Hacker News
by hire_charts 2132 days ago
There's a reason that phishing is the go-to infosec attack vector. It's because we still blame users for being tricked into doing things they shouldn't, rather than taking the time to build systems that prevent such vectors from working.

I'm happy that extensions no longer have such wide-reaching access to the system. Whatever we lost in power-user tinkerability isn't worth the high personal cost that the malicious extensions would have on the lives of unsuspecting users.

3 comments

Hmmm. Apple seems to be making that same argument over gatekeeping apps on MacOS right now. I'm not convinced.

Maybe it's time to get off the consumer train.

> Maybe it's time to get off the consumer train.

What's that supposed to mean? We put IT in everyone's hands. We're not going to be able to just take it away from them.

I don't think this sort of "security trumps everything else" approach is a valid line of argument. Surely there are tradeoffs to be made, and surely one size doesn't fit all.

As to phishing in particular, I don't agree that the issue is a lack of willingness to design resistant systems or a misguided assignment of blame. I think it's because solving that problem at scale in the real world is (or at least was) legitimately difficult. The vast majority of people in the world don't carry a YubiKey on them and probably won't any time soon. There are even users in the US that still don't have reliable access to a mobile phone! A product that doesn't work for the actual users simply isn't viable.

> There's a reason that phishing is the go-to infosec attack vector. It's because we still blame users for being tricked into doing things they shouldn't, rather than taking the time to build systems that prevent such vectors from working.

Such a system was already built in the Bronze Age: Troy.