oak_kittenMar 7
Robin DeRosa
I am taking a required online training on "internet security" at my new university. In order to get the course to run properly, I was advised to enable all cookies and pop-ups and relax several other security settings in my browser. Good times.
Mar 6 at 7:13pmWeb
Show threadDavidMar 6

@actualham

It was a test and everyone who completed the training failed the training

Show threadRobin DeRosaMar 6
@drdrowland sadly no. But would have been a brilliant final exam
Show threadWTLMar 6
@actualham @drdrowland 💯🤣
Show threadEconprophMar 6
@actualham I'm not sure those words mean (or do) what they think they do. SMDH.
Show threadFredrik GraverMar 6
@actualham 😂😬😭
Show threadadamriceMar 6

@actualham I once had to take a web-based infosec training module in order to work with a certain client.

The module was implemented in Flash.

Show threadRobin DeRosaMar 6
@adamrice oh flash remember those fun days
Show threadMozMar 6
@actualham @adamrice "oh flash" sounds like an adult not swearing around the kids.
Show threadMelloMar 7
@moz @actualham @adamrice FLASH YOU, MOTHAFLASHA!!
Show threadchris actualMar 7
@crisps @moz @actualham @adamrice what the flash?? every time I type flash it changes it to flash
Show threadHubert FiguièreMar 6
@actualham classic
Show threadKevin RussellMar 6

@actualham

Run a virtual machine to delete soon?

Show threada colony of eukaryotesMar 6
@actualham Our introduction to computer security started with everyone instructed to (launch a presentation by)... clicking a link in an unsolicited email. <groan>
Show threadBytebro 🇬🇧 🇺🇦 🇬🇱Mar 6

@actualham

Good time to find a better UNI, methinks!

Show threadRay Gulick, he/him/wtf 🇺🇦 ❌👑Mar 6

@actualham

The latest argument in favor of "those who can, do; those who can't, teach."

I'm an ex teacher, BTW/

Show threadCadbury MooseMar 6

@rgulick @actualham

And the final part:

Those who cannot teach administrate[1].

[1] or alternately: "teach teachers".

Show threadRobin DeRosaMar 6
@rgulick note that my excellent uni has world-renowned experts on cybersecurity, and highly skilled instructional designers. But all of this was farmed out to a third party, which is why it could hardly run inside our canvas without everything breaking. Another example of how we hire consultants to sell us what we could do better ourselves but think we can’t “afford” to support internally.
Show threademeritrixMar 6

@actualham @rgulick

I presume the "we" hiring the consultants are not the faculty who usually know a thing but the administrators, who at many universities I'm familiar with are corporate/corp-adjacent types who know line-go-up.

Show threadRobin DeRosaMar 6
@anarchademic @rgulick probably legal and the back end of IT
Show threadohirMar 6
@actualham @rgulick
> all of this was farmed out to a third party
Internal team would not pay the comission to the pockets due, simple as that.
Show threadRubenMar 7
@actualham @rgulick management getting in the way of education. It's the late-capitalism way. I've learnt that any mandatory education with the word Cyber in the title has little to do with security.
Show threadBillMar 7

@rgulick @actualham

Those that can't teach teach teachers

Show threadFlying Donny for DemocracyMar 6
@actualham Wow!
Show threadPaul_IPv6Mar 6

@actualham

i was working for a large corporation during a time they were going through the due diligence for a merger. since both companies were publicly traded, there were some very strict SEC rules about access to the info from both companies.

in order for me to see said documents to do the techical review, it required that i used only windows explorer, disable all ad blockers, all security features, and authenticate over an insecure web link.

yay for security...

Show threadCadbury MooseMar 6

@paul_ipv6 @actualham

I hope you demanded an expendable computer and printer for the purpose and had them securely destroyed afterwards.

...and then washed your hands thoroughly.

3:O)>

Show threadPseudo NymMar 6

@paul_ipv6 @actualham

Same as it ever was. Same as it ever was.

As part of #infosec, I weep when I see stuff like this and the training class.

The unauthenticated emails from 3rd party platforms that HR uses to inform employees of legit business stuff, the surveys, all of it.

And they wonder why BEC (business email compromise) keeps happening when the bad guys send a legit looking "We changed our bank account, please update this routing number" email to Accounts Payable.

Show threadPaul_IPv6Mar 6

@pseudonym @actualham

i worked at a company that did 3rd party phishing mandatory training, with "click on this link" to start the video.

HR forgot to tell anyone that the email would be coming from a 3rd party or what domain name it should be for the link.

our VP of engineering was pretty proud that over 70% of the engineering part of the company reporting the email as a suspicious phishing attempt. sadly, we still had to watch the video, which was pretty useless...

