Re: [liberationtech] Is cryptography becoming less important?

2013-02-28 Thread Richard Brooks
> So organizations get compromised by well-meaning users who click on a
> link in an email or slip up and use an insecure connection, and while
> we can ameliorate that to a certain extent with code, we really need
> to think more about how to make it easier for users to make the
> right choices versus the wrong choices.


Too often this is phrased as users should know better. But,
to be honest, I think most anyone could be fooled by a well
planned spear-phishing attack. Last year it got RSA security,
ORNL, Lockheed-Martin, and the entire state of South Carolina.

The use of email in normal business practices far exceeds
what should be done, given the lack of authentication and
the ease of slipping malicious payloads into innocuous
looking URLs, PDFs, etc.
-- 
===
R. R. Brooks

Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: r...@acm.org
web:   http://www.clemson.edu/~rrb

--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Is cryptography becoming less important?

2013-02-28 Thread Kyle Maxwell
On Thu, Feb 28, 2013 at 5:30 PM, Richard Brooks r...@acm.org wrote:
>> So organizations get compromised by well-meaning users who click on a
>> link in an email or slip up and use an insecure connection, and while
>> we can ameliorate that to a certain extent with code, we really need
>> to think more about how to make it easier for users to make the
>> right choices versus the wrong choices.
>
> Too often this is phrased as users should know better. But,
> to be honest, I think most anyone could be fooled by a well
> planned spear-phishing attack. Last year it got RSA security,
> ORNL, Lockheed-Martin, and the entire state of South Carolina.

State-affiliated actors use this frequently, yes, as I'm sure many on
this list can attest. But if we make it more difficult for users to do
the wrong thing, then the attackers have a more difficult time.
Hopefully we eventually change the cost/benefit calculation, but
that's probably best for another separate discussion.

On topic, though, if attackers can easily convince a user to run code
through deception or similar means, then all the crypto in the world
won't matter. And I hope that the linked article missed some context,
because if Rivest et al. only realize recently that the CA PKI is
irretrievably broken, we're way behind.

-- 
Kyle Maxwell [krmaxw...@gmail.com]
http://www.xwell.org
Twitter: @kylemaxwell