Data security threat models
---------------------------

A quick side note first: welcome to the newest resident of
circumlunar.space, moji!  Moji already has a nice ASCII title page,
and got the first entry in their phlog[1] up in no time flat!  The
next person to throw their gophery lot in with the Zaibatsu will have
the esteemed honour of being the fifteenth sundog!  Will it be you?

Here is the promised followup to my earlier post[2], another
contribution to the "data security ratings" discussion which is going
around.  I previously wrote that I didn't think the 1-10 rating scale
was an especially productive way to think about personal data security
(although, surely, it's a fun one!).  Much more useful is a good
understanding of concrete threat models.  It's better to think of your
personal data security in terms of concrete threats (events, or actors
with certain capabilities) which you have tried to protect yourself
against.  Different threats have different degrees of possible damage
but also different likelihoods of actually happening to you.  The only
rational approach (and I don't pretend to take a solely rational
approach to this, I find it a strange kind of fun "sport" to guard
against low-likelihood threats) is to expend your energy in proportion
to probable damage.

For the average person, probably the greatest threat to your personal
data security is simply the possibility of losing it due to sudden
hardware failure.  The only antidote to this is a good backup scheme,
which is something almost every contributor to the conversation has
admitted to not having, which is unsurprising.  Backing up is not sexy
cypherpunk business, it's dull, but it's more likely to actually save
your bacon than Tor is.

I suspect the next most important threat to consider for the average
person comes from device theft.  Having your phone or laptop stolen
obviously carries with it the consequence of losing data which hasn't
been backed up, but unlike device failure it carries the additional
risk of the thief ending up with access to data or credentials.  Your
device very probably remembers e.g. the password to various online
accounts.  The bare minimum countermeasure to address this is
configuring your device to automatically lock itself after a short
period of inactivity, and using a strong password for unlocking it.
Encrypting the underlying storage is a better solution.

I guess something should probably be said about "cybercrime" or
identity theft, but I'm not really sure what to say.  This is
something the mainstream media is constantly insisting is on the rise,
but neither I nor anybody I know has ever had any personal experience
with it.  I'm tempted to think it only happens to "level 0" users, but
I dunno.  Ransomware gets a lot of media attention, but the answer to
that is simply a good backup scheme (notice a pattern here?).  Staying
up to date on OS and especially browser updates, and generally not
being clueless about things like phishing are probably the primary
defences here.

A very salient point for the average person to consider is the risk of
data breaches against third party websites which hold their data.  The
average person maintains lots of these, and each of them holds the
data for a lot of people, making them appealing targets for attackers.
I think this is a much more probable data threat for most people than
a targeted attack on their personal machines.  The relevant machines
are completely out of your control here, so the only sensible strategy
you can take is to minimise the damage in the event of a breach.  Not
reusing passwords is probably the most important thing here, so that
one account breach at a site which stores passwords in plaintext
(which, sadly, is not uncommon) does not lead to follow-on breaches.
And, of course, providing the absolute bare minimum amount of personal
information in order for the service to be useful.  If a service
doesn't actually need your genuine birthday for any legitimate reason,
give them your "internet birthday".  If a site forces you to answer
"security questions" for password recovery, don't give truthful
answers to questions which would facilitate identity theft if they
were leaked (e.g. mother's maiden name).  Make something up, and keep
a note of it written down somewhere so you can remember it later to
reset your password.

These are by no means the only threats most people face, but if you
sum over all threats, multiplying expected damage by probability of
occurring, I think the stuff above makes a larger contribution to the
total than everything else, for most people.  In a practical sense,
somebody who takes steps to address all of the above is arguably
better off than a super 1337 VPN/GPG/Tor using "level 10" user who
hasn't backed up their shit in years.

How is this that different to thinking in terms of "ratings"?  Can't
you just enumerate all the threats in order of how scary they are, and
rank people based on the scariest threat they have completely
protected themselves against (expanding beyond the threats above to
include surveillance companies like Facebook or Google and also
government surveillance)?  Well, you could, and this probably makes
more sense than ranking people based purely in terms of practices,
with no consideration of which concrete threats the practices mitigate
and how well they do so.  But the ranking of the threats is arbitrary,
as the important details of how likely you are to face them and how
much damage they can do are different for each user.  I think the point
I wanted to make was that you shouldn't fixate on ideas like "this
year, I want to learn skills and take measures to make myself a rank
6!", but rather think in terms of "it would really suck if X happened
to me, and I don't think it's at all impossible that X might happen,
so I want to make changes so that if X happens, my suffering will be
as low as possible".
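A worked version of the "sum over all threats, damage times probability"
idea from a few paragraphs back, and of the contrast with ranking threats
purely by how scary they are, as an added example that is not part of the
original post.  Every probability, damage score and mitigation fraction
below is a constructed placeholder for an imagined "average person"; the
point is the ordering the arithmetic produces, not the numbers themselves.

```python
# Expected-loss threat prioritisation (added example, not from the post).
# All probabilities, damage scores and mitigation factors are constructed
# placeholders chosen to illustrate the argument, not measured values.

# threat name -> (rough chance of it happening to you this year,
#                 cost if it does and nothing mitigates it, arbitrary units)
THREATS = {
    "hardware failure": (0.10, 60),
    "device theft": (0.03, 80),
    "ransomware": (0.01, 70),
    "third-party breach": (0.30, 30),
    "targeted attack": (0.001, 100),
    "government surveillance": (0.0005, 90),
}
# countermeasure -> {threat: fraction of that threat's damage it removes}
MEASURES = {
    "backups": {"hardware failure": 0.9, "device theft": 0.4, "ransomware": 0.9},
    "disk encryption + auto-lock": {"device theft": 0.5},
    "unique passwords": {"third-party breach": 0.7},
    "Tor/VPN": {"government surveillance": 0.5},
}

def expected_loss(threats, measures=()):
    """The post's sum: probability * residual damage, over all threats.
    `measures` is an iterable of reduction dicts like the values of MEASURES."""
    total = 0.0
    for name, (prob, damage) in threats.items():
        for reduction in measures:  # each applicable countermeasure takes its cut
            damage *= 1 - reduction.get(name, 0.0)
        total += prob * damage
    return total

def rank_threats(threats, by="expected"):
    """Threat names ordered by expected loss, or by raw damage ("scariness")."""
    score = (lambda p, d: p * d) if by == "expected" else (lambda p, d: d)
    return sorted(threats, key=lambda n: score(*threats[n]), reverse=True)

def rank_measures(threats, measures):
    """Countermeasures ordered by how much expected loss each removes on its own."""
    base = expected_loss(threats)
    gains = {m: base - expected_loss(threats, [red]) for m, red in measures.items()}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print("scariest first:     ", rank_threats(THREATS, by="damage"))
    print("expected loss first:", rank_threats(THREATS))
    for name, gain in rank_measures(THREATS, MEASURES):
        print(f"{name:28s} removes {gain:.3f} of {expected_loss(THREATS):.2f}")
```

With these placeholder figures the "scariest first" list opens with the
targeted attack and surveillance, while the expected-loss list opens with
third-party breaches and hardware failure, and backups remove more expected
loss than every other measure, Tor/VPN the least.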

[1] gopher://circumlunar.space:70/1/~moji/phlog
[2] gopher://circumlunar.space:70/0/~solderpunk/phlog/data-security-ratings.txt