Hacker News new | ask | show | jobs
by betterunix 4864 days ago
"no alternative way of dealing with the phishing attacks effectively"

How about not using passwords? All students, staff, and faculty should have ID cards; start issuing smartcards, and start using cryptographic techniques to authenticate users. Also, digitally sign all official mail, and instruct the users to check those signatures.

These are not insurmountable problems. The real issue is that the IT team is not willing to push for a real solution, and instead went for a bandaid on a broken leg.
4 comments
pfortuny 4864 days ago
Your solutions do not take into account the main problem with the security department: budget. There is a huge budgetary crisis in ALL european universities at this moment, including Oxford and Cambridge.

I bet if they ask for the resources to implement all those solutions, they will be told: find something at zero cost, I repeat zero-cost. Roger that?

Not that I agree blocking google docs is reasonable, just pointing out the problems with your suggestions.

link
huhsamovar 4864 days ago
>Your solutions do not take into account the main problem with the security department: budget. There is a huge budgetary crisis in ALL european universities at this moment, including Oxford and Cambridge.

False.

link
Semaphor 4864 days ago
> How about not using passwords? All students, staff, and faculty should have ID cards; start issuing smartcards, and start using cryptographic techniques to authenticate users.

Costs. At my university (though of course slightly smaller than Oxford) that would never work.

> Also, digitally sign all official mail, and instruct the users to check those signatures.

Have you met users? That's as good as saying they shouldn't be idiots and never enter their credentials in a site linked in a mail. If that would work all anti virus vendors could close shop.

link
EwanToo 4864 days ago
I also wonder why so many phishing emails are getting through the university spam filters - a slightly better solution might of been to remove links in external emails that point to docs.google.com.

But anyway, I don't want to start slagging off a particular team that I've never met - maybe they wanted to do all sorts of other, smarter, things and weren't allowed, and maybe they'll be allowed to do them now..

link
jacques_chester 4864 days ago
> I also wonder why so many phishing emails are getting through the university spam filters

It's usually customised for each university.

link
EwanToo 4864 days ago
I can believe it, I just don't know why it's not been customised to react to links to docs.google.com if it's such a high volume issue.

It's not a trivial problem by any means, but from the network security team's blog it doesn't seem like they've taken many of the steps that I'd expect prior to cutting off a very high traffic website.

link
jacques_chester 4864 days ago
Time.

There's the nice clever intelligent solution which could be developed over a few weeks, or there's the fact that the phishers have decided -- for whatever reason -- to go apeshit today.

link
EwanToo 4864 days ago
True, but in this case it seems like it's not a particularly new problem, just something that they've finally reacted to?

They actually mention sinkholing spreadsheets.google.com in this post from August 2011 [1], they actually say "There are also some forms which are more difficult to block ( I don’t think we’d be too popular if we sink-holed spreadsheets.google.com for example)".

So they've had the issue for years.

1 - https://blogs.oucs.ox.ac.uk/oxcert/2011/08/12/the-price-of-p...

link
rmc 4864 days ago
instruct the users to check those signatures.

People fall for 419 phishing scams. What makes you think they are able to check for digital signatures.

link
betterunix 4864 days ago
Their email client can do it automatically. Basically, you just need to tell them, "Official emails will always have a big, green border around them."

Also, the number of people who fall for 419 scams is fairly low, just barely above the threshold of profitability. The reason people are shocked when they hear that anyone falls for such scams is that hardly anyone does. There is a hypothesis that 419 scams are designed to be obvious, because it helps in filtering potential victims: anyone who would be naive enough to reply is an easy target.

I think a broader problem is that most people are not just unaware of cryptography, but they use an email client that has no support for checking digital signatures. Webmail is by far the most popular email client type, but many popular webmail systems have no support for digital signatures at all, not even checking them for validity. It would be a lot easier to tell people to check for a digital signature if that meant looking for a border color, or a big gold star, or if hovering over/clicking on a link in an unsigned message displayed an annoying warning but no warnings were displayed in signed messages; sufficiently annoying warnings do help in making cryptosystems more effective in practice:

https://bugzilla.mozilla.org/show_bug.cgi?id=460374

link
rmc 4864 days ago
Their email client can do it automatically. Basically, you just need to tell them, "Official emails will always have a big, green border around them."

You then have 2 problems: (a) What email clients will support it and (b) con artists will just put big green borders around their spam emails.

link
betterunix 4863 days ago
Further proof that HTML mail is a terrible idea...

(Edit: It is also conceivable that a client could put another prominent border around HTML mail, to mitigate the issue somewhat.)

link
rmc 4862 days ago
Heh, and you think people will be able to tell the difference between HTML email with a border, and the border around certified email.
link