Intro to OpSec - Part 2

Intro to OpSec (Part 2)#


In this part: metadata, location tracking, defense-in-depth, isolation, identity separation, and common myths/mistakes.


Table of Contents#

  1. Metadata
  2. Mobile device location tracking
  3. Defence in depth
  4. Security through isolation
  5. Isolation of identities
  6. Myths
  7. Common mistakes
  8. Official sources (downloads & docs)

Metadata#

Metadata is data about data. A filename is metadata because it can reveal what a file is or what it might contain. Photos can include location, camera model, timestamps, and more. Documents can include author names, software versions, and editing history.

Metadata can identify you#

If you share files publicly (or they are intercepted), an adversary can analyze metadata to identify where, when, and how the file was created. Even if the content is harmless, metadata may still reveal your identity or workflow.

Metadata is everywhere: file names, file sizes, connection logs, Wi-Fi and cellular records, and messaging patterns all create metadata. You cannot eliminate metadata entirely, but you can reduce and control it.

Removing metadata using MAT2#

MAT2 is a popular command-line tool for removing metadata. The basic workflow is:

  1. Install the mat2 package for your Linux distribution.
  2. Check a file for metadata:

       mat2 --show filename

  3. Remove metadata:

       mat2 filename

MAT2 does not edit in place by default. It creates a new file with .cleaned in the name, leaving the original intact.
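Added example, not part of the original page and not MAT2's own code: a minimal JPEG metadata inspector and stripper in Python that does, for one file format, what the mat2 --show / mat2 workflow above does. The sample JPEG container is constructed inline and is not a decodable image; its Exif payload and comment are placeholder text standing in for real GPS, camera and editing-software tags.

```python
import struct

# JPEG markers (16-bit, big-endian). Metadata lives in APPn/COM header
# segments between SOI and the first SOS; the pixel data follows SOS.
SOS, APP0, APP15, COM = 0xFFDA, 0xFFE0, 0xFFEF, 0xFFFE

def parse_jpeg(data: bytes):
    """Split a JPEG into (header segments, tail); tail is SOS..EOI verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS:
            return segments, data[pos:]
        segments.append((marker, data[pos:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("no SOS marker: truncated or unsupported JPEG")

def list_metadata(data: bytes) -> list:
    """Name each metadata-bearing segment, roughly what `mat2 --show` reports."""
    names = []
    for marker, raw in parse_jpeg(data)[0]:
        if marker == COM:
            names.append("COM")
        elif APP0 <= marker <= APP15:
            # APPn payloads open with an identifier string: JFIF, Exif, ICC_PROFILE, ...
            ident = raw[4:].split(b"\0", 1)[0].decode("ascii", "replace")
            names.append(ident or f"APP{marker - APP0}")
    return names

def strip_metadata(data: bytes) -> bytes:
    """Drop every APPn/COM segment except APP0 (JFIF), which decoders need."""
    segments, tail = parse_jpeg(data)
    kept = [raw for marker, raw in segments
            if not (marker == COM or APP0 < marker <= APP15)]
    return b"\xff\xd8" + b"".join(kept) + tail

def _seg(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed sample: a structurally valid JPEG container, not a decodable image.
SAMPLE = (b"\xff\xd8"
          + _seg(APP0, b"JFIF\0\x01\x02\0\0\x01\0\x01\0\0")
          + _seg(APP0 + 1, b"Exif\0\0MM\0*\0\0\0\x08<constructed GPS and camera tags>")
          + _seg(COM, b"edited with ExamplePhotoTool 1.0")
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\x56\xff\xd9")
```

Like mat2, write the result of strip_metadata to a new file (for example photo.cleaned.jpg) rather than overwriting the original, so the pixel data is still there if the cleaning step breaks something.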

Removing metadata in Tails (Metadata Cleaner)#

Tails includes a GUI app called Metadata Cleaner, which uses MAT2 under the hood. The workflow is simple:

  1. Open Metadata Cleaner.
  2. Drag and drop your file(s).
  3. Click Clean and use the cleaned output.

Mobile device location tracking#


Cellphones#

Cellular networks generate cell-site location information (CSLI). This data can be used to approximate a phone’s location, and using multiple towers can improve accuracy through triangulation.

Standards require that emergency calls be supported even without a SIM (subject to regulation), which means the phone’s radio can still interact with the network in some cases. As a result, simply removing the SIM is not always a guarantee that the phone will never talk to cell towers.

Laptops and Wi-Fi tracking#

Wi-Fi networks can identify devices using MAC addresses. To reduce tracking, many operating systems support MAC randomization, and NetworkManager can randomize or “stable-randomize” MAC addresses per network.
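Added example, not from the original page: the NetworkManager keys that control this, shown as a weak and a hardened drop-in config, plus a small Python check that reads such a config and reports weak settings. The two config texts are constructed; the drop-in location /etc/NetworkManager/conf.d/ is an assumption about where you would install the hardened one.

```python
import configparser

# Constructed drop-in configs (intended for /etc/NetworkManager/conf.d/, path assumed).
# The keys are NetworkManager's own: wifi.scan-rand-mac-address (NetworkManager.conf)
# and wifi.cloned-mac-address / connection.stable-id (nm-settings).
WEAK = """
[device]
wifi.scan-rand-mac-address=no

[connection]
wifi.cloned-mac-address=permanent
"""

HARDENED = """
[device]
# randomize the MAC used in probe requests while scanning (NetworkManager default: yes)
wifi.scan-rand-mac-address=yes

[connection]
# per-network random MAC ("stable-randomize"); 'random' would rotate on every connect
wifi.cloned-mac-address=stable
# ${BOOT} in the stable-id makes the per-network MAC change on each reboot as well
connection.stable-id=${CONNECTION}/${BOOT}
"""

def audit_mac_randomization(conf_text: str) -> list:
    """Return human-readable findings; an empty list means no weak setting found."""
    cp = configparser.ConfigParser(interpolation=None)  # keep ${...} literal
    cp.read_string(conf_text)
    findings = []
    # fallbacks are NetworkManager's documented defaults when the key is absent
    scan = cp.get("device", "wifi.scan-rand-mac-address", fallback="yes")
    if scan.strip().lower() not in ("yes", "true", "on", "1"):
        findings.append("scan-rand-mac-address disabled: probe requests reveal the hardware MAC")
    cloned = cp.get("connection", "wifi.cloned-mac-address", fallback="preserve").strip()
    if cloned not in ("random", "stable"):
        findings.append(f"wifi.cloned-mac-address={cloned}: hardware MAC used once associated")
    return findings
```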


Defence in depth#

Defence in depth is using multiple layers of protection so that if one layer fails, others still stand. Virtual machines, strict app sandboxing, and separation of tasks are all examples.

However, not every layer is useful. Adding layers that do not meaningfully reduce risk can create complexity without improving security. Focus layers on the weakest, most likely attack paths.


Security through isolation#

Every piece of software has vulnerabilities. Isolation reduces the impact of compromise.

Virtual machines#

Virtual machines run software in isolated environments. If a VM is compromised, the host and other VMs can remain safe if the system is properly configured and fully updated. Misconfigurations or outdated virtualization software reduce this benefit.

Qubes OS#

Qubes OS applies isolation at the OS level by running most activities in separate VMs (“qubes”). The design assumes software will eventually be compromised, so it limits the blast radius of any single compromise.


Whonix#

Whonix uses two VMs: Gateway (runs Tor) and Workstation (runs applications). This isolates network routing from user activity and forces all traffic through Tor.


Isolation of identities#

If you maintain multiple anonymous identities, keep them separate. Separate VMs, separate storage, separate accounts, and separate workflows. If identities ever cross, the separation is lost and correlation becomes possible.


Myths#

“Tor is funded by the US government, so it’s not secure”#

The Tor Project is funded by multiple sources including US federal agencies, private foundations, and individual donors. Funding does not equal control. Tor is open source and transparent about funding.

“Telegram is end-to-end encrypted by default”#

Telegram uses end-to-end encryption only in Secret Chats. Regular cloud chats are stored on Telegram’s servers and are not end-to-end encrypted by default.

“100% anonymity exists”#

No system guarantees perfect anonymity. You can only reduce risk and raise the cost for an adversary.

“Proton Mail is anonymous”#

Proton Mail provides end-to-end encryption for message content, but subject lines are not end-to-end encrypted. Proton can also be legally compelled to provide certain account data under Swiss law.


Common mistakes#

Believing in 100% security#

Security is a moving target. Aim for reasonable security, keep systems updated, and use layered defenses where they actually help.

FUD and anecdote-driven conclusions#

A single failure story does not prove a tool is “broken.” Evaluate versions, configurations, and threat models before changing your stack.

Overlooking other vectors#

If you encrypt email but ignore subject lines, you leak data. If you secure a browser but reuse identities, you leak data. Always look for side channels and metadata.


Official sources (downloads & docs)#