[Cryptography] bad advice, was New SSL/TLS certs

Kent Borg kentborg at borg.org
Tue Apr 22 09:02:02 EDT 2025


On 4/21/25 7:15 PM, John Levine wrote:
> No, that's not the reason. Endless failures have told us that trying
> to train users just does not work.

We have never tried.

First, there /is/ a powerful contingent that insists that only a 
technical solution is acceptable and that it is wrong to try to educate. 
Literally, I have heard this argument repeatedly; they call any 
education "blaming the user". Trying to teach people to swim when there is 
a crowd screaming that swimming is impossible is hard.

Second, when we have tried to educate we have done it terribly. One job 
I had, at a company with almost all technical employees, spent a lot of 
money for some fancy training program for new hires about phishing, and 
it was entirely based on superficial aspects of e-mails, things like how 
good the spelling is or whether there was a contrived urgency. Never did 
they mention things like "Where did the e-mail come from, is it where 
the e-mail pretended to come from?" or "Do the links in the e-mail match 
the purported sender?". Never did they advise to not enter 
authentication credentials in response to a link in an e-mail, to 
instead log into the account in question using a known good URL, and 
then click in the e-mail link that pretends to be for that account.

But they could /not/ train on these aspects, because the company itself 
sent legitimate e-mails that looked like phishing. They hired services 
that sent e-mail to new hires that pretended to be from one entity but 
were sent by another. And they sent e-mails where there was no way to 
independently log in other than via the link in the e-mail.

I currently have at least one account with a bank that sends me e-mails 
where I have no choice but to type login credentials in response to an 
e-mailed link.

We are doing anti-training by sending non-phishing e-mail that looks 
like phishing.

Third, even if we had done some decent user education, it would take 
time and would be imperfect... handy excuses for arguing "just does not work".


Building insecure systems is /profitable/. Companies that have had 
/massive/ breaches only have little blips in their business. Look at 
CrowdStrike: did their failure last July hurt their stock price for more 
than a few weeks? No! Of course user education isn't important enough to 
actually do.

-kb
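The two checks Kent says the training never covered, where the mail 
actually came from and whether its links match the purported sender, 
written out as an added example; this is not part of the original 
message or of any training product it mentions. Both messages it 
inspects are constructed for the example and every domain, address and 
IP in them is a placeholder; the registrable-domain helper is a 
last-two-labels approximation, not the Public Suffix List.

```python
# Added example: do the headers and links agree with the From: domain?
import ipaddress
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message, all placeholders: envelope sender, Reply-To and
# both links disagree with the From: domain the reader is meant to trust.
SUSPECT_EMAIL = """\
Return-Path: <bounce@mailer-example.net>
From: "Example Bank" <alerts@examplebank.com>
Reply-To: support@examplebank-login.com
To: customer@example.org
Subject: Action required on your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="https://examplebank.com.account-verify.example.net/login">log in</a> to confirm your details.</p>
<p>Or visit <a href="http://203.0.113.7/ebank">https://www.examplebank.com</a>.</p></body></html>
"""

# Constructed message from the same sender with everything consistent.
CLEAN_EMAIL = """\
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.examplebank.com/">examplebank.com</a>.</p></body></html>
"""

def base_domain(host: str) -> str:
    # Assumption: registrable domain = last two labels.  Production code
    # should use the Public Suffix List (co.uk, com.au, ...).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def addr_domain(header_value) -> str:
    """Domain of the first address in a header value."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class _LinkParser(HTMLParser):
    # Collects [href, visible text] for every <a> element.
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
            self.links.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def extract_links(html: str) -> list[tuple[str, str]]:
    parser = _LinkParser()
    parser.feed(html)
    return [(href, text.strip()) for href, text in parser.links]

def audit(raw: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings; empty means nothing contradicts From:."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = addr_domain(msg.get("From", ""))
    findings = []
    # Where did it come from?  Return-Path is the envelope sender and
    # Reply-To is where a reply really goes; both should match From.
    for hdr, code in (("Return-Path", "return-path-mismatch"),
                      ("Reply-To", "reply-to-mismatch")):
        value = msg.get(hdr)
        if value and base_domain(addr_domain(value)) != base_domain(from_dom):
            findings.append((code, f"{hdr} {addr_domain(value)} vs From {from_dom}"))
    # Do the links match the purported sender?
    body = msg.get_body(preferencelist=("html",))
    for href, text in extract_links(body.get_content() if body else ""):
        host = urlparse(href).hostname or ""
        if not host:
            continue
        if is_ip_literal(host):
            findings.append(("link-ip-host", href))
        elif base_domain(host) != base_domain(from_dom):
            findings.append(("link-offdomain", f"{href} is under {base_domain(host)}"))
        # Visible text that is itself a URL must lead where it says.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and base_domain(shown) != base_domain(host):
            findings.append(("link-text-mismatch", f"shows {shown}, goes to {host}"))
    return findings
```

Running audit() on the first message yields five findings; on the second it 
yields none. An empty result is not proof of legitimacy, only the absence 
of the contradictions the post describes. Note also that a Return-Path on 
a bulk-mailer's domain is exactly what a company using an outside mailing 
service produces, which is the "legitimate e-mail that looks like 
phishing" problem the post complains about.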