Surveillance Report


Q&A: Understanding Threat Modeling

Q&A202: How can people better understand threat modeling? What are security concerns for custom Android ROMs? What are our favorite episodes of Darknet Diaries? Have we ever seen a website remove our 2FA without telling us?

Video Version: https://youtu.be/1_eKi1-CSA0

00:00 Introduction
01:09 Threat Modeling & Expertise
06:40 Security Concerns on Custom OS's
10:15 Favorite Episodes of Darknet Diaries
11:13 Listener Comments

---

🙋 Go ahead and leave some questions below for us to look at for SR203 this weekend! (Note: We record on Friday nights in the US, so it's highly recommended to leave all questions by noon on Friday in the US) 

It can be about a specific story, a general question about privacy/security, a question about the world, a question you tried last week, or anything else. Due to time constraints, we can't promise that we'll get to yours, but we appreciate all of them!

To receive these posts via RSS, get your own custom link using these instructions.


Comments

What do you think of Consumer Reports' new app for data privacy? Stack Overflow just covered it: https://stackoverflow.blog/2024/11/22/the-app-that-helps-you-exercise-your-privacy-rights/

M

Do you guys have any recommendations for syncing and backing up your contacts? I figure most people just use the Apple or Google ecosystems to do this, but using a custom Android ROM and Proton Mail leaves me with two different sets of contacts. It would be nice to have a single source of truth in regard to my contacts. I know Proton has a backup feature built into their Mail app to back up your phone contacts, but it doesn't sync your Proton contacts to your phone. Any suggestions on this?

Coffee Horse

A couple of questions prompted by your prior content: In Nate's 2021 post "Staying informed without big tech", only 2 privacy-respecting RSS options are listed: Tiny Tiny RSS and Thunderbird. Do you think this still applies today, or has the selection expanded since? Also, per the same blog post, do you think Nitter is still the best way to privately view Twitter content? It seems that as a result of a "vendor lock-in" of sorts, many leading cybersecurity professionals still remain on the platform because of the following they've built up on it in prior years. One or both of you sometimes say "mass surveillance does not work". Could you clarify how you believe it fails? Is it a mechanistic assessment, such as that it produces vast amounts of inconclusive data that are not of sufficient quality to develop into actionable "tip-offs" for authorities to act on? Or is it an empirical assessment that, to the extent comparison free of confounding factors is possible, scope and scale of mass surveillance do not correlate with reduced criminality? Or is it that underlying structural factors remain despite mass surveillance, giving rise to more criminal activity to replace the one thwarted by surveillance, resulting in a whack-a-mole cycle instead of a more permanent reform-driven solution? Or is it something else?

David Johnson

Hi SR Crew! I’ve been staying away from using voice assistants. I did not trust them to keep my voice data private and we’ve seen a few companies break their promises in this regard. Recently I learned that smartphones can do many of the voice assistant tasks on device. 1. How do you see the space, currently? Which of the well-known services are private and which are not? 2. Are there ways to use Apple’s Siri in a private manner? How to set this up?

Frank S

One of the most prevalent issues I have encountered with how privacy is approached sometimes is the mindset many have, and admittedly sometimes I have unfortunately, of "Well they have everything anyways at this point, so what can I even do about it now" which is sort of a sunk cost fallacy. I have been watching Techlore and other privacy / security channels since I was a late teen, however I still made mistakes and use Google and Windows primarily because of how long I've been in those ecosystems and it feels like leaving wouldn't matter as much as I would want it to (not to mention the difficulty of doing so now). I would ideally want to be able to clean up my tracks from the past mistakes and sort of get somewhat of a fresh start knowing what I know now. I guess what I'm getting at in saying all of this is two questions. What would be the argument against the mindset where you feel like you're too deep in to meaningfully take control of your data? And secondly, what steps can you take to clean up past mistakes in how you treated your data and are there any guides for doing so with common platforms / ecosystems?

Ken

Two contrasting questions connected to "security through obscurity". 1. What is your opinion of "security by being different from the majority of users" variety of "security by obscurity" and what do you think are good ways to employ it for computer privacy/security? An example of this at the obviously worthwhile end of the spectrum would be changing default credentials such as U:"admin" PW:"admin". At the opposite end of the spectrum would be using some very obscure and untested tools or trying to build your own where thoroughly tested private and open-source ones are already available (e.g. Signal). The old argument of "macs don't get viruses" (because far more abundant Windows PCs offer higher returns on investment for exploit developers) would fall in the same category. The same dispute would apply to the "MTProto" encryption scheme of Telegram that has not been subject to as many researchers' cryptanalytic attacks as those of Signal for example. Overall, it seems that if you are not relying on the most common configuration and hardware/OS/software choices, you are less susceptible to automated data-stealer and malware-implanting scripts employed by cybercriminals en masse to streamline exploitation of the most typical software choices and configurations. On the other hand, uncommon tools will have received less scrutiny and have more (or more easily discoverable) unpatched vulnerabilities. Thus, it seems like a trade-off of not getting a lot of scrutiny from either attackers or defenders. What is your opinion of this category of strategies, and how do you or other people in the privacy/security community whom you know and respect use it? 2. What is your opinion on and approach towards the opposite of the interpretation of "security by obscurity" as not standing out from the majority; let's say "scrutiny by mutiny" if there isn't a term for it already? 
In other words, there are no-brainer extreme examples like using Western technology platforms in North Korea or the non-criminal use of An0m-like honeypots in the West that are sure to get one undeserved and unwanted scrutiny. However, there are occasional far milder examples; for instance, one of the earlier SR episodes mentioned French authorities describing the use of mainstream E2EE messengers in itself as amounting to something of a "probable cause". (By the way, the EU seems to present a contrasting pairing of a greater support for privacy coupled with a greater hostility to encryption than the US; do you agree with this assessment based on your reporting, and, if so, why do you think that is so? Do you think the former comparatively hamstrings EU authorities in their ability to circumvent the latter by tapping the corporate data store?) Obviously, this aspect of threat modeling will be very different for someone living under a totalitarian regime, but do you worry about unwanted scrutiny as you progress further and further on your legitimate privacy journey in the US without breaking any laws? And if so, what are you concerned about most and what do you think the best ways to avoid it are?

David Johnson

