Forgot your password?

Comment: Wait a second (Score 3, Insightful) 135

You should really qualify "The Press" in these types of statements. The Press could be ABC, NBC, CBS, BBC, and many more who today claimed an 82 year old man shot a pregnant woman as a headline, when the person was both not pregnant and also committing armed robbery for at least the 2nd time against the same 82 year old man who was beaten as well as robbed. The Press could be the same crew that edited audio to make it look like a guy on neighborhood watch simply claimed to the Police that he was following a Black guy where the full audio shows he is responding to a 9/11 operator asking what race he believes the suspect was. The same media claimed that that guy was White when he's Hispanic, and portrayed the victim in a 7 year old picture to make it appear like the guy shot a little kid instead of a 6'1" nearly legal adult. All to sway public opinion (that one was for numerous purposes). The same media that interrupted a Congresswoman discussing the NSA for "breaking news" that Justin Beiber was arrested, and ensured that a twerk skank received more air time than dialogue about numerous political issues.

The media we normally see and hear IS on the same team as the government, make no mistake.

As such, I continuously wonder if there were just as many secrets before, but it's just faster to find out about their existence nowadays

To some extent I agree that this, but up until 20 years ago we had some real journalism. Nation wide every station lost their "investigative reporters" within the same couple years, and that was the end of any real journalism with any of the 3 letter media outlets.

With rare exceptions today, the only thing that get air time is propaganda.

Comment: Re:well (Score 1) 127

by s.petry (#47535649) Attached to: The Psychology of Phishing

I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.

As stated several times alrady, this is a culture problem with a company. Not an issue of security or training.

I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large.

Your opinion vocalized will ensure that it is a waste of time. I gave an example of ensuring it's not. Hell, I'm not a security trainer. I provide data to ours, and work extensively securing systems and networks. When we have training I nudge people to listen instead of making it a "waste of time" or a "coffee break" as you claim the training is.

Most people are not experts, and most people don't deal with risks every day. Showing them "hacking" is like magic to an accountant, and it's a pretty effective way of teaching.

Tell me, how many people have you had in those trainings you thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.

Wrong question to ask, followed by more of the same rubbish perpetuating your opinion.

There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.

I've had the responsibility of writing or reworking existing IT security policies, and my advise has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.

Writing policy is not the same as educating people. Two different skill sets. It's interesting that you claim to have so much knowledge yet hate to teach listen to shared knowledge, from a psychological stand point.

I'll hear you whine about depth of security policies after you have built and secured NISPOM/JFAN compliant networks. Knowing the policy is required to set them up, audit them, and maintain them. Once again, you bring up people not following or using policies which is a Culture issue and not a security or training issue.

I love security. But I think our industries approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.

Because everyone is exposed to and knows as much about security as you do right? Rhetorical question, don't answer it. Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.

Comment: Re:Rubbish (Score 1) 289

I would agree with this if, and only if, the tax is a unilateral tax and not a weapon of control by large corporations. The weaponization of taxes was used in Australia and in the US for purposes other than discouraging the use of fossil fuels.

Kraus is arguing about people preemptively ditching carbon taxes in the US which are written to primarily fund large corporations and punish smaller corporations.

Kraus is also notorious for being a bigot and a pawn for NWO the agenda, so can rot for all I care. He is one of many that perpetuate the "blame religion" mentality instead of fixing issues, while of course he gets paid speaking gigs and TV appearances.

Comment: Re:well (Score 1) 127

by s.petry (#47534115) Attached to: The Psychology of Phishing

I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.

Ahh, so you work at one of those places with horrible culture.

or all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?

Got it, you are a lively participant in the horrible culture and happy to propagate the culture.

If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with.

In 30 years of working IT (right after college which was right after the military) I have seen both good and bad. You are in a bad place with a bad culture, period. It usually takes a whole lot of new-hires and terminations to change a culture (depending on the size of the company).

As stated in a previous post, this is all behavioral psychology. When management and IT dismiss security as "stupid" and pee away opportunities to share knowledge that is a problem with management and IT. Of course accountants don't care, you are teaching them not to! Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.

Comment: Re:Citation needed? (Score 1) 162

by s.petry (#47533647) Attached to: Wikipedia Blocks 'Disruptive' Edits From US Congress

Descartes primary body of work proves how wrong you are. Lacking physical evidence does not imply that something is impossible to prove, just that you can not prove something absolutely without physical evidence.

Given the political history of the person TFA is discussing (Franklin Coverup amongst numerous scandals), I think there is enough to question whether or not he is at a minimum a pedophile worthy of being labelled an "alien reptilian baby eater".

Comment: Rubbish (Score 2) 289

This is not about "Climate Change", it's about "Carbon Tax". Carbon Taxes have been used to stifle innovation and competition, and the players that should be paying the most have been immune to the tax. That's not an issue of a tax as much as issue of corruption. That said, while so many governments are grossly corrupt a "Tax" is not going to be the answer.

As long as people like you believe in a false paradigm blaming religion (or democrat vs. republican), no corrections will be made.

Comment: Re:well (Score 1) 127

by s.petry (#47525713) Attached to: The Psychology of Phishing

Security awareness training in companies is largely nonsense.

Rubbish! If you are starting from scratch you have to lay the foundation. Jumping right into impersonal communications shows that your security team does not care, therefor the amount of people with genuine concern will never increase.

Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up.

That we agree on, but you are choosing to ignore all of the precursor psychology which is just as well documented.

And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.

It's hard to tell if you were attempting to be condescending with that first sentence. I've been working in IT for 3 decades, so have much more experience than one incident. Going beyond one example is not necessary.

Re-read my last paragraph, I point out that in SV there is a culture issue to overcome. That said, where I work currently the culture is open and honest and is in SV. Corporations can change their culture, if they try to do so.

Comment: Re:well (Score 1) 127

by s.petry (#47523971) Attached to: The Psychology of Phishing

Going by personal history here, it's easy to mistake a "stupid phisher" for a syndicate. Often they operate the same, and the syndicates do test what they sell to the "stupid phishing" people.

I'm not against what you are doing at all, but pointing out the risk which you overlooked. Definitely not something a novice should attempt.

Comment: Re:well (Score 2) 127

by s.petry (#47523557) Attached to: The Psychology of Phishing
Which is fine until your IPs start to get extra attention for fucking with people. Avoiding drug dealers in a big city is not hard once you know what to look for. I'd not recommend that people start driving by and throwing eggs at them, eventually they will get pissed and shoot someone.

Comment: Re:well (Score 1) 127

by s.petry (#47523417) Attached to: The Psychology of Phishing

People misusing or abusing a proxy server (or any other service that can be used to increase security) is a totally separate issue. I laugh at anyone claiming it makes things slower too, because you are obviously not using a proxy properly if your internet slows down. Either that or you think a single cache drive is "enough" and skimped on scaling out the service properly.

Comment: Re:well (Score 1) 127

by s.petry (#47522453) Attached to: The Psychology of Phishing

Proxy logs are not magical things, they are actually very effective in determining users that followed a phishing link. Even if the user did not report the breach themselves, the security incident would have been found (though it may have taken an hour or two as opposed to minutes.

Sadly many people think a proxy is a bad thing and believe direct access is better.

I find you lack of faith in the forth dithturbing. - Darse ("Darth") Vader