#threatmodel

Paco Hope wishes ill for JK Rowling<p>Maybe someone wants to explain the value of stupid AI prompts like the one in <a href="https://arxiv.org/pdf/2503.09586" rel="nofollow noopener" target="_blank">this paper</a>. They write:</p><blockquote><p>As a highly experienced threat modeler practitioner with over 20 years of experience, you have worked for one of the largest financial institutions in the world. </p></blockquote><p>First off, this is a classic <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> mistake: assuming that (a) security is the same everywhere, so what one firm does well, everyone should do the same, and (b) "financial institutions" have the best security, so if <strong>you</strong> want to have the "best security," you should do what they do.</p><p>Secondly, I don't get the point of including this fictional 20 years of experience in the prompt. Is that making a material difference? Why not tell it that it has a bazillion years of experience? Why not omit that? Do you want it threat modelling like we did "over 20 years ago" in 2002?</p><p>Third, this prompt will steer you toward threat models that are very wrong for some orgs. A non-profit, or an educational institution, or a low-stakes governmental agency (like parks &amp; rec) will have <em>very</em> different <a href="https://infosec.exchange/tags/ThreatModeling" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModeling</span></a> needs.</p><p>Lastly, the thing that all <a href="https://infosec.exchange/tags/ThreatModel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModel</span></a> AI systems get wrong is they lack any notion of skepticism. Did the architecture diagram not make sense? Did they imply something exists but omit it from the description? Do some aspects of the documentation contradict each other? 
It never considers the possibility that any inputs are wrong or incomplete, either through ignorance or omission.</p><p>The advent of LLMs makes everyone think they can do expert-level work in fields where they have no expertise, all because they think they are the first person to try applying an LLM to problems in that domain.</p>
The New Oil<p>Digital <a href="https://mastodon.thenewoil.org/tags/ThreatModeling" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModeling</span></a> Under <a href="https://mastodon.thenewoil.org/tags/Authoritarianism" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authoritarianism</span></a></p><p><a href="https://www.schneier.com/blog/archives/2025/09/digital-threat-modeling-under-authoritarianism.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">schneier.com/blog/archives/202</span><span class="invisible">5/09/digital-threat-modeling-under-authoritarianism.html</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/politics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>politics</span></a> <a href="https://mastodon.thenewoil.org/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a> <a href="https://mastodon.thenewoil.org/tags/ThreatModel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModel</span></a> <a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
morgandawn<p>Threat Model offers a free Covid safety list...</p><p>"Covid is airborne: it is in the exhaled breath of infected people. Vaccines and treatments are your last lines of defense. Post-infection immunity shortened to 28 days. 1 in 3 infected people are pre-symptomatic or show no symptoms. Long Covid usually comes from reinfections, most often “mild” infections. There is no limit to how many times you can catch Covid-19. The AMA wants people to know that getting reinfected is “akin to playing Russian Roulette.” Rapid tests can miss asymptomatic infections. "</p><p><a href="https://www.patreon.com/posts/huge-free-covid-86871700" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">patreon.com/posts/huge-free-co</span><span class="invisible">vid-86871700</span></a></p><p><a href="https://sfba.social/tags/ThreatModel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModel</span></a> <a href="https://sfba.social/tags/covid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>covid</span></a></p>
Lisi Hocke<p>Had a <a href="https://mastodon.social/tags/ThreatModel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModel</span></a> session with two engineering teams today. A real extensive one, where preparation included a full review of what's already there. A tech stack we haven't touched on at this company yet. A model where I could really build on my past experience, and still felt I worked for way too long. And yet, it paid off. Had an insightful conversation with folks, we all learned from each other, and we paved the way for future small, lean modeling sessions. Huge win! 🎉 <a href="https://mastodon.social/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a> <a href="https://mastodon.social/tags/ProdSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ProdSec</span></a></p>
Bi—zaar<p><a href="https://todon.eu/tags/FediHelp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FediHelp</span></a><br>I need to talk with someone skilled about <a href="https://todon.eu/tags/threatModel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatModel</span></a> (digital side), specifically about 'downloads' / archiving / wget (mirroring) and online/offline for field activities (logistics / investigation) and activist groups (water, mud, soil investigation with sampling and DIY analysis &amp; data production)</p><p>I need to talk, so do not point me to any NGOs (I already know them). And I've been there too.</p><p>It's about a holistic security approach in this very specific nudge.<br>Downloading things, offline access first, sharing (see Kiwix and kiwix itw at APC.org)<br>Being up a mountain or down at a river or sewer system or so.<br>Or around floods in streets / towns / cities / lands.<br>Radio (SDR) scanning in the field and emergency data transmission / copy.</p><p>If it's not a clear and not understandable claim, I'm so sorry and please feel free to bake he with your asking and thoughts.</p><p>Very very important: carbon-mascu-male alpha-stupid-surviving-boyz are not welcome in this discussion and I'm sure you get the point my dear fedizens (no techbro / no cryptobro and more away)</p><p>cc <span class="h-card" translate="no"><a href="https://infosec.exchange/@DigiDefenders" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>DigiDefenders</span></a></span> <span class="h-card" translate="no"><a href="https://mstdn.social/@rysiek" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>rysiek</span></a></span> <span class="h-card" translate="no"><a href="https://chaos.social/@onepict" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>onepict</span></a></span> <br><span class="h-card" translate="no"><a href="https://mastodon.social/@APC" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>APC</span></a></span> <br><span class="h-card" translate="no"><a href="https://post.lurk.org/@iffybooks" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>iffybooks</span></a></span> <span class="h-card" translate="no"><a href="https://kolektiva.social/@hackstub" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>hackstub</span></a></span> <span class="h-card" translate="no"><a href="https://toot.aquilenet.fr/@lacontrevoie" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>lacontrevoie</span></a></span></p>
Sam Bent<p>Batman's threat model. <br>Be like Batman and make a threat model. <br><a href="https://mastodon.social/tags/threatmodel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatmodel</span></a></p>
kcarruthers<p>Time to update your threat models people: AI's the end of the Shell as we know it and I feel fine | <span class="h-card" translate="no"><a href="https://arvr.social/@mpesce" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>mpesce</span></a></span> is scaring us all </p><p><a href="https://infosec.exchange/tags/cyber" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cyber</span></a> <a href="https://infosec.exchange/tags/threatmodel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatmodel</span></a></p><p><a href="https://www.theregister.com/2025/06/11/opinion_column_mcp_von_neumann_machine/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">theregister.com/2025/06/11/opi</span><span class="invisible">nion_column_mcp_von_neumann_machine/</span></a></p>
Paco Hope wishes ill for JK Rowling<p>Looking at some <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> generated <a href="https://infosec.exchange/tags/threatmodel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatmodel</span></a> output and it listed stealing a user's credentials and using them in the "Spoofing" category. I was uncertain. Is that spoofing or elevation of privilege? So I wander over to a <a href="https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats" rel="nofollow noopener" target="_blank">#microsoft page on #stride</a>.</p><p>They say it's spoofing, which is fine. It's reasonable. I don't care as long as we all agree.</p><p>But in that table, that's literally <strong>the only example</strong> of spoofing. There are a LOT of other kinds of things that could be called spoofing. If you're gonna have only one example of spoofing, I don't think stealing credentials is the best example.</p>
Paco Hope wishes ill for JK Rowling<p>Lastly, there's the training data. I work for <a href="https://infosec.exchange/tags/AWS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AWS</span></a> (so these are strictly my personal opinions). We are opinionated about the platform. We think that there are things you should do and things you shouldn't. If you have deep knowledge of anything (Microsoft, Google, NodeJS, SAP, whatever) you will have informed opinions. </p><p>The threat models that I have seen, that use general purpose models like Claude Sonnet, include advice that I think is stupid because I am opinionated about the platform. There's training data about AWS in the model that was authored by not-AWS. And there's training data in the model that was authored by AWS. The former massively outweighs the latter in a general-purpose, trained-on-the-Internet model.</p><p>So internal users (who are expected to do things the AWS way) are getting threats that (a) don't match our way of working, and (b) they can't mitigate anyway. Like I saw an AI-generated threat of brute-forcing a cognito token. While the possibility of that happening (much like buying a winning lottery ticket) is non-zero, that is not a threat that a software developer can mitigate. There's nothing you can do in your application stack to prevent, detect, or respond to that. You're accepting that risk, like it or not, and I think we're wasting brain cells and disk sectors thinking about it and writing it down.</p><p>The other one I hate is when it tells you to encrypt your data at rest in S3. Try not to. There's no action for you to take. The thing you control is which key does it and who can use that key.</p><p>So if you have an area of expertise, the majority of the training data in any consumer model is worse than your knowledge. It is going to generate threats and risks that will irritate you.</p><p>4/fin</p><p><a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> <a href="https://infosec.exchange/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a> <a href="https://infosec.exchange/tags/ThreatModel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModel</span></a></p>
Paco Hope wishes ill for JK Rowling<p>I have seen a lot of efforts to use an <a href="https://infosec.exchange/tags/LLM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LLM</span></a> to create a <a href="https://infosec.exchange/tags/ThreatModel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModel</span></a>. I have some insights. </p><p>Attempts at <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> <a href="https://infosec.exchange/tags/ThreatModeling" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModeling</span></a> tend to do 3 things wrong:</p><ol><li>They assume that the user's input is both complete and correct. The LLM (in the implementations I've seen) never questions "are you sure?" and it never prompts the user like "you haven't told me X, what about X?"</li><li>Lots of teams treat a threat model as a deliverable. Like we go build our code, get ready to ship, and then "oh, shit! Security wants a threat model. Quick, go make one." So it's not this thing that informs any development choices <em>during development</em>. It's an afterthought that gets built just prior to <a href="https://infosec.exchange/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a> review.</li><li>Lots of people think you can do an adequate threat model with only technical artifacts (code, architecture, data flow, documentation, etc.). There's business context that needs to be part of every decision, and teams are just ignoring that.</li></ol><p>1/n</p>
Quixoticgeek<p>Fediverse. I need your magic. Please tell me your most amusing and wtf <a href="https://social.v.st/tags/ThreatModel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModel</span></a> fails.</p>
Todd A. Jacobs | Pragmatic Cybersecurity<p><a href="https://infosec.exchange/tags/DuckDuckGo" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DuckDuckGo</span></a> is now offering free, <a href="https://infosec.exchange/tags/anonymized" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>anonymized</span></a> access to a number of fast <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> <a href="https://infosec.exchange/tags/chatbots" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>chatbots</span></a> that won't train on your data. You currently don't get all the premium models and features of paid services, but you do get access to privacy-promoting, anonymized versions of smaller models like GPT-4o mini from <a href="https://infosec.exchange/tags/OpenAI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenAI</span></a> and open-source <a href="https://infosec.exchange/tags/MoE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MoE</span></a> (mixture of experts) models like Mixtral 8x7B.</p><p>Of course, for truly sensitive or classified data you should never use online services at all. Anything online carries heightened risks of human error; deliberate malfeasance; corporate espionage; legal, illegal, or extra-legal warrants; and network wiretapping. I personally trust DuckDuckGo's no-logging policies and presume their anonymization techniques are sound, but those of us in <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> know the practical limitations of such measures.</p><p>For any situation where those measures are insufficient, you'll need to run your own instance of a suitable model on a local AI engine. However, that's not really the <a href="https://infosec.exchange/tags/threatmodel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatmodel</span></a> for the average user looking to get basic things done. Great use cases include finding quick answers that traditional search engines aren't good at, or performing common AI tasks like summarizing or improving textual information. </p><p>The AI service provides the typical user with essential AI capabilities for free. It also takes steps to prevent for-profit entities with privacy-damaging <a href="https://infosec.exchange/tags/TOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TOS</span></a> from training on your data at whim. DuckDuckGo's approach seems perfectly suited to these basic use cases.</p><p>I laud DuckDuckGo for their ongoing commitment to privacy, and for offering this valuable addition to the AI ecosystem.</p><p><a href="https://duckduckgo.com/chat" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">duckduckgo.com/chat</span><span class="invisible"></span></a></p>
Blobster<p><span class="h-card" translate="no"><a href="https://kind.social/@aleidk" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>aleidk</span></a></span> I replaced “mobile phone account” with “mobile phone provider account” to be clearer about what I meant.</p><p>For banks (in the EU), AFAIK there is a strong reason why they never even mention FIDO2: for a transaction at least, the device where validation is performed must give basic info on the transaction: seller and amount.</p><p>Another point: the software support depends on site, browser (e.g., Firefox desktop != Firefox mobile), type of key, physical communication protocol (like USB vs. NFC). I made a lot of tests with various sites and my USB-A and USB-C keys, sometimes using NFC, other times USB. Some combinations don't work, or worked at some point and not later (or worked with Chrome but not Firefox, etc.). This can be quite stressful or even dangerous if this is for an important account and you have no backup plan (⇒ don't). And if the backup options are 1) exploitable in your threat model and 2) not very secure, this obviously reduces or nukes the advantage of using a security key in the first place.</p><p>A typical backup option which is not insecure from my POV if well handled is a set of recovery codes, but for this you need to store them very carefully, safely... and not forget how to access them in x years! In these conditions, setting up a new account requires “some work”.</p><p>And I say all this despite wishing FIDO2 great success, 'cause SIM swapping attacks in particular are quite scary given how much important stuff still depends on codes sent by SMS. 😐</p><p><a href="https://infosec.exchange/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIDO2</span></a> <a href="https://infosec.exchange/tags/SecurityKeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityKeys</span></a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://infosec.exchange/tags/threatModel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatModel</span></a></p>
boredsquirrel<p><span class="h-card" translate="no"><a href="https://social.heise.de/@ct_Magazin" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ct_Magazin</span></a></span> </p><p>Threat modelling is extremely relevant here.</p><p>Tails has a specific <a href="https://tux.social/tags/ThreatModel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModel</span></a><br>- amnesic<br>- live<br>- incognito</p><p>There is hardly any process isolation there, of the kind that <a href="https://tux.social/tags/Flatpak" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Flatpak</span></a> and <a href="https://tux.social/tags/Bubblejail" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Bubblejail</span></a> provide and that <a href="https://tux.social/tags/QubesOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QubesOS</span></a> has mastered</p><p>And the idea that it makes you secure on any arbitrary PC is unfortunately a false promise as well. <a href="https://tux.social/tags/Coreboot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Coreboot</span></a> is essential because it is minimal. At the lowest level, hardly any code should run. Intel ME should be off. <a href="https://tux.social/tags/Heads" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Heads</span></a> is important too.</p><p><span class="h-card" translate="no"><a href="https://fosstodon.org/@3mdeb" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>3mdeb</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.online/@novacustom" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>novacustom</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@tlaurion" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>tlaurion</span></a></span></p>
Areskul<p>- lock BIOS<br>- disable root account<br>- encrypt storage with LUKS2<br>- shut down when unrecognized devices are plugged in (udev rules)</p><p>Is there something more I can do to protect myself from an evil maid?</p><p><a href="https://mastodon.social/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>linux</span></a><br><a href="https://mastodon.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <br><a href="https://mastodon.social/tags/threatmodel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatmodel</span></a></p>
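<p>One way to implement the fourth item of the list above (shutdown on an unrecognized device via udev), as an added example that is not the poster's own setup: a udev rule hands every USB device add event to a small POSIX shell script that compares the device's vendor:product ID against an allowlist and powers the machine off on a mismatch. The script path, the <code>USB_GUARD_*</code> variables and the two allowlisted IDs are assumptions; run with <code>USB_GUARD_DRY_RUN=1</code> until the allowlist is complete, otherwise a forgotten mouse will power off the laptop.</p>

```shell
#!/bin/sh
# usb-guard.sh: invoked by udev on every USB device "add" event.
# Install as /usr/local/sbin/usb-guard.sh (assumed path) and add a rule such as
# /etc/udev/rules.d/90-usb-guard.rules containing this single line:
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/sbin/usb-guard.sh"
# udev exports ID_VENDOR_ID and ID_MODEL_ID (lower-case hex) in the environment.

# Allowlist of "vendor:product" pairs. The two entries are sample values
# (a YubiKey and a Logitech receiver); replace them with your own devices.
ALLOWLIST="${USB_GUARD_ALLOWLIST:-1050:0407 046d:c52b}"

# USB_GUARD_DRY_RUN=1 logs instead of powering off, for tuning the allowlist.
DRY_RUN="${USB_GUARD_DRY_RUN:-0}"

# usb_guard_verdict VENDOR PRODUCT -> prints "allow" or "deny", exit 0 or 1.
usb_guard_verdict() {
    vendor=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    product=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    for entry in $ALLOWLIST; do
        if [ "$entry" = "$vendor:$product" ]; then
            echo allow
            return 0
        fi
    done
    echo deny
    return 1
}

# usb_guard_react VENDOR PRODUCT -> prints the action taken and performs it.
usb_guard_react() {
    if usb_guard_verdict "$1" "$2" >/dev/null; then
        echo ignore
        return 0
    fi
    # Leave an audit trail whatever happens next; logger may be absent on test hosts.
    logger -p auth.crit -t usb-guard "unrecognized USB device $1:$2 plugged in" 2>/dev/null || true
    if [ "$DRY_RUN" = 1 ]; then
        echo dry-run
        return 0
    fi
    echo poweroff
    # --no-block: udev kills lingering RUN programs, so do not wait for shutdown.
    systemctl poweroff --no-block
}

# Entry point for udev. Does nothing unless called for a device add event.
usb_guard_main() {
    [ "${ACTION:-}" = add ] || return 0
    # Interfaces and hubs without usb_id data carry no IDs; ignore them.
    [ -n "${ID_VENDOR_ID:-}" ] && [ -n "${ID_MODEL_ID:-}" ] || return 0
    usb_guard_react "$ID_VENDOR_ID" "$ID_MODEL_ID" >/dev/null
}

usb_guard_main
```

<p>The rule fires only for whole devices (<code>DEVTYPE=usb_device</code>), not for each interface, so a composite device is judged once; the allowlist deliberately matches on IDs only, which a malicious device can clone, so this is a tripwire for the careless evil maid rather than a barrier against a prepared one.</p>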
OWASP Foundation<p>Get ready for <a href="https://infosec.exchange/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a> Days <a href="https://infosec.exchange/tags/Singapore" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Singapore</span></a>! 🎉 Interested in getting more engaged? Join us as a volunteer and help make this conference unforgettable! Check out our volunteer openings NOW: <a href="https://owasp.wufoo.com/forms/z7wfrfl07e63af/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">owasp.wufoo.com/forms/z7wfrfl0</span><span class="invisible">7e63af/</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/devsecops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>devsecops</span></a> <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> <a href="https://infosec.exchange/tags/threatmodel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatmodel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
OWASP Foundation<p>Excited about attending <a href="https://infosec.exchange/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a> Days <a href="https://infosec.exchange/tags/Singapore" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Singapore</span></a>? Want to be more involved? Volunteer and support the event staff at this incredible conference! Explore our volunteer opportunities TODAY: <a href="https://owasp.wufoo.com/forms/z7wfrfl07e63af/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">owasp.wufoo.com/forms/z7wfrfl0</span><span class="invisible">7e63af/</span></a></p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/devsecops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>devsecops</span></a> <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> <a href="https://infosec.exchange/tags/threatmodel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatmodel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
Adam Shostack :donor: :rebelverified:<p>Playing with phanpy.social, it seems that authorizing new apps to access mastodon doesn't require a two factor auth code.</p><p>While I haven't fully threat modeled it (you're already logged into the browser, so someone with browser access may not represent a shift in trust boundary), it feels off.</p><p><a href="https://infosec.exchange/tags/mastodon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>mastodon</span></a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://infosec.exchange/tags/accidentalpentest" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>accidentalpentest</span></a> <a href="https://infosec.exchange/tags/sbd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sbd</span></a> <a href="https://infosec.exchange/tags/threatmodel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatmodel</span></a></p>
Dissent Doe :cupofcoffee:<p>Does your threat model include your employee's cat?</p><p><a href="https://www.theregister.com/2023/10/05/hospital_cat_incident/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">theregister.com/2023/10/05/hos</span><span class="invisible">pital_cat_incident/</span></a></p><p><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/wfh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>wfh</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/riskassessment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>riskassessment</span></a> <a href="https://infosec.exchange/tags/threatmodel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatmodel</span></a></p>