Leuchtturm @leuchtturm

2 posts2 participants0 posts today

@c_th1@digitalcourage.social · 1d

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit

Teilen erbeten

als PDF:

https://cryptpad.digitalcourage.de/file/#/2/file/NdmBgSYkRCto8B+JmJkE9mQ4/

#DSGVO #TDDDG ( #unplugtrump )
#Datenschutz #Privatsphäre #sicherheit #Verschlüsselung
#encryption #WEtell #SoloKey #NitroKey #Email #Cybersecurity #Pixelfed #Massenűberwachung
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Apple #Windows #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #Digitalisierung #FragdenStaat #Shiftphone #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification
#Bloatware #TPM #Murena #LiberaPay #GnuTaler #Taler #PreppingforFuture
#FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz

**Paco Hope #resist** @paco@infosec.exchange · 3d

Paco Hope #resist @paco@infosec.exchange

Some of my colleagues at #AWS have created an open-source serverless #AI assisted #threatmodel solution. You upload architecture diagrams to it, and it uses Claude Sonnet via Amazon Bedrock to analyze it.

I'm not too impressed with the threats it comes up with. But I am very impressed with the amount of typing it saves. Given nothing more than a picture and about 2 minutes of computation, it spits out a very good list of what is depicted in the diagram and the flows between them. To the extent that the diagram is accurate/well-labeled, this solution seems to do a very good job writing out what is depicted.

I deployed this "Threat Designer" app. Then I took the architecture image from this blog post and dropped that picture into it. The image analysis produced some of the list of things you see attached.

This is a specialized, context-aware kind of OCR. I was impressed at boundaries, flows, and assets pulled from a graphic. Could save a lot of typing time. I was not impressed with the threats it identifies. Having said that, it did identify a handful of things I hadn't thought of before, like EventBridge event injection. But the majority of the threats are low value.

I suspect this app is not cheap to run. So caveat deployor.
#cloud #cloudsecurity #appsec #threatmodeling

A typical AWS serverless architecture from the blog that I linked to. It shows a very large box representing an AWS account, and bunch of smaller boxes containing icons, with each box representing a capability (like file upload, users and authentication, etc). Inside each of those boxes are some icons representing services, like Lambda, IAM, Cognito, S3, etc.

An screen capture of a list of things in a web browser. The table header is labeled "Flows" and it lists flows like the following:

End users authenticate through web browsers or mobile devices via Amplify and CloudFront to Cognito User Pools, potentially using External Identity Provider integration. Source: End Users, Target: Cognito User Pools

Authenticated users make API requests through CloudFront and API Gateway to access backend services. Source: End Users. Target: API Gateway

API Gateway routes authenticated requests to appropriate Lambda functions for processing. Source: API Gateway. Target: Lambda Functions

An screen capture of a list of things in a web browser. The table header is labeled "Assets" and it lists things like the following:

End Users: Users that access the application through web browsers or mobile devices, interacting with the frontend interfaces

External Identity Provider: Third-party authentication service integrated with Cognito for user authentication and authorization

API Gateway: Manages all API requests, acts as the primary entry point for backend services, controls access to Lambda functions and business logic

A screenshot of a table in a web page. The header is labeled "Trust Boundary" and it contains items like:
Public-to-private network boundary separating internet users from AWS cloud resources. Source: End Users. Target: CloudFront Distribution

Authentication boundary validating user identity before allowing access to backend resources. Source: End Users. Target: Cognito User Pools

External authentication service integration boundary. Source: Cognito User Pools. Target: External Identity Provider

#ai #threatmodel

**Quixoticgeek** @quixoticgeek@v.st · Feb 25

Feb 25

Quixoticgeek @quixoticgeek@v.st

Fediverse. I need your magic. Please tell me your most amusing and wtf #ThreatModel fails.

**Kernel Bob** @kbob@chaos.social · Feb 1

Feb 1

Kernel Bob @kbob@chaos.social

Yesterday we got the new gate installed on our back deck. It has a key lock to keep extremely nonathletic intruders out.

A wintry outdoor scene. In the foreground, a wooden deck is bounded by an iron rail about 1 meter tall. There is a staircase down to the ground, and at the top is an iron gate, also about 1 meter tall. The gate has a lock and keyhole.

#ThreatModel

Continued thread

**Anti.** @antiaall3s@chaos.social · Jan 16

Jan 16

Anti. @antiaall3s@chaos.social

COVID News Pandemic LongCOVID

Replied in thread

**boredsquirrel** @Rhababerbarbar@tux.social · Nov 24, 2024 *

Nov 24, 2024 *

boredsquirrel @Rhababerbarbar@tux.social

@ct_Magazin

Threat Modelling ist hier extrem relevant.

Tails hat ein bestimmtes #ThreatModel
- amnesic
- live
- incognito

Da ist kaum etwas mit Prozessisolierung, wie es #Flatpak und #Bubblejail tun, und #QubesOS meistert

Und dass man damit auf einem beliebigen PC sicher sein kann ist leider auch ein falsches Versprechen. #Coreboot ist essentiell weil es minimal ist. Auf unterster Ebene sollte kaum Code laufen. Intel ME sollte aus sein. #Heads ist auch wichtig.

@3mdeb @novacustom @tlaurion

**Areskul** @jean_dupont@mastodon.social · Nov 5, 2024

Nov 5, 2024

Areskul @jean_dupont@mastodon.social

- lock bios
- disable root account
- encrypt storages with luks2
- shutdown on unrecognized devices plugging (udev-rules)

Is there something more I can do to protect myself from an evil maid?

