Might sound a bit of a silly question. I see people talking about threat models, and privacy guides which say things like “if this is part of your threat model, do X Y Z”. I’m just not sure if it’s a general “this is what I want to protect myself against” or if there’s more to it.

  • xylogx@lemmy.worldEnglish
    5·
    1 day ago

    What are you scared of?

    If you are worried your parents will see your browsing history, that is you threat model.

    If your concern is government surveillance, you need to do more than just clear your browsing history.

  • Sergio@slrpnk.netEnglish
    14·
    2 days ago

    So there’s a formal/professional approach and there’s an informal approach.

    Formally, there are fields like Risk Management aka Risk Analysis; in these fields there are various frameworks and approaches for things like threat models and risk assessments. This is more than most of us need.

    Informally “this is what I want to protect myself against” is indeed a good way of thinking about it. You can write something up for yourself, or you can just think it through. If the threat model helps you use your time / resources wisely, then it’s a good threat model.

  • catloaf@lemm.eeEnglish
    18·
    2 days ago

    Yeah that’s basically it. Like if you’re concerned about people physically stealing your laptop, use a cable lock and disk encryption, not a VPN. If you’re concerned about the government ISP spying ang knocking on your door because of what you post online, use a VPN and don’t say anything identifying, not switch from Chrome to Firefox or whatever.

    • kat@orbi.camp
      5·
      2 days ago

      I mean, if your using chrome, and worse, logged in to your google account, that’s big paper trail for the government to trace back to you. VPN protection stops at your ISP.

      • catloaf@lemm.eeEnglish
        22·
        2 days ago

        Yes, if you store sensitive info in your Google account and the government can compel Google to provide that info, which they don’t always do.

  • Mr. Zeus@feddit.orgEnglish
    7·
    2 days ago

    Things that are in every threat model include, but are not limited to.

    Surveillance from your internet provider and advertising companies its partnered with.

    Surveillance from advertising companies partnered with websites you go to and online services you use.

    People online who might try to doxx you if you say something they don’t like or win too much in a game

    The owner of a malicious website getting your IP address from visiting it by accident.

    If your internet provider or anyone else gives you the third degree about using a VPN or any other privacy-friendly alternatives to anything, just say all but the first one

    oh and be mindful of internet providers using AI to find patterns in the packets you’re sending and receiving

  • Telorand@reddthat.com
    111·
    2 days ago

    That’s basically it. It’s the things you either think are likely threats or the threats you want to be protected from.

    It’s why people often ask what’s in someone’s threat model, because each is individual. More security/privacy usually comes with tradeoffs, so just “do the most secure thing always” isn’t necessarily the best solution for everyone.

  • lattrommi@lemmy.mlEnglish
    72·
    2 days ago

    Threat plan.

    Ask yourself the following:

    What do you have that you want to protect?

    Can be a person, place, thing, animal, mineral or vegetable.

A hierarchy of importance is good to develop.

    Is your wife more important than your cat? 

    Is your fireproof safe full of legal documents more important than your computer?

    Who do you want to protect it from?

    Threats 

    Consider:

        Actions taken by humans

        Acts of nature (acts of your god?)

        The passage of time

    How likely is it that you will need to protect it?

    Remember:

    Privacy is important

    Everything breaks down eventually, both man and machine, society and civilization

        Will a hurricane demolish your mountaintop resort? 

        Will a landslide destroy your yatch? 

        Will looters ransack your home during an insurrection?

    Historical weather and earthquake data is useful to know

    How bad are the consequences if you fail?

    What do you have to lose beyond possessions and people?

    Reputation, freedoms, integrity, etc.

    How much trouble am you willing to go through to prevent these consequences?

    Will you go through worse if you don't prepare?

Will you have the courage to act when the time comes?

How many security cameras are needed to track a single cat? What about a married cat?

    After you feel you have answered these sufficiently, you can begin to prepare to protect yourself!

  • j4k3@lemmy.worldEnglish
    4·
    2 days ago
    As an example, the Fediverse and Lemmy, like the whole public internet, are scraped for all possible reasons.

    There are many levels of objections to this behavior. Some may choose to remove comments after a given amount of time, although that is rather pointless. Any company can setup an instance and use the initial synchronization of federated instances to capture all data.

    Some people might simply avoid sharing any personal information that can dox them or correlate them with other profiles.

    Then there are people like myself. I do not really care about how this account is correlated. I am only here for the human social connectedness. I object to all collection of personal data and view the trade of such data as digital slavery and a gross violation of fundamental human rights.

    My personal threat model is that I avoid any potential situation where my dwell time, and page views are monitored and used to manipulate and exploit me. I’m particularly concerned with how the best and brightest psychology majors have been getting into social media and marketing jobs. I noticed a pattern of how I was motivated to make frivolous purchases over time when I engaged with corporate media sources. I have never responded to ads directly, but when I shopped on a platform, suddenly I encountered more content relative to that platform. After many projects I started asking myself why I chose to do x/y/z, and it was usually due to some suggested content I had watched.

    Around the time I came to Lemmy, I disconnected from all corporate social media. I won’t even run most apps if they are connected to the internet. I do most stuff in a browser only. I separate social media from any shopping. I also run a whitelist firewall for most of my devices.

    I am protecting myself from any viewer retention algorithms that might directly or indirectly use the human propensity for masochistic negative attraction and attachment. I found this damaging on platforms like FB in the first years of my physical disability a decade ago.

    So one might say, my actionable threat model is direct manipulation based concerns.

  • OneMeaningManyNames@lemmy.mlEnglish
    2·
    2 days ago

    The basic way to do this is you respond to these three questions: What am I trying to protect? From whom? What are they able to do to get there?

  • edric@lemm.ee
    2·
    2 days ago

    Yes that’s the gist of it. You can even visualize it by using tables or charts. The goal is to identify the assets you want to protect and what threats you are protecting them against.

  • communism@lemmy.ml
    1·
    2 days ago

    I mean, yeah, it’s the threats you’re trying to protect against. Usually informed by which attackers are likely to go after you and what avenues they are likely to take, but you can decide based on whatever you like.