zlacker

[parent] [thread] 4 comments
1. mschus+(OP)[view] [source] 2023-07-26 19:01:51
The thing is, yes it was controversial at the time to enforce HTTPS, but on the other side I 'member pwning people with ARP spoof attacks (both to steal cookies and credentials as well as simply redirecting all images to porn) at my school already way over a decade ago, and all I had was a laptop, Wireshark, Metasploit and some other piece of open source software whose name I forgot. No ARP sponge and the internet uplink was 10/10 mbit anyway so it was easy to do that shit for the entire school. A year later someone packaged all that stuff into a single software even a complete dunderhead could use to prank and steal facebook sessions at will.

Basic reality and the easiness of attacks made it impossible to stick with HTTP for much longer. And hell if I watch Scammer Payback on Youtube, I'm beginning to think it might be a good idea to disable developer tools on browsers and to only unlock them if you can prove physical, un-remoteable access to a machine, similar to Apple's SIP.

replies(2): >>Gauntl+o6 >>chrisw+h7
2. Gauntl+o6[view] [source] 2023-07-26 19:27:18
>>mschus+(OP)
Whatever proof you require, scammers will still convince Grandma to enable it.
3. chrisw+h7[view] [source] 2023-07-26 19:31:12
>>mschus+(OP)
> "I'm beginning to think it might be a good idea to disable developer tools on browsers and to only unlock them if you can prove..."

Strongest possible disagreement here.

replies(1): >>lxgr+u7
◧◩
4. lxgr+u7[view] [source] [discussion] 2023-07-26 19:32:22
>>chrisw+h7
How so? I don't see how a secure attention sequence (i.e. what Windows used to do with requiring ctrl + alt + esc to be pressed to log in) could be a bad thing.

On the other hand, you can bet that that's absolutely something scammers will be able to convince people to do while they're on the phone with them...

replies(1): >>mschus+Q9
◧◩◪
5. mschus+Q9[view] [source] [discussion] 2023-07-26 19:41:57
>>lxgr+u7
That, or a reboot with pressing F8 with a clear prompt "Enabling developer mode, do not do so if required by a phone support". Easy enough for actual developers and tinkerers, but disruptive for someone getting scammed.

> On the other hand, you can bet that that's absolutely something scammers will be able to convince people to do while they're on the phone with them...

Indeed but it will slow them down significantly and reduce the amount of marks by a significant amount as well.

[go to top]