I've worked at a number of companies. They all had phishing training that was at best useless, and often completely counter productive.

One company sent an invite to a mandatory off-site (only a city block away, but still) security training seminar to everyone in the company. The invite was sent from the training vendor, with no advance notice, and demanded employees register for the event using their company ID and password. Employees received an unexpected email from an unknown third party, demanding their corporate login credentials, and naturally reported it to IT. IT instructed HR to reprimand users for refusing to sign up for the mandatory training.

When users asked how they were supposed to know that this email was legit, IT said it was obviously legitimate because "it has the corporate logo on the letterhead". Boy, it's a good thing that scammers can't fake letterheads, that's all I can say.

Another company's IT sent out a test phishing scam to see who clicked on the link. Of course, they sent it internally using valid Exchange credentials, and the link was to an internal company server's 10.0.x.y IP address. Tech savvy users were confused why a scammer would link to an internal server, and many reported it to the corporate security head office as a breach of the internal network.

At a third company, management's emails to staff violated the phishing rules so routinely that when one employee left, at his new company, he almost fell for their phishing test, because "$COMPANY1 trained me to think that suspicious looking emails are probably legit ".

I saw one security head report to management that there was no point in doing phishing education amongst employees, because so many emails from management, IT, and HR violated the rules for proper communication that employees were continually guessing what was and what wasn't legitimate.

When users get emails with all the signs of a scam - bad grammar, mis-spelled words (including the name of the company), links to external sites, demands for corporate login credentials, threatened punishment for refusing to provide credentials - that later turn out to be legitimate IT/HR communication. When the company doesn't reprimand IT/HR for breaking email rules, but instead reprimands employees for ignoring these suspicious emails, of course they're going to not going to find phishing training effective.

If corporate communications don't follow phishing rules, why should the employees?

Years ago, I worked at a company that had won a major contract, and need to staff up rapidly. They had over 150 open positions, and at the annual town hall meeting, all the CxO types talked about the referral bonuses that were being offered, etc., and they really wanted people to spread the word.

They were not only looking for generalists, they had some specific skill sets, some of which were rare. As it turned out, I had a friend with one of those skill sets. He wasn't actively looking, but his current contract was due to expire soon and he wasn't terribly keen on renewing, so I told him about the place.

Despite the company brass practically begging staff to get people to apply, HR wouldn't actually talk to anyone who called. They were referred to the online HR portal. The portal was almost impenetrably difficult to navigate, and despite the CxOs saying they needed more than 150 people, the portal only had about 25 positions listed. Worse, none of them actually even mentioned the skill set that we were supposedly desperate for.

HR's response was "We really don't have any openings at the moment. Tell him to make sure to use project management keywords in his resume in microsoft word format, otherwise the automated system will filter out his resume". Yes, while senior management was begging for applicants, HR was turning them away, refusing to talk with them, and the only advice they would give was how to trick their own automated systems.

Guess what? HR like this is going to find that AI can get past their automated systems, while keeping applications of actual human beings from ever being seen. And I'm sure that it will be seen as a failure on the part of the applicants, not HR.

A few years ago, I had a customer freaking out because her hard disk was dying, and she couldn't do a backup. She had a Windows 10 PC with a 2TB disk, and had bought a 4TB external WD disk to back up her dying internal machine. But every time she tried to copy files, she got a Windows error saying the disk was full. The 4TB disk was properly formatted, had only 200MB of files on it, and showed 3.98TB free space, but Windows refused to copy files to it because it was "full".

As you can imagine, she was frantic, as irreplaceable data was at risk. I was called in to debug the issue, and sure enough, copies to the 4TB disk didn't work. I hooked it up to my laptop, and it was fine. Why could my PC copy files to it, but hers couldn't?

Because of OneDrive.

The error message was a OneDrive error. But she wasn't copying to OneDrive in the first place. Or was she?

It appears that when you copy files using Windows Explorer using drag and drop to another Windows Explorer, OneDrive quietly intercepts the copy, and also copies the files to OneDrive, for backup.

She was doing drag and drop between two Explorer windows. And her OneDrive was completely full, and out of space, so it couldn't take any more files. So Windows aborted the copy with any error.

Yes, because OneDrive was full, Windows prevented copying to a local hard drive.

The customer didn't even know what OneDrive was. Exiting it, and stopping it from starting up again, she was able to back up her system, but she was totally freaked out about the OneDrive "virus" that almost caused her catastrophic data loss.

And when she found out what OneDrive was, and realized that confidential, proprietary data from her customers was now on Microsoft servers, she freaked out yet again.

My only question is, why isn't there a "because it causes data loss" option in the list of reasons people want to exit it?

No, actually, I'm talking about cases where the patient had failed to respond to other treatments and then tried it as a last chance, and then recovered. A couple of the cases were quite dramatic.