#linux
#cybersecurity
#threatmodel

**Wizards Anonymous** @crft@mastodon.social · Nov 2, 2024

Nov 2, 2024

Wizards Anonymous @crft@mastodon.social

Adding #Google as a #ThreatActor to your #ThreatModel seems like a great way to understand #CyberSecurity / #InfoSec. Look at what happened to #LTT.

**OWASP Foundation** @owasp@infosec.exchange · Sep 4, 2024

Sep 4, 2024

OWASP Foundation @owasp@infosec.exchange

Get ready for #AppSec Days #Singapore! Interested in getting more engaged? Join us as a volunteer and help make this conference unforgettable! Check out our volunteer openings NOW: https://owasp.wufoo.com/forms/z7wfrfl07e63af/ #cybersecurity #devsecops #AI #threatmodel #infosec

**OWASP Foundation** @owasp@infosec.exchange · Sep 3, 2024

Sep 3, 2024

OWASP Foundation @owasp@infosec.exchange

Excited about attending #AppSec Days #Singapore? Want to be more involved? Volunteer and support the event staff at this incredible conference! Explore our volunteer opportunities TODAY: https://owasp.wufoo.com/forms/z7wfrfl07e63af/

#cybersecurity #devsecops #AI

**Emory** @emory@soc.kvet.ch · Jun 19, 2024

Jun 19, 2024

Emory @emory@soc.kvet.ch

okay @obsidianmd after a ton of scrolling around for the last week i hearby endorse Smart Second Brain for integrating local AI into your notetaking and #PKM practices.

https://github.com/your-papa/obsidian-Smart2Brain

it can use #ollama and any models you fetch for it are available to Obsidian, as are the new embeddings models for doing RAG. i've forked a vault of #threatmodel cards i use and am about to get weird /flex

#smart2Brain seems to be the safest and easiest which hardly ever happens. well done. #obsidian

GitHubGitHub - your-papa/obsidian-Smart2Brain: An Obsidian plugin to interact with your privacy focused AI-Assistant making your second brain even smarter!An Obsidian plugin to interact with your privacy focused AI-Assistant making your second brain even smarter! - your-papa/obsidian-Smart2Brain

**Emory** @emory@soc.kvet.ch · Apr 18, 2024

Apr 18, 2024

Emory @emory@soc.kvet.ch

friends, rivals, luminaries of #infosec: i had a #threatModel recently involving an #LDAP service and the team has a challenge. they don't have a great way to throttle or limit the volume of requests they answer, and when someone's running a credential stuff against a service there can be as many as 100s of millions of invalid requests over a couple of hours and they just have to soak it up and i don't like seeing that.

obviously we could use a WAF for the web services but what about LDAP?

Replied in thread

**Coach Pāṇini ®** @paninid@mastodon.world · Feb 2, 2024

Feb 2, 2024

Coach Pāṇini ® @paninid@mastodon.world

@Lightfighter @darcher @dannotdaniel @BeAware @noondlyt

I think one failure of societal vision, across business and governance, was applying the concept of “#ThreatModel” to the #InformationSuperhighway.

Replied in thread

**Abraxas3d** @abraxas3d@defcon.social · Jan 4, 2024

Jan 4, 2024

Abraxas3d @abraxas3d@defcon.social

@aeva the best part was the level of preparation and understanding of the #threatmodel

"The neighbor told BVPD that the pipe bombs were for sharks and pirates and he had liquor for the Russians, according to the affidavit."

**Adam Shostack** @adamshostack@infosec.exchange · Dec 7, 2023

Dec 7, 2023

Adam Shostack @adamshostack@infosec.exchange

Playing with phanpy.social, it seems that authorizing new apps to access mastodon doesn't require a two factor auth code.

While I haven't fully threat modeled it (you're already logged into the browser, so someone with browser access may not represent a shift in trust boundary, it feels off.

#mastodon #security #accidentalpentest

**Emory** @emory@soc.kvet.ch · Oct 17, 2023

Oct 17, 2023

Emory @emory@soc.kvet.ch

alright #infosec what do i need to know about software #HSM versus hardware modules when considering the challenges both present? i ordinarily favor hardware but as a pragmatic #threatmodel architect i need to be aware of the possible shortcomings of either and i think i have a good understanding, but the requirements from #3gpp are somehow less helpful than pci-dss when it comes to design decisions cc: @ducksauz

**nemo™** @nemo@mas.to · Oct 1, 2023

Oct 1, 2023

nemo™ @nemo@mas.to

#DoINeedAVPN is an #opensource #tool that helps people decide if they need a commercial #VPN
. The tool is designed to #help #users determine whether a VPN is #necessary for their privacy and security needs e.g. #threatmodel

https://www.doineedavpn.com/

www.doineedavpn.comDo I need a VPN?Share your privacy and security concerns, and we help you decide whether you need a commercial VPN. In some cases you don't, or Tor might be a better choice for you.

**Teri Radichel** @teriradichel@infosec.exchange · Sep 28, 2023

Sep 28, 2023

Teri Radichel @teriradichel@infosec.exchange

Giving Your Cloud Credentials to Another Cloud Provider
~~
ACM.323 How does this affect your quantifiable risk score?
~~
#AWS #Azure #DevOps #Could #Security #Credentials #Roles #Risk #ThreatModel

https://medium.com/cloud-security/giving-your-cloud-credentials-to-another-cloud-provider-738f2a368164

**Teri Radichel** @teriradichel@infosec.exchange · Sep 25, 2023

Sep 25, 2023

Teri Radichel @teriradichel@infosec.exchange

Handling Credentials Generically in a Custom Lambda Runtime
~~
ACM.307 Also, threat modeling use of local credentials in relation to the LastPass breach
~~
#lambda #credentials #runtime #testing #attack #threatmodel #lastpass #breach