Security advice is just wrong, based on bad assumptions about corporate behavior (solipsys.co.uk)
19 points by ColinWright on May 27, 2022 | hide | past | favorite | 24 comments



After having finished my master's degree I realized something important that must be understood about corporate security.

Corporate/Enterprise security has nothing to do with securing things; it has to do with offloading risk and liability. It isn't about making things secure, it's about making sure you don't get blamed when things do happen. Because when security things do happen it's the customers who take the shafting, not the organization itself. Who cares if you get slapped with a fine or lawsuit? It doesn't have much to do with the stock price and is likely going to be less expensive than actually implementing real security controls.

This also explains why there are so many people selling security "solutions" out there, because the C suite doesn't really care about security; in fact they may not even want it. After all, with real security comes real monitoring and logging and non-repudiation, which can get important people in trouble if it's found out. They want to check the box that says they paid for super secure stuff, and now if it doesn't work they just turn around and blame the vendor and bicker with them. All this happening while their customers' identities are being stolen and their data sold.

Remember CSO stands for Chief Sacrificial Officer.

Ultimately, if we really want to be secure we must realize that at the end of the day security isn't some glamorous special super world of spies and hackers. Security is 90% just a QA problem. Once security gets reframed as a quality problem it allows us to start addressing it like the problem it is and not the security theater that is constantly going on.


Underlying tweet thread is here: https://twitter.com/crdudeyoutube/status/1529994566115348485

> How about "if you click a link in an email sent by your bank, make sure it goes to your bank's actual web address"? That would be great advice if my bank's IT could keep all their systems within one domain; they can't, and register shit like http://banknamelending.com.

This is a very distressing pattern. So many terrible attempts have been made to verify the identity of the server for the purposes of mutual authentication, and all of them are terrible, and behavior like this (incredibly common!) is part of what makes it untenable.

And the banks, etc., will occasionally try to consolidate their pages into their main domain for this reason, but lock down the domain so much that internal teams that want to promote some crazy feature end up having to work around this by launching under a new, sketchy-looking domain because users just don't care.

The other trend I hate is to show on a webpage information about identifying bad servers, because it can't help by definition. I ended up on https://login.gov a little while back, and it warns you:

> An official website of the United States government

> Here’s how you know

> Official websites use .gov

> A .gov website belongs to an official government organization in the United States.

> Secure .gov websites use HTTPS

> A lock or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

That's great! If I had to phish the US government page, I would just include this warning but change it to suit my purposes, because it's not like they'll open the government page to check. "How do you know if this is an official US government website? Official US government websites always use either .gov or .ru"


> Underlying tweet thread is here: https://twitter.com/crdudeyoutube/status/1529994566115348485

Yes, as I said elsewhere, if you open the chart you can click on any node to take you directly to that tweet, including the initial one.


Best bank phishing site I ever saw was hosted by the bank itself. Whatever CMS they were using allowed GET URLs which specified the contents of an iframe.
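An added example, not from the thread or from any bank's code, covering two of the complaints above: the e-mail link that should "go to your bank's actual web address" (the comment quoted earlier) and the CMS page that took an iframe target from a GET parameter. Both come down to one check: is the target origin on an explicit allowlist of hosts the bank controls? The hostnames `bank.example`, `online.bank.example`, the lookalike `bankexamplelending.test`, the sample e-mail and the query strings are all constructed for the example.

```python
"""Added example: one allowlist check behind two of the complaints in this thread.

  1. An e-mail link is only "the bank's actual web address" if its origin is
     one the bank controls; a lookalike registrable domain must fail.
  2. A page that copies a GET parameter into an iframe src lets the bank's own
     site host a phishing page unless that src passes the same check.

Everything here (hostnames, sample e-mail, query strings) is constructed.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of exact hostnames; a real one is configuration.
ALLOWED_HOSTS = {"bank.example", "online.bank.example"}
FALLBACK_FRAME = "https://bank.example/"


def is_allowed_target(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for an absolute https URL whose host is exactly allowlisted.

    urlsplit().hostname strips userinfo and port, so 'https://bank.example@evil.test/'
    resolves to evil.test. Exact matching (no substring or endswith tests) is what
    makes 'bank.example.evil.test' and 'bankexamplelending.test' fail.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in allowed_hosts


def classify_email_links(html_body):
    """Label each href in an e-mail body as 'bank' (allowlisted) or 'suspect'."""
    links = re.findall(r'href="([^"]+)"', html_body)
    return [(url, "bank" if is_allowed_target(url) else "suspect") for url in links]


def render_frame_vulnerable(query_string):
    """The pattern from the thread: whatever ?src= says becomes the iframe target."""
    src = parse_qs(query_string).get("src", [""])[0]
    return f'<iframe src="{src}"></iframe>'


def render_frame_hardened(query_string):
    """Same endpoint, but an off-allowlist src is replaced by a fixed bank page
    and the attribute value is HTML-escaped before it reaches the markup."""
    src = parse_qs(query_string).get("src", [""])[0]
    if not is_allowed_target(src):
        src = FALLBACK_FRAME
    return f'<iframe src="{html.escape(src, quote=True)}"></iframe>'


# Constructed sample e-mail with one genuine link and two lookalikes.
SAMPLE_EMAIL = (
    '<a href="https://online.bank.example/login">Log in</a> '
    '<a href="https://bankexamplelending.test/offer">Refinance today</a> '
    '<a href="https://bank.example@evil.test/reset">Reset password</a>'
)

if __name__ == "__main__":
    for url, verdict in classify_email_links(SAMPLE_EMAIL):
        print(f"{verdict:8} {url}")
    print(render_frame_vulnerable("src=https://evil.test/phish"))
    print(render_frame_hardened("src=https://evil.test/phish"))
```

The check is deliberately an exact-host match rather than "contains the bank's name" or "ends with the bank's domain": the first accepts `bankexamplelending.test`, the second accepts any subdomain an attacker can take over. The hardened handler also shows why the thread's CMS was a phishing host: the vulnerable version reflects the parameter straight into markup, so it frames any site and breaks out of the attribute on a stray quote.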


This title of the post here from the first thread is a bit counter to what the twitter thread itself is about, which is basically complaints about businesses being terrible at doing things in a safe way, and why that undermines what is otherwise good general advice.

The complaints are generally valid and I'd encourage a read of the full thread. However, where I disagree is that those pieces of general advice should be thrown away just because numerous companies are failing to do things well.

To look at the bank/credit card examples, in my opinion if a company is going to make the kinds of decisions where their fraud department is asking shady questions, they need to pay for those mistakes through employee hours wasted and complaints to regulators. I realize though I'm in the minority and can reasonably take the time to yell at the bank(s) for doing stupid things. I have personally had more success simply going into my local bank branch with my ID and so on at getting these things moving quickly, which most people appear loath to do. Sit down in front of someone and make it their problem, start costing them money and they'll rectify things far quicker it seems (obv. YMMV).

I hope in 15-20 years with a slew of new retirees who have the knowledge and the time to fight this kind of garbage we'll start to see meaningful changes to these practices.


> I hope in 15-20 years with a slew of new retirees who have the knowledge and the time to fight this kind of garbage we'll start to see meaningful changes to these practices.

No. Brilliant young people have age related cognitive decline.


> Emails will not come from the domain of the company that sent them and companies will call you and ask for your SSN, and often you have no choice but to comply with these or not use those services, because they simply offer no other options.

I still can't understand how it's possible that an SSN is used as a sort of password. In Italy and Belgium (the two places where I lived) there is an equivalent thing, of course, but it's not meant to be a password at all. If anything, it's akin to a username. If you want to authenticate against it you need something else (an actual password, a smart card, a 2FA app, it depends). In Italy, specifically, the so called "fiscal code" is essentially a function of your name, surname and place and date of birth.


It would be cool if governments issued each person a “real” SSN only available to that person and the government, and an encryption tool/function. When a company asks to verify your ID they provide a “request” with the company ID with a timestamp, you encrypt it and send it back to them, and the company can send the encrypted request to the government who decrypts it and verifies that you authorized it.
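An added example, not from the thread, of the exchange just described: a company builds a request carrying its ID and a timestamp, the person authorizes it with a secret shared only with the government, and the government confirms that this person authorized this exact request. The comment says "encrypt"; this version uses a keyed MAC (HMAC-SHA256) over the request, which is an assumption, and it adds a freshness window and nonce tracking so a captured authorization cannot be replayed. The three classes, the identifiers and the field layout are all constructed for the example.

```python
"""Added example: the "encrypted request" ID check described above, realised as
challenge-response with a per-person secret shared only with the government.

Parties (all constructed for this example):
  Government - issues each person a secret and later verifies authorizations.
  Person     - keeps the secret and authorizes requests presented to them.
  Company    - builds a request (company ID, timestamp, nonce), gets the person's
               authorization, and forwards both to the government.
The 'encrypt' step from the comment is implemented as HMAC-SHA256, an assumption.
"""
import hashlib
import hmac
import secrets
import time


class Government:
    def __init__(self, max_age_seconds=300):
        self._secrets = {}          # public_id -> secret bytes
        self._seen = set()          # (public_id, nonce) pairs already accepted
        self.max_age = max_age_seconds

    def enrol(self, public_id):
        """Issue a secret; in practice it would reach the person out of band."""
        secret = secrets.token_bytes(32)
        self._secrets[public_id] = secret
        return secret

    def verify(self, public_id, request, tag, now=None):
        """True iff the person holding public_id authorized exactly this request,
        the request is fresh, and its nonce has not been accepted before."""
        now = time.time() if now is None else now
        secret = self._secrets.get(public_id)
        if secret is None:
            return False
        try:
            _company_id, ts, nonce = request.split("|")
            ts = int(ts)
        except ValueError:
            return False
        if abs(now - ts) > self.max_age:
            return False
        if (public_id, nonce) in self._seen:
            return False
        expected = hmac.new(secret, request.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        self._seen.add((public_id, nonce))
        return True


class Person:
    def __init__(self, public_id, secret):
        self.public_id = public_id
        self._secret = secret

    def authorize(self, request):
        """Bind this person's secret to the exact request text."""
        return hmac.new(self._secret, request.encode(), hashlib.sha256).hexdigest()


class Company:
    def __init__(self, company_id, government):
        if "|" in company_id:
            raise ValueError("company_id must not contain the field separator")
        self.company_id = company_id
        self.gov = government

    def make_request(self, now=None):
        now = int(time.time() if now is None else now)
        return f"{self.company_id}|{now}|{secrets.token_hex(8)}"

    def check(self, public_id, request, tag, now=None):
        return self.gov.verify(public_id, request, tag, now)


def demo(now=1_700_000_000):
    """Run the exchange once and return (accepted, replay_rejected,
    other_company_rejected, stale_rejected)."""
    gov = Government()
    secret = gov.enrol("person-123")
    alice = Person("person-123", secret)
    acme = Company("acme-lending", gov)

    request = acme.make_request(now)
    tag = alice.authorize(request)
    accepted = acme.check("person-123", request, tag, now)
    replay_rejected = not acme.check("person-123", request, tag, now + 1)

    # Another company cannot present Alice's tag against its own request.
    other_request = Company("other-co", gov).make_request(now)
    other_rejected = not acme.check("person-123", other_request, tag, now)

    # A fresh authorization is refused once the timestamp is outside the window.
    late_request = acme.make_request(now)
    late_tag = alice.authorize(late_request)
    stale_rejected = not acme.check("person-123", late_request, late_tag, now + 3600)
    return accepted, replay_rejected, other_rejected, stale_rejected


if __name__ == "__main__":
    print(demo())
```

The company never sees the secret and cannot mint a tag for a request the person did not see; the government only ever learns that a given request was authorized, not what the company does with it. The smart-card scheme mentioned in the next reply replaces the shared secret with a private key on the card, so the government verifies a signature instead of recomputing a MAC; the freshness and replay checks stay the same.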


My government does that: I can have a smart card that, with the appropriate protocols, can issue a cryptographic legally recognized proof that I am who I am.


That's overcomplicated and unreliable.

Just use an Authenticator app.

But that doesn't solve the problem of needing an ID that they can tie to everything else.


As I've previously said, some people will hate this format.

If you're one of them, just click on a node to read the tweets via the Twitter interface.


Hadn't seen it before, and my first thought was "wow, that's a lot nicer than trying to read via twitter"

Have you considered a HN/generic forum display output format? :)


I'm working on all sorts of things, but am hampered by the facts that I have (a) no skillz, (b) no time, and (c) no money.

But I have a version of this to visualise Mastodon discussion, HN discussions, and I have a tool that lets you have discussions directly in the graph format, including being able to tie threads together to help people come to conclusions.

So, sort of. It's all a long way off being usable, though.


Isn't printing newlines and tabs easier than graphviz?


I guess I don't understand what's being suggested, because this comment makes no sense to me. I have a large and complex DiGraph ... are you suggesting there's a simple way of laying it out using plain text?

Here's an example of another chart produced by my system:

https://www.solipsys.co.uk/Chartter/ReadingHeyer_20220429.sv...

How would you produce that with newlines and tabs? If you're suggesting the usual linear/indented version that existing social media systems use, that's exactly what I'm trying to get away from, so I can properly visualise the entire tree, seeing descendants as descendants, and not as a comment a long way down the page.

Maybe I'm just not understanding what you're suggesting.


Interesting concept and I think there's a great idea here buried behind some usability issues.

Having an option to go top down might help, as would ability to collapse branches and maybe zoom out/in to get a broader overview and then focus on certain areas.

In the left-to-right view I had to scroll down to get to the root of the tree and I was confused what I was looking at until I saw that - ensuring that the root node is always visible on load would probably help a lot.

Seems like something D3 might be good at, making it more interactive instead of static svg?


I've deliberately put the original thread running down the left with the discussions going off to the right, because that seems to be more usable for most people. Other options exist, I can just have it run as an ordinary tree from the top, but it's harder to find the "one true thread".

I've used other more dynamic layout systems, but they tend to wobble about and give me motion sickness, or not do as well with the layout. There's a lot going on here.

Yes, foldability, forcing layout, allowing people to move things around, I've tried all of these to the best of my ability, and other people have had a go, then given up and gone away. To do a decent job will require skill and time, neither of which I have.

I am, as you might be able to tell, frustrated with this. I know very much how Ted Nelson feels. I have a vision, and I have neither the skillz to implement it, nor the ability to communicate it clearly to others. Yes, there are many things that can be done here.



Great if all you want to read is the initial thread, but if you're interested in any of the discussion, that doesn't really help.


What good is the discussion if you don't fully read the initial thread? That graph makes it really difficult to do.


You can read the initial thread just by opening the chart and scrolling down ... the initial thread is there down the left side.

But, you know, whatever works for you.


Just reporting my experience like a focus group user:

I opened the chart and thought "I am supposed to look at the thing on the screen". It was a reply out of context so it didn't make sense. I didn't consider clicking through because there is not an affordance of clicking like an arrow or a URL. I didn't scroll around because the thing I saw didn't grab my interest.

I saw your other post and scrolled down to the top tweet on the left. I looked to the immediate right for the self-reply to the top tweet. It wasn't there, so I gave up. I didn't notice the lines heading off-screen and I didn't expect them there. My mental model was a tree with a single top-level element.


I've experimented in the past with putting a node at the top left to say to people "Scroll down", or "Scroll right", depending on which layout I've used, but folks giving usability feedback who are experienced with it say that it's annoying and irritating constantly to be told something they know.

So it's the usual problem of helping the novices versus annoying the experienced. Given that there's no login or other persistence I'm pretty sure I can't solve that. I'll probably put the top-left node back in.

Thanks for the feedback.


Thanks for listening even when complaints contradict each other.

An idea I just had: a little inlay in the upper right showing where you are in the complete image. That would help people realize they could scroll around as well as helping them get context of the shape of the tree.



