

I can't believe that this is still a thing, but if your risk model is noticeably impacted by the adversarial capability of _writing an email in the English language_ then I'm pretty sure your threat model is already broken.

https://www.nbcnews.com/tech/security/nsa-hacker-ai-bot-chat-chatgpt-bard-english-google-openai-rcna133086

#threatmodeling #phishing

User discretion is not a security boundary.
Seems like something where someone should be let go after their 2nd offense, if anyone ever gets that far.
@hypolite

I disagree. People click links. It's up to security to ensure that the impact is mitigated. If users had to fear for their jobs if they happened to click a link that security allowed into their inbox, you would run out of productive employees.

There are entire workflows that require the users to click links sent to them from the general public. If security is so poor that it allows malicious links to the user, how can the user be expected to pick up what the specialists missed?

@cR0w @Kinetix My company's phishing test emails are obvious, if only because there's a banner reading "This message was not sent to Spam based on your organization's settings." Of course this banner also shows on top of innocuous emails and actual spam from recruiters and marketers.

Why can't people be held accountable for being maliciously stupid? People aren't allowed to do many stupid things, but would you blame the janitor for someone flinging poo on a wall after being explicitly told not to?

Thinking InfoSec people are going to catch everything is delusional, and normalizes nonsense like spying on all content in and out of the corporate network (while ignoring that there are still handfuls of other ways to yank data from the company).

@hypolite

@Kinetix @cR0w What if your job actually involved clicking on links in emails? How well are you paid to spend enough time to discriminate between the legitimate links and the malicious ones?

I would be curious to know what kind of job has 'indiscriminate link clicking' as part of its role, but if I had to have someone in such a position and I couldn't trust them to actually read emails that say "Do not click this link" (and am I setting them up for failure anyway with poor incentivization?), then they're going to be off on an isolated network with access to sweet nothing.

Would you hang on to a millwright who kept cutting off limbs because they just couldn't pay attention to what they're doing? I mean, this discussion revolves around someone clicking a link in an email that specifically says to not click the link.
@cR0w

@Kinetix @cR0w In my experience, almost all non-engineering desk jobs. Sales, marketing, project management, administration, etc... all rely on sending attachments or links by email for their regular job duties, including sensitive material. And the fluff text around the links/attachment is rarely relevant.