What’s the worst that could happen? · 2020-03-22 · What you don’t know can hurt you. What...
What’s the worst that could happen?
Petra Smith
Aura Information Security
OWASP NZ Day 2020
This talk includes discussion of death, physical violence, torture and abuse that may be distressing or traumatic.
I’m an inoffensive security consultant at Aura Information Security.
I catastrophise for a living.
These are not the views of my employer.
Hi. I’m Petra.
What’s the worst that could happen?
Oh, I didn’t see you there.
Uber’s autonomous vehicle killed Elaine Herzberg.
What’s the worst that could happen?
Mistakes were made.
“If they catch me, they will kill me.”
Jamal Khashoggi to his friend Khaled Saffuri, May 2018
Pegasus gave up Jamal Khashoggi’s location to the men who killed him.
What’s the worst that could happen?
“Why should anyone harm you physically? They try to drown your voice with smear campaigns and put pressure
on your family, but you are under the protection of the United States.”
Nihad Awad to Jamal Khashoggi, September 2018
“I like to be able to read the news and not think somebody’s
holding a gun to a reporter’s head, deciding what he writes”
Former Black Cube contractor Igor Ostrovskiy to reporter and surveillance target Ronan Farrow
“Our technology is not designed or licensed for use against human rights
activists and journalists. We consider any other use of our products than to prevent
serious crime and terrorism a misuse, which is contractually prohibited”
Statement from NSO Group
Twitter engineers used their privileged access to spy on political targets.
What’s the worst that could happen?
Don’t worry, it’s just metadata.
London Metropolitan Police successfully use AI to identify hundreds
of criminals.
What’s the worst that could happen?
London Metropolitan Police “successfully” use
AI to falsely identify hundreds of young black
men as criminals.
What’s the worst that could happen?
“We are using a tried-and-tested technology.”
Statement from London Metropolitan Police
Law enforcement agencies rely on technology that routinely
misidentifies people of colour.
What’s the worst that could happen?
iOS zero-days were exploited in a probable nation-state attack on
China’s Uyghur people.
What’s the worst that could happen?
“we take the safety and security of all users extremely seriously”
Statement from Apple
Don’t worry, it’s anonymised.
Grindr shared users’ HIV status and location data.
What’s the worst that could happen?
Up to 40% of cases of intimate partner abuse involve technology to
stalk, harass or intimidate.
What’s the worst that could happen?
Trolls harassed children by hacking into Ring cameras.
What’s the worst that could happen?
We take your security. Seriously.
79% are concerned over how companies use their data
81% say they don’t have enough control over their data
79% aren't confident companies will admit misuse or breaches
81% say the potential risks outweigh the potential benefits
Source: Americans and Privacy, Pew Research Centre, 2019
What you don’t know can hurt you.
What are you building?
What can go wrong?
What should you do about those things that can go wrong?
Did you do a decent job of analysis?
Source: Adam Shostack, Threat Modeling: Designing for Security
Spoofing – threats against authentication
Tampering – threats against integrity
Repudiation – threats against non-repudiation
Information Disclosure – threats against confidentiality
Denial of Service – threats against availability
Elevation of Privilege – threats against authorisation
Source: Adam Shostack, Threat Modeling: Designing for Security
To protect our app’s users from spoofing attacks, we
• Give them the option to turn on 2FA
• Let them paste into the password box
• Remind them we’ll never ask for their password
• TODO: add “never ask for passwords” to Support’s induction manual
“Now he had learned that a machine simple in its design,
could produce results of infinite complexity.”
Neal Stephenson, Cryptonomicon
Why do bad things still happen?
What are you scared of?
• credit card skimming
• identity theft
• sensitive data exposure
Here’s what I’m scared of
• stalker knowing where to find me
• getting hacked by the scary ex
• outed to an anti-LGBTIA+ government
• denied healthcare by an algorithm
“The future is here – it’s just not very evenly distributed.”
William Gibson
The Washington Post’s owner was blackmailed over photos
extracted from his phone using Pegasus spyware.
He told the blackmailers “no thanks”.
What’s the worst that could happen?
“There are more things in heaven and earth, Horatio,
than are dreamed of in your philosophy.”
William Shakespeare, Hamlet
The problem with threat modeling
• we don’t know what we don’t know
• we don’t recognise our biases
• we don’t recognise biases in technology
“Technology is neither good nor bad; nor is it neutral.”
Melvin Kranzberg’s first law of technology
The problem with threat modeling
• we don’t know what we don’t know
• we don’t recognise our biases
• we don’t recognise biases in technology (especially when they mirror our own)
“The model confuses parenting while poor with poor parenting.”
Virginia Eubanks, Automating Inequality
Algorithms disguise human biases and make them
seem neutral and objective.
“Is it legal” isn’t a good yardstick for morality.
How can we do it better?
• involve people with a diverse range of perspectives
• listen to people with lived experience
Finally, some good news!
A law meant to prevent sex trafficking and exploitation made it harder to prosecute
trafficking and increased harm to survival sex workers.
What’s the worst that could happen?
How can we do it better?
• involve people with a diverse range of perspectives
• listen to people with lived experience
• design for “stress cases” not “edge cases”
Ramona
As a ninja delivery driver who travels between dimensions, I need web apps that are mobile-friendly and work even when data coverage is patchy.
I don’t like having to commit to anything for too long.
I have seven evil exes.
How can we do it better?
• involve people with a diverse range of perspectives
• listen to people with lived experience
• think about “stress cases” not “edge cases”
• be transparent and let people make choices
• accept and listen to feedback
• advocate for positive change
Takeaways
Technology can seriously harm people
Threat modeling can help us build safer software
We need to be more aware of our biases and limitations
thanks to
the team at Aura for the time and support
the OWASP NZ Day organisers and volunteers
and all of you for coming on this adventure