SlideShare a Scribd company logo

Threat modeling librarian freedom conference

ā€¢Download as PPTX, PDFā€¢
ā€¢
E
evacide

Slides from the Threat Modeling: Librarian Edition talk by Eva Galperin and Morgan Marquis-Boire at the Digital Rights in Librarian Conference, 2015.

Technology
1 of 83
Threat Modeling Library Freedom Edition Morgan Marquis-Boire & Eva Galperin @headhntr @evacide
Who are we?
What are we talking about? What the hell is threat modeling? How do you do it? What makes this trickier than it looks?
Librarians are doing it for themselves
How not to go crazy
What the hell is threat modeling? 111sdgisjfoisejfoijs11. What do you want to protect?kok 1. What do you want to protect? 2.1. What do you want to protect? ASSETS1. What do you want to protect 1. What do you want to protect?
What the hell is threat modeling? 111sdgisjfoisejfoijs11. What do you want to protect?kok 1. What do you want to protect? 2.1. What do you want to protect? ASSETS1. What do you want to protect 1. What do you want to protect? 2. Who do you want to protect it from?
What the hell is threat modeling? 111sdgisjfoisejfoijs11. What do you want to protect?kok 1. What do you want to protect? 2.1. What do you want to protect? ASSETS1. What do you want to protect 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it?
What the hell is threat modeling? 111sdgisjfoisejfoijs11. What do you want to protect?kok 1. What do you want to protect? 2.1. What do you want to protect? ASSETS1. What do you want to protect 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it? 4. How bad are the consequences if you fail?
What the hell is threat modeling? 111sdgisjfoisejfoijs11. What do you want to protect?kok 1. What do you want to protect? 2.1. What do you want to protect? ASSETS1. What do you want to protect 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it? 4. How bad are the consequences if you fail? 5. How much trouble are you willing to go through in order to prevent those consequences?
What do you need to know? Assets Adversary Threat Capability Risk
Surveillance is magic.
VS
COST = $0
COST = $$
Replenishing the minibar? Or...
COST = $$$
COST = PRICELESS
Those are the types of actors, but who are the players?
High End FVEY - US / UK / CA / AU / NZ ISRAEL CHINA RUSSIA FRANCE etc etc etc etc
Artisanal, Small-Batch, Locally made, home grown...
Commercial Market ā— Law Enforcement ā— Intelligence agencies ā— Security companies
Pay for tools
Pay per job
Gotta get paid, yo
Attacker resources vs $$$$ vs target value
Surveillance Starts at Home
Stalkers
ā€œWhen we share information, we are building power of our own. Potential harassers may deterred by the thought that we are both capable of and willing to turn the eye of internet surveillance back on them.ā€ Liz Henry, Model View Culture Investigation Online: Gathering Information to Assess Risk
Amina Araaf: a gay girl in Damascus
Tom MacMaster: middle aged guy in Scotland
Domestic abuser
I smell a RAT
StealthGenie
Other kinds of criminals
ā€œBefore his gauche upload, he posted a picture of his lobster salad and tagged the restaurant.ā€ New York Post
Hey teacher, leave those kids alone
ā€œOne day soon, home room teachers in your local middle and high schools may stop scanning rows of desks and making each student yell out ā€˜Here!ā€™ during a morning roll call. Instead, small cards, or tags, carried by each student will transmit a unique serial number via radio signal to an electronic reader near the school door.ā€ AT&T advertising brochure
The blended threat landscape Not discrete categories: many delicious flavors!
Risk
Different appetites for risk
Meet the nihilists
Alaa Abdel Fattah says ā€œCome at me, bro.ā€
Meet the vegans
Further reading What Every Librarian Should Know About HTTPS: https://www.eff.org/deeplinks/2015/05/what-every-librarian-needs-know-about- https Surveillance Self Defense: https://ssd.eff.org. COMSEC: Beyond Encryption: https://grugq.github.io/presentations/COMSEC%20beyond%20encryption.pdf Digital First Aid Kit: http://digitaldefenders.org/digitalfirstaid/

