Meine Datenschutz und Privatsphäre Übersicht 2025, für Jedermann

Teilen er­be­ten !

als PDF Datei:

https://cryptpad.digitalcourage.de/file/#/2/file/8os68Lk8YMPfPi1UvHYtTTQI/

 #DSGVO #TDDDG ( #unplugtrump )
#Datenschutz #Privatsphäre #sicherheit #Verschlüsselung
#encryption #WEtell #SoloKey #NitroKey #Email #Cybersecurity #Pixelfed #Massenűberwachung #Leta
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Apple #Windows10 #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #OpenAndroidInstaller
#Digitalisierung #FragdenStaat #Shiftphone  #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification
#Bloatware #TPM #Murena  #LiberaPay #GnuTaler #Taler #PreppingforFuture
#FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz

Looking at some #AI generated #threatmodel output and it listed stealing a user's credentials and using them in the "Spoofing" category. I was uncertain. Is that spoofing or elevation of privilege. So I wander over to a #microsoft page on #stride.

They say it's spoofing, which is fine. It's reasonable. I don't care as long as we all agree.

But in that table, that's literally the only example of spoofing. There are a LOT of other kinds of things that could be called spoofing. If you're gonna have only one example of spoofing, I don't think stealing credentials is the best example.

I have seen a lot of efforts to use an #LLM to create a #ThreatModel. I have some insights.

Attempts at #AI #ThreatModeling tend to do 3 things wrong:

1. They assume that the user's input is both complete and correct. The LLM (in the implementations I've seen) never questions "are you sure?" and it never prompts the user like "you haven't told me X, what about X?"
2. Lots of teams treat a threat model as a deliverable. Like we go build our code, get ready to ship, and then "oh, shit! Security wants a threat model. Quick, go make one." So it's not this thing that informs any development choices during development. It's an afterthought that gets built just prior to #AppSec review.
3. Lots of people think you can do an adequate threat model with only technical artifacts (code, architectuer, data flow, documentation, etc.). There's business context that needs to be part of every decision, and teams are just ignoring that.

1/n

Meine Datenschutz und Privatsphäre Übersicht 2025, für Jedermann

Teilen er­be­ten

als PDF:

https://cryptpad.digitalcourage.de/file/#/2/file/iLDoTt03wkGUL3dA39ScX6hV/

 #DSGVO #TDDDG ( #unplugtrump )
#Datenschutz #Privatsphäre #sicherheit #Verschlüsselung
#encryption #WEtell #SoloKey #NitroKey #Email #Cybersecurity #Pixelfed #Massenűberwachung
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Apple #Windows #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #Digitalisierung #FragdenStaat #Shiftphone  #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification
#Bloatware #TPM #Murena  #LiberaPay #GnuTaler #Taler #PreppingforFuture
#FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit

Teilen er­be­ten

als PDF:

https://cryptpad.digitalcourage.de/file/#/2/file/NdmBgSYkRCto8B+JmJkE9mQ4/

 #DSGVO #TDDDG ( #unplugtrump )
#Datenschutz #Privatsphäre #sicherheit #Verschlüsselung
#encryption #WEtell #SoloKey #NitroKey #Email #Cybersecurity #Pixelfed #Massenűberwachung
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Apple #Windows #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #Digitalisierung #FragdenStaat #Shiftphone  #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification
#Bloatware #TPM #Murena  #LiberaPay #GnuTaler #Taler #PreppingforFuture
#FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz

Fediverse. I need your magic. Please tell me your most amusing and wtf #ThreatModel fails.

Redundant systems is not waste or inefficiency. It is protection from threats known and unknown. We are now seeing this on a national and global scale.
#threatModel #infoSec
#zeroTrust?

Playing with phanpy.social, it seems that authorizing new apps to access mastodon doesn't require a two factor auth code.

While I haven't fully threat modeled it (you're already logged into the browser, so someone with browser access may not represent a shift in trust boundary, it feels off.

Does your threat model include your employee's cat?

https://www.theregister.com/2023/10/05/hospital_cat_incident/

Giving Your Cloud Credentials to Another Cloud Provider
~~
ACM.323 How does this affect your quantifiable risk score?
~~
#AWS #Azure #DevOps #Could #Security #Credentials #Roles #Risk #ThreatModel

https://medium.com/cloud-security/giving-your-cloud-credentials-to-another-cloud-provider-738f2a368164

Handling Credentials Generically in a Custom Lambda Runtime
~~
ACM.307 Also, threat modeling use of local credentials in relation to the LastPass breach
~~
#lambda #credentials #runtime #testing #attack #threatmodel #lastpass #breach

https://medium.com/cloud-security/handling-credentials-generically-in-a-custom-lambda-runtime-750b3580dba8

#passkeys #fidokeys #passwords #threatmodel what is the actual difference #fido2 #yubikey

Thinking Differently About Passkeys New Threats Require a New Threat Model

https://www.youtube.com/watch?v=mxGczv1-XlE

Anyone have "vendor can't make payroll because of bank run" in their table top threat exercises?

It should be part of a Disaster Recovery plan for business, but I can see some interesting CyberSecurity angles to it.

I may just be overly paranoid, but seeing QR codes in TV Advertisements just triggers my InfoSec brain on a whole different level. We've spent so long training people not to open random files and emails and such and then we start seeing marketing people just throw random codes on a screen and expect people to scan away...