Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.


much thanks to @gary_host_laptop for the logo design :)

submitted 1 week ago* (last edited 1 week ago) by Carbophile@lemmy.zip to c/privacy@lemmy.ml
 
 

Cross-posted from: https://lemmy.zip/post/18686329 (the first OPSEC community on Lemmy, feel free to join us)

Guide to Determining Your Threat Model

Creating a solid threat model is an essential step in improving your operations security (OPSEC). It helps you identify potential threats, assess their impact, and prioritize your defenses. Here’s a step-by-step guide to help you develop your own threat model.


1. Define Your Assets

First, list the things you want to protect. These might include:

  • Personal Information: Name, address, phone number, Social Security number, etc.
  • Financial Information: Bank account details, credit card numbers, financial records.
  • Digital Assets: Emails, social media accounts, documents, photos.
  • Physical Assets: Home, devices (computers, smartphones, etc.).

2. Identify Potential Threats

Next, think about who or what could pose a threat to your assets. Possible threats include:

  • Hackers: Individuals or groups looking to steal data or money.
  • Government Agencies: Law enforcement or intelligence agencies conducting surveillance.
  • Corporations: Companies collecting data for marketing or other purposes.
  • Insiders: Employees or contractors who might misuse their access.
  • Physical Threats: Burglars or thieves aiming to physically access your assets.

3. Assess Your Vulnerabilities

Identify weaknesses that these threats could exploit. Consider:

  • Technical Vulnerabilities: Unpatched software, weak passwords, outdated systems.
  • Behavioral Vulnerabilities: Poor security habits, lack of awareness.
  • Physical Vulnerabilities: Insecure physical locations, lack of physical security measures.

4. Determine the Potential Impact

Think about the consequences if your assets were compromised. Ask yourself:

  • How critical is the asset?
  • What would happen if it were accessed, stolen, or damaged?
  • Could compromising this asset lead to further vulnerabilities?

5. Prioritize Your Risks

Based on your assessment, rank your risks by considering:

  • Likelihood: How probable is it that a specific threat will exploit a particular vulnerability?
  • Impact: How severe would the consequences be if the threat succeeded?

6. Develop Mitigation Strategies

Create a plan to address the most critical risks. Strategies might include:

  • Technical Measures:

    • Use strong, unique passwords and enable two-factor authentication.
    • Keep your software and systems up to date with the latest security patches.
    • Use encryption to protect sensitive data.
  • Behavioral Measures:

    • Be cautious with sharing personal information online.
    • Stay informed about common scams and phishing tactics.
    • Regularly review your privacy settings on social media and other platforms.
  • Physical Measures:

    • Secure your devices with locks and use physical security measures for your home or office.
    • Store sensitive documents in a safe place.
    • Be mindful of your surroundings and use privacy screens in public places.

7. Continuously Review and Update

Your threat model isn’t a one-time project. Review and update it regularly as your situation changes or new threats emerge.


Example Threat Model

  1. Assets:

    • Personal Information (e.g., SSN, address)
    • Financial Information (e.g., bank accounts)
    • Digital Assets (e.g., emails, social media)
    • Physical Assets (e.g., laptop, phone)
  2. Threats:

    • Hackers (e.g., phishing attacks)
    • Government Agencies (e.g., surveillance)
    • Corporations (e.g., data collection)
    • Insiders (e.g., disgruntled employees)
    • Physical Threats (e.g., theft)
  3. Vulnerabilities:

    • Weak passwords
    • Outdated software
    • Sharing too much information online
    • Insecure physical locations
  4. Potential Impact:

    • Identity theft
    • Financial loss
    • Loss of privacy
    • Compromise of additional accounts
  5. Prioritize Risks:

    • High Likelihood/High Impact: Weak passwords leading to account compromise.
    • Low Likelihood/High Impact: Government surveillance leading to loss of privacy.
  6. Mitigation Strategies:

    • Use a password manager and enable two-factor authentication.
    • Regularly update all software and devices.
    • Limit the amount of personal information shared online.
    • Use a home security system and lock devices.
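
Steps 4 and 5 of the guide, worked through as an added example that is not part of the original post: a small risk register that scores each risk as likelihood times impact, where impact also follows the question "could compromising this asset lead to further vulnerabilities?". The asset names, ratings and dependency links are constructed sample data; only the weak-password and surveillance ratings follow the guide's own example.

```python
LEVEL = {"low": 1, "medium": 2, "high": 3}

# Constructed sample data: asset -> (impact if lost, assets it unlocks).
# Email unlocks other accounts because password resets are sent to it.
ASSETS = {
    "email": ("medium", ["bank account", "social media"]),
    "bank account": ("high", []),
    "social media": ("medium", []),
    "laptop": ("medium", ["email"]),
    "private communications": ("high", []),
}

# (asset, threat, vulnerability, likelihood); likelihoods are assumed ratings.
RISKS = [
    ("email", "hackers (phishing)", "weak passwords", "high"),
    ("laptop", "physical theft", "insecure physical locations", "low"),
    ("social media", "corporations (data collection)", "sharing too much online", "high"),
    ("private communications", "government surveillance", "outdated software", "low"),
]

def effective_impact(asset, seen=None):
    """Highest impact reachable from `asset`, following what it unlocks."""
    seen = set() if seen is None else seen
    if asset in seen:  # dependency cycle: this asset was already counted
        return 0
    seen.add(asset)
    own, unlocks = ASSETS[asset]
    return max([LEVEL[own]] + [effective_impact(a, seen) for a in unlocks])

def prioritize(risks=RISKS):
    """Return (score, asset, threat, vulnerability), highest risk first."""
    scored = [(LEVEL[likelihood] * effective_impact(asset), asset, threat, vuln)
              for asset, threat, vuln, likelihood in risks]
    return sorted(scored, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for score, asset, threat, vuln in prioritize():
        print(f"{score}  {asset:<24} {threat:<32} via {vuln}")
```

The laptop is rated medium on its own but scores as high impact, because losing it exposes the email account, which in turn unlocks the bank account.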

It all comes from Arizona. I've never been to Arizona. My phone number isn't anywhere near Arizona. One year, I replied STOP to every text. Nothing stopped. Now I just cuss them out and block them, but it still persists. I wrote an email to the Arizona Republican's main office and demanded my number be removed from their canvassing. Crickets. More spam. 3 today alone. I am so tired of this shit. It doesn't help that I think conservatives are pieces of shit and I am a member of a marginalized community that they are targeting with hate and discriminative laws.


I only just thought of this. I have the same cartoon-y profile pic from a foreign TV show on a bunch of my accounts, I wonder if it's unique enough and worth tracking.


In the browser, I didn't log in to the Google account, and I didn't accept the cookies on that site. Using Privacy Badger, which supposedly should block the 3rd-party spyware like that.


Mainstream platforms such as Meta and X have accumulated a near-universal audience that is the root of all their evil. From sentiment analysis mass experiments to propagandistic political advertising. Things are worse in third countries where they are even less moderated. So I was thinking that as long as FOSS/Privacy is just geeky and elitist they just keep doing business as usual, from enshittification to fascism. Additionally, people have moved their political posting, scheduling, discussion online, so this gives them more power. Like seeing anarchist groups on Facebook is cringe, but some insist that "that is where the mass is, perhaps we move to Instagram to get to more Zedders". Whaaaat? Questions: What tactics could be used to move people en masse away from mainstream platforms, and more generally, do you think there is a point in it?


cross-posted from: https://lemmy.zip/post/18581354

Privacy measures apparently helping criminals evade capture


The Spanish government has a plan to prevent kids from watching porn online: Meet the porn passport.

Officially (and drily) called the Digital Wallet Beta (Cartera Digital Beta), the app Madrid unveiled on Monday would allow internet platforms to check whether a prospective smut-watcher is over 18. Porn-viewers will be asked to use the app to verify their age. Once verified, they'll receive 30 generated “porn credits” with a one-month validity granting them access to adult content. Enthusiasts will be able to request extra credits.

You have to request more porn credits from the government if you need more? Don't want the government to be tracking this data of you. This is a privacy issue.


A couple of months prior, I read an article on Mozilla, where they did research on automakers and found none comply with good privacy measures. I am planning to buy a used car. I want to know how the data is collected and transmitted.

The car comes with a connected app though I am not planning to use it. It also has Apple CarPlay and Android Auto. Should I use those? The article states some manufacturers even record sexual activities. How are they transmitting this information? Through connected phones?

My use is fairly basic, I want to use the Bluetooth audio system in the car for listening to music on my phone. I use maps on my phone.

What about car servicing? Can they access stored information?


By data I mean anything / everything: telemetry, contents in emails and files, and other user data. My school uses Google Workspace and I don't like the idea of having to depend on it but I can't change that. Give me tips and advice.


I can't find any articles or posts talking about this anywhere, so I just wanted to share a post about it. I received an email on July 2 from Afterpay about an upcoming change to the privacy policy which will take effect on August 1, 2024. I used a website to compare the text of the old policy with the text of the new, and found that they are now introducing targeted advertising. They harvest personal information about you and share it with third-parties and partners in order to serve you with personalized ads within the Afterpay app. They track information such as your spending habits and how you interact with their marketing messages, and they now also combine all of your personal information they have collected about you to profile you, they also get information about you from third-parties. Quoted from the updated policy:

Information from third parties about you, such as identity, preferences and inferences about you...

Just wanted to share this, since I can't find any discussion of it online. Here's a link to the policies if you want to check it out. These are Wayback Machine links.

Current Policy (As of April 2, 2024)

Upcoming Policy (Effective Aug 1, 2024)


So many people here will go through great lengths to protect themselves from fingerprinting and snooping. However, one thing that tends to get overlooked is DHCP and other layer 3 holes. When your device requests an IP it sends over a significant amount of data. DHCP fingerprinting is very similar to browser fingerprinting but unlike the browser there do not seem to be a lot of resources to defend against it. You would need to make changes to the underlying OS components to spoof it.

What are everyone's thoughts on this? Did we miss the obvious?

https://www.arubanetworks.com/vrd/AOSDHCPFPAppNote/wwhelp/wwhimpl/common/html/wwhelp.htm#href=Chap2.html&single=true
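
What a DHCP request exposes, as an added example that is not part of the original post: a Python parser that walks the options of a DHCPDISCOVER and pulls out the fields usually combined into a DHCP fingerprint (parameter request list, vendor class, hostname, option order). The packet is constructed inline; its MAC address, hostname and option values are made-up sample data.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # cookie that follows the 236-byte BOOTP header

def build_sample_discover():
    """Constructed DHCPDISCOVER; MAC, hostname and option values are made up."""
    mac = bytes.fromhex("02005e105510")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD,
                         0, 0, b"", b"", b"", b"", mac, b"", b"")
    prl = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
    opts = [(53, b"\x01"), (61, b"\x01" + mac), (12, b"alices-laptop"),
            (60, b"MSFT 5.0"), (55, prl)]
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return header + MAGIC + body + b"\xff"

def parse_options(packet):
    """Return the DHCP options as an ordered list of (code, value) pairs."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = [], 240
    while i < len(packet) and packet[i] != 255:  # 255 = end option
        code = packet[i]
        if code == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts.append((code, value))
        i += 2 + length
    return opts

def fingerprint(packet):
    """Collect the fields a DHCP server or passive listener can profile."""
    opts = parse_options(packet)
    first = dict(reversed(opts))  # first occurrence of each option code wins
    text = lambda code: first.get(code, b"").decode("ascii", "replace")
    return {
        "mac": packet[28:28 + min(packet[2], 16)].hex(":"),
        "hostname": text(12),
        "vendor_class": text(60),
        "param_request_list": ",".join(map(str, first.get(55, b""))),
        "option_order": ",".join(str(code) for code, _ in opts),
    }

if __name__ == "__main__":
    print(fingerprint(build_sample_discover()))
```

Running the same parser over a capture of your own device's DHCP traffic shows which of these fields your OS fills in and which identify the machine by name.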


So, Telegram has launched horrible ads that look a lot like spam to me. At least in my channels it's typically some crypto bullshit. So, I wonder if people know about alternatives to the subscription service for blocking them? Sadly, Forkgram won't offer that option and it doesn't seem to be allowed. However, I wonder if there are still forks out there which block the ads? Or do people know of alternative options?

submitted 1 week ago* (last edited 1 week ago) by Asudox@lemmy.world to c/privacy@lemmy.ml
 
 

Some talk about the privacy of the digital euro has been made. Some people said that your transactions are going to be tracked. Should a European worry about it? Would GNU Taler be a possible solution?

And it's not like the digital euro is some dream, it will become reality soon.

Privacy weather app? (leminal.space)
submitted 1 week ago* (last edited 1 week ago) by xorollo@leminal.space to c/privacy@lemmy.ml
 
 

I'd like to track hurricanes. All the apps I see collect all kinds of personal data. I just go to NOAA to see the advisories, but wondering if there is something better.

Edit: OS is Android 14

Edit: looking for radar (probably) or some other feature to track hurricanes (I don't know what tools there are besides radar, but if there's something else I'm interested).


Curious what folks think about banks' Bill Pay feature?

My thoughts: some banks use third parties to service bill payments and request ebills. Seems like the end user would be opening themselves to data harvesting by a third party. Additionally, in my experience when one disables ebill requests, there is no confirmation sent from the ebill payee that data is no longer shared with the third party.

Has Techlore sold out? (lemmy.sdf.org)
submitted 1 week ago* (last edited 1 week ago) by ExtremeDullard@lemmy.sdf.org to c/privacy@lemmy.ml
 
 

I like Techlore (https://www.techlore.tech if you don't know) and I usually regard them as one of the most impartial and most trustworthy YouTubers out there. But for the past few months, I couldn't help noticing their somewhat heavy bias towards some of their video sponsors. Still, everybody has to eat, right?

This time though, it looks like Synology flew them over to Taiwan, and if you watch their video at the event, it's wall-to-wall Synology shilling. I'm really disappointed.
