this post was submitted on 25 Mar 2024
122 points (94.9% liked)

News

23684 readers
4562 users here now

Welcome to the News community!

Rules:

1. Be civil


Attack the argument, not the person. No racism/sexism/bigotry. Good faith argumentation only. This includes accusing another user of being a bot or paid actor. Trolling is uncivil and is grounds for removal and/or a community ban. Do not respond to rule-breaking content; report it and move on.


2. All posts should contain a source (url) that is as reliable and unbiased as possible and must only contain one link.


Obvious right or left wing sources will be removed at the mods discretion. We have an actively updated blocklist, which you can see here: https://lemmy.world/post/2246130 if you feel like any website is missing, contact the mods. Supporting links can be added in comments or posted seperately but not to the post body.


3. No bots, spam or self-promotion.


Only approved bots, which follow the guidelines for bots set by the instance, are allowed.


4. Post titles should be the same as the article used as source.


Posts which titles don’t match the source won’t be removed, but the autoMod will notify you, and if your title misrepresents the original article, the post will be deleted. If the site changed their headline, the bot might still contact you, just ignore it, we won’t delete your post.


5. Only recent news is allowed.


Posts must be news from the most recent 30 days.


6. All posts must be news articles.


No opinion pieces, Listicles, editorials or celebrity gossip is allowed. All posts will be judged on a case-by-case basis.


7. No duplicate posts.


If a source you used was already posted by someone else, the autoMod will leave a message. Please remove your post if the autoMod is correct. If the post that matches your post is very old, we refer you to rule 5.


8. Misinformation is prohibited.


Misinformation / propaganda is strictly prohibited. Any comment or post containing or linking to misinformation will be removed. If you feel that your post has been removed in error, credible sources must be provided.


9. No link shorteners.


The auto mod will contact you if a link shortener is detected, please delete your post if they are right.


10. Don't copy entire article in your post body


For copyright reasons, you are not allowed to copy an entire article into your post body. This is an instance wide rule, that is strictly enforced in this community.

founded 2 years ago
MODERATORS
top 11 comments
sorted by: hot top controversial new old
[–] betterdeadthanreddit 45 points 9 months ago (3 children)

An exclusive photo of the investigator at work:

[–] Lanusensei87 12 points 9 months ago (1 children)
[–] betterdeadthanreddit 6 points 9 months ago

What? "Donna, redeem"? You got it, boss.

$500 has been added to your balance!

[–] [email protected] 8 points 9 months ago

I immediately thought of Kitboga as the Granny character as well.

[–] Dkarma 3 points 9 months ago

Gary Larson did it better

[–] [email protected] 32 points 9 months ago

"Jim, there's no need for the dress and wig, they have no idea what you look like..."

"Please let me have this."

[–] [email protected] 9 points 9 months ago* (last edited 9 months ago) (1 children)

Sun first contacted the 64-year-old woman in February and claimed to be “Mark Cooper”, an agent with “the office of the inspector general, Federal Trade Commission”, according to court documents, the Washington Post reported.

I don't know via which mechanism the contact occurred, but I have to say that if it was via phone, the fact that we don't have any real sort of authentication system for phones is once again rearing its head. There have been a lot of high-profile examples of people getting tricked via phone, including people who are going to be in a relatively-good-position to avoid fake communications. Consider the case where Navalny tricked one of his would-be FSB assassins into believing that he was with the FSB and confessing on record -- that was an intelligence agent working in an extremely-sensitive area who probably was trained in a set of procedures and they can still get clobbered. And a number of politicians with entire organizations devoted to ensuring their security have been phone-pranked...and God knows how many have been tricked into exposing information, where it never became a news story. How is a random senior citizen going to know what can be trusted, be familiar with the existence of Caller ID spoofing? And then there's deepfakes complicating the issue. The situation with phones is an outright dumpster fire. We actually have the computational hardware at each end today to be able to legitimately do end-to-end authentication and have trusted hardware to do things like app purchases and we still don't have authenticated calls. It's ridiculous.

Then there's postal mail. Pretty much no authentication system in place. Anyone can slap an official-looking letter in an envelope.

For email, we have a few authentication systems (X.509 certs for companies, PGP certs by individuals), but they aren't widely-used outside of organizations.

Of the contact mechanisms that are widely-used, only on the Web do we have an actual, widely-deployed authentication system...and there are some kind of egregious ways to game that. People often use search engines to reach given sites; people can do things like place ads for scam sites, or just try to game the search engine's ranking criteria. The only thing that one gets even if one is using a TLS-secured connection and if the user understands how to check for that is a guarantee that the domain name in a browser's URL bar is associated with the given organization and that the fields in the certificate -- if they know how to check this and actually do, which I have never seen a user do and is inconvenient in a browser -- also match. There is no standard mechanism for various organization using domains; governments might use a .com from a company they have a contract with, official government sites may live at various locations in various places, etc.

Realistically, unless a Web browser gives some kind of sane, reasonably-non-gameable heuristic for "is this probably not some random fly-by-night organization", I suspect that even on the Web, even in the situation where the best authentication mechanisms exist, a typical person can be gamed.

