type: guide
title: "OPSEC — COMSEC (Communications Security)"
parent: "[[manual-paranoid-opsec]]"
source: "cyber-intelligence-toolkit/manuals/paranoid-opsec-manual.md"
tags:
  - topic/opsec
  - method/review
processed: true
status: seedling

OPSEC — COMSEC (Communications Security)

Sub-nota atomica del manual maestro manual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo.

8. Communications Security (COMSEC)

8.1 Threat Landscape

Communication metadata is often more dangerous than content. Even with encryption, adversaries can learn:

Who talks to whom, when, and how often.
Device identifiers (IMEI, IMSI, MAC).
Location through cell towers, Wi-Fi, or timing correlation.
Patterns of activity that reveal persona overlaps.

8.2 Principles of Secure Communication

Confidentiality: protect message content with strong encryption.
Anonymity: avoid linking messages to real identity.
Plausible deniability: ensure you can credibly deny authorship.
Ephemerality: minimize persistence of communications.

8.3 Messaging Tools

Signal: strong end-to-end encryption, but tied to phone numbers.
Wire: supports pseudonymous registration, strong encryption.
Session: onion-routed messaging with no central metadata.
Briar: peer-to-peer over Tor or Bluetooth/Wi-Fi direct, no central servers.
Element (Matrix): decentralized, strong encryption, but servers may log metadata.

⚠️ Rule of thumb: if the app requires your phone number, it leaks metadata.

8.4 Voice & Video

Use encrypted apps (Signal, Wire, Jitsi with E2EE).
Be mindful of voice biometrics: adversaries can fingerprint your speech.
Consider voice changers or text-to-speech in sensitive ops.
Avoid landlines and unencrypted VoIP providers.

8.5 Email

Use providers with strong privacy policies (ProtonMail, Tutanota).
For high-risk, use self-hosted mail with Tor hidden services.
Always use PGP or age for sensitive content, but remember: PGP does not hide metadata.
Avoid reusing recovery emails across personas.

8.6 Metadata Minimization

Disable read receipts, typing indicators, and online status.
Use burner accounts created over Tor with disposable emails.
Avoid group chats that mix multiple personas.
Strip EXIF and headers from file attachments.

8.7 Key Management

Use strong passphrases for encryption keys.
Rotate keys regularly; never reuse across personas.
Store master keys offline on hardware tokens (e.g., YubiKey, Nitrokey).
Distribute keys via out-of-band channels (QR codes, paper slips, encrypted removable media).

8.8 Ephemeral Practices

Prefer apps with disappearing messages (Signal, Session, Wire).
Manually delete logs and caches after sensitive conversations.
Use burner phones for temporary comms and destroy them after use.
Assume all cloud backups of chats are hostile.

🔥 Extreme Practices (Optional)

Eliminate all persistent messaging platforms: use one-time communication channels only, then destroy keys and devices.
Pre-share one-time pads (OTPs) or keys on air-gapped devices before operations.
Communicate via encrypted containers (e.g., VeraCrypt, age) exchanged offline via sneakernet or air-gapped transfer.
Employ steganography: hide encrypted messages inside images, audio, or video.
Use voice masking or text-to-speech to prevent biometric voiceprint collection.
For high-risk contacts, establish multi-channel communication redundancy (e.g., one channel for urgent signals, one for fallback, one as decoy).
In extreme cases: use non-digital communication (dead drops, coded signals, couriers) to eliminate all electronic traces.
Treat every communication channel as compromised by default; rotate frequently and assume metadata is logged indefinitely.

Themes

tema-opsec-completo-analista