Recommended

Threat modeling nihilists v. vegans
Threat modeling nihilists v. vegansThreat modeling nihilists v. vegans
Threat modeling nihilists v. vegans
evacide
Ā 
An Imposter's Journey Into InfoSec
An Imposter's Journey Into InfoSecAn Imposter's Journey Into InfoSec
An Imposter's Journey Into InfoSec
Stu Hirst
Ā 
Dynamic Risk Assessment, March 2013
Dynamic Risk Assessment, March 2013Dynamic Risk Assessment, March 2013
Dynamic Risk Assessment, March 2013
David Webster
Ā 
Making Ethical Tech: Fulfilling Obligations to Your Users, Your Staff and You...
Making Ethical Tech: Fulfilling Obligations to Your Users, Your Staff and You...Making Ethical Tech: Fulfilling Obligations to Your Users, Your Staff and You...
Making Ethical Tech: Fulfilling Obligations to Your Users, Your Staff and You...
YTH
Ā 
The #1 Thing That Goes Wrong In Client Projects Even When You're Doing Everyt...
The #1 Thing That Goes Wrong In Client Projects Even When You're Doing Everyt...The #1 Thing That Goes Wrong In Client Projects Even When You're Doing Everyt...
The #1 Thing That Goes Wrong In Client Projects Even When You're Doing Everyt...
Followbright
Ā 
Starting with Yes: How Lawyers Can Become Early Adopters of Technology
Starting with Yes: How Lawyers Can Become Early Adopters of TechnologyStarting with Yes: How Lawyers Can Become Early Adopters of Technology
Starting with Yes: How Lawyers Can Become Early Adopters of Technology
Jules Miller
Ā 
An Imposter's Journey Into InfoSec
An Imposter's Journey Into InfoSecAn Imposter's Journey Into InfoSec
An Imposter's Journey Into InfoSec
Stu Hirst
Ā 
Where Americans Don't Lock Their Doors [Survey] | Eyewitness Surveillance
Where Americans Don't Lock Their Doors [Survey] | Eyewitness SurveillanceWhere Americans Don't Lock Their Doors [Survey] | Eyewitness Surveillance
Where Americans Don't Lock Their Doors [Survey] | Eyewitness Surveillance
Ashley Stryker
Ā 

Recommended

Threat modeling nihilists v. vegans
Threat modeling nihilists v. vegansThreat modeling nihilists v. vegans
Threat modeling nihilists v. vegans
evacide
Ā 
An Imposter's Journey Into InfoSec
An Imposter's Journey Into InfoSecAn Imposter's Journey Into InfoSec
An Imposter's Journey Into InfoSec
Stu Hirst
Ā 
Dynamic Risk Assessment, March 2013
Dynamic Risk Assessment, March 2013Dynamic Risk Assessment, March 2013
Dynamic Risk Assessment, March 2013
David Webster
Ā 
Making Ethical Tech: Fulfilling Obligations to Your Users, Your Staff and You...
Making Ethical Tech: Fulfilling Obligations to Your Users, Your Staff and You...Making Ethical Tech: Fulfilling Obligations to Your Users, Your Staff and You...
Making Ethical Tech: Fulfilling Obligations to Your Users, Your Staff and You...
YTH
Ā 
The #1 Thing That Goes Wrong In Client Projects Even When You're Doing Everyt...
The #1 Thing That Goes Wrong In Client Projects Even When You're Doing Everyt...The #1 Thing That Goes Wrong In Client Projects Even When You're Doing Everyt...
The #1 Thing That Goes Wrong In Client Projects Even When You're Doing Everyt...
Followbright
Ā 
Starting with Yes: How Lawyers Can Become Early Adopters of Technology
Starting with Yes: How Lawyers Can Become Early Adopters of TechnologyStarting with Yes: How Lawyers Can Become Early Adopters of Technology
Starting with Yes: How Lawyers Can Become Early Adopters of Technology
Jules Miller
Ā 
An Imposter's Journey Into InfoSec
An Imposter's Journey Into InfoSecAn Imposter's Journey Into InfoSec
An Imposter's Journey Into InfoSec
Stu Hirst
Ā 
Where Americans Don't Lock Their Doors [Survey] | Eyewitness Surveillance
Where Americans Don't Lock Their Doors [Survey] | Eyewitness SurveillanceWhere Americans Don't Lock Their Doors [Survey] | Eyewitness Surveillance
Where Americans Don't Lock Their Doors [Survey] | Eyewitness Surveillance
Ashley Stryker
Ā 
ComputerSecurity-Brochure
ComputerSecurity-BrochureComputerSecurity-Brochure
ComputerSecurity-Brochure
Benjamin Vevang
Ā 
WALT be Cyber smart
WALT be Cyber smartWALT be Cyber smart
WALT be Cyber smart
wiggit
Ā 
Incredibly efficient but lesser known fighting systems for street defense
Incredibly efficient but lesser known fighting systems for street defenseIncredibly efficient but lesser known fighting systems for street defense
Incredibly efficient but lesser known fighting systems for street defense
Adam Quirk
Ā 
Selling Elephant Whistles
Selling Elephant WhistlesSelling Elephant Whistles
Selling Elephant Whistles
jaysonstreet
Ā 
AI-based rumor & fake news detection algorithm on Twitter
AI-based rumor & fake news detection algorithm on TwitterAI-based rumor & fake news detection algorithm on Twitter
AI-based rumor & fake news detection algorithm on Twitter
Meeyoung Cha
Ā 
Machine learning how not to lose the user
Machine learning how not to lose the userMachine learning how not to lose the user
Machine learning how not to lose the user
Nuritps
Ā 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
Eoin Keary
Ā 
SQL injection
SQL injectionSQL injection
SQL injection
Akash Panchal
Ā 
Introduction to SQL Injection
Introduction to SQL InjectionIntroduction to SQL Injection
Introduction to SQL Injection
jpubal
Ā 
Sql injection
Sql injectionSql injection
Sql injection
Sasha-Leigh Garret
Ā 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Napendra Singh
Ā 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
Stacy Watts
Ā 
Sql Injection Attacks Siddhesh
Sql Injection Attacks SiddheshSql Injection Attacks Siddhesh
Sql Injection Attacks Siddhesh
Siddhesh Bhobe
Ā 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
RajKumar Rampelli
Ā 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
Ā 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
Rich Helton
Ā 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
avishkarm
Ā 
Sql injection
Sql injectionSql injection
Sql injection
Hemendra Kumar
Ā 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
Cade Zvavanjanja
Ā 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Marios Siganos
Ā 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
Ā 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
Ā 

