bogo, to infosec
@bogo@hapyyr.com

A few more days left to @devconf_cz. I am looking forward to talking about #threatmodeling and maybe meeting some nice people! #devsecops #infosec #foss

Who else is going to be there?

ianonymous3000, to Cybersecurity
@ianonymous3000@mastodon.social

📚 Just completed the 'Basics of Personal Threat Modeling' course by @privacyguides 🛡️

Threat modeling is crucial because it helps identify and prioritize the most probable security and privacy risks. It enables focused resource allocation, tailored defenses, and heightened awareness.

Check it out: https://learn.privacyguides.org

#Cybersecurity #Privacy #ThreatModeling #cybersecurityawareness #opsec

privacyguides,
@privacyguides@neat.computer

@ianonymous3000 glad you liked the course 🙌

angdraug, to TikTok
@angdraug@mastodon.social

I recently saw a conversation between two people I respect that ended poorly. This being a social platform, shortage of mutual understanding is not surprising. Most of the time, I just back away slowly, but this time, the topic is important enough, and I think I can see a framing that can help make conversations about it less antagonistic.

The topic is around .

If you don't know what threat modeling is, start here: https://circle.lt/post/20190405-social-networks-hygiene/#threat-model 1/

angdraug,
@angdraug@mastodon.social

Global social networks with algorithmic feeds make #disinfo 10x worse.

A lot of people underestimate how bad it is, for the same reason people underestimated COVID: humans have no intuition for exponents, mechanical metaphors like weight and velocity really don't work for epidemiology.

In a race of exponents, a 0.1% advantage takes only 700 iterations to grow into a 2x advantage. On a platform with a billion users, a 0.1% difference can make one narrative overtake another in hours. 6/

angdraug,
@angdraug@mastodon.social

The main threats to democracy are #war and #disinfo. Mitigating the risk of war has never been as straightforward as today: arm #Ukraine, arm #Taiwan, and let their resistance deter fascist empires from invading their neighbors.

Disinfo is a harder problem. Like cancer, it exploits freedom of speech and other essential aspects of democracy to turn a society against itself. Like with cancer, any treatment has to walk a careful balance to eradicate the disease without killing the host. 5/

rpetrich, to node

I spelunked into steganography to create a new feature in https://www.deciduous.app/ that lets you reimport PNGs and SVGs of your decision trees to derive the underlying YAML.

It involves some neat tricks inspired by Macromedia Fireworks (RIP), so I wrote a blog post about it: https://rpetrich.com/blog/posts/steganographic-trees-deciduous/

Deciduous now also sports a CLI (so you can #npm install it), and a bunch of lil things @shortridge and I added towards the goal of fast, easy, collaborative #threatmodeling of potential failures.

SheHacksPurple, to random

🎉 Level Up Your Threat Modeling Skills with me and @adamshostack! 🚀

Are you ready to master threat modeling? Join us for the "Maturing Your Threat Modeling Skills" @semgrep Community virtual event Jan 25, 9:00 am PT.

https://semgrep.dev/events/maturing-your-threat-modeling-skills/

cigitalgem, (edited) to ML
@cigitalgem@sigmoid.social

Today we worked on comments (some were toughies) from 8 readers/reviewers of our LLM architectural risk analysis (ARA) draft. BIML plans to release this work 1.24.24

#MLsec #ML #AI #threatmodeling #ARA

But not #AdversarialAI

cR0w, to random

I can't believe that this is still a thing, but if your risk model is noticeably impacted by the adversarial capability of writing an email in the English language then I'm pretty sure your threat model is already broken.

https://www.nbcnews.com/tech/security/nsa-hacker-ai-bot-chat-chatgpt-bard-english-google-openai-rcna133086

cR0w,

User discretion is not a security boundary.

cR0w,

To prove the point that users will continue to click links, regardless of how obvious it is that they shouldn't, I worked with the person in charge of the monthly phishing trainings at $dayjob last month. Historically, they have used the hated ruses like fake gift cards, and I wanted to try to get away from that, especially during the holidays. We ended up using something to the effect of the following:


Hello <first name>,

Happy Holidays. This is the monthly phishing test. Yes, really. It's not a trick. Use the <phishing reporting function> to report this as phishing. If you do not know how to use <phishing reporting function>, feel free to ask a colleague. If you still have questions, search for <phishing reporting function> on <internal docs site>.

