* Posts by suburbazine

5 posts • joined 19 Nov 2018

Satellites with lasers and machine guns coming! China's new plans? Trump's Space Force? Nope, the French


It's France. We'll soon have entire guns floating around in orbit after their satellites drop them.

Great, you've moved your website or app to HTTPS. How do you test it? Here's a tool to make local TLS certs painless


That feature photo

Is an awesome conglomeration of incompatible products. Also, very in keeping with certificate setup.

Domain name 'admin' role eyed up as latest victim of Whois system's GDPRmeggdon


Unicorn startup idea

Let's start a new company called EUROCANN. We'll make a billion GDPR compliant Euros in a year.

A little phishing knowledge may be a dangerous thing


I've submitted a question to the authors of the study regarding how it was conducted and the way they published the results. If anyone is interested, this is the question I submitted:

Hello all,

Your paper is beginning to spread around the world, with tech websites and security moguls alike seeing it. I have a question about the way you've defined a successful "phishing" though: it seems like you based a success on simply clicking the link, not the actual act of being phished, which is submitting valid user information. I'm not sure if the scope or authorization of the phishing would have permitted the actual collection of information. However, the study as published doesn't indicate any restrictions on the methodology (either preface the study with this, or include it in Limitations).

In corporate phishing tests, companies generally opt to capture their employees' data as it pertains to the company (no outside/unaffiliated data). In Experiments 1 and 2, this restriction would have denied collection of data, but in 3 it may have been permissible to capture credentials if overseen by your university's administration.

The reason I raise this question is because you're redefining phishing as the world knows it: not as the loss of user data, but as the act of clicking a link in a poorly constructed email. Your experiment as operated does not take into account the "outliers", as I will categorize them: the phishing-aware demographic that

Clicked the link in order to collect relevant information to report the phish to others in the affected groups (this happened apparently?)

Clicked the link to troll the phishermen by submitting falsified information

Clicked the link to otherwise hamper the phishing campaign (track down abuse teams of registrars or hosts)

The only way to sanitize these possibilities is to actually collect some information, qualify it, then sort it into legitimate and illegitimate results. Your after-action report could have been plied to better educate the ones that actually did fall for the phish and possibly commend the ones that didn't. But right now, you've got everyone lumped into the "you failed" group.


But were they phished? Clicking an email does not count as being phished or even being susceptible to phishing. What if they simply wanted to fill out the phish field with phish food like I do... random insulting information to hurt the phisherman's feelings.

