
So while I sort this out I'll get started, because I'm really, really excited to be here, and it's not just because it's less crowded on the side of the stage. This is a really special talk for me. It's not a standard security talk. It is a security talk, but it's not about security; it's about the security community. Still no screens.

And I think the security community, compared to other communities, is uniquely positioned to apply our security skills to the very fabric of our community itself, to build a more secure community. And we're going to talk about that as soon as we could talk about threat modeling. Well, who here is familiar with threat modeling? Quick show of hands, who's heard of threat modeling, other than just now? There's a good show of hands, that's pretty good, not everybody. Threat modeling is basically a way, it's a structured framework to think about security of your system, to do a structured security analysis of a complex system. There's a lot of different approaches, a lot of different ways. Going back, some of the old folks in the room might remember a famous paper from 1999 by Loren and Praerit, working at Microsoft, who put together a paper called "The Threats To Our Products", and they basically laid out this structured framework of how to do threat modeling, and they introduced something called STRIDE, which we're going to use. Without this... good to go? Yay. All right.

So that's threat modeling. Who here thinks community is important? Come on, a little bit more than that, we're at BSides. Who thinks community is important? Yes. Community doesn't just happen; people work hard at it. Round of applause for everybody working on BSides, they work hard at it. But I want to take these techniques of threat modeling, of security analysis, which is one of the best ways to analyze a complex system, and apply this to one of the most complex systems I know, which is a community, and apply this to build a more secure community. That's exactly what we want to do.

Quick introduction to myself. Actually, Omar pretty much said everything. My name is Avi Douglen. You can find my internet face bouncing around, contact details if you want to reach out to me, my pronouns. My day job, I do security consulting at a small boutique called Bounce Security, but I am more active in several different communities. As Omar said, I'm one of the leaders of the OWASP Israel chapter. I'm on the global board of directors of OWASP; if you have any complaints about OWASP, feel free to send them my way. I probably won't be able to do much about it, but feel free to complain, that's what we do best. I'm also a community moderator on the Security Stack Exchange site; it's the Stack Overflow site for security, a fantastic resource with a large global community that actually built up around this site as well. So I have quite a bit of experience with different kinds of online communities. I'm also one of the co-authors of the Threat Modeling Manifesto, which is a great way to get started with threat modeling or to upgrade your existing practice to something even better. You're gonna go to threatmodelingmanifesto.org; if you have seven minutes you could read through it twice, and it's really interesting to see how to scale up better whatever approach you take to threat modeling.

But what is threat modeling, right? This is going to freely borrow from the manifesto; I feel comfortable doing that since I was one of the authors. This little statement took us about three weeks to put together, 15 people. But what is threat modeling? Threat modeling is about analyzing representations of a system to highlight concerns about security and privacy characteristics. The emphasis here is mine. I have my own definition that I usually share with developer teams, but this serves our purpose well here, because it's about
security, it's about privacy, right, there's a lot of different things, and it's about concerns. We didn't say threats. It's not a long list of bugs, a long list of vulnerabilities. Concerns: things that we want to take care of, things that we want to consider about how to fix, how to make better. And we do this not by testing the live system but representations: we take an abstraction of a system. This might be a diagram, it might be the design of a system, it might be some other description of it. Abstractions.

For those of you that are not familiar with this diagram, it's a classic picture of a World War II bomber. Obviously the bombing effort was a big deal in World War II for the Allies, a huge amount of anti-aircraft fire, losing a lot of planes, I think 25 of the planes didn't come back. And the Allies said, you know what, let's collect some data about where the planes are getting shot. Every plane that came back, they marked down where the planes were getting shot, and there's a good map of where the planes get shot. I'm gonna put more armor wherever the planes get shot, survive better. It's a lot cheaper and makes more sense than flying an entire tank, for sure. But right before they did that, they realized they fell into a very common trap called survivor's bias. They were only looking at the planes that came back. So this is actually a really good map of where you don't need to put armor on the planes, because all these places are a place where the plane will get shot and still come back. We're a lot more concerned about the planes that don't make it back, so they need to put armor everywhere that you don't see bullet holes, because if the plane got shot in the cockpit, it's not coming back. That's where they need to put armor.

In the same way, we don't need to care about every possible attack. We don't care about people not trying to attack our system. We care about the attacks that get through, we care about the attacks that actually impact whatever value we have in our system, whatever data we have, whatever records we have. We need to think about how these attacks work and how these threats affect our system.

So why do we want to be doing threat modeling? It makes you a lot more efficient, whatever you're doing. If you're building a simple web form application, deep technology, machine learning, bug bounties, pen tests, whatever you're doing, threat modeling the system you're working on will help you be a lot more efficient. It'll help you focus on the parts of the security that actually matter, the ones that will give you the most value. It'll help you make more informed decisions over time. And there's this concept of the shared understanding of what security actually means for our system. Everybody familiar with the parable of four blind folks describing this great big thing that they found in the room? One of them says there's this big pillar, I can't move it. The other one says I keep bumping my head on this leathery surface over here. Another one is complaining that there's this feather that keeps slapping her in the face, and another one says this hose just stole my hat. And they don't realize they're all talking about the same elephant. Very often with teams we'll see that, in the same way, everybody has a different idea of how the system works, of what security actually means to us. Threat modeling gets us reading on the same page, in the same direction, and understanding and agreeing what security actually means to us in our context.

I'm going to pull one best practice out of the manifesto; there's a bunch of others, but this one I really like in our context. To really have an impactful threat modeling practice, you need to have a culture of finding and fixing issues. It's not just enough to say okay, we're gonna go look at these things, but you have to have a culture built up around actually fixing the issues and the problems that you find. And there's a lot of different methodologies, a lot of different approaches; whatever you take, whatever you decide to use, you're going to need to answer these four questions. Sometimes we call this Adam Shostack's framework. Adam Shostack is practically the godfather of modern threat modeling, literally wrote the book on it years ago when he was at Microsoft, and as a co-author of the manifesto we actually adopted this into the manifesto as well, because threat modeling is about answering these four questions. Number one, what are we working on? What are we building? Is it the system, is it this diagram, is it that feature or that kind of security? What is the system that we are working on? Number two, what can go wrong? These are the threats, the concerns, the assumptions we might
have about the system. Number three, what are we going to do about it? It's not just about generating a long list of vulnerabilities; it's about actually making a more secure product, a more secure system. And like any process, we need to ask ourselves, did we do a good job? It makes sense.

And we might analyze a system, it's an online system, we might use something like a data flow diagram, a DFD. And you've got your processes and your data stores and your data flows going everywhere, and it gives you a really good view of how the system works: the different components, the interfaces between them, the architecture, how things work, and what crosses trust boundaries. And we can analyze this diagram in a really effective manner.

Another approach to analyzing a system is based on the value chain, what I like to call the value-driven approach, and this is focusing less on the vulnerabilities but more on the value, right? Number one, why are we working on this? What is so important here about this system? What value do we get out of it? Again, if you're building a feature, why are we doing this? Usually it's to follow the money, sell more product; maybe it's to get more eyeballs on my cat blog; maybe it's a literal chain with a diamond hanging on it that you're going to steal at the end of the movie, right? Whatever it is, you want to understand what the value is, what you're after. And then we could ask ourselves, well, how do we get there from here? How does this thing that we're working on actually produce that value, as a direct value chain? And then we can just go ahead and say, well, how do we protect that value chain? How do we make sure that that actually happens?

Right, now when we're trying to find the issues, the what can go wrong, the threats, a common framework for this is known as STRIDE, introduced in that 1999 paper. STRIDE is a mnemonic; it stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges. We'll repeat that in a second. But it's important to realize that this is, you know, six different categories of types of attacks that an attacker might be looking for, what their goals are to do in your system, what are they looking to do. But it's not a classification scheme; it's all about structured brainstorming to help you focus on asking the right questions, to understand what it is you're looking for. And you could ask tons of questions, tons of questions, kind of like you're a five-year-old, tons of questions to find: what would happen if? What would happen if? What can I do with this? Finding additional very specific attack scenarios for each one of these classes of threats. But again, once you've found the threat, you don't need to start classifying it, which bucket does it fit in; it's not that kind of scheme. It's just about the structured brainstorming.

And spoofing: spoofing is all about identity. Who am I? Who are you? Pretending to be somebody you're not. Tampering is about playing with data until something breaks, trying to harm the integrity of that data. Repudiation is claiming you didn't do something which you ostensibly did, claiming something didn't happen, and making it in a way that you can't prove that I did do it. Information disclosure, of course, is harming the confidentiality of data. Denial of service is blocking the availability of the system, and there's a lot of different ways to slice and dice this, right: it might be the whole server crashes, it might be one module is not available, you can't log in, whatever; it might be one user, it might be all users. There's a lot of different ways to look at this. And finally, elevation of privileges is all about authorization, basically doing anything that you shouldn't be allowed to do.

And the way we do this is we go one bucket at a time, one of the STRIDE elements at a time; we go through that DFD, that data flow diagram, one element at a time, and we ask very focused questions: what kind of spoofing threats are there on this element? What kind of tampering threats are there on that element? And in this way we can ask questions and find and identify a lot of those issues. Now this is a common framework. I want to go ahead and take this framework and apply it on more complex systems, real world systems, an actual community.

Now we need to ask ourselves, whose responsibility is it to be doing this threat modeling thing? Well, pretty much everyone. And the interesting thing is that most people do some form of threat modeling in the real world; most people have some idea of what the threats are. You're parking in a dark alley, you're going to lock your car, right? You're buying a new house or
building a new house, you might be worried about the ground floor windows, so you're going to put bars on the windows because you're worried about a velociraptor attack, or thieves, I don't know, I don't know your life, whatever, zombies, whatever it is, don't talk to me about zombies. The problem is that most people are not experts in all of those fields, don't have a rigorous structure for that. That's why it's important to use this structured framework, structured methodology, that helps you approach and design and understand the threat model of whatever it is you're working on.

And it's important to note: all threat models are wrong, some are useful. This is not the original quote; I like to mangle it as "all threat models are wrong, some are useful." The threat model is not about perfection. It doesn't need to be exact; by definition we're dealing with abstractions, so they're not exact. What's important is that it is useful, it is useful to find and identify those security issues, right? It's fine that it's wrong as long as it is useful to us to find issues that we need to fix. With that in mind, I want to present a very wrong model, a model that is not comprehensive, not complete; it's not any kind of formal model, but it might be useful for us to help to think about how to deal with these threats that might be on a community.

First thing we need to ask ourselves: what actually is a community? We need to model the system we're working on before we model the threats. Well, the easy flippant answer is that community is a jungle. It's pretty fitting here, but truthfully, you know, it's a great theme for a conference, it's not really the way you want to live your lives. You'd rather live in a more rule-based society where people respect the rules and are safe. And you know, you can address lots of different forms of communities, but most pretty much fit into these principles. Number one, the reason you're joining a community, a community is to help each other. That's why you're here, right? You're here to help each other do the thing, whatever that thing is; right here the thing is to learn security, to do security better, right? Every community will have different rules, but every community has rules, and everyone is expected to comply with them, to follow those rules. And in every community everybody contributes in some form, in some manner. And it's very important that all members of the community are important; if you have members that are not important, they're not really part of the community, or maybe they're part of a parallel community, because I mean, that's really the point of the community. We're here to help each other; that's the point of it.

But if we're modeling a community as a complex system, that really means that we need to attend to people as if they are components of that complex system. And like any complex system, some components go rogue, some components don't follow the rules, some components are not supportive of the community goals. In security we like to talk about insider threats being a pretty big issue; we need to talk about community insider threats as well. Now obviously for modeling a community a data flow diagram is not what really fits here, it doesn't work. We might want something more like a Wardley map, a really interesting structure that helps you focus on the value flow between the components of the system, focusing on who contributes, who are the leaders, who actually benefits from the different activities and the different contributions of the community, and all the different levels of the flows of power dynamics between the different parts of the community, between the different groups, between the in crowds and the out crowds and so on.

All right, now based on that we can now have this amorphous idea of a community and start thinking about what kind of threats we may find. And you know, I do want to say, you know, we're talking about real life actual physical threats, so if you're feeling uncomfortable by anything I say, you know, if you feel like you need to step out, that's fine, I
promise I won't be insulted, and I apologize for making you feel uncomfortable, but that's fine.

That said, let's talk about spoofing threats. Spoofing is all about attacks on identity; that's literally what spoofing is. And there are all kinds of these kinds of threats in a community, and these are just examples. This is not a comprehensive model in any way, just examples of how to think about what we should be looking for. The first example is pretending to be an expert on something. You know what, I'm not an expert on this; this is definitely not my field. There are people who are experts on social threats, but I'm learning, I want to share that. But there are people who get up and tell you they're experts, and you know, they claim to have certifications, and yet they have roles, I mean, how many directors of 8200 were there in the past year? We all know people like that, that pretend they're experts on things and they're really not. Another form of attack on identity, on other people's identity, is misgendering, right, not being respectful of their identity, or deadnaming, when you use a person's pre-transition name. That's not respectful, it's very harmful, makes people feel attacked. Another form of spoofing: putting your name on somebody else's work, or claiming their ideas are yours, changing their identity. And then there's this whole idea of, you know, the good guy who's up there, pretending to be the good guy, who thinks they are the good guy, and you get to things like the Innocent Lives project, which was a group dedicated to helping and preventing child abuse that was actually run by an abuser, which leads to a whole, you know, grooming conversation: pretend to be somebody good. And it's gotten to the point where somebody told me, you know, any middle-aged white guy that wants to talk publicly about these topics is probably a yellow flag right there. And you know, I can't blame them for saying that.

But let's talk about tampering, let's talk about tampering threats. And again, it's all about attacks on integrity, and there's a lot of different ways to look at what integrity means for a community, for, you know, a real life social environment. One way to look at it, and this is something that I have done in the past, is my mistake, mea culpa: if you include somebody who produces software weapons and sells them to dictators who chase down and murder their citizens, and you introduce that person as a speaker at your conference, at your event, and again this is something kind of a slow-moving mistake that I kind of, my fault, and I couldn't stop it once it got started, it harms the integrity of that event, and it did, it harms the integrity of that organization long term, and it does, and this harms the integrity. Another way of looking at it: integrity of truth, misinformation, right, or deepfakes, right, those fake videos that make it look like I'm saying something, or make it look like Obama's saying something that he didn't, right? It's all about the integrity of the data. And then there's, man, this new thing called mansplaining. Do you all know what mansplaining is? Mansplaining is when a man condescendingly interrupts a woman to explain to her what she's already saying. I like to think of this as conversational man in the middle.

Repudiation is about claiming something that didn't happen; it might be you didn't do something, or something that did happen, claiming you didn't, like, you know, Holocaust denial, right, being able to prove it. And in our context we might be talking about things like gaslighting: make a person doubt what they perceive as reality, make them feel crazy, right? Or, you know, making sexualized jokes at the expense of somebody else and saying "no, I didn't mean it, it was just a joke, she can't take a joke, girl's crazy," plausible deniability. And it's also about doubting somebody else's experiences. Somebody comes to you and says something happened, you say "well, where's the proof?" You don't need proof; the proof is in their experience. You don't need to pretend that it didn't happen; that's not cool. And then there's this story about this beautifully disgusting term that I just heard, that I learned recently, called DARVO, which is actually a common tactic used by abusers, that if they get called out for misbehavior they go on the offense: they deny it ever happened, they go on the offense, they attack the person complaining against them, and they pretend that they're the victim and the person complaining is actually the one that's abusing them, instead of the other way around. Again you're repudiating the truth, you're creating what actually happened.

Information disclosure, this is something that we're familiar with, right, any kind of secrecy, confidentiality; we're familiar with that. In our context we'll be talking about things like outing: outing somebody that is gay, outing somebody that is trans, outing somebody in all kinds of ways. Or we can talk about doxing, leaking your personal information on the internet, right? I don't want people knowing where I live and following me home, stealing food from my tree, leading to stalking, right, or obviously much worse than that. We could also talk about sharing non-consensual photos, for example. It might be if I took a picture of everybody in the crowd that didn't want to be posted online, or, much worse, sometimes there's intimate photos that you may have shared with your ex-partner, and after breaking up they post it online, sometimes known as revenge porn. Very unpleasant, causes a lot of damage
to the community.

Denial of service is all about attacking access: preventing access to the community, preventing access to opportunities. And it might be something simple, like saying, you know, very explicitly, "we don't allow gingers in here," sorry, Jesse. But it might be something a lot less explicit, like saying "everybody's welcome here and we have shirts for everybody," as long as you have a normative male body, right? It might be something a little bit more subtle like that. And then there's gatekeeping, and saying, you know, "I don't mind having women speaking at the conference, but she has to prove that she's really good, I don't want the quality to go down," like, I have to prove it, prove it to me that you really know what you're saying, right? Which is similar to any kind of discrimination, right, having different rules for different people based on whatever quality it is. And then there's a distributed flavor of DoS as well. Microaggressions are just a constant stream of tiny pinpricks, and much like a network-based DDoS, you can handle one packet, you can handle 100 packets; if you start having to deal with 10,000 packets every second, your system is going to get overwhelmed. If you have to deal with all these tiny pinpricks, which might be just a stupid comment, which is not a big deal in isolation, but if you have to deal with hundreds of these every day, or thousands of these every day, every day, every day, it starts to wear down and takes an emotional toll, and these people can no longer be contributing as fully to the community because they're simply overwhelmed.

Finally, we need to talk about elevation of privilege, and elevation of privilege is about consent: doing things that shouldn't be done. It might be simple things like harassment, obviously, or any kind of physical contact that is not wanted, especially after they said over and over again, you know, "don't touch me, no more." And then we can talk about violence and all other forms of assault, and to be honest, I don't feel like I can actually talk about this in this context without completely trivializing victims of assault, and that's just not okay, so I'm not going to do this. I'm going to leave this as a thought exercise, and it's worth thinking about in this context, in this frame of looking for these issues. But we could also think about any kinds of abusive power, use of privilege, because there's always going to be people that have power in the community; there are flows of power, there are different contexts where you might have power over other people. You abuse that, that's not cool. But then we can talk about patterns of abuse, right, because if somebody has done something wrong three or four times, odds are they did it 30 or 40 times. And, you know, we might be able to run YARA rules to be able to identify network patterns, but here we have to know what to look for. And if they've done it 30 or 40 times, if they got away with it for 30 times, they're doing something bad, they're probably going to be getting worse and getting away with a lot more, especially when they have people backing them up and saying "no, they didn't do anything bad, it's fine, leave them alone, it's not their fault." As I said, this is a completely wrong, incomplete model, but I think it might be
useful for thinking about these threats in this context and understanding how these things actually affect the people, the members of the community, and the community as a whole.

Now, it wouldn't be a threat modeling talk if we didn't talk about countermeasures. We have to talk about countermeasures as part of threat modeling. So I can talk about preventive controls. Number one, just simply banning people that, you know, have abused in the past. Somebody has this pattern of abusing 30, 40, 50 times, don't let them be part of the community, don't let them continue to attend events. There are activities that never end well, right: you're gonna have an open bar, everybody's getting stinking drunk all night long, at some point it's not gonna end well; trying to have some kind of meetup in a strip joint, that's not gonna end well for anybody, that's not gonna be comfortable for anybody. Simply don't have these. And with just a little bit of compassion and empathy, we can realize that supporting mental health goes a long way; we may even be able to prevent some of these issues at the root cause.

We could also talk about detective controls. Situational awareness, always a good thing: being aware what's going on around you, paying attention. If you see somebody that is visibly uncomfortable from somebody else, you should notice that and handle it in whatever way. And to do that you need to really have, every event needs to have the volunteers running it, the organizers, that are the kind of people that other people feel comfortable coming to and telling them what happened.

We could also talk about administrative controls, things like a code of conduct, which Karen talked about; we have a great code of conduct here. Having explicit process and policies, explicitly following the incident handler playbooks if something bad does happen, and being able to actually comply with the results of that playbook, stick to the results of those decisions.

There's also what I would like to call strategic controls, or environmental controls, and this is something like having a diverse community. Having a diverse community can help battle that environment where people feel free to perform those threats; it's kind of a herd immunity, to some extent. Not having a diverse community, or not having diversity in your company, actually harms everybody, even the people that are not explicitly excluded; everybody else suffers from not having that diversity. But if you can build up that community, if you can build up a community situated around those shared values, and shared values might be something like everybody's a noob, right, everybody's learning, everybody shares, everybody learns, women should be safe, everybody should be safe; if you know these are the values of the community, then that helps create that environment that prevents those threats being manifest, and enforce those cultural norms. If this is the way that we do things, then people feel more comfortable, and if you can build up these bonds between the community, people have that built-up level of trust, and that's really what threat modeling is about: finding those connections, those levels of trust. We don't want a zero trust community; we want to build that up, right, and that helps prevent it.

Now all these different controls, preventive, detective, administrative, strategic, actually all rely on one other, what I would call like an uber control, kind of the blue team of community, and that's allies. Allies are underlying everything else, and allies are what drives all the other controls. Now I'm not here to give an ode to allies, and yes, allies are super important; if you're not trying to be an ally you might be part of the problem, right? I'm not here to sing praises to allies, though; I'm here to make demands. Because if you want to try to be an ally, the number one thing that is most important, and this is not me being a brilliant person, this is just what I've heard from everybody else, the number one most important thing for allies to do is to listen: to listen to those who are marginalized, to listen to those who might be abused in some way, to listen to survivors of those attacks. The second most important thing for allies to do is to speak up. You hear something going on, something's not right, you speak up, you get up in the face, you stop whatever bad from happening. So if you ask me, you know, why is Avi speaking here, this is why. Allies need to step up and help, not just listen to the marginalized but help everybody else hear them as well. And you know, everybody has some form of social power, social capital, some privilege, some earned authority; allies will consistently and effectively use the power and privilege and authority that they have for the common good, for everyone else. In some ways you work in public to make
that change happen, so I'm good here, but you don't have to be on stage talking for far too long like, well, you know, change can happen quietly as well. Allies insist that proper security controls are in place, and they drive to make sure that they're effective: code of conduct, don't join an event without a code of conduct; having diversity, equity, inclusion policies, driving more and more diversity throughout, and all these other things that we talked about. It's allies that can drive us, because the people that are marginalized, the people that are most affected by not having this in place, are not the ones that should be responsible for making a safe environment. They already have enough to deal with; they probably don't have the power to make it happen anyway. Allies do. And allies don't do this to get a cookie, right, "I did something good, I want a treat," no, not to get recognition or attention or being on stage or whatever. Allies do this because it's what's right, because it's what is fair: until all of us are free, no one is free. And when it happens, you know, "we don't want to have an uncomfortable conversation," or, you know, "the speaker is saying harmful stuff, I don't want to drag him off stage in the middle": absolutely, if I'm saying something harmful, drag me off stage before it continues to harm other people. Focus on harm reduction. The most important thing is safety of everybody else, including if there's a speaker that's causing harm, you get rid of them; if there's a known abuser in the community, you get rid of them. And if you think it's not possible, Stanford actually did a study a couple years ago of online communities, and they found that one percent of online communities are responsible for three quarters, 75%, of all issues, of all conflicts. So it's not just the right thing to do, it's also kind of a good idea.

Being an ally is not one and done; you're never a complete ally. Constantly learning, you're responsible to get better. Teach yourself, teach yourself, teach yourself, and help each other get better, help other allies with compassion: you make a mistake, you get better. Allies know when to show up, whatever is needed, know when to shut up, let other voices be heard, and I'm not listening to my own advice because I'm told to get off the stage, one more minute. Sometimes you're not invited to the party, and that's okay. Allyship has to be intersectional, and by that I mean it cannot be conditional. Here in Israel we most often talk about needing more women on stage, but it's not just having more women; it's not just about gender, it's about gender representation, sexual preferences, race, and a lot of religion, and a lot of other factors. Now this is not like, um, you know, a hierarchy of who gets the most discrimination points; now, it's an interlaced matrix of disadvantage, and we all have some power. We can all step up and realize that you can't support one without supporting all the others; support everybody, whoever they are, and realize that there are different factors here. For example, I'm sure most people know that women on average, statistically, will earn 80 percent of what a typical man with the same role and the same background will earn; in the United States a black woman will earn 60, 62 cents on the dollar. So it's a combination of both the racism and the sexism and all these other things coming together.

Another thing: allies do get tired, allies make mistakes. I made mistakes, hell, I definitely made my share of mistakes, I made his share of mistakes as well, plenty of mistakes. What we don't do is start complaining. Somebody calls us out for making a mistake, we accept it, we apologize, we move on; hopefully apologies will be accepted and we try better.

Now, a few seconds. Because I usually leave people with takeaways, but instead I want to leave three calls to action. Number one: threat model everything. We do security; threat modeling is how we do security, right? Do it, it's part of the job, that's how we do it. Number two: we want to build a community, it has to be a secure community, and that includes safety and all the other things. Hopefully I gave you a model that will help you think about these different things and understand how to make them better. And finally, if you feel like you already are an ally because you really care deeply about these things, I say great. My call to you is to stop caring and get up and start doing, or do more of whatever you're doing. Thank you very much.
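The element-by-element STRIDE walk over a data flow diagram that the talk describes (one DFD element at a time, one STRIDE letter at a time, asking a focused "what would happen if" question for each pair) is shown below as an added example. This is not code from the talk or the speaker: the toy DFD (a conference sign-up form crossing two trust boundaries) and the question wording are constructed for illustration, and the table of which letters apply to which element kind is the standard STRIDE-per-element chart from Shostack's threat modeling book, used here as a brainstorming prompt rather than a classification rule, as the talk insists.

```python
"""STRIDE-per-element walk over a small data flow diagram (DFD).

Added example, not code from the talk. The DFD below is a constructed
toy system (a conference sign-up form); the applicability table is the
standard STRIDE-per-element chart from Microsoft / Shostack's book.
"""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing (identity)",
    "T": "Tampering (integrity)",
    "R": "Repudiation (proof of action)",
    "I": "Information disclosure (confidentiality)",
    "D": "Denial of service (availability)",
    "E": "Elevation of privilege (authorization)",
}

# Which STRIDE letters the classic per-element chart attaches to each
# DFD element kind. Assumption: used only to decide which questions to
# ask, never to file a found concern into a bucket.
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}

# Constructed focused questions, in the talk's "what would happen if" spirit.
QUESTIONS = {
    "S": "Can someone pretend to be {name}, or pretend to {name} to be someone else?",
    "T": "Can data held or carried by {name} be modified without detection?",
    "R": "If an action involving {name} is disputed, what evidence proves it happened?",
    "I": "What would leak if {name} were read by the wrong party?",
    "D": "What stops working for users if {name} is unavailable or flooded?",
    "E": "Can {name} be made to do something its caller is not allowed to do?",
}


@dataclass
class Element:
    name: str
    kind: str                                   # external | process | store | flow
    trust_zones: frozenset = field(default_factory=frozenset)


@dataclass
class Concern:
    element: str
    category: str
    question: str
    crosses_boundary: bool


def enumerate_concerns(elements):
    """Walk every element, one STRIDE letter at a time, and emit the focused
    question for each applicable (element, category) pair."""
    concerns = []
    for el in elements:
        crosses = len(el.trust_zones) > 1       # a flow spanning two zones
        for letter in APPLICABLE[el.kind]:
            concerns.append(Concern(
                element=el.name,
                category=STRIDE[letter],
                question=QUESTIONS[letter].format(name=el.name),
                crosses_boundary=crosses,
            ))
    return concerns


def boundary_crossing_first(concerns):
    """Order concerns so that flows crossing a trust boundary come first:
    that is where data from a less trusted zone enters the system."""
    return sorted(concerns, key=lambda c: (not c.crosses_boundary, c.element))


# Constructed toy DFD: an attendee submits a sign-up form over the internet,
# a web app in the DMZ validates it and writes it to a database in the data centre.
TOY_DFD = [
    Element("Attendee (browser)", "external", frozenset({"internet"})),
    Element("Sign-up form submission", "flow", frozenset({"internet", "dmz"})),
    Element("Sign-up web app", "process", frozenset({"dmz"})),
    Element("App -> DB write", "flow", frozenset({"dmz", "datacentre"})),
    Element("Attendee database", "store", frozenset({"datacentre"})),
]

if __name__ == "__main__":
    # "*" marks a concern on a flow that crosses a trust boundary.
    for c in boundary_crossing_first(enumerate_concerns(TOY_DFD)):
        flag = "*" if c.crosses_boundary else " "
        print(f"{flag} [{c.category.split()[0]}] {c.element}: {c.question}")
```

Running the script prints 18 questions for the five elements; the six on the two boundary-crossing flows are listed first, since those are the places the talk singles out when it says to look at what crosses trust boundaries. The output is a list of concerns to think about, in the manifesto's sense, not a list of vulnerabilities: each question still has to be answered against the real system.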