What is the best hands on way to learn privacy, security, and anonymity?

I want to learn more about privacy, security, and anonymity. I know Extreme Privacy is a book on the subject. But is there something I can do that’s a little more hands on? Occupy the Web mentioned learning OSINT and digital forensics to better understand it. Do you agree? I know a lot of people say OTW is fraudulent.

And is Extreme Privacy the only recommended resource on the subject? What do you recommend for a hands on learner?

Will HTB Sherlocks combined with OSINT training on KASE Scenarios do it?

There is no one best way to learn and no authority to claim the same. You learn what you can and how you can and try things out. The more you learn, the more you’ll know about the subject matter.

But is there another recommended source for it besides Extreme Privacy by Michael Bazel? And this doesn’t answer if studying OSINT and digital forensics will help either. The reason is I think watching videos about privacy, security, and anonymity will not help me in my case as much as something a little more hands on in order to reinforce the concepts. I learn by doing, so I’m looking for something that will teach me security, privacy, and anonymity that caters to that learning style.

I found Nathan House’s courses, but those are videos. Extreme Privacy is a book. Neither really caters to my learning style 100%. I know Michael Bazel has a hands on OSINT training platform and I know things like Hack the Box Sherlocks and KASE Scenarios exist is why I’m asking.

To be candid, the PG main site is built for people who want to get started applying privacy, which is what you are asking.

Go through recommendations; make a high level threat model. See where your weaknesses are. Use PG recommendations to mitigate those weaknesses. Don’t worry about being perfect. Ask questions here about specific road bumps you may encounter. By doing this you will learn.

Read documentation for the tools that you use

What is best depends on each person’s learning style, but I’ll give a suggestion.

1. Read up on privacy/security/anonymity and threats to those as much as possible.
2. Put privacy/security/anonymity measures you read about into practice in your own life.

For step 1, IIRC some starting points off the top of my head that I found useful for me, but may now be outdated, were

• Surveillance Self-Defense
• What is security culture?
• Digital Anti-Repression Workshop part 1 and part 2
• PRISM Break

Privacy Guides is useful up-to-date resource for learning about tools and practices that can keep us safe. Keeping an eye on relevant news, civil liberties advocacy groups’ activities (privacy, digital rights, human rights, marginalized groups and so on) and community forums (this forum for instance) helps too.

Since we’re talking about learning, step 2 doesn’t say relevant, appropriate or sustainable, but obviously measures would need to be implementable, bearable and considerate of its own risks (social isolation and criminal prosecution for instance).

Putting measures into practices requires learning the details of how to use tools, how to implement them in your life, how effective they are and what limitations they have, and how to verify and test. This includes inspecting source code, tool documentation (manpages for CLI tools), debug logs, security audit reports, blog posts, community forums etc as needed.

Henry from Techlore said he adopted an extreme privacy/security/anonymity approach (privacy and security?) and then tamed it to something more sustainable and relevant to his threat model later on. That may be a good way to learn, not just about how to implement and maintain privacy/security/anonymity measures but also how effective and sustainable those measures are.

I basically did the same thing but discovered my threat model is higher risk than I had originally thought. Further, my threat model (everyone’s actually) worsened over time with techno-authoritarian surveillance and control spreading worldwide. Thus I didn’t need to tame it very far, and I was lucky to go as extreme as I did from the beginning.

Hands on? Join the CIA.

What about learning OSINT and digital forensics? Will that help? What if I do that, then read Michael Bazel’s books? Or what if I do that and then do Nathan House’s courses?

Ok I will look at these soon.

Take on projects. Set yourself a goal such as monitoring DNS requests from different devices or apps on your home network to find out which ones are the most “noisy”. Then try to implement it and try out different things, e.g a pi-hole or a application firewall such as Portmaster or little snitch, NextDNS, Rethink DNS etc.

This will motivate you to actually have a use for all the theoretical information you learn and not just read-and-forget random IT sec snippets.