Comment by palata 2 days ago

I am not sure what you are trying to say.

Security is a gradient. At some point, adding security means reducing freedom. It is a societal choice where you stop. If you put all the humans in your country in a jail, each in a separate cell, never let them go out and just bring them food, then there will be no crime in your country. But nobody wants that.

> I think this principle applies to every single type of social engineering attack. Limiting the context of permissions lessens the risk of a confused deputy.

A confused deputy is a computer program. We're talking about phishing.

Borealid 2 days ago

Originally you were positing that phishing (specifically password phishing) was not preventable.

Now you are arguing that by restricting users' permissions it is possible to move along the security gradient, potentially to a point where phishing is not a viable threat.

I agree.

  • palata a day ago

    As I said, I was talking about phishing generally. Password was an example, and passkeys do help with some of the pain there, for sure.

    > potentially to a point where phishing is not a viable threat

    You keep ignoring the parts that are inconvenient to you :-). I said that at some point, increasing security means decreasing the freedom. It's a compromise. And as long as people have some freedom, someone will be able to abuse it. Phishing will always exist. The only way to prevent phishing entirely is to remove all the rights of everybody. If I cannot do anything, then I cannot do anything wrong. As long as I can do something, I can do it wrong. Phishing fundamentally leverages that.