"The Grugq: I’m not joking. You don’t even need to do that. You just send an e-mail which says, you can literally just say, "Run this code." Some of the anti-phishing guys I’ve worked with are just shocked at what happens. I had some friends who worked in corporate security who had to do a cleanup after they got hit with e-mails which said literally, "click on this" and they had 10 or 20 people who did. It was less than 1 percent, but it was enough. People will do it and even on a locked-down corporate PC, it doesn’t matter. If you can get an HTTP connection back out to the Web, you can then tunnel in over that."
You can't put it too deep. The scanner should stop attempting to unzip at a certain depth. Presumably, any file that has more than N depth is malicious and should get flagged, but who knows if the person that configured the scanner did it right?
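One way to implement the depth cutoff described in the comment above, as an added example that is not code from this thread or from any scanner product: a recursive zip walker that flags, rather than unpacks, anything nested deeper than MAX_DEPTH, and also checks each member's declared uncompressed size from the central directory before reading it. MAX_DEPTH, MAX_MEMBER_BYTES and the build_nested_zip helper are assumed values and test scaffolding, not a real policy.

```python
import io
import zipfile

MAX_DEPTH = 3                    # assumed policy: nesting beyond this is flagged, not unpacked
MAX_MEMBER_BYTES = 1024 * 1024   # assumed cap on a member's declared uncompressed size


def scan_archive(data: bytes, depth: int = 0) -> dict:
    """Walk a zip and any zips inside it, entirely in memory.

    Returns {"max_depth": deepest nesting level seen, "findings": [(depth, msg), ...]}.
    Unpacking stops as soon as a limit is hit, so a file nested N levels deep
    costs at most MAX_DEPTH + 1 archive opens regardless of N.
    """
    result = {"max_depth": depth, "findings": []}
    if depth > MAX_DEPTH:
        result["findings"].append((depth, "nesting exceeds MAX_DEPTH; not unpacked"))
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not an archive: nothing to unpack
    with zf:
        for info in zf.infolist():
            # Check the size the central directory *claims* before reading any bytes.
            if info.file_size > MAX_MEMBER_BYTES:
                result["findings"].append(
                    (depth, f"{info.filename}: declared size {info.file_size} over limit"))
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                inner = scan_archive(member, depth + 1)
                result["max_depth"] = max(result["max_depth"], inner["max_depth"])
                result["findings"].extend(inner["findings"])
    return result


def build_nested_zip(levels: int, payload: bytes = b"x" * 1024) -> bytes:
    """Constructed test input: wrap `payload` in `levels` zips, one inside the other."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner.zip" if i > 0 else "payload.bin", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    print(scan_archive(build_nested_zip(5)))
</test>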
I've worked with a leading commercial scanner that failed to respect the max depth parameter even when set. It would scan for days before we killed it.
Or are those scanners just rejecting files that are too large or deep?