>
<li>Understand the risks of being online in [current year].</li>
<li>The public doesn't need to know everything about you.</li>
<li>Use a password manager and generate random passwords for each account.</li>
<li>Never use your real name as your username, display name or in your email.</li>
<li>Your data is never 100% safe, no matter what.</li>
<li>Disasters and data breaches are a matter of <strong>WHEN</strong>, not <strong>IF</strong>.</li>
<li><strong>YOUR DATA IS NEVER 100% SAFE, PERIOD.</strong></li>
<li>Use application based multi-factor authentication wherever possible.</li>
<li>Always use encrypted communications.</li>
<li>Don't overestimate the anonymity of cryptocurrency.</li>
<li>Be aware of what EXIF data is in the media you upload.</li>
<li>The government has infinite resources and will "get" you if they want to.</li>
<li>Have a plan.</li>
</ol>
</div>
<div class="presence section">
<h2 class="section-title">Presence</h2>
<p>
The fact that you're here reading this means a lot of things - some of which we will get in to further down in this guide. You probably got here from a link that someone shared with you on Gab, NCD or the greater fediverse. This means you have an account on one, two, or more of these platforms. One of the best OPSEC methodologies is <i>limiting your presence.</i> In short, if you aren't online, you're at far less risk. But, that's not quite as fun, is it?
</p>
<p>
You may not think much about it, but your account display name and handle gives any potential enemy a few clues as to how to track your activities. There's not much to say about this other than if you use the same account name/handle/display name across multiple platforms, all of those activities can be linked together to build a profile on you. There are OSINT (Open Source Intelligence) tools that can be used to discover if you have an account on a variety of platforms. For example, if you maintain an account on Gab under the handle <strong>@billybob1776</strong> and you create an account with the same handle on a fediverse instance, obviously those two accounts can be reasonably assumed to be managed by the same user. If <strong>@billybob1776</strong> says some spicy things on Gab and people find out that Billy has an Instagram account, well then Billy now has a big problem. The takeaway from this is: if you're going to create accounts on multiple services, use different handles and display names. Your normie accounts, if you have them, should be separated completely in both name and application. If you want to enjoy free speech on the internet, while we still have it (to some extent), you must segregate those two personas completely.
</p>
</div>
<div class="zero-trust-risk section" id="zero-trust-risk">
<h2 class="section-title">Zero Trust and Risk Assessment</h2>
<p>
One of the most important concepts in data security is <i><a href="https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/" rel="noopener noreferrer" target="_blank">zero trust</a>. </i>While <i>zero trust</i> in the information technology field means something more technical, the same concepts can be applied to your OPSEC protocols. In short, the less information you give out to people, the safer you are. The public does not need to know where you shop, what you do for a living, how many siblings you have, how many children you have, what their names are, how old they are, how old you are, what you look like, how many tattoos you have, where you have them, what color your hair is or anything of the sort. Each bit of identifying information you give out helps build an idea of who you are. While this concept goes against my personal goals of building a cohesive, self reliant, cancel-proof community, it's important to highlight the fact that there are bad actors that seek to destroy you. We aren't quite at the point where we can be so lackadaisical with the information we give out. The less information you give people, the better. This isn't to say that you shouldn't make friends. I have many friends I've met online who I'm very close with, but it takes time to build that sort of relationship. There is risk in everything you do - you just have to decide if the risk is worth it. Even I question what the hell I'm doing sometimes, but seeing people happy makes it worth it. Plus, I really fucking hate communists.
<p>
¯\_(ツ)_/¯
</p>
</p>
<p>
Ultimately, being online in any form, even as a normie, carries an inherent risk. There is no way to guarantee 100% that all your data will always be safe. That is the nature of the internet and online services. Always assume that whatever you put on the internet will be there forever, regardless of whether or not you delete it.
</p>
</div>
<div class="account-security section">
<h2 class="section-title">Account Security</h2>
<p>
Let me be frank with you: at some point, one or more of the services I provide will be breached by someone who has never seen a vagina up close in their life. Whether that happens in a day, week, month, year, decade, century or millenium, it <i>will</i> happen. The reason I say this is because no matter what, data breaches are a matter of <i>when</i>, not <i>if.</i> Dissident circles are a prime target, not only for federal agencies, but for the NGOs they employ such as ANTIFA and BLM. Even if this community isn't a target by those groups, there are bad actors who would seek to exploit a <a href="https://www.techtarget.com/searchsecurity/definition/zero-day-vulnerability" rel="noopener noreferrer" target="_blank">zero day vulnerability</a>, or any other vulnerability, for their own nefarious purposes.
