even the simplest of questions isn’t simple in security

Sometimes the simplest security questions are the worst. Today, I got an email forwarded to me: “Am I ok opening this?”

That question is properly responded to with another question,”Do you know the sender and did you expect a file from that sender?”

The easiest answer is when it is obviously a spam or phishing attempt. Beyond that, however, all bets are off on this ever being a fun question. Will I ever be able to say, “Yes, this is absolutely safe?”

And how is a user ever going to truly know the risks and make a proper acceptance or denial of them on their own? Even I had to take a few dozen minutes out of my day to poke around, since that email isn’t very clearly business-related, includes a link to a different site, includes a file format I can’t ever vouch for entirely, and the site used for the file transfer has an invalid SSL certificate.

And do I know that site is legit and itself is secure?

Little questions like these carry some of the worst weight with them. It also illustrates how, at some point, security just has to draw some line and say, “Looks clear.”

(Way too obscure allusion to Pitch Black’s Riddick character, who says, “Looks clear,” just before someone steps out and gets snatched by some creature. “You said it was clear!” “I said it *looks* clear.”)