this post was submitted on 24 Dec 2023
22 points (80.6% liked)
cybersecurity
3262 readers
8 users here now
An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
Community Rules
- Be kind
- Limit promotional activities
- Non-cybersecurity posts should be redirected to other communities within infosec.pub.
Enjoy!
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
There are many ways to be more selective about from whom to accept email. SPF, DKIM, DMARC, and various blacklists are among them. They are supposed to make life harder for spammers. But they have also made running a mail server something that few dare to try anymore. Setup is not easy, but getting blacklisted is, and it causes silent delivery failure, and takes days of work to fix.
As a result, most of the email is run by Microsoft and Google. But that didn't stop phishers. They just go after people at smaller companies where security isn't as tight yet, and then they've got valid Microsoft accounts to send from. Liars and Outliers by Schneier is about this sort of dynamic.
As for PKI: If I may assume you to be, or have been, affiliated with an armed service -- Whose property is your CAC? And why did you use a pseudonym to make this post? (I mean to be pithy, not sarcastic.) I think Liars and Outliers by Schneier is all about this sort of thing - but I didn't get much of it read before it was due back at the library.
Yeah, my frustration with how we've centralized email on those enterprises is that criminals and spammers can just get accounts, pay marketing fees, malware ads, etc.
Even PKI is frustrating in that it's both a racket where only a couple can do it for good reasons, they can almost charge whatever they want, and still there's places where you can get certs minted with almost no validation.
I initially hated token login, but after you realize you never need passwords, to remember accounts, and it works for signing documents.
I'm not says you shouldn't still have a private selection, but I wish we had a certified solution that could reduce deception. Or at least I would direct all non certified senders to spam.