On Sat, 2011-03-19 at 05:33 +0400, Hamad Ali wrote:
> I think we have been always yelling that our users are stupid and blah,
> and the reality still shows that users (which we hope to be educated)
> are still the weakest element in the security chain. Some people still
> focus on user training programmes (such as a) b) points what you have
> list). However, number of other people focus on enhancing the software
> to build better solutions for the dear stupid clients.

Well, my point basically was to show that one assumption, or statement,
is incorrect. Yes, user education CAN prevent this type of attack.


> As an engineer, I would make my life with less work if I simply blame
> the end user for his stupidity (which makes sense from some
> perspective). However, from the perspective of safety, we know that
> there are traps and problems that will happen and things will go
> unplanned, which is why we need to take some actions in advance,
> similar reasons why we have fire fighting systems to solve human
> mistakes should they make fire accidentally. [...]

This is a retro-active scenario, after the fact. Not preventing it from
happening, but keeping the outfall under control.

An analogy here would be, to monitor (and rate-limit) sent mail, should
one account get cracked, and abused to phish more accounts on-site.
Talking about spear phishing, sent mail *not* leaving your internal
systems is of special interest to watch.


> In my view, if we look at engineers, I see contradicting opinions (some
> are pro-human training, some are pro-software enhancing). But, if we
> look at the reality, we will see that we are adapting how the vast
> majority of humans are deciding to interact with technology. Example?
> look at firefox v2, or IE v6, they all replaced their little pop
> warnings for invalid X.509 certs for HTTPS with another alternative
> approaches: the new alternative approach is blocking the WHOLE user
> interface, with BIG SCARY RED-Background, with only a little button to
> bypass the security warning. Why? users didn't bother reading the
> warnings *shrug*, we told them to read and it didn't work, so we
> thought let's make it more obvious.

Ah, good old "go away bloody dialog" user interaction.

You wanna big fucking red sign for phishing mail? You can have it, make
it lightly trigger on bare-word matches, rewriting the Subject or even
the body just in case.

Or, tell your users to *never* write down their password or any other
account details in mail -- by policy, violation warrants getting fired
next day.


> What I have observed is improvements on the software side, but haven't
> seen improvements on human-training side; did you observe such thing?
> and were they evaluated?

No improvements seen on human training -- did you try? Is it a company
policy?


> ps: I'm using hotmail's web interface to send my stuff, it says it's
> text/plain, and things look compatible with old-school inet manners.
> lemme know if my mails are still awkward, so that I'll use another

It wraps badly. ;)  But yes, it's a proper text/plain message.

> freemail (too afraid to show my personally identifiable information --
> PII).

Your employer would not be happy to see you getting help, discussing and
evaluating methods to secure his company?

That really sounds like there has been any serious user education. Not.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

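The two controls sketched in the reply above (watching and rate-limiting internal-to-internal sent mail so that one cracked account cannot quietly phish the rest of the site, and bluntly tagging the Subject of mail that matches a short list of bare words) can be shown in a few lines. The script below is an added example and is not code from the thread or its participants; the log line format, the domain `example.org`, the window, the threshold, the word list and every log line are constructed assumptions.

```python
"""Added example (not from the original thread): flag accounts whose mail to
*internal* recipients bursts within a short window, and tag subjects that hit
a bare-word list.  Log format, domain, thresholds and the sample lines below
are all constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.org"          # assumption: the site's own domain
WINDOW = timedelta(minutes=10)           # assumption: sliding window size
MAX_INTERNAL_PER_WINDOW = 5              # assumption: internal mails allowed per window
PHISH_WORDS = {"password", "verify", "account", "login"}  # assumption: blunt word list

# Constructed, postfix-like line shape: <iso-ts> from=<..> to=<..> subject="..."
LOG_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) '
    r'from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"$'
)

# Constructed sample: alice (cracked account) mails six colleagues in five
# minutes; bob sends two internal and four external mails; one garbage line.
SAMPLE_LOG = [
    '2011-03-19T09:00:00 from=<alice@example.org> to=<carol@example.org> subject="Urgent: verify your password"',
    '2011-03-19T09:01:00 from=<alice@example.org> to=<dave@example.org> subject="Urgent: verify your password"',
    '2011-03-19T09:01:30 from=<bob@example.org> to=<erin@example.org> subject="Lunch on Friday"',
    '2011-03-19T09:02:00 from=<alice@example.org> to=<erin@example.org> subject="Urgent: verify your password"',
    '2011-03-19T09:02:30 from=<bob@example.org> to=<friend@gmail.com> subject="photos"',
    '2011-03-19T09:03:00 from=<alice@example.org> to=<frank@example.org> subject="Urgent: verify your password"',
    'this line is not a mail log entry',
    '2011-03-19T09:03:30 from=<bob@example.org> to=<friend@gmail.com> subject="more photos"',
    '2011-03-19T09:04:00 from=<alice@example.org> to=<grace@example.org> subject="Urgent: verify your password"',
    '2011-03-19T09:04:30 from=<bob@example.org> to=<heidi@example.org> subject="Re: Lunch on Friday"',
    '2011-03-19T09:05:00 from=<alice@example.org> to=<heidi@example.org> subject="Urgent: verify your password"',
    '2011-03-19T09:05:30 from=<bob@example.org> to=<friend@gmail.com> subject="even more photos"',
    '2011-03-19T09:06:00 from=<bob@example.org> to=<friend@gmail.com> subject="last photos"',
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "sender": m["sender"].lower(),
        "rcpt": m["rcpt"].lower(),
        "subject": m["subject"],
    }


def is_internal(addr):
    return addr.rsplit("@", 1)[-1] == INTERNAL_DOMAIN


def find_internal_bursts(lines, window=WINDOW, limit=MAX_INTERNAL_PER_WINDOW):
    """Return {sender: timestamp} for the first message at which a sender
    exceeds `limit` internal-recipient messages within `window`.  Only
    internal->internal mail is counted: mail leaving the site is ignored,
    since an on-site phish run stays inside the site."""
    recent = defaultdict(deque)   # sender -> timestamps inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not (is_internal(ev["sender"]) and is_internal(ev["rcpt"])):
            continue
        q = recent[ev["sender"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > limit and ev["sender"] not in alerts:
            alerts[ev["sender"]] = ev["ts"]
    return alerts


def tag_subject(subject, words=PHISH_WORDS, tag="[PHISH?]"):
    """Prepend `tag` when any bare word of the subject (case-insensitive) is
    in `words`; deliberately blunt, as the reply suggests."""
    tokens = re.findall(r"[a-z]+", subject.lower())
    if any(t in words for t in tokens) and not subject.startswith(tag):
        return f"{tag} {subject}"
    return subject


if __name__ == "__main__":
    for sender, ts in find_internal_bursts(SAMPLE_LOG).items():
        print(f"burst: {sender} exceeded limit at {ts.isoformat()}")
    for line in SAMPLE_LOG:
        ev = parse_line(line)
        if ev:
            print(tag_subject(ev["subject"]))
```

The burst detector only reports the first crossing per account; in practice that alert would feed a hold or throttle on the account's outbound queue rather than just a log line. Note that bob's four external mails never count, so an account that is merely chatty with the outside does not trip a control meant for on-site phishing.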