
Threat modeling nihilists v. vegans


  1. 1. What the Hell is Threat Modeling Anyway? Eva Galperin/Parker Higgins, eva@eff.org/parker@eff.org, @evacide/@xor, Electronic Frontier Foundation
  2. 2. What the hell is a threat model?
  3. 3. 1. What do you want to protect?
  4. 4. 1. What do you want to protect? 2. Who do you want to protect it from?
  5. 5. 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it?
  6. 6. 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it? 4. How bad are the consequences if you fail?
  7. 7. 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it? 4. How bad are the consequences if you fail? 5. How much trouble are you willing to go through to prevent those consequences?
  8. 8. ASSETS: This is what you want to protect. Passwords; Money; Files; Conversations; Meta-data
  9. 9. ADVERSARY: This is what you want to protect your assets from. NSA; Your classmates; Your parents; The police; Advertisers
  10. 10. THREAT: Hackers hijack your Twitter account; Your brother reads your diary; Your boss sees your browser history; Criminals steal your credit card numbers; Adversary reads your communications; Adversary deletes or alters your communications
  11. 11. CAPABILITY: Attacker could file a subpoena; Attacker could break into your house; Attacker could spy on your wifi network; Attacker could put a tracking device on your car; Attacker could force you to give up your passwords; Attacker could torture your friends/family for info; Attacker could shoulder-surf your phone password
  15. 15. Then there’s this guy
  16. 16. RISK
  17. 17. People have different appetites for risk
  18. 18. Privacy Nihilists
  19. 19. Privacy Vegans
  20. 20. Security is a process, not a product • Tools are not enough to protect your privacy • Build a threat model, then figure out what tools/processes are appropriate • Your threat model may change over time
  22. 22. You don’t have to be a nihilist or a vegan
  27. 27. Thanks! Laura Poitras, Bruce Schneier, Jonathan Stray

Editor's Notes

  • So you’ve just heard a bunch of scary stuff and I bet you’re wondering how to make sense of it. Should you be using Tor for all your browsing? Should you be using a VPN? Should you be sending all of your email using PGP? Should you throw your phone off a cliff?

    Trying to protect everything from everyone all the time is exhausting. But you probably don’t have to do that. And if you want to figure out what tools and procedures you should be using to give yourself meaningful privacy for the things that are important to you, you need to learn to threat model.
  • What’s meta-data?
  • As you can see, this is not all about bad guys hacking into your computer.

    Legal attacks. Social attacks. Physical attacks.
  • Assessing capability is HARD: you have to make a guess about what resources your attacker has and how far they’re willing to go to attack your assets.

    When you’re thinking about your physical assets, that may seem simple. You lock your doors. You put your important papers in a safe. You can see if you’re being physically followed. But the Internet doesn’t work the way it appears to most people. The same goes for courts. So in order to understand legal attacks, you talk to a lawyer. In order to understand attacks over the Internet, you talk to hackers.
  • Snowden leaks taught us a lot about NSA and 5-Eyes capabilities up until very recently. But remember that capabilities are constantly changing. New laws get passed. New technologies are invented. New bugs are discovered and exploited. This work is never done.
  • How likely is a particular threat against a particular asset?

    Related to capability: sure, your telco has access to all of your call data, but the risk that they will publish this publicly in order to harm your reputation is low.

    Threat is important to distinguish from risk. A threat is a bad thing that can happen. The risk is how likely it is that it will occur.

    There’s a threat that your house will collapse. But this is more likely to happen in San Francisco, where earthquakes are common, than Stockholm, where they are not.
  • Conducting a risk analysis is a very subjective process. Not everyone has the same priorities or views threats the same way. Many people find certain threats (like the government spying on their internet traffic) unacceptable no matter what the risk. Other people disregard high risks because they don’t view the threat as a problem. For example, I might not care so much if someone steals my credit card numbers because the credit card company will just reverse the charges.
  • Want advice about threats/capabilities/tools? Check out SSD. Available in Arabic, English, French, Thai, Vietnamese, Spanish, and Urdu.
