Difference between revisions of "Threat modeling the quick and dirty way"

From Gender and Tech Resources

m (Journalist, observer or sousveillant in europe)
m
 
(21 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
== Basic choreography ==
 
== Basic choreography ==
 
+
Steward Brand: Build a room
=== Step 1. Set up a table ===
+
=== Set up a table ===
 
The first column contains a short description of the threat, the second the likelihood of it occurring, the third what impact it would have if it did happen, and the fourth an assessment (grade) of the time and energy you would need to protect yourself from the threat (for instance you can have no stars denote that there is no protection from that threat, hence it will cost nothing (except for the cost of the impact if it did happen).
 
The first column contains a short description of the threat, the second the likelihood of it occurring, the third what impact it would have if it did happen, and the fourth an assessment (grade) of the time and energy you would need to protect yourself from the threat (for instance you can have no stars denote that there is no protection from that threat, hence it will cost nothing (except for the cost of the impact if it did happen).
  
=== Step 2. Fill in the table ===
+
=== Fill in the table ===
I recommend doing a brainstorm on threats as initial filling of the threat columns in the table, before thinking about the other columns.
+
I recommend doing iterative brainstorming on "known and experienced threats" as initial filling of the first column in the table, before thinking about the other columns.
 +
 
 +
=== Reorder the list according to your set of priorities ===
 +
Choose your ordering strategy carefully. Several strategies are possible.
 +
* If this is a learning experience or you are a fan of "only time for putting out fires" cultures, no need for ordering.
 +
* In a low risk environment (no immediate death threats) an "on demand" strategy works well. In this strategy you can use "low hanging fruit" and set up protection for items with a big impact and/or high likelihood of occurrence first.
 +
* In a high risk environment or if any of the items in the list of possible impacts reads " loss of life" or some life-altering experience or you have turned procrastination into an art, best choose an "anticipating strategy", meaning do more research and detailed [[scenario planning]] (food for thought) to find possible [[Threats, detection, protection and (counter) moves|threats and solutions]] overlooked (food for gut).
 +
 
 +
== Examples ==
 +
 
 +
=== Silicon Valley first world problems ===
  
 
{| class="wikitable sortable"
 
{| class="wikitable sortable"
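Review bot: The "Set up a table" paragraph kept by this revision opens two parentheses and closes only one ("(for instance you can have no stars ... (except for the cost of the impact if it did happen)."), and it defines only the no-stars case of the Protection grade. Close the outer parenthesis and say what a higher star count means, since the example tables grade Protection in stars. In the added third bullet under "Reorder the list according to your set of priorities", the quoted phrase " loss of life" carries a stray leading space.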
Line 29: Line 39:
 
|}
 
|}
  
=== Step 3. Reorder the list according to your set of priorities ===
+
=== Journalist, observer or sousveillant in europe ===
Choose your ordering strategy carefully. Several strategies are possible.
+
A general counter strategy against police misconduct, abuse and brutality has been recording what happens during a protest. This of course, has gotten the police to target (citizen) journalists and observers overtly and covertly. And it is not just the police and government that are interested in us and our data.  
* If this is a learning experience or you are a fan of "only time for putting out fires" cultures, no need for ordering.
+
* In a low risk environment (no immediate death threats) an "on demand" strategy works well. In this strategy you can use "low hanging fruit" and set up protection for items with a big impact and/or high likelihood of occurrence first.  
+
* In a high risk environment or if any of the items in the list of possible impacts reads " loss of life" or some life-altering experience or you have turned procrastination into an art, best choose an "anticipating strategy", meaning do more research and detailed scenario planning to find possible [[Threats, detection, protection and (counter) moves|threats and solutions]] overlooked.
+
 
+
== Examples ==
+
 
+
=== Protesting in the united states ===
+
  
 +
The below threats, if happens, make for loss of trust and reputation and that translates to loss of effectiveness as independent observer.
 
{| class="wikitable sortable"
 
{| class="wikitable sortable"
 
|-
 
|-
 
! Threat !! Likelihood !! Impact !! Protection
 
! Threat !! Likelihood !! Impact !! Protection
 
|-
 
|-
| || || ||  
+
| Metanoia & Paranoia || low || Metanoia (safety delusion) makes us sitting ducks and paranoia renders us ineffective. ||
|}
+
 
+
=== Protesting in the westbank and gaza strip ===
+
 
+
{| class="wikitable sortable"
+
 
|-
 
|-
! Threat !! Likelihood !! Impact !! Protection
+
| Physical attacks || medium ||  Physical damage/intimidation
 +
||   
 
|-
 
|-
| || ||  ||
+
| Arrest: That might include direct approaches such as intimidation and asking for information on sources. || medium ||  Physical danger to those sources.||
|}
+
 
+
=== Blogging from egypt ===
+
 
+
=== Journalist, observer or sousveillant in europe ===
+
A general counter strategy against police misconduct, abuse and brutality has been recording what happens during a protest. This of course, has gotten the police to target (citizen) journalists and observers overtly and covertly. And it is not just the police and government that are interested in us and our data.
+
 
+
The below threats, if happens, make for loss of trust and reputation.
+
{| class="wikitable sortable"
+
 
|-
 
|-
! Threat !! Likelihood !! Impact !! Protection
+
| Some contacts are named in reports, and some wish to remain anonymous. If we’re not careful, we might unintentionally disclose contact details or their location http://thenextweb.com/insider/2012/12/03/vice-leaves-metadata-in-photo-of-john-mcafee-pinpointing-him-to-a-location-in-guatemala/
 +
* Phishing
 +
* Guess/hack password
 +
* Metadata
 +
* Mobile trail
 +
|| high || Intimidation/attack/imprisonment of sources. ||*
 
|-
 
|-
| Paranoia and metanoia || medium || Metanoia (safety delusion) makes us sitting ducks and paranoia renders us ineffective. || The mental health charity "mind" describes fears as paranoid "when they are exaggerated and there is no evidence that they are true". The key to avoiding slipping into paranoia – and safety delusions – is to ensure that we have a realistic understanding of the risks involved in our role. These will vary, but there will always be risks.   
+
| Correspondence with contacts includes all sorts of information that we do not want others to know about.
 +
* Phishing
 +
* Guess/hack password
 +
|| medium || Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources.
 +
|| **
 
|-
 
|-
| Some contacts are named in reports, and some wish to remain anonymous. If we’re not careful, we might unintentionally disclose contact details or their location http://thenextweb.com/insider/2012/12/03/vice-leaves-metadata-in-photo-of-john-mcafee-pinpointing-him-to-a-location-in-guatemala/ || high || Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault. ||
+
| Email, social media accounts, websites, communication tools, a pile of passwords. Our passwords may be a used to attack others in our "organisation", and access information we don’t directly hold.
 +
* Phishing emails can be sent from our email or social media accounts to others.  
 +
* Passwords can be guessed.
 +
|| high || Followers on social media and people on mailinglists can get spammed.
 +
|| ****
 
|-
 
|-
| Correspondence with contacts includes all sorts of information that we do not want others to know about || high || Sensitive information can be accessed.
+
| All work-in-progress, files and documents which we couldn’t publish for all sorts of reasons (space, legality, protection of others).
<nowiki> </nowiki>Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault.
+
* Where are they? What forms do they have? Is there a security related documentation policy? Hey who is that man walking out the door with those files?
|| 
+
|| medium || Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources.
|-
+
 
| Email, social media accounts, websites, communication tools, a pile of passwords || high || Our passwords may be a means to attack others in our "organisation", and access information we don’t directly hold.
+
Intimidation/attack/imprisonment of sources.
<nowiki> </nowiki>Phishing emails can be sent from our email or social media accounts to others.
+
|| *
||
+
|-
+
| All work-in-progress, files and documents which we couldn’t publish for all sorts of reasons (space, legality, protection of others) || high || Sensitive information can be accessed.  
+
<nowiki> </nowiki>Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault.  
+
||  
+
 
|-
 
|-
| If we use computers in any way (including phones and even photocopiers) we can safely assume we are being recorded || high ||  Identification of sources through other data, e.g. your location, phone or email records
+
| If we use computers in any way (including phones and even photocopiers) we can safely assume we are being recorded. Can lead to identification of sources through other data, our location, phone or email records.
||  
+
* Metadata
 +
* Computer forensics
 +
|| high ||  Intimidation/attack/imprisonment of sources.
 +
|| *
 
|-
 
|-
 
| It may not be our activities they are interested in, but our reach. An example of this was the Syrian Electronic Army targeting E! Online http://ohnotheydidnt.livejournal.com/77479774.html || medium ||  Publication of hoax information on content management systems (the news website) and social media accounts
 
| It may not be our activities they are interested in, but our reach. An example of this was the Syrian Electronic Army targeting E! Online http://ohnotheydidnt.livejournal.com/77479774.html || medium ||  Publication of hoax information on content management systems (the news website) and social media accounts
||  
+
|| ***
 
|-
 
|-
| Legal attacks: That might include direct approaches such as subpoenas demanding that you reveal a source or court orders to pass over footage, but increasingly it might also include indirect approaches, to companies holding your information.
+
| Legal attacks include direct approaches such as subpoenas demanding that we reveal a source, or court orders to pass over footage, and increasingly might also include indirect approaches, to companies and organisations holding your information.
  || medium ||  Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault.
+
  || medium ||  Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault.
||  
+
|| **
 
|}
 
|}
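Review bot: In the rewritten "Email, social media accounts, websites, communication tools, a pile of passwords" row, "Our passwords may be a used to attack others" is a leftover from the old wording "may be a means to attack others"; drop the "a". The Impact cell of that row now lists only spam to followers and mailing lists, while access to information we don't directly hold has moved into the Threat cell, so check that the split between Threat and Impact is what you intend. The added "Physical attacks" and "Arrest" rows leave Protection empty, which under the page's own convention reads as "no protection exists"; say so explicitly or grade them.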
  
Line 97: Line 99:
 
* [[Timeline merchants of death]]
 
* [[Timeline merchants of death]]
 
* [[Threats, detection, protection and (counter) moves]]
 
* [[Threats, detection, protection and (counter) moves]]
 +
 +
== References ==
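Review bot: The added "== References ==" heading has nothing under it in this hunk, while the example tables cite their sources as bare inline URLs. Either move those links into references listed under this heading or leave the heading out until there is something to list.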

Latest revision as of 14:40, 9 October 2015


Basic choreography

Steward Brand: Build a room

Set up a table

The first column contains a short description of the threat, the second the likelihood of it occurring, the third what impact it would have if it did happen, and the fourth an assessment (grade) of the time and energy you would need to protect yourself from the threat. For instance, you can have no stars denote that there is no protection from that threat, hence it will cost nothing (except for the cost of the impact if it did happen).

Fill in the table

I recommend doing iterative brainstorming on "known and experienced threats" as the initial filling of the first column in the table, before thinking about the other columns.

Reorder the list according to your set of priorities

Choose your ordering strategy carefully. Several strategies are possible.

  • If this is a learning experience or you are a fan of "only time for putting out fires" cultures, no need for ordering.
  • In a low risk environment (no immediate death threats) an "on demand" strategy works well. In this strategy you can use "low hanging fruit" and set up protection for items with a big impact and/or high likelihood of occurrence first.
  • In a high risk environment, or if any of the items in the list of possible impacts reads "loss of life" or some life-altering experience, or you have turned procrastination into an art, best choose an "anticipating strategy", meaning do more research and detailed scenario planning (food for thought) to find possible threats and solutions overlooked (food for gut).
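
The three steps above (set up, fill in, reorder) as a runnable sketch, added here and not part of the original wiki page: it parses rows written in the page's wikitable row format, picks a strategy, and applies an "on demand" ordering. The sample rows are shortened from the journalist table further down; the trigger phrases and the ranking rule (likelihood first, then fewest stars) are assumptions, since the page does not grade impact.

```python
# Added example, not from the wiki page. Rows are shortened from its journalist
# table; row syntax is: | threat || likelihood || impact || protection stars
ROWS = """\
| Metanoia & Paranoia || low || Paranoia renders us ineffective. || *
| Physical attacks || medium || Physical damage/intimidation ||
| Arrest || medium || Physical danger to those sources. ||
| Unintentional disclosure of contacts || high || Intimidation/attack/imprisonment of sources. || *
| Correspondence with contacts || medium || Sensitive information can be accessed. || **
| Accounts and passwords || high || Followers can get spammed. || ****
| Reach (hoax publication) || medium || Publication of hoax information || ***
"""

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
# Assumption: phrases that mark an impact as loss of life or life-altering.
LIFE_ALTERING = ("loss of life", "imprisonment", "assault", "physical danger")

def parse_rows(text):
    """Split wikitable rows into dicts; cost is the number of stars."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("| "):
            continue  # skip table open/close, headers and row separators
        cells = [c.strip() for c in line[1:].split("||")]
        cells += [""] * (4 - len(cells))  # tolerate a missing last cell
        threat, likelihood, impact, stars = cells[:4]
        rows.append({"threat": threat, "likelihood": likelihood.lower(),
                     "impact": impact, "cost": stars.count("*")})
    return rows

def choose_strategy(rows):
    """'anticipating' if any impact reads as life-altering, else 'on demand'."""
    for row in rows:
        if any(p in row["impact"].lower() for p in LIFE_ALTERING):
            return "anticipating"
    return "on demand"

def on_demand_order(rows):
    """Low hanging fruit: most likely first, then cheapest protection.
    Rows without stars have no known protection and are returned separately."""
    actionable = [r for r in rows if r["cost"] > 0]
    unprotected = [r for r in rows if r["cost"] == 0]
    actionable.sort(key=lambda r: (-LIKELIHOOD.get(r["likelihood"], 0), r["cost"]))
    return actionable, unprotected

if __name__ == "__main__":
    table = parse_rows(ROWS)
    print("strategy:", choose_strategy(table))
    todo, research = on_demand_order(table)
    for r in todo:
        print(f'{r["likelihood"]:<7}{"*" * r["cost"]:<6}{r["threat"]}')
    print("no known protection:", [r["threat"] for r in research])
```

The rows returned separately are the ones to take into scenario planning, because the table offers nothing to set up for them yet.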

Examples

Silicon Valley first world problems

{| class="wikitable sortable"
|-
! Threat !! Likelihood !! Impact !! Protection
|-
| Having to drink || medium || Developer will drop dead within a week, deadline will not be made.

The human body needs water to survive. The maximum time an individual can go without water seems to be a week — an estimate that would certainly be shorter in difficult conditions, like broiling heat.
|| * Blend together half a gallon of water, three and a half tablespoons of macadamia nut oil and a 16-ounce bag of powder called Schmoylent. Then pour the beige beverage into jars and chill them before bringing the containers to work the next day http://timesofindia.indiatimes.com/tech/jobs/No-time-to-eat-Silicon-Valley-drinks-its-meals/articleshow/47424226.cms
|-
| Having to eat food || high || Developer will drop dead within three weeks, deadline will not be made.

A human can go for more than three weeks without food (Mahatma Gandhi survived 21 days of complete starvation)
|| * Blend together half a gallon of water, three and a half tablespoons of macadamia nut oil and a 16-ounce bag of powder called Schmoylent. Then pour the beige beverage into jars and chill them before bringing the containers to work the next day http://timesofindia.indiatimes.com/tech/jobs/No-time-to-eat-Silicon-Valley-drinks-its-meals/articleshow/47424226.cms
|-
| Needing sleep || high || Like breathing, sleep is essential to humans. It has even been said that one could survive three times longer without food than one could without sleep. One of the better known experiments on this subject, found that depriving rats entirely of sleep resulted in their death, or near-dying state, within 11-32 days (Everson et al. 1989). || ** No long term alternatives known, but the deadline is still four weeks off. We tried adding coffee and coke to the Schmoylent in the previous development cycle.
|-
| Bathroom breaks || high || How many times do people go to the bathroom per day? Loads, and all those little breaks can add up to an hour or two per developer per day. || ***** Implanting stomata. Costly. Management has suggested we need more surveillance equipment to study the problem of the breaks.
|}

Journalist, observer or sousveillant in Europe

A general counter strategy against police misconduct, abuse and brutality has been recording what happens during a protest. This, of course, has gotten the police to target (citizen) journalists and observers overtly and covertly. And it is not just the police and government that are interested in us and our data.

The threats below, if they happen, make for loss of trust and reputation, and that translates to loss of effectiveness as an independent observer.

{| class="wikitable sortable"
|-
! Threat !! Likelihood !! Impact !! Protection
|-
| Metanoia & Paranoia || low || Metanoia (safety delusion) makes us sitting ducks and paranoia renders us ineffective. || *
|-
| Physical attacks || medium || Physical damage/intimidation ||
|-
| Arrest: That might include direct approaches such as intimidation and asking for information on sources. || medium || Physical danger to those sources. ||
|-
| Some contacts are named in reports, and some wish to remain anonymous. If we’re not careful, we might unintentionally disclose contact details or their location http://thenextweb.com/insider/2012/12/03/vice-leaves-metadata-in-photo-of-john-mcafee-pinpointing-him-to-a-location-in-guatemala/
* Phishing
* Guess/hack password
* Metadata
* Mobile trail
|| high || Intimidation/attack/imprisonment of sources. || *
|-
| Correspondence with contacts includes all sorts of information that we do not want others to know about.
* Phishing
* Guess/hack password
|| medium || Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources. || **
|-
| Email, social media accounts, websites, communication tools, a pile of passwords. Our passwords may be used to attack others in our "organisation", and access information we don’t directly hold.
* Phishing emails can be sent from our email or social media accounts to others.
* Passwords can be guessed.
|| high || Followers on social media and people on mailing lists can get spammed. || ****
|-
| All work-in-progress, files and documents which we couldn’t publish for all sorts of reasons (space, legality, protection of others).
* Where are they? What forms do they have? Is there a security related documentation policy? Hey who is that man walking out the door with those files?
|| medium || Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources.

Intimidation/attack/imprisonment of sources.
|| *
|-
| If we use computers in any way (including phones and even photocopiers) we can safely assume we are being recorded. Can lead to identification of sources through other data, our location, phone or email records.
* Metadata
* Computer forensics
|| high || Intimidation/attack/imprisonment of sources. || *
|-
| It may not be our activities they are interested in, but our reach. An example of this was the Syrian Electronic Army targeting E! Online http://ohnotheydidnt.livejournal.com/77479774.html || medium || Publication of hoax information on content management systems (the news website) and social media accounts || ***
|-
| Legal attacks include direct approaches such as subpoenas demanding that we reveal a source, or court orders to pass over footage, and increasingly might also include indirect approaches, to companies and organisations holding your information. || medium || Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault. || **
|}