More Related Content

What's hot

ComputerSecurity-Brochure
ComputerSecurity-BrochureComputerSecurity-Brochure
ComputerSecurity-Brochure
Benjamin Vevang
Ā 
WALT be Cyber smart
WALT be Cyber smartWALT be Cyber smart
WALT be Cyber smart
wiggit
Ā 

What's hot (6)

ComputerSecurity-Brochure
ComputerSecurity-BrochureComputerSecurity-Brochure
ComputerSecurity-Brochure
Ā 
WALT be Cyber smart
WALT be Cyber smartWALT be Cyber smart
WALT be Cyber smart
Ā 
Incredibly efficient but lesser known fighting systems for street defense
Incredibly efficient but lesser known fighting systems for street defenseIncredibly efficient but lesser known fighting systems for street defense
Incredibly efficient but lesser known fighting systems for street defense
Ā 
Selling Elephant Whistles
Selling Elephant WhistlesSelling Elephant Whistles
Selling Elephant Whistles
Ā 
AI-based rumor & fake news detection algorithm on Twitter
AI-based rumor & fake news detection algorithm on TwitterAI-based rumor & fake news detection algorithm on Twitter
AI-based rumor & fake news detection algorithm on Twitter
Ā 
Machine learning how not to lose the user
Machine learning how not to lose the userMachine learning how not to lose the user
Machine learning how not to lose the user
Ā 

Viewers also liked

Introduction to SQL Injection
Introduction to SQL InjectionIntroduction to SQL Injection
Introduction to SQL Injection
jpubal
Ā 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
Rich Helton
Ā 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
Dmitry Evteev
Ā 

Viewers also liked (20)

03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
Ā 
SQL injection
SQL injectionSQL injection
SQL injection
Ā 
Introduction to SQL Injection
Introduction to SQL InjectionIntroduction to SQL Injection
Introduction to SQL Injection
Ā 
Sql injection
Sql injectionSql injection
Sql injection
Ā 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Ā 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
Ā 
Sql Injection Attacks Siddhesh
Sql Injection Attacks SiddheshSql Injection Attacks Siddhesh
Sql Injection Attacks Siddhesh
Ā 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
Ā 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Ā 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
Ā 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
Ā 
Sql injection
Sql injectionSql injection
Sql injection
Ā 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
Ā 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Ā 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Ā 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Ā 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
Ā 
Sql injection
Sql injectionSql injection
Sql injection
Ā 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
Ā 
Sql injection
Sql injectionSql injection
Sql injection
Ā 

