Is there case work of threat models that have failed? Perhaps the case work not being generally available because they kept it secret is what's lacking in the ability to model the design of a secure system.
I suggest that this case work information is a viable currency and that if owned would not be spent and exchanged willy-nilly with all those that ask or look for it. A case in point might be the rumors of a Chinese Cyber Warfare development entity. While many have suggested its existence I have found no proof of any of its projects or attacks.
Does that mean I cannot understand the threat they present? I gather yes is the answer, if I'm the one who they would attack. Logically there is no entity that will be attacked by the Chinese Cyber Warfare team because no attack has been detected.
Email and the profile of the users are a strange thing indeed. So while Mafia and CIA might take email as unusable due to the electronic record, it might be fine for Mr. White Collar Criminal who does not expect any monitoring, so email makes sense. Is the user one that might expect to be investigated? What might the user be investigated for and by whom? What is the risk versus reward for the activity being conducted using email?
All these questions need to be asked to judge the cost of protection. If it is a question of habit versus proper assessment for the user then that itself is a threat model. Habits dictate the behavior rather than rational analysis of the user's situation and purpose for usage. The best way to play the Security Threat Model is the creation of FUD. FUD will break the habits and might spark some rational thought as to the proper usage, given the terms and conditions the user establishes.
I know people that are so concerned they never return an email.
Posted by Jim at June 12, 2004 08:10 AM

I now think of it as "What're Your Threats, Mate ?!"

Posted by JPMay at June 12, 2004 12:11 PM

LOL! That's a classic solution - if we aren't clear what the target audience is, let's conveniently settle on our mates, and hope nobody notices. I mean, what are mates for?

Posted by Iang at June 12, 2004 06:20 PM

Again I want to go back to the idea of a signing device that can receive and display any arbitrary bit of text on a small screen, allow users to attach any of several response codes and sign and return it to sender. The response codes may be obvious things like (1=sent, 2=acknowledged receipt, 3=accepted, 4=denied, 5=other) http://ledgerism.net/STR.htm
The following could be out of scope and/or unnecessary on P2P commerce: Protection against DOS for either the initiator, or the respondent, and how either party verifies the counterparty's public key.
There has to be a fundamental principle "Let the reader of the signed document beware". "caveat anagnostes" or maybe "caveat perlego" http://www.nd.edu/~archives/latin.htm The alternative is big brother, confirming everything for us, and imposing the whole range of costs and snooping and control, or, abandoning electronic networks for another generation.
So, the threat models are almost completely limited to physical or network attacks to get inside the handheld device and mess up the data or steal the key(s). These risks should be modest if the device is simple. The MeT device had two areas; an area for application software, and, the security element which was the keys and low level software objects for signing etc.
I believe the world is ready for a signing device, based on something like webfunds with chat, and a fixed document size for the signed, encrypted message payload. The payload would be any simple thing like XML-X that was small and simple enough to write software without holes,
Todd
Posted by Todd at June 12, 2004 06:22 PM
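The exchange Todd sketches above, as an added example that is not part of the original post or of the MeT or webfunds designs he refers to: a sender pushes a short text to a device, the device shows it, the user picks one of the five response codes, and the device signs what was shown together with the code. The sender then verifies against its own copy of the text, so if anything in between altered what the user read, the signature will not check out, which is the mechanical form of "let the reader of the signed document beware". Ed25519, the 256-byte fixed payload, the 16-byte nonce and the two-byte length prefix are all assumptions made here for illustration; how the sender obtains the device's public key is left out, as the comment itself puts it out of scope.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Response codes as listed in the comments above.
const (
	RespSent       uint8 = 1
	RespAckReceipt uint8 = 2
	RespAccepted   uint8 = 3
	RespDenied     uint8 = 4
	RespOther      uint8 = 5
)

// PayloadSize is an assumed fixed document size. Oversize text is refused,
// never truncated, so the user cannot sign text they did not see whole.
const PayloadSize = 256

// Challenge is what the sender pushes to the device. The nonce is an
// assumption added here so a reply cannot be reused against a later request.
type Challenge struct {
	Nonce [16]byte
	Text  []byte
}

// Response carries only the chosen code and the signature; the sender
// reconstructs the signed bytes from its own copy of the text.
type Response struct {
	Code uint8
	Sig  []byte
}

// Device models the handheld: the security element holds the key, the
// application side only puts text on the screen.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Pub: pub}, nil
}

func validCode(c uint8) bool { return c >= RespSent && c <= RespOther }

// canonical is the exact byte string that gets signed: nonce, code, a 2-byte
// big-endian length, then the text zero-padded to PayloadSize. A fixed layout
// leaves nothing to parse and nothing to disagree about on either side.
func canonical(nonce [16]byte, code uint8, text []byte) ([]byte, error) {
	if len(text) > PayloadSize {
		return nil, errors.New("text exceeds fixed payload size")
	}
	buf := make([]byte, 0, 16+1+2+PayloadSize)
	buf = append(buf, nonce[:]...)
	buf = append(buf, code, byte(len(text)>>8), byte(len(text)))
	buf = append(buf, text...)
	return append(buf, make([]byte, PayloadSize-len(text))...), nil
}

// Display is the text the user actually reads before choosing a response.
func (d *Device) Display(c Challenge) string { return string(c.Text) }

// Respond signs exactly what was displayed, bound to the user's chosen code.
func (d *Device) Respond(c Challenge, code uint8) (Response, error) {
	if !validCode(code) {
		return Response{}, errors.New("unknown response code")
	}
	msg, err := canonical(c.Nonce, code, c.Text)
	if err != nil {
		return Response{}, err
	}
	return Response{Code: code, Sig: ed25519.Sign(d.priv, msg)}, nil
}

// Verify runs on the sender's side against the challenge it originally sent.
// If the device showed different text, the signature does not match.
func Verify(pub ed25519.PublicKey, sent Challenge, r Response) error {
	if !validCode(r.Code) {
		return errors.New("unknown response code")
	}
	msg, err := canonical(sent.Nonce, r.Code, sent.Text)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, r.Sig) {
		return errors.New("signature does not cover the text that was sent")
	}
	return nil
}

// RoundTrip runs one exchange end to end. tamper, if non-nil, models someone
// on the path altering the text before it reaches the device's screen.
func RoundTrip(d *Device, text string, code uint8, tamper func([]byte) []byte) error {
	var c Challenge
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return err
	}
	c.Text = []byte(text)
	shown := c
	if tamper != nil {
		shown.Text = tamper(append([]byte(nil), c.Text...))
	}
	_ = d.Display(shown) // constructed stand-in for the small screen
	r, err := d.Respond(shown, code)
	if err != nil {
		return err
	}
	return Verify(d.Pub, c, r)
}

func main() {
	d, err := NewDevice()
	if err != nil {
		panic(err)
	}
	swap := func(b []byte) []byte { return bytes.Replace(b, []byte("Alice"), []byte("Mallory"), 1) }
	fmt.Println("honest:  ", RoundTrip(d, "Pay 100 to Alice", RespAccepted, nil))
	fmt.Println("tampered:", RoundTrip(d, "Pay 100 to Alice", RespAccepted, swap))
	fmt.Println("oversize:", RoundTrip(d, string(make([]byte, PayloadSize+1)), RespDenied, nil))
}
```

The only thing the device ever signs is the byte string built from what it displayed, and the only thing the sender ever verifies is the byte string built from what it sent; neither side trusts the other's copy of the text, which is the whole point of a signing device whose screen the user can read.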