Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mastodon.ie is one of the many independent Mastodon servers you can use to participate in the fediverse.
Irish Mastodon - run from Ireland, we welcome all who respect the community rules and members.

Administered by:

Server stats:

1.8K
active users

mastodon.ie: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#threatmodel

2 posts2 participants0 posts today
Public
🌻

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit 🕵️‍♂️

Teilen er­be­ten ‼️ :BoostOK:

als PDF:

cryptpad.digitalcourage.de/fil

 #DSGVO #TDDDG ( #unplugtrump )
#Datenschutz #Privatsphäre #sicherheit #Verschlüsselung
#encryption #WEtell #SoloKey #NitroKey #Email #Cybersecurity #Pixelfed #Massenűberwachung
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Apple #Windows #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #Digitalisierung #FragdenStaat #Shiftphone  #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification
#Bloatware #TPM #Murena  #LiberaPay #GnuTaler #Taler #PreppingforFuture
#FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz

meine IT Sicherheits Liste !!!
Public
Paco Hope #resist

Some of my colleagues at #AWS have created an open-source serverless #AI assisted #threatmodel solution. You upload architecture diagrams to it, and it uses Claude Sonnet via Amazon Bedrock to analyze it.

I'm not too impressed with the threats it comes up with. But I am very impressed with the amount of typing it saves. Given nothing more than a picture and about 2 minutes of computation, it spits out a very good list of what is depicted in the diagram and the flows between them. To the extent that the diagram is accurate/well-labeled, this solution seems to do a very good job writing out what is depicted.

I deployed this "Threat Designer" app. Then I took the architecture image from this blog post and dropped that picture into it. The image analysis produced some of the list of things you see attached.

This is a specialized, context-aware kind of OCR. I was impressed at boundaries, flows, and assets pulled from a graphic. Could save a lot of typing time. I was not impressed with the threats it identifies. Having said that, it did identify a handful of things I hadn't thought of before, like EventBridge event injection. But the majority of the threats are low value.

I suspect this app is not cheap to run. So caveat deployor.
#cloud #cloudsecurity #appsec #threatmodeling

A typical AWS serverless architecture from the blog that I linked to. It shows a very large box representing an AWS account, and bunch of smaller boxes containing icons, with each box representing a capability (like file upload, users and authentication, etc). Inside each of those boxes are some icons representing services, like Lambda, IAM, Cognito, S3, etc.
An screen capture of a list of things in a web browser. The table header is labeled "Flows" and it lists flows like the following: End users authenticate through web browsers or mobile devices via Amplify and CloudFront to Cognito User Pools, potentially using External Identity Provider integration. Source: End Users, Target: Cognito User Pools Authenticated users make API requests through CloudFront and API Gateway to access backend services. Source: End Users. Target: API Gateway API Gateway routes authenticated requests to appropriate Lambda functions for processing. Source: API Gateway. Target: Lambda Functions
An screen capture of a list of things in a web browser. The table header is labeled "Assets" and it lists things like the following: End Users: Users that access the application through web browsers or mobile devices, interacting with the frontend interfaces External Identity Provider: Third-party authentication service integrated with Cognito for user authentication and authorization API Gateway: Manages all API requests, acts as the primary entry point for backend services, controls access to Lambda functions and business logic
A screenshot of a table in a web page. The header is labeled "Trust Boundary" and it contains items like: Public-to-private network boundary separating internet users from AWS cloud resources. Source: End Users. Target: CloudFront Distribution Authentication boundary validating user identity before allowing access to backend resources. Source: End Users. Target: Cognito User Pools External authentication service integration boundary. Source: Cognito User Pools. Target: External Identity Provider
#ai#threatmodel
Public
Emory

> When doing threat modeling from here on out, it is now unfortunately important to consider the question "Am I a moron?"

derisking morons is something i do for a living if anyone is hiring for that. i also turn software engineers into security and privacy resources. triple multiplier right here 🖐️

#infosec #threatModel #morons
apple.news/Ay6s_pSlzRrGicmqMVS

apple.newsWhen Your Threat Model Is Being a Moron — 404 MediaNo phone, no app, no encryption can protect you from yourself if you send the information you’re trying to hide directly to someone you don’t want to have it. One of the most basic tenets of cybersecurity is that you must “consider your threat model” when trying to keep your data and your communications safe, and then take appropriate steps to protect yourself. This means you need to consider who you are, what you are talking about, and who may want to know that information (potential
Public
Emory

i have debilitating #imposterSyndrome 😆 25y experience in #security, but i know for a fact that i am unusually good at facilitating a #threatmodel. you have to get people to trust you enough to tell you things they don't feel great about or would do differently after we meet but that's the thing— together we create remediation plans that let people do their best work & they weave security and privacy into their work and when you meet again you can see how much better things are, it's parade time

Continued thread
Public
Emory

it's lucky for some team out there that i find few things are as satisfying as transmogrifying a team of 3 into a team of 9. or 90 into 270.

even i know that's good math! they start spotting problems before they get in front of me for their second and third #threatmodel.

i have experience in managed services, vuln management, IR, forensics, cloud architectures, saas vendors, HPC, docsis/fiber/firewalls/ids/ips/MFA/u2f/pki🤷 🤓

#jobsearch#threatModeling#privacy
Public *
Emory

that #seaArt site is starting to become a real problem. I'm seeing entirely too many prompts for Cute Things paired with age ranges and of you select the right lora or checkpoint it's very easy to generate a pile of images of all kinds including ones that would look a lot like Abuse Material and i know some legislatures have been adding laws about preventing that scenario and the irony of an AI self-policing itself is too much.

i wonder if they've been running a #threatmodel quarterly? 😬 #ai

Public
Todd A. Jacobs | Pragmatic Cybersecurity

#DuckDuckGo is now offering free, #anonymized access to a number of fast #AI #chatbots that won't train in your data. You currently don't get all the premium models and features of paid services, but you do get access to privacy-promoting, anonymized versions of smaller models like GPT-4o mini from #OpenAI and open-source #MoE (mixture of experts) models like Mixstral 8x7B.

