Trust Modelling
You shouldn't model the threat; rather, have the highest security baseline you can (including physical, especially that), consensual digital privacy, and pseudonymity for projects that matter.
I always had this feeling that threat modelling is the wrong way to think about security.
I mean, ideally, wouldn't you want to be maximally secure?
The counter-argument, of course, is that we have limited resources: money, time, etc.
But I am gonna make a very big claim: security is cheap. As in, it won't cost you much to set it up, it's just practice, and once setup is done it doesn't need much time, and you would be secured against most vulnerabilities.
By stating that your threat model allows a certain vulnerability to be out of scope of your preparation against an adversary, you lost wayyy before even thinking about starting the fight.
“The supreme art of war is to subdue the enemy without fighting.” - Sun Tzu
Even state actors can't break maths (if they could, I know a lot of people, in a lot of jurisdictions, who would have ended up behind bars).
The worst state actors can do is infiltrate via social/cultural programming/subversion (hence I will have a section on COGSEC in Bible 2025). Also study how the xz backdoor played out.
Today I propose to you a different approach to security, one which I don't think anyone on the interwebz has codified, but which is very intuitive to us physically and somewhat less so digitally, much like how privacy is intuitive to most people when they buy curtains for their windows but not when they post on Insta or sell their DNA sequence to a bankrupt organisation.
Trust is something we all understand. It is ingrained in a personality whose complexities you don't fully know, but after certain encounters with said personality you develop almost an instinct to judge it, and hence decide to trust it somewhere on a spectrum.
Physically we always do this intuitively, slowly allowing a stranger into our lives until we know how trustworthy the individual is. We don't share everything with everyone all at once; the same should be applied to everything digital: trust should be given in layers.
Services and products have a personality, brands have a personality, heck, even the substances that we use and abuse have personalities.
Threat modelling is a waste of time; most security is free because code is free speech, and we all have the right to say anything we like once we have adequate security.
Refutation of the Counterproductive Argument
The argument goes something like this: “If you don’t even know what you’re defending against, then you’re liable to do things that are useless or even counterproductive.”
For the time being, I can only say this:
Having a maximal security baseline isn't counterproductive.
Usability
Is maximum privacy Tails OS?
Not really.
A MacBook (M series) with Obscura is maximum usability plus more or less the same privacy.
Opsec & CogSec
Cognitive security is your habits and behavioural conduct in your immediate physical and digital environments.
The Action Plan