</p>
<p>
Vulnerabilities can vary greatly in both scope and vector. For example, the most recent vulnerability in fediverse software allowed a bad actor to steal user emails and direct messages, some of which contained sensitive information. However, vulnerabilities are not relegated only to fringe microblogging sites. For example, Experian, a multinational data analytics and consumer credit reporting agency <a href="https://krebsonsecurity.com/2023/01/experian-glitch-exposing-credit-files-lasted-47-days/" rel="noopener noreferrer" target="_blank">suffered data breaches</a> in 2015, 2020 and 2021. Facebook suffered a <a href="https://www.fdazar.com/practice-areas/class-action/facebook-data-breach/" rel="noopener noreferrer" target="_blank">massive data breach</a> in 2018 in which bad actors utilized a similar attack vector to the recent fediverse security breach to gain access to people's accounts. The point of this section is to help you understand that no matter how much money a company throws at a security team, there will <i>always</i> be risk of a data breach. The question you must answer is <i>what data</i> you'd be comfortable with a bad actor having.
</p>
<p>
There is no reason for you to ever use your <strong>firstnamelastname(at)domain.tld</strong> email account for any service, especially in dissident friendly or free speech environments. Always use a burner email to sign up for any service that you would not want traced back to you in the event of a data breach. If you've signed up for a service that you'd like to, or have to receive constant correspondence from (whether it's password reset, newsletter, account activation, et cetera), you can use a free encrypted email provider such as <a href="https://protonmail.com" rel="noopener noreferrer" target="_blank">Protonmail</a>.
</p>
<p>
<a href="https://proton.me/blog/what-is-two-factor-authentication-2fa" target="_blank" rel="noopener noreferrer">Two factor authentication</a>, also known as multi-factor authentication (2FA/MFA for short) is a <i>must use</i> service that many modern service providers offer to help limit the ability of a bad actor to breach your account. In short, 2FA requires an end user to not only input their username and password as normal, but to also include a pseudo-randomly generated code. You've probably seen this if your bank has 2FA enabled when the website doesn't recognize where you're logging in from or if you're using a different computer or browser. 2FA codes for most services are sent to your phone via SMS. However, if you're able to use a 2FA application such as <a href="https://authy.com/" rel="noopener noreferrer" target="_blank">Authy</a>, I'd strongly recommend that over SMS. Authy allows you to sync your 2FA codes across multiple devices and is simple to use. This way, if someone knows or is able to brute force your password, they won't be able to access your account unless they also have access to your 2FA code. It's an extra step to take, but the risk mitigation is absolutely worth it.
</p>
<p>
<a href="https://www.security.org/how-secure-is-my-password/" rel="noopener noreferrer" target="_blank">Password security</a> is an often overlooked concept simply because people believe that every website they log in to, sign up for or use is inherently secure. A service may tout how they use "military grade encryption" to make sure your data is safe. Sure, SSL is pretty cool and encrypts your data in transit, but if someone circumvents security restrictions imposed by a server and gains access to a database where passwords are stored, unhashed and unsalted, well then it doesn't matter how much your data is encrypted in transit. We've seen numerous data breaches over the last several years where bad actors were able to utilize a vulnerability in a service's security in order to gain access to people's accounts, <a href="https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=7c150c8c180f" rel="noopener noreferrer" target="_blank"> dump the passwords to a repository on the "dark web"</a> or sell the data at a high price to other criminals. You can use a free service such as <a href="https://haveibeenpwned.com/" rel="noopener noreferrer" target="_blank">HaveIBeenPwned</a> to discover whether or not a password or email that you have previously used has ended up in one of these breaches.
</p>
<p>
Pro-tip: if you use the same password between your dissident accounts and your normie accounts, you can cross reference the password between those two accounts easily. Suddenly, <strong>hitlerwasright1488(at)domain.tld</strong> could easily be linked to <strong>FirstnameLastname(at)domain.tld</strong>. It's pretty easy to see the problem here. Using a password manager such as <a href="https://1password.com/" rel="noopener noreferrer" target="_blank">1Password</a>, <a href="https://bitwarden.com/" rel="noopener noreferrer" target="_blank">Bitwarden</a>, <a href="https://keepass.info/index.html" rel="noopener noreferrer" target="_blank">KeePass</a> or others is a <strong>must</strong> for security. Choose the password manager that's right for your use case - except for <a href="https://lastpass.com" rel="noopener noreferrer" target="_blank">LastPass</a> who suffered a <a href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/" rel="noopener noreferrer" target="_blank">data breach</a> in August of 2022. Password managers can automatically create and save very complex, random passwords that are near impossible to <a href="https://www.crowdstrike.com/cybersecurity-101/brute-force-attacks/" rel="noopener noreferrer" target="_blank">brute force</a> while giving you completely different, easy to manage passwords across the services that you use. Most password managers support all modern operating systems, mobile devices and browsers, but do your research to find out which one is best for you.
