Project 404

The Complete "Don't Get Pwned" OpSec Guide for Tor and Beyond

A no-bullshit, slightly sweary guide to not being a digital dipshit

Introduction: Why This Guide Exists

Look, I've seen too many people fuck up their OpSec in spectacular ways. This isn't some theoretical exercise - this is real shit that can save your ass. Whether you're a journalist, activist, researcher, or just someone who gives a damn about privacy, this guide will help you not be a complete muppet online.

The Trinity: Anonymity, Privacy, and Security

Before we dive into the fun stuff, let's clear up the confusion between these three concepts because people mix them up all the goddamn time.
Anonymity is about hiding WHO you are. Think of it as wearing a mask at a protest.
Privacy is about hiding WHAT you're doing. Like closing your curtains at home.
Security is about protecting yourself from attacks. It's your digital armor.
Here's the kicker: you need all three working together. Anonymity without security is like wearing a paper mask in a gunfight. Privacy without anonymity means they know who's behind those curtains. Security without the other two is just a really well-protected glass house.

How Tor Actually Works (Without the Academic Wank)

Tor is basically like passing notes through three kids in class. Your traffic goes through three relays (Guard/Entry, Middle, Exit) wrapped in three layers of encryption, and each relay peels off one layer, so it only learns where the cell came from and where it goes next. The guard sees your real IP but not your traffic or where it's headed. The exit sees the destination, and the plaintext too if the site isn't using TLS, but not who you are. The middle relay? Poor bastard knows fuck all. One detail most guides get wrong: the guard is not random every time. Tor deliberately sticks with the same entry guard for months, because swapping guards constantly would eventually hand your traffic to a malicious one.
But here's what most guides don't tell you: Tor is only as strong as your weakest OpSec habit. You can have a perfect Tor setup, but if you log into your Gmail account over it, congratulations - you just defeated the entire purpose. Tor hides where you're connecting from; it does nothing about what you do once you've told the other end who you are.
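To make the "each hop only knows its neighbours" point concrete, here's an added toy simulation (written for this page; it is not code from the original guide and not anything the Tor Project ships). The client wraps a request in three layers, each relay peels one, and we record exactly what every relay could see. The relay names, keys and the SHA-256 counter-mode "cipher" are made-up stand-ins: real Tor uses AES-CTR with keys agreed over the ntor handshake and adds per-cell integrity checks, none of which this toy has.

```python
from __future__ import annotations

import hashlib
import secrets

HOP_FIELD = 32   # fixed-width next-hop field, so layer size doesn't leak the address length
NONCE_LEN = 8


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode XORed over the data.
    Stand-in only; real Tor relays use AES-CTR with ntor-negotiated keys."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One onion layer: [nonce][enc_key(next_hop || inner)]."""
    nonce = secrets.token_bytes(NONCE_LEN)
    header = next_hop.encode().ljust(HOP_FIELD, b"\0")
    return nonce + xor_keystream(key, nonce, header + inner)


def peel_layer(key: bytes, blob: bytes) -> tuple[str, bytes]:
    """What a relay does: strip its own layer, read where to send the rest."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plain = xor_keystream(key, nonce, body)
    next_hop = plain[:HOP_FIELD].rstrip(b"\0").decode()
    return next_hop, plain[HOP_FIELD:]


def build_onion(hops: list[tuple[str, bytes]], destination: str, payload: bytes) -> bytes:
    """Wrap from the inside out. Only the exit's layer names the real destination;
    every earlier layer names just the next relay."""
    blob, next_hop = payload, destination
    for name, key in reversed(hops):
        blob = wrap_layer(key, next_hop, blob)
        next_hop = name
    return blob


def simulate_circuit(hops: list[tuple[str, bytes]], destination: str, payload: bytes) -> dict:
    """Push the onion through the relays in order and record what each one learned:
    who handed it the cell, where it forwards it, and the bytes it could actually see."""
    views = {}
    blob = build_onion(hops, destination, payload)
    prev = "client"
    for name, key in hops:
        next_hop, blob = peel_layer(key, blob)
        views[name] = {"prev": prev, "next": next_hop, "data": blob}
        prev = name
    return views


if __name__ == "__main__":
    # Constructed circuit: in reality the client gets these keys from the ntor handshake.
    circuit = [(name, secrets.token_bytes(32)) for name in ("guard", "middle", "exit")]
    request = b"GET /secret HTTP/1.1\r\nHost: example.com\r\n\r\n"
    for relay, seen in simulate_circuit(circuit, "example.com:80", request).items():
        print(f"{relay:6}  from={seen['prev']:7} to={seen['next']:15} sees={seen['data'][:16]!r}...")
```

The guard's "from" is your real IP, the exit's "sees" is the plaintext (port 80 on purpose; over TLS the exit would see ciphertext and only the SNI), and everything in between is noise to whoever holds it.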

Operating Systems: The Foundation of Your Digital Life

Linux: The Chad Choice

I'm gonna be straight with you - if you're serious about OpSec, you need Linux. Windows is basically spyware with a pretty interface, and macOS isn't much better. Here's my take:
Tails is your nuclear option. It runs from a USB stick, routes everything through Tor (and blocks anything that tries to go around it), and forgets everything on shutdown. Anything you do want to keep goes in the encrypted Persistent Storage, deliberately, and nowhere else. Use it for anything that could get you in serious trouble.
Qubes is for the paranoid (and I mean that as a compliment). It isolates everything in separate virtual machines (qubes): your email qube can't talk to your browsing qube, and the network stack and USB controller live in their own throwaway qubes too. It ships with Whonix templates, so a Tor-only qube is a couple of clicks away. It's beautiful.
Standard Linux distros like Ubuntu or Fedora are fine for daily use, but harden them properly. Turn off what little phones home (ubuntu-report, apport crash reports, popularity-contest), use full disk encryption (LUKS) with a real passphrase, and for fuck's sake, don't reuse passwords across machines and accounts.

Windows: The Necessary Evil

Sometimes you're stuck with Windows. I get it. Here's how to make it suck less:
  • Disable ALL telemetry (use tools like O&O ShutUp10, and re-run it after every feature update, because updates quietly reset some of those settings)

  • Use Windows Sandbox for sketchy stuff (Pro/Enterprise only; it's wiped every time you close it, which is the point)

  • Full disk encryption with BitLocker (or better yet, VeraCrypt). If you sign into Windows with a Microsoft account, BitLocker's recovery key gets backed up to that account by default - go check, and delete it from there if you'd rather Microsoft couldn't hand it over

  • Compartmentalize with VMs

macOS: The Pretty Prison

Apple talks a good privacy game while shipping an OS that phones home constantly: app launches trigger Gatekeeper/notarization checks against Apple's servers, and everything in iCloud that isn't end-to-end encrypted is readable by Apple (and handed over on a valid request). If you must use macOS:
  • Turn off iCloud for everything sensitive

  • Turn on FileVault - it's built in, there's no excuse

  • Use Little Snitch (or LuLu, which is free) to monitor and block outbound connections

  • Disable Siri, analytics, and all that "helpful" bullshit

Mobile: The Pocket Betrayer

Android: The Lesser of Two Evils

Standard Android is Google's wet dream of data collection, but you can unfuck it:
GrapheneOS is the gold standard. Pixel phones only (they're the ones with a proper secure element and a bootloader you can re-lock with your own keys), but it's worth it. No Google services baked in - if you need Play, it runs sandboxed as an ordinary unprivileged app - plus a hardened kernel and allocator, and proper app sandboxing.
CalyxOS is more user-friendly but less hardened than Graphene; it ships microG for app compatibility.
LineageOS without GApps is decent but not as security-focused: on most devices it means an unlocked bootloader, so no verified boot, and patches lag behind upstream.

iOS: The Gilded Cage

iPhones are more secure against random malware, but Apple sees everything you put in iCloud that isn't end-to-end encrypted, runs its own advertising network, and hands data over on legal request. If you're stuck with iOS:
  • Turn on Advanced Data Protection so iCloud backups are actually end-to-end encrypted (or don't back up to iCloud at all)

  • Turn on Lockdown Mode if you're a realistic target for mercenary spyware; it kills most of the attack surface and you'll barely notice

  • Turn off analytics, Siri, and location services for apps that don't need it

  • Use Signal, not iMessage

  • Don't trust iCloud with anything sensitive

Browsers: Your Window to the Digital World

Tor Browser: The Obvious Choice

Use the official Tor Browser. Don't be a smartass and try to configure Firefox yourself - the Tor Project has spent years on fingerprinting defences you will not replicate. Keep these settings:
  • Security level: Safest (Safer if you absolutely need JavaScript; it's then only allowed on HTTPS sites and JIT compilation stays off)

  • Don't maximize or resize the window. Tor Browser has letterboxed the viewport (rounded it to a standard size) since 9.0, so it's less fatal than it used to be, but the default size is still the crowd you want to hide in

  • Don't install extensions (they fuck with anonymity - your add-on list is a fingerprint)

  • New Identity for each sensitive session. Know the difference: New Identity closes everything and wipes all state; New Tor Circuit for this Site just swaps the route and keeps your cookies

For Clearnet Browsing

Firefox with hardening:
  • user.js from the arkenfox project (read its wiki first; it breaks things until you add your own overrides)

  • uBlock Origin (not AdBlock Plus - its "Acceptable Ads" program lets advertisers pay to be whitelisted by default)

  • ClearURLs - strips tracking parameters from links

  • Decentraleyes - serves common JS libraries locally so CDNs don't see you

Every extension you add is one more thing that makes your browser look different from everyone else's. Keep the list short.

Brave is decent out of the box, but it still phones home to Brave's servers, and you'll spend your first ten minutes turning off the rewards, the crypto wallet and the sponsored news.

Chrome/Edge - just fucking don't.

Email: The Ancient Art of Digital Communication

Why ProtonMail Isn't the Messiah

Yeah, I said it. ProtonMail has issues:
  • The web client requires JavaScript (bad for Tor users at Safest; use the onion service and an app, or accept the trade-off)

  • Swiss cooperation with law enforcement is real: in 2021 Proton logged and handed over a French climate activist's IP address under a Swiss court order. Proton can only give up what it has, so connect through Tor and it has nothing useful

  • Centralized honeypot potential - millions of "people with something to hide" on one service

  • Marketing hype vs. reality: "end-to-end encrypted" only applies between Proton users (or with PGP). Mail from anyone else arrives at Proton's servers in plaintext and only gets encrypted after it lands

Better Options

Guerrilla Mail for throwaway accounts. It's temporary, requires no signup, works over Tor. Know what it is, though: the inboxes are effectively public, anyone who types the same address gets the same inbox, so it's for signups you don't care about and nothing else.
Self-hosted is ideal if you know what you're doing: Postal or similar on a VPS you control. For anonymity it's a trap unless the VPS and the domain were paid for and registered in a way that doesn't lead back to you, and running your own mail server badly is its own kind of leak.
Tuta (formerly Tutanota) is less hyped but solid, and it encrypts subject lines, which Proton doesn't. It is not a JavaScript escape hatch, though: the web client needs JS just like Proton's and there's no IMAP. It's a different jurisdiction (Germany) with the same basic model.
For the love of all that's holy, use different email addresses for different identities. Your activist email shouldn't be the same as your work email.

Messaging: Talking Without Getting Fucked

Signal: The Gold Standard

Signal is good, but use it right:
  • Disappearing messages always on (set the default timer under Privacy so new chats inherit it)

  • Different phone numbers for different identities - registration still needs a number, and a number is an identity

  • Don't link to your real phone if going anonymous. Use a username and set "Who can see my number" to Nobody so contacts never see the number at all

What to Avoid

Session sounds good in theory (no phone number, onion-routed), but it threw out Signal's double ratchet, so there's no forward secrecy, and the small user base makes you stand out.
Telegram is not end-to-end encrypted by default - regular chats and all groups are readable by Telegram. Secret chats are better, but they're one-to-one, mobile-only, and still not great.
WhatsApp: the encryption is real (it's the Signal protocol), but Meta gets all the metadata - who you talk to, when, how often, and your whole contact list - and your chat backups to Google Drive/iCloud are plaintext unless you switch on encrypted backups.

The Underground Options

Briar for truly decentralized messaging. Android only; works over Tor, or over Wi-Fi and Bluetooth when the internet is gone, no servers at all.
Element/Matrix can be good if you pick the right homeserver (preferably your own). Know that room membership and who-posted-when is visible to every homeserver with a user in the room, not just yours.
Ricochet Refresh for anonymous contact without phone numbers: every user is their own Tor onion service, so there's no account and nothing in the middle.

Identity Management: Being Multiple People Without Losing Your Mind

This is where most people fuck up. You need strict compartmentalization:

The Golden Rules

  1. Never cross the streams - Don't mix identities EVER

  2. Different browsers for different identities - Use separate browser profiles or VMs

  3. Different writing styles - Your anonymous persona shouldn't write like your real self

  4. Time zone obfuscation - Don't post at predictable times. A daily eight-hour silence is a sleep schedule, and a sleep schedule is a time zone

  5. Different interests - Your anonymous identity shouldn't have the same hobbies
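Rule 3 is the one people underestimate, so here's an added example of the attack side (written for this page, not code from the original guide): a crude stylometric fingerprint built from function-word and filler frequencies, which are topic-independent, then nearest-neighbour attribution across a set of samples. The five texts are constructed for the demo: two real-name blog posts, an anonymous post written in the same sloppy voice, an anonymous post written in a deliberately different register, and a colleague's e-mail. Real stylometry (character n-grams, hundreds of features) is far stronger than this, which is the point.

```python
from __future__ import annotations

import math
import re
from collections import Counter

# Function words and fillers: nearly content-free, so they track habit rather than topic.
# Hand-picked for the demo (assumption, not a standard list); real tools use hundreds of features.
MARKERS = [
    "the", "a", "of", "and", "to", "in", "that", "is", "it",
    "basically", "honestly", "like", "gonna", "kinda", "pretty",
    "however", "therefore", "thus", "furthermore", "indeed", "moreover",
]

# Constructed samples. The author's real-name voice is casual; "anon_sloppy" is that same
# person posting anonymously without changing register, "anon_disciplined" is them actually
# following rule 3, and "colleague_email" is a different person writing formally.
SAMPLES = {
    "realname_blog_1": "Honestly, this is basically the same thing. I'm gonna say it like it is: "
                       "the whole setup is kinda broken and pretty much everyone knows it. "
                       "Honestly, basically nobody cares.",
    "realname_blog_2": "Basically, I'm gonna keep it simple. Honestly the tool is pretty good, "
                       "kinda clunky, but it works like a charm. Basically just use it, honestly.",
    "anon_sloppy": "Honestly this is basically a mess. I'm gonna be blunt, the policy is kinda "
                   "pretty dumb and like nobody asked for it.",
    "anon_disciplined": "The policy is, however, poorly justified; furthermore, the stated "
                        "rationale is thus unconvincing. Indeed, the evidence is therefore absent.",
    "colleague_email": "However, the evidence is therefore insufficient. Furthermore, the authors "
                       "indeed omit the relevant controls; thus the conclusion is moreover "
                       "unsupported. However, the method itself is sound.",
}


def style_vector(text: str) -> list[float]:
    """Relative frequency of each marker word in the text."""
    words = re.findall(r"[a-z']+", text.lower())
    counts = Counter(words)
    total = max(len(words), 1)
    return [counts[w] / total for w in MARKERS]


def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def similarity(text_a: str, text_b: str) -> float:
    return cosine(style_vector(text_a), style_vector(text_b))


def most_similar(target: str, samples: dict[str, str]) -> str:
    """Nearest-neighbour attribution: which other sample reads most like `target`?"""
    others = {k: v for k, v in samples.items() if k != target}
    return max(others, key=lambda k: similarity(samples[target], others[k]))


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:17} reads most like {most_similar(name, SAMPLES)}")
```

The sloppy anonymous post lands on the real-name blog; the disciplined one lands on the colleague. Twenty marker words and a cosine are enough to do that on a few sentences, so assume anyone who cares has much better.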

Practical Implementation

Use VMs or separate devices for each major identity. I run:
  • Daily driver for normal shit

  • Activist VM for sensitive political stuff

  • Research VM for deep dives

  • Burner VM for truly sketchy investigations

Encryption: PGP vs AGE (The Heavyweight Fight)

Why PGP is a Fucking Nightmare

PGP is like that brilliant professor who can't explain anything clearly:
  • Key servers leak metadata: your name and address sit on a public, unauthenticated directory, which is also how the SKS keyserver network got flooded with poisoned certificates in 2019

  • Complex web of trust bullshit that nobody actually uses

  • Implementation bugs everywhere (EFAIL in 2018 had mail clients exfiltrating decrypted text through HTML)

  • Every encrypted message carries the recipient's key ID in the clear unless you remember --throw-keyids

  • UI/UX from the stone age

AGE: The New Hotness

AGE is what PGP should have been:
  • Simple key format (just a string: a Bech32-encoded X25519 key, checksum included)

  • Modern crypto (X25519, ChaCha20-Poly1305, HKDF; scrypt for passphrases)

  • No recipient identifiers in the ciphertext - an age file doesn't say who it's for, though the header does show how many recipients there are

  • Smaller attack surface: a spec you can read in an afternoon and no legacy packet formats

  • Actually usable by humans

Use age for file encryption, rage if you prefer the Rust implementation. Generate a key pair with age-keygen -o key.txt (it prints the age1... public key, which is your recipient), encrypt with age -r <recipient> -o secret.age secret.txt, decrypt with age -d -i key.txt secret.age. Two caveats: age does confidentiality only, it doesn't sign anything, so if you need to prove who a file came from, pair it with minisign or signify; and it's file encryption, not email - nobody's mail client speaks it.
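Since the whole selling point is "a recipient is just a string", here's an added example (written for this page; not part of age, rage, or the original guide) of what that string actually is: the 32-byte X25519 public key encoded as Bech32 with the human-readable prefix age, checksum included. The block encodes a made-up key, decodes it back, and shows that a single mistyped character is rejected instead of silently encrypting to the wrong key, which is exactly what age itself does when you paste a mangled recipient. The Bech32 arithmetic follows BIP-173; the key bytes are constructed, not a real key.

```python
from __future__ import annotations

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
AGE_HRP = "age"            # recipients look like age1...; identities use AGE-SECRET-KEY-1...
X25519_KEY_LEN = 32


def _polymod(values: list[int]) -> int:
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def _hrp_expand(hrp: str) -> list[int]:
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _checksum(hrp: str, data: list[int]) -> list[int]:
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    return [(pm >> 5 * (5 - i)) & 31 for i in range(6)]


def _convertbits(data: list[int], frombits: int, tobits: int, pad: bool) -> list[int] | None:
    """Regroup a bit string between 8-bit bytes and 5-bit Bech32 symbols."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None  # non-zero padding or too much of it: corrupt input
    return out


def bech32_encode(hrp: str, payload: bytes) -> str:
    data = _convertbits(list(payload), 8, 5, pad=True)
    return hrp + "1" + "".join(CHARSET[d] for d in data + _checksum(hrp, data))


def bech32_decode(s: str) -> tuple[str, bytes] | None:
    """Return (hrp, payload), or None if the string is malformed or fails the checksum."""
    if s != s.lower() and s != s.upper():
        return None  # mixed case is invalid by spec
    s = s.lower()
    sep = s.rfind("1")
    if sep < 1 or sep + 7 > len(s) or len(s) > 90:
        return None
    hrp, body = s[:sep], s[sep + 1:]
    if any(c not in CHARSET for c in body):
        return None
    data = [CHARSET.index(c) for c in body]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        return None
    payload = _convertbits(data[:-6], 5, 8, pad=False)
    return None if payload is None else (hrp, bytes(payload))


def parse_recipient(recipient: str) -> bytes:
    """Turn an age1... recipient string into the raw X25519 public key, or raise."""
    decoded = bech32_decode(recipient)
    if decoded is None:
        raise ValueError("not a valid Bech32 string (typo or corruption)")
    hrp, key = decoded
    if hrp != AGE_HRP:
        raise ValueError(f"expected prefix {AGE_HRP!r}, got {hrp!r}")
    if len(key) != X25519_KEY_LEN:
        raise ValueError(f"expected {X25519_KEY_LEN}-byte key, got {len(key)}")
    return key


def format_recipient(public_key: bytes) -> str:
    return bech32_encode(AGE_HRP, public_key)


if __name__ == "__main__":
    fake_key = bytes(range(32))   # constructed; a real one comes out of age-keygen
    recipient = format_recipient(fake_key)
    print("recipient:", recipient, "length:", len(recipient))
    print("round trip ok:", parse_recipient(recipient) == fake_key)
    typo = recipient[:20] + ("q" if recipient[20] != "q" else "p") + recipient[21:]
    try:
        parse_recipient(typo)
    except ValueError as err:
        print("typo rejected:", err)
```

A recipient is always 62 characters, and Bech32 catches any four or fewer wrong characters, so a recipient that decodes at all is one you typed correctly; whether it belongs to the person you think it does is a separate problem that no checksum solves.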

Habits: The Devil in the Details

Traffic Analysis Resistance

Don't be predictable:
  • Vary your online times

  • Use random delays between actions

  • Don't always connect from the same location

  • Mix real activity with cover traffic
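"Vary your online times" sounds like paranoia until you see how little it takes. Here's an added example (written for this page, not code from the original guide): a constructed stream of post timestamps, the hour-of-day histogram an analyst would build from them, the longest daily silence in it, and the time zone that silence implies if you assume people are mid-sleep around 03:00 local, which is an assumption of the demo and not a law. The second half runs the same posts through a fixed hourly release queue and shows the sleep gap disappearing. Timestamps, persona, everything is made up.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

ACTIVE_UTC_HOURS = list(range(13, 24)) + list(range(0, 5))   # persona awake 13:00-04:59 UTC
SLEEP_MIDPOINT_LOCAL = 3   # assumption for the demo: people are mid-sleep around 03:00 local


def constructed_posts() -> list[datetime]:
    """Two weeks of made-up post times for a persona that only ever posts 13:00-04:59 UTC."""
    posts = []
    for day in range(1, 15):
        for hour in ACTIVE_UTC_HOURS:
            if (day + hour) % 3 == 0:       # skip some slots so the pattern isn't perfectly regular
                continue
            posts.append(datetime(2024, 3, day, hour, (7 * day + hour) % 60, tzinfo=timezone.utc))
    return sorted(posts)


def hourly_histogram(times: list[datetime]) -> list[int]:
    counts = [0] * 24
    for t in times:
        counts[t.astimezone(timezone.utc).hour] += 1
    return counts


def longest_quiet_window(times: list[datetime]) -> tuple[int, int]:
    """(start_hour_utc, length_hours) of the longest run of hours with zero activity,
    wrapping past midnight."""
    counts = hourly_histogram(times)
    best_start = best_len = run_start = run_len = 0
    for i in range(48):                   # two laps so a gap spanning midnight is one run
        hour = i % 24
        if counts[hour] == 0:
            if run_len == 0:
                run_start = hour
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, min(run_len, 24)
        else:
            run_len = 0
    return best_start, best_len


def guess_utc_offset(times: list[datetime]) -> int:
    """Treat the quiet window as sleep, centre it on SLEEP_MIDPOINT_LOCAL, solve for the offset."""
    start, length = longest_quiet_window(times)
    midpoint_utc = (start + length / 2) % 24
    offset = round(SLEEP_MIDPOINT_LOCAL - midpoint_utc)
    return ((offset + 12) % 24) - 12      # normalise into -12..+11


def delayed_release(times: list[datetime]) -> list[datetime]:
    """Countermeasure: queue posts and publish one per hour round the clock, so the
    publication time says nothing about when you were actually awake."""
    first = min(times).replace(minute=30, second=0, microsecond=0)
    return [first + timedelta(hours=i) for i in range(len(times))]


if __name__ == "__main__":
    posts = constructed_posts()
    print("posts:", len(posts))
    print("quiet window (UTC start hour, length):", longest_quiet_window(posts))
    print("guessed offset: UTC%+d" % guess_utc_offset(posts))
    print("after hourly release queue:", longest_quiet_window(delayed_release(posts)))
```

Fourteen days of timestamps and three functions narrow "somewhere on Earth" down to one or two time zones. A release queue kills that signal, but note what it doesn't hide: the time you write a reply relative to the message you're replying to is a second, independent clock.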

Digital Hygiene

  • Separate devices for separate identities

  • Regular security audits of your setup

  • Keep software updated (yes, even on Tails)

  • Practice good password hygiene (use a manager, for fuck's sake)

Social Engineering Defense

  • Never give real info when you don't have to

  • Lie consistently within each identity

  • Don't overshare (even anonymously)

  • Trust no one completely

Physical Security: Meatspace Still Matters

Your OpSec is worthless if someone can physically compromise your devices:
  • Full disk encryption on everything

  • Secure boot if possible, plus a firmware password so nobody can just boot something else off a USB stick

  • Physical security keys (Yubikey, Nitrokey)

  • Tamper-evident seals on devices

  • Secure disposal of old hardware (DBAN isn't enough for SSDs: wear levelling means overwrites never reach every cell. Use the drive's own secure erase (ATA Secure Erase, or an NVMe format with crypto erase), or better, encrypt the disk from day one so disposal is just losing the key)

Beyond Tor: The Dark Web Landscape

I2P: The Other Onion

I2P is designed for hidden services (eepsites) rather than clearnet access; there are a handful of outproxies, but that's not what it's for. It's slower to get going and potentially better for peer-to-peer stuff, since every participant routes for everyone else. The network is smaller, which can be good or bad depending on your threat model.

Freenet: The Persistent Network

Freenet stores encrypted data across the network, split into chunks no single node can read as a whole. It's more about censorship resistance than anonymity, but worth knowing about. Naming note: in 2023 the original project was renamed Hyphanet, and "Freenet" now refers to a new, separate project from the same founder.

Other Networks

  • Lokinet (from the Oxen team, formerly Loki, the same people behind Session) - onion routing at the IP layer rather than through a SOCKS proxy

  • Yggdrasil for mesh networking - it's an encrypted IPv6 overlay, not an anonymity network; your peers see you

  • RetroShare for friend-to-friend networks

Extensions and Tools: The Supporting Cast

Browser Extensions (Use Sparingly)

On clearnet browsers only:
  • uBlock Origin - blocks ads and trackers

  • ClearURLs - removes tracking parameters

  • Decentraleyes - protects against CDN tracking
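Since this guide recommends ClearURLs twice without saying what it does, here's an added example (written for this page; it is not the extension's code or rule set) of the core of it: drop known tracking parameters from a URL's query string while keeping the ones the page actually needs, and report what was removed. The parameter list is a hand-picked subset, not ClearURLs' full catalogue, and the URLs are constructed.

```python
from __future__ import annotations

from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hand-picked subset of common tracking parameters (assumption: not an exhaustive list).
TRACKING_PARAMS = {
    "fbclid", "gclid", "dclid", "msclkid", "yclid", "igshid", "twclid", "ttclid",
    "mc_cid", "mc_eid", "_hsenc", "_hsmi", "mkt_tok", "ref_src", "ref_url",
}
TRACKING_PREFIXES = ("utm_", "pk_", "mtm_", "vero_")


def is_tracking_param(name: str) -> bool:
    name = name.lower()
    return name in TRACKING_PARAMS or name.startswith(TRACKING_PREFIXES)


def strip_tracking(url: str) -> tuple[str, list[str]]:
    """Return (cleaned_url, names_removed). Surviving parameters keep their order;
    the fragment is kept because plenty of single-page apps route on it."""
    parts = urlsplit(url)
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        (removed if is_tracking_param(name) else kept).append((name, value))
    cleaned = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))
    return cleaned, [name for name, _ in removed]


if __name__ == "__main__":
    # Constructed URLs
    for link in (
        "https://example.com/article?id=42&utm_source=newsletter&utm_medium=email&fbclid=AbC123#comments",
        "https://example.org/search?q=tor+guards&page=2",
        "https://example.net/?mc_cid=abc&mc_eid=def",
    ):
        clean, gone = strip_tracking(link)
        print(f"{link}\n  -> {clean}   (removed: {gone})")
```

What this can't do is the part that needs per-site rules: identifiers baked into the path (Amazon's /ref= segments, for instance) or redirect parameters that carry the real target. That's why the real extension ships a rule catalogue instead of a word list.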

Never use extensions in Tor Browser - they fuck with your anonymity.

Command Line Tools

  • age/rage for encryption

  • yt-dlp for downloading videos safely

  • curl/wget for HTTP requests

  • nmap for network scanning (legal targets only)

  • Wireshark for seeing what your box actually sends (the fastest way to catch an app that ignores your proxy settings)

Threat Modeling: Know Your Enemy

Different threats require different approaches:
Corporate surveillance: Focus on privacy tools, ad blockers, VPNs
Government surveillance: Full anonymity stack, Tails, Tor, proper compartmentalization
Criminal actors: Security focus, updated software, secure communications
Stalkers/harassment: New identities, careful social media hygiene
Authoritarian regimes: Everything at once, plus physical security

Final Thoughts: Stay Paranoid, Stay Safe

OpSec isn't a one-time setup - it's a lifestyle. The tools and techniques change, but the principles remain:
  1. Assume everything is compromised until proven otherwise

  2. Defense in depth - layer your protections

  3. Compartmentalization is your best friend

  4. Regular audits of your setup and habits

  5. Trust but verify - and mostly just verify

Remember: the goal isn't perfect security (impossible) or perfect anonymity (also impossible). The goal is raising the cost of surveillance high enough that you're not worth the effort for your particular threat model.

Stay safe out there, you beautiful paranoid bastards.
