More important questions than “Which tools and services are you going to use?”, are these:
“Who do you think might be after you?”
“Why do you think they are after you?”
“What do you think their capabilities are?”
There is a spectrum of online threats, and determining which ones you might face is the first step. Here are some example threats in increasing order of severity:
- Trolls – typically boys fifteen to twenty-five, with a sprinkling of middle-aged people, more women than men, and these older ones are often dealing with mental illness, substance abuse, and character disorders.
- Identity theft/fraud rings – online crime evolves at internet speed. Any banking or assets managed via a web interface are prized targets, and if your health care provider gets cracked you may face serious identity theft issues.
- Extortion rings – revenge pornography is almost always a thin cover for an extortion racket. The recent intrusion at Ashley Madison puts millions of wandering spouses at risk of attention from fraudsters. Malware such as CryptoLocker brings in hundreds of millions of dollars from businesses that can't afford to lose data they didn't have backed up.
- Corporate security – if you've been involved in any sort of protest you may be facing paid professionals using tactics similar to trolls, but with much greater diligence in information gathering and far better judgment in what will/will not work on others.
- MPAA/RIAA & related litigation – movie and music sharing with BitTorrent and other services that provide gray- or black-market entertainment data have long been targets for copyright troll law firms.
- Law enforcement – there is a range of activities, from 1st Amendment protected protest to drug trafficking, that might get you attention from your local, regional, or national law enforcement.
- Intelligence agencies – if you are an aggressive activist or involved in criminal activity, particularly activity that intersects with terror funding, you might just find yourself elevated from the general surveillance dragnet to a point where you are receiving personal attention.
Many of these entities leave clear tracks – the extortion and identity theft oriented groups are either using your personal information or approaching you wanting a payoff of some sort. While these are all criminal acts, unless there is a lot of money involved, you can assume law enforcement is going to treat your problem about as seriously as a graffiti complaint.
If you are the subject of a law enforcement investigation, you presumably know what you do that creates your exposure. Occasionally this is not the case. As an example, sometimes troll attention is calculated to put innocent individuals in harm's way. This is one of those sticky situations where less is more – if you've got problems like this, drop everything and wait for them to go away. Problems like that start in internet time but they fade slowly, taking months to years.
It might seem strange at first, but trolls, corporate security, and intel agencies form a continuum all of their own. A competent troll crew will have capabilities far beyond most police departments. Corporate security will sometimes employ trolls to do their dirty work. A large corporation will be able to bring more resources to a conflict than a small nation state. All of them leave intentionally confusing trails, not wanting the consequences of being discovered.
Applying Adversary Resistant Computing & Networking to such problems is always going to lead to some improvement no matter which problem you have, but you could probably also use some Adversary Resistant Wetware. The peace of mind that comes from having an intentionally hardened environment is good, but if you're constantly looking over your shoulder you will likely develop some induced paranoia.
Once you've identified your opponent(s) and the underlying motivations, you need to get a clear idea of what they can and cannot do. This is something that you should do, put down in writing, and keep handy. If you're hyper-alert you will find patterns where others will just see random noise, so the written assessment keeps you from over-reacting to coincidences. Journaling is a good counter tactic, and few things that happen in internet time online are truly urgent – make a point to sleep on complex problems, and jack out early enough that you get quality sleep. As a rule of thumb, jack out an hour before you lay down for the night.
While we have tools that protect computers and their network traffic, protecting the minds of those who operate in a high threat area is dramatically more difficult. One of the very first things you can do is reduce the amount of attack surface you expose. If you've read this far, you might just have some real problems, and sweeping your real social media presence clean is a good first step.
So, what exactly can these opponents do?
All of them, except the MPAA/RIAA type civil litigation, make a habit of taking over the computers of those they target. You need an adversary resistant OS, but you also need some serious thought here, especially the further down the spectrum you go. Are you really such a lightning rod that you might be facing a nation state actor? If you don't have a lot of money, a lot of political pull, or a history of dropping secret government docs, this is probably not a problem for you. The FBI gets invoked a lot and they are a big problem for activists, but nobody is investigating perceived threats via social media unless the target is government, elected officials, or very large corporations.
A bigger problem for most people is the smaller fish, who have more time on their hands but much less access, so they subsist on spearphishing and watering hole attacks. They can hang around and keep obsessively trying until they get some results.
The nation state actor can insert malware on the fly if you are in their jurisdiction. Cryptostorm takes steps to filter that out at the service level, while Tor only conceals your public IP, so any clearnet access is at risk. The little fish have the time to root your machine and play a careful, long-term game against you.
The ultimate technical solution is QubesOS, perhaps with Whonix for when Tor is appropriate, and a mixture of Tor and Cryptostorm somewhere between the NetVM, ProxyVMs, and AppVMs. This only solves the technical issues. If your judgment is impaired by too much time jacked in, you may find that all you accomplish with a sturdier system is putting yourself into an even higher risk position than when you started.
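As an added example, not from the original post, here is a dom0 shell sketch of the NetVM → ProxyVM → AppVM chain described above on Qubes 4.x: one Cryptostorm VPN ProxyVM feeding clearnet AppVMs, the Whonix Tor gateway feeding an anonymous AppVM, and an offline vault. The VM names (sys-vpn, vpn-work, anon-work, vault-docs) and the placeholder template names are assumptions; sys-net and sys-whonix are the default Qubes/Whonix names, and configuring the VPN client inside sys-vpn is a separate step.

```shell
#!/bin/sh
# Added example (not the original post's code). Run from dom0 on Qubes 4.x.
# Template names ending in XX are placeholders for your installed templates.
# Set QVM=echo to print the qvm-* commands instead of executing them.
QVM="${QVM:-}"

# create_proxy NAME TEMPLATE UPSTREAM
# A ProxyVM: it provides network to VMs behind it and uplinks to UPSTREAM.
create_proxy() {
    $QVM qvm-create --class AppVM --template "$2" --label orange "$1"
    $QVM qvm-prefs "$1" provides_network True
    $QVM qvm-prefs "$1" netvm "$3"
}

# create_app NAME TEMPLATE NETVM
# An AppVM whose only path to the network is NETVM; it cannot bypass it.
create_app() {
    $QVM qvm-create --class AppVM --template "$2" --label red "$1"
    $QVM qvm-prefs "$1" netvm "$3"
}

# build_chain: the full topology from the text, as separate qubes.
build_chain() {
    # sys-net (NetVM) -> sys-vpn (Cryptostorm ProxyVM) -> clearnet AppVM.
    # If the VPN tunnel drops, vpn-work has no other route out.
    create_proxy sys-vpn   fedora-XX sys-vpn-upstream-placeholder
    $QVM qvm-prefs sys-vpn netvm sys-net
    create_app   vpn-work  fedora-XX sys-vpn

    # sys-net -> sys-whonix (Tor gateway) -> Whonix workstation AppVM.
    # Only anon-work's traffic is torified; vpn-work never touches Tor.
    create_app   anon-work whonix-ws-XX sys-whonix

    # An offline vault: netvm "" means no network interface at all, so a
    # compromised online qube cannot reach documents kept here.
    $QVM qvm-create --class AppVM --template fedora-XX --label black vault-docs
    $QVM qvm-prefs vault-docs netvm ""
}
```

Source the file in dom0 and call `build_chain`, or run it with `QVM=echo` first to review the exact commands before any qube is created.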