papasquat's recent activity

  1. Comment on Phishing tests, the bane of work life, are getting meaner in ~tech

    papasquat

    I'm surprised to hear about all of the IT departments apparently attempting to roll their own phishing simulation programs.

    It's a deceptively difficult thing to do correctly and actually reinforce the behaviors you want to reinforce, while simultaneously being a pretty affordable service to purchase from a number of vendors that specialize in it, and who are guaranteed to do a better job than 99% of the homegrown stuff most IT teams could cook up.

    2 votes
  2. Comment on Phishing tests, the bane of work life, are getting meaner in ~tech

    papasquat

    It's crazy how many hours of mind-numbing, monotonous work people are willing to do in order to avoid having to learn something by spending half an hour googling a better way to do things. I had a coworker (in IT, no less) that did something similar every week. Probably six hours of work eyeballing Excel spreadsheets instead of googling for an hour how to write a function or macro to do it instantly for him from then on. I almost admired him for it. It would be literally impossible to get myself to concentrate on a task like that for that long.

    3 votes
  3. Comment on Phishing tests, the bane of work life, are getting meaner in ~tech

    papasquat

    I think as with most things in technology, the implementation is everything.

    You can make the same arguments against multifactor authentication, encryption, data classification, network segmentation and so on. There are ways you can implement them so that it's nothing but a massive pain in the ass for your users without actually making you more secure, and there are ways you can implement them so that they get out of your users' way or even help them get their jobs done while greatly reducing the likelihood of a devastating incident. You just need to be careful about it and ask the right questions when you're considering your controls as a whole.

    2 votes
  4. Comment on Phishing tests, the bane of work life, are getting meaner in ~tech

    papasquat
    (edited )

    It should be safe, just like our EDR should catch any malicious code executing or abnormal behavior from an application, and our web filter should block the http request to the malicious site, so they wouldn't even get anywhere if the link was clicked anyway, except the mail filter should make all of that a moot point anyway because it should catch phishing attempts before they're even delivered to users.

    In reality, none of these controls are 100% effective, which is why we layer them. The spam filter catches around 95% of phishing attempts, the web filter stops maybe 70% of the malicious URLs, the EDR does quite a good job and stops 99% of the garbage users manage to download, but all it takes is one getting through.

    There have been quite a few zero click browser exploits out there in the wild. They're very scary and very rare, but once a new useful zero day is unleashed, it's a race against the clock for every single threat group to exploit it as quickly as possible, and every single vendor to patch it as quickly as possible. The organizations are downstream of those vendors, so they'll always be behind the attackers, and my organization is no different unfortunately. That gap of time between disclosure and vulnerability remediation is prime striking ground for an attacker, and the best line of defense against a well crafted attack using a novel weakness (other than your normal security baselines) is users who pay attention.

    I've heard a lot of arguments against security controls (often from my own department) that usually go something like "why do we even have to do x (some control) if we already have y (some different control that mitigates the threat somewhat, but in a different way)?" The answer is usually because the risk isn't reduced to an acceptable level without x. That's the case with any other security control + phishing simulations (at least for my organization).

    Edit to add some more thoughts to what you were saying: Realistically, you're right 99.99% of the time. Most phishing attacks are either an attempt to compromise an identity (token theft, fake logon) or an attempt to install malware via a download (office macros, DLL side loading, etc). These require further interaction from a user. From what I've found however, if a user is willing to click on a random link, there's a good chance they're willing to put their credentials in a popup or download a file from that link too. Either way, that .01% risk of a zero click browser exploit does also exist and has taken down companies before as well.

    4 votes
  5. Comment on Phishing tests, the bane of work life, are getting meaner in ~tech

    papasquat

    Sometimes online, especially in places with a large community of software developers or other tech role where you don't interact with non tech roles much (like tildes) people get in a bubble regarding the tech literacy of the average worker.

    It's bad out there. Organizations give users access to and require they use an extremely powerful tool that if misused, can spell doom for the entire organization. We don't require that they have any special certificates or training to use this tool either.

    It's like if we required Mabel from accounting to hop on and operate the 800' tower crane downtown to update her direct deposit info. That's how much risk a large organization is assuming by giving users unfettered access to an internal computer and network without decent controls in place. It makes sense to make sure she's as well prepared as possible to avoid a really expensive mistake.

    7 votes
  6. Comment on Phishing tests, the bane of work life, are getting meaner in ~tech

    papasquat

    I can comment on this with a little more data and info because I run my organization's cybersecurity program. We're a large public sector organization with a lot of sensitive data, and a lot of uneducated users, which is kind of the prime candidate for a phishing simulation program.

