Hacker News new | ask | show | jobs
by bluGill 817 days ago
70% of security vulnerabilities in code are memory safety issues. However the vast majority of in then wild attacks were not against security vulnerabilities but against people. No technology can protect you from someone giving out the secret keys to the attacker.
1 comments
waihtis 817 days ago
just false, if you look at most of the ransomware cases for example. This whole fixation of "human layer security" has done more harm to cybersecurity than many actually malicious things. Wasting your money and resources on training Karen from HR to spot 20% more phishing emails yields exactly the results you'd think it does.

I hope we can get out of that nonsense and tackle cyber issues with actual technological investments as it should and can be done.

link
bluGill 816 days ago
The only part of what you said that disagrees with me is the words "just false". I don't know how to ensure "Karen from HR" doesn't fall for those things, but training is clearly not enough (or at least current training, I'm not hopeful for future efforts but...). Either way, since the attack wasn't against something a programing language can protect against no amount of fixing programming languages will help.

We need come up with answers that work despite humans not being perfect. This is a hard problem. (what gets hard is sometimes someone will lose/forget a key and so you need to issue a replacement but only to the correct person)

link
waihtis 816 days ago
i wrote a different reply initially but i think we agree after all, and i misinterpreted your original post.
link
loeg 817 days ago
The technology solution here is not allowing Karen from HR to have a password at all and instead using something like Yubikey + FIDO, which can't be phished.
link
bluGill 816 days ago
Which is great until someone who might or might not really be "Karen from HR" says they lost their Yubikey and needs a new one. This workflow must exist, but it is generally easy for an attacker to get authenticated by that system.
link
loeg 816 days ago
That is a significantly higher barrier than phishing.
link
bluGill 816 days ago
often The point of fishing is to get enough info to fool that sywtem.
link