[Ach] 30C3 talk "The Internet (Doesn't) need another security guide"

arne renkema-padmos arne.renkema-padmos at cased.de
Tue Jan 14 21:36:26 CET 2014

On 14/01/14 11:06, Andreas Mirbach wrote:
>> 2. Threat modelling: Eva mentioned that most guides first focus on a threat 
>> model. We don't really do that so much in ours.
>> Are we missing something here?
> I don't think that we need a threat model because it shrinks the focus onto this 
> model. Everything else is left out.
> I think we should provide an overall preventive security configuration and not 
> how to defend against specific threats. (Maybe there can be a smaller document with 
> different threats that can be referenced)

From what I understood the problem wasn't so much that they do / don't
include a threat model, but that they don't include the concept of
threat modelling, and determining what advice is and is not relevant in
the reader's context. AFAIK, these guides start off with a specific
threat model, and don't discuss the concept of threat modelling.

There was also some talk about how persecuted groups generally tend to
have a good model of the threats that they are up against. How this maps
to security technology is another matter, and what's missing from any
guides. I guess administrators must also have quite some experience with
different kinds of threats, which is what a threat modelling section
could build on.


Arne Renkema-Padmos
@hcisec, secuso.org
Doctoral researcher
CASED, TU Darmstadt
