People get their identities stolen every day, and it is a super, super, super shitty process to go through depending on how deep it goes. It can change your life forever.
Having oldass OS and application versions makes that a thousand times easier when you have so, so, so many CVEs you can exploit. And LLMs have been shown to make this very trivial now.
All you need to do is click on the wrong pop-up, or the wrong link in your email, or tap something on your phone screen, or have a poorly configured (often from the factory) router, and the initial intrusion takes place. After that, an outbound encrypted session quickly gets set up, and congrats, now your network is acting as a residential proxy that can be sold to criminals that want to download CSAM from your IP, AI companies that will use your connection for scraping, and other elements that will either mine the data on your systems (your PII, logins, etc.) and scrape your screens.
But if you don't care about your life becoming a living hell, then I can't make you.
This happens all the time, every day.
If you have a car, you maintain it. If you have a bike, you maintain it. Power tools? You maintain them. Your electronic devices also need to be maintained. They have access to your most sensitive data, and potentially private conversations.
Did you know that a lot of current home router NAT implementations are currently broken, in particular for UDP traffic handling, and you can therefore spoof your way into the network?
I had a 5 or 6 digit ID which was pretty good for a kid not from the Bay Area, but I never got into Slashdot flame wars. I still reflexively check it many times a day.
Considering I'm going 40 years strong of not once falling for a phishing scam, I feel pretty confident in my assessment that I won't do so in the future. It has to be an exceptionally good phish to get anyone moderately technical to even take a second look. And even then, generally one can tell upon a second look. It's not hard to not get phished.
It's also happened with code pushes on GitHub, which didn't get caught in code review, and has compromised build processes by introducing a malicious domain that is visually identical.
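A review-time check for the lookalike-domain case mentioned in the comment above, as an added example that is not part of the original thread: it scans the added lines of a unified diff for URL hosts whose labels contain non-ASCII or punycode (`xn--`) characters. The function names, the sample diff and the `example.com` hosts are constructed for illustration.

```python
import re
import unicodedata

URL_HOST = re.compile(r"https?://([^\s/:\"'<>)]+)", re.IGNORECASE)

def decode_label(label):
    """Return the Unicode form of one DNS label (decodes xn-- punycode)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # malformed punycode: leave as-is
    return label

def scripts_in(label):
    """Scripts of the letters in a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def review_diff(diff_text):
    """Flag hosts in added lines that contain non-ASCII or punycode labels."""
    findings = []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only lines the change adds, not file headers
        for host in URL_HOST.findall(line):
            for raw in host.split("."):
                label = decode_label(raw)
                if label.isascii():
                    continue
                scripts = scripts_in(label)
                kind = "mixed-script" if len(scripts) > 1 else "non-ASCII"
                findings.append((host, kind, sorted(scripts)))
                break  # one finding per host is enough for a reviewer
    return findings

# Constructed sample: the second added URL swaps Latin "a" for Cyrillic U+0430;
# the third carries the same name in its punycode (xn--) form.
LOOKALIKE = "ex\u0430mple.com"
SAMPLE_DIFF = "\n".join([
    "--- a/build.cfg",
    "+++ b/build.cfg",
    "@@ -1,2 +1,4 @@",
    " [deps]",
    "+mirror_a = https://example.com/simple",
    "+mirror_b = https://" + LOOKALIKE + "/simple",
    "+mirror_c = https://" + LOOKALIKE.encode("idna").decode("ascii") + "/simple",
])

if __name__ == "__main__":
    for host, kind, scripts in review_diff(SAMPLE_DIFF):
        print(f"{kind}: {host!r} scripts={scripts}")
```

A finding is a prompt for a human to compare the host against the one the project actually uses; legitimate internationalized domains will also be flagged.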
I felt the same until my company's IT department got me with a (thankfully simulated) well-made phish on some bleary-eyed morning after a birthday party when I was only half awake.
Everybody feels confident until a slip happens. It's really just a function of probability and time acting against you as well as anybody, just like companies shouldn't ask themselves whether they'll be hacked, but when.
It also seems to me that phishing has become vastly more sophisticated in recent years, IMHO mainly due to 3 issues:
1. A growing number of huge data leaks that enable scammers to profile and target possible victims to an unprecedented degree and attack them using unexpected vectors. I remember my feelings sinking the day I received the first phish that contained basically all my personal data to address me. Once it's out there and traded, there ain't no getting back. As a consequence, spear phishing has become much more automated and widespread.
2. Proliferation of 2FA, often via email, as a supposed remedy-for-all which leads to a false sense of security.
3. The sheer ignorance of some actors that continue to undermine all the best awareness efforts and normalize insecure practices. For god's sake, I've received unsolicited emails from my bank as well as from globally acting online retailers telling me to click on a link and log in to solve some issue. To my great astonishment, both turned out to be legit. What the hell were they thinking?
Really, I wish all of us good luck. But I don't feel so confident anymore, rather like an unwilling participant in a lopsided arms race, where the adversaries have great resources at their disposal, and I have nothing more to rely on than my wits. ... Actually, put this way, it sounds like a classic cyberpunk tale. There's some appeal to it, I admit, but still.