andsoitis 6 hours ago

> It's like they just assume that everything on the web is trustworthy.

It's not hard to see why though. They grew up with app stores & locked down devices. When we create a safer world, people’s defense mechanisms naturally atrophy or are never developed in the first place.
|
thewebguyd 5 hours ago

The problem is, we haven't really created a safer world. We created an illusion of safety by taking away agency. We might be safer in terms of vulnerabilities, root exploits, RCEs, etc. but the internet is still full of malware, scams are still just as rampant. Vigilance is still very much required, but is no longer taught. Look at all the malware available on the Play Store. The curation does nothing but create an illusion of safety.
Forgeties79 5 hours ago

It’s absolutely safer browsing the internet now than it was when I was a kid. Getting a virus or equivalent on your phone is no small feat.
autoexec 4 hours ago

It happens all the time, and it's as easy as sending a phone a text, or a packet, or escaping a sandbox, but you'll rarely be aware of it when you're infected because, unlike the old days where malware would fill your screen with ads or something, today they just silently collect your data or use your internet connection for careful port scans or DDoS attacks. NSO Group spyware (or similar) could be on your phone right now. Hell, cellphones these days ship with spyware pre-installed. Samsung being one of the worst for filling their phones with their own apps which spy on you constantly.
tweetle_beetle 4 hours ago

Is it that much different? In the past if you downloaded the wrong file, you could get ads opening constantly, a new toolbar taking over your browser, data scraped and sent off to a mystery server, or have some process maximise your compute. This accounted for most of the risks on the wild west internet, but the worst case scenario of permanently losing data or having to reinstall Windows was actually rarer than it was made out to be imho. These days the common risks are the same, except they're no longer risks - all of those have been built into the fabric of everyday internet usage and criminals have been replaced by businesses. It's like the cliche about Vegas being better when it was run by the mob.
asdfman123 4 hours ago

The late 90s internet was filled with predators, skeeziness, and viruses that would break your computer and require a reformatting. That stuff is still there if you look for it, but it's not on your social media feeds or in any of the apps provided through app stores.
pants2 4 hours ago

When I joined my last job I noticed that their email settings were misconfigured... EVERYTHING was going straight to the inbox, not even the most basic of spam filters were in place. When I got filtering on in observe-only mode I saw users were getting up to a dozen phishing emails every day. We quickly did a hard simulated phishing test and most users opened the email but zero users clicked through. Two years later, after we had excellent email filtering in place, our simulated phishing test had a 30% fail rate. Take from that what you will!
mixmastamyk 2 hours ago

Immune system exercise, interesting point. At least you’ve kept up the checks.
robotguy 5 hours ago

That's the philosophy behind Safety Third.
lexszero_ 4 hours ago

Just curious, what comes first and second in this use of the phrase applied to computer security? I came to know the expression from fire circus performance and adjacent circles, where first and second are safety of the audience and the venue, and third is your own. I use it often when I'm about to knowingly do something sketchy or potentially dangerous without applying safety practices required "by the book", acknowledging the present danger to myself and accepting the risk. I never saw it used in an infosec context.
thewebguyd 4 hours ago

Interesting, I haven't heard of safety third from circus circles. I've always known it as more along the lines of: if safety were actually the number one priority, no one would actually do anything because it's too risky. In terms of cybersecurity, I see it as "security first" culture means people rely on the system to keep them safe. "Safety third" (or security third) emphasizes that everyone should already know they are operating in a risky and dangerous environment and take security as a personal responsibility. It's just a reminder that no one cares about your life more than you do, so stay vigilant and take personal responsibility.

Edit: just realized I didn't actually answer your question on the first and second priorities. I suppose first would be the reason the system exists in the first place (buy something online, for example). Second would be the user experience of doing the thing. Security should help you take calculated risks rather than prevent you from taking any risks at all.