8. What the hell is threat modeling?
111sdgisjfoisejfoijs11. What do you want to
protect?kok
1. What do you want to protect?
2.1. What do you want to protect? ASSETS1. What
do you want to protect
1. What do you want to protect?
9. What the hell is threat modeling?
111sdgisjfoisejfoijs11. What do you want to
protect?kok
1. What do you want to protect?
2.1. What do you want to protect? ASSETS1. What
do you want to protect
1. What do you want to protect?
2. Who do you want to protect it from?
10. What the hell is threat modeling?
111sdgisjfoisejfoijs11. What do you want to
protect?kok
1. What do you want to protect?
2.1. What do you want to protect? ASSETS1. What
do you want to protect
1. What do you want to protect?
2. Who do you want to protect it from?
3. How likely is it you will need to protect it?
11. What the hell is threat modeling?
111sdgisjfoisejfoijs11. What do you want to
protect?kok
1. What do you want to protect?
2.1. What do you want to protect? ASSETS1. What
do you want to protect
1. What do you want to protect?
2. Who do you want to protect it from?
3. How likely is it you will need to protect it?
4. How bad are the consequences if you fail?
12. What the hell is threat modeling?
111sdgisjfoisejfoijs11. What do you want to
protect?kok
1. What do you want to protect?
2.1. What do you want to protect? ASSETS1. What
do you want to protect
1. What do you want to protect?
2. Who do you want to protect it from?
3. How likely is it you will need to protect it?
4. How bad are the consequences if you fail?
5. How much trouble are you willing to go through in
order to prevent those consequences?
13. What do you need to know?
Assets
Adversary
Threat
Capability
Risk
53. “When we share information, we are building power of
our own. Potential harassers may deterred by the
thought that we are both capable of and willing to turn
the eye of internet surveillance back on them.”
Liz Henry, Model View Culture Investigation Online:
Gathering Information to Assess Risk
67. “One day soon, home room teachers in your local
middle and high schools may stop scanning rows of
desks and making each student yell out ‘Here!’ during
a morning roll call. Instead, small cards, or tags,
carried by each student will transmit a unique serial
number via radio signal to an electronic reader near the
school door.”
AT&T advertising brochure
68.
69.
70.
71. The blended threat landscape
Not discrete categories:
many delicious flavors!
83. Further reading
What Every Librarian Should Know About HTTPS:
https://www.eff.org/deeplinks/2015/05/what-every-librarian-needs-know-about-
https
Surveillance Self Defense: https://ssd.eff.org.
COMSEC: Beyond Encryption:
https://grugq.github.io/presentations/COMSEC%20beyond%20encryption.pdf
Digital First Aid Kit: http://digitaldefenders.org/digitalfirstaid/
Editor's Notes
On January 12, 2010, the same day as Google announced about the aurora targeted attacks, it was announced that gmail traffic would be encrypted by default. Since that time, facebook, twitter, and recently Yahoo have moved to using HTTPS traffic by default. Skype has provided encypted voice calls for many years.
In addition to this, people like The Tor Project, The EFF’s HTTPS Everywhere plugin, Whisper Systems providing encrypted voice and text messaging means that passive sniffing of traffic has started to yield less interesting results. It’s still useful, in order to surveill persons of interest that have decent security understanding, active targeting becomes necessary.
Computer viruses were just something that happened to computers and people shrugged their shoulders and figured they’d have to reinstall. Now this is fine if malware isn’t targeted and indeed, you’ve become part of a viagra spam botnet, however, it’s problematic for people that discover that they’ve been targeted by a nation-state.
Because...
Computer viruses were just something that happened to computers and people shrugged their shoulders and figured they’d have to reinstall. Now this is fine if malware isn’t targeted and indeed, you’ve become part of a viagra spam botnet, however, it’s problematic for people that discover that they’ve been targeted by a nation-state.
Because...
Cyber mercenaries using the police tools sold to repressive governments
In fact the Turkmenistan secret service and the Australian police use the same tool!
only sell to military
Computer viruses were just something that happened to computers and people shrugged their shoulders and figured they’d have to reinstall. Now this is fine if malware isn’t targeted and indeed, you’ve become part of a viagra spam botnet, however, it’s problematic for people that discover that they’ve been targeted by a nation-state.
Because...
Hammad Akbar was fined $500k by the district court in Virginia in December of last year for selling and distributing “StealthGenie.”
'Please Rob Me' aggregates and streams location check-ins into a list of 'all those empty homes out there,' and describes the recently-shared locations as 'new opportunities.'
a Texas school district just begun implanting the devices on student identification cards to monitor pupils’ movements on campus, and to track them as they come and go from school.
Tagging school children with RFID chips is uncommon, but not new. A federally funded preschool in Richmond, California, began embedding RFID chips in students’ clothing in 2010. And an elementary school outside of Sacramento, California, scrubbed a plan in 2005 amid a parental uproar. And a Houston, Texas, school district began using the chips to monitor students on 13 campuses in 2004.
Cyber mercenaries using the police tools sold to repressive governments
In fact the Turkmenistan secret service and the Australian police use the same tool!
Cyber mercenaries using the police tools sold to repressive governments
In fact the Turkmenistan secret service and the Australian police use the same tool!