#threatmodelingmanifesto
tuxwise<p>(19/N) Let's now turn to the third question of the <a href="https://mastodon.de/tags/ThreatModelingManifesto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatModelingManifesto</span></a>: </p><p><strong>3. What are you going to do about it?</strong></p><p>It pays to first establish a few constraints for what you can do, in theory, by <a href="https://mastodon.de/tags/classifying" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>classifying</span></a> your <a href="https://mastodon.de/tags/assets" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>assets</span></a>. Again, for an individual human being, as opposed to organizations or companies, it's nearly impossible to impose principles like <a href="https://mastodon.de/tags/ZeroTrust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ZeroTrust</span></a> or <a href="https://mastodon.de/tags/NeedToKnow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NeedToKnow</span></a> on personal relationships, the closer they get.</p><p>So, avoid recycling terms from popular, but less intuitive schemes: Fanciful intelligence labels like “top secret”, “confidential”, or “unclassified” do not tell you what goes into the respective box, and how to handle access to it.</p><p>Add another column to your assets spreadsheet, label it "Classification", and pick a more human-centered approach for its values, like:</p><ul><li>For Your Eyes Only (FYEO)</li><li>Intimate</li><li>None Of Your Business (NOYB)</li><li>Shared</li><li>Public</li></ul><p>Let's briefly go through these suggestions:</p><p><strong>For Your Eyes Only (FYEO)</strong></p><p>Assets that are only accessible to, and controlled by nobody but you, because they need to be resilient, even in the face of the closest of your close people misbehaving.
Preferably, these assets are kept publicly undetectable and unknown. When <em>you</em> are gone, these assets will be gone, too. FYEO does not make a good default class, though.</p><p>Start of this thread:<br><a href="https://mastodon.de/@tuxwise/113503228291818865" translate="no" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.de/@tuxwise/113503228</span><span class="invisible">291818865</span></a></p><p><a href="https://mastodon.de/tags/ThreatModeling" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatModeling</span></a> <a href="https://mastodon.de/tags/4D" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>4D</span></a></p>
tuxwise<p>(8/N) For now, leave your spreadsheet of assets alone and turn to the second question of the <a href="https://mastodon.de/tags/ThreatModelingManifesto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatModelingManifesto</span></a>:</p><p><strong>2. What can go wrong?</strong></p><p>The answer usually includes a list of adversaries, so you can later consider which ones you stand a chance fighting, if you think it's worth it.</p><p>Again, this may be helpful for corporations, but not that much for individuals, since damage done to individuals can be much deeper, and last for much longer, even for life.</p><p>So, let's rather consider abstract categories of adversaries from a perspective of what their primary goals are, and what they usually do to achieve them. We don't bother with specific bad actors here, nor are we considering how to "help them" via psychotherapy, legislation, imprisonment or campaigning, at this point in time.</p><p>First, the list:</p><ul><li>🤷 You, and people like you</li><li>💰 <a href="https://mastodon.de/tags/Criminals" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Criminals</span></a></li><li>☝️ <a href="https://mastodon.de/tags/Ideologues" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ideologues</span></a></li><li>🫳 <a href="https://mastodon.de/tags/Intruders" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Intruders</span></a></li><li>🦕 <a href="https://mastodon.de/tags/Business" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Business</span></a>(i)es</li><li>🏢 “<a href="https://mastodon.de/tags/They" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>They</span></a>”</li></ul><p>A few thoughts, on each category:</p><p><strong>🤷 You, and people like you</strong></p><p>You and others prefer to keep asset protection efforts to a
minimum. You tend to take the integrity of your assets for granted, hoping that others will respect your boundaries, either out of respect for you or because of legal regulations and repercussions. Your attitude towards handling the assets of others is equally shortsighted and careless.</p><p>As a result, your digital assets stay exposed, and you're putting others at risk, too.</p><p>(to be continued)</p><p>Start of this thread:<br><a href="https://mastodon.de/@tuxwise/113503228291818865" translate="no" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.de/@tuxwise/113503228</span><span class="invisible">291818865</span></a></p><p><a href="https://mastodon.de/tags/ThreadModeling" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreadModeling</span></a> <a href="https://mastodon.de/tags/4D" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>4D</span></a></p>
tuxwise<p>(2/N) The "<a href="https://mastodon.de/tags/ThreatModelingManifesto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatModelingManifesto</span></a>" is a great framework for businesses and organizations. Applying it to a more private context becomes easier for me when I make its key questions more personal:</p><ol><li>What are you working on?</li><li>What can go wrong?</li><li>What are you going to do about it?</li><li>Did you do a good enough job?</li></ol><p>Next two posts will cover my answers to 1).</p><p><a href="https://www.threatmodelingmanifesto.org/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">threatmodelingmanifesto.org/</span><span class="invisible"></span></a></p><p>Note: Essentially, the <a href="https://mastodon.de/tags/4D" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>4D</span></a>​s are my answers to 3).</p><p><a href="https://mastodon.de/@tuxwise/113503228291818865" translate="no" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.de/@tuxwise/113503228</span><span class="invisible">291818865</span></a></p><p><a href="https://mastodon.de/tags/ThreatModeling" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatModeling</span></a> <a href="https://mastodon.de/tags/4D" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>4D</span></a></p>