On Thu, Feb 28, 2013 at 5:30 PM, Richard Brooks <r...@acm.org> wrote: >> So organizations get compromised by well-meaning users who click on a >> link in an email or slip up and use an insecure connection, and while >> we can ameloriate that to a certain extent with code, we really need >> to think more about how to make it easier for users to make the >> "right" choices versus the "wrong" choices. >> > > Too often this is phrased as "users should know better." But, > to be honest, I think most anyone could be fooled by a well > planned spear-phishing attack. Last year it got RSA security, > ORNL, Lockheed-Martin, and the entire state of South Carolina.
State-affiliated actors use this frequently, yes, as I'm sure many on this list can attest. But if we make it more difficult for users to do the "wrong" thing, then the attackers have a more difficult time. Hopefully we eventually change the cost/benefit calculation, but that's probably best for another separate discussion. On topic, though, if attackers can easily convince a user to run code through deception or similar means, then all the crypto in the world won't matter. And I hope that the linked article missed some context, because if Rivest et al. only realize recently that the CA PKI is irretrievably broken, we're way behind. -- Kyle Maxwell [krmaxw...@gmail.com] http://www.xwell.org Twitter: @kylemaxwell -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech