Shostack + Friends Blog


Threat Modeling Thursday: Thanksgiving

What can we learn from Gunnar Peterson’s Threat Model for Thanksgiving? a threat graph for Thanksgiving

Sunil Yu updated Gunnar Peterson’s “Thanksgiving Threat Model” and on Linkedin, I posted that this threat model fails to consider important elements of what can go wrong:

  • Insufficient hygiene in the kitchen
  • Spills from your turkey fryer
  • Overly pedantic threat modeling experts getting judgy with it

And as I thought about it, I decided I wasn’t judgy enough! But more seriously, I decided to revive Threat Model Thursday and talk about this. Especially on Thanksgiving, my goal is not to start a fight, but to be thankful for their work, and constructively ask “what can we learn from it?” I think the answer is quite a bit, and I hope that this doesn’t ruin anyone’s fun.

The first question we ask in threat modeling is “what are we working on?” The question helps us scope and ensure we have good coverage, and we usually have a diagram and the The model is labeled “Thanksgiving,” and it maybe doesn’t even include gravy and mashed potatoes. It does include “inadequate side dishes,” but it’s not clear what adequate or inadequate means to the creators.

It also doesn’t include travel chaos. Should it? We use diagrams to help us paint a picture.

Thanksgiving Threat Model

This model seems more like a flowchat, and it works surprisingly well to integrate a set of use cases and outcomes. To be blunt, I’ve given up on abuse and misuse cases because they don’t work even in the academic papers that advocate for them. I’ve yet to see a paper that has more than a few obvious samples, or thats explains how the style and mechanisms of use cases relate to structured analysis. But the idea is dreadfully hard to kill, and those working on abuse cases might want to experiment with this.

While I’m talking about diagrams, I want to comment on the graphical presentation. The diagram uses attractive colors as well as shading and 3d boxes to make it pop visually. And the boxes take up space, and distract from the text enough that my critique about spills from a fryer was inaccurate -- there’s a box for that. And the text (especially white on gray) is hard to read, and so I missed it.

The second question we ask is “What can go wrong?” and this is a smorgasboard of answers. It’s not clear how Uncle Billy relates to the inebriated cook, nor, really, why assigning him to do the dishes will help. Is someone universalizing a bit here?

It’s also not clear to what extent this threat model should consider the trifecta of airborne pathogens (RSV, flu, and Covid) which are on track to kill a great many Americans thisyear, and especially with covid’s high rates of mutation, people should be aware of the additional risk, especially as travel helps strains migrate to new areas.

The next question is “What are we going to do about it?” For about a decade, I’ve been using Kenji Lopez-Alt’s deconstructed approach with sous vide breast and roasted legs. You don’t have the 2 minutes of oohing and ahhing over the bird, but you lose hours of cooking time, hours of stress over when the bird will be done, and you get better food. (The dates on those recipies are ‘updates’ because Google prioritizes recency.)

And the final question we ask is “Did we do a good job?” And frankly, Gunnar and Sounil did a better job than me at keeping it fun, but I hope you enjoyed this post, learned a little, and, if you celebrate, have or had a lovely Thanksgiving.