Again on threat models

I’ve read many people over the past few months referencing James Mickens’s article on threat models. Given I wrote last year about a similar thing in regard to privacy policies, one would expect me to fall in line with said article fully. They would be disappointed.

While I agree with the general gist of the article, I think it gets a little too simplistic. In particular it downplays a lot the importance to protect yourself against two separate class of attackers: people close to you and people who may be targeting you even if you don’t know them. These do seem at first sight to fit in with Mickens’s categories, but they go a little further than he’s describing. And by painting the categories as “funny” as he did I think he’s undermining the importance of security.

Let’s start with the first threat model that the article points out to in the “tl;dr” table;

Ex-girlfriend/boyfriend breaking into your email account and publicly releasing your correspondence with the My Little Pony fan club

Is this a credible threat? Not really, but if you think about it a little more you can easily see how this can morph into disgruntled ex breaking into your computer/email/cloud account and publicly releasing nude selfies as revenge porn. Now it sounds a little more ominous than being outed out as a fan of My Little Pony, doesn’t it? And maybe you’ll call me sexist to point this out, but I think it would be hypocrite not to point out that this particular problem sees women as much more vulnerable to this particular problem.

But it does not have to strictly be an ex; it may be any creepy guy (or gal, if you really want to go there) who somehow gets to access your computer or to guess your “strong” password. It’s easy to blame the victim in these situations but that’s not the point; there are plenty of people ready to betray the trust of their acquaintances out there — and believe me, people trust other people way too easily, especially when they are looking for a tech-savvy friend-of-a-friend to help them fix their computer, I’ve been said tech-savvy friend-of-a-friend, and it didn’t take many times doing the kind of usual recovery to realize how important that trust is.

The second “threat model”, that is easily discounted, is described as

Organized criminals breaking into your email account and sending spam using your identity

The problem with a similar description of the threat is that it’s too easy for people to discard it with “so what?” People receive spam all the time, why would it matter whose identity it’s sent as? Once again, there are multiple ways to rephrase this to make it more ominous.

A very simple option is to focus on the monetary problem: organized criminals breaking into your email account looking for your credit card details. There are still plenty of services that will request your credit card numbers by email, and even my credit card company sends me the full 16-digits number of my card on the statements. When you point out to people that the criminals are not just going to bother a random stranger, but actually are going after their money, they may care a significant bit more.

Again this is not all there is, though. For a security or privacy specialist to ignore the issues of targeted attacks such as doxxing, coming up with the harassment campaigns that are all the rage to date is at the very least irresponsible. And that does not involve only the direct targets of harassment: the protection of even the most careful person is always weak to the people they have around, because we trust them, with information, or access, and so on.

Take for instance Facebook’s “living will” for users — if one wanted to harass some person, but their security was too strong, they could go after their immediate family, hoping that one of the would have the right access to close the account down. Luckily, I think Facebook is smarter than this, and so it should not be that straightforward, but many people also use member of the family’s addresses as recovery addresses if they were to lose access to their own account.

So with all this in mind, I would like to point out that at the same time I agree and disagree with Mickens’s article. There are way too many cryptographers out there that look into improbable threat models, but at the same time there are privacy experts that ignore what the actual threats are for many more users.

This is why I don’t buy into the cult of personalities of Assange, Snowden or Appelbaum. I’m not going to argue that surveillance is a good thing, nor I’m going to argue that there are no abuses ever – I’m sure there are – but the focus over the past two years have been so much more on state actions that malicious actors like those I described earlier.

I already pointed out how privacy advocates are in love with Tor and they ignore the bad behaviours it enables, and I once again I do wonder why they are more concerned about the possibility of obscure political abuses of power, rather than the real and daily abuse of people, most likely a majority of which women.

Anyway, I’m not a thought leader, and my opinions are strictly personal — but I do think that the current focus on protecting the public from possibly systemic abuse from impersonal organisations such as the NSA is overshadowing the importance of protecting people from those they are most vulnerable from: the people around them.

And let’s be clear: there are plenty of things that the crypto community can and should do to protect people in these situations: HTTPS is for instance extremely important, as it does not take a huge effort for a disgruntled ex to figure out how to snoop cleartext traffic to find the odd password or information that could lead to a break.

Just think twice, next time you decide to rally people up against a generic surveillance society phantom, or even to support EFF — I used to, I don’t currently and while I agree they have done good things for people, I do find they are focusing on the wrong threats.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s