| ▲ | IshKebab 25 days ago |
| I don't know if that is the right lesson. It's kind of like "don't click on links"... Err, no. You should be able to click any link without getting hacked. |
|
| ▲ | marysol5 25 days ago | parent | next [-] |
| I have always found the whole "Don't trust links" a faux pas when it comes to user training. As it just means that the failure to secure systems in the first place has already failed..... |
| |
| ▲ | ffaccount2 24 days ago | parent [-] |
| It's worse, often the saying goes "don't click on suspicious links"/"don't open suspicious attachments". If I (the target of such a hint) knew the link was "suspicious" I wouldn't click it! Users are not opening suspicious attachments, they open (what they think is) an important invoice or message from their boss. |
|
|
| ▲ | ImPostingOnHN 25 days ago | parent | prev | next [-] |
| Sure, in an ideal world different from this one. You should be able to do anything on any device and never worry about security. Unfortunately, since we don't live in that world, we need to not open links, emails, text messages, etc, if they are sketchy. A better solution may someday exist, but as of yet has not been found. |
| |
| ▲ | kybernetikos 25 days ago | parent [-] |
| "Don't click on links" is not a solution, and it's not something people actually do, it's just something they think they do. Corporate Security will tell you that it's ok to click links to the payroll system or hr or vanta or the 'secure email service' or jira or github or to docusign or the microsoft office document that a partner company sent you or an amazon delivery notification, but not ok to click links in the phishing email that looks exactly like one of those that they sent you. It's not possible to tell whether a message giving you a link to something is 'sketchy' or not before clicking the link, and any 'security' that relies on people knowing whether a message is malicious or not by magic is broken in the real world. |
| ▲ | encom 25 days ago | parent | next [-] |
| > It's not possible to tell whether a message giving you a link to something is 'sketchy' or not before clicking the link |
| Sure it is. It's just not something the average user can do. But what makes the situation worse is that most emails now use click tracking, so ALL links are sketchy. For example, emails from my union all link to 2mv.aplink.red and are 200 characters long and look like /dev/urandom output. No fucking idea what or who controls that domain, but it for sure is not my union. I've complained multiple times, including acting dumb and asking if they've been hacked because their emails look shady as hell. Email with the unsubscribe link wrapped in click tracking gets sent straight to SpamCop. I hate tech more and more every day. |
| ▲ | saagarjha 25 days ago | parent [-] |
| I think you are providing a very good argument for why even technical users cannot distinguish legitimate links from sketchy ones. |
| |
| ▲ | subscribed 25 days ago | parent | prev | next [-] |
| In my company I regularly see genuine, legitimate emails that carry several huge red flags, like those conveyed to us in trainings. If I can plausibly claim I wasn't sure it was legit (i.e. it was sent from the outside from the sketchy-looking host), I'd always report it internally as a phishing attempt. Just to make the security work with it. |
| ▲ | marysol5 25 days ago | parent [-] |
| There's also something about "admin" and "HR" systems in companies where they ignore everything they told you not to do. I don't think I've worked anywhere yet that does 2FA, SSO, or even a vaguely usable system that doesn't look like it was made 30 years ago in these departments. Which is extra troubling as these systems are the ones with the PII! |
| |
| ▲ | ImPostingOnHN 23 days ago | parent | prev | next [-] |
| > "Don't click on [sketchy] links" is not a solution, and it's not something people actually do, it's just something they think they do. |
| And yet, there is currently no better solution I'm aware of, so that is what they must do. "Just let anybody click and open anything" is not a solution, either. |
| ▲ | kybernetikos 22 days ago | parent [-] |
| It's not a solution, it's the problem statement. |
| ▲ | ImPostingOnHN 21 days ago | parent [-] |
| If the solution you're suggesting is not a solution, then the solution I suggested (which is a solution) seems to be the best one we have at the moment. |
| ▲ | ImPostingOnHN 21 days ago | parent [-] |
| > It's not a solution |
| It seems we're in violent agreement: neither of us thinks that "just let anybody click and open anything" is a solution. That leaves us with the robust solution cited earlier: "Don't click on sketchy links". |
|
|
| |
| ▲ | brandonwindson 22 days ago | parent | prev [-] |
| [flagged] |
|
|
|
| ▲ | krupan 25 days ago | parent | prev [-] |
| We aren't talking about clicking links even. This is a bug in some stupid code that tries to read your messages for you and act on them. No thank you! |