Threat models

A device is only useful against a defined adversary. For each profile below we state the adversary, what our builds help against, and — with the same weight — what they do not cover.

Journalist

Adversary: Actors trying to identify your sources: targeted surveillance, device seizure, metadata analysis.

What helps

  • Phone on GrapheneOS: app sandboxing, separate profiles, verified boot with your keys.
  • Coreboot + Heads laptop: firmware tampering detection at boot time.
  • OpenWRT router: a gateway you control, optional Tor VLAN to compartmentalise sessions.

What it does NOT cover

  • Does not protect network metadata unless you route through Tor.
  • Does not protect your sources if they are not protected themselves.
  • Seizure of an unlocked device exposes its contents.

Activist

Adversary: State or organisational surveillance, arrest, exploitation of crowd movements.

What helps

  • Multiple profiles and, depending on configuration, a duress option to compartmentalise sensitive use.
  • Full-disk encryption at rest.
  • Fast security updates through the upstream OS.

What it does NOT cover

  • Does not protect against physical coercion or a legal duty to unlock in some jurisdictions.
  • Does not hide your presence on a cellular network (the baseband stays proprietary).
  • Does not replace operational hygiene (who you call, when, from where).

Traveller

Adversary: Border checks, hostile Wi-Fi networks, theft or device copying while travelling.

What helps

  • Amnesic (Tails) or compartmentalised (Qubes OS) laptop: no persistent trace, or strict isolation.
  • Anti-tamper seal and measured boot to detect hardware manipulation.
  • Firewall-level VPN kill-switch on the router.

What it does NOT cover

  • A border search may require unlocking; we do not circumvent the law.
  • Measured boot detects some tampering; it does not prevent all of it.
  • Hardware out of your sight remains at risk (the “evil maid” attack).

Executive

Adversary: Economic espionage, targeted intrusion, interception of corporate communications.

What helps

  • Reduced software attack surface (hardened, de-Googled OS).
  • Work/personal separation through profiles.
  • A controlled network gateway with an encrypted tunnel.

What it does NOT cover

  • Does not protect against a compromise of your counterparties or your servers.
  • Does not cover social engineering or insider leaks.
  • Security depends on configuration and on maintaining it over time.