Slashdot Mirror


Anti-Phishers Pose as Phishers to Make Point

Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"

31 of 337 comments

  1. Welcome to the real world? by devnullkac · · Score: 4, Insightful
    Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked.

    My initial response is that cadets need to wise up about who's who when orders are given, but then I realized that it's probably a federal offense to impersonate a military officer in real life. The question then becomes whether it's illegal to impersonate an officer online. If so, the good/bad/good guys have gone too far.

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
    1. Re:Welcome to the real world? by kcurtis · · Score: 2, Insightful

      I think your first inclination is probably more spot-on. In the field, there is a long history of active disinformation behind enemy lines. A great example is the Battle of the Bulge, where the Germans put fake Allied MPs behind US/Brit lines and directed support traffic away from where they should be.

      Asking the corps of cadets, the future decision-makers of the US Army, to think about the source of orders is not a bad idea. Not like they are asking them to question legitimate commands.

    2. Re:Welcome to the real world? by tsanth · · Score: 4, Insightful

      I disagree. The good/bad/good guys did the reasonable expected thing, because in a real-world situation, a phisher wouldn't stop just because it's illegal to impersonate an officer.

      The test did what it needed to do and showed what it needed to show. An AC above pointed at SMTP being the problem, but I feel that the problem's really even deeper than that: how many of the students actually checked the headers before they clicked that link?

      I'm guessing few to none.

    3. Re:Welcome to the real world? by YrWrstNtmr · · Score: 2, Insightful
      And remember, these are cadets. In college. Learning how to be future officers. The lesson learned here is far more than just avoiding phishing. I'd say this is exactly the place to teach them a little about message spoofing, whether it be email, radio, or other.

      Next time, when they're out leading a platoon or whatever, they might remember this lesson.

  2. Re:Sir, No, Sir... by YrWrstNtmr · · Score: 2, Insightful
    Man... It's about time the military started showing they have some mental capacity to actually ask questions.
    To me, it's pretty scary that someone would just commit an action just because that someone was trained to follow instructions only, and to never question.
    That's why I never joined.

    And because you 'never joined', it is understandable why you have little clue how the military actually works.

  3. Re:"Ask questions first, then execute" by arkanes · · Score: 3, Insightful

    I think the issue here is to be more questioning of the authenticity of orders - I doubt they'll want cadets questioning the colonel about orders in person, but the point is that you can't trust the authenticity of an email without verification.

  4. Re:"Ask questions first, then execute" by awkScooby · · Score: 4, Insightful

    It depends. On a nuclear sub, they had better be verifying those orders are authentic before launching. In fact they do verify that messages are authentic. They use this thing called cryptography. So, this is in fact a healthy lesson to be teaching these cadets. They cannot blindly follow orders coming from untrusted sources.
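The comment above says message authenticity is established "with cryptography" but does not show what that looks like. The following is an added example, not code from the thread or from any military system: an "order" is authenticated with HMAC-SHA256 over a canonical encoding plus a monotonically increasing sequence number, so a receiver can reject a forged text, a message signed under the wrong key, and a verbatim replay. The key, field names and message layout are all assumptions made for illustration.

```python
"""Added example: HMAC-authenticated orders with replay protection.
The shared key, field names and message layout are constructed for
illustration and are not taken from the article or the comments."""
import hashlib
import hmac
import json

# Constructed demo key. A real deployment keeps this in an HSM or key store.
SHARED_KEY = b"constructed-demo-key-do-not-use-in-production"


def canonical(order: dict) -> bytes:
    """Serialise deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order: dict, key: bytes = SHARED_KEY) -> str:
    """Hex HMAC-SHA256 tag over the canonical encoding of the order."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


class OrderVerifier:
    """Receiver-side state: rejects bad tags and replayed or reordered sequence numbers."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = 0

    def verify(self, order: dict, tag: str) -> bool:
        expected = sign_order(order, self.key)
        # Constant-time comparison so a forger cannot learn the tag byte by byte.
        if not hmac.compare_digest(expected, tag):
            return False
        seq = order.get("seq")
        # A sequence number that does not advance is a replay or a reordering.
        if not isinstance(seq, int) or seq <= self.last_seq:
            return False
        self.last_seq = seq
        return True


def demo() -> dict:
    """Run the four cases a verifier has to get right and return the verdicts."""
    verifier = OrderVerifier()
    genuine = {"seq": 1, "from": "COL Example", "text": "Report to HQ at 0800"}
    tag = sign_order(genuine)
    results = {"genuine": verifier.verify(genuine, tag)}

    # Forgery: the attacker edits the text but cannot recompute the tag without the key.
    forged = dict(genuine, seq=2, text="Submit your credentials at the link below")
    results["forged"] = verifier.verify(forged, tag)

    # Replay: the authentic message and tag are resent verbatim.
    results["replay"] = verifier.verify(genuine, tag)

    # Wrong key: a well-formed order signed under a key the receiver does not trust.
    attacker_order = dict(genuine, seq=3)
    results["wrong_key"] = verifier.verify(attacker_order, sign_order(attacker_order, b"attacker-key"))
    return results


if __name__ == "__main__":
    print(demo())
```

The sequence counter is the part people forget: without it, an attacker who captures one genuine order can resend it as often as they like and every copy verifies. With a shared secret both sides can also forge, so a real system would use a signature scheme where only the issuing authority holds the private key; the structure of the check is the same.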

  5. Re:Common Sense by bigman2003 · · Score: 5, Insightful

    Unfortunately, common sense does not mean the same thing for the average user, as it does for people on Slashdot.

    Average users feel that since mail was sent to them, it should be safe to open.

    Common sense means that it is the job of the technical industry to make sure that this can happen. That the average user can open mail without worrying about being 'infected.'

    Common sense means that when an e-mail is sent, and it says that Grandma Jones sent it, it really was from Grandma Jones.

    Common sense means that WE (technical industry) have a lot of work to do. Not the average user. Their only job is to use the infrastructure we create.

    --
    No reason to lie.
  6. Black Hat crimes by redelm · · Score: 3, Insightful
    For more than just phishing, there is a temptation to play the Black Hat for user education. The problem is: "Two wrongs don't make a right". The "education" still involves exactly the same crime as a real exploit. Rather like stealing something a friend had poorly guarded, then giving it back.

  7. Re:Common Sense by Zunni · · Score: 2, Insightful

    It's not as easy as that.

    People tend to be uncomfortable and confused when dealing with computers and technology. They know that when a bank sends them a letter they should follow the directions (go to the branch etc). Why would they have any reason to expect anything different online?

    The emails look professional, use the correct terminology and uneducated computer users have no reason to doubt what they are being told.

    It's a long process to educate any user on ALL of the many dangers/issues on the net and there are more sophisticated and a tremendous number of attacks ALL THE TIME.

    People think that just because they are power users or admins that everyone should natively know everything they do.... It's just not feasible. Regular users aren't reading security alerts, regular users aren't reading Slashdot. (hello to any that are) Regular users are doing other things that perhaps computer users don't do.

  8. Re:Mindless obedience by Anonymous Coward · · Score: 2, Insightful
    Have you never heard of the Geneva Convention? Or Nuremberg?

    Soldiers are absolutely not supposed to blindly follow orders.

  9. How is this a "new" edict? by gcauthon · · Score: 2, Insightful

    Cadets are given instructions and then a "colonel" comes along and convinces some of them to do something they shouldn't. How is this a problem specific to email/technology? Hasn't this type of exercise been around as long as the military?

  10. Re:Human Nature by RAMMS+EIN · · Score: 4, Insightful

    ``I think it's sad that it's come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.''

    That paints the picture a bit blacker than it really is. Of _course_ you can't just assume that _everything_ you encounter can be trusted without further thinking. That's not a recent development; it's always been that way. But it's not like you have to distrust everything you encounter, either.

    Common sense should get you a long way. If someone is offering you great riches for no effort, or demanding you verify your account by entering your password even though your bank said they'd never do that, or you are asked to verify an account with a service you aren't registered with, or your sister sends you an email that is in a completely different writing style from what she normally uses, it's almost a sure bet it's a scam. If one of your friends or colleagues sends you a message about something you share an interest in, it's almost certainly legit. Anything that falls in between warrants closer inspection. It really isn't all that difficult.

    --
    Please correct me if I got my facts wrong.
  11. Re:Human Nature by KiloByte · · Score: 2, Insightful

    Wrong. It was not an email from their superior, but from an outside third party (well, it really _was_ their superior, but masquerading as a scammer). And as such, the cadets got phished. They leaked some information, and thus were a potential security breach.

    Questioning orders from your superior is one thing, betraying orders because told to do so by a third party is something different. It just happened that this third party was a good guy.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  12. Re:"Ask questions first, then execute" by RAMMS+EIN · · Score: 2, Insightful

    ``I wonder what'll happen if they try that? Is that what they're trained in the military? Isn't it shoot first, ask questions later?''

    Depends which they do when. If they are in the heat of a battle and they start questioning the superior's orders, it probably won't end well. If they start blindly killing everyone because they might be a threat, things probably wouldn't end very well either.

    Fortunately, even in the military, people have brains that they can use to judge which would be the most appropriate action. Of course, they do make mistakes. Everybody makes mistakes. Training can help prevent them from making mistakes. That's what people were doing in this case.

    --
    Please correct me if I got my facts wrong.
  13. Military training by wowbagger · · Score: 3, Insightful

    I thought a big part of military training was the idea that no soldier is to obey an unlawful order, or a lawful order unlawfully given.

    ESPECIALLY at the top military academies, such as, oh, say, West Point!

    So these cadets are, in effect, saying "But I was Just Following Orders!" - which is NOT a valid excuse.

  14. Re:Human Nature by Anonymous Coward · · Score: 1, Insightful

    "I think it's sad that it's come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7."

    Just because you remember a time when that wasn't the case doesn't imply that it ever was the case, you simply weren't old enough to know better.

  15. Re:Sir, No, Sir... by The+Snowman · · Score: 3, Insightful

    To me, it's pretty scary that someone would just commit an action just because that someone was trained to follow instructions only, and to never question.

    Military members are obligated to follow lawful orders from those above them. They have to ask themselves "is this legal? Does it mesh with the Uniform Code of Military Justice? Rules of engagement? Geneva Conventions?" Something tells me that inputting personal information because of an email does not necessarily qualify as an unlawful order.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
  16. Re:Common Sense by schtum · · Score: 4, Insightful

    What will happen if someone knocks at Joe 6P's door and tells him:

    [BLAH BLAH...]

    and asks for his bank account number and other personal info.


    A lot of people would fall for it. You think con-artistry didn't exist before email? It's just more efficient now. Once you had to knock on 1000 doors to find someone so gullible, now you let them come to you. Some people are just [trusting/greedy/desperate] like that.

  17. They need the help, and people need to read more by ianscot · · Score: 2, Insightful
    If you need a well-written email to do phishing...

    Well, we all know you don't need something "well-written" at all.

    There are a few disturbing sides to phishing, but the one that hits me hardest is that people fall for messages that are incredibly poorly written. Anyone who reads regularly and who has any sense of graceful language should see through the vast majority of phish attempts in a second or two. Phishers generally are truly bad, tone-deaf writers. Your bank isn't going to botch the spelling of "account" in a message asking for your SSN. Nobody from American Express would send a curt four-sentence message threatening bluntly to "remove your account."

    It always seemed to me like the Nigeria messages were successful partly because people found the garbled language appropriate for the supposed sender. Those phishes play to the stereotype.

    --
    "Fundamentalism" isn't about divine morality. It's about human authority.
  18. Re:Mindless obedience by Anonymous Coward · · Score: 2, Insightful

    That only applies to soldiers of other countries. As the winners, our soldiers aren't subject to European or world courts, else our leaders themselves, as well as officers, would be incarcerated as war criminals for the invasion of Iraq and subsequent events in Abu Ghraib, Camp X-Ray, etc.

  19. Re:Common Sense by bcattwoo · · Score: 5, Insightful
    I think that some slashdotters must be fortunate enough to have never seen a really good phishing email. We aren't talking about just some crappy, far-fetched Nigerian-type scams. The more apt analogy would be:

    You get a letter in the mail on your bank's letterhead in an envelope exactly like every other letter you have received from the bank (with the exception that the postmark is from a different zip code than usual, but who checks those?). The letter states you need to sign some paperwork, could you please come to the nearest branch to take care of it. It provides some directions to your branch that isn't your usual route but their way does seem more direct. You arrive at the branch and everything looks just like you remember it, even the tellers look familiar. They ask you to fill in some account information on a form, sign it, and you are on your way.

    The good phishes don't ask for your password or account information through email outright. In an official looking email they direct you to visit your financial company's website to update or confirm something. For your convenience they even provide a link to the "website" for you, which directs you to an exact duplicate of that company's login page. I have even seen ones where clicking on the "help" or "contact us" links will actually take you to the corresponding pages on the real sites. A lot of these phishers are far from amateurs!
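Two comments in this thread name concrete checks without showing them: tsanth asks how many cadets "checked the headers before they clicked that link", and bcattwoo describes a convincing phish whose login link leads to a duplicate site while its "help" link goes to the real one. The block below is an added example, not code from the thread or from any product, that runs those checks with the Python standard library over a constructed message: does the From: domain agree with the Return-Path and the earliest Received: hop, and does each link's visible text and target host stay inside the sender's domain. The sample mail, relay host and domains are all made up for the example.

```python
"""Added example: header and link consistency checks on a suspicious mail.
The message below is constructed for illustration; all hosts are placeholders."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: displayed sender is the bank, the envelope sender
# and first hop are an unrelated relay, and the login link is a lookalike host
# while the help link really does go to the bank (as bcattwoo describes).
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])
\tby mx.recipient.example; Mon, 1 Jan 2007 10:00:00 +0000
From: "Example Bank" <service@examplebank.example>
To: customer@recipient.example
Subject: Please confirm your account details
Content-Type: text/html

<html><body>
<p>Please <a href="http://examplebank.example-login.test/confirm">sign in at
https://www.examplebank.example/login</a> to confirm your details.</p>
<p>Need assistance? <a href="https://www.examplebank.example/help">Help</a></p>
</body></html>
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def in_domain(host: str, dom: str) -> bool:
    return bool(host) and (host == dom or host.endswith("." + dom))


def header_findings(msg, from_dom: str) -> list:
    findings = []
    rp_dom = domain_of(msg["Return-Path"] or "")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    received = msg.get_all("Received") or []
    if received:
        # Received: headers are prepended, so the last one is the earliest hop.
        first_hop = received[-1].split()[1].lower()
        if not in_domain(first_hop, from_dom):
            findings.append(f"first hop {first_hop} is outside From domain {from_dom}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def link_findings(html: str, from_dom: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        # Visible text that itself looks like a URL must point where the href goes.
        shown = urlparse(text.split()[-1]).hostname if "://" in text else None
        if shown and shown.lower() != target:
            findings.append(f"link text shows {shown} but href goes to {target}")
        if not in_domain(target, from_dom):
            findings.append(f"link to {target} is outside From domain {from_dom}")
    return findings


def analyze(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"] or "")
    body = "" if msg.is_multipart() else msg.get_payload()
    return header_findings(msg, from_dom) + link_findings(body, from_dom)


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("-", finding)
```

The help link produces no finding, which is exactly the trick the comment describes: a phish can borrow the real site's pages for everything except the credential form. Running the checks against SAMPLE flags the relay in Return-Path and Received, the visible-URL/href mismatch, and the lookalike host, so the verdict rests on the headers and the sign-in link, not on how professional the message looks.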

  20. Re:Human Nature by ear1grey · · Score: 2, Insightful
    I think it's sad that it's come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.

    I agree with your sentiment entirely, but I think the reality is the opposite, specifically: it's sad that we have not yet reached a point where we can assume everything is trustworthy .

    Whilst some may aspire to a utopian dream where we no longer need money, and every human can strive for personal fulfilment, the truth is there's a long way to go before every human joins in.

    We just have to start living that dream in isolated pockets (and the open source movement is one such pocket IMO) and hope that the influence spreads.

  21. Re:Common Sense by WillyMF1 · · Score: 2, Insightful
    Why wouldn't you open it?

    If you were a head of state, then maybe you should be suspicious, but would you seriously be afraid of this package?

  22. Re:Common Sense by deesine · · Score: 1, Insightful


    Are you an ex CIA agent? Ex military? Law enforcement? Did you used to be a judge?

    No?

    Then you are stupid for being suspicious of strange boxes showing up at your door.

    (Unless badness has been sent to you in a brown box in the past, why would you be suspicious?)

    Let's just chalk this one up as another geek analogy bites the dust.

    --
    damaged by dogma
  23. Re:Common Sense by ArghBlarg · · Score: 2, Insightful

    I think there are some dead university professors who would disagree with you. I doubt any of them had reason to believe Mr. Kaczynski had made up his mind to send them bombs in the mail just because they happened to work at a university.

    Never mind the people who found out a few years ago that they'd been given a free subscription to Military Anthrax Strain Monthly(r)...

    --
    ERROR 144 - REBOOT ?
  24. Re:"Ask questions first, then execute" by rikkards · · Score: 3, Insightful

    The US soldiers often have the benefit of superior intelligence so they don't have to ask, but mostly confirm who they are going to shoot.

    Or in some cases, request permission to fire, get denied and then drop a bomb or two on coalition forces thus resulting in the death of four allied infantry personnel.

  25. Re:Sir, No, Sir... by John+Newman · · Score: 2, Insightful
    Something tells me that inputting personal information because of an email does not necessarily qualify as an unlawful order.
    It was prima facie unlawful because it came from someone who was impersonating a non-existent officer. I hope soldiers are trained to verify the identity and authority of officers who are completely unknown to them. Even limited to the phishing realm, the implications are much more serious than for your average joe. Next time, the phishing could come from the intelligence arm of the PLA - who would presumably impersonate a real officer. Wouldn't it be nice to read the email of lots of American soldiers? Or maybe they'll seek out technical information, deployment orders, tactical data, access to restricted networks, who knows? Verifying the authenticity of even seemingly-insignificant orders like this one can be an issue of national security.
  26. Re:Common Sense by dtungsten · · Score: 2, Insightful

    Unfortunately, common sense does not mean the same thing for the average user, as it does for people on Slashdot.

    Based on responses to "Over half the people said yes and claimed that I was stupid for being suspicious of strange boxes showing up at my door," such as: "Then you are stupid for being suspicious of strange boxes showing up at your door," it apparently does mean the same thing.

  27. Sir, uh, sir... by Eric+S.+Smith · · Score: 2, Insightful
    Others hide cowardice in a cloak of morality and relativism

    He's the one saying that he'll never kill anybody, while you're the one claiming that under certain circumstances we can call it "true compassion for humanity". So that'd be a "relativism" point for you, surely, not him.

  28. Re:Common Sense by MoaDweeb · · Score: 2, Insightful

    In other news: Common sense is not really that common. It just should be.

    --
    New Zealanders are well balanced with a chip on each shoulder. One represents Australia, the other the rest of the world