digitalcourage.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This instance is operated by Digitalcourage e.V. for the general public. So that we can do this sustainably, we collect an annual advance contribution of €1/month via SEPA direct debit.

#threatmodel

The #encryption topic in #InstantMessaging is popular again recently. As usual there's a lot of misunderstanding and little discussion of a #ThreatModel when giving recommendations.
If the private key is backed up with Apple or Google from your phone, then your messages may as well not be encrypted 🙈 I've again seen this indirectly with contacts changing phones and their keys are the same as on their old device. Due to automatic backups I guess.
Doesn't matter if it's #WhatsApp, #Signal or #XMPP

Some of my colleagues at #AWS have created an open-source serverless #AI assisted #threatmodel solution. You upload architecture diagrams to it, and it uses Claude Sonnet via Amazon Bedrock to analyze it.

I'm not too impressed with the threats it comes up with. But I am very impressed with the amount of typing it saves. Given nothing more than a picture and about 2 minutes of computation, it spits out a very good list of what is depicted in the diagram and the flows between them. To the extent that the diagram is accurate/well-labeled, this solution seems to do a very good job writing out what is depicted.

I deployed this "Threat Designer" app. Then I took the architecture image from this blog post and dropped that picture into it. The image analysis produced some of the list of things you see attached.

This is a specialized, context-aware kind of OCR. I was impressed at boundaries, flows, and assets pulled from a graphic. Could save a lot of typing time. I was not impressed with the threats it identifies. Having said that, it did identify a handful of things I hadn't thought of before, like EventBridge event injection. But the majority of the threats are low value.

I suspect this app is not cheap to run. So caveat deployor.
#cloud #cloudsecurity #appsec #threatmodeling

Continued thread

it's lucky for some team out there that i find few things are as satisfying as transmogrifying a team of 3 into a team of 9. or 90 into 270.

even i know that's good math! they start spotting problems before they get in front of me for their second and third #threatmodel.

i have experience in managed services, vuln management, IR, forensics, cloud architectures, saas vendors, HPC, docsis/fiber/firewalls/ids/ips/MFA/u2f/pki🤷 🤓

Replied in thread

@ct_Magazin

Threat modelling is extremely relevant here.

Tails has a specific #ThreatModel
- amnesic
- live
- incognito

There is hardly any process isolation there, of the kind #Flatpak and #Bubblejail provide and #QubesOS has mastered.

And the claim that you can be secure with it on any arbitrary PC is unfortunately also a false promise. #Coreboot is essential because it is minimal. At the lowest level, hardly any code should run. Intel ME should be off. #Heads is also important.

@3mdeb @novacustom @tlaurion

friends, rivals, luminaries of #infosec: i had a #threatModel recently involving an #LDAP service and the team has a challenge. they don't have a great way to throttle or limit the volume of requests they answer, and when someone's running credential stuffing against a service there can be as many as 100s of millions of invalid requests over a couple of hours and they just have to soak it up and i don't like seeing that.

obviously we could use a WAF for the web services but what about LDAP?
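One shape an answer to the question above could take, as an added example that is not code from the poster's team or environment: a bind-proxy or load balancer in front of the directory that decides, per incoming BindRequest, whether to forward it at all. A per-source token bucket absorbs credential stuffing from one origin, and a global budget of *failed* binds absorbs distributed stuffing, so that over-budget requests get LDAP result code 51 (busy, RFC 4511) without the directory spending a password verification. The directory contents, client addresses, passwords and attempt timings are all constructed sample data; the rates are chosen as dyadic fractions so the arithmetic in the simulation is exact.

```python
"""Throttle LDAP simple-bind attempts in front of the directory.

Added example; not the poster's code. Models a bind-proxy decision:
a per-source token bucket plus a global failed-bind budget, answering
LDAP result code 51 (busy) instead of doing a password check when
either is exhausted. All data below is constructed.
"""
import hmac
from collections import Counter

# LDAP result codes (RFC 4511, Appendix A)
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_BUSY = 51


class TokenBucket:
    """Classic token bucket; rates used here are dyadic so the maths is exact."""

    def __init__(self, capacity, refill_per_s, now):
        self.capacity = float(capacity)
        self.refill_per_s = float(refill_per_s)
        self.tokens = float(capacity)
        self.last = now

    def peek(self, now):
        """Refill for elapsed time and return the balance without spending."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_s)
        self.last = now
        return self.tokens

    def take(self, now):
        """Spend one token if one is available."""
        if self.peek(now) >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BindThrottle:
    def __init__(self, verify, per_ip_burst=10, per_ip_rate=0.5,
                 global_fail_burst=100, global_fail_rate=1.0, start=0.0):
        self.verify = verify                      # the expensive password check
        self.per_ip_burst, self.per_ip_rate = per_ip_burst, per_ip_rate
        self.per_ip = {}                          # src_ip -> TokenBucket
        self.global_fail = TokenBucket(global_fail_burst, global_fail_rate, start)

    def bind(self, src_ip, dn, password, now):
        """Return the LDAP result code the client should receive."""
        if src_ip not in self.per_ip:
            self.per_ip[src_ip] = TokenBucket(self.per_ip_burst, self.per_ip_rate, now)
        if not self.per_ip[src_ip].take(now):
            return LDAP_BUSY                      # this source is over budget: no lookup
        if self.global_fail.peek(now) < 1.0:
            return LDAP_BUSY                      # directory-wide failure storm: shed load
        if self.verify(dn, password):
            return LDAP_SUCCESS
        self.global_fail.take(now)                # failures, not attempts, drain the budget
        return LDAP_INVALID_CREDENTIALS


DIRECTORY = {  # constructed stand-in for the real directory
    "uid=alice,ou=people,dc=example,dc=com": "9b!Lantern-Quartz",
}


def verify_password(dn, password):
    if dn not in DIRECTORY:
        return False
    return hmac.compare_digest(DIRECTORY[dn].encode(), password.encode())


def simulate():
    throttle = BindThrottle(verify_password)
    results = {"single_source": Counter(), "distributed": Counter(), "legit": []}
    alice = "uid=alice,ou=people,dc=example,dc=com"

    # 1) one source, 50 guesses at 4/s spread over many accounts
    for i in range(50):
        dn = f"uid=user{i},ou=people,dc=example,dc=com"
        results["single_source"][throttle.bind("203.0.113.5", dn, "Winter2024!", i * 0.25)] += 1

    # 2) a legitimate bind while the attack is long over
    results["legit"].append(throttle.bind("198.51.100.7", alice, "9b!Lantern-Quartz", 50.0))

    # 3) distributed stuffing: 30 sources x 5 guesses, all within the same second
    for n in range(30):
        for k in range(5):
            dn = f"uid=user{n * 5 + k},ou=people,dc=example,dc=com"
            results["distributed"][throttle.bind(f"192.0.2.{n + 1}", dn, "Summer2024!", 100.0)] += 1

    # 4) alice during the storm (collateral busy) and one second later (budget refilled)
    results["legit"].append(throttle.bind("198.51.100.7", alice, "9b!Lantern-Quartz", 100.0))
    results["legit"].append(throttle.bind("198.51.100.7", alice, "9b!Lantern-Quartz", 101.0))
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

The single-source attacker gets through the per-IP bucket 16 times out of 50 (the burst of 10 plus one refilled token every two seconds), and every one of those costs a real credential check; the distributed attacker is not slowed by per-IP limits at all, which is exactly where the global failed-bind budget takes over after 100 failures. The trade-off is visible in the legitimate user's second bind: during the storm she also gets busy, and succeeds again once the budget has refilled. A practitioner would tune the global rate against the normal failed-bind baseline and may want an allowlist for known application service accounts.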

On LLM and passphrases ...

The thought has occurred that given that large language models are trained on texts, which one presumes includes not only Internet sources but scanned-in copies of published books and articles ...

... there's a strong probability that any given published word sequence appears within such a corpus ...

... and that given even a small sampling of a passphrase which is itself drawn from a similar corpus ... LLMs should be really good at guessing a given passphrase.

(How might it get a small sampling? Oh, say, shoulder-surfing, or acoustic signatures of typed characters, or leaks from inadvertently-entered phrases in the wrong dialogue, or other cues from context.)

Upshot: if you're relying on a single phrase from any published set of works ... as a long secret key ... you might want to reassess your threat model.

(I don't know that combining phrases from multiple sources might be an improvement ... though there are reasons to suspect that might also be at increased risk.)

(Oh, and by "you", I also mean "all the systems you're relying on, directly or indirectly". That would include, say, corporate, institutional, or governmental systems to which someone's previously relied on what they'd thought would be a long and hence difficult-to-crack phrase.)

(I also suspect that state-level actors will have first capabilities in this manner, but that that threshold will rapidly fall to far less-capable entities.)

(Many moons ago discussing security issues with a corporate user, I suggested that phrases from, oh, say, Alice in Wonderland would not be especially secure. Their passphrase was based on, of course, Jabberwocky.)

Edit: Markup.
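The argument in the post above, as an added example that is not the poster's code: it replaces the LLM with plain enumeration, trying every 3- to 8-word window of a small published text as a passphrase candidate, and then uses a leaked two-word prefix (the "small sampling" the post mentions) to shrink the candidate list. The corpus is the first two stanzas of Carroll's "Jabberwocky" (1871, public domain); the salt, the low PBKDF2 iteration count and both passphrases are constructed for the demonstration. Whatever an LLM adds on top, the point shown here is the size of the search space: a quoted phrase is one of a few hundred candidates from even a short text, against the 2^64-ish space of five random words from a 7776-word list.

```python
"""Corpus-window guessing against a passphrase drawn from a published text.

Added example; not the poster's code. Enumerates word windows of a
public-domain text as candidates, cracks a PBKDF2 hash of a phrase taken
from that text, fails on a random-word phrase, and shows how a leaked
prefix collapses the candidate list. Salt, iterations and passphrases
are constructed.
"""
import hashlib
import math
import os
import re

CORPUS = """
'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe:
All mimsy were the borogoves,
And the mome raths outgrabe.

"Beware the Jabberwock, my son!
The jaws that bite, the claws that catch!
Beware the Jubjub bird, and shun
The frumious Bandersnatch!"
"""

PBKDF2_ITERS = 1_000   # low so the demo is instant; a real KDF only scales cost linearly


def tokens(text):
    """Lower-case word list; punctuation dropped the way a guesser would normalise."""
    return re.findall(r"[a-z']+", text.lower())


def phrase_windows(words, min_len=3, max_len=8):
    """Every contiguous window of min_len..max_len words, deduplicated, in order."""
    seen, out = set(), []
    for n in range(min_len, max_len + 1):
        for i in range(len(words) - n + 1):
            phrase = " ".join(words[i:i + n])
            if phrase not in seen:
                seen.add(phrase)
                out.append(phrase)
    return out


def passphrase_hash(phrase, salt):
    return hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt, PBKDF2_ITERS)


def crack(target, salt, candidates):
    """Return the candidate whose hash matches target, or None."""
    for phrase in candidates:
        if passphrase_hash(phrase, salt) == target:
            return phrase
    return None


def with_leaked_prefix(candidates, observed):
    """Keep only candidates consistent with a partially observed passphrase."""
    return [c for c in candidates if c.startswith(observed)]


def demo():
    candidates = phrase_windows(tokens(CORPUS))
    salt = os.urandom(16)

    quoted = "the jaws that bite the claws that catch"   # taken from the corpus
    diceware = "glacier ruby pancake tripod vortex"       # constructed random words

    leaked = with_leaked_prefix(candidates, "the jaws")   # e.g. two words shoulder-surfed
    return {
        "n_candidates": len(candidates),
        "corpus_bits": math.log2(len(candidates)),
        "diceware_bits": 5 * math.log2(7776),             # five words, 7776-word list
        "cracked": crack(passphrase_hash(quoted, salt), salt, candidates),
        "random_cracked": crack(passphrase_hash(diceware, salt), salt, candidates),
        "after_leak": len(leaked),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A real guesser would also enumerate casing and punctuation variants of each window, which multiplies the list by a small constant and changes nothing about the conclusion; a passphrase that exists as a sentence somewhere has the entropy of "which sentence", not of its character count.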

I may just be overly paranoid, but seeing QR codes in TV Advertisements just triggers my InfoSec brain on a whole different level. We've spent so long training people not to open random files and emails and such and then we start seeing marketing people just throw random codes on a screen and expect people to scan away...

Sparsely populated instances may inadvertently leak their users' follower lists, even if users have opted to hide their social graph.

This happens because users who have opted to hide their social graph aren't opted out of their incoming posts being displayed in the social graph.

This can be mitigated. Admins can disable unauthenticated access to the instance's federated timeline.

justinmcafee.com/2022/11/masto

Mastodon Privacy for Small Instances (www.justinmcafee.com): Mastodon, one of many social media platforms on the Fediverse, has attracted a lot of attention since the purchase of Twitter by Elon Musk. ...