    With a lot of journalism about a lot of stuff, there's a tendency to frame the author's viewpoints as a win/win (we can eliminate fossil fuel emissions AND have cheap power if just we build nuclear plants! We can reduce food insecurity AND develop more land if just we do vertical farming. And in this case we can reduce annoying users' emails AND at least keep the same level of cybersecurity if just we got rid of phishing simulations!)

    The real world rarely works that way. Most things that are commonly done have tradeoffs. Before we instituted a phishing simulation program, users would click through just about every email they saw. We had an education program when they got hired on, and regularly afterwards, but understandably, most people just didn't pay attention to it because they're busy with other things. As a result, we had many, many clickthroughs to attacker controlled sites. Our web filter would catch most of them, the EDR and firewall would catch most of the rest, but we still had credential theft, malware, and ransomware incidents that started with phishing emails.

    Since instituting a phishing simulation program, our clickthrough rate went from over 10% to just under 3% now. Users have a 15 minute training course they must complete if they click a phishing email. They're not named and shamed, which I think is degrading and counterproductive when I've heard of it happening, but they are forced to spend some time reviewing what we've told them.

    I've gotten feedback that at times, some of the simulated emails are cruel (sometimes it's an email offering an employee an award for good performance), but my response has been, and continues to be, we use emails that look like that because they're enticing, and enticing emails are exactly what attackers use to execute successful phishing campaigns. My job isn't to be nice, unfortunately. It's to protect my organization from attack.

    The simulated emails look just like an attacker email would. They're marked as external emails from our email filtering system, they come from an outside domain, if you hover over the links in them (which we train users to do), they direct users to domains that we don't control. I'm very confident that if a user clicks a phishing simulation email, they would have clicked on a real phishing email. A more impactful result: since instituting the program a few years ago, we haven't had a single security incident that started from a phishing email.

    Because of all of these things, the program is valuable to me and my organization, and I have no intention on changing it.

    Large peer reviewed studies are great and all, but I have real data from my specific organization proving that the program is valuable. I have no idea what the implementations look like at the organizations that took part in the study the story references. I don't know what the simulated emails look like, what happens if you fail, how often users are tested, and so on. I do know that the program works in my case though. So even though it might annoy a few users each month, or result in some of them feeling dumb or bad for a little bit, it's a small price to pay for potentially avoiding a massive cybersecurity incident that will cost the public tens of millions of dollars.

    16 votes
  7. Comment on Dating & ghosting people in ~life

    papasquat

    I think it's more common among two groups of people. 1. Very non confrontational people, and 2. People who have been doing online dating for a really really long time.

    The first group is just scared of formally ending things, and it is scary, so I understand that. It's also part of being an adult, and there's a word for not confronting your fears and doing scary, but necessary things: cowardice.

    The second group is just kind of exhausted with the whole process and probably shouldn't even be dating anymore.

    They've stopped viewing the people they're dating as people, and instead see them as date #28332 or whatever. In their mind they don't owe them a breakup because they're just another profile on their page who will soon be replaced by someone else. I can also understand this, but if you find yourself treating human beings as commodities, you should probably stop doing what you're doing. This group isn't very likely to find a relationship using dating apps because they're just basically using people, which is pretty selfish, and we normally call selfish people assholes.

    So I'd say the reason boils down to: people ghost others on online dating apps because they're either cowards or assholes.

    8 votes
  8. Comment on How to lose weight in four easy steps in ~life

    papasquat

    Hah, yep. Someone finally cracked the code! The back squat is my absolute jam.

    1 vote
  9. Comment on How to lose weight in four easy steps in ~life

    papasquat

    Well I appreciate the well wishes, and I'm honestly surprised anyone remembers anything I say here! Thanks!

    6 votes
  10. Comment on How to lose weight in four easy steps in ~life

    papasquat

    Man, it's really wild reading this for me, because I remember reading it roughly around the time it was published around 10 years ago. I was in a relationship that would turn into a marriage at the time and I thought it was a great piece, but didn't really hit me too deep, because I'd honestly never had my heart broken. I'd only loved one other woman at that point, but it was a kind of juvenile, youthful love. My first love broke up with me for valid reasons, and I was sad, but I got over it in a week or two.

    I got divorced from the woman I was with when I originally read this article about four years ago, and reading it again puts it in a whole new light, and it's insane how accurate it is. I can confidently say that my ex wife really did break my heart in the way the author describes. It was a really bad breakup, which began with her cheating on me for months without my knowledge while I was out of the country with the military. I'm not someone that has ever really struggled with long bouts of depression or anxiety, so dealing with those new feelings in my 30s was really difficult.

