On Techlore, the materials go with a threat model of primarily protection from the general public and corporations, while serving as a prelude to protection from (theoretical) targeted, non-state, specialized adversaries.
And for like 95% of the general population, the foundational threat model Techlore goes with is solid and sound. I’d go and say, at times, what Techlore presents is easier than mitigation strategies over Big Tech. Like, it’s easier to switch to Brave of Firefox than to figure out how to mitigate Chrome’s issues. (Is the latter possible to what extent?)
That being said, I was reading the New Oil and Cupwire and they mentioned a threat model about protecting information from agencies and governments. I was also reading a few pages of the Hitchhiker’s Guide to Anonymity. On one of the first pages, the Anonymity guide made this comment about a highly skilled and motivated adversary with virtually unlimited resources (like the FSB and Mossad) with this:
“Of course, there are also advanced ways to mitigate attacks against such advanced and skilled adversaries but those are just out of the scope of this guide. It is crucially important that you understand the limits of the threat model of this guide. And therefore, this guide will not double in size to help with those advanced mitigations as this is just too complex and will require an exceedingly high knowledge and skill level that is not expected from the targeted audience of this guide.”
This piqued my curiosity, even though the chance I’ll ever have a threat model this severe is remote.
Who would have a threat model against an adversary like Mossad and what do they usually do? And are there guides or experts who actually have sufficient knowledge on a threat model where a powerful state actor is the adversary? Where can I find information about the complicated strategies the Anonymity guide briefly mentioned but glossed over?
It’s a great question, but the reality is very few people are experienced enough to even give advice here. (myself included) Some thoughts about these situations:
Generally, the pattern of these situations is people tend to be ‘important enough’ where they naturally receive aid. Snowden, for example, did a lot of extreme things to protect himself - but he wasn’t perfect, and I don’t think he would’ve made it through his journey without the external help of Assange and other governments who assisted him. Many people in these positions are whistleblowers or enemies of their own state, which generally make them allies of another foreign power or supporting entity that’s willing to help.
This may seem like an unrelated example, but Dr. Grigory Rodchenkov was a Russian whistleblower who came forward and publicized the Russian athlete doping scandal. When he was in Russia, he was fighting to protect his life, but once he came to the US, he immediately was put into a witness protection program. As far as everything I’m reading is telling me, he’s still living under this program to this day. He’s completely dependent on the state to protect him, as well as many people in his situation.
I don’t want to sound grim, but frankly - even the most extreme advice you ever implement will at best slightly delay things against a state actor, The goal in these situations is to leave the country, and seek aid from external parties - as they’re the only people realistically capable of battling off another state actor.
The threat model in these situations is not things like “I don’t want Google tracking me” - it’s quite literally survival. These are individuals fighting for their lives - as the consequences are either death, torture, or life in prison.
Hi Henry, thanks for your reply! I think I better understand an answer.
The question also came up when I have been listening to Michael Bazzell’s Privacy, Security, and OSINT Podcast and picked up a cue that the adversary Bazzell and his team primarily centers on are targeted attacks. and OSINT. I don’t remember when Bazzell ever said his services will protect against state actors, and there was a possible tie with this in the 280th episode where they had to redact some topics after attorney review. Or some of the nuances of the anonymous LLC (anonymous from whom I want to be anonymous from?).
To continue on from the conversation, I would like to ask this: what makes state actors night and day stronger than a company like Google? If I have to guess, it has to be even Big Tech are finite in their resources and there are laws that forbid them from doing things only governments can do. But state actors can get resources far more than just taxes…
For some reason, I think your video about threat modeling where you thought about your needs and situation and switched to stock Android may provide some cues, but I can’t figure them out.
And another question: where can I more read about state actors? This is really interesting to someone studying international relations at college.
I’ve only taken one course that touches on these ultra-high threat models. (link below)
It’s actually 4 courses and the instructor occasionally talks about applications for intelligence agencies that he consults for. It’s a very comprehensive course but I think you’ll find it interesting.
Just to be clear, the nation-state threat level is not the focus of the course. There just happens to be some good information included that would address your personal interest.
I agree with Henry. These threat models and mitigations are basically designed to keep you alive long enough to complete your goal and run for the hills. It’s just a matter of time.
It’s hilarious you ask this, because in my original response, I had an entire paragraph talking about how Google/Apple can be your best friends in these situations - but I omitted it before publishing.
Assuming the country you’re trying to hide from is not the US, nor a country that has a close relationship with the US - Google & Apple both have safe-guards in place to protect people in these dangerous positions, particularly Google. Day-to-day, I find the concept of a company like Google being able to compete & thwart state actors a scary one, but in this situation, they become your best friend. Google has actively prevented, warned, and protected politicians and other targeted users from state attacks - assuming the attackers were not American
Many journalists & people in high-risk situations seem to opt for Chromebooks, iPads, & iPhones - and this is all likely a good reason for it. Their threat model calls for security from some of the most powerful people in the world, not avoiding data collection.
Just to add onto this. If you can, check where the company hosts the date collected. For example, Apple has data centers in China, for their Chinese users. I don’t see much protection there. You can see where Google hosts their data centers, here. Apple does not publicly mention what data centers they have, and where. However third parties have tried to keep track of what they have. You can see one such list, here on dgtlinfra.
Who would have a threat model against an adversary like Mossad and what do they usually do?
Political dissidents, BDS, National Socialists, Taliban, Rebels.
Usually they don’t do anything, and then they get taken to the gulag. Or they start an actual war and kill and die.
And are there guides or experts who actually have sufficient knowledge on a threat model where a powerful state actor is the adversary?
There are experts. I don’t know of any good guides. Fundamentally if you’re going to try and hide from the big boys you have to really change the way you’re using tech, not just use tech a different way. Things like you can’t use banks, you can’t let people scan your ID (e.g. buying alcohol), you can’t fill out a W2, you can’t carry a cell phone, etc. Its not an easy task by any means, and making a “guide” isn’t going to be an easy task either.
I think if you’re really trying to hide from the Mossad / the NSA its because you’re at a stage where you’re basically waging a small scale war with them. The mindset changes from “how do I keep myself safe” to “how do I keep myself alive while I wage my war against a corrupt government regime”. What that means is that risks really become a way of life. A lot of the advice for a person in that situation might actually be illegal, so it would be very hard to find a guide for.
The Chromebook usage is so relatable. I work in a financial services company and I use a Chromebook just for that for the purpose of wanting to protect the assets I am working with against targeted attacks.
I haven’t had a personal Google account for a few years now. Just a Google account for something specific.
There is something really valuable that privacy really benefits from prevention and self-control.
The stock Android video is one of the most interesting videos out there, speaking miles about the importance of threat modeling (and learning to understand POVs). Look forward to a possible Section 8 of Go Incognito that goes into (possible) protections against targeted attacks, which I think would be particularly applicable to those in sensitive industries, like finance.