search

audibleblink / cryptoparty

Collection of outlines, walkthroughs, and talks about communicating securely in a surveillance state
3 stars 0 forks source link

Threat Modeling Topic #6

Open sgharms opened 7 years ago

sgharms commented 7 years ago

I saw a really good presentation about threat modeling. I think that this repository needs to help the lay community understand how their understanding of threat model (although, let's shy away from being too jargon-laden) defines what appropriate precaution is.

I want them to know when to TOR or not, not go full-tinfoil-hat.

audibleblink commented 7 years ago

Is that something we can cover independently in the walkthroughs? (see 1st 3 sections of keybase walkthrough) I'm wondering if we can demonstrate the threat model in specific contexts (email, sms, phone conversations). Threat modelling is a great practice when you know your adversaries and/or your wanting to harden something you know is at risk. If this repo is for the layperson, I feel like we should speak to the reader and say 'this is how your specific actions are risk'.

Please do challenge me if you feel otherwise. I'm hoping to make something new here and not just another document dump that overwhelms newcomers but I'm just taking a pedagogical shot in the dark.

@tannerwelsh feel free to chime in also, I know this is your jam :)

sgharms commented 7 years ago

Keeping in mind that we're approaching a lay audience I want to avoid that they go home and encypt all the things and go full tinfoil hat.

Threat Modeling can be explained in a non-jargon way, I content, so that the "OMG I'M SO SCREWED" impulse gets tamed.

mathonsunday commented 7 years ago

The EFF Survellience Self Defense section on threat modeling is really good and accessible.

I think everyone is capable of creating their own threat model, even if there are gaps in their knowledge. Putting recommendations within the context of someone creating their threat model is really great for not making them feel like they have to do all the things.

I"m wary of you just integrating threat modeling into the other walkthroughs because if you are not a member of certain marginalized groups you will have huge blind spots as to what should go into someone's threat model. You can bring up some common scenarios (ex. geotagging in social media posts) if you don't want to put the onus on the reader to create their own threat model from scratch. But you would need to get a lot of feedback from people in your target audience on those common scenarios to make sure they are the right ones to focus on.