The problem is, we haven't really created a safer world. We created an illusion of safety by taking away agency.

We might be safer in terms of vulnerabilities, root exploits, RCEs, etc. but the internet is still full of malware, scams are still just as rampant. Vigilance is still very much required, but is no longer taught.

Look at all the malware available on the Play Store. The curation does nothing but create an illusion of safety.

reply
It’s absolutely safer browsing the internet now than it was when I was a kid. Getting a virus or equivalent on your phone is no small feat.
reply
It happens all the time, and it's as easy as sending a phone a text, or a packet, or escaping a sandbox, but you'll rarely be aware of it when you're infected because, unlike the old days when malware would fill your screen with ads or something, today they just silently collect your data or use your internet connection for careful port scans or DDoS attacks. NSO Group spyware (or similar) could be on your phone right now.

Hell, cellphones these days ship with spyware pre-installed, Samsung being one of the worst for filling their phones with their own apps which spy on you constantly.

reply
No nation state actor is going to waste a 0day on a random nobody. Even the recent Notepad++ exploit was only used against specific political targets. Any actor smart enough to be able to have an arsenal of 0days at their disposal is also smart enough to use them only where they are worthwhile because they will only get to do it once.

Believing you are more under threat from sophisticated government hackers rather than unsecured IoT devices, unvetted npm packages or hijacked download links is just LARPing for people who want to sound more important than they actually are, IMO.

reply
We've seen examples of phones being hacked which belonged to journalists, producers, editors, activists, staffers at NGOs, lawyers, security researchers, doctors, CEOs, HNWIs, government workers, and even their families and friends. You can bet there are people here on this site who would easily be considered valuable enough targets, and because the people those targets associate with are also being hacked, you can bet that there are a lot of "random nobodies" caught up in it. It's also not just governments using attacks on cell phones; those just tend to be the most dangerous.
reply
Is it that much different? In the past if you downloaded the wrong file, you could get ads opening constantly, a new toolbar taking over your browser, data scraped and sent off to a mystery server, or have some process maximise your compute.

This accounted for most of the risks on the wild west internet, but the worst case scenario of permanently losing data or having to reinstall Windows was actually rarer than it was made out to be imho.

These days the common risks are the same, except they're no longer risks - all of those have been built into the fabric of everyday internet usage and criminals have been replaced by businesses. It's like the cliche about Vegas being better when it was run by the mob.

reply
The late 90s internet was filled with predators, skeeziness, and viruses that would break your computer and require a reformatting.

That stuff is still there if you look for it, but it's not on your social media feeds or in any of the apps provided through app stores.

reply
When I joined my last job I noticed that their email settings were misconfigured... EVERYTHING was going straight to the inbox, not even the most basic of spam filters were in place.

When I got filtering on observe-only mode I saw users were getting up to a dozen phishing emails every day.

We quickly did a hard simulated phishing test and most users opened the email but zero users clicked through.

Two years later, after we had excellent email filtering in place, our simulated phishing test had a 30% fail rate.

Take from that what you will!

reply
Immune system exercise, interesting point. At least you’ve kept up the checks.
reply
That's the philosophy behind Safety Third.
reply
Just curious, what comes first and second in this use of the phrase applied to computer security? I came to know the expression from fire circus performance and adjacent circles, where first and second are the safety of the audience and the venue, and third is your own. I use it often when I'm about to knowingly do something sketchy or potentially dangerous without applying the safety practices required "by the book", acknowledging the present danger to myself and accepting the risk. I never saw it used in an infosec context.
reply
Interesting, I haven't heard of safety third from circus circles. I've always known it as more along the lines of: if safety were actually the number one priority, no one would actually do anything, because it's too risky.

In terms of cybersecurity, I see it as "security first" culture means people rely on the system to keep them safe. "Safety third" (or security third) emphasizes that everyone should already know they are operating in a risky and dangerous environment and take security as a personal responsibility.

It's just a reminder that no one cares about your life more than you do, so stay vigilant and take personal responsibility.

Edit: just realized I didn't actually answer your question on the first and second priorities.

I suppose First would be the reason the system exists in the first place (buy something online, for example). Second would be the user experience of doing the thing. Security should help you take calculated risks rather than prevent you from taking any risks at all.

reply