Of course, for truly sensitive or classified data you should never use online services at all. Anything online carries heightened risks of human error; deliberate malfeasance; corporate espionage; legal, illegal, or extra-legal warrants; and network wiretapping. I personally trust DuckDuckGo's no-logging policies and presume their anonymization techniques are sound, but those of us in #cybersecurity know the practical limitations of such measures.

For any situation where those measures are insufficient, you'll need to run your own instance of a suitable model on a local AI engine. However, that's not really the #threatmodel for the average user looking to get basic things done. Great use cases include finding quick answers that traditional search engines aren't good at, or performing common AI tasks like summarizing or improving textual information.

The AI service provides the typical user with essential AI capabilities for free. It also takes steps to prevent for-profit entities with privacy-damaging #TOS from training on your data at whim. DuckDuckGo's approach seems perfectly suited to these basic use cases.

I laud DuckDuckGo for their ongoing commitment to privacy, and for offering this valuable additional to the AI ecosystem.

duckduckgo.com/chat

Replied in thread
Public *
Blobster

@aleidk I replaced “mobile phone account“ with “mobile phone provider account” to be clearer about what I meant.

For banks (in the EU), AFAIK there is a strong reason why they never even mention FIDO2: for a transaction at least, the device where validation is performed must give basic info on the transaction: seller and amount.

Another point: the software support depends on site, browser (e.g., Firefox desktop != Firefox mobile), type of key, physical communication protocol (like USB vs. NFC). I made a lot of tests with various sites and my USB-A and USB-C keys, sometimes using NFC, other times USB. Some combinations don't work, or worked at some point and not later (or worked with Chrome but not Firefox, etc.). This can be quite stressful or even dangerous if this is for an important account and you have no backup plan (⇒ don't). And if the backup options are 1) exploitable in your threat model and 2) not very secure, this obviously reduces or nukes the advantage of using a security key in the first place.

A typical backup option which is not insecure from my POV if well handled is a set of recovery codes, but for this you need to store them very carefully, safely... and not forget how to access them in x years! In these conditions, setting up a new account requires “some work”.

And I say all this despite wishing FIDO2 great success, 'cause SIM swapping attacks in particular are quite scary given how much important stuff still depends on codes sent by SMS. 😐

#FIDO2#SecurityKeys#authentication
Replied in thread
Public *
boredsquirrel

@ct_Magazin

Threat Modelling ist hier extrem relevant.

Tails hat ein bestimmtes #ThreatModel
- amnesic
- live
- incognito

Da ist kaum etwas mit Prozessisolierung, wie es #Flatpak und #Bubblejail tun, und #QubesOS meistert

Und dass man damit auf einem beliebigen PC sicher sein kann ist leider auch ein falsches Versprechen. #Coreboot ist essentiell weil es minimal ist. Auf unterster Ebene sollte kaum Code laufen. Intel ME sollte aus sein. #Heads ist auch wichtig.

@3mdeb @novacustom @tlaurion

Public
Reclaim Your Tech

reclaimyour.tech/posts/technic

In this post, I describe #privacy #threatmodeling by using the excellent privacyguides.org site as a primary resource.

I give an example threat model with strengths and weaknesses. I encourage readers to tweak it to better suit their needs.

Reminder: Replies to this toot will appear in the link's comment section.

Reclaim Your TechPrivacy Threat ModelingA key responsibility involved in owning your own digital infrastructure is privacy threat modeling. What is Privacy Threat Modeling? According to priv…
#security#capitalism#enshittification
Public
Emory

that #privacy threat modeling workshop presentation is underway and feel free to stick your head in i guess, it's a little light on details though.
mitre.zoomgov.com/j/1611729413

Zoom VideoJoin our Cloud HD Video MeetingZoom is the leader in modern enterprise video communications, with an easy, reliable cloud platform for video and audio conferencing, chat, and webinars across mobile, desktop, and room systems. Zoom Rooms is the original software-based conference room solution used around the world in board, conference, huddle, and training rooms, as well as executive offices and classrooms. Founded in 2011, Zoom helps businesses and organizations bring their teams together in a frictionless environment to get more done. Zoom is a publicly traded company headquartered in San Jose, CA.
#infosec#threatmodel
Public
Emory

okay @obsidianmd after a ton of scrolling around for the last week i hearby endorse Smart Second Brain for integrating local AI into your notetaking and #PKM practices.

github.com/your-papa/obsidian-

it can use #ollama and any models you fetch for it are available to Obsidian, as are the new embeddings models for doing RAG. i've forked a vault of #threatmodel cards i use and am about to get weird /flex

#smart2Brain seems to be the safest and easiest which hardly ever happens. well done. #obsidian

GitHubGitHub - your-papa/obsidian-Smart2Brain: An Obsidian plugin to interact with your privacy focused AI-Assistant making your second brain even smarter!An Obsidian plugin to interact with your privacy focused AI-Assistant making your second brain even smarter! - your-papa/obsidian-Smart2Brain
ExploreLive feeds
About