Hacker News: MoZeu's comments

Clearly you do not have poodles. They don't do that.



Didn't Steven Spielberg make a movie about this?


Not forcing introverts into painful, humiliating social encounters will go a long way.


Conversely, keeping extroverts at home and away from each other probably isn't doing them any good.


According to Wikipedia: "AARD code was originally discovered by Geoff Chappell on 17 April 1992 and then further analyzed and documented in a joint effort with Andrew Schulman.[2][3][4][5][6] The name was derived from Microsoft programmer Aaron R. Reynolds (1955–2008),[7] who used "AARD" to sign his work; "AARD" was found in the machine code of the installer."


If you have to ask, you're doing it wrong.


It is inexcusable that Twitter is employing people who are susceptible to social engineering attacks like this. This is simple training and seriousness.


You too could be socially engineered. The world's foremost security specialists are not immune; there's a good chance that there is some social engineering vector that would work on you.

Admitting that to yourself is a huge step forward in being able to detect it. Believing yourself immune increases your chances of being spear-phished.


> The world's foremost security specialists are not immune

I bet there are some that are immune. But yes, 99% of employees can be phished.


Training that is notorious for being ineffective in practice and usually more about box ticking.

Assuming that none of your employees fall for phishing, much less targeted phishing, is woefully unrealistic. Especially at Twitter's scale.

Assuming humans won't do stupid things 100% of the time is never an effective security control.


Where I work there is training software that is somewhat effective at preventing phishing - it actually sends out phishing emails itself. Then employees who fall for it are given extra training (in a no-fault sort of way).


Perhaps, but I'm also wary of these types of things, because I worry that people will feel embarrassed at being tricked, and will (maybe subconsciously) see the internal security team as the enemy, which is also a bad outcome.

I also worry that the emails might not represent real attack emails, and we end up training users to identify the test emails but not real attack emails.

(Not that I've got any better solution.)


Nothing is 100% secure. Having users fail to spot a phishing mail is very good training on general awareness, but no guarantee that they will not make mistakes under pressure.


Yep, I think that's a good thing. But I also think most employees will still fall for real phishing emails some of the time.


This is an excessively pessimistic take on security training. How many spear phishing attempts have been thwarted because the employee knew better?

It’s not a solution to the problem, but it certainly helps.


I would actually be interested in seeing some studies on that.

My gut feeling is that for engineers, the phishing training that most companies use is wholly ineffective at doing anything, and in particular it is especially ineffective against targeted attacks. But I have yet to see any research one way or another.

I suspect less technical users might benefit from such training a bit more (but still not that much).


How many? A fair number. Not 100%, though. If your system depends on your people 100% not falling for spear phishing, your security is dead.


Well, that’s what I meant when I said that it isn’t a solution. You shouldn’t rely on training, but it’s disingenuous to say it can’t help.


Ah. It seems I was in violent agreement with you.


All companies employ people who are vulnerable to social engineering tactics.

All of them.


It just takes one mistake to be spear-phished.


I will freely admit that I fell for a phishing campaign. I’d just bought something on eBay (this was a while ago). I got an email about something in my account later that day that made it through my spam filters. I clicked on it, signed in, and then realized I’d done the deed. Nothing happened or was lost, but yes - it just takes one quick mistake.


I don’t get it. You know your eBay password?


Some password databases involve copying and pasting or autotyping. If you want automatic hostname verification you need a password database integrated with your browser. On mobile many browsers don't support extensions, so integrating my password database into the browser would be hard.

In short, I do not know my eBay password, but I could have fallen for this phishing attack.


On mobile this is possible even without browser extensions - Enpass, LastPass etc. work just fine in Chrome or any other app, if it detects a password field.


Oh, you're right. I didn't know Android had that feature. Apparently I was way behind the times. I can no longer edit or delete my comment.


This was 2008 - way before I’d discovered the value of a password manager.


You say this like human beings can be perfect.

Nobody is perfect.

Everyone is vulnerable given time/effort.


I loved this show. You can watch purely for the opportunity to drool at Lee Pace even if for no other reason, and there are PLENTY of other reasons. It's a great story and gives a very insider look at the early days of the commercial web, online gaming, the PC, etc. etc. ... Deals very well with sexism in the industry without being hectoring about it. And did I mention Lee Pace? I think I might have ...


It is comforting to find I am not alone in this.

