Posted inCyber Security Stuff OpSec for Writers

OpSec for Writers – Intro/Why Does it Matter?

No Comments
OpSec for Writers – Intro/Why Does it Matter?
Photo by RoonZ nl on Unsplash

This is the first in a series of posts sharing some guidelines/best practices writers can use to keep themselves and their stories safe!

Remember the simpler days, when you were told not to share your real name on Club Penguin? Now, there’s an expectation that you constantly share every facet of your life with the world. Meanwhile, companies–and hackers–are swapping, sharing, and selling your info without your knowledge or consent.

Writers share even more information with the world; they might get paid for it! Which is more than the average Facebook user can say. But sharing information can be dangerous, which is why writers should take OpSec into consideration when they write, publish, and promote themselves.

What Even is OpSec?

Loose lips sink ships, you know.

OPerational SECurity (OpSec) is the concept that information, even seemingly-benign information, can be used by bad guys to cause harm. Turning off all the lights at night so German bombers won’t know where cities are is a form of OpSec. Not telling people online what school you go to or your real name on Neopets is a form of OpSec.

OpSec can take many different forms, depending on the information, how it can be acquired, and what can happen if it falls into the wrong hands. If someone finds out your computer password, the capability for a bad guy to do bad things is minimal if all you do is play Minesweeper. If it’s the password to your work computer, your job might be at risk.

But if you work at a hospital, or a bank, or the government, the damage can be catastrophic. A home computer network being shut down can be a huge pain to fix. A hospital computer network being shut down can kill people. Bad guys know this, so they target hospitals and [hold their computer systems hostage in exchange for a ransom]. The hospital–or, more likely, [their insurance]–will pay the ransom quickly, and the hackers move on to their next target.

The hospital is a valuable target, so the steps they take to protect their computers and the information stored on them will look very different than what, say, a fruit stand or dog groomer might do, because the risks they face–and their consequences–are so different.

Why Writers Face Unique Risks

We writers, ultimately, are in the business of putting ourselves out there. Even if we’re not writing memoir, readers can glean a lot of information from us by our stories. It’s expected that we share a biographical statement about ourselves and maybe even a photograph. We’ll be asked about what inspired a story, what real-life events we drew from and how that informs our craft.

Creating art is an act of vulnerability. Our stories can be about how we grew up in a different culture, or faced certain challenges, or that we’re members of specific communities. We have opinions about systems of power and oppression, and our writing can highlight the injustices of the world.

And, since we do that, we run the risk of drawing the attention of people who want to cause us harm. Being queer, neurodivergent, or a person of color can draw the attention of trolls, who want nothing more than to cause us grief. Speaking out against those in power is reason enough for the powers that be to keep an eye on you.

Threat actors (aka “hackers” aka bad guys) can be anything from government spy agencies to a nosy coworker looking for dirt to get you fired. The amount of effort, skills, and resources different individuals and/or groups are willing to spend on you can vary widely, but there’s a lot you can do to protect yourself.

A (kinda mean) adage in security is, “You don’t need to run faster than the bear, only your friend.” The average threat actor is like a pack of velociraptors: they’re looking for the weakest member of the herd. Sure, they could try the triceratops with the biggest horns and frill, but the chance they’ll succeed is much lower. Why waste all that effort for the same amount of meat?

Granted, I would love if we lived in a world where no one is trying to put malware onto your computer, or steal your bike, or scam you out of your money. But we don’t, so we need to protect ourselves in the world we currently live in.

What This Will Be

To give you an idea, here are some general topics I’d like to go over in this series:

  • How not to give away answers to all your secret questions
  • Backing up, archiving, and accessing your writing
  • Author websites/web presences
  • Maybe don’t set that to “anyone with the link can view”
  • Pen names vs common names vs and legal names

If you really want to distill it, securing information falls under one (or more) of three core concepts: confidentiality, integrity, and availability.

A triangle illustrating the CIA triad of information security. The three legs are confidentiality, integrity, and availability.
Image via NIST

In other words:

  • Are the only people who can access the information people who need to?
  • Is the information unaltered/undamaged?
  • Is the information accessible when it needs to be?

Being doxxed violates confidentiality. An unscrupulous editor rewriting your story violates integrity. The website hosting your story going under violates availability.

For the purpose of this series, “information” will include both things about you (your “real” name, street address, employer, etc) and your writing (drafts, research/notes, ARCs/proofs) and writing-related stuff (contracts, communications with editors/agents, books/magazines/websites/podcasts of your published work).

I will do my best to be both technology and genre agnostic. Making “physical” backups might look very different if most of your writing is in podcast or interactive fiction form, but the reasons why you should will be the same.

What This Won’t Be

The goal of these posts is to refrain from general security concepts or things you probably already know. Making your password not be “password” and not leaving your laptop alone in a cafe when you go to the bathroom isn’t writer-specific.

I also don’t want to bog you down in technical details, because this isn’t intended for a highly-technical audience. You don’t need to know the difference between SSL and TLS versions 1.1, .2, and .3, only that you should flip a switch on your web hosting dashboard to enable it. You’re free to do additional research, of course, and I’ll link to information/resources when I can.

Drilling down into specific technology also runs the risk of becoming outdated. Archival has always been important, but telling you to specifically use ZIP drives would be silly. Instead, I would tell you to consider putting files onto physical media you can safely store someplace that isn’t on/in your main computer (and can throw into your bug out bag, if needed).

Security is, ultimately, a balance of effort on your part and the risks you specifically face. If you’re a relative unknown, the chance someone will go through a months-long campaign to get into your Dropbox account to steal that novel you’ve been working on the past 13 years is nearly 0. But, if you’re a world-famous author and have a highly-annoyed fanbase because the tv adaption totally bungled your series’ ending…then you’ll have to take more drastic steps. But if you don’t use cloud storage at all, and live in a shed on top of a mountain no one can find and have no Internet, you can probably get away with having a weak password for your computer.

I also will not cover things that are more like “scams targeted at writers.” [Writer Beware] does an excellent job covering that, and there’s not much I can add to that.

I will never tell you to stop writing, or to stop writing certain topics. I don’t want you to stop writing erotica, or op-eds, or critiques of current politics. I want you to feel empowered to speak up and speak out.

Caveats

I a’int being called down to the courthouse anytime soon to be an Expert Witness for cybersecurity, or even writing/publishing. I am just one guy who lives in America who loves these two subjects (and wants to do them more in a professional context) and wants to help people.

If someone wants to hack you badly enough, they’re going to find a way, and you can’t control how other places handle your information. You might have as close to perfect OpSec as possible today, but if the editor of Secure Science Fiction gets hacked, a threat actor can find your legal name on a contract you signed a decade ago. If a government-backed group finds and then exploits a [zero-day vulnerability] in your device’s operating system, or [deploys mass-surveillance devices], or even [your own government demands encryption backdoors], well…there’s always messenger pigeons. I’ve yet to see a publication say they won’t take submissions submitted by bird.

In Conclusion…

Some professions and hobbies are riskier than others. Just as much as you probably would never want to scuba dive in a tight, dark, unexplored cave because of all the ways things could go wrong, there’s plenty of people who would never want to reveal their deepest hopes, dreams, fears, and traumas by putting their art into the world. As a writer you know these risks and have accepted them as part of the craft.

But there’s plenty of things you can do to mitigate the risks inherent to being a writer. Whether that’s keeping your personal life separate from your authorial persona or ensuring you can look at all your publications decades from now, keeping your information safe, secure, and accessible is possible.

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.