If you consider yourself a target of a high risk threat, you should do the below. This will be a repost of a past post. However, I updated this. This list is also far from a complete scope of what you should or could do.

Device / OS security:

- Use the most recent device you possibly can.

- Upgrade your device to the newest generation as soon as possible if you can comfortably afford to.

- Use the latest version of your operating system as soon as possible.

- Use full disk encryption.

- Use a long, secure, unique passphrase for your device. Ensure they are unique between all devices.

- Never leave your devices unattended. Keep in your proximity or in a safe place.

- Turn your device off in a tense situation or when not in use for many hours.

- Do not plug devices into unknown ports or with unknown cables.

- Never download unknown apps or files.

- Uninstall preinstalled applications and disable services you do not use.

- Disable WiFi, Bluetooth, NFC etc. when not in use.

- Use airplane mode and/or take out your SIM card as much as possible to minimise cellular network tracking.

Network / Web browsing:

- Only use encrypted protocols i.e. HTTPS, SSH, SFTP and more. You can enable certain applications like Web Browsers to always use HTTPS. Manually type in the https:// part of the URL.

- Use a VPN or an anonymity network like Tor if you are concerned about web sites knowing your IP address or wish to obscure traffic from the ISP of your connected network. Understand you are shifting trust by moving your traffic into other servers.

- Disable JavaScript just-in-time (JIT) compilation for a significant attack surface reduction. Disabling JS is a massive attack surface reduction, but may cause you to stand out and make web browsing unsustainable.

- Disable web browser features you do not need.

- Use an ad blocker if your browser doesn't have one.

- Use the least amount of extensions as possible.

- Use feed readers.

Communication:

- Communicate only over secure messaging apps.

- Only message people you trust or know.

- Do not open unknown attachments.

- Enable scheduled deletion of messages.

- Remember in a private message your communications are as secure as the least secure person there.

Accounts:

- USE MULTI FACTOR AUTHENTICATION. TOTP is secure, and a hardware MFA like U2F keys are most secure. Avoid SMS or email-based MFA where possible.

- Use unique passwords for accounts.

- Use email aliases or burners. Not everything needs to be attributed to you.

- Lie. If a service isn't required to know about your real world identity, like applying for a passport or deliver a product, then don't use real details.

- Delete accounts you don't use. Make new ones when you need services again.

- Assess whether signing up for something is necessary.

Opsec:

- Search yourself on Google, Bing, Yandex, etc.

- Post more of what you want everyone to know, not what only certain people should know.

- Don't create an incentive for people to try and uncover you or misuse your trust. Be private but not mysterious. Don't be a bad actor people will and target you for.

- AI face search / reverse image search yourself.

- Do not post pictures of interiors or locations unless you want everyone to know you was at the location at some point.

- Opt out of data brokers and public indexes.

- If you know too much or too little about something, it's better not to talk about it at all.

- Decide whether you want fame or you want privacy, and stick to that. Regret is a mental toll that will distract you.

- Use common sense and rationale. Be diligent but do not be paranoid. Growing an obsession over a tiny detail leaves you vulnerable to being distracted by a red herring, attention that could be used to uncover a flaw in your approach.

- Learn to concede. Find the answers sources tell you, not the answers you want to hear. Unless you are a professional, then you are not a reliable source.

- Disassociate with data. Learn to only keep files or other data as long as it is necessary. If they serve no use, delete. If they serve a future use, then back it up and encrypt.

- Remember that you are only as secure as the people you trust. If they do not meet your safety or security requirements, don't enable them to do things that could cause trouble.

GrapheneOS users:

- Toggle on enabling hardening like memory tagging, Dynamic Code Loading restrictions and disabling WebView JIT by default.

- Use a strong diceware passphrase if you are concerned about a sophisticated actor with physical access.

- Use user profiles or private spaces if you need something uniquely compartmented or their own VPN.

- Set automatic reboot time to the lowest time you have comfort with.

- Enable duress password. Make it something easy to trigger but difficult to misfire.

- Use your duress password just before shit hits the fan, not when it already has.

- Use two-factor fingerprint unlock with PIN scrambling. to prevent shoulder surfing your primary passphrase credential to decrypt the device when BFU.

- Use the right USB-C port control setting for you.

- Enable LTE only mode for attack surface reduction if you choose to use the cellular network.

- Use Storage Scopes and Contact Scopes for apps more often.

Switzerland sadly is one of the most corrupt countries

#DivestOS development has ended

Starshield: Situational Awareness for the Star Labs StarBook

Check all of this out 🫡