Show threadMichelle BaconMar 6
@paul_ipv6 @pseudonym @actualham I've heard the head of IT tell off multiple people for not doing the mandatory training...and they all tell him they thought the emails were malicious. Nothing has changed.
Show threadMozMar 6

@pseudonym @paul_ipv6 @actualham for a while I had a mortgage with a bank that primarily communicated via a generic bulk email provider that obfuscated links in emails.

So I'd get "Important notice about your loan" from nsw6252.salesmail-au.com and every URL was to ...cliktrak.org

They could not understand how this was problematic. "just click the link"

Show threadSteve GisselbrechtMar 6

@actualham

I used to have to do a sample submission procedure that required both enabling Excel macros and enabling JavaScript and I thought, I don't *really* believe that whoever set this up is a mole for a botnet farm, but I can't see how their behavior would be any different if they were.

Show threadsoftproofMar 6
@actualham They prolly also strongly advised to use google chrome because, well, the internet loves it. Good times for good people.
Show threadRobin DeRosaMar 6
@softproof yes. I always use a lot of hand sanitizer after I have to whip out Chrome 🤮
Show threadsoftproofMar 8
@actualham Sound practice indeed. Let's hope it kills all hidden germs.
Show threadJake in the desertMar 6
@actualham 🙄 🤮
Show threadBørgeMar 6
@actualham After doing all that one should just come to a website saying "you failed the class"
Show threadZSMar 6
@actualham As someone who develops and supports e-learning, I can tell you that ALL the software available to produce and then host it is terrible. In ours, depending on which software was used to create the SCORM you either must use Edge for some and Chrome for others. It’s a total nightmare.
Show threadRobin DeRosaMar 6
@ZS SCORM was a new term for me and it was at the root of the whole fiasco I have learned
Show threadZSMar 6
@actualham The struggle is real. 2 years in the e-learning team broke me, just waiting a transfer to a different department to get away from it. 😆
Show threadBilly SmithMar 7

@ZS @actualham

Even worse, the SCORM standard was developed for the USA DoD :O

https://en.wikipedia.org/wiki/Sharable_Content_Object_Reference_Model

Sharable Content Object Reference Model - Wikipedia

Show threadMozMar 6

@ZS @actualham some of us have a VM with Windows and Edge and Chrome specifically for times like that. The VM gets reset after every event. No reason.

Also, please provide the link to the training in the form of a QR code in a PDF that takes users to a URL obfuscator before redirecting to the actual training.

Show threadAby & the Axolotls ꒰(˶• ᴗ •˶)꒱Mar 6
@actualham - ✨✨yikes✨✨
Show threadCarolynMar 6
@actualham That seems a work computer thing.
Show threadRoger BW 😷Mar 6
@actualham And when you say "no", I bet they don't give you a pass…
Show threadmanchickenMar 6
@actualham how else are they going to train you to know how you’ve been breached if you haven’t been breached? Windows and macOS both have a bunch of new features to breach, so it’s important to know what it looks like when they are breached.
Show threadWideEyedCurious 🇺🇸 💙 🇺🇦 & 🇨🇦Mar 6
@actualham 👀🫤
Show threadPete Prodoehl 🍕Mar 6
@actualham Admiral Akbar.gif alt text "It's a Trap!"
Show threadbeemohMar 6
@actualham Reminds me of the fake phishing email they sent everyone as a 'training' at a firm I worked at, only for not only people to see through it, but also meticulously send back all the reasons why it was clearly fake.
Show threadEliza MBMar 6

@actualham

In a virtual machine, of course.

Show threadGabriel NMar 6

@actualham malicious actors are the reason we can’t have nice things:

It seems that there’s no way to share anything with a URL these days.

You can’t even trust QR’s, and that is the only way to read a restaurant’s menu in Santiago since the pandemic.

Show threadChookMother 🇦🇺🦘Mar 6
@actualham 'Tis the Age of Bewilderment.
Show threadLeonardo FontenelleMar 6
@actualham 🙃
Show threadTodd KnarrMar 6
@actualham At least where I work I can legitimately respond "Can't do. Those settings are managed by security policy and the ability for users to change them is disabled.".
Show threadSebastian ZMar 7
@actualham Same vibe at my Uni where they hosted a „digital privacy day“, meanwhile the whole infrastructure got moved to microsofts cloud apps
Show threadPaco HopeMar 7

@actualham I assume you probably got a link to that training by email. And it went to some site like mycompanytraining dot com, when your company’s domain is mycompany dot com. So you just clicked the link in the email to launch the web training that has you turning off the ad blockers and pop up blockers…

Perfect

Show threadMrGrumpyMonkeyMar 7
@actualham Time to run this in a VM.