GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 26-Mar-2024 17:00:16 JST

    Developers should make "abuser stories" a thing.

    "As a stalker,

    I want to track my ex's every move,

    so that I can 'coincidentally' run into them at any time."

    "As a thief,

    I want to be able to reset passwords using SMS verification,

    so that I can compromise any account by bribing a telco employee."

      Aris Adamantiadis :verified:💲Paid (aris@infosec.exchange)'s status on Tuesday, 26-Mar-2024 17:15:09 JST

      @ryanc isn't that basically how we do threat modeling? Except we use third person, it's weird otherwise

      Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 26-Mar-2024 17:21:18 JST
      in reply to
      • Aris Adamantiadis :verified:💲Paid

      @aris It is, but this distills it down to something that is easy to understand by most people.

      Who is the threat actor?

      What do they want?

      Why do they want it?

      Jan D (simulo@hci.social)'s status on Tuesday, 26-Mar-2024 17:37:29 JST

      @ryanc seems similar to https://simplysecure.org/designunderpressure/#methods !


      Attachments

      1. Design Under Pressure (simplysecure.org)
        We design with ideal conditions in mind, but the world is far from ideal.
      Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 26-Mar-2024 17:37:29 JST
      in reply to
      • Jan D

      @simulo Oh, I like these. "Miscreant" is a term of art used in some circles to cover basically the same sorts that "persona non grata" is being used to describe.

      David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Tuesday, 26-Mar-2024 17:41:47 JST

      @ryanc Are there developers that don’t do this already? I suppose that explains the poor security of a lot of products.

      Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 26-Mar-2024 17:45:54 JST
      in reply to
      • David Chisnall (*Now with 50% more sarcasm!*)

      @david_chisnall It's not just security - I included the stalker for a reason.

      People have a "how would my partner's creepy ex use this" conversation for major features.

      Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 26-Mar-2024 17:50:17 JST
      in reply to
      • Graham Sutherland / Polynomial

      @gsuberland This is why I get paid enough to pick fights in court with entities which have thirteen figure annual budgets.

      Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Tuesday, 26-Mar-2024 17:50:19 JST

      @ryanc decent way to distill threat models down to the bare minimum needed to convey the idea. I like it.

      David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Tuesday, 26-Mar-2024 19:53:04 JST

      @ryanc I'd include that under the heading of security. It's closely related to the 'can an attacker leak information from my smart device that tells them when my house is unoccupied' threat.

      I'm still waiting for an organised crime syndicate to provide a service that aggregates a load of data from Facebook and similar to tell petty criminals which houses near them are unoccupied.

      Daniel Fisher(lennybacon) (lennybacon@infosec.exchange)'s status on Wednesday, 27-Mar-2024 04:43:53 JST

      @ryanc Uhhh, I really like that. Few years ago I coined the term Breakstorming, where ppl sit together and verbally discuss how to break a piece of software. Abuser Stories complement them very well!

      PaleManBates (jacksonbates@aus.social)'s status on Wednesday, 27-Mar-2024 06:44:10 JST
      in reply to
      • Schroedinger
      • Aris Adamantiadis :verified:💲Paid

      @SteveClough @ryanc @aris this framing is an excellent conversation starter with the product team though, especially when it's the ironic flipside to a feature request.

      PM: let's add location tracking!
      You: so, "As a stalker I..."


      Attachments

      1. GENERAL ENQUIRY | Roman Trystram
      Schroedinger (steveclough@metalhead.club)'s status on Wednesday, 27-Mar-2024 06:44:12 JST
      in reply to
      • Aris Adamantiadis :verified:💲Paid

      @ryanc @aris But if you do threat modelling properly, you do that. You identify the sort of people who might want to gain access, and why.

      I see your point about making them easier to understand, but I worry that they can be too simple.

      Also so often, a threat model identifies areas of threat. The threat actors can and will change. Security dev always needs to be flexible and changeable - in weeks/months, not years.

      Ryan Castellucci :nonbinary_flag: repeated this.
      Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Wednesday, 27-Mar-2024 06:47:31 JST
      in reply to
      • 7heo

      @7heo I probably stole it from somewhere, go wild.

      7heo (7heo@mastodon.sdf.org)'s status on Wednesday, 27-Mar-2024 06:47:32 JST

      @ryanc actually more a tool for defensive security. But definitely a great idea. Can I steal?

      Mathaetaes (mathaetaes@infosec.exchange)'s status on Wednesday, 27-Mar-2024 10:53:12 JST

      @ryanc we do this. We just call them misuse cases, and we have a team of assholes we call offensive engineers to come up with them.

      Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Wednesday, 27-Mar-2024 16:59:14 JST
      in reply to
      • Ulf

      @ulf Of a sort, yes. I posted a more fleshed out version that said as much on linkedin a few minutes after I posted here.


      Attachments
      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/112/166/580/853/578/971/original/fe3c2d28656840d0.png
      Ulf (ulf@chaos.social)'s status on Wednesday, 27-Mar-2024 16:59:16 JST

      @ryanc that is called threat modeling #threatmodeling

      Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Wednesday, 27-Mar-2024 17:09:33 JST
      in reply to
      • Werner

      @worldwidewerner Yeah, it's threat modeling, but it's a very limited form of threat modeling, and it's also other things.

      Werner (worldwidewerner@mastodon.social)'s status on Wednesday, 27-Mar-2024 17:09:34 JST

      @ryanc
      I see people in the comments here talk about using this as threat modeling, but as a developer who thinks philosophy class was my most valuable subject, I see this as a useful tool for ethics in sysdev.

      Less "can I do this" and more "should I do this".

      Thomas Reed (thomasareed@infosec.exchange)'s status on Thursday, 28-Mar-2024 01:49:56 JST

      @ryanc @PwnieFan I now desperately want to use that for any user story I disagree with! 😄

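As an added example (not code from the thread, and not Ryan Castellucci's), here is the second abuser story from the opening post ("As a thief, I want to be able to reset passwords using SMS verification, so that I can compromise any account by bribing a telco employee") turned into an executable negative test. The thief is given exactly one capability, reading SMS sent to the victim's number, and the story is played against two constructed reset designs: one that accepts the SMS code alone and one that also demands a code delivered to the account's e-mail address. The service classes, channel stubs, accounts and phone numbers are all assumptions made up for the illustration.

```python
"""Added example, not code from the thread: an abuser story as a negative test.

Story: "As a thief, I want to be able to reset passwords using SMS
verification, so that I can compromise any account by bribing a telco employee."

The thief gets exactly one capability, reading SMS sent to the victim's number.
Both reset services, the channel stubs and all accounts are constructed here.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class Channels:
    """Stand-in for the SMS and e-mail gateways; records the last code sent per recipient."""

    def __init__(self) -> None:
        self.sms = {}
        self.email = {}

    def send_sms(self, phone: str, code: str) -> None:
        self.sms[phone] = code

    def send_email(self, address: str, code: str) -> None:
        self.email[address] = code


class Account:
    def __init__(self, email: str, phone: str, password: str) -> None:
        self.email = email
        self.phone = phone
        self.password_digest = _digest(password)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_digest, _digest(password))


class SmsOnlyReset:
    """Weak design: whoever receives the SMS code can choose a new password."""

    def __init__(self, account: Account, channels: Channels) -> None:
        self.account = account
        self.channels = channels
        self.sms_code: Optional[str] = None

    def start(self) -> None:
        self.sms_code = f"{secrets.randbelow(10**6):06d}"
        self.channels.send_sms(self.account.phone, self.sms_code)

    def finish(self, sms_code: Optional[str], email_code: Optional[str], new_password: str) -> bool:
        # email_code is accepted but ignored: the phone number is the only proof of identity.
        if self.sms_code is None or sms_code is None:
            return False
        if not hmac.compare_digest(self.sms_code, sms_code):
            return False
        self.account.password_digest = _digest(new_password)
        self.sms_code = None
        return True


class TwoChannelReset(SmsOnlyReset):
    """Hardened design: the SMS code must be paired with a code sent to the account
    e-mail, so control of the phone number alone is not enough."""

    def start(self) -> None:
        super().start()
        self.email_code = secrets.token_urlsafe(16)
        self.channels.send_email(self.account.email, self.email_code)

    def finish(self, sms_code, email_code, new_password) -> bool:
        if email_code is None or not hmac.compare_digest(self.email_code, email_code):
            return False
        return super().finish(sms_code, email_code, new_password)


def run_thief_story(reset_cls) -> bool:
    """Play the abuser story against a reset design. True means the thief owns the account."""
    channels = Channels()
    victim = Account("victim@example.com", "+1 555 0100", "correct horse battery staple")  # constructed
    service = reset_cls(victim, channels)
    service.start()
    # The bribed telco employee forwards the victim's SMS; the thief sees nothing else.
    intercepted = channels.sms.get(victim.phone)
    service.finish(intercepted, None, "thief-chosen")
    return victim.check_password("thief-chosen")


def run_owner_story(reset_cls) -> bool:
    """Control case: the real owner reads both channels and must still be able to reset."""
    channels = Channels()
    owner = Account("owner@example.com", "+1 555 0199", "old password")  # constructed
    service = reset_cls(owner, channels)
    service.start()
    service.finish(channels.sms[owner.phone], channels.email.get(owner.email), "new password")
    return owner.check_password("new password")


if __name__ == "__main__":
    for design in (SmsOnlyReset, TwoChannelReset):
        print(f"{design.__name__}: thief wins = {run_thief_story(design)}, "
              f"owner can reset = {run_owner_story(design)}")
```

The point of keeping the owner case next to the thief case is that an abuser story only constrains the design; the matching user story still has to pass, otherwise the "fix" is to remove the feature rather than to harden it. Adding the thief test to the suite also answers the thread's "the threat actors can and will change" worry in a small way: when a later change quietly makes SMS sufficient again, the test fails.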

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.