Similar to Threat modeling librarian freedom conference

Stopping Child Sexual Abuse Before it Happens
Stopping Child Sexual Abuse Before it HappensStopping Child Sexual Abuse Before it Happens
Stopping Child Sexual Abuse Before it Happens
Keith Gregory
Ā 
Stopping Child Sexual Abuse Before it Happens
Stopping Child Sexual Abuse Before it HappensStopping Child Sexual Abuse Before it Happens
Stopping Child Sexual Abuse Before it Happens
KeithGregory19
Ā 
How To Survive The Zombie Apocalypse
How To Survive The Zombie ApocalypseHow To Survive The Zombie Apocalypse
How To Survive The Zombie Apocalypse
elbryan108
Ā 
Verbal martial arts. Teaching Conflict Skills to Incarcerated Adults
Verbal martial arts. Teaching Conflict Skills to Incarcerated AdultsVerbal martial arts. Teaching Conflict Skills to Incarcerated Adults
Verbal martial arts. Teaching Conflict Skills to Incarcerated Adults
Sharon Durgin Campbell, MS
Ā 

Similar to Threat modeling librarian freedom conference (20)

Example Of Introduction In. Online assignment writing service.
Example Of Introduction In. Online assignment writing service.Example Of Introduction In. Online assignment writing service.
Example Of Introduction In. Online assignment writing service.
Ā 
Essay Questions On The Cherry Orchard. Online assignment writing service.
Essay Questions On The Cherry Orchard. Online assignment writing service.Essay Questions On The Cherry Orchard. Online assignment writing service.
Essay Questions On The Cherry Orchard. Online assignment writing service.
Ā 
Stopping Child Sexual Abuse Before it Happens
Stopping Child Sexual Abuse Before it HappensStopping Child Sexual Abuse Before it Happens
Stopping Child Sexual Abuse Before it Happens
Ā 
Stopping Child Sexual Abuse Before it Happens
Stopping Child Sexual Abuse Before it HappensStopping Child Sexual Abuse Before it Happens
Stopping Child Sexual Abuse Before it Happens
Ā 
How To Survive The Zombie Apocalypse
How To Survive The Zombie ApocalypseHow To Survive The Zombie Apocalypse
How To Survive The Zombie Apocalypse
Ā 
Deadly Viruses Essay
Deadly Viruses EssayDeadly Viruses Essay
Deadly Viruses Essay
Ā 
Verbal martial arts. Teaching Conflict Skills to Incarcerated Adults
Verbal martial arts. Teaching Conflict Skills to Incarcerated AdultsVerbal martial arts. Teaching Conflict Skills to Incarcerated Adults
Verbal martial arts. Teaching Conflict Skills to Incarcerated Adults
Ā 
Essay Jedi Review. Online assignment writing service.
Essay Jedi Review. Online assignment writing service.Essay Jedi Review. Online assignment writing service.
Essay Jedi Review. Online assignment writing service.
Ā 
Assignment 1.2 Conflicting Viewpoints Essay - Part Ii
Assignment 1.2 Conflicting Viewpoints Essay - Part IiAssignment 1.2 Conflicting Viewpoints Essay - Part Ii
Assignment 1.2 Conflicting Viewpoints Essay - Part Ii
Ā 
Borders With Leaves - Leaves Png Images Trans
Borders With Leaves - Leaves Png Images TransBorders With Leaves - Leaves Png Images Trans
Borders With Leaves - Leaves Png Images Trans
Ā 
Princess Writing Paper. Online assignment writing service.
Princess Writing Paper. Online assignment writing service.Princess Writing Paper. Online assignment writing service.
Princess Writing Paper. Online assignment writing service.
Ā 
How Would You Start Off A Persuasive Essay
How Would You Start Off A Persuasive EssayHow Would You Start Off A Persuasive Essay
How Would You Start Off A Persuasive Essay
Ā 
Imposter Syndrome (Kurt Madsen at LunchUX)
Imposter Syndrome (Kurt Madsen at LunchUX)Imposter Syndrome (Kurt Madsen at LunchUX)
Imposter Syndrome (Kurt Madsen at LunchUX)
Ā 
Corn Syrup Essay. Online assignment writing service.
Corn Syrup Essay. Online assignment writing service.Corn Syrup Essay. Online assignment writing service.
Corn Syrup Essay. Online assignment writing service.
Ā 
To Kill A Mockingbird Lesson Plan For Laws Of Life Essay Writing Character Map
To Kill A Mockingbird Lesson Plan For Laws Of Life Essay Writing Character MapTo Kill A Mockingbird Lesson Plan For Laws Of Life Essay Writing Character Map
To Kill A Mockingbird Lesson Plan For Laws Of Life Essay Writing Character Map
Ā 
The Lighthouse Essay Agnes Owens
The Lighthouse Essay Agnes OwensThe Lighthouse Essay Agnes Owens
The Lighthouse Essay Agnes Owens
Ā 
American Dream Essay Contest Wyoming
American Dream Essay Contest WyomingAmerican Dream Essay Contest Wyoming
American Dream Essay Contest Wyoming
Ā 
001 Essay Example In Citation Mla Format For Quotes Quotesgram Examples
001 Essay Example In Citation Mla Format For Quotes Quotesgram Examples001 Essay Example In Citation Mla Format For Quotes Quotesgram Examples
001 Essay Example In Citation Mla Format For Quotes Quotesgram Examples
Ā 
What Can We Learn from the Unabomber?: Nothing.
What Can We Learn from the Unabomber?: Nothing.What Can We Learn from the Unabomber?: Nothing.
What Can We Learn from the Unabomber?: Nothing.
Ā 
How To Write A My Best Friend Essay In 5 Simple Steps.
How To Write A My Best Friend Essay In 5 Simple Steps.How To Write A My Best Friend Essay In 5 Simple Steps.
How To Write A My Best Friend Essay In 5 Simple Steps.
Ā 