That's why there are lots of doctors that are enthusiastic about it. But their experiences aren't universal, or (so far) reproducible. As I said, there have been just as many, if not more cases where it's not helped at all.

The NYT did a writeup about a doctor who initially claimed to have treated 699 patients with it with a 100% success rate. Sounds to good to be true? It is. The follow-up investigation showed that it was closer to 350 documented cases that could be traced, and 4 of them had died. Which is close to the 1% mortality rate that is normally associated with Covid-19.

Of course, that 1% is for the population as a whole; this was for 350 hospitalized patients. Which is to say, they were from the 15% that get a severe case, where the 1% is 1 out of 15, or about 6.67%. For a sample size of 350, that would normally lead to 23 deaths, so 4 deaths is a significant improvement.

Yay, wonder drug, right?

Well, not so fast. Some of the cases weren't so serious; the doctor was prescribing it in the early stages of the symptoms. So perhaps some of the 350 patients were part of the wider 80% that would recover naturally. But within that group were several that did have extreme respiratory issues that cleared up and didn't require ventilation.

Now, the doctor says that he's had great success and his patients have all recovered, which is the important thing. And, he's been treating huge numbers of patients. Obviously he's enthused about this drug and attributes his patient's recovery to it.

His methodology doesn't prove that this drug is a cure-all, but his sample size of success is significantly large to indicate that there is something. So fans of the drug point to his success and critics point to his methodology. There's something for everyone.

Of course, properly randomized, double-blind tests trials need to be run. By the time they are complete, the pandemic will be over, so the information won't be useful for the current onslaught of patients. And that's why people are looking at unscientific anecdotes as an alternative.

From what I've read about this, and I've read a lot, there are numerous documented cases where it (paired with zinc or other treatments) has absolutely been a successful treatment.

And there are just as many if not more cases where it has done absolutely nothing.

So it is neither the miracle drug that Trump has proclaimed it is nor is it just quackery. It's a YMMV drug.

It may be that it only works when the Covid-19 disease is at a certain stage. Or it may be that people that have (or do not have) certain genetic markers that make them respond to it. It might be affected by certain pre-existing comorbidities.

There have simply been too many documented cases where it has had a mitigating effect to say that there's no benefit to it. We don't know how, or under what conditions it helps, but sometimes it has.

We simply don't understand it yet. It's like the Corona virus itself in that way. Why are some people (the majority) who get it minimally affected, while others become gravely ill, and die from it?

We shouldn't dismiss it or embrace it wholeheartedly, either. We should study it, as we are, but I can understand why people in the middle of a pandemic want to rush to embrace something that's worked at least some of the time.

The CDC really made a mistake in saying that masks don't work, while concurrently complaining about a shortage of them.

Absolutely they work, or medical staff wouldn't use them.

But the CDC didn't want the general public hoarding N95 masks, which is understandable. So they said masks don't work, which of course just added to the confusion.

The thing is, it's not a question of N95 or nothing. Different masks provide different levels of protection, both from droplet and aerosol spread.

It's like social distancing. If you can't maintain a 6 foot distance, that doesn't mean it's not worth having a 5 foot distance. And a 5 foot distance is better than a 2 foot distance, etc. The same is true with masks.

Even if a non-N95 mask only cut the spread by 10%, that's 10% better than nothing, so why not add it to the list of precautions?

I don't know about RSE, but a cloned 2FA doesn't give anything away. The app is keyed to the hardware of the phone, not (just) the phone number. If you cloned my cell phone and ran my 2FA app, it wouldn't work.

This is something that users of Google Authenticator have complained about, actually. They get a new phone, have the same phone number and Google account, but the Google Authenticator won't give 2FA tokens out. Other OTP systems, like Authy, have mechanisms so that you can port it to another device, but you can only do it from a working system, ie. it won't help you if someone's done a SIM hack job on you. On the down side, you can't get into your accounts any more, but on the up side, neither can whoever stole your phone number. It's inconvenient, but it gives you time to lock down your accounts and/or inform your financial institutions that you've been hacked.

Yes, that is a very valid complaint.

Every SIM hacking story I've seen falls into one of three categories.

Either (a) the victim called the bank/eBay/Visa and got their account frozen, usually after $5K-$10K was taken or charged, and got re-imbursed, (b) they got an email from the bank/eBay/Visa telling them there had been suspicious activity on their account, that's why it was frozen, and by the way, you're not answering your phone, or (c) they had lots, possibly everything, in Bitcoin, lost it all in seconds or minutes, and are suing their phone company for the losses.

Bitcoin exchanges are not banks, and also, telephone numbers are not secure tokens. Use RSA. Get a Yubikey. Use 2FA at the very least. Relying on your phone number, which is something that is not under your control, and which is provided by vendors who don't even claim it's secure, is fraught with peril.

