#threadmodeling


(13/N) The sixth, and last, category of adversaries:

🏢 “They”

“They” want to define boundaries and acceptable behavior for the masses, as well as monitor compliance on a large scale, and enforce it on an individual level.

As a consequence, permanent mass #surveillance of all types of assets is a means of monitoring the compliance of the majority, and of detecting deviant behavior. Legalizing more and more monitoring options becomes a goal, including international partnerships on information exchange. Depriving you of your assets, temporarily or permanently, is a means of enforcing your compliance or obedience. The mere threat of this can be sufficient to create a #ChillingEffect.

State-sponsored actors (such as hacker groups) and nation-state threat actors (in the form of intelligence services, law enforcement, censorship offices, and other #government agencies) fall into this category. It also includes #companies that have either a monopoly, or a significant share of an oligopolistic market, or portfolio of services specifically targeted at the public sector.

While the entities in this category may seem wildly heterogeneous at first, remember that there are #RevolvingDoors between them, for swapping their respective “ex” members. Beyond lobbying, there is also a complex, ongoing collaboration between many of them, which has been described as “grey intelligence”, “grey policing”, “public-private partnership”, etc.

Start of this thread:
mastodon.de/@tuxwise/113503228

tuxwise (@tuxwise@mastodon.de), MastodonDE:

(1/N) With more challenging times ahead, the #4Ds will become more important, too:

✋ **Defend** your boundaries: know what matters to you, and properly safeguard it – instead of being an alert-driven option tinkerer.
🪪 **Define** yourself: use multiple identities that focus on a single purpose each – instead of having everything you do, have and think linked back directly to you.
👑 **Decide** like a sovereign: get to know your needs, and what meets them best – instead of sacrificing them to the interests of others.
🌐 **Dwell** the space: seek community, practice solidarity and citizenship – instead of being beaten a little later than others, in a glorious bunker.

In the future, I'll post a few ideas and suggestions based on the 4Ds.

BTW, I have dropped the adjective "#digital" from my vocabulary. There is no more separate "digital sphere" or "cyberspace" that wasn't part of our everyday lives.

#privacy #security #anonymity

(12/N) A fifth category of adversaries:

🦕 Business(i)es

#Business​(i)es want to extract #profit from you. Preferably, but not necessarily in legal, sustainable, and the cheapest possible ways.

Your assets are seen as levers to generate more profit, because they betray what is meaningful to you, and worth investing into, in your eyes.

Businessies disguise their factual indifference towards your specific assets by enthusiastically pretending to "care" as much for them as you do, to achieve the "Nessie effect": on the surface, always appear likeable, despite your size, and in spite of what you are actually pursuing under the surface.

This category is the widest of all. Nearly all businessies participate in #SurveillanceCapitalism, either by directly aggregating every tidbit of your data in a #profile, in return for a service that is allegedly "free" – and later selling targeted access to you; or by paying #DataBrokers for access to potential customers that fit very specific criteria.

(to be continued)

Start of this thread:
mastodon.de/@tuxwise/113503228


(11/N) A fourth category of adversaries:

🫳 Intruders

#Intruders want to ignore your #boundaries at will, and their related actions to be unrestricted and without repercussions, for as long as possible. Additionally, satisfaction might be derived from any ineffective responses to their actions.

Controlling your assets at will, and having unrestricted access to them is their goal. Some are fantasizing about a relationship with you that would somehow entitle them to it. Sometimes, their actions include damaging, or destruction of, your assets, to inflict suffering upon you, or for revenge, or to gain notoriety.

This is a wide category that includes attention-getters; #narcissists and #stalkers; abusive, vengeful and jealous people; starstruck individuals seeking #parasocial interaction; thrill seekers; script kiddies; "OSINT" wannabes; swatters; vandals; and sometimes even potential employers.

(to be continued)

Start of this thread:
mastodon.de/@tuxwise/113503228


(10/N) A third category of adversaries:

☝️ Ideologues

#Ideologues want to push you to do the right thing, or to punish you for doing the wrong thing. They may also want to eliminate you, physically or metaphorically, when they can't achieve their goal: Maybe you just won't learn, or are incorrigible, as such.

The assets that you are "entitled" to are considered a reward, for conforming to the respective ideology. The portion of your assets that you aren't "entitled" to is usually the target of relentless denial, even destruction.

Entitlement is always conditional, and temporary: In case you seem to be going astray, and appeals to your conscience do not seem to have enough effect, your assets may be withdrawn or destroyed.

Hacktivists, campaigners, protagonists or minions of gender-based violence, lobbyists, racists, and terrorists fall into this category.

Note: I am not judging how "just" the respective "causes" are, I'm talking about behaviors.

(to be continued)

Start of this thread:
mastodon.de/@tuxwise/113503228


(9/N) A second category of adversaries:

💰 Criminals

Criminals want valuable resources that you happen to possess, at the moment.

From that point of view, seemingly valuable assets are to be pried from your hands, while your “junk” assets may be ignored, at best. At worst, they’ll be carelessly destroyed in the process, or the threat of their destruction will be weaponized against you.

Typical activities of criminals are scams, ransomware attacks, or identity theft. There's a dedicated "eCrime ecosystem" with crime infrastructure providers; marketplaces for stolen, private information; illegal access brokers selling credentials; and even “big game hunters” executing targeted attacks on large corporations, as a paid service.

BTW, calling these adversaries "cybercriminals" instead is just a dumb court curtsy.

(to be continued)

Start of this thread:
mastodon.de/@tuxwise/113503228


(8/N) For now, leave your spreadsheet of assets alone and turn to the second question of the #ThreatModelingManifesto:

2. What can go wrong?

The answer usually includes a list of adversaries, so you can later consider which ones you stand a chance fighting, if you think it's worth it.

Again, this may be helpful for corporations, but not that much for individuals, since damage done to individuals can be much deeper, and last for much longer, even for life.

So, let's rather consider abstract categories of adversaries from a perspective of what their primary goals are, and what they usually do to achieve them. We don't bother with specific bad actors here, nor are we considering how to "help them" via psychotherapy, legislation, imprisonment or campaigning, at this point in time.

First, the list:

A few thoughts, on each category:

🤷 You, and people like you

You and others prefer to keep asset protection efforts to a minimum. You tend to take the integrity of your assets for granted, hoping that others will respect your boundaries, either out of respect for you or because of legal regulations and repercussions. Your attitude towards handling the assets of others is equally shortsighted and careless.

As a result, your digital assets stay exposed, and you're putting others at risk, too.

(to be continued)

Start of this thread:
mastodon.de/@tuxwise/113503228


(7/N) You should now have a spreadsheet filled with a list of all of your data and device "assets" (that you were able to remember, so far).

BTW, that spreadsheet is stored on encrypted media only, isn't it?

Now, for each asset, verify again that you have set all appropriate category checkmarks in the columns described under (4/N):

mastodon.de/@tuxwise/113521613

Then, considering not just quantifiable damage like a potential loss of money, but also the abstract assets listed under (3/N) …

mastodon.de/@tuxwise/113514249

… reflect a little, per specific asset, how bad the consequences would be if it were disclosed, destroyed, or deanonymized. If you wish, track the consequences in an additional column, possibly using a qualitative range like: 🤷😟😳😭😱

Unlike with traditional, or "corporate" threat modeling, I find it less helpful to try and merely quantify such an assessment of potential damages. I also find it not helpful to consider various types of bad actors already, at this stage.

Since everything in our asset list relates to us, individually and personally, measurable damage like a potential loss of money is only a part of the impact.

As humans, we can't just (more or less) gracefully disappear [*], like a business, or an organization. We also don't get much relief from claiming we've been as diligent as mandated by regulations or policies, since we won't be merely held "accountable" for damages, but will actually suffer from them, physically and psychologically, possibly for life.

Start of this thread:
mastodon.de/@tuxwise/113503228

#ThreadModeling #4D

[*] No, not even in countries with moderate tracking of the whereabouts and names of their citizens.


(5/N) A final set of prompts, for three more categories. Add the related data "assets" that come to your mind to your spreadsheet:

🛰️ #Geospatial data

🗺️ Current #position
🏠 Place of residence
🛰️ GNSS-precision tracks
🗓️ Appointment #calendars
🎫 #Ticket purchases
🏨 Room #reservations

🛜 #Infrastructure

🌐 #Internet access
🛜 #Router
🟰 Network neutrality
💻 Hardware
🧑‍💻 Software
🪙 Means of #payment

🫥 #Accounts and #handles

📧 Email & Messaging (including content)
⭐ Social media
☁️ Cloud
🫥 Pseudonyms & personas

Remember many data "assets" will fall into multiple categories. For every asset, leave a checkmark in all applicable category columns.

Start of this thread:
mastodon.de/@tuxwise/113503228


(5/N) A few more prompts, for two categories. Add the related data "assets" that come to your mind to your spreadsheet:

📇 Social graphs - which of your data betrays them?

📇 Contacts
🫂 Follows & followers
👍 Interactions (like, repost etc.)
💬 Chats & communication metadata
🎼 Workflows & handovers
👑 Workplace hierarchies

🗃️ Data and metadata

🗃️ Your documents & databases
🎞️ Multimedia, photos, videos
📝 Journals & notes
💳 Invoices, receipts, billing statements, transaction records
👣 Server logs, call lists

Start of this thread:
mastodon.de/@tuxwise/113503228


(4/N) Having reflected a bit on your abstract assets, try to brainstorm as many of your related data and device assets as possible. Most of them will fall into one or more of the following categories:

🪪 Personally Identifiable Information (#PII)
📇 Social graphs
🗃️ Data and metadata
🛰️ #Geospatial data
🛜 Infrastructure
🫥 #Accounts and #handles

For instance, your smartphone photo collection "asset" probably contains geospatial data (#GPS coordinates in #EXIF); data and metadata (phone brand and model, in EXIF); potentially also information about your social graph, in case your family, friends or acquaintances are on your photos.

It's probably best to track your data and device assets in a spreadsheet, with the above categories as additional columns, so you can place a checkmark, where appropriate. I'd also suggest adding a column to track where the data is stored / the device is located.

Here's a little list of 🪪 Personally Identifiable Information (PII), to get you started (other categories in next posts):

🪪 Any kind of identity document
🎂 Dates of significant life events
👆 #Biometric data
⚕️ #Health data
🧬 #DNA test results
👪 #Genealogy data

Start of this thread:
mastodon.de/@tuxwise/113503228
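
The photo-collection example in (4/N), as an added Python sketch (not part of the thread, and not the author's code): it reads a JPEG's Exif block and reports which category columns that photo justifies. The function names, the dictionary keys and the sample bytes built by `build_sample_jpeg` are assumptions made for this example.

```python
import struct

TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825   # IFD0 tags
TAG_GPS_LAT, TAG_GPS_LON = 0x0002, 0x0004                   # GPS IFD tags

def find_exif_tiff(jpeg: bytes):
    """Return the TIFF block of the first Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xDA or length < 2:      # image data starts / corrupt length
            break
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload[:6] == b"Exif\x00\x00":
            return payload[6:]
        pos += 2 + length
    return None

def read_ifd(tiff: bytes, order: str, offset: int) -> dict:
    """Return {tag: value} for one IFD: ASCII decoded, others as the raw uint32 field."""
    entries = {}
    if offset + 2 > len(tiff):
        return entries
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    for i in range(count):
        entry = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        if len(entry) < 12:                   # truncated file
            break
        tag, typ, n, field = struct.unpack(order + "HHII", entry)
        if typ == 2:                          # ASCII: inline if <= 4 bytes, else at offset
            raw = entry[8:8 + n] if n <= 4 else tiff[field:field + n]
            entries[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        else:
            entries[tag] = field
    return entries

def category_checkmarks(jpeg: bytes) -> dict:
    """Which spreadsheet columns this photo justifies, judged from Exif only."""
    marks = {"geospatial": False, "device_metadata": False, "device": ""}
    tiff = find_exif_tiff(jpeg)
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2]) if tiff else None
    if order is None or len(tiff) < 8:
        return marks
    magic, ifd0_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        return marks
    ifd0 = read_ifd(tiff, order, ifd0_off)
    names = [ifd0[t] for t in (TAG_MAKE, TAG_MODEL) if isinstance(ifd0.get(t), str)]
    marks["device"] = " ".join(s for s in names if s)
    marks["device_metadata"] = bool(marks["device"])
    gps_off = ifd0.get(TAG_GPS_IFD)
    if isinstance(gps_off, int):              # pointer to the GPS sub-directory
        gps = read_ifd(tiff, order, gps_off)
        marks["geospatial"] = TAG_GPS_LAT in gps and TAG_GPS_LON in gps
    return marks

def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed input: a JPEG shell with Make/Model and an optional GPS IFD."""
    make, model, n = b"ExampleCo\x00", b"Phone X1\x00", 3 if with_gps else 2
    data_off = 8 + 2 + 12 * n + 4             # first byte after IFD0
    gps_off = data_off + len(make) + len(model)
    ifd0 = struct.pack("<HHHIIHHII", n, TAG_MAKE, 2, len(make), data_off,
                       TAG_MODEL, 2, len(model), data_off + len(make))
    gps = b""
    if with_gps:
        ifd0 += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)
        gps = struct.pack("<HHHIIHHIII", 2, TAG_GPS_LAT, 5, 3, gps_off + 30,
                          TAG_GPS_LON, 5, 3, gps_off + 54, 0)
        gps += struct.pack("<12I", *([0, 1] * 6))   # placeholder 0/1 rationals
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + bytes(4) + make + model + gps
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A copy with its metadata stripped reports no checkmarks here, but people visible in the picture still put it in the social-graph column; Exif only covers the geospatial and device-metadata part of the example.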


(3/N) The first (adapted) question of the #ThreadModelingManifesto is:

  1. What are you working on?

The answer in a business context is usually a set of "#assets" that are worth protecting.

Individuals seem to struggle more than businesses with brainstorming specific and relevant "assets", though. The mental link to potential threats seems to be hard to make. That's why I suggest reflecting on a few abstract assets, first – how much do these matter to you, relatively?

🛌 #Safety and #wellbeing

Your freedom. Having a home. Your physical and mental integrity. Your autonomy. Having a space of your own, with your boundaries being respected. Creative space and time, free from interference. Being able to own things; or in some cultures, to participate in shared stewardship, and benefit from commons. Integrity of objects and data that belong to you, or that you depend on.

🗺️ Your #locations and #movements

Where exactly your domicile is. Your travel plans. The freedom to move and to gather, without surveillance or tracking. The right to solitude.

👤 Your #privacy, and your #anonymity

Being able to stay incognito, or pseudonymous. Deciding who gets to know what about you. The option of repudiating claims about what you allegedly believe, have said, or have done – regardless of the facts.

🔗 Your #relationships

Knowledge about your family, friends and significant others. Your reputation and public standing. The freedom to associate with others. Knowledge about your memberships, the communities you belong to, and your employment, including the specific hierarchies within those contexts.

💭 Your #personality

Your identity and its facets, including gender. Political affiliations, and religious beliefs. Your hobbies, love interests, feelings, intentions, behaviors, habits, and preferences.

🔓 #Access and #infrastructure

Access to information, goods, and services. Availability of a functional infrastructure that enables such access.

threatmodelingmanifesto.org/

Start of this thread:
mastodon.de/@tuxwise/113503228

www.threatmodelingmanifesto.org: Threat Modeling Manifesto. Documents the values, principles and key characteristics as an industry guidance for conducting threat modeling.