Threat level marker for each software

What do the PT mods think about adding some kind of marker that states which software is more recommended to a specific threat level? This could also help to create more formal distinctions between each threat level and to make new users understand about these concepts while they learn.

For example, there could be something like a rectangle which shows green, yellow/orange and red and is marked orange and red for Tor browser, yellow/orange for FF, green for Brave, etc.

I’ve seen certain people complaining about Signal being on PT’s recommendations, and I think it’s not the best app in the world but for someone who just wants to change their regular Google product I don’t see why this would be wrong. Or maybe someone new thinks “So do I have to start using Tor as my main browser to be private?” when it’s not the case.

Let me know what you think!

How do you define threat levels?

One of the points of this is to define threat levels better, although they are pretty subjective I think we could create a basic definition to identify groups of people with different needs. A marker with colours is obviously a very simplistic division of how you could apply some protection to your data but it’s not the idea to create an objective classification, just make easier for people to choose a software based on what they want to protect.

I think one way we could define this is basic/intermediate/high, or something like that, with two colours in the middle to apply to something that could be used for both basic and high.
For example, basic would be for someone who is beginning to be a more privacy-conscious person and wants to transition from Google products to something less damaging. Signal, and Jami instead of Whatsapp, Brave instead of Chrome, Ubuntu instead of Windows.
For intermediate level Jami and Silence instead of Whatsapp, Firefox with uBlock (without advanced user activated), Debian insted of Windows.
For a high threat level, Briar and Silence instead of Whatspapp, Firefox with hard tweaks, uMatrix and uBlock and Tor, Tails instead of Windows.

These are examples and of course maybe some software that I mentioned maybe should fit in another category, but I think we can more or less categorize them. I’m just trying to provide some foundation to see if this is viable.

This is a perfect example of what I mean.

And hell, you even did something similar here.

For Power Users Only
These addons require quite a lot of interaction from the user. Some sites will not work properly until you have configured the add-ons.

This looks more like distinguishing between “normal” users and “advanced” users, not directly connected to threat modeling.

The issue here is that non-technical people are overwhelmed by reading (technical) recommendations. They often don’t understand why something was recommended in the first place, and then they try to stick with recommendations if they think that the recommending party is somewhat reliable.

However, some privacy-/security-focused websites list contradictory recommendations. For instance, one blog tells users to stay away from DuckDuckGo. The blogger wrote DDG is bad since it is based on Amazon AWS and AWS is a service provider for the American CIA. On the same webpage, the same blogger recommends Signal, which is also based on Amazon AWS. Moreover, this blogger collects donations via Amazon PartnerNet (based on Amazon AWS), and publicly admits to use Amazon.

In the end, a reader is totally confused. The same happened here: Wire got delisted for being owned by an American holding. Now, some people are confused because PTIO still lists Signal, Keybase, and other services which are also American-based services. There is no “why” included, and there are many myths out there.

We already suggested that recommendations should always tell readers the “why should I use this”, and we will implement this ourselves. However, there are some people saying that threat modeling isn’t something “normal” people should see or do.

So there seems to be no easy solution here. Anyway, we should keep in mind that technology is only one part of information security that needs to be addressed. People also need to address the human factor and implement processes. Installing arbitrary software due to some recommendations doesn’t make someone magically more secure.

So if your threat is US government, you shouldn’t use Signal? But you can use Wire if you are not US resident? Though the safest messenger for you in that case is Briar. Which is Android only - OS made by US company. Good thing is, you can install custom ROM/OS. But SoC is also made by US company, and might have backdoor…

Long story short - don’t make US government your enemy

This wasn’t the point here, but it shows another problem:

Many private users solely consider the US government to be their ultimate “enemy”, and look for technology to protect against it. This ignores the fact that there are hundreds of other government authorities around the globe that can also spy on people, even in countries like Switzerland, Iceland, or Germany. Besides, government authorities have much more rights than criminals when it comes to legally breaking into homes/executing search warrants.

The question is then: Is the US government really your primary “enemy”, and do your (oftentimes purely) technical countermeasures protect against it? Most people don’t know but assume that there is some level of protection. In countries like Russia, China, North Korea etc., people don’t have the ability to choose a wide range of technical countermeasures against their governments.

But what about the “common hacker”, the “curios neighbor”, or a “script kiddie”? Such categories of people can also pose a threat to your security, and it is more realistic that they actually are threats. In most cases, it is more likely that you lose access to your accounts due to a hardware failure or that your data gets leaked due to a publicly-exposed database instead of being “attacked” by the US government.