

Mathematically… there has to be more than 2 or 3 people invited to orgies




Wait, you skinned it for hours but it wasn’t dead, and just walked off? Or it was dead and some animal took it while you weren’t looking?


Before Unicode adopted it in 2010, Gmail had added it in 2008 to their email client: https://medium.com/hackernoon/10th-anniversary-of-the-poop-emoji-aab16fcb5b08


Reactions like this work in closed ecosystems (Whatsapp / Facebook) where everyone is on the same client, or via open standards that are baked into the spec of the protocol. E-Mail has neither of these, which is why it’s so egregious that a whole email is being sent with 4-16 bytes of actual content itself.


It’s also such a dumb metric because most people’s jobs are to click on links elsewhere on the internet, yet when it’s in an email, it’s bad? Unless you’re running an old browser or there is a 0 day, simply opening a link isn’t going to hack your system, but further actions by the user would need to be taken to be compromised. These simulations don’t account for that.


What an emotional roller coaster, especially at the end when:
it cuts to his POV and is shown he was giving the eulogy at the wrong animal’s wake


Totally agreed, I get it’s easier to consider it a fail if you open the link, and that simply opening a random link has some inherent risk, but there should at least be a fake page to enter credentials and evaluate how many people actually go through with that, and break that out as a CRITICAL where the other clicks are HIGH or MEDIUM status, to classify the risk.
Also, this is just an anecdote, but in a similar phishing simulation I helped with, we had to bypass filters for rejecting emails with links for websites registered in the last 60 days. Obviously this isn’t a foolproof way to prevent phishing attempts, but it does cut out a lot of junk, and we’ve indirectly been training employees to not deal with that.


Abstract from the paper itself:
This paper empirically evaluates the efficacy of two ubiquitous forms of enterprise security training: annual cybersecurity awareness training and embedded anti-phishing training exercises. Specifically, our work analyzes the results of an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. Our results suggest that these efforts offer limited value. First, we find no significant relationship between whether users have recently completed cybersecurity awareness training and their likelihood of failing a phishing simulation. Second, when evaluating recipients of embedded phishing training, we find that the absolute difference in failure rates between trained and untrained users is extremely low across a variety of training content. Third, we observe that most users spend minimal time interacting with embedded phishing training material in-the-wild; and that for specific types of training content, users who receive and complete more instances of the training can have an increased likelihood of failing subsequent phishing simulations. Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks.
And the methodology:
Our study analyzes the performance of nearly 20,000 full-time employees at UCSD Health across eight months of simulated phishing campaigns sent between January 2023 and October 2023. UCSD Health is a major medical center that is part of a large research university, whose employees span a variety of medical roles (e.g., doctors and nurses) as well as a diverse array of “traditional” enterprise jobs such as financial, HR, IT, and administrative staff. For their email infrastructure, UCSD Health exclusively uses Microsoft Office 365 with mail forwarding disabled. On roughly one day per month, UCSD Health sent out a simulated phishing campaign, where each campaign contained one to four distinct phishing email messages depending on the month. Each user received only one of the campaign’s phishing messages per month, where the exact message depended on the group the user was randomly assigned to at the beginning of the study (§ 3.1). In total these campaigns involved ten unique phishing email messages spanning a variety of deceptive narratives (“lures”) described in Section 3.2. All of the phishing lures focused on drive-by-download or credential phishing attacks, where a user failed the phishing simulation if they clicked on the embedded phishing link.


I still personally benefit from the social engineering resistance training I’ve had over the years to this day though.
Me too, I use it to get out of situations I don’t want to deal with. “Ohh you’re calling me asking for PII? Sorry, I can’t provide that information unless I initiate the conversation. I’ll call the number I have on file for you to provide that.” <hangs up and never follows up>
Yeah, seems like investment in Energy sector has had the biggest increase over the last 5 years. Don’t invest in the guy mining for gold, invest in the guy selling pick axes

Just to add some more words of caution, when you buy an investment, you can potentially lose up to 100% of your principal, and there is no limit on the amount of money you can gain. When you short an investment, you can lose more than 100% of your principal, and are limited on your gains if the price goes to $0.


All of these claims are easily able to be checked from the archived version of the site. It was not using a home-grown encryption algorithm.
The last version released was independently audited and “found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances”
I had never heard of the warrant canary for TrueCrypt, and quickly searching for news of the time, was unable to find anything to indicate that there was ever a mention of an NSL on the website, so nothing to remove if they were served with an NSL.


My assumption has been that the author was pressured to add a backdoor or abandon the project since it was an issue for law enforcement. After TrueCrypt stopped releasing new versions, it was audited and there was no sign of any backdoor or flaw in the encryption. Now on-device encryption is more common but so are cloud backups, and law enforcement has found that going after cloud backups is much easier to subpoena. Plus there is a more mature industry for law enforcement to provide tools to bypass encryption without the developer complying.


And the reason for calendars is because the reminder that an event is starting is usually sent as an email from Google, with the description that has spam links. We’ve been training people to look at the sender to gauge trustworthiness, and with a sender of google.com, people feel like they did due diligence and can trust the contents of the email.
In case you need context like I did: Andrew stripped of ‘prince’ title and will move out of Royal Lodge
Everyone is posting the Snopes article, but you can also just check this for yourself by going to the actual Arlington National Cemetery website: https://www.arlingtoncemetery.mil/Explore/Notable-Graves/Prominent-Military-Figures


From the last time this was brought up, it had been pointed out that the courts have previously said that presidential pardons do not even need to be written
A 2024 federal appeals court decision said a pardon doesn’t even have to be in writing. “The answer is undoubtedly no,” the Fourth Circuit Court of Appeals ruled. “The plain language of the Constitution imposes no such limit.”


This seems like the right answer. Also, if there is an incident and your personal insurance is involved, you might be hit with higher premiums for years, and would have a case to have your employer reimburse the increase.
The cost of the rental car avoids a lot of bureaucratic headache on both sides that could last years if something were to happen.
No, it takes them -10 minutes to get home, duhh