Today’s Thought:
It's morning and I'm drinking coffee that's gone cold twice. Thirty years in security has taught me one thing worth saying out loud: most of you are walking around digitally naked and you don't know it. Not because you're stupid. Because the people selling you devices and services have spent billions making sure you never look behind the curtain.
So let's look behind the goddamn curtain.
This isn't a manifesto. It's a field manual. The threat model is whatever scares you — corporate surveillance, an ex who won't stop, a government that doesn't recognize your right to exist, or just the mundane horror of identity theft on a Tuesday morning. The tools are mostly the same. The discipline is the same. The mindset is the same.
You ready? Good. Sit down.
Mindset First
Here's what nobody tells you. Security is not a product. You cannot buy it. You cannot install it. You cannot subscribe to it for $9.99 a month and get back to scrolling.
Security is a practice. Like running. Like learning a language. Like grief. You do it daily or it does not work.
Three rules to tattoo somewhere you'll see them.
Trust nothing by default. Verify. Yes, it sounds paranoid. The word "paranoid" was invented by people who wanted you to stop noticing things. Notice things.
Everything you do leaves a trace. Every search. Every login. Every charging cable in every airport. Your job isn't to disappear — that's a fantasy and the people selling it are usually grifters or feds. Your job is to minimize the traces that matter and make peace with the rest.
You are the weakest link. Not your software. You. The cleverest encryption in the world cannot save you from typing your real name into the wrong window at 2 AM because you were tired. I have done this. So have you.
The point of OpSec is not perfection. The point is to make yourself expensive enough to attack that the attacker moves on to someone easier. Someone easier is always there. Don't be them.
Lock the Front Door
Your passwords are bad. I know they are. Don't write to me explaining how yours are different.
Get a password manager. Today. Right now, if you're reading this on a desktop. Bitwarden if you want cloud sync that's been audited to hell and back. KeePassXC if you want it offline and don't trust anyone, ever. 1Password if you have money and want it to feel like a normal app.
The password manager does three things you cannot do:
Generates passwords that look like a cat seizured on the keyboard
Remembers them so your brain doesn't have to
Tells you which ones you've reused so you can be properly horrified
One master passphrase. Make it long. Make it weird. Four random words from a dictionary you can actually picture — moss-cathedral-ferret-glove — beats P@ssw0rd2024! every time, and your fingers will love you for it.
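Here is the arithmetic behind "four random words beats P@ssw0rd2024!", as an added example that is not part of the original piece and not code from any password manager. The word list, the cracking rate and the "word + leet + year + symbol" rule model are constructed for the demo and labelled as such in the code; a real diceware list has 7776 words, which is the number the entropy figure uses.

```python
import math
import secrets
import string

# Constructed word list for the demo. A real diceware list has 7776 entries and a
# password manager ships its own. Entropy depends on the list SIZE, so the functions
# below take the size as a parameter instead of reading it from this list.
SAMPLE_WORDS = ["moss", "cathedral", "ferret", "glove", "anvil", "river",
                "lantern", "quartz", "meadow", "copper", "violet", "harbor"]
DICEWARE_SIZE = 7776          # 6^5 words, one per roll of five dice
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Bits of entropy for word_count words drawn uniformly at random from list_size words."""
    return word_count * math.log2(list_size)


def random_string_entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for a string whose every character is chosen uniformly at random.
    This formula does NOT describe a human-chosen string like P@ssw0rd2024!."""
    return length * math.log2(charset_size)


def mangled_word_search_space_bits(words: int = 10_000, leet_variants: int = 8,
                                   years: int = 30, suffixes: int = 10) -> float:
    """Constructed rough model of a cracker's rule set enumerating 'word + leet + year + symbol':
    the space an attacker actually searches is the product of the choices, not 94^length."""
    return math.log2(words * leet_variants * years * suffixes)


def make_passphrase(word_count: int = 4, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Draw words with secrets.choice (a CSPRNG); random.choice is not suitable for secrets."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def make_random_password(length: int = 20, charset: str = PRINTABLE) -> str:
    """What the password manager generates for site logins you never have to type yourself."""
    return "".join(secrets.choice(charset) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try the whole space at a constructed 10^10 guesses/s (offline GPU cracking)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("4 diceware words:", round(passphrase_entropy_bits(4, DICEWARE_SIZE), 1), "bits")
    print("13 random printable chars:", round(random_string_entropy_bits(13, 94), 1),
          "bits, but only if every character was actually random")
    print("word+leet+year+symbol pattern:", round(mangled_word_search_space_bits(), 1), "bits")
    print("years to exhaust the passphrase space:", round(years_to_exhaust(51.7)))
    print("example passphrase:", make_passphrase())
    print("example manager password:", make_random_password())
```

The point the numbers make: four words from a 7776-word list is about 52 bits no matter how pronounceable it looks, while a mangled dictionary word lives in a space a rule-based cracker walks in minutes, whatever the character-class formula claims for it.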
Then turn on multi-factor authentication. Everywhere. Yesterday.
Not SMS. SMS is a screen door on a submarine — a phone-number takeover takes one bored teenager and a phone store with a tired clerk. Use an authenticator app instead. Aegis on Android. Raivo or 2FAS on iOS. Authy if you need cross-device and accept the trust trade-off. Print your backup codes. Put them somewhere your future self in a panic can find. A safe. A locked drawer. Not your email.
For the accounts that matter — your password manager itself, your primary email, your bank — buy a hardware key. YubiKey. Two of them, because if you only have one and you lose it you'll cry. About sixty bucks well spent. The day someone tries to phish you and the key just refuses to work because the URL is wrong by one letter, you'll understand why.
Talk Without Being Heard
Most messaging apps are surveillance products with a chat interface bolted on. The exceptions are worth knowing.
Signal. End-to-end encrypted by default. Open source. Independently audited. Run by a nonprofit. Almost no metadata. Set disappearing messages on every conversation that isn't grandma's recipe exchange. Make it your default SMS app on Android while you still can.
Session. No phone number required. Decentralized routing. Useful when you can't or won't tie a number to your identity. The trade-off is a smaller network and slower delivery. Worth it for some threat models. Not for others.
Matrix (with Element, FluffyChat, etc. as the client). Federated. Self-hostable if you're that kind of person. End-to-end encryption when you turn it on, which you should. Good for groups that want infrastructure they control.
What to avoid, because pretending otherwise is malpractice: regular SMS, Facebook Messenger, Telegram's default chats, anything from a company whose business model is your attention. Telegram's "secret chats" are fine. Almost no one uses them. That should tell you something.
Email is fundamentally broken from a privacy standpoint. The protocol is older than I am and it shows. ProtonMail and Tutanota encrypt what they can — between users on the same service, it's actually private. Between you and gmail.com, it's a postcard with a paper sleeve. PGP exists if you want to learn it. You probably don't. Most people who claim to use PGP daily are lying or weeping.
A few rules anyway: separate emails for separate purposes. Aliases for newsletters and one-time signups (SimpleLogin, AnonAddy, Apple's Hide My Email). Never click a link in an email and then enter credentials on the page that loads. The bank never sends that email. Neither does the IRS. Neither does your boss at 11 PM.
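The "URL wrong by one letter" point from the hardware-key section and the "never enter credentials on a page a link loaded" rule come down to the same check: does the origin of the page match, exactly, the origin you hold an account with? This added example (not from the original piece, not any browser's or password manager's code) does that comparison the way a browser or a FIDO2 key would, and names the common ways a link in an email fails it. The origin list and the URLs are constructed for the demo.

```python
import ipaddress
from typing import Set, Tuple
from urllib.parse import urlsplit

# Constructed list of origins you actually hold accounts with. In practice a password
# manager's saved entries play this role: autofill only fires on an exact origin match.
KNOWN_ORIGINS = {"https://bank.example", "https://mail.example"}


def origin_of(url: str) -> str:
    """scheme://host[:port] as a browser (and a security key's relying-party check) sees it.
    Anything before '@' is userinfo, not the host, and is deliberately dropped here."""
    p = urlsplit(url.strip())
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("not an http(s) URL")
    host = p.hostname.lower().rstrip(".")
    default = 443 if p.scheme == "https" else 80
    port = f":{p.port}" if p.port and p.port != default else ""
    return f"{p.scheme}://{host}{port}"


def check_link(url: str, known: Set[str] = KNOWN_ORIGINS) -> Tuple[bool, str]:
    """(True, why) only on an exact origin match; otherwise (False, the most telling reason)."""
    origin = origin_of(url)
    if origin in known:
        return True, "exact origin match"
    p = urlsplit(url.strip())
    host = p.hostname.lower().rstrip(".")
    known_hosts = {urlsplit(k).hostname for k in known}
    if p.username is not None:
        return False, f"userinfo '{p.username}@' in front of the real host {host}"
    if p.scheme == "http" and f"https://{host}" in known:
        return False, "known site but plain http: credentials would travel in the clear"
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address instead of a domain name"
    except ValueError:
        pass
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised host: check for look-alike characters"
    for kh in known_hosts:
        if kh in host:
            return False, f"contains the trusted name {kh} but the registered domain is different"
    return False, "origin not in your list; reach the site from your own bookmark instead"


if __name__ == "__main__":
    for link in ["https://bank.example/login", "https://bank.example.evil.test/login",
                 "https://bank.example@evil.test/login", "http://bank.example/login",
                 "https://bank.examp1e/login"]:
        print(f"{link:45} -> {check_link(link)}")
```

A password manager that refuses to autofill, or a security key that refuses to sign, is running exactly this comparison for you, with no tired human in the loop; that is the whole reason they beat eyeballing the address bar.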
The Browser Question
Tor is misunderstood by both its evangelists and its critics. Let me try to be honest about it.
What it does: routes your traffic through three encrypted hops, hiding your IP from the destination and your destination from your ISP. Useful. Sometimes essential.
What it does not do: make you anonymous. Make you safe from yourself. Make HTTP magically secure (the exit node sees plaintext — and yes, three-letter agencies absolutely run exit nodes, that's not paranoia, that's documented). Protect you when you log into your real Gmail and then post on a forum under your pseudonym from the same session, which is how nearly everyone who gets caught gets caught.
Use Tor Browser. Don't resize the window. Don't install extensions. Don't enable JavaScript on sketchy sites. Don't torrent over Tor — you're hogging volunteer bandwidth and announcing your real IP to the swarm anyway. Keep it updated like your life depends on it, because for some people, it does.
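To make "three encrypted hops" and "the exit node sees plaintext" concrete, here is an added simulation of a circuit that is not from the original piece and not Tor's code. It builds a layered cell, passes it through guard, middle and exit, and records what each relay could observe. The per-layer cipher is a toy SHA-256 keystream so the demo runs on the standard library alone; Tor's real circuits use AES-CTR with keys negotiated by a handshake. Hop names, keys and the request are constructed.

```python
import hashlib
import json
import os
from typing import Dict, List, Optional, Tuple

LAYER_NONCE = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric layer: XOR with a SHA-256-derived keystream. Stand-in only, so the demo
    needs no third-party library; it is not Tor's cipher."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(LAYER_NONCE)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unwrap(key: bytes, cell: bytes) -> bytes:
    return _keystream_xor(key, cell[:LAYER_NONCE], cell[LAYER_NONCE:])


def build_onion(hops: List[Tuple[str, bytes]], dest: str, payload: bytes) -> bytes:
    """Client side: one layer per hop, innermost for the exit. Each layer reveals only
    'next' (where to forward) plus an opaque blob meant for the hop after that."""
    cell = wrap(hops[-1][1], json.dumps({"next": dest, "body": payload.hex()}).encode())
    for i in range(len(hops) - 2, -1, -1):
        _, key = hops[i]
        cell = wrap(key, json.dumps({"next": hops[i + 1][0], "cell": cell.hex()}).encode())
    return cell


def relay(key: bytes, cell: bytes) -> Tuple[str, Optional[bytes], Optional[bytes]]:
    """One relay's whole job: peel its own layer, read 'next', pass the rest along.
    Returns (next_hop, inner_cell_or_None, payload_or_None); only the exit ever gets a payload."""
    layer = json.loads(unwrap(key, cell))
    if "cell" in layer:
        return layer["next"], bytes.fromhex(layer["cell"]), None
    return layer["next"], None, bytes.fromhex(layer["body"])


def trace(hops: List[Tuple[str, bytes]], dest: str, payload: bytes,
          e2e_key: Optional[bytes] = None) -> Dict[str, dict]:
    """Run a cell through the circuit and record what each relay could observe.
    e2e_key models HTTPS to the destination: the exit then forwards ciphertext it cannot read."""
    if e2e_key is not None:
        payload = wrap(e2e_key, payload)
    cell = build_onion(hops, dest, payload)
    views, prev = {}, "client"
    for name, key in hops:
        nxt, inner, body = relay(key, cell)
        views[name] = {"from": prev, "to": nxt, "body": body}
        prev, cell = name, inner
    return views


if __name__ == "__main__":
    hops = [(n, os.urandom(32)) for n in ("guard", "middle", "exit")]   # constructed circuit
    req = b"GET /forum HTTP/1.1\r\nHost: news.example\r\n\r\n"        # constructed request
    for name, view in trace(hops, "news.example:80", req).items():
        print(f"{name:6} from={view['from']:7} to={view['to']:16} body={view['body']!r}")
    tls = os.urandom(32)
    print("with TLS the exit forwards:",
          trace(hops, "news.example:443", req, e2e_key=tls)["exit"]["body"][:12].hex(), "...")
```

Read the trace and the two claims fall out of it: the guard knows your address but not where you are going, the exit knows where you are going but not who you are, and over plain HTTP the exit also reads every byte. Nothing in the circuit hides what you type into the page at the far end; that is the "logged into real Gmail in the same session" failure in one line.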
VPNs are a different tool with a different purpose. Read me carefully here, because there's a lot of marketing bullshit in this space and I want you to think clearly.
A VPN does not make you anonymous. It moves your trust from your ISP to your VPN provider. That can be an upgrade. It can also be a sidegrade or a downgrade. Choose like you mean it.
What to look for: independently audited no-logs policy (Mullvad, IVPN, ProtonVPN have all done this). Jurisdiction outside Five Eyes — Switzerland, Panama, Iceland. Anonymous payment options including cash by mail (Mullvad does this, and it's beautiful). WireGuard support. A working kill switch. No-account models where possible — Mullvad just gives you a number, no email, no name.
What to run screaming from: any free VPN. Any VPN with a celebrity sponsorship and a YouTube ad budget that exceeds the GDP of a small country. Any VPN headquartered in the US, UK, Australia, Canada, or New Zealand. The legal regime in those countries lets agencies issue gag orders alongside data requests, which means the company is legally required to hand over your data and legally required to lie to you about it. That's not a bug. That's the design.
The geography matters. Switzerland has actual privacy law with teeth. Panama doesn't recognize US warrants. Iceland's constitution has data protection baked in. Your VPN's flag is part of its threat model. Treat it that way.
The Machine Underneath
The operating system is the floor. If the floor is rotten, nothing you build on top of it will hold.
Tails. A Linux distribution that boots from a USB stick, routes everything through Tor, and forgets you existed when you shut it down. The right tool for journalists, dissidents, anyone in a hostile environment. Slow. Sometimes annoying. Saves lives.
Qubes OS. Compartmentalization through virtualization — every task runs in its own isolated VM, color-coded by trust level. Banking in one VM, browsing in another, email in a third. The learning curve is real. The security model is the best on a desktop right now and it's not particularly close.
Linux (Fedora, Debian, Pop!_OS, take your pick). No telemetry. Full control. The desktop is fine in 2026, finally — I say that as someone who fought through the dark years. Pick something boring and well-maintained. Update it.
GrapheneOS for your phone if you can manage it. It's Android with the Google removed and the security cranked up. Runs on Pixel devices. Yes, the irony of using Google's hardware to escape Google is not lost on me. The hardware security module on those phones is genuinely best in class, and GrapheneOS is what you do with it.
Encrypt your disk. All of it. LUKS on Linux. FileVault on macOS. BitLocker on Windows. VeraCrypt for portable encrypted containers. The passphrase needs to be a passphrase — long, weird, memorable to you and no one else. If your laptop gets stolen and the disk is encrypted, you've lost a laptop. If it's not, you've lost everything that was ever on it, and so has every person whose data was on it.
Back up. Encrypted. Off-site. Test the restore — an untested backup is a prayer, not a plan. I have watched people lose decades of work because they assumed the cloud sync was a backup. The cloud sync is not a backup. It's a synchronized way to delete the same file in three places.
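"Test the restore" in practice means restoring somewhere harmless and checking every file against a record you made at backup time. This added example (not from the original piece, not any backup tool's code) does exactly that with a tar archive and a SHA-256 manifest, and shows the failure it is there to catch: a backup job that quietly skipped a file. The sample tree is constructed; encryption is left to the disk or container the archive lives on, as the text advises.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root: Path) -> Dict[str, str]:
    """relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Archive src and write the manifest beside it. Keep a copy of the manifest
    somewhere other than the archive, or it proves nothing."""
    manifest = manifest_of(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Restore into a scratch directory and compare every file to the manifest.
    Returns {relative_path: problem}; an empty dict means the restore can be trusted."""
    problems: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")   # refuses members that escape dest (Python >= 3.12 and backports)
            except TypeError:
                tar.extractall(dest)                  # older Python without the filter argument
        restored = manifest_of(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems[rel] = "missing after restore"
            elif restored[rel] != digest:
                problems[rel] = "hash mismatch"
        for rel in restored:
            if rel not in manifest:
                problems[rel] = "unexpected extra file"
    return problems


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed sample tree. Returns (problems for a full backup, problems for a backup
    that silently dropped a file but is checked against the manifest you THINK it matches)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "home"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "todo.txt").write_text("call the bank fraud line\n")
        (src / "thesis.txt").write_text("chapter 1\n" * 100)
        manifest = make_backup(src, root / "full.tar.gz")
        clean = verify_restore(root / "full.tar.gz", manifest)
        (src / "notes" / "todo.txt").unlink()         # the exclude pattern ate a file nobody noticed
        make_backup(src, root / "partial.tar.gz")
        broken = verify_restore(root / "partial.tar.gz", manifest)
        return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("full backup problems:", clean)
    print("partial backup problems:", broken)
```

Run it on a schedule, not once: the restore that worked in January is the one you will reach for in November, and the thing that changed in between is exactly what the manifest is for.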
Phones Are the Soft Spot
Your phone is the most surveilled device you own. It knows where you sleep, who you call, what you Google at 3 AM, and how often you check on the person you're not supposed to be checking on. Treat it accordingly.
GrapheneOS, as I said. Failing that, an iPhone is a defensible choice for most people most of the time — Apple's threat model is at least somewhat aligned with yours, in that they don't sell ads against you. They cooperate with governments more than they admit, but the device-level security is real.
Either way: audit your app permissions every couple of months. Why does the flashlight need your contacts. It doesn't. Revoke it. Use F-Droid for open-source apps when you can. NetGuard or LockDown to firewall apps that won't behave. Disable the radios you're not using — Bluetooth and WiFi when you're walking around, NFC when you're not paying for things. A Faraday bag for the phone when you're going somewhere you don't want it to be. They're cheap. They work.
Never plug your phone into an unknown USB port. The data lines are right there next to the power lines. A USB data blocker — sometimes called a USB condom, which is the kind of name only engineers come up with — strips the data pins out and only passes power. Five bucks. Carry one.
The Body in the Room
OpSec people forget the body. The body is where it ends.
A privacy screen on your laptop. The person behind you on the train can read your email and you'll never know they did. Don't leave devices on tables in coffee shops while you go to the bathroom — yes, even for a minute, yes, even in that nice neighborhood. Don't have sensitive conversations in Ubers. Don't have them near smart speakers. Don't have them on the phone if you can have them in person.
Cameras are everywhere. Your face is a password you can't change. Plan accordingly.
I keep a small piece of black electrical tape over the camera on my laptop. Not because I think someone is watching right now. Because the cost is nothing and the day someone is, I will be glad. Same logic as a smoke detector. The day you need it, you needed it three years ago.
Living a Compartmented Life
This is the part that's hard. Not technically hard. Hard like flossing.
Different identities for different contexts. Your real name on your bank. A pseudonym on the activist forum. A different pseudonym on the hobby forum. Different email addresses. Different browsers, or at least different browser profiles. Different VPN servers. Never the same password. Never the same security questions (and lie on the security questions anyway — your mother's maiden name is whatever VeraCrypt random-stringed for you).
The streams must not cross. Once they cross, they stay crossed. No uncrossing them later.
Data hygiene matters too. Files named clearly enough that you know what they are, but not so clearly that the filename leaks the content if someone glances at your screen. Regular secure deletion of things you don't need. A retention policy in your head: this email after 30 days, that document after a year, that conversation never. Not because you're hiding something. Because the data you don't have can't be subpoenaed, leaked, or used against you.
I keep a list, on paper, of accounts I can never remember I have. I update it once a year. I sit at the kitchen table on a Sunday in February, the cat doing her impression of a loaf of bread on the chair next to me, and I write down what I have and what I owe. It feels archaic. It is the most modern thing I do.
When It All Goes Sideways
It will. Plan for it.
Have an offline list of who to call. Lawyer if you have one. Trusted friend who will not panic. Bank's fraud line. The hosting provider for your website. The phone company. The credit bureaus. Print this. Put it in a folder. Put the folder somewhere you'll find it when your phone is dead and your laptop is encrypted and you can't remember your own birthday because the adrenaline ate your prefrontal cortex.
Know your rights where you live. They're different from where you don't live. They're different from what cops will tell you they are. The EFF has guides. Read them before you need them.
If a device is compromised, assume it's compromised completely. Not "I'll just remove the malware." Wipe. Reinstall. Restore from a backup made before the compromise, if you can identify when that was. Change every password from a clean device. Rotate every key. This is brutal and exhausting and it's the only thing that works.
If an account is compromised, change the password from a different device, then change it again, then revoke all sessions, then check the recovery email and phone, then check what was sent from it, then check what permissions were granted to third-party apps, then warn everyone you know who might have received something from "you." In that order. Don't skip steps because it's tedious. The tediousness is the work.
A Shorter Honest Closer
I want to tell you that if you do all this, you're safe. I can't tell you that. No one who's honest can tell you that.
What I can tell you: you'll be in the top one percent of people on the internet for personal security, which means most attackers will pass you by for someone easier. You'll catch problems earlier. You'll have backups when other people don't. When something goes wrong — and something will go wrong — you'll have a plan, and the plan will mostly work, and the parts that don't will teach you the next thing.
That's the deal. That's the only deal there is.
Stay paranoid in a healthy way. Update your shit. Trust verification over trust. Be kind to the people who are still figuring this out — most of us were them not so long ago, and the goal isn't to feel superior, it's to make the network safer for the next person.
If you remember nothing else: OpSec is only as strong as your weakest practice. Don't let that weak link be you.
The cat's awake. The coffee's gone. Go lock something down.
The Resources
Every tool, service, and reference mentioned in this piece. Verified working as of writing. The internet rots — if a link breaks, search the project name plus "official" and you'll usually land on the right place.
Guides and reading
Privacy Guides — privacyguides.org
EFF Surveillance Self-Defense — ssd.eff.org
Electronic Frontier Foundation — eff.org
Security in a Box — securityinabox.org
The Tor Project — torproject.org
Password managers
Bitwarden — bitwarden.com
KeePassXC — keepassxc.org
1Password — 1password.com
Two-factor authentication apps
Aegis Authenticator (Android) — getaegis.app
2FAS Auth (iOS and Android) — 2fas.com
Ente Auth (cross-platform, end-to-end encrypted backups) — ente.io/auth
Hardware security keys
YubiKey — yubico.com
Encrypted messaging
Signal — signal.org
Matrix protocol — matrix.org — client: Element at element.io
Session — getsession.org — note: Session announced in April 2026 it may shut down July 8, 2026 if funding goals aren't met. Check the site before relying on it.
Encrypted email
Proton Mail — proton.me/mail
Tuta (formerly Tutanota) — tuta.com
Email aliasing
SimpleLogin — simplelogin.io (now part of Proton, still works as a standalone service)
Apple Hide My Email — included with iCloud+
VPNs
Mullvad — mullvad.net — Sweden, no account, accepts cash by mail
IVPN — ivpn.net — Gibraltar, audited annually
Proton VPN — protonvpn.com — Switzerland, free tier available
Tor
Tor Browser download — torproject.org/download
Operating systems
Tails — tails.net (formerly tails.boum.org)
Qubes OS — qubes-os.org
GrapheneOS — grapheneos.org
Debian — debian.org
Fedora — fedoraproject.org
Disk encryption
VeraCrypt — veracrypt.fr
LUKS (Linux, built in) — gitlab.com/cryptsetup/cryptsetup
BitLocker (Windows, built in) — Microsoft documentation
FileVault (macOS, built in) — Apple documentation
Mobile firewalls and app sources
F-Droid — f-droid.org
NetGuard — github.com/M66B/NetGuard
Wendy the Druid. Find her if you can. She'll know it's you.
✨ Who Is In The Gathering? ✨
The voices woven into this work:
🌿 Poetry and Feelings: thepoetmiranda.com
🌿 Personal Queer Journey: thistleandfern.org
🌿 Life Banter: brandonellrich.substack.com
🌿 Lisa's Porch Talk: wuzzittoya.org / wuzzittoya.substack.com
🌿 Presence Not Permission: presencenotpermission.beehiiv.com