Recently uploaded

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
Ā 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel AraĆŗjo
Ā 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
Ā 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
Ā 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
Ā 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
Ā 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
Ā 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
Ā 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
Ā 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
Ā 

Recently uploaded (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Ā 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Ā 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Ā 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Ā 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Ā 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Ā 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
Ā 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Ā 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Ā 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Ā 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Ā 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
Ā 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Ā 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
Ā 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Ā 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Ā 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Ā 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Ā 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Ā 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Ā 

Threat modeling librarian freedom conference

  • 1. Threat Modeling Library Freedom Edition Morgan Marquis-Boire & Eva Galperin @headhntr @evacide
  • 3. What are we talking about? What the hell is threat modeling? How do you do it? What makes this trickier than it looks?
  • 4. Librarians are doing it for themselves
  • 5.
  • 6.
  • 7. How not to go crazy
  • 8. What the hell is threat modeling? 111sdgisjfoisejfoijs11. What do you want to protect?kok 1. What do you want to protect? 2.1. What do you want to protect? ASSETS1. What do you want to protect 1. What do you want to protect?
  • 9. What the hell is threat modeling? 111sdgisjfoisejfoijs11. What do you want to protect?kok 1. What do you want to protect? 2.1. What do you want to protect? ASSETS1. What do you want to protect 1. What do you want to protect? 2. Who do you want to protect it from?
  • 10. What the hell is threat modeling? 111sdgisjfoisejfoijs11. What do you want to protect?kok 1. What do you want to protect? 2.1. What do you want to protect? ASSETS1. What do you want to protect 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it?
  • 11. What the hell is threat modeling? 111sdgisjfoisejfoijs11. What do you want to protect?kok 1. What do you want to protect? 2.1. What do you want to protect? ASSETS1. What do you want to protect 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it? 4. How bad are the consequences if you fail?
  • 12. What the hell is threat modeling? 111sdgisjfoisejfoijs11. What do you want to protect?kok 1. What do you want to protect? 2.1. What do you want to protect? ASSETS1. What do you want to protect 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it? 4. How bad are the consequences if you fail? 5. How much trouble are you willing to go through in order to prevent those consequences?
  • 13. What do you need to know? Assets Adversary Threat Capability Risk
  • 15. VS
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 30.
  • 31.
  • 34.
  • 36. Those are the types of actors, but who are the players?
  • 37.
  • 38.
  • 39. High End FVEY - US / UK / CA / AU / NZ ISRAEL CHINA RUSSIA FRANCE etc etc etc etc
  • 41.
  • 42. Commercial Market ā— Law Enforcement ā— Intelligence agencies ā— Security companies
  • 44.
  • 46.
  • 49.
  • 50.
  • 53. ā€œWhen we share information, we are building power of our own. Potential harassers may deterred by the thought that we are both capable of and willing to turn the eye of internet surveillance back on them.ā€ Liz Henry, Model View Culture Investigation Online: Gathering Information to Assess Risk
  • 54. Amina Araaf: a gay girl in Damascus
  • 55. Tom MacMaster: middle aged guy in Scotland
  • 56.
  • 58. I smell a RAT
  • 60.
  • 61. Other kinds of criminals
  • 62.
  • 63. ā€œBefore his gauche upload, he posted a picture of his lobster salad and tagged the restaurant.ā€ New York Post
  • 64. Hey teacher, leave those kids alone
  • 65.
  • 66.
  • 67. ā€œOne day soon, home room teachers in your local middle and high schools may stop scanning rows of desks and making each student yell out ā€˜Here!ā€™ during a morning roll call. Instead, small cards, or tags, carried by each student will transmit a unique serial number via radio signal to an electronic reader near the school door.ā€ AT&T advertising brochure
  • 68.
  • 69.
  • 70.
  • 71. The blended threat landscape Not discrete categories: many delicious flavors!
  • 72. Risk
  • 75. Alaa Abdel Fattah says ā€œCome at me, bro.ā€
  • 76.
  • 77.
  • 79.
  • 80.
  • 81.
  • 82.
  • 83. Further reading What Every Librarian Should Know About HTTPS: https://www.eff.org/deeplinks/2015/05/what-every-librarian-needs-know-about- https Surveillance Self Defense: https://ssd.eff.org. COMSEC: Beyond Encryption: https://grugq.github.io/presentations/COMSEC%20beyond%20encryption.pdf Digital First Aid Kit: http://digitaldefenders.org/digitalfirstaid/