</p>
</div>
<div class="data-security section">
<h2 class="section-title">Data Security</h2>
<p>
When you access the internet, each request that your device sends to a server has an identifier called an IP address. Think of an IP address as your house number on a street. Service providers often keep logs of visitor IP addresses and may use your IP's geolocation to load balance or provide advertisements that would be relative to your IP's geolocation. If you want to see what I mean, you can get a basic idea of how much information your IP address gives about you by using <a href="https://www.ip2location.com/demo/" rel="noopener noreferrer" target="_blank">IP2Location's</a> demo service. Creepy, right? Let's talk shortly about VPNs.
</p>
<p>
If you've visited this page, I have your IP address. Does that mean I know who you are? No, but if you visit my website from several different locations within your area, I can reasonably surmise that you frequently reside within this general geographical location. Put that together with what you read earlier in the <strong>Presence</strong> section of this guide. You can see where I'm going with this.
</p>
<p>
VPNs, short for <a href="https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn" rel="noopener noreferrer" target="_blank">Virtual Private Networks</a> are services that you can use to mask your real IP address from any web site or internet service you use. These services encrypt their data in transit and are most often run on servers that utilize the volatility of RAM (Random Access Memory) to help ensure that in the event of a security breach, simply power cycling the server will clear what little data they have about your connections. Of course, most VPNs are paid services because these things require infrastructure to run, but the fees are manageable. If you're a real nerd, you can even set up your own VPN using virtual servers, but that's far beyond the scope of this guide. There are <a href="https://www.cnet.com/tech/services-and-software/best-vpn/" rel="noopener noreferrer" target="_blank">many options</a> to choose from, so pick one that's best for you. I would strongly recommend against using any free VPN service. My personal litmus test for VPN services is simple:
</p>
<ol>
<li>Is the company headquartered outside of the <a href="https://vpnoverview.com/privacy/anonymous-browsing/5-9-14-eyes/" rel="noopener noreferrer" target="_blank">14 Eyes Alliance?</a></li>
<li>What payment options do they provide?</li>
<li>Have they been through one or more third party security audits?</li>
<li>How long have they been in business?</li>
<li>Are they a subsidiary of a larger, less friendly company?</li>
<li>How many server/location options do they provide?</li>
<li>Do I trust them with my data?</li>
<li>Have they ever handed over someone's data to any government entity or NGO?</li>
<li>How strict is their privacy policy?</li>
<li>How much bandwidth do I get versus a non-VPN internet connection?</li>
<li>Does their software implement a safety kill switch?</li>
<li>How reliable is their service?</li>
</ol>
<p>
No matter what, you must understand that even though you are using a VPN, all your data is being sent through <i>their</i> servers. They could, at their leisure, intercept your data, decrypt it and read everything you're doing. But, if that was the case, they probably wouldn't be in business for long. No matter what you do, there is always some sort of risk involved. You are always trusting someone else with your data, regardless of how you look at it. From the moment you power on your computer (and even while it's off), data is being sent and received in some capacity. But, you can always take additional steps to limit the impact of a breach.
</p>
</div>
<div class="encrypted-communications section">
<h2 class="section-title">Encrypted Communications</h2>
<p>
As many people on the fediverse recently learned, your DMs are not encrypted here. If you're utilizing internet services to communicate with others and sharing sensitive information, doing so using an unencrypted service is a disaster waiting to happen. Remember - disasters are a matter of <i>when</i>, not <i>if</i>. I provide an <a href="/about/chat" target="_blank">encrypted Matrix server</a> to give people the ability to communicate through text, voice and video as safely as I can provide. If you don't want to use my services, you can sign up for an <a href="https://element.io" rel="noopener noreferrer" target="_blank">element.io</a> (Matrix.org) account and just as easily communicate with anyone that uses my services. No matter what you do, it's important to apply the same account and data security concepts as listed above.
