OpSec as Sovereign Architecture
Selective Visibility Under Adversarial Observation

0. The Map: Where the Synthetic Stack Watches

Start with the adversary’s sensor grid: seven telescopes continuously pointed at you.

1. Device / OS telescope — smartphones, laptops, baseband radios, firmware, telemetry back to vendors. Even “idle” phones emit identifiers and metadata frequently. R01 Leith
2. Network telescope — ISPs, IXPs, national taps: IPs, timing, volumes; sometimes destinations even when content is encrypted.
3. Browser telescope — fingerprinting via fonts, canvas/WebGL, screen, locale, behavior. R21 Tor FP
4. Cloud & push telescope — iCloud/Drive/OneDrive; push systems (APNs/FCM) correlating device↔app↔timing. R33 APNs R34 FCM
5. Financial telescope — KYC rails, banks, card networks, on-chain analytics: transparent graphs.
6. Physical telescope — cameras, plate readers, access systems, RF beacons, towers.
7. Legal telescope — subpoenas, MLATs, regulatory compulsion that can force the other telescopes to speak.

1. Threat Modeling: Define the War, then Pick Weapons

Per role, not per “person,” define assets, adversaries, capabilities, and surfaces. Output is not “maximum security.” Output is an explicit trade:

1.1 Assets

• Capital — Bitcoin keys, wallet seeds, infra keys.
• Identity — legal name, location, biometrics, long-term pseudonyms.
• Relationships — who you work with, who you pay, who you protect.
• Intelligence — strategy, code, research, long-horizon plans.

1.2 Adversaries

• Data brokers, ad-tech, “free” platforms.
• Big tech platforms (OS vendors, cloud, social).
• Criminals (phishing crews, SIM-swappers, physical thieves).
• States (local LEA, intelligence agencies, foreign services).

1.3 Capabilities

• Observe a lot of network traffic (ISP/IXP/national taps).
• Compromise devices (malware, supply chain, zero-days).
• Compel access (subpoenas, raids, MLATs).
• Exploit humans (phishing, extortion, manipulation).

1.4 Surfaces

Devices, networks, browsers, cloud, finance, physical world, law.

2. Compartmentalization: Shrink the Blast Radius

We never have “one identity.” We have roles.

2.1 Roles as micro-universes

• Civil identity (“passport human”).
• Public persona (visible builder).
• Pseudonymous research identity.
• Capital operator / key steward.
• Infra admin / node operator.

Each serious role should have its own email(s), handles, avatars; its own network path; its own key hierarchy; ideally its own device or hardened, isolated profile.

2.2 Hard vs soft links

• Hard links (never across critical roles): phone numbers reused; shared recovery email; same device/IP for every persona.
• Soft links (must be controlled): stylometry; time zone/posting schedule; contact-graph overlap; shared infra.

Decide which roles are allowed to be linkable. Make forbidden links expensive to prove: analysis, not database joins.

2.3 Compartment sanity check

• Device: dedicated device or hardened profile?
• Network: consistent path per role (Tor/mixnet/VPN) vs naked IP?
• Identity: email/handle/recovery unique?
• Keys: separate key material, or subtle reuse?

3. Devices & OS: If the Host Is Owned, Everything Above Is Theater

Crypto, Tor, mixnets, secure messaging—irrelevant if your box is hostile. The device layer sets the ceiling on everything else.

3.1 Smartphones: hostile by default

• Baseband radios with opaque firmware.
• OS telemetry: iOS/Android transmit identifiers and data frequently even when idle. R01 Leith
• Always-on sensors (GPS, accel, mic, camera, Wi-Fi, Bluetooth).

3.2 Laptops / desktops

• Full-disk encryption, strong passphrase, hardened OS updates.
• Boot chain protected (secure/verified boot) vs “inject anywhere.”
• Amnesic environments where appropriate (live OS with minimal traces).

