Posts: 7259
Threads: 506
Joined: December 12, 2015
Reputation:
22
Can IT protect people from their own stupidity?
July 15, 2018 at 9:37 am
Quote: Russian operations against the DNC were extensive and, not surprisingly, very skillfully run. They began with "spearphishing," wherein fake sites made to look like real sites (for example, a phony gmail.com, or a phony warning that accounts had been hacked). These sites were used to capture login credentials, which were then used to login to and compromise at least 33 DNC computers. Here, for example, is a re-creation of a message that fooled Clinton campaign chair John DePodesta on March 19, 2016:
Once various malware and key-capture programs had been installed, the hackers routed stolen information (including e-mails) from the DNC to a server in Arizona they rented using bitcoin.
Making Sense of Friday's Indictments
I think that Firefox does a pretty good job here, but maybe John DePodesta could have benefited from a big, red pop-up warning??? What to do?
Posts: 5466
Threads: 36
Joined: November 10, 2014
Reputation:
53
RE: Can IT protect people from their own stupidity?
July 17, 2018 at 2:04 am
The weakest link in most systems is a human. It's why social engineering works.
"I was thirsty for everything, but blood wasn't my style" - Live, "Voodoo Lady"
RE: Can IT protect people from their own stupidity?
July 17, 2018 at 6:04 am
Maybe instead of "black lists", modern browsers should use "white lists", by default; and so, unless the site has been vetted, it should just get blocked?
RE: Can IT protect people from their own stupidity?
July 17, 2018 at 9:15 pm
(July 17, 2018 at 6:04 am) Jehanne Wrote: Maybe instead of "black lists", modern browsers should use "white lists", by default; and so, unless the site has been vetted, it should just get blocked?
Terrible idea. That would introduce pay-to-play, which would cripple smaller content providers. "You're not Google, or Facebook, or whatever, so you don't make the white list unless you can prove you're not harmful (and with a fee, naturally)." It's an anti-net neutrality idea, just that the gate keepers are browser vendors instead of ISPs.
"I was thirsty for everything, but blood wasn't my style" - Live, "Voodoo Lady"
RE: Can IT protect people from their own stupidity?
July 17, 2018 at 9:56 pm
I understand what you are saying; maybe a non-profit certification authority could do the heavy-lifting?
RE: Can IT protect people from their own stupidity?
July 17, 2018 at 10:39 pm
(July 17, 2018 at 9:56 pm) Jehanne Wrote: I understand what you are saying; maybe a non-profit certification authority could do the heavy-lifting?
How would sites be certified? What would certification actually mean? Would Joe "Look, Ma, I can do WordPress all by myself" Schmo be able to get certified? What if, after certification, their site gets pwned one way or another? What about false positives - sites still in development that are mistakenly/accidentally pushed to the public (it happens more than it should)?
There are a ton of sites out there. New, legit sites are popping up all the time. We're only just beginning to get heavy SSL adoption with Let's Encrypt, but, from a technological standpoint, it's child's play. Especially on shared hosting where it's literally a control panel button click. As a defined problem, it's trivial - is the connection between client and host encrypted? Determining a site's overall safety, or, even more, its intent is a much harder problem to solve.
Not saying it can't be done, but it's not as simple as just making a white list of certified sites and calling it a day. There's a lot to consider, especially regarding the tension between how stringent the hypothetical certification process would be and the idea of an open internet. That, and browser adoption. The vendors have their own interests, and generally speaking, one of Apple/Microsoft is usually absent from any kind of joint foundation whose mission is setting some kind of web standard.
"I was thirsty for everything, but blood wasn't my style" - Live, "Voodoo Lady"
RE: Can IT protect people from their own stupidity?
July 18, 2018 at 7:15 am
(This post was last modified: July 18, 2018 at 7:15 am by Jehanne.)
Google, to an extent, already does this; also, there is this site:
VirusTotal
Maybe a site could actively troll all links once every few hours, and if they are good, they get a "green", maybe a "yellow" for anything odd, "red" for suspicious, etc.
Again, all of this would be voluntary; it just seems like the DNC hacks should have been completely preventable.
Posts: 7677
Threads: 635
Joined: January 19, 2013
Reputation:
30
RE: Can IT protect people from their own stupidity?
July 22, 2018 at 11:06 pm
It's an infinite loop if you think about it: the hackers will always attack, and the defenders will always hide. Soon enough, our status as defenders would mean "more and more freedoms gone from the internet".
Just like real life, authentication is a must before any interaction. So the key should be authentication.
Take the Clinton example:
- Clinton's guy signs in. Is this the right site? Provide proof, please.
- Site takes John's request. Is this the right man? Provide proof, please.
This simple authentication is carried on with bank accounts. Why isn't it carried out in crucial places on the internet on demand?
Google provides sign-in through the mobile phone now. That is a nice way to execute the authentication test between Google and the user.
Aren't there private channels for these people to use? I mean like a VPN?
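The two-way proof asked for in the post above, as an added example that is not part of the original thread: a simplified Python model of origin-bound challenge-response, the idea behind hardware security keys. The class names, the two origins and the use of HMAC in place of public-key signatures are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key, origin, challenge):
    return hmac.new(key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()

class Authenticator:
    """User-side device holding one secret per registered origin (model)."""
    def __init__(self):
        self._keys = {}

    def register(self, origin):
        # Stand-in: real security keys hand the site a public key, not a secret.
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]

    def respond(self, origin_in_address_bar, challenge):
        # The browser supplies the origin it is connected to; the page
        # cannot choose it, so a lookalike cannot borrow another site's key.
        key = self._keys.get(origin_in_address_bar)
        if key is None:
            return None  # never registered at this origin: nothing to sign
        return _mac(key, origin_in_address_bar, challenge)

class Site:
    def __init__(self, origin, key):
        self.origin, self._key = origin, key

    def verify(self, challenge, response):
        if response is None:
            return False
        return hmac.compare_digest(_mac(self._key, self.origin, challenge), response)

def login(site, authenticator, origin_in_address_bar):
    """One login attempt; the user may be on the real origin or a lookalike."""
    challenge = secrets.token_bytes(16)  # fresh per attempt, issued by the site
    response = authenticator.respond(origin_in_address_bar, challenge)
    return site.verify(challenge, response)

def demo():
    real = "https://mail.example"        # constructed origin
    fake = "https://mail-example.test"   # constructed lookalike origin
    device = Authenticator()
    site = Site(real, device.register(real))
    return login(site, device, real), login(site, device, fake)
```

A typed password has no such binding: it is the same string whichever site the user types it into, so the site gets proof of the user while the user gets none of the site.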
RE: Can IT protect people from their own stupidity?
July 23, 2018 at 7:59 am
No one seems to have broken Debian or BSD, at least here recently. Certainly, the DNC can do better!
Posts: 10801
Threads: 15
Joined: September 9, 2011
Reputation:
118
RE: Can IT protect people from their own stupidity?
July 23, 2018 at 10:30 am
We need to come up with a strategy that can defend against hundreds of troll farms with millions of rubles in funding coupled with countless twitterbots gnawing away at the bonds that unite us and feeding the fears that divide us. Cybersecurity is a necessary part of that, and we need to be throwing our best efforts at this problem instead of pretending it's harmless.
I'm not anti-Christian. I'm anti-stupid.