</p>
<p>
There are several communications services you can use. Telegram, Signal, Element/Matrix, XMPP, et cetera. All of these services have their advantages and disadvantages. For example, Telegram purports to be an E2E (end to end) encrypted chat service, but the feature has to be manually enabled via the "secret chat" option and does not persist between devices. Signal is a lot like Telegram, but does offer E2E encryption out of the box. However, both Signal and Telegram require you to sign up using a phone number. Obviously, a phone number can be used to easily verify your identity. Matrix/Element are self hosted solutions, but often times the integrations and performance of the service leaves much to be desired, especially when scaled. Matrix servers are a pretty big pain in the ass to deploy from an administration standpoint as well. Figure out what service makes the most sense for you to use, and start using encrypted communications.
</p>
</div>
<div class="crypto section">
<h2 class="section-title">Cryptocurrency</h2>
<p>
<a href="https://www.investopedia.com/terms/c/cryptocurrency.asp" rel="noopener noreferrer" target="_blank">Cryptocurrency</a> is often used in communities that many of us enjoy as a means of "anonymously" paying for goods and services, or to make donations to a cause one may support. It's a really neat alternative payment method, despite its issues with volatility and support on a mainstream scale, but the number one reason people use it is for anonymity. Unfortunately, cryptocurrency is not nearly as anonymous as people believe it is. Each transaction you make is available for public view on the blockchain explorer. Some cryptocurrencies like <a href="https://www.getmonero.org/" rel="noopener noreferrer" target="_blank">Monero (XMR)</a> attempt to mitigate this issue by implementing certain security safeguards that mask the wallet addresses and denying public view of transacted funds without a transaction key. I would personally recommend Monero if you want something more resilient and anonymous than cryptocurrencies that are supported by exchanges like <a href="https://coinbase.com" rel="noopener noreferrer" target="_blank">Coinbase</a> or <a href="https://binance.us" rel="noopener noreferrer" target="_blank">Binance</a>. Running your own <a href="https://freedomnode.com/blog/how-to-install-and-set-up-full-monero-node-on-linux/" rel="noopener noreferrer" target="_blank">Monero Node</a> is also a fun little project and helps to make the Monero network more resilient and improve performance.
</p>
<p>
Mainstream exchanges like Coinbase and Binance implement a policy known as <a href="https://www.idnow.io/regulation/what-is-kyc/" rel="noopener noreferrer" target="_blank">KYC</a> or <strong>Know Your Customer</strong>. When you sign up for an exchange that allows purchasing cryptocurrency with fiat currency (cash), the institution is required to verify your identity and connect your bank account or debit card. While you may be able to send and receive cryptocurrency pseudo-anonymously for services, a simple subpoena would be all it takes to find out who you are based on your transactions. Alternatively, if you have really poor OPSEC and use the same account/wallet for standard services and dissident services, someone who knows your real identity and your wallet address can easily make the connection between your private and public personas.
</p>
<p>
I like cryptocurrency. I think it's a great idea and fun in application, but I would warn against putting all of your stock in it as an alternative payment method. I'm not saying not to use it, but you should set reasonable expectations and be apply strong OPSEC principles to it.
</p>
</div>
<div class="exif section">
<h2 class="section-title">Multimedia Metadata (EXIF)</h2>
<p>
Every time you take a picture or video with your smartphone or really any modern camera, it automatically appends certain information, known as <a href="https://en.wikipedia.org/wiki/Exif" rel="noopener noreferrer" target="_blank">EXIF data</a> to the file. If you've ever noticed that your phone automatically creates albums or "stories" based on your travels to different places, it's because you allow your phone to tag your pictures with location data. If you're curious about what data your camera appends to each picture, you can use a service like <a href="https://www.pic2map.com/" rel="noopener noreferrer" target="_blank">Pic2Map</a> to find out what location data, if any, is included. Alternatively if you'd rather see a more detailed/raw form of your EXIF data, you can use something like <a href="https://exifdata.com/" rel="noopener noreferrer" target="_blank">ExifData</a> to get a more comprehensive view.
</p>
<p>
As ubiquitous as online services are, you probably don't think that much about this sort of thing. Many services, including my <a href="https://nicecrew.digital" target="_blank">fediverse instance</a> automatically strip as much EXIF data from your uploads as possible. My <a href="https://nicecrew.digital/about/chat" target="_blank">Matrix server</a>, however does not, which is why there is a massive warning in the guide. Always be careful where you're uploading pictures/videos, and make sure they're stripping the file metadata. Please note that other file types are not exempt from this. PDFs, XML, Word, Excel, PowerPoint, et cetera all contain some sort of file metadata that could be used against you if you're not careful.
