by waihtis 816 days ago
just false, if you look at most of the ransomware cases for example. This whole fixation of "human layer security" has done more harm to cybersecurity than many actually malicious things. Wasting your money and resources on training Karen from HR to spot 20% more phishing emails yields exactly the results you'd think it does.

I hope we can get out of that nonsense and tackle cyber issues with actual technological investments as it should and can be done.


The only part of what you said that disagrees with me is the words "just false". I don't know how to ensure "Karen from HR" doesn't fall for those things, but training is clearly not enough (or at least current training; I'm not hopeful for future efforts, but...). Either way, since the attack wasn't against something a programming language can protect against, no amount of fixing programming languages will help.

We need to come up with answers that work despite humans not being perfect. This is a hard problem. (What gets hard is that sometimes someone will lose/forget a key, so you need to issue a replacement, but only to the correct person.)

I wrote a different reply initially, but I think we agree after all, and I misinterpreted your original post.
The technology solution here is not allowing Karen from HR to have a password at all and instead using something like Yubikey + FIDO, which can't be phished.
Which is great until someone who might or might not really be "Karen from HR" says they lost their Yubikey and needs a new one. This workflow must exist, but it is generally easy for an attacker to get authenticated by that system.
That is a significantly higher barrier than phishing.
Often the point of phishing is to get enough info to fool that system.