Or, If I See One More Snowden LARPer I WILL Cry

I really should stop letting people live in my head rent free but if I did you would stop getting spicy blog posts from me, so…

Anyway, threat models and risk measurement, eh?

A disclosure I guess?

I’m going to base this on the knowledge gained through my degree and what I’ve seen online. Anything that may be related to employment I hold will not be discussed here because that would be unethical :)

Threat? like right-wing extremis-

The basic thing you use if you care about privacy and security is a threat model. You need to know what you’re protecting, what the consequences are if you fail to protect that, and what is likely to be a threat against the thing you’re protecting. Put this all together in a matrix or spreadsheet or whatever format, and you have a threat model. This is where a lot of people stop reading and start wildly speculating that they’re going to be attacked by Chinese/Russian/North Korean/American hackers who will totally target them.

Obviously you need to be realistic about the threats you’re likely to encounter and how likely each possible threat is. Honestly, I don’t know how a Joe Average is meant to know this without actual cybersec knowledge; I guess you can follow some bigger names within the cyber industry on Mastodon or god forgive me for uttering this website name… Twitter 🤢 but some of them are also full of shit if you Know Things so…

Sites like PrivacyGuides sometimes actually go through and give examples, but again, not sure how you’re supposed to extrapolate ranking CVE-SomeRandomNumbers in terms of how likely someone will use it against you from “your cellular provider has a lot of visibility into your text messages but is unlikely to use your SMSes to slander you”.


I’m going to propose a couple solutions instead of just complaining because I’m nice like that

“You’re Not Special”

The simple one and most cynical is to just start telling people who seem prone to Snowden LARP that they are not, in fact, famous American whistleblower Edward Snowden. If you start from the premise that you aren’t that special, you begin to realise that hey actually, having some OPSEC hygiene and making sure my shit is up to date is often good enough. Add an adblocker on top of that and you’re probably covering all the low-hanging fruit. Bam, threat model done.

“Instead of telling people to threat model, give them a threat model”

Okay stay with me here, what if, get this. We just. (sorry screenreader users) Tell people what their threat model is. For 90% of people that go on e.g., PrivacyGuides or GrapheneOS on Matrix, their threat model is going to be pretty much the same because they are Not Eddie Snowden. People in repressive regimes, journalists, and subversive people need more specific advice anyway that a general site could never give.


Idk man, I think giving people the tools but not actually teaching them to use them is kinda cringe, and doesn’t really counter the Snowden LARPing that really pisses me off. There is some balance to be had where you educate people enough that they go to experts for help but not enough that they get to that juicy point of knowing enough to fuck shit up but not enough to know to not fuck shit up. People that want to learn more will do the reading, but people that just want to feel like they have some control of their life shouldn’t be expected to in order to get that feeling, because they kinda don’t need to; they just need to unionise and establish mutual aid networks outside the unjust hierarchies that bind them.