Hacker News

I didn't get how people end up entering passwords into random places and clicking on suspicious links until I started to work for a big corp.

You get a lot of stuff in the inbox that doesn't exactly relate to your day-to-day work, from departments you have only vaguely heard about.

Then the UX of corporate stuff, especially the stuff from Microsoft, is designed in a way that randomly jumps in your face with a password prompt without you actively starting it. The session timeout here, the Kerberos prompt for the smartcard there, the VPN hiccup, Teams needing to reconnect after the laptop comes out of sleep. Then half of it randomly updates at some point and looks subtly different too.

After some exposure to this kind of stuff you don't even know what's real and what level of corporate-sanctioned bullshit is above or below the baseline set by The Policy.



And don't forget the "SSO Tax" that some SaaS implement. Ideally, your company login should be your one and only login, and should be strongly tied to your device, a hardware token, and a central directory. Often, SaaS providers charge far more to integrate with these directories, so companies will just use a lower-cost "LDAP Authentication" and condition users to enter their staff passwords on multiple sites :(


It’s time to start calling them what they are: insecure apps.

Maybe if they get the reputation they deserve they’ll change their ways


Nah, better to run those tests and chastise employees who fall for it.

After all, it's not that they're routinely required to enter their password on an endless list of websites all the time to do their job right? Right?


>"The session timeout here, the Kerberos prompt for the smartcard there, the VPN hiccup, Teams needing to reconnect after the laptop comes out of sleep. Then half of it randomly updates at some point and looks subtly different too."

OMG. Did not consider that. Lucky me. I do software development for clients, including some of decent size, but am independent to the point that all my development is done at my own premises (basement of my house ;).


I'm surprised it isn't common for companies to just block inbound external email by default.

Most of the time I have an inbox rule enabled that just deletes anything not from the corporate domain and a few other known services.


Beginning to understand why companies never respond to my emails…

What you are suggesting here sounds insane. You only get work emails from your corporate domain and a few others?


I use a similar filter at work but have it automatically label it as external and remove it from my primary inbox, not completely blocking but I have to go find emails from new people. I do filter external emails from vendors we do use into folders and read them. But the amount of spam I get just because someone managed to find my title and email is insane. I don’t even have my work email listed anywhere publicly that I am aware of.


It's not hard to find a corporate email based off a few standards.


I set up filters to eradicate some of the internal corporate scam. The CEO's email ramblings have no relevance to my day to day.


I've worked somewhere that adds a banner to all external emails.

Then they ran a phishing test and it didn't have the external banner :D
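The inbox rules described in this thread (delete anything not from the corporate domain, or label it external and file vendor mail into folders, and the external banner above) all reduce to one check on the sender's domain. The following is an added example, not code from any commenter, of that check done carefully in Python: it takes the domain from the parsed address rather than the display name, matches on a label boundary so a lookalike such as example.com.attacker.net is not treated as internal, and rejects headers carrying more than one address. The corporate domain example.com, the vendor allowlist and the sample headers are assumptions made for the example.

```python
"""Added example (not from the thread): a sender-domain inbox rule that
deletes or labels mail not from the corporate domain or a vendor allowlist.

Assumptions: the corporate zone is example.com, the allowlist below is
hypothetical, and the sample headers are constructed for the example.
"""
from email.utils import getaddresses

# Assumed corporate zone and trusted external senders (not from the thread).
INTERNAL_DOMAINS = {"example.com"}
KNOWN_EXTERNAL = {"vendor.example.net", "github.com"}
BANNER = "[EXTERNAL] "


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the single address in a From: header, or ''.

    The display name is ignored, so '"it-support@example.com"
    <phish@attacker.net>' yields attacker.net. A header that parses to zero
    or several addresses, or to an address without exactly one '@', is
    treated as untrusted and yields ''.
    """
    addrs = getaddresses([from_header])
    if len(addrs) != 1:
        return ""
    _, addr = addrs[0]
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def in_zone(domain: str, zone: str) -> bool:
    """True for the zone itself or any subdomain of it.

    A plain substring test ('example.com' in domain) would accept
    'example.com.attacker.net'; matching on a label boundary does not.
    """
    return domain == zone or domain.endswith("." + zone)


def classify(from_header: str) -> str:
    """Return 'internal', 'known' (allowlisted vendor) or 'external'."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if any(in_zone(domain, z) for z in INTERNAL_DOMAINS):
        return "internal"
    if any(in_zone(domain, z) for z in KNOWN_EXTERNAL):
        return "known"
    return "external"


def apply_rule(from_header: str, subject: str, mode: str = "label") -> tuple:
    """Return (folder, subject) for one message.

    mode='delete' is the 'delete anything not from the corporate domain' rule;
    mode='label' keeps external mail out of the inbox and prefixes a banner.
    """
    zone = classify(from_header)
    if zone == "internal":
        return ("inbox", subject)
    if zone == "known":
        return ("vendors", subject)
    if mode == "delete":
        return ("deleted", subject)
    if subject.startswith(BANNER):  # already tagged upstream; do not double-tag
        return ("external", subject)
    return ("external", BANNER + subject)


# Caveat this thread illustrates: the rule trusts the From: header. Unless the
# mail gateway rejects forged internal senders (SPF/DKIM/DMARC enforcement),
# a message with a forged @example.com From: lands in "inbox" with no banner,
# exactly like a phishing test injected from inside the tenant.

# Constructed sample headers (not real mail).
SAMPLES = [
    ("Alice <alice@Example.COM>", "Q3 roadmap"),
    ("Build Bot <noreply@ci.example.com>", "Pipeline passed"),
    ("GitHub <noreply@github.com>", "New PR"),
    ("IT Support <ops@example.com.attacker.net>", "Password expiring"),
    ('"it-support@example.com" <phish@attacker.net>', "Reset your SSO login"),
    ("it-support@example.com <phish@attacker.net>", "Action required"),
]

if __name__ == "__main__":
    for hdr, subj in SAMPLES:
        print(classify(hdr).ljust(9), apply_rule(hdr, subj))
```

Run it as a script to see each sample classified and filed. The last two samples are the display-name tricks: one hides an internal-looking address in a quoted display name, the other in an unquoted one that the parser reads as a second address; both end up external.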


What if your bulk mail traffic is coming from your users?


IT security is unfortunately not taught in schools. Schools still seem to be stuck somewhere in the 1920s.


There are many curriculums where IT security is taught in schools [0]. America does have a problem where their education systems are extremely disparate, but the lack is not universal.

[0] Virginia commonly uses Fortinet's lesson plans, for example.


You can't secure it because it's badly engineered.



