Hacker News: 0xDEAFBEAD's comments

It seems to me if you raise the difficulty enough, and lower the success rate enough, at some point a given scam stops being economical. https://news.ycombinator.com/item?id=45913529

>It's not possible to provide a path for advanced users that a stupid person can't be coerced to use.

I actually think you might be wrong about this? Imagine if Google forced you to solve a logic puzzle before sideloading. The puzzle could be very visual in nature, so even if a scammer asked the victim to describe the puzzle over the phone, this usually wouldn't allow the scammer to solve it on the victim's behalf. The puzzle could be presented in a special OS mode to prevent screenshots, with phone camera disabled so the puzzle can't be photographed in a mirror, and phone call functionality disabled so a scammer can't talk you through it as easily. Scammers would tell the victim to go find a friend, have the friend photograph the puzzle, and send the photo to the scammer. At which point the friend hopefully says "wait, wtf is going on here?" (Especially if the puzzle has big text at the top like "IF SOMEONE ASKS YOU TO PHOTOGRAPH THIS, THEY ARE LIKELY VICTIM OF AN ONGOING SCAM, YOU SHOULD REFUSE", and consists of multiple stages which need to be solved sequentially.)

In addition to logic puzzles, Google could also make you pass a scam awareness quiz =) You could interleave the quiz questions with logic puzzle stages, to help the friend who's photographing the puzzle figure out what's going on.

I guess this could fail for users who have two devices, e.g. a laptop plus a phone, but presumably those users tend to have a little more technical sophistication. Maybe display a QR code in the middle of the puzzle which opens up scam awareness materials if photographed?

Or, instead of a "scam awareness quiz" you could give the user an "ongoing scam check", e.g.: "Did a stranger recently call you on the phone and tell you to navigate to this functionality?" If the user answers yes, disable sideloading for the next 48 hours and show them scam education materials.


It would also fail for users who are differently abled. That sounds like an absolute nightmare for accessibility. Good news for preventing scams, but bad news for anyone without full mental and physical faculties.

What if there is a 12-hour delay to unlock "power user mode", and during that entire 12-hour unlock period, the phone keeps displaying various scam education information to help even an unsophisticated user figure out what's going on? Surely Google can devote a few full-time employees to keeping such educational materials up to date, so they ideally contain detailed descriptions of the most common scams a user is going to be subject to at any given time.

This would help for sure. Ideally, the phone should stay in "expert mode" for a limited time only, like 1 hour.

However, there is still a danger that scammers will call after 12 hours, and they will be more convincing than educational material (or the user may not have read it).


> However, there is still a danger that scammers will call after 12 hours

It is unlikely that will work. Scammers talk all the time and create a sense of urgency; people have trouble thinking and listening at the same time, and they tend to stop thinking completely when in a hurry. A 12-hour break will at least give the victim time to think. It will probably also give them time to talk about it with someone, or to google things.


Apple wants to charge $150 for this sock. My premium fair-trade version, woven using traditional indigenous practices from sustainably-grown biodegradable materials, blessed via an aboriginal ritual, complete with an autographed certificate of authenticity from a rural craftsperson who subsequently follows you on social media, will cost $200. Joke's on Apple.

How about a hybrid open source license, where the software is free for anyone to use unless they're a commercial entity with $1B or greater in annual revenue?

Google might even prefer this deal, if it means more maintainer activity and fewer vulnerabilities.


>Some pen test teams use laptop stickers as an excellent resource for proper social engineering.

How?


Not the OP, but I have heard something similar at a sec conf before. The gist is that if a laptop has stickers like this, the chances of the owner being an engineer are significantly higher, so pentest teams / malicious actors can better focus their efforts on those individuals, and have a higher chance of gaining access to internal systems than if they targeted random folks in public.

It also doesn't help that, arguably, the kind of stickers a laptop displays tends to hint at who is a sysadmin and who isn't, etc.


That sounds like info you would already have by taking a look at LinkedIn, or am I missing something?

You're missing something, but that's sorta the point. The idea of what a full-stack developer or back-end engineer or hacker (or whatever term we want to bandy about) looks like is largely based on stereotyping and a bit of myth. You can't tell what someone does for a living just by looking at them all of the time, but you can some of the time, so it's easy to play on that by dressing the part because we humans can be easily tricked into trusting our own information by default. If you cosplay as a network engineer, it's pretty likely that's what most people will think you do.

Say you're red teaming, and you are on-site looking to gain access to the server closet of a business. Some initial setup about you being there comes into play, but once there, it's up to you to look like you belong there, when some unwitting person with access to the server closet will lead you to it, then leave you to do your thing on the pleasant notion that you'll have the "problem" fixed by the end of the day. This is an ultra-simple scenario used as an example, but looking the part sometimes means having some stickers on your laptop that tell people you're really into a specific language or tool chain, or that you've been in the SOC trenches long enough to know what a lot of those inside jokes mean. Details often sell the lie.


The classic clipboard and high-vis hack.

I thought you could just measure the length of their beard.

Well, the _corporate_ stickers are a major giveaway, of course; if you have 15 AWS-related stickers, it is highly likely that you work at Amazon, say, and it may not necessarily be wise to make it clear in public that your laptop is an Amazon corporate laptop.

Beyond that, you could _maybe_ use it to identify a person's interests for social engineering purposes, but that feels a lot more tenuous.


Many of the stickers display political affiliation.

How would pen testers leverage this?

Failing to elect Romney was arguably a big mistake. Imagine what the GOP would look like today in that world.

I do agree with that. He seems so reasonable and intelligent, especially in today's world.

Thinking different, I see.

Someone should start a museum where you can walk in and play these ancient games and fiddle with ancient software (probably using virtual machines and emulators for the sake of hardware preservation). They could use donations and admission tickets to fund the restoration of more and more old stuff, in a virtuous cycle.


No doubt, but one could also argue that the UK is oversupplied with computer museums and other regions are undersupplied =)

Counterpoint: I read this interesting article recently contrasting two progressive mayors in the USA, Brandon Johnson (~6% approval rating) and Michelle Wu (66% approval rating).

https://cityjournal.substack.com/p/big-city-progressives-kee...


Is it really? Local approval rating has no correlation with national name recognition. You don't get your name in the national news just by fixing potholes. I guess you have to do it in order not to get voted out, and some ideological mayors fail to do it.
