
Thread: Experts: 'Phishing' more sophisticated

  1. #11
    Junior Member
    Join Date
    Jan 2005
    Posts
    9
    You have a valid point, zencoder. I think you'll still agree that there is a serious problem here, though... what would your proposed solution be? Humanity has always been the weak link in the chain, whether through valid error, ignorance or maliciousness... there has to be some kind of mitigating system we can apply.

  2. #12
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Actually there are much better commercial systems that can aid in authenticating the email for the user automatically (or just using digital signatures but there is an education issue here that the businesses cannot solve). I'll look em up later and post on them.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  3. #13
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    what would your proposed solution be?
    There is no and never will be a 100% solution. That's something I think we'll have to accept. As time passes, technology becomes more complex and the attacks become more complex. People are licensed and trained every day to drive cars safely and yet, on a daily basis, people get killed due to DUI, speeding, poor driving habits, etc.

    Does that mean we shouldn't try? No. We should keep trying. The key here is that we mitigate our risks as much as we can by educating our users (a video that runs when the user first starts the machine and can't be turned off might be one way of "encouraging" users to pay attention). Additionally, getting the media to publish stories that have proper facts and hints would also be good. Moxnix is right in that it needs to be a layered approach.

    I don't know if society is ready for a physical device option yet and don't know if it's practical. Neither is a wide-spread biometric option (fingerprints are too easily circumvented and abused; iris scanning is too costly for personal usage as are RSA token generators).

    Whatever is used to mitigate these problems has to be flexible enough to adapt to new technologies which is why, IMO, a certain level of constant education (through a variety of media) would be a good place to start.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #14
    Junior Member
    Join Date
    Mar 2003
    Posts
    12
    This is a wild run, the original post said "it was to tweak your interest" and it sure did. Read Antionline, that's what it is all about folks....

  5. #15
    Junior Member
    Join Date
    Oct 2004
    Posts
    1
    ok, you're all missing one fundamental thing:

    Humans are stupid.

    Ok, your average person does not THINK it will happen to them, therefore they zone out and do not pay attention. There is a really simple fix: let them experience it.

    Say you are a company and educating your employees about SEing. A lecture only goes so far, after that, you gotta show the employee that it CAN happen to them. Have a tech call up each employee one after another and attempt to get some sensitive info out of them using social engineering techniques. If they succeed, then talk to them about it and warn them not to fall prey in the future. Furthermore, if you're really worried about it, you could take it even further, and play a "prank" on your employees, keep going through with it, call these people in and inform them that they have caused so and so SE to gain sensitive info and the company has lost so and so amount, really play it up and get the gravity of it hammered into their head. At the point they look like they are ready to faint from distress, let them in on it and say to remember that this could happen for real.

    As far as home users, there's not much you can do. Companies (eg: bank or whatever), simply need to say that if the attack could have been easily prevented by following the guidelines they set out (they will need to set some out) they will not get any compensation back, even if the phishers are caught. This will firstly get the user's attention, as they do not want to lose money, and secondly no need for expensive and futile advertising campaigns against phishing (keep it at an acceptable low to get the message across to those who will listen, but not waste time on those who won't). Once a user is scammed, they will have learned their lesson, if a user hears a first hand account from one of his/her friends, he's also more likely to listen. Humans learn from their own mistakes, the more distant the warning is, the less impact it will have. In order to truly get through, the user victim needs to experience it for themselves.

  6. #16
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Blunt as he is, I think VorTexx has the right idea. I don't mean we should abandon all hope and give up *trying* to educate, but let them experience the frustration of dealing with this. It *is* nice to be able to say "I told you so" every now and then.

    As I've said, is it really a bad thing if some people are dissuaded from using the Internet, if they can't be bothered to learn a few practical tips about security and netiquette? I swear to GOD I'm tired of getting the (L)user mail about "this cookie recipe from Neiman Marcus" or "Bill Gates will send you money" or...well you all know. I'm sure you've seen them once or twice.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
