What does a threat model look like?
Might sound a bit of a silly question. I see people talking about threat models, and privacy guides which say things like "if this is part of your threat model, do X Y Z". I'm just not sure if it's a general "this is what I want to protect myself against" or if there's more to it.
I look at more of how much privacy do I want and what am I willing to give up to get it.
The more you try and keep your data private the less user friendly things tend to get. You need to find a balance that suits you while satisfying your main privacy concerns.
But staying away from "big tech" as much as you can and using a good VPN (Proton or Mullvad) is a MUST for any threat model.
I gave up on my first attempt to go fully private because I tried to go as far as is possible. Now I have struck what I think is a good balance. No iCloud, No Google and absolutley no Facebook, Twitter or Reddit.
What are you scared of?
If you are worried your parents will see your browsing history, that is you threat model.
If your concern is government surveillance, you need to do more than just clear your browsing history.
Things that are in every threat model include, but are not limited to.
Surveillance from your internet provider and advertising companies its partnered with.
Surveillance from advertising companies partnered with websites you go to and online services you use.
People online who might try to doxx you if you say something they don't like or win too much in a game
The owner of a malicious website getting your IP address from visiting it by accident.
If your internet provider or anyone else gives you the third degree about using a VPN or any other privacy-friendly alternatives to anything, just say all but the first one
oh and be mindful of internet providers using AI to find patterns in the packets you're sending and receiving
Yeah that's basically it. Like if you're concerned about people physically stealing your laptop, use a cable lock and disk encryption, not a VPN. If you're concerned about the government ISP spying ang knocking on your door because of what you post online, use a VPN and don't say anything identifying, not switch from Chrome to Firefox or whatever.
I mean, if your using chrome, and worse, logged in to your google account, that's big paper trail for the government to trace back to you. VPN protection stops at your ISP.
So there's a formal/professional approach and there's an informal approach.
Formally, there are fields like Risk Management aka Risk Analysis; in these fields there are various frameworks and approaches for things like threat models and risk assessments. This is more than most of us need.
Informally “this is what I want to protect myself against” is indeed a good way of thinking about it. You can write something up for yourself, or you can just think it through. If the threat model helps you use your time / resources wisely, then it's a good threat model.
That's basically it. It's the things you either think are likely threats or the threats you want to be protected from.
It's why people often ask what's in someone's threat model, because each is individual. More security/privacy usually comes with tradeoffs, so just "do the most secure thing always" isn't necessarily the best solution for everyone.
a hot blonde with a knife
Ah, a stab wound... my only weakness
Threat plan.
Ask yourself the following:
What do you have that you want to protect?
Can be a person, place, thing, animal, mineral or vegetable.
A hierarchy of importance is good to develop.
Is your wife more important than your cat?
Is your fireproof safe full of legal documents more important than your computer?
Who do you want to protect it from?
Threats
Consider:
Actions taken by humans
Acts of nature (acts of your god?)
The passage of time
How likely is it that you will need to protect it?
Remember:
Privacy is important
Everything breaks down eventually, both man and machine, society and civilization
Will a hurricane demolish your mountaintop resort?
Will a landslide destroy your yatch?
Will looters ransack your home during an insurrection?
Historical weather and earthquake data is useful to know
How bad are the consequences if you fail?
What do you have to lose beyond possessions and people?
Reputation, freedoms, integrity, etc.
How much trouble am you willing to go through to prevent these consequences?
Will you go through worse if you don't prepare?
Will you have the courage to act when the time comes?
How many security cameras are needed to track a single cat? What about a married cat?
After you feel you have answered these sufficiently, you can begin to prepare to protect yourself!
Yes that’s the gist of it. You can even visualize it by using tables or charts. The goal is to identify the assets you want to protect and what threats you are protecting them against.
The basic way to do this is you respond to these three questions: What am I trying to protect? From whom? What are they able to do to get there?
I mean, yeah, it's the threats you're trying to protect against. Usually informed by which attackers are likely to go after you and what avenues they are likely to take, but you can decide based on whatever you like.