3.3 A sane three-machine pattern

• Daily workstation — normal work; no master keys.
• Hardened OpSec machine — minimal apps; role-specific use only.
• Air-gapped machine — permanently offline; key generation + signing.

4. Network Layer: Tor, VPNs, Mixnets as Cost-Shaping

4.1 Tor: useful, but not a god

Tor routes traffic through relays with layered encryption. Entry sees you, exit sees destination, middle just passes ciphertext. Tor is designed to resist many observers—not a global passive adversary who can correlate traffic everywhere. Tor’s own docs and discussions make this explicit. R17 Tor Design R19 Tor Netflows R20 SE R22 Survey

4.2 VPNs: trade one watcher for another

• Hide your IP from local observers (ISP/landlord/café).
• Concentrate trust in the VPN operator (logs + legal compulsion exposure).
• Does not fix browser fingerprinting or application-layer identity leaks.

4.3 Mixnets: cover traffic and delay as armor

Where Tor is low-latency and vulnerable to sophisticated traffic analysis, mixnets trade latency for stronger metadata privacy: Poisson mixing + cover traffic + stratified nodes. Loopix targets resilience even under strong observation models. R24 Loopix R26 Nym R28 Sphinx

5. Browser & Fingerprinting: Your IP Can Change, Your Fingerprint Follows

Adversaries fingerprint fonts, language, plugins, screen, canvas/WebGL/audio, and behavior. Even over Tor/VPN, a unique fingerprint can track you.

• Over Tor: use Tor Browser as shipped. Don’t add plugins; don’t “customize” into uniqueness. R23 Plugins
• For high-risk roles: dedicated browser context per role; never cross-login into personal accounts.
• Minimize “special settings” that create uniqueness; understand the trade-off between blocking and standing out.

6. Secure Messaging: Moxie, Trevor, Ian and the Ratchets

Content vs metadata: content is message bodies; metadata is who/when/which device/network. Secure messaging is content armor. Metadata needs its own armor.

6.1 Double Ratchet and OTR lineage

The Double Ratchet combines a DH ratchet and a symmetric-key ratchet so each message uses fresh keys, delivering forward secrecy and post-compromise security. R31 DR OTR pioneered forward secrecy and deniable authentication. R35 OTR

6.2 Metadata reality

• Phone numbers are strong identifiers.
• Address book uploads expose relationship graphs.
• Push infrastructure leaks timing and device-use graphs. R33 APNs R34 FCM
• Server logs can link IPs, registration, device models.

7. Cloud, Push, and Platform Chokepoints

Cloud backups and push infrastructure are convenience and attack surface. Architect so platform vendors lack anything critical to hand over.

• Cloud backups: auto-sync screenshots, chats, documents, photos.
• Push (APNs/FCM): app↔device timing graphs. R33 APNs R34 FCM
• Platform accounts: Apple ID / Google account as central identity.

8. Financial Privacy: Zooko, Zcash, and Bitcoin Graphs

Zcash demonstrates that public consensus and private transaction details can coexist via zero-knowledge proofs. In Bitcoin-centric reality: on-chain graphs are identity mirrors. Money flows are OpSec.

• Privacy is not “a feature.” It is the graph-geometry of your life.
• Optional privacy shrinks to the subset that uses it; sparse usage collapses real anonymity sets.
• KYC rails are adversarial telescopes: treat as such in threat models.

9. Keys, Hardware, Multi-Sig, and Backups: Your Life in a Few Bits

Everything collapses if keys leak. Treat “make it easier” as “where did I duplicate the secret?”

9.1 Threats

• Remote: malware, clipboard stealers, injected JS.
• Local: stolen devices, “evil maid,” shoulder surfing.
• Compulsion: seized devices, forced unlock (jurisdiction-dependent).
• Stupidity: seeds in cloud notes; photos of seed phrases; plaintext exports.

