Threat Landscaper: Societal Attack, Threat Actor and Mitigation Strategy Map TPS-0110
I'm excited to announce and describe the launch of a new web application that I created, which was quite an adventure to build to this point.
The name of this tool is the Threat Landscaper. If you are into cyber security or national security or both, or security at any level, this is one of the key phrases across the industries, to varying degrees: the idea of mapping the threat landscape that is unique to your tactical and strategic circumstance. Whatever you're defending, or whatever your operation is, there's gonna be a threat landscape, so threat landscaping is what I would call it. I'm a threat landscaper, and some threats you can manage and mitigate, some you can't, but it's all about design, right? So landscape design.
So this is a designer's tool for threat landscaping and you'll see this intersection of this commonality between permaculture design and tactical and strategic defense and security type thinking.
So the subtitle is: societal attack, threat actor and mitigation strategy map.
So that is a compressed way of saying essentially what I had just said. As we move along, we'll see how these concepts actually map out onto the web application.
So the description, which is another useful introduction: I describe it as "understand and map your threat landscape by listing and arranging categories, sub categories, threat actors, attacks and mitigation strategies affecting an array of ranges including urban, suburban, rural and wilderness."
That will all make more sense as we move along, but I wanna get this anatomy laid out before going too much explaining things conceptually.
So what you have at the top of the screen is a relatively simple web form environment or interface, where you have a number of menus to select options from.
And in the order of those, it goes as follows, first, you choose the format of what you're gonna enter.
So eventually you have the ability to type in or copy and paste in a title of an element that fits one of these formats. The formats include category, sub category, threat actor, attack method and mitigation strategy.
Obviously, the idea is creating an information architecture or data structure that's kind of like a tree structure that branches out from the category, if you consider the list that you will be creating as the trunk.
Then you have the option to create categories and sub categories that branch out to the right of that trunk.
So it's a branching tree like structure. You could call them the leaves but essentially these are the outgrowths from the categories that you're able to nest and choose from.
So obviously category sub category, if you're talking about societal threats, which is what this is based on, that could be criminals as a category and organized criminals as a sub category. Disorganized criminals as another sub category.
It doesn't branch out indefinitely. You only get the sub category level, then all the sub categories are basically at the same distance out, just to keep it from sprawling and having to scroll further and further to the right of the screen.
It's helpful, in order to navigate, that you have the ability to create nested sub categories, and for you to know where you are in the hierarchy of the tree as you move along.
So nested within, you could nest the following under a broad category, or a sub category.
The next ones include Threat Actor, which is basically the examples I gave. The title I would consider to be an institution, an organization, a type of group of people, or a type of characteristic of a group of people, so thieves are probably within a sub category of criminals. Again, like a characteristic of a type of person. But then there are more specific threat actors, ones that may pose a regulatory threat to you for engaging in behavior that you'd better be damn sure you have a permit for; otherwise the threat actor would be code enforcement.
This just gives you the ability to list out every threat actor type that you can imagine that affects you.
So moving on to the attack method, this is where obviously the same attack can be perpetrated by more than one threat actor.
The threat actors are gonna be relatively discrete titles, and then there will be instances where they will share attack methods.
So I've made it easy; later on, we'll see how that is accommodated. But of course, an attack method could be something like a fine, on the mild end, or it could be bodily injury and assault, depending on whether it's criminals or officials working for the state.
They have the ability and sometimes the legitimacy to do harm to your body.
So those are just some examples to start thinking about making this distinction in categories between the name of the threat actor and the type of attack that they are capable or authorized, or both, to conduct or to perpetrate against you.
Then the next field that you can enter as a format is a mitigation strategy.
So the utility already of this tool is that you start to enumerate and list and map out and organize the threats that you're dealing with, which are, for the purposes of this tool, not so much natural disasters and storms and wild animals.
But mainly the sector that is the human world, and all of its characters with different intentions, from malicious to negligent, to accidental, to consider for your site or your project or your mission.
So that's one set of options you choose from in the format selector, and then you have the option to select the scope.
This is where it gets interesting in terms of permaculture design and mapping and zonation theory.
You are able to choose from urban, suburban, rural and wild.
Based on whichever one of those options are selected, when you add a threat or when you add an attack method, there will be a line that extends from the title that you entered for that attack method that is going to reach out to what appears on the right side of the page.
Which is a representation of the gradient between those categories urban, suburban, rural and wild.
There are ways for this to be more graphically complex and advanced, so that there's even more nuance.
But the purpose of this is to have a basic visualization of the scope of the attack method; how far these attacks can basically span is another way of thinking about it. The way it's displayed is that the wilderness is represented by a dark green bar on the far right, and then it is adjacent to a slightly lighter green bar, which again represents the spectrum from urban to suburban to rural to wild.
They're each bars next to each other, vertical bars next to each other that represent in a color gradient from all gray to dark green.
In between, you have those gradations, and it represents how far from the city the zones are.
So the line for urban will only go from the left side of the screen, where you type in the entry, to the middle of the urban bar, and then it stops there.
So that would indicate that attack is limited in range or scope to an urban environment.
You can imagine a lot of threat actors and attack methods that really either just tend to be limited to the city, or they're just technically confined to it in some way, shape or form.
The logic here is that if you choose suburban, then that line is going to pass through urban and stop in the middle of suburban, and that implies, essentially, that the scope of that attack would include both urban and suburban. It's urban plus suburban, but it stops at the suburban zone.
And then, if you choose rural, it's going to cross urban and suburban and stop in the middle of rural, and then the same for wild.
The reason to format it in this way is that it's making one assumption, which is something that can be modified later to be more distinct.
Because not all attacks would affect both urban and suburban environments; it could be an attack that is confined just to the suburban environment.
So at this point, there's no visual indication that where the line stops is where the attack is confined.
What the visual indication is at this point is that it would be the exception, not the rule. The rule would be: if it can get to you all the way into the wild and it's a human attack, it most likely is capable of getting to you in all of those zones in between, even if it's not typical.
But again, there are certain attacks that may only be limited to that.
It can evolve over time. But for now, the point of this is I want to make it visually clear how much more attack surface you are subjected to the closer you get to the city, and how much less you're subjected to the further from the city you go. Like the number and the type of attacks that you encounter.
For anybody on Earth who uses this tool, I would imagine that if they assess what threatens them, they're gonna discover this. This is gonna lead to the discovery that the further you get from the city...
Obviously, there will be exceptions for places. But for now, the utility of this is that whenever you have to be in any of these zones, urban, suburban, rural and wild, you have an enumerated list of reasonably foreseeable threat actors and the attack methods that they use.
Then you also have done the work to literally plan out and type out your mitigation strategy for each of those, as a way to be more prepared and be more intelligent and be more tactically proficient around navigating the threats to your lifestyle or your mission, or your project site, or whatever it may be. This is very accommodating to different types of design. So we are moving along from that.
The next thing you are able to select is a selector menu that will essentially change the color of that line that is created.
It connects the entry that you make on the list to the span, or the scope, on the right within that zoning map. The color of that line is determined by what I call here the victimization mode.
This is also in order to have a color coded visual display, to see in very stark contrast whether your threat landscape is filled with threats to your life, or your body, or threats to your finances.
So here's how this breaks down in order to be as broad and yet distinct as possible. These are the categories that I've created, which can always be broken down into further nuance or added to.
So far, psychological is represented by the color blue, which is kind of a bit of humor thrown in there, because there can be all sorts of threat actors and attack methods that are intimidation or defamation, or manipulation of all kinds. It could be shame. It could be cancellation.
There could be all different types of attacks that their primary target and their primary effect, mode of victimization, as I'm calling it, is that they affect you emotionally or psychologically. So that's a blue color, obviously, for feeling sad.
So the next one is financial, for which you can imagine the color used. Yes, it's green.
So to go with the words, the concepts ending with an A and L, the word choice is carceral. The color for carceral is gray, as in the gray bars that you will be living behind if you get on the wrong side of the law and you end up incarcerated by the impact of carceral attacks.
So that could be detainment or being jailed, being imprisoned.
The idea being, your list of threat actors has always got to include all the different state officials, officers of the state, law enforcement, the judicial system. All of its forms, all the layers of invisible structures, as it's called in permaculture, but they're very visible: the sort of institutions and certainly the warehousing of people who get on the wrong side of the law.
Even if you're the most law-abiding citizen, which I'm assuming that you are. The point of this is not to empower or to condone or facilitate any kind of lawlessness by any means. This is about lawful citizenship and being a good team player for national security and personal security.
But you gotta be aware, there are corrupt law enforcement officials.
There are bigoted officials. There are officials that are gung ho and want to make a name for themselves, and a little bit over zealous.
So depending on where you are and what the type of attack is and where it reaches and who you are and what you're doing, you may not get the best treatment.
I don't know exactly what the statistics are, and you can't exactly know perfectly who's guilty as charged, and who's been manipulated to take a plea.
That's beyond the scope of this project. But the idea is, if you were not afraid of the potential of being caught up in the justice system, even if you had the best of intentions, even if you were in your mind, fully in the right.
In a self defense scenario, or in a financial partnership, or whatever it could be, that threat is always looming.
They say, innocent til proven guilty, but still, if you're not rich and you can't post bail, you're gonna be treated as guilty until proven innocent by the fact that you will be jailed until, until trial.
You may be theoretically innocent until proven guilty, but if you were behind bars, then that's pretty much a moot point.
For a lot of people, whether it's speeding or jaywalking, there's an underestimation of the imminent danger of being caught up. Even just being a witness to a crime could become a bad day.
How you communicate knowing your rights, knowing what you're obligated to provide or not provide or confirm or not confirm, your right to an attorney when that begins.
The next category is physical, meaning bodily harm, lethal force, injury.
There are all kinds of attacks. Most people would think about being attacked by, let's say, a mugger or a carjacker, or being shot by a stray bullet or something like that, or even, as a pedestrian or bicyclist, being hit by an automobile.
So obviously that color is red, for blood. So you will be able to see how deadly your threat landscape is by how many red lines are affecting you, and how far they reach into the zone that you're in.
Then the last one, which is more of a national security type of concept, but also applies at all levels to project sites, and one-off missions, if you wanna call it that.
But it's infrastructural. And I chose basically a copper color representing wires, essentially just as one of many potential, sort of thematic notions of infrastructure, but certainly it's the one that we're most dependent on now, communications infrastructure.
Even though a lot of that is wireless, it's sort of maybe antiquated to use the copper wire indicator color, but I think it is useful and distinct from the others.
So infrastructural attacks, that's something some might call the security state or the national security state. They may or may not be using that term with the best feelings around it.
I don't take offense to that terminology because in my studies, our security deficit is probably bigger than our financial deficit, at least in the United States, in terms of the fitness and the tactical proficiency of the civilian population and the distance from the ruggedness and tactical proficiency of the founders of the nation, which I have mixed feelings about, to be honest, of course. But point being, they knew how to operate firearms. Quite a number of them did, and if they didn't, it wasn't a taboo. I doubt it was glamorized or made into a caricature, the way that gun ownership and gun violence is now. It was just a part of being a frontier person or a colony person.
Again, caveat disclaimer about my feelings about the genocide of the Native Americans. That's not just a side note or an obligation for me to say. I have quite a bit of time in the battlefield of indigenous rights, as an advocate, sometimes allies.
Point being, infrastructural security applies for individuals. Look at what's happening with routers being hacked. Okay, that's infrastructure.
That's not national Critical infrastructure, by a strict definition, but by a reasonable definition, it is because we all now in the modern age use the same software, the same hardware for civilian and state and military applications of all kinds.
So that puts us all in the same barrel to be shot at, essentially.
So infrastructural victimization mode is important to consider, whether it's a targeted attack on your personal private infrastructure, like your phone gets hacked or your computer gets hacked, or your phone lines get cut down, or your encryption gets compromised in some way... It could be on a personal level, or it could be on a more public infrastructure or critical infrastructure kind of scale.
Again, this is gonna show that the majority of dependency and risk is concentrated most in the urban and then it decreases the further you get out in the wild, where it becomes more and more obvious that for you to be subsisting further from the city, you are more independent.
That's kind of a truism of permaculture and survivalism.
And so we'll move along.
So the next selector is attributing low mid or high severity level to each individual attack.
What that does is, in the listing of attacks, it gives you a color coded triangle icon, which is borrowing from the idea that it's a road sign indicator of danger or hazard or need for alertness; that triangle symbol is essentially applicable in that sense.
So you've got yellow, orange and red triangles that appear alongside the attack method listing then you're able to choose from the selector.
Then what's happening each time you choose one of those low, mid, high severity level properties for a threat or an attack method that you include on the list is that, behind the scenes, a running score is calculated.
So let's say you add three low severity attacks, then you have a score of three.
You add two mid level attacks, and you have a score of seven; that's adding four to get to seven.
Every time you add a high severity attack, you're adding three. And then we'll move along.
Your score appears at the top of the screen just below these selector menus, so you see how you can track that. You have a list of buttons, from left to right, that accompany each entry that you include, every time you add a new entry.
There's a button that says, add new items. So you click that button, when you click, add new item, whatever the state is, whatever selection you have chosen for each of those selector menus that I described before, whatever you've selected those at, whatever they're now resting at when you go add new item, those properties are attributed to the item that you add.
What you then do is you type in or copy and paste in the name or the title for that, but it has the properties that you selected, and then those remain once you select them until you change them.
Every time you add a new item, you're gonna have those same properties.
So if you can think of ten attacks in a row, or you already have a list of them somewhere, and then you wanna put them in this visualization tool, as it were, then you could set all of the parameters with the selectors, and then just keep pressing add new item and entering in the names for them.
And then until you're ready to move on, let's say, oh, you know what I realized?
I can break this up into two sub categories. I need to add a sub category item that is not gonna need those other attributes. So you can set those. You can set those to just having the default.
So they don't carry with them any of the attributes that wouldn't apply. But it's optional, because you may want to say oh, state police have this scope, and city police have that scope. So it does make sense to attribute the scope selector to them.
If you don't want it, you would reset it to the default, which would give you nothing other than just the title or the name that you enter, and no other properties along with it.
Now, back to that list of buttons. So every time you add a new item, you have a list of buttons that each item individually has.
So the first is an edit button: you click it, and then it highlights the text field that you're gonna be entering and copying and pasting into. The reason that this is there is that it's not obvious, in the way it's displayed, that when you add an entry you would click into it. With the default text that says enter title, it's not perfectly clear that you would click into that and then start typing.
So the edit button, it does what's called focusing that element. So when you click edit, which is a little more intuitive, it lights up in the box where you're gonna be typing the text.
So that just gives you the indication, oh, that's where you would be adding that entry, it's ready to be typed into.
The cool part is, whether you click into it again after you've typed into it, or you click the edit button, it'll do the same thing, just prompt you to start typing in there.
You can update them anytime you want, say you wanna fix the spelling, or you wanna, capitalize it, or even give it a different name, or add more to it.
Whatever you wanna do, you're able to edit it and change it anytime as many times as you want.
So the next buttons are to move up and to move down with up and down arrow icons on the buttons. This is where you get to have a lot of fun, because you're not always going to when listing things out.
If you're gonna sort things around within different categories and sub categories, you're gonna want to use these up and down buttons to sort and to move each item as you see fit individually.
I want this to appear with the most threatening threat actors, the high severity attacks, all grouped. So I'm gonna bump them all up to the top, and I'm gonna use these up arrow buttons to move them upwards.
Or if you wanna change that order, or you wanna move something from one category to another, you can move them down.
The next button is to copy, which is a useful ability. Let's say you have multiple threat actors that are capable of using arrest. That is an attack, a looming threat that threat actors of all kinds can perpetrate against you lawfully or unlawfully, depending on the circumstances.
But the point is, in order to save you having to type in or copy in arrest or stolen from, or whatever it is, in order to avoid the necessity of typing that in over and over and over, it's easy enough to just copy.
That will generate a copy of that entry below the one that you just pressed copy on, and then you can move that wherever you wanna move it.
Obviously, it wouldn't make sense to leave it right below it and for it to be in the same category, or underneath the tree structure of a branch of the same threat actor. You copy it, and then you're free to move it.
It would be a more advanced feature to add later for it, when you copy it, to automatically inherit all of the properties that have been attributed to it.
Within a few within of using this, you're gonna develop a clear understanding of how to rearrange those selectors so that you're getting what you wanna get.
So the next one is pretty obvious. Delete that will remove the item.
If it has a threat or it has a severity score, then when you delete that item, it will subtract whatever the severity score was from one to three from that threat score.
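The scoring and scope rules described above can be written down as a small data model. This is an added example, not the Threat Landscaper's own code; the names `ThreatList`, `zonesCovered` and `attackSurfaceByZone` are assumptions, and the sample entries are constructed from titles mentioned in the text.

```javascript
// Added example (not the application's code). All names are assumptions.
const ZONES = ["urban", "suburban", "rural", "wild"];   // city -> wilderness
const SEVERITY_POINTS = { low: 1, mid: 2, high: 3 };    // score added per entry

class ThreatList {
  constructor() {
    this.items = [];
    this.nextId = 1;  // running identifier for each new item
    this.score = 0;   // running threat score
  }

  // "Add new item" appends at the bottom; passing afterId models "add below".
  add({ format, title, scope = null, severity = null }, afterId = null) {
    const item = { id: this.nextId++, format, title, scope, severity };
    const at = afterId === null ? -1 : this.items.findIndex(i => i.id === afterId);
    if (at === -1) this.items.push(item);
    else this.items.splice(at + 1, 0, item);
    this.score += SEVERITY_POINTS[severity] ?? 0;  // entries without severity add 0
    return item.id;
  }

  // "Delete" removes the item and subtracts its 1 to 3 points from the score.
  remove(id) {
    const at = this.items.findIndex(i => i.id === id);
    if (at === -1) return false;
    const [gone] = this.items.splice(at, 1);
    this.score -= SEVERITY_POINTS[gone.severity] ?? 0;
    return true;
  }
}

// A scope is cumulative: "rural" means urban + suburban + rural.
function zonesCovered(scope) {
  const reach = ZONES.indexOf(scope);
  return reach === -1 ? [] : ZONES.slice(0, reach + 1);
}

// Count how many attack lines cross each zone, and their summed severity.
function attackSurfaceByZone(list) {
  const surface = Object.fromEntries(ZONES.map(z => [z, { count: 0, points: 0 }]));
  for (const item of list.items) {
    if (item.format !== "attack method") continue;
    for (const zone of zonesCovered(item.scope)) {
      surface[zone].count += 1;
      surface[zone].points += SEVERITY_POINTS[item.severity] ?? 0;
    }
  }
  return surface;
}

// Constructed sample: three low and two mid attacks, as in the score walkthrough.
function buildSample() {
  const list = new ThreatList();
  list.add({ format: "category", title: "Criminals" });
  list.add({ format: "threat actor", title: "Thieves" });
  list.add({ format: "attack method", title: "Fine", scope: "urban", severity: "low" });
  list.add({ format: "attack method", title: "Defamation", scope: "urban", severity: "low" });
  list.add({ format: "attack method", title: "Intimidation", scope: "suburban", severity: "low" });
  list.add({ format: "attack method", title: "Stolen from", scope: "suburban", severity: "mid" });
  list.add({ format: "attack method", title: "Detainment", scope: "rural", severity: "mid" });
  return list;
}

const sample = buildSample();
console.log("score:", sample.score);
console.log(attackSurfaceByZone(sample));
```

Because every scope includes the zones to its left, the per-zone counts can only stay level or fall from urban toward wild, which is the attack-surface gradient the lines on the page are meant to show.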
So now you see where this becomes somewhat of a game where you're saying to yourself, okay, I just entered in all of my potential threats, wow, my threat score is through the roof. I need to get that down. Which of these can I possibly delete to lower that score?
Because you have the ability to associate a mitigation strategy with each attack it's foreseeable that I could add features to where you could reduce the severity level down because you have a mitigation strategy.
I feel the threat severity, unless you're able to neutralize that threat somehow, the severity of the threat, even though you have a mitigation strategy, that creates a whole new category of thinking about have you mitigated the severity of the threat or is the threat severity the same and you have just buffered yourself from it by some means.
I don't think it necessitates building out more features to accommodate that for now.
The final button as of now is to add below. It's a button with a plus sign. So each line has at the end of the line of buttons, or the end of the series of buttons, you have the ability to press the plus symbol button.
What that does is it will add a new item directly below that's a blank item, not a copied item.
It's going to be just like pressing the add new item at the top of the page. What the add new item does at the top of the page is that it will always add a new item, with whatever properties are set with the selectors it will add that item at the bottom of the list.
If you add an item, and your intention is for that item to be nested under a category sub category that's all the way at the top of the list you don't wanna have to use the up button to move that item up all the way to the top of the list.
Rather, you're able to press the add button or the add below button, which is that plus sign.
Then, wherever you are in the list, wherever you want that new item to be you hit the add button of the item. That's gonna be above where you wanna place it. That's an empty item that you can now enter into below that.
Then this is where I'm gonna say, from this point forward, it's gonna get, it's gonna get extra technical.
After being spoiled with content management systems, and then discovering that there is a security nightmare and wanting to actually roll your own code from scratch and write static HTML pages with very security conscious dynamic features.
A single page application means you don't click back, you don't click forward, you don't refresh the page. Everything that happens that's interactive about the page is happening in a manner that feels like you're not having to do the old school website process of going from page to page to page and reloading the page over and over.
Now, the technology is elegant enough to where you can make a better user experience if you're interested in making it more secure, then it can be more secure.
It's not only a single page application, the code that I'm responsible for writing and managing and maintaining the security of it's all there on one page. It's not pulling in any images even from the server. It's not pulling in image files from other folders. It's not pulling in style sheets or javascript files from other locations on the server.
What you see is what you get, and what you add to it is your business and, and not mine. I don't get a copy of any of the information that you put into this application.
For bug hunting, if there are any bugs in it, it gets far more manageable and simplified when you have a discrete one-off application, where not only does it operate as a single experience on the front end, on the user interface, but the code itself is one single page of code.
So it's one page on the back end, one page on the front end.
For the purposes of this tool, there's no need to fetch any images or any other types of content from anywhere else on the Internet, from anywhere else on my server.
Now, for me to operate within my standards of security and privacy, I'm obviously not allowing users of my applications to go through the very often poorly implemented user account creation process where I would be responsible for personally identifiable information, such as user names, real names, location data, passwords and email addresses, and certainly any data that is entered into any Web form that I present to the public Internet. I don't want any of that stuff. I don't need any of that stuff and that is a trade off, right?
Because that forces me to be very innovative and creative about how to do what, in basic sort of computer science, you might call storing the state of the computation that's happening within the application.
This usage of the word state is in the context of a status.
Every change that you make as you're using it, the status of the tool, the status of the application is going to be updated.
But then if you don't have a user account and you're not able to send the state of your use of the application and all the information you put into it, if you're not sending that to my server for me to store in a database that gets accessed either by me and you or only by you if it's done a certain way, which is the better way to do it.
I don't wanna touch it. I don't wanna handle it. I don't want anything to do with it. So how do I make it possible for you on your end, what they call the client side? How do I make it possible for you to store the state?
In most circumstances, when you close that browser tab or you close that window or you shut down your machine, all that goes poof.
Because whatever isn't part of what's called the hard coded document, which is the HTML document that you loaded from my server, is gone; that document starts out every time it's loaded as a blank slate, right?
It has all the tools that I described within it, but none of them have been configured.
No entries have been made. If you spend an hour working on this, and then your machine surprises you by going into shut down or auto update, then you just lost everything.
So if I'm not providing you the option to create a user account where I save the state of your application on my server in some form of a database that you can then rebuild and reassemble on demand when you log in and you restore your last saved session.
Without that feature, and with the looming threat that if you don't just leave that tab open forever, you're gonna lose everything that you worked on.
I do feel like I want this tool, of all the tools, this isn't just a little several minute kind of exercise.
This tool is something that could be a document, it's a living document, or work in progress that you update and continually use throughout your whole life.
Wherever you go, whatever you do, you could use it as a master list, so you're gonna wanna be able to save this. I'm gonna wanna be able to save the work I do on this.
I definitely do not wanna enter everything from scratch every time.
So the problem that I solved with that was very interesting to me from a development and designer perspective, because of how I was able to utilize very, very low level primitive HTML functionality and scripting functionality that was far less cumbersome and complex and error prone.
So far, if my calculations are correct, or until I'm proven wrong, I was surprised, basically. If we use the term elegance to mean getting whatever the task is done with as few lines of code as possible, that would be a simple definition of elegance.
That would be an elegant definition of elegance in software engineering or coding or development, if you can achieve what you want to achieve without sacrificing security...
If there's a way to take a hundred lines of code and get the exact same result with three lines of code... those are those moments, those aha moments that I live for now, because this document to me is the cutting edge of my beginning to master some of these techniques. And so, to describe what's happening: you have a button at the top of the page that says Save and export.
What that basically does? I'll see if I can describe it in an elegant manner.
When you press that button, save and export, it builds a new file within the browser's memory. It constructs a file by copying to that file everything that you've added to the base level, the baseline of the original document.
You could always just right click and save, but you would not be saving all the work you did. So when you click that save button, it takes the structure of the page and copies that, but it includes everything that you have added to the page.
It's as if you were to select all the code that has been generated that gives you the front end display.
If you were to select all and copy and paste into a text file all the work you've done, well, great. Now you have a copy of all the work you've done, but how are you gonna resume and restore the session that contains all of these what are called variables?
How are you gonna restore all of the things that went on behind the scenes?
How are you gonna update, or how are you gonna maintain a running threat score?
How are you gonna maintain a running accurate identifier for each new item that you create? You're gonna have conflicts. You can't just copy and paste everything you did in that session.
You have to basically take a snapshot, that's a metaphor, but it is a useful metaphor for this kind of computer science stuff. It takes a snapshot of the state, copies that into a file, and with a little bit of clever engineering…
There's a word people use called hackish meaning, you're not doing anything bad or any evil kind of hacking.
It's the sense that, let's say you have a taillight that is kind of intermittently going in and out and you duct tape a clothes pin into the wire in order for it to kind of like flicker a little bit less. That would be kind of hackish, it might work but really the thing to do is to get that wire replaced.
If you're capable of doing it, great, if not, take it to professional or replace the whole part, or whatever.
You could call it MacGyvering, whatever. Usually, on forums of web developers, when they say, oh, that's a little hackish, you can do that, but with certain applications, if you do something kind of hackish to make it do something you want, then when you do a full update of that software, the next time they make a release of it, which you gotta do, you can't be negligent on that. You've gotta keep updating it.
That update could very well wipe out that little MacGyvering hack that you did, which was, again, not evil or malicious.
It was just to help you get a job done. But it's kind of like cutting corners, doing it in a lazy kind of fashion.
So for me I was glad to know that I was not in my methodology of making this save and export function, I'm complying with all of the rules as they exist. I'm just innovating and being creative with it in a way that is non compliant with the specifications.
I'm doing it by the book, by the rules. Now, of course with any website, you can't possibly know what every end user's operating system is, and the version of the operating system, the browser that they're using. So that is a whole can of worms in itself, trying to be cross compatible across different browsers.
That's where you would have to do, unfortunately, a lot of those, quote, hackish things in order to get the same user experience across all possible environments and browsers.
It's impossible at a certain level. But you do your best.
I'm glad to say that, I'm trying to use the most time tested and built in browser features and HTML and basically the building blocks of websites, use the most universal features and not the most nuanced and browser specific features, which would require a lot of that hackishness to come into play.
But luckily, I've been able to make it possible to save and export the page in a way that it takes a snapshot of the state of the web page that you just built, I gave you the template, and now you embellished it, and now you wanna save it.
You can save it, export it based on this simple technique that allows a snapshot to be created, and then you are prompted to save the file.
It includes the date in the file name, so it says saved map, and then the day, the date and the year, so that there's not a conflict, and each time you save a version you'll see the ordering of the dates in the file name.
So if you want to roll back to one, that's your archive.
If you want to roll back to a previous version, you can keep an archive easily.
The next consideration: now you've saved your state, you've copied it, downloaded it into a file. Now what? Well, wherever you save that file, say to your desktop, you don't even need to be online anymore. Now it's your own private copy of the app that you are privately updating. It has no need whatsoever to be connected to the Internet. All you need is a browser.
It doesn't even matter if that computer has any connection to the Internet, or if the Internet is live and connected, or the Internet is disconnected, but potentially can be connected.
The file now exists, just like a document or a spreadsheet. It's an HTML file, so when you click on it, whatever your operating system is configured to use as a default browser will open that local file. Then, instead of a point of origin that's my server, you're going to see your local file system and folder system, and then the file name of the file that you downloaded. When you then use your browser to modify that saved version of the file, representing wherever you left off, you can do another session, add things to it, modify it, rearrange it, do everything that you're capable of doing there.
When you save and export it again, it does exactly the same thing, but takes that state snapshot, keeps your running totals, and everything is able to keep running along.
What you're doing is just saving a new version of that file with all the updates again to wherever you want on your local machine, and then you move, you go on from there indefinitely.
So you only need to download the file once.
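The snapshot, save and resume cycle described above can be sketched with built-in browser features only. This is an added example, not the Threat Landscaper's own code: the function names, the `saved-state` element id, the state fields and the exact file name pattern are assumptions.

```javascript
// Added example of snapshot-style save and resume; all names hypothetical.
const STATE_OPEN = '<script type="application/json" id="saved-state">';
// Written as <\/script> so this code can itself sit in an inline script.
const STATE_CLOSE = '<\/script>';

// Escape "<" so a user-typed title such as "</script>" cannot close the
// element early; JSON.parse turns \u003c back into "<" on restore.
function serializeState(state) {
  return JSON.stringify(state).replace(/</g, '\\u003c');
}

// Remove an earlier snapshot so repeated saves do not stack up.
function stripSnapshot(html) {
  const start = html.indexOf(STATE_OPEN);
  if (start === -1) return html;
  const end = html.indexOf(STATE_CLOSE, start + STATE_OPEN.length);
  return html.slice(0, start) + (end === -1 ? '' : html.slice(end + STATE_CLOSE.length));
}

// Page markup plus the behind-the-scenes variables, as one HTML string.
function buildSnapshotHtml(pageHtml, state) {
  const clean = stripSnapshot(pageHtml);
  const block = STATE_OPEN + serializeState(state) + STATE_CLOSE;
  const i = clean.lastIndexOf('</body>');
  return i === -1 ? clean + block : clean.slice(0, i) + block + clean.slice(i);
}

// On load: resume counters from the snapshot, or start fresh.
function restoreState(html) {
  const start = html.indexOf(STATE_OPEN);
  if (start === -1) return { nextId: 1, threatScore: 0, items: [] };
  const from = start + STATE_OPEN.length;
  return JSON.parse(html.slice(from, html.indexOf(STATE_CLOSE, from)));
}

// "saved-map-YYYY-MM-DD.html" sorts by date in a folder listing.
function exportFileName(date) {
  const pad = (n) => String(n).padStart(2, '0');
  return `saved-map-${date.getFullYear()}-${pad(date.getMonth() + 1)}-${pad(date.getDate())}.html`;
}

// Browser only: build the file in memory and prompt a download.
function saveAndExport(state) {
  const page = '<!DOCTYPE html>\n' + document.documentElement.outerHTML;
  const blob = new Blob([buildSnapshotHtml(page, state)], { type: 'text/html' });
  const a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = exportFileName(new Date());
  a.click();
  setTimeout(() => URL.revokeObjectURL(a.href), 0);
}
```

Restoring the identifier counter and score from the embedded snapshot is what keeps new items from colliding with ones created in an earlier session.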
For me, I cracked the code of doing a non hackish, very simple, elegant and compliant save and resume type of feature and workflow, which is non invasive and doesn't require a lot of edge case features.
If I can find the solution that is compliant, works with all, at least all relatively modern browsers and doesn't even bend the rules to do it, I'm stoked.
And so I'm very, very stoked.
This tool was the catalyst for me to push myself to develop that skill.
Now that I have it, it can be applied retroactively. It can be applied moving forward.
This tool represents independence from untrusted third party packages or libraries, which is basically other people's generally free and open source code, you're trusting them to be secure, to be non malicious, to be maintained indefinitely.
You just go click, drop it in, and you merge your code base with that code base, and you get the feature almost instantaneously.
You add potentially infinite attack surface that you have no control over and that you are responsible for every time someone loads your app or your page and you induce them to make a call to a server that isn't your own to pull in that library.
That's the worst case scenario. That is inviting the vampire in.
That's called a supply chain attack. And they're doing a lot now with protecting critical cyber infrastructure, to start to create frameworks to hold people accountable for product liability as software developers for open source.
I like this term that I'm gonna be using more often, which is single page application that's independent.
So another word that is less catchy, hermetic code, or hermetic build, which is essentially describing the same thing.
It doesn't call in random dependencies, which can always be poisoned or compromised, that you have no control over and that you were on blind faith hoping are either secure already or aren't being tampered with.
If they were secure, they could be insecure and untampered with, or they could be secure but potentially tampered with, and therefore, either way, they're not secure and they can't be trusted.
If they can be trusted from one moment, they can't be trusted to the next because of too many straws in the milkshake or too many chefs in the kitchen.
But the reality is there are good chefs and there are bad chefs.
There are well meaning, but negligent chefs where accidents happen under the best of intentions and circumstances. Point being: less code, more limited files of code, and certainly less external files and code. The further out, those are all things that can be nested.
If I rebuilt this, which I probably will, as a matter of fact, to be purely a cyber security threat landscape tool, then instead of using urban, suburban, rural and wild as the scope, I would be using the layers of the technology stack.
The further away you get from the independent code, the more pages that you add on your own server, and certainly the more scripts and pages that are included in resources from external servers, the more difficult privacy and security gets.
It gets already to a point for most applications where there's no chance in hell that they're ever gonna be able to catch up to all of the what they call technical debt associated with it.
To go back and check all of the dependencies. When you install one package or library, while it's installing, it looks like there's this blur going on on your server, which is all of this infinite number of dependent packages.
It's almost like a Trojan Horse filled with other vampires.
That's the state of affairs. So, I am wanting to understand all of these parameters all these dimensions of potential threat actors and attack methods.
The mitigation strategy for this is everything I just described.
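A first-pass way to check the "hermetic" property on a single HTML file is to list every reference that points off the file. This is an added example, not part of the tool: the helper names and sample markup are constructed, and a regex scan neither replaces a full HTML parser nor sees URLs that scripts build at runtime.

```javascript
// Added example: first-pass audit of one HTML file for references that
// leave the file. Helper names are hypothetical.
const LOADING_TAGS = new Set(['script', 'link', 'img', 'iframe', 'frame',
  'embed', 'object', 'source', 'video', 'audio', 'track', 'input']);

// Absolute (http/https) or protocol-relative (//host) references.
function isRemote(ref) {
  return /^(https?:)?\/\//i.test(ref.trim());
}

function findExternalReferences(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const attrRe = /(?:^|\s)(src|href|data|poster|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const [, tag, attrs] of html.matchAll(tagRe)) {
    for (const m of attrs.matchAll(attrRe)) {
      const ref = m[2] ?? m[3] ?? m[4];
      if (!isRemote(ref)) continue;
      const name = tag.toLowerCase();
      // Links and form targets only leave the file when the user acts.
      findings.push({ tag: name, attr: m[1].toLowerCase(), ref,
        loadsOnOpen: LOADING_TAGS.has(name) });
    }
  }
  // url(...) in <style> blocks and style attributes.
  for (const m of html.matchAll(/url\(\s*['"]?([^'")\s]+)/gi)) {
    if (isRemote(m[1])) {
      findings.push({ tag: 'css', attr: 'url()', ref: m[1], loadsOnOpen: true });
    }
  }
  return findings;
}

// Hermetic here means: opening the file triggers no network fetch.
function isHermetic(html) {
  return findExternalReferences(html).every((f) => !f.loadsOnOpen);
}

// Constructed sample: one CDN script plus one ordinary outbound link.
const SAMPLE = '<html><head><script src="https://cdn.example.com/lib.js">' +
  '<\/script></head><body><a href="https://example.org/">ref</a></body></html>';
console.log(findExternalReferences(SAMPLE), isHermetic(SAMPLE));
```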
My advice is to say, go download this file once, and then work with it and save and export it on a computer that you never connect to the Internet, not because the file makes any calls out to the Internet, but because, for god's sake, I have no idea what creepy crawly browser extensions you've got on your machine.
And every time you click on the consent to install an extension or a plug-in to a browser, what does it tell you?
Most browsers, I think now are gonna warn you.
They're gonna say, vampire alarm. This extension can read and write every page that you open. So already, right there, you're like, well, does that mean that they could be stealing my credentials and injecting, hijacking my forms and clickjacking and doing all these different types of attacks?
Well, if it slips through the security teams in the browser environments, they'll often warn you, this is not an officially security vetted extension.
We don't know. You're on your own. That's been the downfall of a lot of things.
So there's a time and place to have no guard rails, and then there's a time and place to have extra guard rails.
So I appreciate that we're in a time now where that type of nuance is being accommodated and designed for within the industries.
I'm leaning towards optimized defaults for privacy and security.
I hope you appreciate that. I hope that you enjoy the discourse around that.