I remember, years back, talking with a guy -- studying computer science at a prestigious university, probably in a vastly-better position to make security calls than most people out there -- about how vulnerable people are to attacks that trick them. I said that I was pretty sure that pretty much anyone was vulnerable; he was convinced that if people were careful, it wouldn't be a problem. I said that I was pretty sure that I could break into his computer. Thirty minutes later -- and remember, this is at target with domain expertise who has been warned within the hour that he's likely to be attacked -- I sent him a link to a file via, I think, ICQ. He clicked on it. It opened a Minesweeper game. The file had been of the form:

neat-image.jpg                                                     .exe

A lot of spaces in there, with a ".exe" hanging off the end.

At the time, the ICQ client would simply open a file locally, using Windows' database which used a filename extension to determine how to act on a file. The ICQ client didn't try and restrict the list of file types that could be opened, and at the time, it was possible to make a filename so long that the client wouldn't display the last bit.

I'd just grabbed the Windows Minesweeper binary as the quickest thing to hand, and I told him what it was, but had it been a malicious program that -- for example -- had a malicious payload and then opened an image, I doubt that a typical person would have been aware.

That particular attack isn't noteworthy -- and various types of software packages have aimed to defend against that class of attacks -- so much as the fact that I think that it really illustrates how unrealistic it is to expect the average Joe to "patch over" the security problems in software and hardware out there via rigorous behavior. If someone who has domain expertise and has immediate forewarning and where the attacker just had a few minutes to think up an attack can't deal with it, how realistic is it to expect anyone to do so?

In the US, sometimes organizations ask for some sort of secret information, like one's Social Security number or mother's maiden name or name of one's first school or one's first pet. First of all, some of those are not terribly-difficult to get ahold of anyway -- birth records are accessible to public, and it may not be too hard to figure out someone's first school or the like from looking back to see where someone or their parents were at a given point in time. But even in addition to that, various organizations don't coordinate and restrict which ones can use a given secret. So if Organization X is trying to ensure that their users are authenticated, maybe they ask for their mother's maiden name. Organization Y does the same. But that secret can't be revoked and may be shared across multiple organizations. Say that Organization X's computer system gets compromised...now someone has the secret required to get into the person's account at Organization Y.

I remember one time that I'd lost some authentication data to get into a stock broker account at a company. I didn't have enough to get in via the phone or the Web...but each exposed and required a different set of information, so that using information provided by one was sufficient to get into the other: clearly, the portion of the organization dealing with phones and the portion dealing with the Web weren't coordinating in how they did things. And that was a major stockbroker, where access to the account could mean access to millions of dollars, and correlation across their own authentication systems, somewhere where I would expect each side to be checked. It was horrifying.

And that's even before the fact that most organizations permit password resets if someone can get into someone's email, which is not always the best-secured thing in the world.

Organizations have tried to use SIM cards as a form of authentication, for lack of a better route. But then you've got SIM-swapping attacks.

What I'm saying is that security is just horrendous on most systems from the standpoint of a regular user.

You do need the human to have some sort of understanding of a system to use it securely, but what we do today is kind of foist on the user all kind of ill-defined expectations that are constantly changing and probably unrealistic.

What I think would need to be done for things to pass muster is to give people a set of maybe five simple rules, make sure that they're taught to everyone, from school on up, and as long as they follow those rules, they can't be tricked as to identity...and if software or hardware permits for them to be tricked, even if they're following those rules, then it's a bug in the software or hardware.

Even some of the better heuristics are pretty limited. "Don't trust incoming phone calls"...okay, fine. But if my bank sends me a piece of postal mail and it says "call this number"...do I do that? Because anyone can drop a letter in an envelope on an official-looking letterhead. And financial institutions that I've dealt with have contacted me via phone, and certainly sent me mail telling me to call them at a given number.

People should be able to use phones or to use email or to get a letter or to use the Web and reasonably trust that the organizations they are communicating with are actually who they say they are. The situation today is just embarrassingly bad.

We shouldn't have had this story about the detective in a wig because it shouldn't have been possible to pose to the victim as a government agent in the first place, shouldn't have even gotten to the place where the police were having to try to fix the problem.

[–] [email protected] 2 points 9 months ago

Even the DoD has been known to use texting/sim-based MFA, and they have people who work full time in SCIFs.

Definitely agree there needs to be sweeping improvements in general safety re: authentication and account access.

[–] francisfordpoopola 3 points 9 months ago (1 children)

A lady down the street had her mom get taken for $500K of gold bars. She loaded it into their car. Thought she was part of a scheme that the FBI was investigating and she was to not tell her family else it would rope her family into the group of suspects. None of it makes sense but to her it was completely believable.

[–] [email protected] 2 points 9 months ago (1 children)

Why did some random lady you know's mom have $500k worth of gold bars?

[–] francisfordpoopola 2 points 9 months ago

They had her take her retirement money, pull it out and convert it to gold because they told her it was safest that way. They said by being physical the thieves couldn't take it. The irony.

Come to think of it another old lady friend got taken for 20K but it wasn't the gold thing. I think it was just good ole graft. Sad story. Her kids took over her estate after consulting with her and are now forcing her to move into an old folks home. They are selling her home she's had for 50 years. A friend offered to buy it direct and they said nope... talk to the real estate agent. A holes.