9.2 Patterns

1. Hardware security — hardware wallets, security keys, hardware-backed keystores.
2. Key separation — auth vs encryption vs identity signing vs custody.
3. Multi-sig & thresholds — separate devices/vendors/locations; threshold shares where appropriate.
4. Backups as a designed system — encrypted, multiple sites; runbooks; recovery + revocation paths.

10. Human Layer: People Are Easier to Hack Than Protocols

Most compromises begin with a human, not a kernel exploit.

• Phishing: fake login pages, scam wallets, malicious attachments.
• Consent phishing: “approve this OAuth app / wallet transaction.”
• Password reuse: one breach → many services.
• Emotional manipulation: urgency, fear, flattery, tribal appeal.

11. Physical & Jurisdictional Surfaces

You have a body. The system has buildings, cameras, towers, and courts.

11.1 Physical trail

• Cameras (streets, shops, ATMs, offices).
• RF (Wi-Fi association logs, Bluetooth beacons, cell towers).
• Transactions (cards, transit, ride-share, hotels).

11.2 Jurisdiction

• Different regimes: retention laws, compulsion powers, crypto regulation.
• Design questions: where are you; where are servers; where are signers; which jurisdictions must not collocate?

12. Advanced Threats: Side-Channels, Supply Chain, AI, Post-Quantum

12.1 Side-channels

Power/EM/acoustic leaks exist. Practical adjustment: don’t do high-stakes key operations in untrusted physical environments.

12.2 Supply chain

Hardware/firmware can be compromised before unboxing. Avoid monocultures; verify signatures/checksums; treat firmware updates as untrusted code.

12.3 AI as meta-adversary

AI amplifies correlation: graph linkage across leaks, stylometry between pseudonyms, tailored phishing. Assume anything public can be fed into models for correlation.

12.4 Cryptographic agility & long-term secrecy

Protocols are evolving toward hybrid post-quantum components (e.g., Signal PQXDH and SPQR). R32 PQXDH R60 SPQR

13. From Solo Node to Team / Org

Org-level OpSec primitives scale compartments.

• Least privilege — access only to what’s needed.
• Role-based secrets — rotate keys when roles change.
• Shared secret protocols — multi-sig, thresholds, auditable vault access.
• Onboarding/offboarding rituals — accounts/devices/keys issued and revoked cleanly.

14. Synthesis: OpSec as Civilizational Infrastructure

Tie it together as four layers:

1. Identity layer — roles, compartments, keys; protects who is who.
2. Comms layer — Tor, mixnets, secure messaging, browsers; protects who talks to whom.
3. Capital layer — Bitcoin custody, multi-sig, privacy routing; protects who owns what and how value moves.
4. Anchor layer — devices, OS, hardware, jurisdictions, physical spaces; the meat and metal where everything lands.

15. Doctrine: What You Actually Remember

Strip it to executable law:

1. Define threat models per role. Assets, adversaries, capabilities, surfaces.
2. Compartment everything that matters. Separate devices, networks, identities, keys. Design for limited blast radius.
3. If the device is hostile, everything is hostile. Harden OS/hardware; airgaps and dedicated machines for critical ops.
4. Use Tor/VPN/mixnets as instruments, not magic. Pick per use-case and threat model.
5. Browser fingerprinting is an identity. Tor Browser as shipped for anonymity; dedicated contexts per role elsewhere.
6. Secure messaging is content secrecy, not full privacy. Handle metadata separately.
7. Cloud and push are chokepoints. Architect so platform vendors lack critical material.
8. Keys are your life. Hardware, multi-sig, threshold shares, designed backups.
9. People are easier to hack than crypto. Anti-phishing reflexes; minimal disclosure.
10. Physical world and law are part of the model. Movement, co-location, jurisdictional leverage.
11. AI is a meta-adversary. Assume global correlation on anything public.
12. Red-team yourself by default. Assume breach; rehearse recovery; redesign where your own answers scare you.