top | item 45914502

joshmn | 3 months ago

It’s notable that there were ShinyHunters members arrested by the FBI a few years ago. I was in prison with Sebastian Raoult, one of them. We talked quite a bit.

The level of persistence these guys went through to phish at scale is astounding—which is how they gained most of their access. They’d otherwise look up API endpoints on GitHub and see if there were any leaked keys (he wasn’t fond of GitHub's automated scanner).

https://www.justice.gov/usao-wdwa/pr/member-notorious-intern...

rkozik1989|3 months ago

Generally speaking, humans are more often than not the weakest link in the chain when it comes to cyber security, so the fact that most of their access comes from social engineering isn't the least bit surprising.

They themselves are likely to some extent the victims of social engineering as well. After all, who benefits from creating exploits for online games and getting children to become script kiddies? It's easier (and probably safer) to make money off of cyber crime if your role isn't committing the crimes yourself. It isn't illegal to create premium software that could in theory be used for crime if you don't market it that way.

aeternum|3 months ago

I'm not sure this is very fair because humans are often not given the right tools to make a good decision. For example:

To gift to a 529 regardless of the financial institution, you go to some random ugift529.com site and put in a code plus all your financial info. This is considered the gold standard.

To get a payout from a class-action lawsuit that leaked your data, you must go to some other random site (usually some random domain name loosely related to the settlement recently registered by kroll) and enter basically more PII than was leaked in the first place.

To pay your fed taxes with a credit card, you must verify your identity with some 3rd party site, then go to yet another 3rd party site to enter your CC info.

This is insane and forces/trains people to perform actions that in many other scenarios lead to a phishing attack.

stingraycharles|3 months ago

Reminds me of a co-founder of an adtech company I know. They are a platform that buys inventory using automated trading, mostly mobile, and they realized that most of their customers were all clickfraud / scammers / etc. He didn’t want to go into too much detail.

But he shrugged it off.

I bet there are quite a few shops online that may sell gift cards that are used in money laundering schemes. Bonus points if they accept bitcoin.

But those are all quite implicitly used by cybercrime. I can imagine there are quite a few tools at their disposal that are much more explicit.

jcims|3 months ago

I worked at a $xxxB company that had an internal red team. They ran almost as a separate company but were housed in one of our offices.

I was involved in probably 15 operations with them while I was there. They would usually get C&C within six hours, every single time it was phishing lol.

brotherloops|3 months ago

Insofar as every security mechanism was made by a human, yes.

But if we're holding users accountable because 1 out of every 100 clicks a link in a phishing email like clockwork, we're bad at both statistics and security.

Thorrez|3 months ago

>It isn't illegal to create premium software that could in theory be use for crime if you don't market it that way.

Who is making money off of selling premium software, that's not marketed as for cybercrime, to non-governmental attackers? Wouldn't the attackers just pirate it?

ants_everywhere|3 months ago

> (he wasn’t fond of GitHub's automated scanner

Do you mean they thought the scanner was effective and weren't fond of it because it disrupted their business? Or do you mean they had a low opinion of the scanner because it was ineffective?

joshmn|3 months ago

He would complain that it disrupted their business, and that it doesn't catch all keys—it catches the big ones that he certainly found to be very valuable.
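The two comments above describe why a push-time secret scanner catches "the big ones" but not everything: vendor tokens with a fixed prefix are trivial to match, while a generic API key assigned to a variable has no prefix and can only be inferred from the variable name and the randomness of the value. The following is an added example (not code from the thread, and not GitHub's scanner) that implements both tiers in Python over a constructed sample config. The prefix patterns are the publicly documented AWS, GitHub and Slack token formats; the sample values are placeholders (the AWS one is the documentation example key), and the 3.5-bit entropy threshold is an arbitrary choice for illustration.

```python
import math
import re
from collections import Counter

# Tier 1: vendor-prefixed token formats. High precision, cheap to match, and
# the reason a scanner reliably catches "the big ones". Formats are public;
# nothing here is a real credential.
PREFIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
}

# Tier 2: "NAME = value" where NAME hints at a secret. There is no fixed
# prefix, so the only remaining signal is the entropy of the value.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|token|password|api_?key)[A-Z0-9_]*)"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})['\"]?"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_for_secrets(text: str, entropy_threshold: float = 3.5):
    """Return a list of (kind, line_number, value) findings.

    Prefixed tokens are reported wherever they occur. Generic assignments are
    reported only if the value clears the entropy threshold, which is exactly
    where low-entropy passphrases slip through (the "doesn't catch all keys" case).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PREFIXED_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((kind, lineno, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # A prefixed token assigned to a variable was already reported above.
            if any(v == value and ln == lineno for _, ln, v in findings):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(("high_entropy_assignment", lineno, value))
    return findings


# Constructed sample config (assumption: a typical leaked .env); no real keys.
SAMPLE = """\
# sample env file for the scanner demo; none of these values are real
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
INTERNAL_API_KEY = "f3a9c1e7b2d84f60a5c7e9d1b3f5a7c9"
DB_PASSWORD=correcthorsebatterystaple
"""


if __name__ == "__main__":
    for kind, lineno, value in scan_for_secrets(SAMPLE):
        print(f"line {lineno}: {kind}: {value}")
```

Running it reports the AWS key and the GitHub token (the latter despite its near-zero entropy, because the prefix alone is enough) and the 32-hex-character internal key, but not `DB_PASSWORD`: a dictionary passphrase scores about 3.4 bits per character and falls under the threshold, so a generic scanner never sees it even though it is a perfectly usable credential.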

edm0nd|3 months ago

damn that sucks they threw you in fed prison for running a sports streaming website.

did you have bulletproof hosting and they caught you through other means like going after your payment providers or you made opsec mistakes or how exactly?

was it a website like Sportsurge where it simply linked to streams or did it actually host the streams?

red-iron-pine|3 months ago

> The level of persistence these guys went through to phish at scale is astounding—which is how they gained most of their access.

explain

the_gipsy|3 months ago

[deleted]