
Spyware Saga 7 — Building a Surveillance-Proof Strategy

The co-working space was empty, the city outside a blur of sodium lights. On the whiteboard: boxes, arrows, and one sentence underlined twice — “We don’t chase threats. We shape the field.” Adrian V. held the marker. Beside him, Mara K. folded her arms. “Tonight,” she said, “we stop playing defense and build your doctrine.”

Doctrine: Deny • Detect • Disrupt

  • Deny clean collection with OS hardening, segmentation, and meeting rules.
  • Detect anomalies fast with baselines, logs, and simple, repeatable checks.
  • Disrupt operator workflows with firewalls, lock-down modes, and hot-zone routines.
Assumption: A well-funded actor exists. You are not “invisible”; you are costly to watch.

Threat Model Snapshot (Adrian V.)

| Capability | What it looks like | Your counter |
|---|---|---|
| Zero-click mobile exploits | Silent device triggers, no taps | Hardened OS, Lockdown-style modes during travel/protests, frequent reboots |
| Endpoint implants | Pre-encryption capture | Minimal apps, per-app firewalls, daily reboot, evidence logging |
| Voiceprint & biometrics | Identity follows voice/face/gait | No-phone rooms, audio hygiene, route variation, controlled public speech |
| Network correlation | Timing/IP patterns link personas | Segregate devices/roles, reduce background traffic, prefer known networks |
| Legal compulsion | Device seizures, account orders | Full-disk encryption, hardware security keys, data minimization, off-device backups |

The Playbook: 8 Pillars

1) People & Roles

  • Who needs what? Map sources, editors, lawyers, family. Assign least-privilege channels.
  • Verification phrases: Rotate simple verbal passphrases out-of-band. Never reuse across teams.

2) Devices & Segmentation

  • Clean Device: Banking, 2FA, password manager only. Keep sparse.
  • Work Device: Messaging, notes, research. No finance apps.
  • Travel/Hot-Zone: Minimal apps; Lockdown-style mode; Faraday pouch for meetings.

3) Communications Matrix

| Sensitivity | Channel | Notes |
|---|---|---|
| Low | Ordinary email/phone | Assume monitored; never share sensitive data. |
| Medium | Signal/Element on work device | Endpoint risk remains; use short, non-unique phrasing. |
| High | No-phone meeting + paper notes | Control room microphones; keep voiceprints in mind. |

4) Data Lifecycle (Create → Store → Move → Destroy)

  • Create: Draft sensitive notes offline; avoid cloud autosave for raw source data.
  • Store: Full-disk encryption (BitLocker/FileVault/LUKS); separate vault for source identities.
  • Move: Prefer peer-to-peer or courier for the most sensitive material; verify checksums.
  • Destroy: Use secure wipe for temp files; physical destruction for expired media when lawful/appropriate.

5) Travel & Field Protocol

  • Before: Update; prune data; sign out of non-essentials; prep a travel profile/device.
  • During: Minimal powered-on time; known networks; wired audio; Faraday during meetings.
  • After: Reboot; rotate critical passwords from a clean machine; review logs/anomalies.

6) Meeting Protocol

  • No-phone rooms when possible; if not, powered off & physically separated (shielded when lawful).
  • Check for active electronics; control who can hear; avoid repeated “anchor phrases.”

7) Monitoring & Baselines

  • Weekly: battery/CPU/network snapshot when idle; compare against prior weeks.
  • Router/Pi-hole DNS glance for unusual domains during idle hours.
  • Keep an Evidence Log (see template in Saga 2) for persistent anomalies.
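
The weekly DNS glance can be turned into a repeatable check. The script below is an added example, not part of the original playbook. It assumes the dnsmasq-style query lines that Pi-hole writes when query logging is enabled, an idle window of 01:00 to 05:00, and a baseline set of domains you have already reviewed; the sample log, domains and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import time

# dnsmasq/Pi-hole query line, e.g.
# "Mar  3 03:12:45 dnsmasq[812]: query[A] example.org from 192.168.1.23"
QUERY_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d{2}):(\d{2}):(\d{2})\s+dnsmasq\[\d+\]:\s+"
    r"query\[[^\]]+\]\s+(\S+)\s+from\s+(\S+)$"
)

def parse_queries(lines):
    """Yield (time_of_day, domain, client) per query line; replies/forwards are skipped."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            h, mi, s, domain, client = m.groups()
            yield time(int(h), int(mi), int(s)), domain.lower().rstrip("."), client

def in_idle_window(t, start=time(1, 0), end=time(5, 0)):
    """True if t is inside the idle window; supports windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def idle_anomalies(lines, baseline, start=time(1, 0), end=time(5, 0)):
    """Return {client: {domain: count}} for idle-hour queries to domains not in the baseline."""
    known = {d.lower().rstrip(".") for d in baseline}
    hits = defaultdict(lambda: defaultdict(int))
    for t, domain, client in parse_queries(lines):
        if in_idle_window(t, start, end) and domain not in known:
            hits[client][domain] += 1
    return {c: dict(d) for c, d in hits.items()}

# Constructed sample log and baseline (not real traffic).
SAMPLE_LOG = """\
Mar  3 02:10:01 dnsmasq[812]: query[A] time.example-ntp.test from 192.168.1.23
Mar  3 02:10:01 dnsmasq[812]: forwarded time.example-ntp.test to 9.9.9.9
Mar  3 03:12:45 dnsmasq[812]: query[A] cdn-sync.unknown-host.test from 192.168.1.23
Mar  3 03:42:45 dnsmasq[812]: query[AAAA] cdn-sync.unknown-host.test from 192.168.1.23
Mar  3 04:05:10 dnsmasq[812]: query[A] Updates.Example-OS.test. from 192.168.1.40
Mar  3 14:30:00 dnsmasq[812]: query[A] new-daytime-site.test from 192.168.1.23
""".splitlines()
BASELINE = {"time.example-ntp.test", "updates.example-os.test"}

if __name__ == "__main__":
    for client, domains in idle_anomalies(SAMPLE_LOG, BASELINE).items():
        for domain, count in sorted(domains.items()):
            print(f"{client}  {domain}  x{count}")
```

A domain that recurs at regular intervals while the device is idle is a candidate for the Evidence Log; after review, either add it to the baseline or keep tracking it.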

8) Incident Response & Recovery

  • Freeze: Airplane mode; disable radios; don’t factory reset.
  • Record: Times, screenshots/photos, what changed.
  • Contain: Move sensitive tasks to the clean device; rotate passwords with a hardware key.
  • Escalate: Contact trusted IR/digital-rights support if high-risk.

Mara’s Three Rules

  • Minimize: Fewer apps, fewer plugins, fewer accounts.
  • Compartmentalize: Separate roles; never mix finance with chat on the same device/profile.
  • Routinize: Make reboots, updates, and logs part of your week. Discipline beats talent.

Readiness Drills & Metrics

  • Monthly drill (30 min): Simulate a suspected incident; practice freeze → record → contain.
  • Quarterly: Permissions audit; revoke anything you don’t use; review comms matrix.
  • Score yourself: 0–2 per pillar (deny/detect/disrupt). Improve the lowest score first.

1-Page Operational Playbook (Copy/Paste)

Copy this into your notes. Customize per team.

TEAM / DATE:
ROLES: (Editor, Source A, Lawyer, Family...)
VERIFICATION PHRASE (rotates monthly):

DEVICES
- Clean Device: (model)  | Apps: (bank, 2FA) | Notes:
- Work Device: (model)   | Apps: (chat, notes, research) | Firewall: (Y/N)
- Travel Device: (model) | Profile: (Lockdown/Minimal) | Faraday: (Y/N)

COMMS MATRIX
- Low: (email/phone) -> Rules:
- Medium: (Signal/Matrix on Work Device) -> Rules:
- High: (No-phone meeting + paper) -> Rules:

MEETING PROTOCOL
- Phones: (off/separated) | Room check: (done) | Recorder risk: (mitigated)

TRAVEL PROTOCOL
- Before: (update/prune/logout) | During: (known networks) | After: (reboot/rotate)

MONITORING (weekly)
- Idle battery/CPU baseline: ___ | Data anomalies: ___ | DNS glance: ___

INCIDENT MICRO-PLAN
- Freeze -> Record -> Preserve -> Contain -> Escalate (contacts here)

NOTES
    

Go Deeper — Enterprise-Grade Hardening

This saga gives you the doctrine and the working playbook. For exact, step-by-step builds (OS images, browser/email configs, sandbox recipes, checklist audits) see our premium course.

Endgame: Owning the Field

They wiped the whiteboard clean. The doctrine stayed. Adrian looked at the empty glass wall and saw a city that could still be reported on — carefully, precisely, relentlessly. “We don’t disappear,” Mara said. “We make them work for every frame.” He smiled. “Let them.”

Written by X
Founder of BitsSecured.com. Focused on protecting journalists, activists, and everyday people from modern surveillance.

For defensive education only. Follow local laws. This content does not endorse unlawful activity.
