Threat Modeling: Library Freedom Edition
Morgan Marquis-Boire (@headhntr) & Eva Galperin (@evacide)

Posted 09-Aug-2015



Who are we?

What are we talking about?

What the hell is threat modeling?

How do you do it?

What makes this trickier than it looks?

Librarians are doing it for themselves

How not to go crazy

What the hell is threat modeling?

1. What do you want to protect? (ASSETS)

2. Who do you want to protect it from?

3. How likely is it you will need to protect it?

4. How bad are the consequences if you fail?

5. How much trouble are you willing to go through in order to prevent those consequences?

What do you need to know?

Assets / Adversary / Threat / Capability / Risk
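The five questions above, and the assets / adversary / capability / risk vocabulary, can be turned into a small worksheet that ranks what to deal with first. The script below is an added illustration, not code from this talk or from EFF: the ordinal scales, the scoring rule (likelihood times consequence), the `Threat` class and the sample library scenario are all constructed for the example. The point it shows that the slides alone do not is question 5 as a decision rule: the same worksheet yields a different plan depending on how much trouble you are willing to go through.

```python
"""The five threat-modeling questions as a prioritisation worksheet.
Added illustration: scales, scoring, class names and the sample
scenario are all constructed for this example, not taken from the talk."""
from dataclasses import dataclass

# Ordinal scales keep the arithmetic honest: nobody has a real probability
# for "someone asks for our records", but "rare < possible < likely" is a
# question a librarian can actually answer.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
CONSEQUENCE = {"annoying": 1, "serious": 2, "catastrophic": 3}
EFFORT = {"trivial": 1, "moderate": 2, "painful": 3}


@dataclass
class Threat:
    asset: str          # 1. What do you want to protect?
    adversary: str      # 2. Who do you want to protect it from?
    likelihood: str     # 3. How likely is it you will need to protect it?
    consequence: str    # 4. How bad are the consequences if you fail?
    mitigation: str     # what you would do about it
    effort: str         # 5. How much trouble is that mitigation?

    def risk(self) -> int:
        """Risk = likelihood x consequence on the 1..3 scales (range 1..9)."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def rank_threats(threats):
    """Highest risk first; ties broken in favour of the cheaper mitigation."""
    return sorted(threats, key=lambda t: (-t.risk(), EFFORT[t.effort]))


def worth_doing(threat, max_effort="moderate", min_risk=3):
    """Question 5 as a rule: act when the risk is high enough AND the
    mitigation costs no more trouble than you are prepared to take on."""
    return threat.risk() >= min_risk and EFFORT[threat.effort] <= EFFORT[max_effort]


def plan(threats, max_effort="moderate"):
    """Split a ranked worksheet into (do_now, accept) lists."""
    ranked = rank_threats(threats)
    do_now = [t for t in ranked if worth_doing(t, max_effort)]
    accept = [t for t in ranked if not worth_doing(t, max_effort)]
    return do_now, accept


# Constructed sample: one small public library's worksheet.
SAMPLE = [
    Threat("patron borrowing records", "law enforcement request", "possible",
           "serious", "purge loan history once items are returned", "moderate"),
    Threat("public PC browsing history", "the next patron at the desk", "likely",
           "serious", "wipe the session on logout", "trivial"),
    Threat("staff email", "well-resourced intelligence agency", "rare",
           "catastrophic", "separate offline workstation for all mail", "painful"),
    Threat("branch Wi-Fi traffic", "someone on the same network", "likely",
           "annoying", "force HTTPS on the public PCs", "trivial"),
]

if __name__ == "__main__":
    do_now, accept = plan(SAMPLE)
    for t in do_now:
        print(f"DO NOW  risk={t.risk()}  {t.asset} vs {t.adversary}: {t.mitigation}")
    for t in accept:
        print(f"ACCEPT  risk={t.risk()}  {t.asset} vs {t.adversary}")
```

With the default "moderate" appetite for trouble, the nation-state threat to staff email ends up in the accept list despite its catastrophic consequence: it is rare, and the only mitigation on the sheet is painful. Calling `plan(SAMPLE, max_effort="painful")` moves it into the do-now list, which is the "nihilists vs. vegans" difference later in the talk expressed as one parameter.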

Surveillance is magic.

VS

COST = $0

COST = $$

Replenishing the minibar? Or...

COST = $$$

COST = PRICELESS

Those are the types of actors, but who are the players?

High End

FVEY (US / UK / CA / AU / NZ), Israel, China, Russia, France, etc. etc. etc.

Artisanal, Small-Batch, Locally made, home grown...

Commercial Market

● Law Enforcement

● Intelligence agencies

● Security companies

Pay for tools

Pay per job

Gotta get paid, yo

Attacker resources ($$$$) vs target value

Surveillance Starts at Home

Stalkers

“When we share information, we are building power of our own. Potential harassers may be deterred by the thought that we are both capable of and willing to turn the eye of internet surveillance back on them.”

Liz Henry, Model View Culture, “Investigation Online: Gathering Information to Assess Risk”

Amina Arraf: a gay girl in Damascus

Tom MacMaster: middle aged guy in Scotland

Domestic abuser

I smell a RAT

StealthGenie

Other kinds of criminals

“Before his gauche upload, he posted a picture of his lobster salad and tagged the restaurant.”

New York Post

Hey teacher, leave those kids alone

“One day soon, home room teachers in your local middle and high schools may stop scanning rows of desks and making each student yell out ‘Here!’ during a morning roll call. Instead, small cards, or tags, carried by each student will transmit a unique serial number via radio signal to an electronic reader near the school door.”

AT&T advertising brochure

The blended threat landscape

Not discrete categories: many delicious flavors!

Risk

Different appetites for risk

Meet the nihilists

Alaa Abdel Fattah says “Come at me, bro.”

Meet the vegans

Further reading

What Every Librarian Should Know About HTTPS: https://www.eff.org/deeplinks/2015/05/what-every-librarian-needs-know-about-https

Surveillance Self-Defense: https://ssd.eff.org

COMSEC: Beyond Encryption: https://grugq.github.io/presentations/COMSEC%20beyond%20encryption.pdf

Digital First Aid Kit: http://digitaldefenders.org/digitalfirstaid/