Assumptions:

• The science upon our cryptographic and architectural choices were made is sound;
• Each participating device bears a genuine installation of the secushare and GNUnet protocol stack without mass-exploitable backdoors and executes the code correctly;
• The person operating one or several devices maintains her or his master key material in a safe location.

What an attacker in physical vicinity can achieve:

• An attacker can subvert a device physically to undermine the anonymity or secrecy of its owner. This must not exceed a constitutionally meaningful amount.

What a local network attacker can achieve:

• A local network attacker can see who is participating in the GNU Internet;
• The attacker may be able to block some communication routes into the network, forcing the person's device to find other routing options such as mesh networking or to stay disconnected.

What an attacker with a global or regional overview of the network traffic can achieve:

• The attacker can see who is participating in the GNU Internet;
• Eventual deanonymisation of a person given
  1. the ability to observe communication patterns;
  2. persistent long-term pattern analysis;
  3. the person having preferred a configuration of convenience rather than ensuring anonymity;
  4. the person making extensive use of low-latency applications.

What an attacker can achieve upon social acceptance and infiltration:

• Gain access to social data that the person has chosen to make available to the attacker including social data that other persons have made available for social redistribution.
• Temporary disruption of the person's user experience by unsolicited messages and/or data exchanges (The person can however quickly clean the attacker and his or her data out of his or her user experience upon unsubscription).
• Attempt to engineer the targeted person into executing dedicated malware, however producing a social trail back to the origin.
• Attempt to mark the person's device as corrupted, which will only have consequences depending on the achieved social status. The person would then have to reconfirm her identity using her master password, then revoke the attacker's warning with social consequences for the attacker.

What a random attacker can achieve from a distance:

• Nothing.

What a malware developer can achieve from a distance if the person employs "broken old Internet" technology on the same device with secushare:

• Malware specifically designed to attack secushare installations and distributed via conventional means (e-mail trojans, web browser vulnerabilities) can produce a remote controllable access to all current data both generated by the targeted person as data made available to the targeted person by the social vicinity.
• The remote controlled secushare instance can be abused to send content in the name of the person or any of its pseudonyms.
• The remote controlled secushare instance can be abused to talk other people into unpacking and executing malware as secushare would not allow the distribution of obviously executable code. Should the victim recognize the social engineering attempt, she or he will be enabled to mark the person's device as corrupted.
• The malware developer cannot access the master private key and will lose all access to the person's data anytime the person executes the necessary recovery procedures detailed below.

That's it. Everything that is not said should not be possible, for example to successfully exercise a sybil attack on the person's GNUnet router in an attempt to make it expose information to malevolent nodes.

We diagnosed the biggest threat to our secushare plan to be malware that specifically targets secushare installations.