Do not click the following link as it is there for metrics and will cause you to be assigned phishing awareness training: <phishing training 'malicious' link>

Sincerely,
IT Security Team

I don't know how well it was received by users, but I do know that we still had more clicks than two other months in 2023, despite being explicitly told not to click the link. Users will always click links with their link-clicking machines. Relying on their discretion is either ignorant, or I expect in some cases, malicious in that there will always be a scapegoat to blame for the inevitable breach.

#phishing #infosec

cigitalgem, to ML
@cigitalgem@sigmoid.social

The MATCH webinar was recorded and is now available via video
#swsec #appsec #threatmodeling
#MLsec #ML #AI

Proud to have participated with Irius Risk and Calypso AI

https://youtu.be/RI0pNGH9bgA?feature=shared

cigitalgem, to ML
@cigitalgem@sigmoid.social

The webinar will begin in 5 minutes:
Machine learning
Artificial intelligence
Threat modeling
Compliance
How the heck these link together

cigitalgem, (edited)
@cigitalgem@sigmoid.social

We are underway. Stephen de Vries introducing everyone: Neil Serebryany (calypso), Siebe de Roovere (Toreon) and me.

#MATCH

noplasticshower, to ML
@noplasticshower@zirk.us

I plan to "live toot" this morning's #MLsec #swsec #ML #AI #threatmodeling webinar beginning at 11am NY time (4pm London time) with my @cigitalgem identity. Feel free to follow along using the hashtag #MATCH.

cigitalgem, (edited) to ai
@cigitalgem@sigmoid.social

With the rise of AI, ML, and increasing compliance demands, the future holds exciting challenges. While we may not have a crystal ball, we've assembled a panel of experts to share their thoughts including Dr Gary McGraw, Stephen de Vries, Siebe De Roovere & Neil Serebryany
Join our webinar to learn just how the heck all of this fits together! https://lnkd.in/eq23dZ8M

Registration - https://www.iriusrisk.com/iriusrisk-match-webinar-2023

#threatmodeling #compliance #securedesign #ai #machinelearning #LLMs #swsec #MLsec

ulf, to random German

The #ThreatModeling Card from @adamshostack keeps the Lights on in my Hotel room while I let my Flipper play with the original key card 😈

cR0w, to ai

I just remembered that @thegrugq let me rant into a larger void about poor #AI #threatmodeling a while back and I should just tap the sign now and then instead of wasting cycles on repeating myself.

https://grugq.substack.com/p/i-refuse-to-bow-to-our-ai-overlords

adamshostack, to random

I had a great time with Chris Romeo on his podcast, “The Threat Modeling Podcast.” I’m honored to be featured on one of his first episodes and would highly recommend anyone with an inkling of an interest in threat modeling check out his work.

We dive deep into the Four Questions framework and explore the meaning and purpose, simplifying the threat modeling process.

Lean into these four questions, and you might just become a threat modeling Jedi! ⚔️

https://threatmodel.buzzsprout.com/2152378/12826352-the-four-question-framework-with-adam-shostack?utm_content=buffere71ad&utm_medium=social&utm_source=bufferapp.com&utm_campaign=buffer

#ThreatModeling

adamshostack,

@SteveBellovin It might be "Why is this knight different from all other knights" 🤣

adamshostack,

@SteveBellovin but really, because someone's lawyer got all munged up about fair use, there's https://github.com/adamshostack/4QuestionFrame :)

raptor, to random