The Hated One



I need you to destroy this script

I am struggling with finishing this. Let me know what's wrong, incomplete, buggy, unclear, or just sucks. 


Threat source

Privacy is a different goal than security, so keep that in mind when thinking about your adversaries – who you are protecting your data from. LINDDUN considers three main threat sources:

Unlike with security threat actors, privacy adversaries can be people with authorized and legitimate access to your data because they are providing you a service you signed up for.

LINDDUN documents these threat sources alongside the seven threat categories. We will use these categories as our threat list to define what we are protecting our data from.

Threat list

We will first identify these threats and then map them against our data assets. We can approach each with a knowledge-base or by asking a set of questions.

Linkability

The first LINDDUN threat is linkability. It’s the ability of an attacker to find the link between two items of interest, even without knowing the actual identity of the subject. Linkability can lead to identifiability and inference and is impacted by data minimization and anonymization.

Linkability can be affected by your credentials, actions, personal data, metadata, shared data and stored data.

The questions you want to ask are:

Identifiability

Identifiability is the ability of an adversary to identify a subject within a data set. It happens when you can’t hide the link between an item of interest and your identity. Identifiability leads to a severe privacy violation. It is impacted by data minimization and linkability, and it’s mitigated by anonymization.

Identifiability questions include:

Non-repudiation

LINDDUN considers non-repudiation to be a privacy threat. Non-repudiation means not being able to deny a claim. In terms of privacy, it’s the opposite of plausible deniability. Plausible deniability is required when the communication is sensitive, such as during whistleblowing. However, non-repudiation is required for payment systems, as holding a purchase receipt is usually desirable.

Non-repudiation questions are as follows:

Detectability

In some cases, a severe privacy violation can occur just by discovering that an item of interest exists, without necessarily having access to its content. For example, if a celebrity has a file in a rehab facility, you can infer they have an addiction problem without knowing the contents of their health record. LINDDUN calls this threat detectability, and it can be found by answering this set of questions:

Due to the nature of the internet, detectability is a very persistent threat. External adversaries will almost always be able to detect contextual data. Detectability leads to inference and is impacted by data anonymization.

Disclosure of information

Security is a prerequisite for privacy. You shouldn’t compromise your security in the hopes of becoming more private. Bad recommendations will tell you to root or jailbreak your device or install custom software with a broken security model. These solutions are made without a threat model and they break system security properties, resulting in severe exposure.

LINDDUN recommends doing a full security analysis alongside privacy threat modeling. This is necessary to address the threat of disclosure of information. The threat model of choice is STRIDE. STRIDE is a mnemonic for spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege.

Disclosure of information happens as a breach of confidentiality, authentication or authorization. A threat actor could gain access to sensitive information if encryption is improperly implemented, if they acquire privileged access to a system, or if they compromise credentials or secrets. Other attempts can include spoofing, where a phishing website or app tries to trick you into submitting personal or login data to the attacker. The severity of this threat depends on the skills of your adversary, the ease of vulnerability exploitation and the reward level. The higher the value of the target data, the more likely this threat is to occur and the stricter the security controls that need to be implemented.

Unawareness

LINDDUN considers unawareness to be a privacy threat. Users are often unaware of the impacts of data sharing. But this can be influenced by lack of transparency and bad data practices at the service provider. You need to carefully evaluate the following:

Non-compliance

The last threat to identify with software systems is non-compliance. Organizations or malicious employees can often violate regulations and corporate policies. Non-compliance is more severe the more data is collected. Ask these questions about a service:

Mapping table

For every service in our data inventory, we can shuffle between the LINDDUN Go cards and answer the questions from each threat category. You will know how to answer these questions, because your inventory documents privacy policies of all the services that have your data.

Create a mapping table for each service with all privacy threats organized into rows and data flow components in columns. Make a mark in the mapping table for the relevant threat and component whenever an answer to a privacy question leads to a threat. Iterate over all LINDDUN Go cards for every service until you have done this for all systems in your data inventory.
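
As an added illustration that is not part of the original script, this Python sketch builds the mapping table for one service from the answers to the privacy questions. The four component columns, the service name and the sample answers are constructed assumptions.

```python
# Added example, not from the original script. The component columns, service
# name and answers are constructed for illustration.
THREATS = ["Linkability", "Identifiability", "Non-repudiation", "Detectability",
           "Disclosure of information", "Unawareness", "Non-compliance"]
# Assumption: columns are the usual data flow diagram element types.
COMPONENTS = ["Entity", "Data flow", "Data store", "Process"]


def build_mapping_table(answers):
    """answers: (threat, component, leads_to_threat) per question, one service."""
    table = {t: {c: False for c in COMPONENTS} for t in THREATS}
    for threat, component, leads_to_threat in answers:
        if threat not in table or component not in COMPONENTS:
            raise ValueError(f"unknown cell: {threat!r} / {component!r}")
        # One "yes" marks the cell; a later "no" for the same cell never clears it.
        table[threat][component] = table[threat][component] or bool(leads_to_threat)
    return table


def threats_found(table):
    """Threat categories with at least one marked component, in the order above."""
    return [t for t in THREATS if any(table[t].values())]


def render(service, table):
    """Plain-text table: threats in rows, components in columns, X = threat found."""
    width = max(len(t) for t in THREATS)
    lines = [f"Service: {service}", " " * width + " | " + " | ".join(COMPONENTS)]
    for threat in THREATS:
        cells = [("X" if table[threat][c] else "").center(len(c)) for c in COMPONENTS]
        lines.append(threat.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed answers for a hypothetical e-mail provider.
SAMPLE_ANSWERS = [
    ("Linkability", "Data flow", True),       # same account ID on every request
    ("Linkability", "Data store", True),      # messages stored under one account
    ("Identifiability", "Data store", True),  # real name kept with the mailbox
    ("Non-repudiation", "Data flow", False),
    ("Detectability", "Data flow", True),     # observers can see the service is used
    ("Unawareness", "Entity", True),          # sharing with third parties not shown
    ("Unawareness", "Entity", False),         # a second question answered "no"
]

if __name__ == "__main__":
    table = build_mapping_table(SAMPLE_ANSWERS)
    print(render("ExampleMail (hypothetical)", table))
    print("Threat categories found:", ", ".join(threats_found(table)))
```

Repeat the same call with a separate answer list for every service in the data inventory to get one table per service.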

This is the most productive part of threat modeling. You can do it with a group of friends or family members and help each other find threats to each other's private data.

LINDDUN will also give you a consistent methodology for choosing which privacy-invasive services to replace with privacy-respecting alternatives.

Mitigation Strategies & Privacy Enhancing Techniques

To be continued...

Comments

If this is to be for beginners, then I feel that a portion of the script (mainly the beginning) should be focused on introducing the concept of threat modeling. Something that is not anecdotal but more of a laying out foundational terms and going into detail about the relationships between privacy and security. And then it can lead to the "Threat Source" section. The ideas you have in the section would flow better this way in my opinion. In addition, I think there are some lines and paragraphs in the script that may fall under this potential introductory section, such as the first paragraph under "Disclosure of information." Also, side comment to that section, but I think there needs to be a reordering of ideas and paragraphs, which is just having the third paragraph go before the second one. I also think it would help to have in mind who the beginner is and what stage they're in with their journey through privacy and security. I think this script works well for those of us who already have a good understanding of privacy, security, anonymity, the ethics and the methodologies surrounding them, but this may not work for the absolute beginner, who is bound to get lost with the level of vocabulary and speech we see from you and doesn't have the level of critical thinking that we've all developed. Though, I wouldn't be able to tell you how to accomplish writing and speaking with simplicity and tangibility.

Petrified

Great information. I did note that I (personally) did not recall what exactly the acronyms meant, so repeating that may be helpful. One thing to think about: What level of understanding does each viewer have when they see the information? People progress (roughly) from:

- having awareness of the idea of privacy
- to hearing their first horror stories
- to embracing the need for privacy
- to learning the impact on them personally
- to hearing recipes for the time and cost of a solution (anti-virus, privacy phones, etc)
- to taking early action with imperfect results (wasted time/money)
- to finding solutions (probably recipes again for most people)
- to getting enough failures and horror stories to motivate them to deeper analysis
- to searching for a pre-built deeper analysis
- to being unhappy with completeness or applicability of the pre-built deeper analysis
- to learning about deeper analysis techniques (i.e. the script you posted)
- to personally doing a deeper analysis
- to researching/actioning/implementing self customized solutions

So your script is for quite advanced and/or motivated people. To expand the script's appeal (i.e. views), you could consider adding threat examples (more horror stories). Also, solution suggestions integrated early in the script, or pointing out --early in the script-- that solutions are coming later in the script. Those changes keep people motivated, and add more interest for people who have not progressed as far in my list. (Since there are more and more people at earlier and earlier stages in the list.) Horror stories people have not heard of (i.e. details from snowden/binney/vault7/etc) also grip viewers with the value of continuing both in the video, and with your content channels. Of course, as is, the script is already an interesting and informative read!

Peter

I just wanna make really sure that this is comprehensible and applicable for a beginner to privacy who wants to be serious about this.

The Hated One

Whoa, that's a load of info. For me, the only thing missing was the actual How, but that's where you stopped, so it's coming. The rest from my pov seems solid, loaded, but solid. If you asked us, that means you have your doubts, can you tell us a little more where you feel it's off?

EudaemonicRob