I've talked with my banks about SIM attacks. They all have procedures in place to minimize losses from something like this, and one of those procedures is that don't allow you to empty out your life's savings electronically. Well, if your life savings are only $2K or in that range you can, but if you have $300K in RRSPs, TFSAs (yes, I'm Canadian), or investment funds, you can't just convert that to cash and sent it to the Cayman Islands in 30 seconds from your computer. Even if you had that $300K lying around in cash for some reason, you can only send a daily limit of something like $10K or whatever.

Banks know that they have to cover the cost of fraud, so they limit the amount at risk. Bitcoin exchanges were practically designed to be untraceable. People who keep their life savings in a liquid, untraceable financial instrument like that are the prime target for SIM hackers, specifically because the victims have already done most of the work for them.

If a SIM hack swipes $10K from my bank, or changes $10K to my Visa, I take the issue up with my bank and Visa. If a SIM hack takes $10K from my Bitcoin exchange (if I had one), I can't take it up with the exchange, so I sue the middleman, the phone company. The thing is, the phone company never made me any guarantees that my phone number was secure, and suitable as a security token.

Whoops, wrong tab. I meant to post this in a thread on the issue of the problems it's having with photo radar, not the night visibility. There are numerous complaints about the new plate in addition to the night visibility issue.

I just came back from lunch, and there was a car in the lot with the new plate. I've seen the pictures of the completely unreadable plates, but the one I saw was completely legible, for whatever it's worth. Possibly there's a bad batch, or the issue occurs in different lighting conditions. But the problem may not be universal. Which, of course, only makes the problem worse, in terms of diagnosing the problem.

Here's another one. Did a number of rail-related projects in OS/2 back in 1996/1997. Although most have been replaced with newer, Windows-based systems, many are still running. The biggest problem is getting replacement hardware that OS/2 will run on.

For those who do need to do that, we've had some success with Arca, which is the latest name for the old Workspace On Demand product, ie. the post-IBM version OS/2. There's nothing really new in it; it's just that unlike Merlin, it will work on CPUs more recent than Pentium Pros, can see hard drives greater than 8GB, runs on machines with more than 64MB (yes, MB) of memory, etc.

That's not to say it will use those resources overly well, or even at all. USB devices are often still a hassle, other than keyboard/mice. But you can at least get the OS running. And it's a hell of a lot easier than trying to find a working hard drive that's smaller than 8GB to install on.

For the typical slashdotter, who already knows about 2FA, PGP, an IPSec, and has a password wallet, it won't be.

For a more typical mundane user, whose current password for the phone, the PC, the bank, and every web site is her dog's name/his favourite sports bar and maybe his/her birth year after ("to make it secure"), having a piece of hardware and using a biometric or PIN is a lot more secure. It's not better because the hardware key and a 4-digit pin are more secure than a 64 character password. It's better because because it's more secure than the painfully poor security practices that most mundanes use in real life.

There are more secure options out there for security. But the key for most end users is getting them to actually use the damned thing. Most people simply don't follow good security practices. This allows them to, without requiring them to make much effort, and they don't have to memorize anything.

I think it was "Sum of All Fears" which had a track with Tom Clancy, in what can only be called a "contractual obligation commentary". He spent the entire track slagging the producers, pointing out in painful detail where they deviated from his book (basically everywhere), explained that they had no effing clue what they were talking about ("Neo-nazis calling Hitler an idiot? Neo-Nazis worship Hitler").

When the first thing the commentator says is "I'm the author of the book with the same name as this movie, with the producers apparently only leafed through", you know it's going to be an amusing commentary

Oddly enough, there's another Bruce Campbell commentary that I'd say is even better: Alien Apocalypse. The movie is just as horribly cheesy as it sounds, but the commentary track is a completely different level. Take an at best B-movie plot, about giant termites taking over the work, with a practically nonexistent budget, and fly a few cast members to Bulgaria to make it on the cheap.

So, 90% of the cast and crew didn't speak English, and the director of this insane flick is dragging in allusions to The Godfather, Planet of the Apes, and, of all things, Spartacus. Then there's the story about the local "special effects" guy who they gave a few thousand bucks to film an explosion, not realizing he was a retired demolitions man from the Bulgarian military and could get stuff cheap. "It was at this point we realized we didn't have the option of a second take, since Vlad's little bang blew most of Set Two into the backlot of Set One..."

Hilariously bad movie. Amazingly amusing "behind the scenes" commentary track.

I used to use standalone RSS readers, but keeping work and home separate became a bit tricky. Then browsers incorporated it, and I started using the RSS support in portable Opera. There were always web-based RSS readers, but they were rarely very mature, until Google Reader raised the pair. When Google Reader died, there was a collective scream, but Feedly, Ino Reader, and others stepped up to the plate, and I don't see any indication that they will be stopping any time soon.