now if you'll excuse me i have a #threatModel workshop to run. bbl <4 #infosec #security #dearDiary
i am back from traveling all over the place with children and it's very depleting. so i also took today off to not unpack anything, attend a call at work, play #diablo4 (seasonal rogue is coming into focus), and i am delighted that my replacement UPSen all worked great in my absence.
only one cyberpower unit remains. i don't even think i want to deal with having them serviced. i am that annoyed and disappointed. i'll be working tomorrow, have a #privacy #threatmodel tomorrow!
It seems that someone stole a third of the solar panels from the roof of the solar energy collective that I’m part of. This was not in my threat model. #threatmodel #solarpower #solar
OK, #threatModel time.
our team does not like being asked for "templates" or "outlines" of our workshops. each TM is different in terms of where we spend our time.
we know the areas that must be covered in #security and #privacy #threatmodels, and i've been writing a play/runbook (pattern?) for the format of our workshops that is becoming training material.
but i don't want it to be a #template. what would you use? agenda? areas of interest? pattern? outline?
happy wednesday, #infosec!
Yes! Systems Theoretic Process Analysis (STPA) explicitly calls out the need to *analyze the mitigations* "for new hazards or causal scenarios". Security people don't tend to do this...
"Every solution for a safety problem usually has its own drawbacks and limitations and therefore they will need to be compared and decisions made about the best design given the particular situation involved."
#ThreatModel your #security mitigations!!
@jacksonbarker We're on YouTube publishing public content. Nothing that happens in the public-facing part of what we're doing involves any layer of privacy. #threatmodel
TB is pretty necessary for us, as it's the only way we can mass-update our links/descriptions for all 400+ videos without doing it manually. Lots of other nice tools for creators in the suite.
@al1r4d It's a common mistake to think of "security" as a binary quantity, as something that something either has or doesn't have. Security is rather a set of continuums; something which is secure against some threat for some degree of effort may be completely ineffective against additional effort, or against another threat. Which is why, if you want an answer to "is X secure?", you absolutely have to start out by at least roughly defining your #ThreatModel. #infosec #cybersecurity #security
i think there's a lot of hype around this whole protests and strike thing at #feedly but if they would have done a #threatModel workshop it would have been avoided about 70 minutes in when i start making a list of possible abuses and misuse of the system. #infosec
@maayanroth @mekkaokereke the day i accepted a job at #ComcastNBCU (#threatmodel ✊) the "People You Might Know" on LinkedIn were a brady-bunch wall of women. first time that happened. they weren't even in HR! <4
hello, #security #architects. i would be interested in your opinions on something i do that people sometimes have strong opinions about:
i call our participants in #threatmodel workshops "constituents". we're not auditors, we aren't pentesters, we're architects that improve the security of the amazing things being built at #Comcast.
i've been in operations orgs where internal teams are "customers" but i want something that sets a different relationship. yay/nay/other? #infosec.
i'm riding shotgun on a #threatmodel that our counterparts in UK are running as an emotional support architect and the lead of that team just suggested something and i am so annoyed i haven't been doing.
i log findings for systems that aren't requiring #TLS 1.3 or higher. but i talk about this as an infra weakness. she just asked about requiring 1.3 in their code, so that even if someone flips it back to 1.2 it won't establish connections with weak encryption in-flight.
do BOTH. code+infra.🤦♂️
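The "code" half of that advice, as an added example that is not from the post's author: with Python's standard-library ssl module, pinning the minimum (and, for the client, maximum) protocol version in the application means a relaxed edge or load-balancer policy cannot drag a connection down to TLS 1.2. The checker function is what you would run against a project's contexts when logging the finding; the server function assumes a PEM certificate and key path are available.

```python
import ssl


def make_strict_client_context() -> ssl.SSLContext:
    """Client context that will not complete a handshake below TLS 1.3,
    regardless of what the infrastructure in front of the peer offers."""
    ctx = ssl.create_default_context()  # certificate verification + hostname check stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def make_strict_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server-side twin: the listener itself refuses TLS 1.2 and older, so a
    policy rollback at the edge cannot re-enable weak encryption in flight.
    certfile/keyfile are assumed PEM paths supplied by the deployment."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_enforces_tls13(ctx: ssl.SSLContext) -> bool:
    """Finding check: True only when the context refuses anything below 1.3
    in code, not merely because the current infra happens to offer 1.3."""
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_3
```

Python's own default context stops at a TLS 1.2 floor, so it fails the check; only a context that explicitly sets the floor passes.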
Good morning to everyone except the breathless threat modelers who think that cross-registering a security key with a partner or close friend (for U2F/FIDO) is never acceptable for ordinary users, because it's ... "too risky".
You know what's risky? Properly maximizing the protection of FIDO (with "key-only" models like Google's Advanced Protection Program or Apple's new "all or nothing" key strategy) ... without sufficient redundancy.
If your partner or friend has your only-factor spare house or car key, but you're freaking out about using their everyday-carry second-factor security key as a tertiary key (for which they'd also have to intercept your password) ... your threat-modeling skills suck.
You're far more likely to DoS yourself than to get betrayed.
@pseudonym There's a personal aspect to it as well. Does your personal #ThreatModel include your own daily-use #bank having serious issues even just for a few days? Card & electronic payments fail, online banking is unavailable, ... Can you manage? Now suppose this happens as important bills are due to be paid. Can you still manage? Sure, it's probably a fairly low-probability threat, but the consequences can be severe, so spending a little time thinking about the possibility might be worth it.
FINALLY the #LastPass hack details! (It doesn't look good)
https://piped.sp-codes.de/watch?v=XgRO6QBGJcs
#ThreatModel
#Passwortmanager
#Sicherheitslücken
#sicherheit
#staatshacker ??
@kpwn If the #ThreatModel assumes an active attacker willing to modify traffic in transit, as would be required for a downgrade or SSL Stripping attack, and that the initial request is over HTTP, then the attacker can strip out (and handle themselves, so it's transparent to the user; HTTP to HTTPS proxying wouldn't be hard) the initial redirection. Hence concepts like HSTS preloading and (the recent addition at least in Firefox of a configuration setting for) defaulting to HTTPS instead of HTTP.
Awesome talk on developer driven security in high-growth environments.
#security #cybersecurity #appsec #applicationsecurity #productsecurity #devsecops #devops #riskassessment #sdlc #ssdlc #threatmodel
things have been a lot of fun at work lately and our team is hiring another security architect for our #threatmodel and secure design consult team.
you can ask me for a referral if you're interested, public link is https://jobs.comcast.com/jobs/description/tpx-jd-template?external_or_internal=External&job_id=R354787
i didn't know i could be doing #threatmodeling all the time until i met this team and our program is very mature, we've started privacy threat model workshops in late 2021. still time to make it amazing with us!
I may just be overly paranoid, but seeing QR codes in TV Advertisements just triggers my InfoSec brain on a whole different level. We've spent so long training people not to open random files and emails and such and then we start seeing marketing people just throw random codes on a screen and expect people to scan away...
@psychoframe @_L1vY_ that Friends of Dorothy story is part of my stage patter in my threat model workshops 🌈
i love it. i also always think of sir elton john's goodbye yellow brick road when i tell the story 🎶
#threatmodel #tradecraft #