    I'd always worked out to some degree, but I'd say I gave it maybe 60% of my effort. I never really pushed myself super hard. I just lifted weights, I started doing CrossFit a few times a week and so on. After I got divorced, I really became a "gym guy". I worked out six days a week, sometimes twice a day. I learned about things like macros, Basal Metabolic Rates, optimal water intake, maximizing natural testosterone production. I actually spent time watching YouTube videos about working out. I stopped drinking alcohol. I started bonding with other gym guys about lifting heavy pieces of metal and putting them down over and over. As a result, I got in incredible shape over the course of two or three years. I had a six pack without flexing for the first time in my life. I remember the coaches at my gym joking "From now on when any of the new members ask me the quickest way to get ripped, I'm just going to tell them to get cheated on and then go through a brutal divorce".

    I think from the outside, a lot of people saw it as an unhealthy coping mechanism, and I could see how it may have seemed that way. I became obsessed with my body fat percentage, my calorie intake, my run time, my PRs. I would decline drinks out at the bars with my friends. I would insist on going to bed at a reasonable hour. I wouldn't compromise my time at the gym for anyone or anything. Even so, it was nice to just care about something for once.

    A few years later, I'm in a very happy relationship with my fiance who I'm going to marry in about a year, I still go to the gym regularly, but at a more manageable 3 days a week, and I'm still in pretty good shape, although I don't have a six pack anymore (I don't recommend trying to maintain a six pack for long periods of time unless you're very genetically gifted, it's a pain in the ass).

    Overall I'm very, very grateful for that time in my life. I learned a lot, I made a lot of really good friends, I had a hobby I really enjoyed that occupied my time and got me out of the house, and I got to finally learn what it felt like to be the archetype "ripped gym guy" for the first time in my life. I don't think it's a really sustainable lifestyle unless you're single or have a partner that is also really into it and you make your whole lives about being in shape, which I was never really interested in.

    I can at least attest that "hit the gym" is actually pretty good advice for someone going through a horrible breakup, at least it was for me.

    14 votes
  11. Comment on Are we witnessing the takeover of a country right now? in ~society

    papasquat

    Honestly, I think it's kinda showing the 1st world problem biases of many that they think a full country takeover could occur without millions dead in the streets. I've spoken to people who've lived through government takeovers.

    Hitler was voted chancellor of Germany and then given emergency dictatorship powers without having to murder anyone.

    In fact, the Beer Hall Putsch a decade earlier, an attempted violent overthrow of the government, was a massive failure (remind you of anything?).

    Only after Hitler was given absolute power did he start murdering people in droves to consolidate that power and ensure no one could threaten it.

    Not saying that's what's happening here (I'm also not NOT saying that), but there's definitely precedent for dictators to come to power with minimal or no bloodshed. There's a significant portion of people who seem to like the idea of being ruled by someone with completely unchecked power for some reason.

    20 votes
  12. Comment on CIA offers buyouts to entire workforce to align with US President Donald Trump priorities, sources say in ~society

    papasquat

    It's crazy how different this term feels. In his first term, Trump seemed to just rage against a built up system that mostly managed to keep things in check. It felt like despite all the political insanity, most of the career bureaucrats managed to continue doing their jobs and be the adults that kept the lights on.

    This term the plan seems so much more systematic, and that entire apparatus is going to cease to function shortly, leaving a bunch of unqualified maniacs without any experience or idea of the implications of the policies they're implementing. I really can't see a path for the US to remain on top of geopolitics, or even a prosperous nation after this term.

    21 votes
  13. Comment on Donald Trump won’t rule out deploying US troops to support rebuilding Gaza, sees ‘long-term’ US ownership in ~society

    papasquat

    Honestly, I'm not very empathetic. I don't buy the arguments that the US needs to bend over backwards to care for the economic issues and well being of other countries, and I find the frequent arguments that the Democratic party makes to that effect very disingenuous. On the surface, you could call me an "America first" person. I don't know if that makes me unusual for a progressive, but I still absolutely consider myself one.

    The issue I have with Trump and his ethos is that it's not America first. It's going out of our way to make enemies and antagonize our allies, which is not within our self interest at all. It's like a friend who continually fucks you over, so eventually when someone breaks into his house, you miraculously are busy when he needs help cleaning up.

    Alliances, treaties and working relationships aren't developed by countries out of the goodness of their hearts, they're developed out of self interest, so when you trash those agreements, you're not only hurting the other party, you're hurting yourself.

