Data security threat models


A quick side note first: welcome to the newest resident of
circumlunar.space, moji! Moji already has a nice ASCII title page,
and got the first entry in their phlog[1] up in no time flat! The
next person to throw their gophery lot in with the Zaibatsu will have
the esteemed honour of being the fifteenth sundog! Will it be you?

Here is the promised followup to my earlier post[2], another
contribution to the "data security ratings" discussion which is going
around. I previously wrote that I didn't think the 1-10 rating scale
was an especially productive way to think about personal data security
(although, surely, it's a fun one!). Much more useful is a good
understanding of concrete threat models. It's better to think of your
personal data security in terms of concrete threats (events, or actors
with certain capabilities) which you have tried to protect yourself
against. Different threats have different degrees of possible damage
but also different likelihoods of actually happening to you. The only
rational approach (and I don't pretend to take a solely rational
approach to this, I find it a strange kind of fun "sport" to guard
against low-likelihood threats) is to expend your energy in proportion
to probable damage.

For the average person, probably the greatest threat to your personal
data security is simply the possibility of losing it due to sudden
hardware failure. The only antidote to this is a good backup scheme,
which is something almost every contributor to the conversation has
admitted to not having, which is unsurprising. Backing up is not sexy
cypherpunk business, it's dull, but it's more likely to actually save
your bacon than Tor is.

I suspect the next most important threat to consider for the average
person comes from device theft. Having your phone or laptop stolen
obviously carries with it the consequence of losing data which hasn't
been backed up, but unlike device failure it carries the additional
risk of the thief ending up with access to data or credentials. Your
device very probably remembers e.g. the password to various online
accounts. The bare minimum countermeasure to address this is
configuring your device to automatically lock itself after a short
period of inactivity, and using a strong password for unlocking it.
Encrypting the underlying storage is a better solution.

I guess something should probably be said about "cybercrime" or
identity theft, but I'm not really sure what to say. This is
something the mainstream media is constantly insisting is on the rise,
but neither I nor anybody I know has ever had any personal experience
with it. I'm tempted to think it only happens to "level 0" users, but
I dunno. Ransomware gets a lot of media attention, but the answer to
that is simply a good backup scheme (notice a pattern here?). Staying
up to date on OS and especially browser updates, and generally not
being clueless about things like phishing are probably the primary
defences here.

A very salient point for the average person to consider is the risk of
data breaches against third party websites which hold their data. The
average person maintains lots of these, and each of them holds the
data for a lot of people, making them appealing targets for attackers.
I think this is a much more probable data threat for most people than
a targeted attack on their personal machines. The relevant machines
are completely out of your control here, so the only sensible strategy
you can take is to minimise the damage in the event of a breach. Not
reusing passwords is probably the most important thing here, so that
one account breach at a site which stores passwords in plaintext
(which, sadly, is not uncommon) does not lead to follow-on breaches.
And, of course, providing the absolute bare minimum amount of personal
information in order for the service to be useful. If a service
doesn't actually need your genuine birthday for any legitimate reason,
give them your "internet birthday". If a site forces you to answer
"security questions" for password recovery, don't give truthful
answers to questions which would facilitate identity theft if they
were leaked (e.g. mother's maiden name). Make something up, and keep
a note of it written down somewhere so you can remember it later to
reset your password.

These are by no means the only threats most people face, but if you
sum over all threats, multiplying expected damage by probability of
occurring, I think the stuff above makes a larger contribution to the
total than everything else, for most people. In a practical sense,
somebody who takes steps to address all of the above is arguably
better off than a super 1337 VPN/GPG/Tor using "level 10" user who
hasn't backed up their shit in years.

How is this that different to thinking in terms of "ratings"? Can't
you just enumerate all the threats in order of how scary they are, and
rank people based on the scariest threat they have completely
protected themselves against (expanding beyond the threats above to
include surveillance companies like Facebook or Google and also
government surveillance)? Well, you could, and this probably makes
more sense than ranking people based purely in terms of practices,
with no consideration of which concrete threats the practices mitigate
and how well they do so. But the ranking of the threats is arbitrary,
as the important details of how likely you are to face them and how
much damage they can do are different for each user. I think the point
I wanted to make was that you shouldn't fixate on ideas like "this
year, I want to learn skills and take measures to make myself a rank
6!", but rather think in terms of "it would really suck if X happened
to me, and I don't think it's at all impossible that X might happen,
so I want to make changes so that if X happens, my suffering will be
as low as possible".

[1] gopher://circumlunar.space:70/1/~moji/phlog

[2] gopher://circumlunar.space:70/0/~solderpunk/phlog/data-security-ratings.txt
