#threatmodel

learn.microsoft.comThreats - Microsoft Threat Modeling Tool - AzureThreat category page for the Microsoft Threat Modeling Tool, containing categories for all exposed generated threats.

Looking at some #AI generated #threatmodel output and it listed stealing a user's credentials and using them in the "Spoofing" category. I was uncertain. Is that spoofing or elevation of privilege. So I wander over to a #microsoft page on #stride.

They say it's spoofing, which is fine. It's reasonable. I don't care as long as we all agree.

But in that table, that's literally the only example of spoofing. There are a LOT of other kinds of things that could be called spoofing. If you're gonna have only one example of spoofing, I don't think stealing credentials is the best example.

#microsoft #stride

Continued thread

**Paco Hope #resist** @paco@infosec.exchange · May 2

Lastly, there's the training data. I work for #AWS (so these are strictly my personal opinions). We are opinionated about the platform. We think that there are things you should do and things you shouldn't. If you have deep knowledge of anything (Microsoft, Google, NodeJS, SAP, whatever) you will have informed opinions.

The threat models that I have seen, that use general purpose models like Claude Sonnet, include advice that I think is stupid because I am opinionated about the platform. There's training data about AWS in the model that was authored by not-AWS. And there's training data in the model that was authored by AWS. The former massively outweighs the latter in a general-purpose, trained-on-the-Internet model.

So internal users (who are expected to do things the AWS way) are getting threats that (a) don't match our way of working, and (b) they can't mitigate anyway. Like I saw an AI-generated threat of brute-forcing a cognito token. While the possiblity of that happening (much like buying a winning lottery ticket) is non-zero, that is not a threat that a software developer can mitigate. There's nothing you can do in your application stack to prevent, detect, or respond to that. You're accepting that risk, like it or not, and I think we're wasting brain cells and disk sectors thinking about it and writing it down.

The other one I hate is when it tells you to encrypt your data at rest in S3. Try not to. There's no action for you to take. The thing you control is which key does it and who can use that key.

So if you have an area of expertise, the majority of the training data in any consumer model is worse than your knowledge. It is going to generate threats and risks that will irritate you.

4/fin

#AI #AppSec #ThreatModel

Continued thread

**Paco Hope #resist** @paco@infosec.exchange · May 2

Threat models evolve over time, the same as your software does. Nobody is building a save/load feature into their AI powered threat model. Getting deterministic output from consumer-grade LLMs is not a given. So even if you DO create save/reload capability, it's imperfect.

All the tools I've seen start every session from a blank sheet of paper. So If you're revisiting an app that you threat modeled before, because you want to update your model, you're going to start from scratch.

3/n

#AI #AppSec #ThreatModel

Continued thread

**Paco Hope #resist** @paco@infosec.exchange · May 2

Related to this, nobody seems to account for the fact that LLMs bullshit sometimes. If you pin someone down and say "the user of your AI-powered threat modeller: do they know how to do a threat model without AI?" Many people will say "yes." Because to say "no" is to admit that the people will be blindly following LLM output that might be total bullshit.

The goal, however, of many of these systems is to make threat modeling more accessible to people who don't know how to do it. To do that, though, you'd have to be more skeptical about your user, and spend some time educating them. Otherwise, they leave the process no smarter than they began.

Honestly, I think a lot of people think the threat model is going to be done entirely by the AI and they want to build a system where the human just consumes and uses it.

2/n

#AI #AppSec #ThreatModel

**Paco Hope #resist** @paco@infosec.exchange · May 2

I have seen a lot of efforts to use an #LLM to create a #ThreatModel. I have some insights.

Attempts at #AI #ThreatModeling tend to do 3 things wrong:

They assume that the user's input is both complete and correct. The LLM (in the implementations I've seen) never questions "are you sure?" and it never prompts the user like "you haven't told me X, what about X?"
Lots of teams treat a threat model as a deliverable. Like we go build our code, get ready to ship, and then "oh, shit! Security wants a threat model. Quick, go make one." So it's not this thing that informs any development choices during development. It's an afterthought that gets built just prior to #AppSec review.
Lots of people think you can do an adequate threat model with only technical artifacts (code, architectuer, data flow, documentation, etc.). There's business context that needs to be part of every decision, and teams are just ignoring that.

1/n

**c_th1** @c_th1@digitalcourage.social · Apr 20

Apr 20

https://cryptpad.digitalcourage.de/file/#/2/file/iLDoTt03wkGUL3dA39ScX6hV/

Meine Datenschutz und Privatsphäre Übersicht 2025, für Jedermann

Teilen erbeten

als PDF:

#DSGVO #TDDDG ( #unplugtrump )
#Datenschutz #Privatsphäre #sicherheit #Verschlüsselung
#encryption #WEtell #SoloKey #NitroKey #Email #Cybersecurity #Pixelfed #Massenűberwachung
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Apple #Windows #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #Digitalisierung #FragdenStaat #Shiftphone #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification
#Bloatware #TPM #Murena #LiberaPay #GnuTaler #Taler #PreppingforFuture
#FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit

**LegallyAbigail** @LegallyAbigail@dair-community.social · Apr 12

Apr 12

LegallyAbigail @LegallyAbigail@dair-community.social

Julie Angwin is working on a #privacy #threatmodel for authoritarianism.

https://buttondown.com/JuliaAngwin/archive/a-threat-model-for-opposing-authoritarianism/

Updates from Julia · Apr 12A Threat Model for Opposing Authoritarianism By Updates from Julia

**Paco Hope #resist** @paco@infosec.exchange · Mar 31

Mar 31

Some of my colleagues at #AWS have created an open-source serverless #AI assisted #threatmodel solution. You upload architecture diagrams to it, and it uses Claude Sonnet via Amazon Bedrock to analyze it.

