Props to whoever petrov_day_admin_account was for successfully red-teaming LessWrong.
Agreed, this is probably the best lesson of all. If the buttons exist, they can be hacked or the decision makers can be socially engineered.
270 people might have direct access, but the entire world has indirect access.
Well, they did succeed, so for that they get points, but I think it was more due to a very weak defense on behalf of the victim rather than a very strong effort by petrov_day_admin_account.
Like, the victim could have noticed things like:
* The original instructions were sent over email + LessWrong message, but the phishing attempt was just LessWrong
* The original message was sent by Ben Pace, the latter by petrov_day_admin_account
* They were sent at different points in time, the latter of which was more correlated by the FB post that caused the phishing attempt
Moreover, the attacker even sent messages to two real LessWrong team members, which would have completely revealed the attempt had those admins not been asleep in a different time zone.
I personally feel that the fact that it was such an effortless attempt makes it more impressive, and really hammers home the lesson we need to take away from this. It’s one thing to put in a great deal of effort to defeat some defences. It’s another to completely smash through them with the flick of a wrist.
What exactly do you think “the lesson we need to take away from this” is?
(Feel free to just link if you wrote that elsewhere in this comment section)
I haven’t actually figured that out yet, but several people in this thread have proposed takeaways. I’m leaning towards “social engineering is unreasonably effective”. That or something related to keeping a security mindset.