Head of Israeli cyber spy unit exposed ... by his own privacy mistake

Re: "9% of them do so within three days"

I'm not convinced. Given the number of drivers I see that sail through red lights, undertake on the inside (for leftpondian readers, both illegal in the UK) and park in insanely stupid places (probably ditto), I don't believe passing a driving test and being given a license makes someone safe to use a vehicle - applying the same process before being allowed to use a computer would, I fear, instil a false sense of security. Have an upvote for the idea, though!

On a technical note, would a user have to resit a test each time the OS undergoes a major version change? I can almost hear gubberment tills ringing... ;)

Re: "9% of them do so within three days"

The users are only a tiny part of the problem. Microsoft simply doesn't care about security at this point and most for-profit security companies are happy to blame the user because it's great for their bottom line to do so.

They do the absolute minimum needed to check boxes and use flim-flam to convince IT security professionals to aggressively monitor things with overpriced EDR/SIEM/HIDS/HIPS software in lieu of proper per-process logical security controls which have already been an overwhelming success on systems like Android and iOS. There is no good reason why Windows has to allow all software access to pretty much everything within the user profile by default and even less of a reason for it not to use Cryptographic Services to attach an additional token to every running process to partition off access to saved credentials. Microsoft has a cloud-based Intelligent Security Graph service which the system can consult to see if an application is known and trusted enough to execute (Smart App Control uses this, for example) and ships with large application compatibility databases to identify exceptions to common rules when it comes to ASLR, DEP, CET and many other security features. There's no reason this couldn't be extended to detect whether an app truly needs "full trust" (to borrow Microsoft parlance) access to user data, and if there's no definitive confirmation that it does, to aggressively sandbox it by default instead. Microsoft has collected more than enough data to allow legacy software to be grandfathered in, while forcing new and unknown software to submit to additional restrictions.

Microsoft Windows is also the only mainstream desktop OS which allows software to write into the memory of other applications running as the same user account without a simple way to prevent it (unless you're Hollywood and meet the criteria for a Protected Process). This means an attacker is always only one unauthorised code execution attempt away from writing into a trusted process to bypass almost every security control a system administrator depends upon to protect corporate data (such as only allowing specific processes to have Internet access) even if the user isn't tricked into running malware. macOS prevents this behaviour using a hardened runtime (which almost all apps use by default) and Linux controls this with ptrace() checks restricted by LSMs like Yama to only parent/child process relationships. Even software like KeePassXC which thinks it has secured this side of things on Windows really hasn't because doing so requires a separate process with enough rights (basically admin rights) to alter the process owner of the unprivileged process to something other than the user which executed it (to prevent malware running as the same user from undoing the protection).

Re: "9% of them do so within three days"

This is interesting. Because, in my opinion, growing car dependency has led to an acceptance of people driving who are not ideally suited to the task. Some people I know don’t like driving at all. If other transport was convenient and reliable we could have fewer drivers and better driving standards. But with things as they are this would be unacceptably discriminatory.

I wonder how/if this applies to your analogy.

Re: A badge of pride?

"I've come across a disturbing number of people who actually boast that they have no technical knowledge."

Hang out with a lot of politicians, do you?

Re: A badge of pride?

What bothers me isn't that people are aware of not knowing, but don't make any effort. Those who admit ineptitude but are willing to learn are at least tolerable. I work with a lot of ex-cons, and those who have been in prison 20+ years are extremely far behind the curve, but at least generally want to get good enough to be self-sufficient. Compare that with those family members and friends that pretty much all of us have, who don't have the excuse of being locked up away from all of that and still call us with an "emergency" when that thing we've already shown them a dozen times has to be done again.

I'll take an admission of struggling with tech, or not being great at it if someone is teachable and making an effort over those with learnt helplessness and/or incompetence bordering on malice any day.

They are spam, every day I was on LinkedIn I "was on a roll" despite having zero connections, no info in my profile etc.

It's corporate wankery and an exceptionally useful source of insider info for pen testers, hackers and assorted sets.

Re: "The takeaway here is obvious: Keep training people not to click those phishing links!"

I worked at a company where an employee proudly explained to others that you can determine a phishing email by checking that the email headers originate from a specific company, which was the cyber security company that conducted the phishing training exercises for our company.