</p>
<p>
Finally, you must consider even the <strong>name</strong> of the file you're uploading. If the file you're uploading has a title like <strong>john-doe-birthday-2023-04-19_1832.mp4</strong> that isn't sanitized/randomized by the service you're uploading it to, anyone who downloads that file will know that you know someone by the name of John Doe, whose birthday was on April 19, 2023 and the video was taken at 18:32. That's a lot of information! Always test all services by uploading a dummy file, then downloading it back from the service and seeing if the EXIF data and filename was changed/sanitized in any way. You can also turn off location services on your phone, or disable location data being appended to your media using your device but always double check.
</p>
</div>
<div class="government section">
<h2 class="section-title">The Government</h2>
<p>
If the government wants to get you, they will. That doesn't mean you should make it easy and abstain from applying strong OPSEC protocols to your shitposting career though. Don't do illegal stuff, regardless of whether or not you have a VPN, use TOR, are absolutely sure your OPSEC is air tight, whatever. All of your data travels through your ISP's infrastructure and you better bet your ass the government has inroads with them. If you own any modern device, the federal government has a back door to it at the BIOS level. If your device supports Wake-On-LAN, Intel IME or AMD's equivalent, it is always "online", even when it's "off". Turning location services off and using incognito mode is not going to hide you from the government.
</p>
<p>
All of us carry surveillance devices with us at all times in our pockets. Encrypt your data as much as you can both locally and remotely, but never ever assume that you are going to get one up on them. Sure, the government appears stupid to the point of obscenity but they also have infinite resources and the power to put you in a box for the rest of your life. Don't give them a reason to. Be smart, be vigilant, stay away from glowfags, don't fedpost, don't put the gasoline in the jar, don't post about how you installed a giggle switch in your Glock. We live in a time where even constitutionally protected speech can be used against you in a court, and the federal government has a ~95% conviction rate for a reason.
</p>
<p>
<strong>Do not be a fucking retard.</strong>
</p>
</div>
<div class="fuckup section">
<h2 class="section-title">What If I Have Poor OPSEC?</h2>
<p>
If you've maintained poor OPSEC up to this point and aren't sure what to do, consider the following, but keep in mind that <strong>everything you put on the internet is there forever.</strong>
</p>
<ol>
<li>Change your registration email, username, handle and password, if possible.</li>
<li>Delete your accounts and start over while applying these OPSEC principles.</li>
<li>Delete your accounts and stay offline.</li>
<li>Don't give a shit what people think about you.</li>
</ol>
<p>
Honestly, people aren't likely to really care much about who you are if you don't make yourself out to be a "public figure". That does not mean that you shouldn't assume there isn't someone watching you though. Unfortunately, due to the nature of the internet, there really isn't much that can be done besides galvanizing yourself and being prepared for the future. If someone wants to "expose" you, they'll continue to dig until they get what they want, or they decide it's not worth their time. The sooner you understand and apply the principles in this guide, the better off you'll be. That's not to say nothing bad will ever happen to you, but coming to terms with the fact that something bad <strong>could</strong> happen to you and preparing for it will help ease your mind. You're never going to be 100% prepared for every hardship you'll face in your life. All you can do is learn as you go along and pass your knowledge on to others.
</p>
</div>
<div class="conclusion section">
<h2 class="section-title">Conclusion</h2>
<p>
I sincerely hope that you consider everything you've read here, and check back every so often to see if more has been added. As stated earlier, this isn't a comprehensive list. There's a lot more that you can do to keep yourself as safe as possible online, but I wanted to lay out a couple of pointers for those who may not have known where to start. If you enjoy or appreciate what I'm doing here, please consider <a href="/about/support" target="_blank">making a donation</a> to keep these services running and maybe buy me a case of beer. If you wish to reach out to me for any reason, you can message me on Matrix/Element at my handle <strong>@matty:chat.nicecrew.digital</strong> or on the fediverse <a href="https://nicecrew.digital/@matty" rel="noopener noreferrer" target="_blank">here</a>. Thank you, and stay safe!
</p>
</div>
<div class="changelog section">
<h2 class="changelog-title">Changelog</h2>
<ol>
<li>06/03/2023 - Initial posting</li>
<li>06/03/2023 - Fixed some verbiage and formatting</li>
<li>06/07/2023 - Fixed some typographic errors and clarified some concepts</li>
<li>06/07/2023 - Fixed phrasing in some places</li>
<li>06/09/2023 - Added sections for EXIF, cryptocurrency, government and poor OPSEC. Added TL;DR section. Fixed some typographic errors. Made some light formatting changes.</li>
</ol>
</div>