squishymage42,
@squishymage42@dice.camp avatar

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/

Fun reading about how even @pluralistic falls for phishing sometimes thanks to all the enshittification of getting in touch with necessary services making us less likely to catch the red flags.

I've clicked on a few of my office's "phishing tests" which at least gets me more "watch this social engineering info video" even if the videos are so bad that you can't help but zone out.

#Tech #Phishing #Scams

kurtseifried,

@squishymage42 @pluralistic what happens when you get emails and ignore the links and then are later told that they were not phishing emails and that you were supposed to click on that link and do some work? Literally everybody who gets email for work-related purposes gets email with links they’re supposed to click. This is such a farce. If clicking the link and interacting with it causes your IT to get hacked, that’s on your IT, not you.

squishymage42,

@kurtseifried @pluralistic I mean, understanding that the average person has valid credentials that can be tricked out of them is one of the problems IT has to be aware of and work to mitigate.

Only so many ways to mitigate that problem, and many of them make daily work more of a hassle for the legitimate user (thinking of certain ways to do MFA)

kurtseifried,

@squishymage42 @pluralistic strong disagree. MFA can be done very painlessly. Most places pick 10-20 year old technology that has low usability.

squishymage42,

@kurtseifried @pluralistic Can be, but oftentimes isn't. Like the MFA on my work computer has glitches if I have multiple windows open when the 23-hour MFA clock runs that can cause me to have to reauthenticate once for every window before any of them allow me to do anything.

(Problem with Office 365 I think)

squishymage42,

@kurtseifried @pluralistic That one is reentering a password on my computer, then awaiting a notification on my phone, so relatively painless if it worked right the first time.

But means that taking my laptop into places I'm not allowed to have a cell phone (because the IT department imposed a requirement without thinking through all user scenarios) has to be planned and thought through because I can't trigger MFA early. (Which becomes a pain point)

kurtseifried,

@squishymage42 @pluralistic it sounds like you have a terrible IT department that makes bad decisions OR can’t explain them properly, then there is the apparent lack of a feedback mechanism for you to use. I don’t implement any security unless I can clearly explain why to users. A perfect example: when we set up Zoom I locked down the screen control feature, because the security controls weren’t very good on it many, many years ago. One of our people pointed out that the screen control feature would be perfect for doing internal support, and that there are better controls on it now. So I looked at the controls, and indeed they are better, and the ability to lock it down to within the use of our account only is possible, and so I enabled it and posted an email internally, thanking her for doing the research and pointing out that it is relatively safe now, resulting in a change that gives us a new capability to better and more easily support users.

That’s what IT is supposed to look like in my opinion.

squishymage42,

@kurtseifried @pluralistic The IT department I actually speak with is good, they just have to deal with state policies that come from outside our section.

Overall, within state government, my combination of "computer contains sensitive PII" and "Computer must be taken into corrections facility where the MFA becomes a pain" is an outlier. So I see how my section's feedback got weighed less over cost issues and other considerations.

kurtseifried,

@squishymage42 @pluralistic see, I would see this as an opportunity to both potentially fix a reasonably common corner case (lots of people work with and in the justice system), and solving it would solve situations for other people (e.g. their phone runs out of battery or whatever).
