{
name: Daniel Spilsbury,
title: Product Security Senior Leader, Smart Home Tinkerer and Ibiza dreamer,
post-nominals: BEng (Hons) MSc MBCS MCIIS,
tag: It’s that kick, snare and clap that dictates how we act!
}
I live in an old stone house that was originally built in 1732 as a stable. It was converted to residential in 1978 and actually won awards, although I’m not entirely sure how, having learned about stone house conservation over the past few years.
When we first looked at buying this house, we were acutely aware that we wanted a good survey because of our lack of knowledge of old houses; I work in IT security and, whilst I might be able to teach you how to generate a threat model, I certainly didn’t know a lot about building and conservation (and am still absolutely no expert).
It might be obvious that any LastPass users should want to migrate away from the service given the recent data breach they’ve had, but it’s not that simple, especially when you’re fully in with the service. To put that into context, I’ve been a user for about eight years, fully paid up with an annual plan that I share across the family; we’re all pretty heavy users and I had over 500 passwords stored in the service.
My home is relatively smart in that I run a Home Assistant server with quite a few integrations with lighting, motion sensors, door/window sensors, CCTV, temp/humidity, energy and heating so I figured I’d list out my tech choices and any good/bad points that I’ve found while in use. My tech choices are now pretty stable after a few iterations over a few different types which means I have time to write a blog about it rather than play with Home Assistant all the time!
My previous post looked at producing a C4 model for my (simple) website. This post takes that a step further and looks at how we can use C4 modelling to elicit security and privacy threats using two frameworks:
- STRIDE. Most people know STRIDE; it’s derived from the Microsoft security threat modelling process from the early 2000s and represents Spoofing, Tampering, Repudiation, Information leakage, Denial of service and Elevation of privilege.
- LINDDUN.
This site has been around for a few years now and has changed significantly, mainly from an infrastructure perspective, over that time. That can be done as the site gets very few hits so I can use it to test features and experiment without worrying about outages.
In a work context, I very much promote the use of C4 modelling as a consistent and clear means of expressing a system architecture.