[Freedombox-discuss] What is our threat model?

Sandy Harris sandyinchina at gmail.com
Mon May 30 14:16:36 UTC 2011

One standard step in designing almost any security system is to define
a threat model. What attacks are to be expected? What resources will
attackers have? What skills? What access to the system? And so on.

One common way for systems to fail is when someone attacks in
a way that is outside the threat model. The database system that
is heavily secured against outside intruders, but not adequately
against a dishonest admin or a trojan that takes over a manager's
machine. The bulletproof vest that does not stop a knife, etc.

It seems to me our model must be some sort of hybrid, because
there are quite a few threats.

One threat is commercial tracking, the whole mess involving
advertiser cookies, data collection by the major players
whether MSN messaging, Gmail, Facebook, Twitter, ...
There are already at least partial defenses against that:
TOR, browser settings, ...

A related issue is lack of user control. I cannot talk to my
friends via Facebook or Twitter without making that
conversation public in some ways. There's a whole set
of design problems there, which some people are
already tackling: Diaspora, StatusNet, etc. What can
the Box bring to that party?

Another related issue is forced disclosure. The US
government has been demanding Twitter records
in relation to WikiLeaks. Last I heard, that was
still before the courts. In another case, lawyers for
a UK football player claiming libel are demanding
records, via a US court.

Whatever the outcome in those particular cases, we
need to consider that class of threat, and not just
from the US gov't or British libel laws. There are
legal defenses against some of them in some
countries. In other places, legal resistance would
be futile or even dangerous.

The only technical defenses I know of are either to not
keep records in the first place or to routinely and
effectively delete them after a short time. Those affect
the ability to manage spam, which is a problem on
most social networks. I'm not sure what else they
affect either in general system administration or in
the specific tools we need for users to manage trust
and privacy.

The user's computers can be a threat. Consider
the average student at a Chinese university, one
of the ones I've taught English to. Her computer
is most likely a laptop running (a "pirate" copy of)
Windows XP. If there is an anti-virus product
installed, it is most likely the Chinese "Rising
Anti-Virus", with Kaspersky a distant second and
no-one else in the running. There's about a 20%
chance she has none at all.

If she routinely uses the Box from that machine,
what are the additional threats? Perhaps we
cannot defend her data in that case, but can we
at least minimize the damage to other users of
that Box? Can we guarantee she cannot harm
users of other Boxes?

Governments can be a threat. Right now, the
US government is chasing WikiLeaks with
considerable zeal. There are plenty of other
examples of governments getting quite
aggressive about things they deem threats to
national security.

There are also quite a few examples of people
being prosecuted for things they have said or
written that are just not allowed in some
country. Today's Slashdot mentions a case
in Thailand; the guy faces 15 years for each
count of insulting the royal family.

If a major government is disturbed enough
about something people are doing with the
Boxes, that is a serious threat indeed. At
that point, the attackers can be expected
to be professionals with huge resources
and enough time to research and plan
clever attacks.
