Last month I started writing about a slate I am building. This is the post I promised: the threat model, written down.
(A note for anyone reading the series in order. Since I posted part one, Hedgehog Security has merged with UK Cyber Defence. I am writing this from the same desk, with the same slate-in-progress, under the merged firm. The continuity is real.)
The thing nobody admits about threat models is that almost all of them are bad. They are bad because they are written by people who have to fill in a form, and the form has rows for asset, threat, likelihood, impact, treatment, so the document ends up being a colour-coded table of restatements. Personal data — exposed in breach — likely — major — encryption at rest. Then it is filed. The only people who read it afterwards are the auditors, who file it again.
The fix is to write the threat model in sentences. Not for anyone else. For yourself. To find out what you actually believe before someone makes you defend it.
Here is mine for the slate.
What I am actually protecting against
Five things, in roughly the order I think about them.
Visual profiling and casual observation. I do not want the slate to flag itself as anything in particular when it is on a table in a coffee shop, a meeting room, or an airport gate. Not because I have something to hide, but because interesting equipment attracts interest. A featureless black tablet does not. The first design decisions — matte ASA, no branding, recessed antennas under rubber covers, no LEDs visible from a metre away — all flow from this single requirement.
Opportunistic theft. If the slate is taken from a hotel room or out of a bag at a venue, the contents should not be readable. Full-disk encryption with LUKS2 and Argon2id at a 4 GiB memory cost makes each passphrase guess cost seconds of CPU and 4 GiB of RAM, which puts brute-forcing a decent passphrase out of reach on consumer hardware. It does nothing for a weak passphrase, and the unlock itself needs that much memory free at the moment it runs, including in the initramfs. A planned tamper switch under the lid catch will wipe the LUKS keyslots and then trigger a kernel panic if the lid is removed without the correct keyboard sequence; the order matters, because a panic first would leave the header intact. This is software-side anti-tamper, not magic, and it does not cover a slate snatched while it is running and unlocked, but it is enough that the device returns from a snatch with its data unreadable.
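The setting that matters here is easy to lose: a keyslot added later with `cryptsetup luksAddKey`, without `--pbkdf-memory`, silently gets cryptsetup's 1 GiB default rather than the 4 GiB the first slot was formatted with. The check below is an added example for this post, not the author's tooling. It parses the text `cryptsetup luksDump <device>` prints (the sample is constructed to match the cryptsetup 2.x layout; real output indents fields with tabs, which the parser also accepts) and reports, per keyslot, whether the PBKDF is argon2id at or above the target cost. cryptsetup reports Memory in KiB, and the `Digests:` section also says `pbkdf2`, which is the header checksum rather than a keyslot and must not be counted.

```python
"""Audit a LUKS2 header dump for keyslot PBKDF strength (added example)."""
import re

TARGET_MEMORY_KIB = 4 * 1024 * 1024   # 4 GiB, the cost chosen in the post

# Constructed sample, not a real device: slot 0 was formatted with
# --pbkdf-memory 4194304, slot 1 was added later without it and got the
# 1 GiB default. Salts, UUID and digest values are omitted on purpose.
SAMPLE_DUMP = """\
LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           (omitted)
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
    offset: 16777216 [bytes]
    length: (whole device)
    cipher: aes-xts-plain64
    sector: 512 [bytes]

Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2id
    Time cost:  8
    Memory:     4194304
    Threads:    4
    Salt:       (omitted)
    AF stripes: 4000
    AF hash:    sha256
    Area offset:32768 [bytes]
    Area length:258048 [bytes]
    Digest ID:  0
  1: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2id
    Time cost:  4
    Memory:     1048576
    Threads:    4
    Salt:       (omitted)
    AF stripes: 4000
    AF hash:    sha256
    Area offset:290816 [bytes]
    Area length:258048 [bytes]
    Digest ID:  0
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 123456
    Salt:       (omitted)
    Digest:     (omitted)
"""

SLOT_RE = re.compile(r"^\s+(\d+): (\S+)\s*$")            # "  0: luks2"
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*?)\s*$")  # "    Memory:     4194304"


def parse_keyslots(dump):
    """Return {slot_number: {field: value}} for the Keyslots section only."""
    slots, section, cur = {}, None, None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # top-level line such as "Keyslots:"
            section = line.split(":", 1)[0]
            cur = None
            continue
        if section != "Keyslots":            # skips Data segments, Tokens, Digests
            continue
        m = SLOT_RE.match(line)
        if m:
            cur = int(m.group(1))
            slots[cur] = {"type": m.group(2)}
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            slots[cur][m.group(1)] = m.group(2)
    return slots


def audit_keyslots(dump, target_kib=TARGET_MEMORY_KIB):
    """Map slot number -> 'ok' or a one-line finding."""
    findings = {}
    for n, slot in parse_keyslots(dump).items():
        pbkdf = slot.get("PBKDF", "unknown")
        if pbkdf != "argon2id":
            findings[n] = f"PBKDF is {pbkdf}, not argon2id"
            continue
        memory_kib = int(slot.get("Memory", "0"))
        if memory_kib < target_kib:
            findings[n] = (f"argon2id memory {memory_kib // 1024} MiB is below "
                           f"the {target_kib // 1024} MiB target")
        else:
            findings[n] = "ok"
    return findings


if __name__ == "__main__":
    for n, verdict in sorted(audit_keyslots(SAMPLE_DUMP).items()):
        print(f"keyslot {n}: {verdict}")
```

Run it against real output with `cryptsetup luksDump /dev/X | python3 audit.py` after swapping the sample for `sys.stdin.read()`. A passphrase slot that comes back below target can be re-derived in place with `cryptsetup luksConvertKey --key-slot N --pbkdf argon2id --pbkdf-memory 4194304 /dev/X`. The cost only matters for slots a human passphrase opens; a clevis-bound slot holds a random key that clevis generated, so a lower cost on that slot is not the weak point.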
Border crossings. I travel for work. Section 49 of the UK's Regulation of Investigatory Powers Act 2000 allows a notice to be served, with the appropriate permission (usually a judge's), requiring disclosure of a key or of the protected material in intelligible form. I am not pretending I can fight that. What I can do is arrange that, on the day, I do not have the key. The LUKS2 header has two keyslots: one opened by a passphrase I know, and one bound with clevis to a tang instance on a small USB-C key fob, so that slot opens only while the fob is present. The fob travels separately from the slate when the situation suggests it should. I can decline to decrypt because the credential is not in the country.
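What makes the fob split work is the exchange clevis's tang pin runs, the McCallum-Relyea protocol. Below is an added illustration of it for this post and for the scope note later that the split is not a refusal of due process; it is not clevis or tang code. It shows what the slate actually stores after binding (a blinded point C and tang's public key S, neither of which yields the wrapping key), why recovery needs the fob's private scalar, and why the fob never learns the key either. Assumptions: secp256k1 affine arithmetic in pure Python for brevity, where tang uses NIST P-521 by default wrapped in JOSE, and SHA-256 of the shared point's x-coordinate standing in for the real key derivation.

```python
"""McCallum-Relyea exchange as used by clevis/tang (added illustration)."""
import hashlib
import secrets

# secp256k1 domain parameters (used here for brevity; tang defaults to P-521).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def add(p1, p2):
    """Group law on y^2 = x^3 + 7 over GF(P); a = 0, so no a term in the tangent."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def rand_scalar():
    return secrets.randbelow(N - 1) + 1


def kdf(pt):
    """Stand-in for the real derivation: hash the shared point's x-coordinate."""
    return hashlib.sha256(pt[0].to_bytes(32, "big")).digest()


class Tang:
    """The fob side: one long-term private scalar s that never leaves it."""

    def __init__(self):
        self._s = rand_scalar()
        self.public = mul(self._s, G)      # S = s*G, advertised to clients

    def recover(self, x_point):
        """Tang's only operation: multiply whatever it is sent by s."""
        return mul(self._s, x_point)


def bind(tang_public):
    """Run once, at clevis luks bind time.

    Returns the token the slate keeps (C = c*G and S) and the wrapping key K.
    K wraps the keyslot key; K and c are then discarded, so the slate alone
    holds nothing from which K can be recomputed.
    """
    c = rand_scalar()
    token = {"C": mul(c, G), "S": tang_public}
    key = kdf(mul(c, tang_public))         # K = c*S = c*s*G
    return token, key


def recover(token, tang_recover):
    """Run at every unlock. A fresh e blinds C, so tang sees a different
    point each time and cannot separate C, let alone K, from what it is sent."""
    e = rand_scalar()
    x_point = add(token["C"], mul(e, G))           # X = C + e*G, sent to tang
    y_point = tang_recover(x_point)                # Y = s*X = s*C + s*e*G
    k_point = add(y_point, neg(mul(e, token["S"])))  # Y - e*S = s*C = K
    return kdf(k_point)


def demo():
    """Bind against one fob, then recover with it and with a stranger's fob."""
    fob, stranger = Tang(), Tang()
    token, k_bind = bind(fob.public)
    return {
        "with_fob": recover(token, fob.recover) == k_bind,
        "with_other_fob": recover(token, stranger.recover) == k_bind,
    }


if __name__ == "__main__":
    print(demo())   # {'with_fob': True, 'with_other_fob': False}
```

The point for the border case: after `bind`, the slate's header holds the token and the wrapped keyslot key, and the fob holds s. Neither half produces K on its own, and handing over the slate hands over nothing that does.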
Conference Wi-Fi and hostile networks. When the slate connects to a network I do not own, I assume the network is hostile. ufw default-deny inbound on every interface. USBGuard default-deny on the front-panel USB-C ports once the desktop is up. SSH off by default. No mDNS. No Bluetooth pairing modes left open. The local control panel listens only on 127.0.0.1 behind mTLS: it presents a self-signed server certificate and requires a client certificate that only my own browser carries. The loopback bind keeps the panel off the network; the client certificate requirement is what keeps other local processes out of it. The slate exposes nothing to a network I do not trust.
Self-jamming and accidental transmission. HackRF One is a transmitter as well as a receiver. Transmitting without a licence, outside the licence-exempt bands and the conditions attached to them, is an offence in the UK under section 8 of the Wireless Telegraphy Act 2006. The systemd target for the HackRF holds transmit-disable until I switch to a TX-capable mode through the panel and confirm with a typed phrase. Wi-Fi monitor mode and packet injection through the Alfa adapter are gated the same way. A gate like this only holds if it is the sole route to the hardware: a process with raw USB access to the HackRF can transmit whatever the systemd target believes, so the device node has to be reachable only through the gated service. The point is not that I cannot transmit. The point is that I cannot transmit by accident, and I cannot transmit because a script somewhere thought it would be helpful.
What I am explicitly not protecting against
This is the harder list, and the more important one.
A targeted nation-state adversary with prior access to my supply chain. If a state-aligned actor decided to put effort into me specifically and had a year to do it, they would succeed. The slate does not raise the cost of that attack to the point of futility; nothing I can build would. Pretending otherwise would push me into security theatre that compromises usability without buying anything real. I am protecting against the opportunistic and the broad-net, not the bespoke.
Compelled disclosure in a jurisdiction where I am detained. If a court I am physically subject to orders me to decrypt and the key is reachable, I will decrypt. The clevis/tang split is for situations where the key is physically elsewhere; it is not a refusal of due process.
Coercion against me personally. If someone is in a position to coerce me, the slate is the wrong layer of the problem. Personal safety is not a hardware question.
Network-level attribution against my service provider. I use a normal UK ISP and a normal UK mobile carrier. They know which sites I visit and when. Building a portable computer does not change that. Tor is installed for situations where it is appropriate; it is not the default.
My own future stupidity. The slate cannot save me from the moment I decide it would be fine to plug the USB stick a friendly stranger handed me into the front-panel port "just to look at the photos". USBGuard blocks the stick until I explicitly allow it, which makes that mistake survivable but not impossible. The threat model assumes I am a fallible operator, because I am.
What writing it down changed
Three things, in increasing order of usefulness.
The list of things I am not protecting against turned out to be longer than the list of things I am. That is correct, and worth admitting. A threat model that pretends to cover everything covers nothing.
Several design decisions that had felt arbitrary made sense once I had to justify them in sentences. The clevis/tang fob was not invented during this exercise; it was always there. Putting RIPA section 49 in the legal section of the design doc forced me to ask "what do I want to be true on the day this matters?", and the answer reshaped the boot sequence.
The discipline transfers. Last week I sat in a board meeting where someone asked the CISO what the firm was protecting against. The CISO had a framework slide. I noticed myself wanting the version where someone had written it in sentences and admitted what was out of scope.
What is next
Post three is the supply chain — where I have decided to trust, where I have decided not to, and why I am ending up drawing a circuit board myself instead of buying one.
The slate itself is the prop. The argument is the thing.