Personal Threat Modelling

[Shoalsteed]

Who do you want to protect?

• Yourself and personal identity
• Your family
• Your team
• Clients if self employed
• Online personas

What do you want to protect?

• Reputation ( self and work)
• Privacy and control over what is accessing your data and traffic
• development environment
• crypto transactions
• crypto wallet
• laptop/ computer/ devices
• content held on machines/ devices connecting and communicating with network and properties
• online accounts and passwords
• collaborative work

Who are you protecting this from?

• ISP
• network observers ( Big Data, Government agencies)
• online abusers (trolls, hackers, adversaries)
• online phishing meant to steal or subvert information or finances
• people who could physically access your connected machine/ device
• people/ a person whom you have an abusive personal relationship with who is trying to harm/ control/ access your information.

What do you stand to lose and how severe would that loss be?

• What are you willing to do to prevent or reduce these consequences?
• Do you have support?
• What do you have in place to protect online assets? (two factor, PGP for identity)

Trust of Individuals

• Who do you communicate with?
• What are circumstances? What do you share - do you maintain a nym?
• If you work in a hostile situation, how are you managing trust among your group?
• What platform do you use? Does that platform have proper security or protections for private communication?
• Consider risk scale for different scenarios ( ie friends, strangers on forums, workplace)
• Have you had any reasons to worry about your online activities or your devices?

[Shoalsteed]

Encryption is the process of making data unreadable and prevent unauthorized access.

No encryption Any third party can intercept data and read it as-is. Often called "plaintext."

Standard encryption: Data is encrypted so that third parties cannot read it, but the platform being used to send the data can decrypt, and read it. The platform may also hand the data to courts or government agencies if ordered to do so.

End-to-end encryption Only the original sender and receiver can read the data. The platform being used to send the data only has the encrypted, unreadable version. If courts or government agencies order the platform to hand over the data, there is nothing useful to hand over.

Metadata Metadata is the information available in data. For example, the metadata for a phone call includes the number called and the length of the call, photos include EXIF data. If enough metadata is available, an adversary can gain insight into a persons location, interests, and more.

[Shoalsteed]

Is Using I2P Illegal?

I2P routers blindly route traffic, and your ip address showing up on a criminal's machine doesn't incriminate you. If routing "illegal" traffic were a crime, then every internet router on earth is guilty.

"Most times you would have to worry about running i2p is when you're already on the radar of powerful political adversaries and they need an excuse to go after you. i2p could be held up as "this guy has something to hide" and make you a target for further investigation. But running i2p alone is not a crime and I would expect any attempts to claim it is one, to be very few in Europe/US."

Encryption

https://www.gp-digital.org/world-map-of-encryption/

Content Illegal activity is illegal activity. Keep in mind that if you are distributing content that is illegal, jump service operators will most likely not connect people to your content. People operating these services do not want their service associated with illegal content. The community does not seek to be further targeted by poor reputation.

[Shoalsteed]

added to git book , keeping open until that section is complete

[Shoalsteed]

Add Community Threat Modelling section

[Shoalsteed]

Community Threat Modelling

Online community spaces are a challenge to moderate. Moderators often need to take the running with scissors approach of using reactive measures dealing with abuse of forums, trolling, harassment of contributors or dealing with AI bot spam.

When done properly - where resources and proper dialogue and management among community facilitators occurs, strong, resilient and welcoming places for project adoption and growth occurs. However, when people are not capable of proper communication or are management averse, problems escalate, forums take on the dominant or incumbent voice, and people who desire and understand proper management of spaces or expect it will not participate or create their own space, leading to lost input, time lost and splintering of community. Especially in FOSS projects, it is important to ensure that community resources are created to maximize the diversity of contributors required to create technically sound, well designed and usable software with coordinated security and user outreach.

Forum and Dialogue Strategy and Tools Projects in overlay network spaces need to work dogfooding into community strategy so that they can test network functions. In some cases, community members only wish to communicate in these spaces.

Projects need to take into the account that there will always be new participants, they also should evaluate the technical capacity - and resource capacity limits that relying on strict dog fooding options present. Projects should not present new participants with a challenge and reward system so that they can be included. This approach will not work for most people who need a more barrier free way to communicate, or who require proper accessibility tools for sight, mobility. Also, FOSS relies on volunteers, so taking into account ease of access and a platform that includes some sort of persistence for scollback built in, feedback loops, and media to encourage greater capacity for engagement is preferred. Mobile friendly is a huge asset as well. Broader benefits include the ability to use video or do stage talks ( as Discord allows). Privacy and anonymity communication can not always limit itself to nyms and text. Relationship building still has dependencies on face to face interactions. I have personally had greater success and the most productive opportunities when participating face to face with people. I also have had people tell me that they are not comfortable with anonymous online forums because all to often there are trust issues with conduct. There is no technical substitute that will ever replace actual trust building mechanism that are innate to survival, take into account cultural norms or plain old gut reactions.

I include these things in a threat model topic because it is proven that without proper handling, maintaining and retaining contributors is difficult, and projects will silo dialogue in its community pipeline. This will over time further silo and in worst cases, create hostile opportunities for bad actors to gain influence in a small space. Just like ecosystems require a diverse requirement of species, minerals, bacteria, and seasonal rotation to thrive, so do our community spaces.

There is also a comment to be made about the throttling of in development that will occur via "works for me logic" - people not making use of new or popular communication options cannot consider building better accessibility into their own applications. And circling back, as feedback loops become tighter and more siloed, output does also. Sustainability issues in FOSS will point first at funding, but I will say from experience that providing evidence of healthy thriving diverse communities that are actively influencing development roadmaps affects adoption and the ability to attract funding. There is also a shift happening away from funding code first and the requirement to produce a code of conduct to ensure that funded people will have a positive experience, and that projects are actively doing outreach to include user research.

Where people can see that there is no place for them in a dialogue, where people can see that other contributors are harassed or bullied, where people can see that communities respond with assumption rather than curiosity and strike back with hostility over usability, FOSS projects will stagnate.

Productivity Nothing hurts productivity more than allowing bad actors to take over community spaces with drama, abusive language and targeted harassment. It is also important to balance motives and idealism in a way that also challenges motives and idealism. For example, if privacy function on a technical level is maximized by having as many people participating as possible, communities need to support and promote workflows for popular OS's. Calling people names, or implying that a person does not deserve privacy because they are not using specific tooling is a great way to make people go away and never come back.