all repos — site @ ad28962572b038bc5c79f825a30acc21fc6772b3

source for my site, found at icyphox.sh

pages/blog/ig-opsec.md (view raw)

  1---
  2template:
  3title: Instagram OPSEC
  4subtitle: Operational security for the average zoomer
  5date: 2019-12-02
  6---
  7
  8Which I am not, of course. But seeing as most of my peers are, I am
  9compelled to write this post. Using a social platform like Instagram
 10automatically implies that the user understands (to some level) that
 11their personally identifiable information is exposed publicly, and they
 12sign up for the service understanding this risk---or I think they do,
 13anyway. But that's about it, they go ham after that. Sharing every nitty
 14gritty detail of their private lives without understanding the potential
 15risks of doing so.
 16
 17The fundamentals of OPSEC dictacte that you develop a threat model, and
 18Instgrammers are _obviously_ incapable of doing that---so I'll do it
 19for them. 
 20
 21## Your average Instagrammer's threat model
 22
 23I stress on the word "average", as in this doesn't apply to those with
 24more than a couple thousand followers. Those type of accounts inherently
 25face different kinds of threats---those that come with having
 26a celebrity status, and are not in scope of this analysis.
 27
 28- **State actors**: This doesn't _really_ fit into our threat model,
 29since our target demographic is simply not important enough. That said,
 30there are select groups of individuals that operate on
 31Instagram[^ddepisode], and they can potentially be targetted by a state
 32actor.
 33
 34[^ddepisode]: https://darknetdiaries.com/episode/51/---Jack talks about Indian hackers who operate on Instagram.
 35
 36- **OSINT**: This is probably the biggest threat vector, simply because
 37of the amount of visual information shared on the platform. A lot can be
 38gleaned from one simple picture in a nondescript alleyway. We'll get
 39into this in the DOs and DON'Ts in a bit.
 40
 41- **Facebook & LE**: Instagram is the last place you want to be doing an
 42illegal, because well, it's logged and more importantly---not
 43end-to-end encrypted. Law enforcement can subpoena any and all account
 44information. Quoting Instagram's 
 45[page on this](https://help.instagram.com/494561080557017):
 46
 47>a search warrant issued under the procedures described in the Federal 
 48>Rules of Criminal Procedure or equivalent state warrant procedures 
 49>upon a showing of probable cause is required to compel the disclosure 
 50>of the stored contents of any account, which may include messages, 
 51>photos, comments, and location information.
 52
 53That out of the way, here's a list of DOs and DON'Ts to keep in mind
 54while posting on Instagram.
 55
 56### DON'Ts
 57
 58- Use Instagram for planning and orchestrating illegal shit! I've
 59explained why this is a terrible idea above. Use secure comms---even
 60WhatsApp is a better choice, if you have nothing else. In fact, try
 61avoiding IG DMs altogether, use alternatives that implement E2EE.
 62
 63- Film live videos outside. Or try not to, if you can. You might
 64unknowingly include information about your location: street signs,
 65shops etc. These can be used to ascertain your current location.
 66
 67- Film live videos in places you visit often. This compromises your
 68security at places you're bound to be at.
 69
 70- Share your flight ticket in your story! I can't stress this enough!!!
 71Summer/winter break? "Look guys, I'm going home! Here's where I live,
 72and here's my flight number---feel free to track me!". This scenario is
 73especially worrisome because the start and end points are known to the
 74threat actor, and your arrival time can be trivially looked up---thanks
 75to the flight number on your ticket. So, just don't.
 76
 77- Post screenshots with OS specific details. This might border on
 78pendantic, but better safe than sorry. Your phone's statusbar and navbar 
 79are better cropped out of pictures. They reveal the time, notifications
 80(apps that you use), and can be used to identify your phone's operating
 81system.  Besides, the status/nav bar isn't very useful to your screenshot 
 82anyway.
 83
 84- Share your voice. In general, reduce your footprint on the platform
 85that can be used to identify you elsewhere.
 86
 87- Think you're safe if your account is set to private. It doesn't take
 88much to get someone who follows you, to show show your profile on their
 89device.
 90
 91### DOs
 92
 93- Post pictures that pertain to a specific location, once you've moved
 94out of the location. Also applies to stories. It can wait.
 95
 96- Post pictures that have been shot indoors. Or try to; reasons above.
 97Who woulda thunk I'd advocate bathroom selfies?
 98
 99- Delete old posts that are irrelevant to your current audience. Your
100friends at work don't need to know about where you went to high school.
101
102More DON'Ts than DOs, that's very telling. Here are a few more points
103that are good OPSEC practices in general:
104
105- **Think before you share**. Does it conform to the rules mentioned above?
106- **Compartmentalize**. Separate as much as you can from what you share
107online, from what you do IRL. Limit information exposure.
108- **Assess your risks**: Do this often. People change, your environments
109change, and consequentially the risks do too.
110
111## Fin
112
113Instagram is---much to my dismay---far too popular for it to die any
114time soon. There are plenty of good reasons to stop using the platform
115altogether (hint: Facebook), but that's a discussion for another day.
116
117Or be like me:
118
119![0 posts lul](/static/img/ig.jpg)
120
121
122And that pretty much wraps it up, with a neat little bow.
123