[OPSEC/Computer] Using public wifi

1 Let's talk opsec for a minute 'cause I have a few questions. I always see tor>vpn is better, but why? I use vpn (with shared IPs)>TOR just in case Tor leaks my IP somehow, then they just get my VPN, plus my ISP can't see that I'm using TOR.

2 If I were to take my laptop and do stuff at a public wifi (without TOR), how trackable is my computer? I know public wifi logs your MAC address but don't know what else. Would it be safe to then bring my laptop home and use as normal, or can it be tracked somehow aside from lojack?

I'm under the impression all they can really track is where a MAC address connected.

Should I just spoof my MAC every time I connect anywhere? Does it make a diff if I'm connected to the same VPN at public wifi as I am from home?

Someone please educate me.


Comments


[3 Points] None:

[deleted]


[2 Points] Talk_With_Words:

Woah sorry about the bold, I'm a reddit noob


[2 Points] youcrap:

Interesting, hope a professional answer comes here soon.


[1 Points] DELICIOUSCOCK:

I suggest spoofing your MAC. Assuming you use Linux, you can add a line to your .bashrc or other default login script to generate a new MAC on boot. Secondly, you should use Tails.

Yes it matters if you connect to the same VPN assuming you don't want any connections at all between your activities.


[1 Points] hreupuqht0:

There are a lot of 'depends' here. And I'm no expert, so take what I say with a grain of salt. Read these guides, which will help you implement anything ranging from 'passable' to 'anal-shit paranoid' online opsec (separate from physical opsec, though it covers some of that as well).

1: This is better opsec than just Tor alone, if your VPN provider is more 'trustworthy' than your ISP (who won't be able to tell you are using tor in a vpn > tor setup). So choose a good VPN that doesn't keep logs, that you can purchase access to using anonymous bitcoin (from an internet connection that can't be linked back to you e.g. public library, coffee shop wifi with no surveillance cameras etc.). Bonus if they are incorporated and operate servers in 'US LE unfriendly' jurisdictions (e.g. Panama, I think...).

2: Lots of 'depends' here too. Are there surveillance cameras in this public wifi area? LE could, in theory, look at the footage during the time the transaction occurred to get a short list of suspects (which would include you). Also, while using this public wifi, if you, a program on your computer, or a browser extension access a service/website that can be linked back to your identity, then the 'bad' transaction could be easily linked to your identity (as the 'identifying service/website access' would be linked to the same session and MAC address as the 'bad' transaction in the wifi AP logs, whether you are using a spoofed MAC address or not).

Like a few have said already, it all depends on your threat model. I feel that VPN -> Tor is sufficient 'online opsec' for a buyer, especially if the VPN cannot be linked back to your real identity (this also means: don't do something like log in to your personal gmail/facebook/whatever through your VPN, to protect against a logging VPN provider co-operating with LE). If your VPN account could be linked to your real ID in some way, you're then relying on the VPN provider not keeping logs, or not co-operating with LE, or LE simply deciding it's not worth the effort to work back through the chain to your real ID (held by your ISP, if you've arranged your VPN access correctly).

And remember, 'Physical opsec' is a separate concern that must be dealt with separately. So we're mostly talking stuff that mitigates the threat of a LE physical search (e.g. HDD encryption, hiding illegal 'stuff' in places a search won't find, mail delivery arrangements etc.).