Slashdot: News for Nerds

Comments

The Psychology of Phishing

s.petry Re:well (125 comments)

I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.

As stated several times already, this is a culture problem with a company. Not an issue of security or training.

I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large.

Your opinion vocalized will ensure that it is a waste of time. I gave an example of ensuring it's not. Hell, I'm not a security trainer. I provide data to ours, and work extensively securing systems and networks. When we have training I nudge people to listen instead of making it a "waste of time" or a "coffee break" as you claim the training is.

Most people are not experts, and most people don't deal with risks every day. Showing them "hacking" is like magic to an accountant, and it's a pretty effective way of teaching.

Tell me, how many people have you had in those trainings you thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.

Wrong question to ask, followed by more of the same rubbish perpetuating your opinion.

There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.

I've had the responsibility of writing or reworking existing IT security policies, and my advice has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.

Writing policy is not the same as educating people. Two different skill sets. It's interesting that you claim to have so much knowledge yet hate to teach listen to shared knowledge, from a psychological stand point.

I'll hear you whine about depth of security policies after you have built and secured NISPOM/JFAN compliant networks. Knowing the policy is required to set them up, audit them, and maintain them. Once again, you bring up people not following or using policies which is a Culture issue and not a security or training issue.

I love security. But I think our industries approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.

Because everyone is exposed to and knows as much about security as you do right? Rhetorical question, don't answer it. Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.

1 hour ago
Lawrence Krauss: Congress Is Trying To Defund Scientists At Energy Department

s.petry Re:Rubbish (265 comments)

I would agree with this if, and only if, the tax is a unilateral tax and not a weapon of control by large corporations. The weaponization of taxes was used in Australia and in the US for purposes other than discouraging the use of fossil fuels.

Krauss is arguing about people preemptively ditching carbon taxes in the US which are written to primarily fund large corporations and punish smaller corporations.

Krauss is also notorious for being a bigot and a pawn for the NWO agenda, so he can rot for all I care. He is one of many that perpetuate the "blame religion" mentality instead of fixing issues, while of course he gets paid speaking gigs and TV appearances.

3 hours ago
The Psychology of Phishing

s.petry Re:well (125 comments)

I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.

Ahh, so you work at one of those places with horrible culture.

For all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?

Got it, you are a lively participant in the horrible culture and happy to propagate the culture.

If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with.

In 30 years of working IT (right after college which was right after the military) I have seen both good and bad. You are in a bad place with a bad culture, period. It usually takes a whole lot of new-hires and terminations to change a culture (depending on the size of the company).

As stated in a previous post, this is all behavioral psychology. When management and IT dismiss security as "stupid" and pee away opportunities to share knowledge that is a problem with management and IT. Of course accountants don't care, you are teaching them not to! Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.

5 hours ago
The Psychology of Phishing

s.petry Re:well (125 comments)

Actually it's a post ordering thing. It shows _below_ your post after reloading the page, but when I added comments it was showing above your post.

5 hours ago
Wikipedia Blocks 'Disruptive' Edits From US Congress

s.petry Re:Citation needed? (148 comments)

Descartes' primary body of work proves how wrong you are. Lacking physical evidence does not imply that something is impossible to prove, just that you can not prove something absolutely without physical evidence.

Given the political history of the person TFA is discussing (Franklin Coverup amongst numerous scandals), I think there is enough to question whether or not he is at a minimum a pedophile worthy of being labelled an "alien reptilian baby eater".

6 hours ago
Lawrence Krauss: Congress Is Trying To Defund Scientists At Energy Department

s.petry Rubbish (265 comments)

This is not about "Climate Change", it's about "Carbon Tax". Carbon Taxes have been used to stifle innovation and competition, and the players that should be paying the most have been immune to the tax. That's not an issue of a tax as much as issue of corruption. That said, while so many governments are grossly corrupt a "Tax" is not going to be the answer.

As long as people like you believe in a false paradigm blaming religion (or democrat vs. republican), no corrections will be made.

10 hours ago
The Psychology of Phishing

s.petry Re:well (125 comments)

Security awareness training in companies is largely nonsense.

Rubbish! If you are starting from scratch you have to lay the foundation. Jumping right into impersonal communications shows that your security team does not care, therefore the amount of people with genuine concern will never increase.

Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up.

That we agree on, but you are choosing to ignore all of the precursor psychology which is just as well documented.

And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.

It's hard to tell if you were attempting to be condescending with that first sentence. I've been working in IT for 3 decades, so have much more experience than one incident. Going beyond one example is not necessary.

Re-read my last paragraph, I point out that in SV there is a culture issue to overcome. That said, where I work currently the culture is open and honest and is in SV. Corporations can change their culture, if they try to do so.

yesterday
The Psychology of Phishing

s.petry Re:well (125 comments)

Going by personal history here, it's easy to mistake a "stupid phisher" for a syndicate. Often they operate the same, and the syndicates do test what they sell to the "stupid phishing" people.

I'm not against what you are doing at all, but pointing out the risk which you overlooked. Definitely not something a novice should attempt.

yesterday
The Psychology of Phishing

s.petry Re:well (125 comments)

I would surely hope that is not true. Perhaps there is a segment that doesn't care

yesterday
The Psychology of Phishing

s.petry Re:well (125 comments)

Which is fine until your IPs start to get extra attention for fucking with people. Avoiding drug dealers in a big city is not hard once you know what to look for. I'd not recommend that people start driving by and throwing eggs at them, eventually they will get pissed and shoot someone.

yesterday
The Psychology of Phishing

s.petry Re:well (125 comments)

Or install ad-block and no-script and don't show her how to disable them

yesterday
The Psychology of Phishing

s.petry Re:well (125 comments)

People misusing or abusing a proxy server (or any other service that can be used to increase security) is a totally separate issue. I laugh at anyone claiming it makes things slower too, because you are obviously not using a proxy properly if your internet slows down. Either that or you think a single cache drive is "enough" and skimped on scaling out the service properly.

yesterday
The Psychology of Phishing

s.petry Re:well (125 comments)

As I replied above, it's much simpler than that. Proxy logs are used to determine who clicked a bad link.

yesterday
The Psychology of Phishing

s.petry Re:well (125 comments)

Proxy logs are not magical things, they are actually very effective in determining users that followed a phishing link. Even if the user did not report the breach themselves, the security incident would have been found (though it may have taken an hour or two as opposed to minutes).

Sadly many people think a proxy is a bad thing and believe direct access is better.

yesterday
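As an added example (not the commenter's code, nor anything from Slashdot), the following Python script shows the triage the comment describes: starting from the URL in a reported phishing email, scan the proxy's access log for every authenticated user who fetched that host, and separate users who submitted a form from those who only loaded the page or were stopped by a proxy ACL. It assumes Squid's native access.log layout with a username field; the log lines, client addresses and domains (example-corp.com and the lookalike support-example-corp.net) are constructed for the example.

```python
"""Triage a reported phishing link against proxy access logs.

Assumed layout: Squid's native access.log, whitespace-separated fields
timestamp, elapsed, client, cache-result/status, bytes, method, URL,
authenticated user, hierarchy, MIME type. The proxy's own log is enough
to find who followed the link, whether or not they reported it.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines (not real traffic); the hosts are placeholders.
SAMPLE_LOG = """\
1406120401.113    212 10.0.0.15 TCP_MISS/200 5120 GET http://support-example-corp.net/login alice DIRECT/203.0.113.10 text/html
1406120402.221     54 10.0.0.15 TCP_MISS/200 880 POST http://support-example-corp.net/login alice DIRECT/203.0.113.10 text/html
1406120455.007    120 10.0.0.22 TCP_HIT/200 9100 GET http://www.example-corp.com/ bob NONE/- text/html
1406120530.440    301 10.0.0.31 TCP_MISS/200 5120 GET http://support-example-corp.net/login?id=7 carol DIRECT/203.0.113.10 text/html
1406120600.002     44 10.0.0.40 TCP_DENIED/403 0 GET http://support-example-corp.net/login dave NONE/- text/html
"""

FIELDS = ("ts", "elapsed", "client", "result", "bytes", "method", "url",
          "user", "hierarchy", "mime")


def parse_line(line):
    """Parse one native-format line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    cache_result, _, status = rec["result"].partition("/")
    rec["status"] = int(status) if status.isdigit() else None
    # TCP_DENIED means the proxy's ACLs stopped the request before it left.
    rec["blocked"] = cache_result == "TCP_DENIED"
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    return rec


def triage(log_text, reported_url):
    """Return {user: summary} for every user whose requests hit the reported host."""
    target = (urlsplit(reported_url).hostname or "").lower()
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != target:
            continue
        entry = findings.setdefault(rec["user"], {
            "first_seen": rec["when"], "allowed": 0, "blocked": 0,
            "posted": False, "clients": set()})
        entry["first_seen"] = min(entry["first_seen"], rec["when"])
        entry["clients"].add(rec["client"])
        if rec["blocked"]:
            entry["blocked"] += 1
        else:
            entry["allowed"] += 1
            # A POST to the phishing page is the strongest sign that a form
            # (usually a credential prompt) was actually submitted.
            if rec["method"].upper() == "POST":
                entry["posted"] = True
    return findings


def prioritized(findings):
    """Order users for response: likely credential submission first, blocked last."""
    labels = {
        0: "credentials likely submitted: reset account, check mailbox rules",
        1: "page loaded, no POST seen: confirm with user, watch the account",
        2: "blocked by proxy ACL: no exposure, note for awareness metrics",
    }

    def severity(item):
        user, e = item
        level = 0 if e["posted"] else (1 if e["allowed"] else 2)
        return (level, e["first_seen"], user)

    ordered = sorted(findings.items(), key=severity)
    return [(user, labels[severity((user, e))[0]]) for user, e in ordered]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "http://support-example-corp.net/login")
    for user, action in prioritized(result):
        e = result[user]
        print(f"{user:6} first={e['first_seen']:%Y-%m-%d %H:%M:%SZ} "
              f"allowed={e['allowed']} blocked={e['blocked']} "
              f"clients={sorted(e['clients'])} -> {action}")
```

Matching on the hostname rather than the full URL matters because phishing pages commonly append per-recipient query strings; the `?id=7` line above is still attributed to carol. The ordering puts the user who sent a POST first, since that is the account most likely to need an immediate reset, while a TCP_DENIED hit records the click without any exposure.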
The Psychology of Phishing

s.petry Re:Not everyone is train-able (125 comments)

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

I agree, but those are not people you want working for you if you are concerned about security.

Not that people are stupid - no, as far as I am concerned, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in

I think that you and I have different definitions of intelligence (mine matches the dictionary). If a person does not care, or is lazy in terms of security, that has nothing to do with intelligence. An intelligent person that cares can easily learn. An intelligent person that does not care will perform questionable acts, and not just in terms of phishing campaigns. A lazy person will filter security messages to junk and never read them.

Making people care about security takes work, and making sure they review security bulletins takes work. Reward vs. punishment systems are a juggling act, but this is true in any behavioral science.

It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource

If the dangers of social media are not part of your security awareness campaigns in the office, you need to have your security team add this to their normal message campaigns. It does not take paranoia by end users to catch phishing attacks, it takes awareness. I.E. "Our company will never ask you for personal information on a social media site. We will never ask for your login name or password on the phone. If you receive such a request contact security at [some extension] immediately, preferably while the person making this request is on the phone." or how about "Want a free lunch? Report questionable content to security and if it's a campaign to cause damage we'll buy you lunch." and finally "Send suspect phishing emails to security, be entered for a raffle to win dinner with the CEO/attend a game in our suite at the Shark Tank, etc...." There are many ways to mold behavior.

Further if you are a company that does take login names and passwords over the phone or asks for people's personal social media information, change your friggin policies immediately! That is not a problem with uneducated users, that is a problem with horrible company policies and practices.

No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost on a daily basis, and the local level network will get breached

I have seen too many examples where this is simply not true. Companies that skimp on acquiring and maintaining a good security team and enforcing internal training are the biggest victims. Where I work currently we have regular training, and even though we experience regular phishing attacks people are not giving out data. It's only 600 employees, but we still see 0 successful phishing attacks.

I'd be willing to bet that any company you claim is "good" yet gets regularly victimized by phishing attacks receives little to no regular security training. And "NO", an email from security that requires no follow up is not "training". Annual face to face meetings with security are similarly not training. Even in a place where users have been well trained quarterly is a minimum, and while working to train users this should be monthly at a minimum. Make the training mandatory, but buy your people lunch for attending. If you let people skip training you are teaching them that it does not matter, so your company needs to ensure a zero tolerance policy for this training. This is all pretty basic psychology for behavior training.

yesterday
The Psychology of Phishing

s.petry Re:well (125 comments)

Sometimes yes, but not always true. Sure, "Free Porn" will get a whole lot of clicks, especially from uneducated people (who are usually schooled shortly thereafter by the spammer).

Professional phishing is geared to make it look like something the target company sent out. Working in DOD for about a decade, I saw some exceptional work. They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

How are spammers successful so often? Simple, companies don't train people.

At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated. 3-4 questions were enough to ensure people at least skimmed the content. Before you get anal about productivity, the email was a 2 minute read max, so even if you had to read it twice to answer the few questions it was a whopping 5 minutes out of your Friday.

We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once, and we had professional campaigns run against us several times a year.

Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average"). Since their people lack training, it's not uncommon to see 10% success in a phishing campaign. Compounding the problem, people often won't report the breach until it's too late if they report the incident at all (cultural issue with many companies in SV).

2 days ago
Researchers Test Developer Biometrics To Predict Buggy Code

s.petry Re:This ... from the people who brought you Window (89 comments)

Is there any company on earth that treats its customers with more contempt than Microsoft?

Comcast? AT&T? Anyone associated with the MPAA/RIAA?

2 days ago
Researchers Test Developer Biometrics To Predict Buggy Code

s.petry This and more (89 comments)

Once again we have some big sister/brother company/government claiming that they can do the impossible with biometric data. They don't address the primary source of the problems, which you lay out in detail.

Why was security skimped on in the code? Funding.
Why did funding get dropped? So that someone could get a bonus.
Who was the person that had the demo code for security? Canned to save budget.
Can't our Outsource code it? Not in their contract or business statement.

None of those issues are the coders' fault, and this is the majority of our "shitty" code today. Piles and piles of shit so that someone in the management chain (or several someones) can get bonuses/raises/justify their existence in a company.

I'll give an alternate method of finding better targets for biometric scanning. Randomly sample executive and management emails. If you can win buzzword bingo in 2 or less random emails, you have a valid target. Build a "shifty eye" detector into power point, and there ya go!

3 days ago
Why Are the World's Scientists Continuing To Take Chances With Smallpox?

s.petry Re:The problem is... (189 comments)

Except that Smallpox is not a WMD, so "weaponized" smallpox is not a deadly disease if the person who contracted it receives very _basic_ medical treatment.

As an educated guess, the study into smallpox has been to figure out why it is so contagious so that we can build our own great contagion. Merge the contagious properties of smallpox with the payload of Ebola and then you have a weapon.

Sad that we spend so much money learning how to kill each other instead of figuring out how to advance society, but this is the reality that people continue to buy in to.

3 days ago
No RIF'd Employees Need Apply For Microsoft External Staff Jobs For 6 Months

s.petry Question for someone with Legal? (275 comments)

If you do not sign an agreement when hired, is it legal for Microsoft to bar employment after termination? While it's surely possible that MS makes many sign such an agreement at hire time, for those that don't I'd be contacting a Lawyer for a class action lawsuit.

3 days ago

Submissions

Slashdot Beta Woes

s.petry writes  |  about 6 months ago

s.petry (762400) writes "What is a Slashdot and why the Beta might destroy it?

Slashdot has been around, well, a very long time. Longer than any of its competitors, but not as long as IIRC. Slashdot was very much one of the first true social media web sites.

On Slashdot, you could create a handle or ID. Something personal, but not too personal, unless you wanted it to be. But it was not required either. We know each other by our handles, we have watched each other grow as people. We may have even taken pot shots at each other in threads. Unless of course you are anonymous, but often we can guess who that really is.

One of Slashdot's first mottos was "News for Nerds" that Matters. I have no idea when that was removed. I have not always scoured the boards here daily, life can get too busy for that. That excuses my ignorance in a way. I guess someone thought it politically incorrect, but most of us "Nerds" enjoyed it. We are proud of who we are, and what we know. Often we use that pride and knowledge to make someone else look bad. That is how we get our digs in, and we enjoy that part of us too. We don't punch people, we belittle them. It's who we are!

What made Slashdot unique were a few things. What you will note here is "who" has been responsible for the success of Slashdot. Hint, it has never been just the company taking care of the servers and software.

— First, the user base submitted stories that "they" thought mattered. It was not a corporate feed. Sure, stories were submitted about companies. The latest break through from AMD and Intel, various stories regarding the graphic card wars, my compiler is better than your compiler, and yes your scripting language stinks! Microsoft IIS has brought us all a few laughs and lots of flame wars to boot. Still, we not only read about the products but get to my second point.

— User comments. This is the primary why we have been coming here for as long as we have, many of us for decades. We provide alternative opinions or back what was given in the article. This aspect not only makes the "News" interesting, but often leads to other news and information sharing. It's not always positive, but this is the nature of allowing commentary. It also brings out the third point.

— Moderation. Moderation has been done by the community for a very long time. It took lots of trial and error to get a working system. As with any public system it's imperfect, but it's been successful. People can choose to view poorly modded comments, but don't have to. As with posting anonymous versus with our own handle it's an option that allows us to personalize the way we see and read what's on the site. And as a reward for submitting something worth reading, you might get a mod point of your own to use as a reward for someone else.

Why we dislike Beta and what is being pushed, and why this will result in the end of an era if it becomes forced on the community.

1. Bulky graphics. We get that Dice and Slashdot need revenue. I have Karma good enough to disable advertisements, but have never kept this setting on. I realize that Slashdot/Dice make money with this. That said, the ads sit away from my news and out of the way. I can get there if I want it (but nobody has ever gotten a penny from me clicking an ad... nobody!), but it's not forced into my face or news feed.

2. Low text area. I like having enough on my screen to keep me busy without constant scrolling. Slashdot currently has the correct ratio of text to screen. This ratio has never been complained about, yet Beta reduces the usable text area by at least 1/2 and no option for changing the behavior. I hate reading Slashdot on mobile devices because I can't stand scrolling constantly.

3. JavaScript. We all know the risks of JS, and many of us disable it. We also have an option of reading in Lynx or non-standard browsers that many of us toy with for both personal and professional reasons. This flexibility is gone in Beta, and we are forced to allow JS to run. If you don't know the risks of allowing JS to run, you probably don't read much on Slashdot. Those that allow JS do so accepting the risk (which is admittedly low on a well known site).

4. Ordering/Sorting/Referencing. Each entry currently gets tagged with a unique thread ID. This allows linking to the exact post in a thread, not just the top of the thread. In Beta this is gone. It could be that the site decided to simply hide the post ID or it was removed. Either way, going to specific posts is something that is used very commonly by the community.

5. Eye candy. Most of us are not here for "eye candy" and many have allergic reactions to eye candy. Slashdot has a good mix currently. It's not as simple as the site starting with a r-e-d-i-t, which is good. That site has a reputation that keeps many of us away, and their format matches my attitude of them (s-i-m-p-l-e-t-o-n). At the same time, it's not like watching some other "news" sites with so much scrolling crap I can't read an article without getting a headache. The wasted space in beta for big bulky borders, sure smells like eye candy. Nothing buzzes or scrolls yet, but we can sense what's coming in a patch later.

The thing is, the community cares about Slashdot. We come here because we care. We submit stories because of that, we vote because of that, we moderate because of that, and we comment because of that. At the same time we realize that without the community Slashdot loses most of its value. We respect that we don't host the servers, backup the databases, or patch the servers. Slashdot/Dice provide the services needed for Slashdot.

It's a give give relationship, and we each get something in return. Slashdot gets tons of Search hits and lots of web traffic. We get a place to learn, teach, and occasionally vent.

Look, if you want to change default color scheme or make pre-made palettes for us to choose from, we would probably be okay with that. If you want to take away our ability to block ads by Karma, or move the ads to the left side of my browser window, I would be okay with those things too.

If you want to make drastic changes to how the site works, this is a different story all together. The reason so many are against Beta is that it breaks some of the fundamental parts of what makes Slashdot work.

User input until recently has not been acknowledged. The acknowledgment we have received is not from the people that are making the decision to push Beta live. We told people Beta was broken, what it lacked, and we were rather surprised to get a warning that Beta would be live despite what we told people. People are already making plans to leave, which means that Slashdot could fade away very soon.

Whether this was the goal for Dice or not remains to be seen. If it is, it's been nice knowing you but I won't be back. A partnership only works when there is mutual respect between the parties. A word of caution, us Nerds have good memories and lots of knowledge. The loss of Slashdot impacts all of Dice holdings, not just Slashdot. I boycott everything a company holds, not just the product group that did me wrong.

If that was not the goal of Dice, you should quickly begin communicating with the user base. What are the plans to fix what Beta has broken? Why is Beta being pushed live with things broken? A "Sorry we have not been communicating!", and perhaps even a "Thank you" to the user base for helping make Slashdot a success for so many years."

Limiting debate in science, is it still science?

s.petry writes  |  about 10 months ago

s.petry (762400) writes "We knew that this was coming, but I'm sure many of us thought that science would be immune to censorship. Perhaps not. I was not surprised that it happened on Boing Boing, but on a "science" site I never expected it (at least not this quickly).

These decisions may smack some as subjective or even malicious. After all comments are arguably the digital age response to print's "letter to the editor" — and they often contain criticisms of the article ranging from grammatical errors to factual oversights. Some may view the decision to ban comments as a form of censorship, a means for writers to escape any sort of visible accountability among their audience.

While that statement does not get to the meaty subject of real trolling and sock puppets, it does beg a very important set of questions. Especially when the reason for Popular Science from them claims:

And because comments sections tend to be a grotesque reflection of the media culture surrounding them, the cynical work of undermining bedrock scientific doctrine is now being done beneath our own stories, within a website devoted to championing science.

As the article points out, Science is not about doctrine. Science is about methods of proof. Science also requires collaboration and gets much better when numerous minds work on and debate the Science.

Is censorship the right direction, or is finding more intelligent ways of reducing sock puppets and trolls through moderation?"

Journals

s.petry has no journal entries.
