
Comment Not really surprising, and not users' fault (Score 4, Informative) 81

As a security consultant, I've run phishing campaigns for quite a few clients, usually as part of a pen test where we'd use any captured credentials as a foothold for further testing. Typically, I expect about 1-5% of recipients to click on the link and enter their credentials, with a convincing email and website combination.

Ten years ago, I might have placed most of the blame on users, for not observing obvious warning signs in the email and after clicking on the link, but these days I put the majority of the blame on the engineers and developers building the legitimate systems that those employees use.

10-20 years ago, one could be pretty sure that any credentials for a given company (let's call them "TransferLicious") would be entered somewhere in the website whose name was the one domain associated with that company ("transferlicious.com"). Over time, devs and engineers embraced vanity/novelty domains for a variety of purposes, and now the same company might legitimately have login forms on "transferlici.os", "xfrlcs.io", "transferliciousbanking.com", and so on. Those URLs might be further masked by link-shortening services.

How many enterprise/social-media single-sign-on services involve redirections to other domains? Now the problem is multiplied, because their employer uses "BlueSkies SSO", and their devs and engineers do the same thing. Am I getting sent to a login page from "blueski.es" now instead of "online.blueskies.com" because it's a phishing attack, or because a BlueSkies dev thought it would be "sick" to use a vanity domain instead?

Browser vendors have made hiding technical information from users a priority, and a huge number of users are on mobile devices that don't support things like hovering the cursor over links anyway, so there's another "how to spot a malicious link" technique down the drain.

Users shouldn't have to care about details like that in the first place, but the people building the systems and browsers have done such a terrible job that there aren't even any consistent rules that users can keep in mind. This makes it easy for me to phish people during pen tests, which is great, but it's sad from just about every other perspective.
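The comment above argues that "look at the domain in the link" stopped being a rule users can apply once companies spread login pages across vanity domains. The following is an added example (not part of the original comment) that makes the same point from the defender's side: a link-inspection routine that parses a URL the way a browser does and checks the hostname against an allowlist. The company name "TransferLicious" and its domains are the commenter's hypothetical ones; the sample links and the "login-verify.example" and "short.example" hosts are constructed for the example. The only way the check can call "transferlici.os" legitimate is if someone maintains a list of every vanity domain, which is exactly the knowledge users are being asked to carry in their heads.

```python
from urllib.parse import urlsplit

# Constructed allowlist: every domain on which the fictional "TransferLicious"
# legitimately hosts a login form (the vanity domains come from the comment).
KNOWN_LOGIN_DOMAINS = {
    "transferlicious.com",
    "transferlici.os",
    "xfrlcs.io",
    "transferliciousbanking.com",
}


def link_hostname(url):
    """Return the lowercase hostname a browser would actually connect to.

    urlsplit().hostname drops userinfo, port and IPv6 brackets, so the
    classic trick 'https://transferlicious.com@login-verify.example/' resolves
    to 'login-verify.example', not to the name in front of the '@'.
    Only http(s) links are considered; anything else is unparseable here.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def under_allowlisted_domain(host, allowlist=KNOWN_LOGIN_DOMAINS):
    """True if host is an allowlisted domain or a subdomain of one.

    The comparison is label-aware: 'transferlicious.com.login-verify.example'
    contains an allowlisted name but is not under it, and
    'nottransferlicious.com' merely ends with the same characters.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def classify_link(url, allowlist=KNOWN_LOGIN_DOMAINS):
    """Classify a link as known / unknown / punycode / unparseable."""
    host = link_hostname(url)
    if host is None:
        return "unparseable"
    # Punycode labels can render as lookalike Unicode names; treat them as
    # needing a human look even before consulting the allowlist.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    return "known" if under_allowlisted_domain(host, allowlist) else "unknown"


# Constructed sample links, as they might appear in a phishing or legitimate mail.
SAMPLE_LINKS = [
    "https://online.transferlicious.com/login",
    "https://transferlici.os/l/abc123",
    "https://transferlicious.com@login-verify.example/",
    "https://transferlicious.com.login-verify.example/",
    "https://nottransferlicious.com/login",
    "https://xn--trnsferlicious-9zb.com/login",
    "https://short.example/q7Zk",
    "javascript:alert(1)",
]


def classify_all(links=SAMPLE_LINKS):
    """Return {link: classification} for a batch of links."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in classify_all().items():
        print("%-12s %s" % (verdict, link))
```

Two things the output shows: the vanity domain is only "known" because it is on the list, and the shortened link cannot be judged at all without following its redirects, which this offline check deliberately does not do.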

Comment Re:We're becoming more and more idiots (Score 2) 92

If malicious content isn't written to disk[1], it's much less likely to be picked up by AV/antimalware components, because most of those hook into file read/write operations within the OS for their real-time protection. Additionally, this technique can sometimes be used to bypass application-whitelisting tools, if it's a tool already on the whitelist which is injecting the malicious code into process memory. That's why it's treated as something special/"magic".

Post-exploitation tools that avoid writing malicious code to disk are inherently different from more basic tools which *do* write the code to disk. If not "fileless", how would you suggest referring to them?

[1] Doesn't matter if it's magnetic media, SSD, RAM disk, etc., but it needs to be something the OS considers a "disk", not just a random place in memory.
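The comment above explains why in-memory-only payloads slip past protection that hooks file reads and writes. As an added example (not from the original comment), here is the detection-side counterpart on Linux: instead of watching the filesystem, walk a process's memory map and flag executable regions that no file-I/O hook would ever have seen, namely anonymous executable memory, memfd-backed mappings, and executable mappings of files already deleted. The /proc/<pid>/maps line format is the real kernel format; the sample map contents, addresses, inode numbers and the "/memfd:payload" and "/tmp/.x" names are constructed for the example.

```python
import re

# One /proc/<pid>/maps line:  start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*))?$"
)


def parse_maps(text):
    """Parse the text of a /proc/<pid>/maps file into a list of region dicts."""
    regions = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError("unrecognised maps line: %r" % line)
        d = m.groupdict()
        regions.append({
            "start": int(d["start"], 16),
            "end": int(d["end"], 16),
            "perms": d["perms"],
            "inode": int(d["inode"]),
            "path": (d["path"] or "").strip(),
        })
    return regions


def suspicious_exec_regions(regions):
    """Executable regions whose contents never went through a file write.

    Reported: anonymous executable memory (no backing path), executable
    memfd mappings, and executable mappings of deleted files. Ordinary
    binaries and shared libraries map from a live file and are skipped, as
    are the kernel-provided [vdso]/[vsyscall] pages.
    """
    findings = []
    for r in regions:
        if "x" not in r["perms"]:
            continue
        path = r["path"]
        if path in ("[vdso]", "[vsyscall]"):
            continue
        if path == "" or (path.startswith("[") and path.endswith("]")):
            reason = "anonymous executable memory"
        elif path.startswith("/memfd:"):
            reason = "memfd-backed executable memory"
        elif path.endswith("(deleted)"):
            reason = "executable mapping of a deleted file"
        else:
            continue
        findings.append((r["start"], r["end"], r["perms"], path, reason))
    return findings


def scan_pid(pid):
    """Read a live process map (Linux only) and return its suspicious regions."""
    with open("/proc/%d/maps" % pid) as fh:
        return suspicious_exec_regions(parse_maps(fh.read()))


# Constructed sample: a 'cat' process with libc, plus three injected regions.
SAMPLE_MAPS = """\
55d2c0400000-55d2c0401000 r--p 00000000 08:01 1311234 /usr/bin/cat
55d2c0401000-55d2c0406000 r-xp 00001000 08:01 1311234 /usr/bin/cat
55d2c1a3f000-55d2c1a60000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c021000-7f3a1c025000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c222000 r--p 00000000 08:01 1049003 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c222000-7f3a1c3a0000 r-xp 00022000 08:01 1049003 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c500000-7f3a1c503000 r-xp 00000000 00:05 4321 /memfd:payload (deleted)
7f3a1c600000-7f3a1c610000 r-xp 00000000 08:01 771234 /tmp/.x (deleted)
7ffd5e7c9000-7ffd5e7cb000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for start, end, perms, path, reason in suspicious_exec_regions(parse_maps(SAMPLE_MAPS)):
        print("%012x-%012x %s %-30s %s" % (start, end, perms, path or "(anon)", reason))
```

JIT compilers and some runtimes legitimately create anonymous executable memory, so a real deployment needs a baseline per process image; the point is that this signal exists only in memory, which is why "fileless" is a meaningful distinction for detection engineering.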

Comment I have a soft spot for the novel (Score 1) 589

I first read _Starship Troopers_ when I was maybe 10 years old. I liked the story, but the further into it I got, the more I couldn't shake a sense of unease about the whole thing. By the time I'd finished, I realized why: whether Heinlein intended it this way or not, it reads like a sci-fi action-adventure written in a parallel universe where fascism is the norm. i.e. it generally assumes that a fascist society is basically "the way things are", as opposed to commenting on whether or not it's the right way.[1]

As an adult, I find this kind of thing very valuable, because it's a great way to get inside the heads of people who truly believe in points of view that I disagree with. I'm very much *not* a fascist, but without having read Heinlein's novel, I wouldn't understand the allure of it for people who *are*.

I hated the film when it was released, because it obviously had little to do with the novel. In retrospect, I feel like Verhoeven was trying to make a film that had a similar effect on viewers to what the novel had on me, but he focused too much on the "your heroes are fascists" aspect, as opposed to the "understanding why fascism is attractive to a lot of people" aspect. i.e. he wanted the viewer to draw a very specific conclusion - that fascism is wrong. I agree with that conclusion, but I think the story is more thought-provoking if the viewer/reader is left to make their own decision about it after being transported to a world where it's normal.

[1] a few parts, like the classroom lecture on armed force, are obvious exceptions.

Comment Re:Just Looked at My PIN (Score 3, Interesting) 176

There's nothing intrinsically wrong with using a timestamp

Yes, there is, when the topic involves security (which is almost always). Unlike a well-vetted PRNG, truncating a timestamp (at either end) has no mathematical basis for producing high-entropy results.

Just about every modern programming language has a built-in mechanism for generating random numbers with high entropy. There is no reason to not use that functionality in a case like this.

Comment Re:About time! (Score 2) 266

The small percentage of the population which falls outside size norms want to pass laws requiring that they be given enough space at the same price as everyone else.

I'm well within "normal" size - 5'10", 150-160 pounds depending on the season and what kind of exercise I've been doing. I wear a jacket with 36" shoulders, and my trousers have a 31" waist.

Most of the major US airlines have seats that just barely fit me. I have flown on one (can't remember which offhand) where my hip bone was pressing into the padding on both sides of the seat simultaneously. If my hips had been any wider, I would literally have not fit in the seat.

This isn't about edge-cases. This is about airlines trying to provide accommodations that are inadequate for something like half of the population.

Comment Re:And so it begins... (Score 1) 407

You don't think it's possible that one of the manufacturers used a software/firmware-enforced lockout instead of a physical mechanism? That's basically what the designers of the Therac-25 did.

What about a lockout mechanism that was physically weak enough for the robot to break through?

IMO, the lockout mechanism for heavy machinery should physically cut the power to the entire system, but I'm not a mechanical engineer, and there may be reasons where that's not possible.

Comment Re:Juvenile psychosis only (Score 1) 249

Absolutely, and I'm very concerned that the results will be misinterpreted as a result.

I've known a number of people with schizophrenia and other psychoses, and most of them didn't develop full symptoms until their mid-20s or later. I believe this is also why the condition is not selected against as one might expect - it's very possible for someone to have children before going over the edge. Perhaps if it's caused by exposure to Toxoplasma gondii, we're actually selecting for mutations of it that don't cause symptoms until after the average age of procreation :\.

I'm not an unbiased observer, because I've seen really promising people destroyed psychologically by psychoses, but I consider the way the results were framed *extremely* irresponsible due to the age cutoff.

Comment Re:Stupid (Score 2) 1042

I agree that it's silly to spend a *lot* of time thinking about this topic. However, I think most of the discussion here is missing some obvious scenarios:

1 - We exist entirely within the simulation (the 'Holodeck Moriarty' scenario)

a - It may still be possible to escape. If I have code running in RAM on my PC, and I turn off my PC, yes, that code stops running. But if instead I migrate it to a mobile device, it can continue to run even if the PC is turned off. IIRC, virtualization software can do this sort of thing literally with an actively running system, and the OS running in that system will not "notice" that it has been migrated.

a1 - There may be some sort of VMware Tools-/Holodeck Arch-esque interface within the simulation which provides access to the simulator or the world in which it exists.

a2 - There may be flaws in the simulator which allow the equivalent of a stack buffer overflow exploit.

b - The entire goal of the simulation could be to use evolutionary algorithm-style processes to create entities with the capability and desire to escape the simulation.

b1 - Our reality could be a simulation created by entities who believe *they* are living in a simulation, and want to develop the capability to escape from it but don't know how (the 'Meta-Musk' scenario).

b2 - Our reality could be a mostly-benign test environment intended to determine if there are flaws in the security controls of a complex simulation system which will eventually be used as a sort of sandbox for something potentially really dangerous.

2 - We have physical form of some sort outside the simulation, and are simply wired into the simulator.

a - If those physical forms are fully-functioning bodies, then escaping is potentially just a matter of disconnecting (the 'Matrix' scenario).

b - If those physical forms are the equivalent of a brain in a jar, then escaping would also require transferring that into fully-functioning bodies, which would require some sort of ability to interact with devices in the "real world", or cooperation from someone in that world, but it would still be theoretically possible.

3 - Regardless of the type of simulation, it may not be actively monitored. It seems *unlikely* that entities advanced enough to simulate our reality would leave out automated protective measures, but I don't think it's *impossible*.

a - Maybe our universe is running on the equivalent of an old Pentium Pro rack server that someone forgot about in a corner of the datacenter.

b - Maybe after setting the simulation in motion, a catastrophe wiped out the entities which created it, but not their machines.

4 - To go in a completely different direction, we (the human race) still don't have a full understanding of what consciousness is. If we did, then logically we could build something with artificial consciousness from scratch, or understand with certainty why doing so was not possible. Until we do have that level of understanding, then it remains possible (however remote) that there is something metaphysical about consciousness*.

a - If there is, and it is not actually possible to create artificial consciousness, then a lot of the "reality as simulation" scenarios are pruned away, because all of the remaining scenarios require at least one "brain in a jar"/Keanu Reeves in a Giger pod (if not billions/trillions). It may even fundamentally change the probability of whether or not we're living in a simulation.

* I am not overly-fond of most variations on that scenario, because I prefer to believe that there are no barriers other than time and effort to developing a complete understanding of our universe, but I don't think it makes sense to discount it as a possibility until we actually understand how to make an artificial self-aware entity.

I'm sure there are many others that I'm not considering. It's an interesting philosophical exercise, if nothing else. I personally don't think it's worth expending actual research time on unless some compelling evidence is discovered to support it first.

Comment Re:What would you do if malware tried to break out (Score 1) 1042

If you look at the behind-the-scenes production design material for _Tron Legacy_, the "direct digitization of matter into information" laser from the first film was retconned into a system where basically the positions of each molecule were mapped, magic happens resulting in the conscious personality being transported into the computer world, and the raw matter that makes up their body is disassembled and stored in tanks attached to the device so that their body can be recreated in the physical world when they want to leave.

It doesn't explain everything, but the production crew did think about the problem you mention. Quora (sp?) is given a physical body using matter that was in those tanks.

Comment Re:How will this be viewed outside the US (Score 1) 129

Most of the reactors built to produce plutonium in the US did not generate electricity. Their sole purpose was to produce plutonium, and everything else (i.e. many gigawatts of heat that could theoretically have been used for power generation) was a waste product. IMO it's extremely misleading to refer to such a source as "spent fuel", because it implies that a typical nuclear power station's spent fuel (i.e. the waste byproduct of electrical power generation) could be used as a source of weapons-grade plutonium.

IMO it's sort of like describing orange juice as coming from "spent oranges". Yes, you have to "spend" oranges to make orange juice, but you're not going to get any substantial amount of usable orange juice from oranges that have already been "spent" in some other way.

Apparently the Russians built a number of dual-purpose reactors, so maybe the claim makes more sense in the context of that part of the world. I don't know how efficient such a system is, but AFAIK there was only ever one reactor in the US (the N Reactor at Hanford) that could produce both weapons-grade plutonium *and* electricity, and it was a political disaster (WPPSS).

Comment Re:Where is bash? (Score 1) 164

5-10 years ago I would have agreed with you. These days, IMO, it's *far* better to just run Linux in a VM if you need a Windows base OS but want access to Unix/Linux command-line tools. VirtualBox and VMware both support mapping filesystem locations within the host environment through to guests.

Cygwin is an impressive technical achievement, but it's a nightmare to install due to the archaic packaging system and installer. Certain tools (in particular, grep) perform much more poorly than running the "normal" versions in a Linux VM. Very few people typically have it installed in a given organization, so just about anything you create with it ends up being a one-off hack for your own system, not something that can be shared.

Comment Re:Seems similar to the Wen Ho Lee case. (Score 1) 113

It sounds like the FBI was probably wrong in this case, but there really is a mind-boggling amount of sensitive/classified technology exfiltration by the Chinese government. People working for them have walked off with blueprints for nuclear submarines, brand-new fighter jets, the Space Shuttle, etc. When that sort of thing happens, and then a few months later the Chinese government shows off a new fighter jet that looks suspiciously similar to one of ours, I can't entirely fault the US government for being over-protective. If you were in their position, would you want to potentially go to war with a China that had copies of all of our fanciest weapons?

That having been said, clearly there are some additional protections required against abuse, like maybe talking to someone who actually knows anything about the field the suspect works in to make sure there is really something fishy going on.

Comment Re:They want us to make it easier for them? (Score 1) 148

If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password [...]

It depends. If you use the same password on multiple systems, then it's only as secure as the least-secure of those systems. If you never change it, for all you know, someone has compromised one of the weaker links in that chain and been able to log on as you for months or years.

Comment Re:I always figured (Score 1) 220

Not all of the TSA-approved locks have both of those features.

I have a Master padlock with a single keyway that will accept either the included key or the TSA key and no "opened" indicator.

I also have a combination lock that can be opened with the TSA 004 "key", but because the "key" is an L-shaped piece of metal, it might not be obvious to everyone that that's what the hole on the bottom is for. That one also doesn't have an "opened" indicator.

FWIW, the "opened" indicator is a bit of a joke anyway. On the one TSA lock I have which has it, it's pretty easy to prevent it from being able to pop up while the TSA part of the lock is picked, and as long as it's held down until the lock is closed again, no one would be the wiser.
