
in reply to Aral Balkan

Wait what? I'd argue that activation links are the least problem here.
in reply to Aral Balkan

and a friend just told me that #Microsoft was now «less bad» than it had been, much better than #google or #facebook,... Seriously, how many times do they have to trespass before it sinks in? #MS is not your friend. None of them are.


in reply to Rémi Letot

The #MACFANG tech giants are not all equally evil, and sometimes you may have to favor one over another if you can’t boycott them all, but someone who says MS is less evil than Google & Facebook doesn’t have the big picture. I have an idea where that comes from though.
in reply to censored for “transphobia”

If you ignore all the MS corruption & anti-consumer actions by MS & fixate just on privacy, MS was widely thought to not be in the #surveillanceAdvertising biz (certainly not to the Google/FB extreme). People assumed MS did not snoop in their email. But this year MS bought a surveillance ad spin-off (#XANDR?) from AT&T, so now there can be no mistake: MS is firmly in that business.
in reply to censored for “transphobia”

MS has been firmly in that business one way or another with Windows for years, not to mention Bing ads and MSN before that.
in reply to Aral Balkan

The widespread opinion is that MS does not depend on ad revenue for survival. Ad revenue is the *life-blood* of Google and FB & they would collapse w/out surveillance advertising. Whereas s/w sales is the life-blood of MS who doesn’t even need ad money to stay afloat. Historically if you start talking about gloves in your MS email, you wouldn’t start seeing ads for gloves.
in reply to Aral Balkan

I've experienced something similar myself, while trying to figure out why one-time login links were expiring for random outlook.com email addresses. Digging into the server logs I saw a Microsoft IP address send a HEAD request of the login link included in the email, which was invalidating the one-time link.

I solved it by having my app ignore HEAD login requests and only process GET requests, as my robots.txt file disallows indexing.

Still really rubbed me the wrong way. I figured it was some kind of anti-phishing gimmick, but the fact that they're just using it to populate their spider is an egregious violation of user trust.
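
An added example, not part of the post above or the poster's app: a minimal one-time-link handler in Python that implements the fix described there (a HEAD request never invalidates the link, a GET consumes it). The class and method names, the in-memory store and the 15-minute lifetime are assumptions; the `consume_on` option goes beyond the post and lets the token be burned only on POST, for scanners that fetch links with GET.

```python
import hashlib
import secrets
import time


class OneTimeLinks:
    """In-memory one-time login tokens (constructed example, not production storage)."""

    def __init__(self, ttl=900, consume_on=("GET",)):
        self.ttl = ttl                      # assumed lifetime in seconds
        self.consume_on = set(consume_on)   # methods allowed to burn a token
        self._pending = {}                  # sha256(token) -> (user, expiry)

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (user, now + self.ttl)
        return token

    def handle(self, method, token, now=None):
        """Return (status, user). Only methods in consume_on burn the token."""
        now = time.time() if now is None else now
        key = self._key(token)
        entry = self._pending.get(key)
        if entry is None or entry[1] < now:
            self._pending.pop(key, None)
            return 410, None              # unknown, already used, or expired
        method = method.upper()
        if method in self.consume_on:
            del self._pending[key]        # single use: burn on the real login
            return 200, entry[0]
        if method in ("HEAD", "GET"):
            # Probe or preview: answer without touching the token.
            return 200, None
        return 405, None
```

With `consume_on=("POST",)` the emailed link only renders a confirmation page, and the login happens when the user submits it.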

in reply to Aral Balkan

Textbook reason for breaking up big tech companies and keeping them small, or at least preventing them running more than one online service.
in reply to Aral Balkan

Repeat after me: unencrypted email is not a secure communication channel.
in reply to Senioradmin

Yes and you can be stabbed to death if you're not wearing body armour. And yet we have laws against stabbing people and we treat those who stab others as criminals and understand that the person getting stabbed is the victim here so we don't go around blaming them for not taking steps to ensure their flesh is harder to stab. About time we stopped victim blaming in tech too. The blame here lies with one entity alone: the trillion-dollar faceless corporation we call Microsoft.
in reply to Aral Balkan

Of course Microsoft is the one to blame. I am not saying that this is the victim's fault. I'm just saying, everyone should know the risks.

We can point fingers at all these data harvesting tech corporations, but they will not change. So we must educate the users and inform them about the risks.

in reply to Senioradmin

Let’s do both :) (Of course, they won’t change but they can be forced to comply with the law if we can influence the right laws. Not that I’m hugely confident we can but still…)
in reply to Aral Balkan

I think Microsoft should be either forced by law or at least made to feel very embarrassed if they don't *provide* the proverbial body armor to protect their proverbial potential stabbing victims.

This sort of news needs to be something that corporations' PR people live in fear of and do everything to prevent. But putting it into law requires more people to actually care, which seems to be a hard problem...
@Haydar

in reply to Aral Balkan

And there's *not even* any choice in that matter. It's not like you can commonly verify yourself through some secure messenger or such.
@Haydar
in reply to Aral Balkan

Yandex had a big scandal in 2018 when they indexed public Google Docs anonymous editor links and Google didn't expect this so robots.txt was wide open.
in reply to Aral Balkan

Here’s a fix for all #backend #dev
fosstodon.org/@lil5/1085554157…
in reply to Aral Balkan

MS has been trying to make Bing work locally for enterprises, so it can find things that were sent to/from you via Bing/Cortana. They have a custom enterprise site that lets you search company-related stuff instead of just public www-stuff. I guess e-mail needs to be indexed in order to do that.
in reply to Aral Balkan

@hbenjamin There are many reasons for systems to automatically visit links contained in emails. Some feel pretty evil (see OP's link) but others are definitely good (inspection for safety).

So the conclusion about not sending magic links is probably a good one.

in reply to Aral Balkan

I guess I'm newly thankful that I use FastMail, even when it's less convenient at times.
in reply to Aral Balkan

Microsoft Outlook also has a link protection feature that "scans" links in order to prevent the user from going to a malicious website.

That is the ad.

When the user clicks on the link in an Outlook email, Microsoft is notified and will also make a visit to the link. However, this visit will happen a few seconds after the user reaches the link endpoint, so he could already be trapped....
This is done to avoid a long delay on link clicks I guess, but it defeats the security argument.

in reply to Aral Balkan

Saw your post earlier this week and thought about this one. keys.openpgp.org verify links could also be compromised with this as an exploit. Makes me wonder if some domains are filtered from the indexing.
in reply to Aral Balkan

And once again, we see why we can’t have nice things. 🤦🏻‍♂️