Editor's Notes

  1. On January 12, 2010, the same day as Google announced about the aurora targeted attacks, it was announced that gmail traffic would be encrypted by default. Since that time, facebook, twitter, and recently Yahoo have moved to using HTTPS traffic by default. Skype has provided encypted voice calls for many years. In addition to this, people like The Tor Project, The EFFā€™s HTTPS Everywhere plugin, Whisper Systems providing encrypted voice and text messaging means that passive sniffing of traffic has started to yield less interesting results. Itā€™s still useful, in order to surveill persons of interest that have decent security understanding, active targeting becomes necessary.
  2. Computer viruses were just something that happened to computers and people shrugged their shoulders and figured theyā€™d have to reinstall. Now this is fine if malware isnā€™t targeted and indeed, youā€™ve become part of a viagra spam botnet, however, itā€™s problematic for people that discover that theyā€™ve been targeted by a nation-state. Because...
  3. Computer viruses were just something that happened to computers and people shrugged their shoulders and figured theyā€™d have to reinstall. Now this is fine if malware isnā€™t targeted and indeed, youā€™ve become part of a viagra spam botnet, however, itā€™s problematic for people that discover that theyā€™ve been targeted by a nation-state. Because...
  4. Cyber mercenaries using the police tools sold to repressive governments In fact the Turkmenistan secret service and the Australian police use the same tool!
  5. only sell to military
  6. Computer viruses were just something that happened to computers and people shrugged their shoulders and figured theyā€™d have to reinstall. Now this is fine if malware isnā€™t targeted and indeed, youā€™ve become part of a viagra spam botnet, however, itā€™s problematic for people that discover that theyā€™ve been targeted by a nation-state. Because...
  7. Hammad Akbar was fined $500k by the district court in Virginia in December of last year for selling and distributing ā€œStealthGenie.ā€
  8. 'Please Rob Me' aggregates and streams location check-ins into a list of 'all those empty homes out there,' and describes the recently-shared locations as 'new opportunities.'
  9. a Texas school district just begun implanting the devices on student identification cards to monitor pupilsā€™ movements on campus, and to track them as they come and go from school. Tagging school children with RFID chips is uncommon, but not new. A federally funded preschool in Richmond, California, began embedding RFID chips in studentsā€™ clothing in 2010. And an elementary school outside of Sacramento, California, scrubbed a plan in 2005 amid a parental uproar. And a Houston, Texas, school district began using the chips to monitor students on 13 campuses in 2004.
  10. Cyber mercenaries using the police tools sold to repressive governments In fact the Turkmenistan secret service and the Australian police use the same tool!
  11. Cyber mercenaries using the police tools sold to repressive governments In fact the Turkmenistan secret service and the Australian police use the same tool!