The replies about how people "should" notice the funky URL are distressing. Why should they?
If you expect people to become experts on esoteric naming conventions in order to use technology safely and securely, you're the problem, not them.
@mattblaze point #4 from someone who forgot far more about security than they will ever know https://hachyderm.io/@shortridge/111784865253206399
I’m in a reflective mood this week and it’s kind of wild to me that I’m known as a “provocateur” in #cybersecurity for takes like:
💡 don’t shame victims
💡 UX matters, a lot
💡 we should understand what we’re supposed to protect
💡 if someone clicking a thing on the thing-clicking machine leads to security failure, they are not the foolish one
💡 the best things a security program can invest in aren’t in the RSAC vendor hall
💡 maybe we should start actually proving outcomes??????????
¯\_(ツ)_/¯
@wollman @Oobleck A ticket came in to set up marketing.domain DKIM/SPF/DMARC records.
And two other groups are putting in records for different spam cannons on the top domain. At least marketing knows to get a subdomain set up. Just a few days left for https://dmarcian.com/yahoo-and-google-dmarc-required/
@Oobleck I use the free version of them for my personal domain.
Work kicked off with https://sendgrid.com/en-us/blog/gmail-yahoo-sender-requirements for my group.
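The situation in the replies above (several groups each appending their sender to the apex SPF record, marketing on its own subdomain) is easy to check mechanically. The following is an added example written for this page, not code from any participant or from dmarcian or SendGrid: it counts the DNS-lookup terms in an SPF record against the RFC 7208 limit of 10, flags multiple `v=spf1` records, and works out which DMARC policy a subdomain inherits. All DNS answers are constructed inline (the `*.example` names are placeholders), so nothing is resolved over the network, and the "last two labels" organisational-domain rule is an assumption that stands in for the Public Suffix List.

```javascript
// Added example, not from the thread: constructed TXT answers for an apex
// whose SPF record several teams have edited, plus a marketing subdomain.
const TXT = {
  "example.com": [
    // Eleven includes from eleven senders, added by different groups.
    "v=spf1 include:_spf.vendor-a.example include:_spf.vendor-b.example " +
      "include:_spf.crm.example include:_spf.helpdesk.example " +
      "include:_spf.billing.example include:_spf.newsletter.example " +
      "include:_spf.survey.example include:_spf.events.example " +
      "include:_spf.recruiting.example include:_spf.alerts.example " +
      "include:_spf.legacy.example ~all",
    // A second team published its own record instead of editing the first.
    "v=spf1 include:_spf.vendor-c.example -all",
  ],
  "marketing.example.com": ["v=spf1 include:_spf.vendor-d.example -all"],
  "_dmarc.example.com": [
    "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@example.com",
  ],
};

// Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10).
const LOOKUP_TERM = /^[+\-~?]?(include|a|mx|ptr|exists)(:|\/|$)|^redirect=/i;

function checkSpf(records) {
  const spf = records.filter((r) => /^v=spf1(\s|$)/i.test(r));
  const problems = [];
  let lookups = 0;
  if (spf.length === 0) problems.push("no SPF record");
  if (spf.length > 1) {
    problems.push(`${spf.length} SPF records; RFC 7208 allows one, receivers return permerror`);
  }
  if (spf.length > 0) {
    const terms = spf[0].trim().split(/\s+/).slice(1);
    // Flat count only: each include's own nested lookups would add to this.
    lookups = terms.filter((t) => LOOKUP_TERM.test(t)).length;
    if (lookups > 10) problems.push(`${lookups} lookup terms in first record, limit is 10`);
    const all = terms.find((t) => /^[+\-~?]?all$/i.test(t));
    if (!all) problems.push("no 'all' term");
    else if (/^\+?all$/i.test(all)) problems.push("+all authorises every sender");
  }
  return { count: spf.length, lookups, problems };
}

// Split "v=DMARC1; p=quarantine; sp=reject; ..." into a tag map.
function parseDmarc(record) {
  const tags = {};
  for (const part of record.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return tags;
}

// Organisational domain as "last two labels". A real checker uses the
// Public Suffix List; this shortcut is an assumption that holds for example.com.
function orgDomain(domain) {
  return domain.split(".").slice(-2).join(".");
}

// Policy that applies to mail from `domain`: its own _dmarc record if it has
// one, otherwise the org domain's sp= (falling back to p=), per RFC 7489.
function effectivePolicy(domain, txt) {
  const own = (txt[`_dmarc.${domain}`] || []).find((r) => /^v=DMARC1/i.test(r));
  if (own) return parseDmarc(own).p || null;
  const org = (txt[`_dmarc.${orgDomain(domain)}`] || []).find((r) => /^v=DMARC1/i.test(r));
  if (!org) return null; // no DMARC published at all
  const t = parseDmarc(org);
  return t.sp || t.p || null;
}

// Stand-alone run: apex fails on two records and eleven lookups, the
// marketing subdomain passes and inherits sp=reject from the apex.
console.log(checkSpf(TXT["example.com"]));
console.log(checkSpf(TXT["marketing.example.com"]));
console.log(effectivePolicy("marketing.example.com", TXT));
```

Running it against the constructed answers shows why the subdomain is the better home for a bulk sender: it gets its own short SPF record and still inherits a DMARC policy, while the apex is already past the lookup limit and has two competing records, which receivers treat as a permanent error.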
@mattblaze I just don't know how to square this with requirements coming from the business that significant actions occur from a single click on a link in an SMS. I barely got them to let me do the GET -> JavaScript -> POST dance that will at least prevent preview/prefetch from breaking things.
Users have to read and understand before triggering something significant (i.e. clicking), right?
@mattblaze I've done a lot of different (and popular) security awareness training classes, and most of them spend a bunch of time explaining how to recognize a phishing URL.
I always roll my eyes, because I've been working in security/exploits for years and years, and I'm not sure I could recognize 100% of malicious URLs (not to mention the various ways to hide URLs, open redirects, etc etc)
@mattblaze Complicated further by legit companies sometimes using shady-looking short links themselves. Someone in my house got a legitimate Australia Post delivery text that included a link to something like auspo.st and we all thought it was a scam because we'd never seen it before.
Looked it up online and it was their real shortened URL lol.
So even "shady-looking URL" isn't a consistently reliable heuristic on top of the usability problem you've brought up.
@mattblaze Don't get me started. Apart from the victim blaming, this simply doesn't work because companies use the weirdest URL schemes for marketing purposes (to track clicks) and even security tools are contributing to the issue. E.g. finding the real URL behind a Safe Link in Microsoft Defender for Office 365 isn't trivial.
🤬
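The last few replies (expert eyes missing malicious URLs, a legitimate shortener that looked like a scam, Safe Links hiding the real destination) can be made concrete. What follows is an added example written for this page, not code from any participant or from Microsoft: for a handful of constructed URLs it extracts the host a browser would actually connect to and compares it with the domain the text of the link suggests. Every URL below is made up; the Safe Links unwrapping relies only on the wrapper's `url=` query parameter, and the "last two labels" registrable-domain rule is a deliberate simplification of the Public Suffix List.

```javascript
// Added example, not from the thread: where does this link really go?
// All sample URLs are constructed; *.test and *.example are placeholders.
function effectiveHost(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; } // not parseable as a URL
  // Defender for Office 365 Safe Links: the destination is in url=
  if (u.hostname.endsWith(".safelinks.protection.outlook.com") && u.searchParams.has("url")) {
    return effectiveHost(u.searchParams.get("url"));
  }
  return u.hostname; // already lowercased and IDNA (punycode) encoded by the parser
}

// "Registrable domain" as the last two labels: an assumption standing in
// for the Public Suffix List, which is what real code should consult.
function registrable(host) {
  return host.split(".").slice(-2).join(".");
}

// Compare where a URL lands with the domain its text suggests and note
// the tricks that made the difference.
function inspect(raw, expectedDomain) {
  const host = effectiveHost(raw);
  if (host === null) return { host, sameDomain: false, notes: ["not a parseable URL"] };
  const notes = [];
  if (/^[a-z][a-z0-9+.-]*:\/\/[^/?#]*@/i.test(raw)) notes.push("userinfo before @ hides the real host");
  if (host.split(".").some((l) => l.startsWith("xn--"))) notes.push("IDN label (punycode) in host");
  if (/safelinks\.protection\.outlook\.com/i.test(raw)) notes.push("wrapped by Safe Links");
  const sameDomain = registrable(host) === expectedDomain;
  return { host, sameDomain, notes };
}

// Constructed samples: [url as it appears, domain the reader would assume].
const SAMPLES = [
  ["https://www.example.com/login", "example.com"],
  ["https://www.example.com@evil.test/login", "example.com"],
  ["https://example.com.evil.test/login", "example.com"],
  ["https://ex\u0430mple.com/login", "example.com"], // Cyrillic 'а' in the label
  ["https://nam00.safelinks.protection.outlook.com/?url=https%3A%2F%2Fevil.test%2Fpay&data=x", "example.com"],
  ["https://ausp.example/a1b2", "auspost.example"], // a legitimate short domain trips the check
];

function report() {
  return SAMPLES.map(([raw, expected]) => ({ raw, ...inspect(raw, expected) }));
}

// Stand-alone run: prints host, verdict and notes for each sample.
for (const r of report()) console.log(r.sameDomain ? "same  " : "DIFF  ", r.host, r.notes.join("; "));
```

Two things stand out when this runs. First, the parser rather than the reader decides what the host is, and the userinfo, subdomain-prefix and homograph cases all resolve to a domain the text never showed. Second, the last sample is the Australia Post situation from above in miniature: a real short domain fails the "expected domain" test exactly as a phishing domain would, so the heuristic cannot separate the two without outside knowledge.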
@mattblaze it’s never been clear to me if Lockdown mode suppresses linkable URLs. Does it?
My dad clicks every single one. I’ve had to set up screen time content restrictions and an allow list of URLs.
I enjoy the ones I get like this where they misspell words.
I received the same message a week ago immediately after receiving a notice from Amazon that a package couldn't be delivered. Makes me wonder if spammers know more about Amazon deliveries than I know.
@mattblaze the domain is enough to stop one in one's tracks. I usually look up domains to see who registered them, but that information is getting harder to come by these days:
@pcbeard https://hachyderm.io/@shortridge/111784865253206399
@RHW @mattblaze of course. That’s why we have to teach non-technical people how to cope with phishing. I wouldn’t expect non-technical people to know about whois searches. If a web address doesn’t end with .gov but purports to be from USPS, that’s a valuable red flag. The other difficulty is typo squatting. Not every URL points where you think it does.
@mattblaze I'm reminded of Last Week Tonight's episode on Ransomware, where apparently Ransomware deliverers had a whole support system to help get people to buy cryptocurrency to send it to the ransoming party to unlock their device.
Only now, it's included in the main text?