What is your threat model?

Discussion in 'other security issues & news' started by TomeiNingen, Nov 29, 2016.

  1. TomeiNingen

    TomeiNingen Registered Member

    Joined:
    Nov 8, 2016
    Posts:
    50
    Location:
    Fort Meade, Maryland
    Hey all -

    I'm curious to know about the threat models you've identified for yourselves. The more I browse the forums and after seeing some of the relatively lax setups that some have, the more curious I get about what's actually perceived as a "threat" by the community at large.

    As for me, I adhere to an attacker-centric threat model and my primary concern is with data brokers and surveillance dragnets. I'm sure it sounds a little odd, but I'm not especially concerned with 'illicit' hackers per se (I don't have any assets worth exploiting from a criminal perspective, haha).

    Counterintuitive though it may seem, to me, your average hacker represents a subset of aggressors against whom we have relatively greater protection and less to fear. The more insidious threats (IMHO) are the legally sanctioned data brokers and shadowy gov't entities with no direct accountability or appreciable transparency -- and against whom we effectively have no means of recourse.

    They're black boxes full of "unknown unknowns" that reach further into our lives on a minute-by-minute basis, regularly undermining users' privacy and eroding trust by poking persistent holes in ubiquitous and "trusted" software. Not only do they enjoy the benefit of protection under the law, but the key difference is that their pervasive integration throughout all facets of life puts them in a unique position to really do some serious damage to a person's life or credibility if so motivated. And it's only getting worse.

    It's this undue influence that I find particularly troubling. I'm much more concerned about the ramifications that such a chilling effect has on discourse than I am about having to order a new debit card or dispute a purchase. Given the recent global trend toward authoritarian ideologies, I think this concern takes on a renewed urgency.

    How 'bout you?
     
    Last edited: Dec 1, 2016
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yep, excellent question, and one that logically needs to be clarified before talking about controls (which is the natural tendency for techs).

    I'll return later, but I would observe that, aside from the run-of-the-mill malware threats, I am increasingly concerned with problems arising from mass-surveillance and false-positives which are the inevitable consequence of sifting the haystack. This is particularly problematic due to the erosion of the rule of law enshrined in laws such as the Investigatory Powers Act (UK), and basics like needing symmetrical information in order to have legal standing (and not getting it), and especially in the UK, having limited recourse for wrongful accusations, arrest or rubbish in databases and basically no damages. Plus, having the over-collection of records which have been and will increasingly be misused, lost or stolen.

    In addition, industrialisation of state-level mass-hacking tools increases the risk that your facilities will be attacked by one's beloved government, let alone anyone else's. And they can lock you up.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Well spoken. I'd like to respond in very simple terms - metaphorically!

    Threat models are severely underestimated. Back to the metaphor. If you were to ask a small Impala getting a drink at an African waterhole what his risk was, he might say (if he could talk): these flies are driving me nuts, I wonder how risky it would be to come back tonight when it's dark (no flies)? But what he never saw coming was the Lion in the bushes, for which he paid the ultimate price with his underestimation of his current threat model.

    The metaphor's simplicity is laughable on one hand, but spot on in real life. When you assess your threat model with virtual disregard of consequence, should you be wrong, you will lean to the Cinderella version of how it plays out. Remember that most think the pouncing Lion always happens to the other guy.
     
  4. I will expand later when I have time, but my guess would be that we (as we who post about privacy/anonymity) would be classified as medium level risk.

    I'm pretty sure the spooks are very likely listening to what we have to say on privacy forums. I have no doubt they do listen.

    But I don't think the spooks are going to use zero day exploits on us. Not just yet anyway.
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I'm more concerned that it's the spooks' algorithms, based on grotty "targeted" selectors, that will be listening AND pronouncing judgement. Without any human involvement at all (which is where the common-sense would hopefully prevail). And that as a consequence, if, for example, you have an interest in a certain female Egyptian deity, that's a flag which could lead you to face (probably in conjunction with other erroneous flags) - listing on various databases which could then lead you to suffer real world harm and damage - employment prospects, credit ratings, ability to fly, excluded from countries or regions, being stopped and questioned.... No accountability or proper redress.

    Even worse, I fully expect them to automate attacks based on those ratings or selectors - it doesn't have to be zero-day, probably most of us are vulnerable to something or other, and the resources and industrialised automation (on top of their insider knowledge of you) would be hard to protect against, it just takes the once. It takes no real effort on their part to over-reach, and they're not the ones suffering the damage from the over-reach.
     
  6. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Yes, the classification of people automatically resulting in being blacklisted for work or services is my main concern. Along with the loss of personal details that can be used for identity theft.
     
  7. deBoetie your concerns are valid.

    I suspect we all have a file on some LEA network about our online behavior. And it would be easy to exploit our systems with malware if they wanted to do it.

    But I think they are more interested in listening in and gathering intel at this stage rather than pwn our systems.

    We are still tin foil hat wearers to most of society. We have now become somewhat accepted since Snowden.
     