all repos — site @ 40f93d1be10c58d89c99bb65420ac932669fd099

source for my site, found at icyphox.sh

pages/txt/ig-opsec (view raw)

  1---
  2date: '2019-12-02'
  3subtitle: Operational security for the average zoomer
  4title: Instagram OPSEC
  5url: 'ig-opsec'
  6---
  7
  8Which I am not, of course. But seeing as most of my peers are, I am
  9compelled to write this post. Using a social platform like Instagram
 10automatically implies that the user understands (to some level) that
 11their personally identifiable information is exposed publicly, and they
 12sign up for the service understanding this risk---or I think they do,
 13anyway. But that's about it, they go ham after that. Sharing every nitty
 14gritty detail of their private lives without understanding the potential
 15risks of doing so.
 16
 17The fundamentals of OPSEC dictacte that you develop a threat model, and
 18Instgrammers are *obviously* incapable of doing that---so I'll do it for
 19them.
 20
 21Your average Instagrammer's threat model
 22----------------------------------------
 23
 24I stress on the word "average", as in this doesn't apply to those with
 25more than a couple thousand followers. Those type of accounts inherently
 26face different kinds of threats---those that come with having a
 27celebrity status, and are not in scope of this analysis.
 28
 29-   **State actors**: This doesn't *really* fit into our threat model,
 30    since our target demographic is simply not important enough. That
 31    said, there are select groups of individuals that operate on
 32    Instagram[^1], and they can potentially be targetted by a state
 33    actor.
 34
 35```{=html}
 36<!-- -->
 37```
 38-   **OSINT**: This is probably the biggest threat vector, simply
 39    because of the amount of visual information shared on the platform.
 40    A lot can be gleaned from one simple picture in a nondescript
 41    alleyway. We'll get into this in the DOs and DON'Ts in a bit.
 42
 43-   **Facebook & LE**: Instagram is the last place you want to be doing
 44    an illegal, because well, it's logged and more importantly---not
 45    end-to-end encrypted. Law enforcement can subpoena any and all
 46    account information. Quoting Instagram's [page on
 47    this](https://help.instagram.com/494561080557017):
 48
 49> a search warrant issued under the procedures described in the Federal
 50> Rules of Criminal Procedure or equivalent state warrant procedures
 51> upon a showing of probable cause is required to compel the disclosure
 52> of the stored contents of any account, which may include messages,
 53> photos, comments, and location information.
 54
 55That out of the way, here's a list of DOs and DON'Ts to keep in mind
 56while posting on Instagram.
 57
 58### DON'Ts
 59
 60-   Use Instagram for planning and orchestrating illegal shit! I've
 61    explained why this is a terrible idea above. Use secure comms---even
 62    WhatsApp is a better choice, if you have nothing else. In fact, try
 63    avoiding IG DMs altogether, use alternatives that implement E2EE.
 64
 65-   Film live videos outside. Or try not to, if you can. You might
 66    unknowingly include information about your location: street signs,
 67    shops etc. These can be used to ascertain your current location.
 68
 69-   Film live videos in places you visit often. This compromises your
 70    security at places you're bound to be at.
 71
 72-   Share your flight ticket in your story! I can't stress this
 73    enough!!! Summer/winter break? "Look guys, I'm going home! Here's
 74    where I live, and here's my flight number---feel free to track me!".
 75    This scenario is especially worrisome because the start and end
 76    points are known to the threat actor, and your arrival time can be
 77    trivially looked up---thanks to the flight number on your ticket.
 78    So, just don't.
 79
 80-   Post screenshots with OS specific details. This might border on
 81    pendantic, but better safe than sorry. Your phone's statusbar and
 82    navbar are better cropped out of pictures. They reveal the time,
 83    notifications (apps that you use), and can be used to identify your
 84    phone's operating system. Besides, the status/nav bar isn't very
 85    useful to your screenshot anyway.
 86
 87-   Share your voice. In general, reduce your footprint on the platform
 88    that can be used to identify you elsewhere.
 89
 90-   Think you're safe if your account is set to private. It doesn't take
 91    much to get someone who follows you, to show show your profile on
 92    their device.
 93
 94### DOs
 95
 96-   Post pictures that pertain to a specific location, once you've moved
 97    out of the location. Also applies to stories. It can wait.
 98
 99-   Post pictures that have been shot indoors. Or try to; reasons above.
100    Who woulda thunk I'd advocate bathroom selfies?
101
102-   Delete old posts that are irrelevant to your current audience. Your
103    friends at work don't need to know about where you went to high
104    school.
105
106More DON'Ts than DOs, that's very telling. Here are a few more points
107that are good OPSEC practices in general:
108
109-   **Think before you share**. Does it conform to the rules mentioned
110    above?
111-   **Compartmentalize**. Separate as much as you can from what you
112    share online, from what you do IRL. Limit information exposure.
113-   **Assess your risks**: Do this often. People change, your
114    environments change, and consequentially the risks do too.
115
116Fin
117---
118
119Instagram is---much to my dismay---far too popular for it to die any
120time soon. There are plenty of good reasons to stop using the platform
121altogether (hint: Facebook), but that's a discussion for another day.
122
123Or be like me:
124
125![0 posts lul](/static/img/ig.jpg)
126
127And that pretty much wraps it up, with a neat little bow.
128
129[^1]: https://darknetdiaries.com/episode/51/---Jack talks about Indian
130    hackers who operate on Instagram.