I'm not too impressed with the threats it comes up with. But I am very impressed with the amount of typing it saves. Given nothing more than a picture and about 2 minutes of computation, it spits out a very good list of what is depicted in the diagram and the flows between them. To the extent that the diagram is accurate/well-labeled, this solution seems to do a very good job writing out what is depicted.

I deployed this "Threat Designer" app. Then I took the architecture image from this blog post and dropped that picture into it. The image analysis produced some of the list of things you see attached.

This is a specialized, context-aware kind of OCR. I was impressed at boundaries, flows, and assets pulled from a graphic. Could save a lot of typing time. I was not impressed with the threats it identifies. Having said that, it did identify a handful of things I hadn't thought of before, like EventBridge event injection. But the majority of the threats are low value.

I suspect this app is not cheap to run. So caveat deployor.
#cloud #cloudsecurity #appsec #threatmodeling

A typical AWS serverless architecture from the blog that I linked to. It shows a very large box representing an AWS account, and bunch of smaller boxes containing icons, with each box representing a capability (like file upload, users and authentication, etc). Inside each of those boxes are some icons representing services, like Lambda, IAM, Cognito, S3, etc.

An screen capture of a list of things in a web browser. The table header is labeled "Flows" and it lists flows like the following:

End users authenticate through web browsers or mobile devices via Amplify and CloudFront to Cognito User Pools, potentially using External Identity Provider integration. Source: End Users, Target: Cognito User Pools

Authenticated users make API requests through CloudFront and API Gateway to access backend services. Source: End Users. Target: API Gateway

API Gateway routes authenticated requests to appropriate Lambda functions for processing. Source: API Gateway. Target: Lambda Functions

An screen capture of a list of things in a web browser. The table header is labeled "Assets" and it lists things like the following:

End Users: Users that access the application through web browsers or mobile devices, interacting with the frontend interfaces

External Identity Provider: Third-party authentication service integrated with Cognito for user authentication and authorization

API Gateway: Manages all API requests, acts as the primary entry point for backend services, controls access to Lambda functions and business logic

A screenshot of a table in a web page. The header is labeled "Trust Boundary" and it contains items like:
Public-to-private network boundary separating internet users from AWS cloud resources. Source: End Users. Target: CloudFront Distribution

Authentication boundary validating user identity before allowing access to backend resources. Source: End Users. Target: Cognito User Pools

External authentication service integration boundary. Source: Cognito User Pools. Target: External Identity Provider

#ai #threatmodel

**c_th1** @c_th1@digitalcourage.social · Mar 25 *

Mar 25 *

https://cryptpad.digitalcourage.de/file/#/2/file/NdmBgSYkRCto8B+JmJkE9mQ4/

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit

Teilen erbeten

als PDF:

**c_th1** @c_th1@digitalcourage.social · Mar 23

Mar 23

https://cryptpad.digitalcourage.de/file/#/2/file/NdmBgSYkRCto8B+JmJkE9mQ4/

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit

Teilen erbeten

als PDF:

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit Feedback erwünscht

**c_th1** @c_th1@digitalcourage.social · Mar 2 *

Mar 2 *

#DSGVO #TDDDG ( #unplugtrump )
#Datenschutz #Privatsphäre #sicherheit #Verschlüsselung
#encryption #WEtell #SoloKey #NitroKey #Email #Cybersecurity #Pixelfed #Massenűberwachung #Sicherheitspaket
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Apple #Windows #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #Digitalisierung #FragdenStaat #Shiftphone #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification
#Bloatware #TPM #Murena #LiberaPay #GnuTaler #Taler #PreppingforFuture
#FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit

Teilen erbeten

https://cryptpad.digitalcourage.de/file/#/2/file/hfzvE2FX7wKg8kbtUScqrvqI/

**Quixoticgeek** @quixoticgeek@v.st · Feb 25

Feb 25

Quixoticgeek @quixoticgeek@v.st

Fediverse. I need your magic. Please tell me your most amusing and wtf #ThreatModel fails.

**KSev** @severud@infosec.exchange · Feb 22

Feb 22

KSev @severud@infosec.exchange

Redundant systems is not waste or inefficiency. It is protection from threats known and unknown. We are now seeing this on a national and global scale.
#threatModel #infoSec
#zeroTrust?

**c_th1** @c_th1@digitalcourage.social · Feb 5

Feb 5

#DSGVO #TDDDG #Datenschutz #Privatsphäre #sicherheit #Verschlüsselung
#encryption #WEtell #Email #Cybersecurity #Pixelfed #Massenűberwachung
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Appel #Windows #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #Digitalisierung #FragdenStaat #Shiftphone #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification #Bloatware #TPM #Murena #Shiftphone
#LiberaPay #GnuTaler #Taler #PreppingforFuture #FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit

Teilen erbeten

( Ich bitte euch außerdem um > #niewiedercdu #noAFD )

https://cryptpad.digitalcourage.de/file/#/2/file/hfzvE2FX7wKg8kbtUScqrvqI/

**c_th1** @c_th1@digitalcourage.social · Feb 3

Feb 3

https://cryptpad.digitalcourage.de/file/#/2/file/EjjovZQgmtn6MZGqAKbJY1uO/

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit

Teilen erbeten

( Ich bitte euch außerdem um > #niewiedercdu #noAFD )

( neuer link )

**c_th1** @c_th1@digitalcourage.social · Jan 19

Jan 19