arcliteIndira | 7 years ago | on: Sheryl Sandberg’s New Job Is to Fix Facebook’s Reputation and Her Own
arcliteIndira's comments
arcliteIndira | 7 years ago | on: Email security on Democratic campaigns is as bad as 2016
PGP actually does do something about incoming email attachments. It offers the opportunity to programmatically reject anything that is non-encrypted ASCII text, and renders malicious files as non-executable ASCII text, when such policies are properly enforced. At this point, the promiscuous user is protected from delving deeper into emails. The server can effectively isolate attachments entirely by proxying mail delivery and refusing to decrypt attachments automatically. This would further defend against account compromise through practices that require special handling of attachments. Email then becomes a medium of communication rather than file transfer, and file transfer is pushed to other protocols and applications.
Sort of like a point-and-call policy: forcing a user to cognitively jump through hoops to discover the contents of an attachment, when they should really be using email for the exchange of messages with humans, or for automated control messages, such as multi-factor auth. Doing something like this limits email to character data only, rather than interpretable instructions. You know, much in the way we don't execute JavaScript from an email context.
Example:
-----BEGIN PGP PUBLIC KEY BLOCK-----
=/JKx
-----END PGP PUBLIC KEY BLOCK-----
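The gateway policy described in the comment above, as an added example that is not the commenter's code: a mail filter that delivers a message untouched when it is PGP/MIME encrypted (RFC 3156, which the gateway never decrypts), accepts a plaintext message only if every part is 7-bit ASCII text, and either rejects anything else or rewrites each offending part into a text/plain notice so the recipient's client has nothing to open or execute. It uses only Python's standard `email` library; the function names, the `strict` flag, and the sample messages are constructed for this example.

```python
"""Gateway policy: email carries character data (or ciphertext), not files.

Added example, not the commenter's code. Assumes RFC 3156 PGP/MIME for
encrypted mail; the sample messages below are constructed, not captured.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def is_pgp_mime(msg: EmailMessage) -> bool:
    """RFC 3156: multipart/encrypted with protocol=application/pgp-encrypted."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def is_ascii_text(part: EmailMessage) -> bool:
    """A leaf part passes only as inline text/plain that is pure 7-bit ASCII.

    Inline PGP armour is ASCII text, so it passes naturally; HTML, images,
    binaries and anything marked as an attachment do not.
    """
    if part.get_content_type() != "text/plain":
        return False
    if part.get_content_disposition() == "attachment":
        return False
    try:
        part.get_content().encode("ascii")
    except UnicodeEncodeError:
        return False
    return True


def filter_message(raw: bytes, strict: bool = False):
    """Apply the policy to one raw RFC 5322 message.

    Returns (verdict, message, stripped) where verdict is 'deliver'
    (unchanged), 'rewritten' (non-text parts replaced by notices) or
    'reject' (strict mode and a non-conforming part was found), and
    stripped lists (content_type, filename) of every part that failed.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if is_pgp_mime(msg):
        # End-to-end encrypted: the gateway does not decrypt, so there is
        # nothing for it to inspect, render or execute. Pass it through.
        return "deliver", msg, []
    stripped = []
    for part in msg.walk():
        if part.is_multipart() or is_ascii_text(part):
            continue
        ctype, fname = part.get_content_type(), part.get_filename()
        stripped.append((ctype, fname))
        if strict:
            return "reject", msg, stripped
        # Replace the part in place with an ASCII notice; set_content() also
        # drops the old Content-Type/Disposition headers, so the client sees
        # plain text, not an openable file.
        part.set_content(
            f"[removed by gateway policy: {ctype} {fname!r}; "
            "transfer files over a separate channel, not email]\n")
    return ("rewritten" if stripped else "deliver"), msg, stripped


# --- constructed sample messages -------------------------------------------

def build_sample_plain() -> bytes:
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.org", "bob@example.org", "hi"
    m.set_content("Meeting moved to 10:00.\n")
    return m.as_bytes()


def build_sample_with_attachment() -> bytes:
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.org", "bob@example.org", "invoice"
    m.set_content("Please see attached.\n")
    # Constructed bytes with a PE-like header; not a real executable.
    m.add_attachment(b"MZ\x90\x00\x03\x00PE\x00\x00", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


# Constructed PGP/MIME envelope; the armoured body is a placeholder, not ciphertext.
SAMPLE_PGP_MIME = b"""\
From: alice@example.org
To: bob@example.org
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0placeholderPLACEHOLDERplaceholder
=AAAA
-----END PGP MESSAGE-----

--b1--
"""

if __name__ == "__main__":
    for name, raw in [("plain", build_sample_plain()),
                      ("attachment", build_sample_with_attachment()),
                      ("pgp/mime", SAMPLE_PGP_MIME)]:
        verdict, _, stripped = filter_message(raw)
        print(f"{name:10s} -> {verdict} {stripped}")
```

In rewrite mode the multipart structure is kept, so a message that arrived as text plus an `.exe` leaves as text plus a text/plain notice naming what was removed; in strict mode the same message is rejected outright, which is the "reject anything that is not encrypted ASCII" variant the comment describes. A real deployment would hook `filter_message` into the MTA as a content filter or milter, and the "proxy that refuses to decrypt" property falls out of the first branch: PGP/MIME mail is relayed as ciphertext and never decrypted on the server.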
You can take a look at the entire ecosystem of React code out across so many repos and documentation sites, and then stand that next to Facebook proper, and then note the difference in tone, quality and psychological warfare.
https://reactjs.org
With that in mind, consider what kind of strategy and tactics Facebook's internal operations must be operating.