    If there was a real proposal that fucked over another country while helping the US long term, I'd honestly be fine with that. I'm a US citizen, so is virtually everyone I'm close to. It would be within my best interests to support that kind of proposal. Diplomacy doesn't work like that though. It's not a zero sum game. Peace, prosperity and cooperation is good for the whole world, not just the US. So even from a purely self interested perspective, these choices make no rational sense.

    19 votes
  14. Comment on I hate the new internet. I hate the new tech world. I hate it all. I want out, and I can't be the only one. in ~tech

    papasquat

    There is no “The Internet”.

    There is definitely a "The Internet". It's just that "The Internet" is used as a metonym for a single overarching internet culture that doesn't actually exist.

    "The Internet" is literally an internetwork of separate networks all communicating via the internet protocol. It's not actually the people that use the internet, which is the majority of humanity at this point, in the same way that "the White House" is a building, not the office of the president of the United States, even though we use it that way.

    5 votes
  15. Comment on US children joked about school shootings. Then the sheriff sent them to jail. in ~news

    papasquat

    SMS (what most people mean when they say texting) shouldn't be publicly viewable. Yes, it's plaintext, but we shouldn't need to have all communication encrypted to feel safe that the government isn't monitoring the communication of every single private citizen at all times. The premise is just absolutely absurd, but that's the world we live in I guess.

    7 votes
  16. Comment on I hate the new internet. I hate the new tech world. I hate it all. I want out, and I can't be the only one. in ~tech

    papasquat

    It honestly depends. I would say for 99% of stuff, doing it online is easier if you're using the normal, expected workflow and not doing anything out of the ordinary.

    As soon as you have some problem, or are doing something that wasn't expected or accounted for by the developers of the site, everything falls apart and getting a hold of someone that 1. Cares, 2. Can help you, and 3. Is allowed to help you is an absolute fucking nightmare. Which I think is the point.

    8 votes
  17. Comment on Why and how I use Immich in ~tech

    papasquat

    I like Immich a lot, and have run it for years now. Unfortunately I don't have as much time as I'd like anymore, and the sheer number of breaking changes and architecture redesigns really fatigued me. It's the one app I have that's publicly exposed, so not updating it immediately isn't an option from a security standpoint, but that usually resulted in me spending an hour I don't have rewriting docker compose files. As a result, it's been down for a few months for me, probably needing a database rebuild, which I don't know if I'll ever get around to.

    I'd advise that for anyone looking to migrate from a SaaS solution like Google photos, make sure you have the time and will to keep up with system maintenance tasks for as long as you plan on running it.

    7 votes
  18. Comment on Elon Musk's junta establishes him as head of US government in ~society

    papasquat

    The entire article is over the top. I understand the sentiment, but writing long cathartic hyperbolic essays isn't helping anyone. Things are bad enough without us having to exaggerate what's going on.

    15 votes
  19. Comment on Steam Brick: No screen, no controller, and absolutely no sense, just a power button and a USB port in ~tech

    papasquat

    There's no way in hell Apple ever opens up the iPhone's hardware to allow alternate OSes. It's the direct antithesis of their entire philosophy, and more importantly their business model.

    The only way you can get Apple software is by buying Apple hardware, and the only way you can use Apple hardware is with Apple software. Both of those choices are very intentional.

    The only reason you can install alternative operating systems on MacBooks still is because of the cultural expectation that computers let you run whatever OS you want, but they've certainly gone out of their way to make it difficult to do.

    There was never any such expectation for phones, and so Apple has no reason to ever change that.

    Seriously though, expecting Apple to ever open up their platforms is like expecting the Catholic church to stop believing in God. If any concept is truly the core of Apple's business philosophy, it's walled gardens and vertical integration. From their view, computers of any type, and the software that interacts with the hardware on those computers are something to be built, controlled, programmed, and sold by a small group of elite tech professionals, and everyone else is just a user.

    2 votes
  20. Comment on Steam Brick: No screen, no controller, and absolutely no sense, just a power button and a USB port in ~tech

    papasquat

    Good to know. Didn't realize that. Kind of impressive they were able to squeeze out the kind of battery life and performance needed for a handheld from an x86 chip.

    I agree with you though, it's not silly. It's silly in a vacuum if you've never attempted custom hardware like this before, but once you have the full context about what an absolute pain in the ass it is to keep a system running that's only powered on and updated sporadically, it makes a lot more sense to start with something fully supported by a single vendor.

    2 votes