Re: [GTALUG] Ongoing war story (currently issues of user trust)

Can't say that I disagree with any of this. I protested when the UofT decided to amalgamate all its services on Microsoft Server (to no avail), and even more so when they made it all but impossible not to use Outlook (after using mutt happily for years and years) - on the grounds that Outlook somehow had "more modern" security, which turned out to be doublespeak for "proprietary closed-source protocols" for accessing the mailserver that they now controlled. Rewriting links and pushing their brand is the completely predictable result.

I tried to warn people in IT that this was all security theatre, but they, like me, were victims of decisions made by administrative staff rather than made by informed technical experts. There you have it.

Just recently I was told that the University would not allow me to ssh in to my office computer "because ssh had to be protected from the internet" (!), and instead I was supposed to use some binary blob to create a VPN into the UofT network -- and how having one point of entry into the whole system, trusted internally, "improves" security over a single ssh connection to a single computer, I could not tell you (and neither can they). But it's policy, so that ends discussion.

On 1/20/24 02:51, ac via talk wrote:
<https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.amazon.ca%2FBeelink-Computer-4-0GHz-Screen-Display%2Fdp%2FB09SYSPSSM%2Fref%3Dsr_1_12&data=05%7C02%7Cpeter.king%40utoronto.ca%7Cfd92cef0581c4b68b9bc08dc198daeca%7C78aac2262f034b4d9037b46d56c55210%7C0%7C0%7C638413343519234072%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BrbVi8IcMc70gtFT40UjsI%2BPVZSLwHxw7y4zvjG0NA8%3D&reserved=0>
<snip>
Anyway, so to issues of user trust:
To me, it seems that utoronto.ca uses/pays Microsoft and outgoing emails, opens and reads all email. Even https links in already replied to chains (which are now seen as outgoing links from the users@ utoronto.ca) are clearly visited, indexed, checked/scanned (probably Microsoft would say: the websites/domains/links etc are scanned for malware; I would say that Microsoft has previously, and in the past, simply 'blocked', 'broken' or done other things to various websites it does not 'like').
It does so many other things as well, one small one being 'brand dilution' as readers and senders of emails and DM etc etc - where names are re-written to the Microsoft or Facebook or whatever abbreviated link brand name -
this serves to underline the brand doing the re-writing - as the "safe" link in the above example - COULD easily been displayed as AMAZON (with the actual a href -> protection.outlook.com/ as in example: <a href='https:outlook.com'>https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Famazon.com%2F&data=05%7C02%7Cpeter.king%40utoronto.ca%7Cfd92cef0581c4b68b9bc08dc198daeca%7C78aac2262f034b4d9037b46d56c55210%7C0%7C0%7C638413343519234072%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=hBoCafebsN1s%2BJepdksVjigW5yev7dnB%2FCwjWrMBNvo%3D&reserved=0</a>
Which would then just display the original link, but with an outlook landing.
BUT - Microsoft 'chooses' to display : protection.outlook.com?var=very.long.&data=ascii.long.long.long.long.long.long.long.long.long.long.long
Apparently because users@ utoronto.ca (and microsoft users) send out malware links and this is a way that Microsoft chooses to try to protect recipients and their users from malware/abuse - instead of their users or recipients relying on other software, like browsers, local anti virus, local script blockers, etc (taking the control away)
-- 
Peter King
peter.king@utoronto.ca
Department of Philosophy
170 St. George Street #521
The University of Toronto
Toronto, ON M5R 2M8 CANADA
(416)-946-3170 ofc
http://individual.utoronto.ca/pking/
=========================================================================
GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42)
gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
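The rewritten links quoted above carry the real destination percent-encoded in the wrapper's `url` parameter, with `data`/`sdata` as tenant metadata and a signature. As an added illustration (not code from any poster in this thread, nor from Microsoft), the following unwraps such a link and reports what a reader is shown versus where it actually goes; the function names are my own, and the nested example is constructed.

```python
from urllib.parse import parse_qs, quote, urlparse

# Host suffix used by the rewriting service seen in the thread (can01.safelinks...).
SAFELINKS_DOMAIN = "safelinks.protection.outlook.com"

def is_safelink(link: str) -> bool:
    """True if the link's host is a Safe Links rewriting host."""
    host = (urlparse(link).hostname or "").lower()
    return host == SAFELINKS_DOMAIN or host.endswith("." + SAFELINKS_DOMAIN)

def unwrap_safelink(link: str, max_depth: int = 5) -> str:
    """Return the destination a Safe Links URL forwards to.

    The original destination travels percent-encoded in the `url` query
    parameter; `data`, `sdata` and `reserved` are tenant/recipient metadata
    and a signature and are dropped. Non-wrapped links come back unchanged.
    A wrapper nested inside another wrapper is peeled up to max_depth times.
    """
    for _ in range(max_depth):
        if not is_safelink(link):
            break
        inner = parse_qs(urlparse(link).query).get("url")
        if not inner:
            break  # malformed wrapper with no destination: leave it alone
        link = inner[0]  # parse_qs has already percent-decoded the value
    return link

def describe_link(anchor_text: str, href: str) -> dict:
    """Summarise what the reader is shown versus where the link really goes."""
    final = unwrap_safelink(href)
    return {
        "shown": anchor_text,
        "wrapper_host": urlparse(href).hostname if is_safelink(href) else None,
        "destination": final,
        "destination_host": urlparse(final).hostname,
    }

# The rewritten Amazon link quoted in the thread, split only for line length.
WRAPPED = (
    "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Famazon.com%2F"
    "&data=05%7C02%7Cpeter.king%40utoronto.ca%7Cfd92cef0581c4b68b9bc08dc198daeca"
    "%7C78aac2262f034b4d9037b46d56c55210%7C0%7C0%7C638413343519234072%7CUnknown"
    "%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D"
    "%7C3000%7C%7C%7C&sdata=hBoCafebsN1s%2BJepdksVjigW5yev7dnB%2FCwjWrMBNvo%3D&reserved=0"
)
# Constructed: the same link forwarded through a second rewriting tenant.
NESTED = "https://eur01.safelinks.protection.outlook.com/?url=" + quote(WRAPPED, safe="")
```

Calling `describe_link("AMAZON", WRAPPED)` shows the mismatch ac describes: the text says AMAZON, the wrapper host is can01.safelinks.protection.outlook.com, and the destination host is amazon.com.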

On 2024-01-20 10:14, Peter King via talk wrote:
Just recently I was told that the University would not allow me to ssh in to my office computer "because ssh had to be protected from the internet" (!), and instead I was supposed to use some binary blob to create a VPN into the UofT network -- and how having one point of entry into the whole system, trusted internally, "improves" security over a single ssh connection to a single computer, I could not tell you (and neither can they). But it's policy, so that ends discussion.
In a customer long long ago, we had a similar rule imposed. It turned out the right person to talk to was in-house counsel, as by pure happenstance my concern was that I would be blamed when (not if) the known-buggy product let someone pretend to be me. That was right up his alley, and about a year later, we settled on ssh with certificates.

--dave

-- 
David Collier-Brown,                 | Always do right. This will gratify
System Programmer and Author         | some people and astonish the rest
dave.collier-brown@indexexchange.com | -- Mark Twain

On 2024-01-20 10:14, Peter King via talk wrote:
Can't say that I disagree with any of this. I protested when the UofT decided to amalgamate all its services on Microsoft Server (to no avail), and even more so when they made it all but impossible not to use Outlook (after using mutt happily for years and years) - on the grounds that Outlook somehow had "more modern" security, which turned out to be doublespeak for "proprietary closed-source protocols" for accessing the mailserver that they now controlled. Rewriting links and pushing their brand is the completely predictable result.
A few years ago I found a package that would proxy IMAP into an Exchange server. If I remember correctly it was called davmail. It made some of the problems with a client's insistence on Exchange go away.
I tried to warn people in IT that this was all security theatre, but they, like me, were victims of decisions made by administrative staff rather than made by informed technical experts. There you have it.
Just recently I was told that the University would not allow me to ssh in to my office computer "because ssh had to be protected from the internet" (!), and instead I was supposed to use some binary blob to create a VPN into the UofT network -- and how having one point of entry into the whole system, trusted internally, "improves" security over a single ssh connection to a single computer, I could not tell you (and neither can they). But it's policy, so that ends discussion.
I have been on both sides of that argument and there is something to be said for a single point of control. Generally speaking control over VPN users means that if you remove a user you have blocked their access. Random port forwards are harder to keep track of. However you could have run SSH from your office computer to your home computer and set up a port forward.

[snip]

-- 
Alvin Starr                   ||   land: (647)478-6285
Netvel Inc.                   ||   Cell: (416)806-0133
alvin@netvel.net              ||

On 1/20/24 21:26, Alvin Starr via talk wrote:
A few years ago I found a package that would proxy IMAP into an Exchange server. If I remember correctly it was called davmail. It made some of the problems with a client's insistence on Exchange go away.
Well, more exactly, Microsoft Exchange Server insists on authentication being through XOAUTH2. The problem when they began insisting on that was that there was no ready way to configure mutt to do that, and while there might have been technical workarounds I didn't have the time to figure them out, since I was already without email and couldn't afford to miss any. So I found out that Thunderbird would work and threw that on for the time being. The time being is now many months later. Thunderbird seems okay if you want a gui client for web-based email. I don't. I far prefer the use of a console client (mutt) and to keep my email off the server and on my main computer. I suppose I should see whether there is now some ready solution for mutt, and then figure out how to migrate all the email since switching out of Thunderbird and into my mutt archives -- but too many battles at the moment getting hardware to work to take time out for reconfiguring software. If anyone knows a straightforward way to do either of these things (get mutt to work with Exchange and migrate from Thunderbird to mutt) I would be very pleased to hear about it!

On 1/20/24 21:26, Alvin Starr via talk wrote:
A few years ago I found a package that would proxy IMAP into an Exchange server. If I remember correctly it was called davmail. It made some of the problems with a client's insistence on Exchange go away.
On 2024-01-22 15:36, Peter King via talk wrote:
Well, more exactly, Microsoft Exchange Server insists on authentication being through XOAUTH2. The problem when they began insisting on that was that there was no ready way to configure mutt to do that, and while there might have been technical workarounds I didn't have the time to figure them out, since I was already without email and couldn't afford to miss any. So I found out that Thunderbird would work and threw that on for the time being.
Mac users have the same problem. My wife bought a new Mac and copied everything over, but Rogers/Yahoo stopped providing her mail, and insisted she should use webmail and be happy with it. I use Thunderbird, but expect to lose my Rogers mail at some unannounced future date. I too would like a path for local mail to and from exchange --dave

| From: Peter King via talk <talk@gtalug.org>

| Well, more exactly, Microsoft Exchange Server insists on authentication being
| through XOAUTH2.

I don't know what XOAuth2 is. Googling gets me things that would take too long to read.

If XOauth2 is the same as OAuth2 (I'm sure it isn't), this might be a good resource (less than 2 years old):
<https://www.redhat.com/sysadmin/mutt-email-oauth2>

| I far prefer the use of a console
| client (mutt) and to keep my email off the server and on my main computer.

I don't do this, so this is just guesswork and suggested research directions.

I run my own mail server and mail goes in and out of my house using SMTP. I then read and write mail with alpine(1), another console client.

One could use fetchmail to fetch from imap and deliver to a local MUA.

- you'd need to figure out how to get fetchmail to use XOAuth2. Google results suggest that this has been done, perhaps with a patch to fetchmail.
- you'd have to set up local mail (Mail Delivery Agent) in some way.
- reading (local) mail with your choice of MUA (mutt) is easy.
- I don't know how you would handle outbound mail: that's not fetchmail's job.
  + can you still send mail with your mutt setup? If so, I guess this subproblem is solved.
  + you'd like a copy to be local
  + your MUA probably has a config for an SMTP server. Can exchange accept that? Surely with some unknown-to-me authentication.

| I
| suppose I should see whether there is now some ready solution for mutt, and
| then figure out how to migrate all the email since switching out of
| Thunderbird and into my mutt archives

There are a few ways of storing mail in a user's files. Mutt can probably use a couple. maildir and mbox are common.
<https://en.wikipedia.org/wiki/Maildir>
<https://en.wikipedia.org/wiki/Mbox>
That second claims Thunderbird uses the mboxrd variant of mbox.

| -- but too many battles at the moment
| getting hardware to work to take time out for reconfiguring software.

Yeah.

| If anyone knows a straightforward way to do either of these things (get mutt
| to work with Exchange and migrate from Thunderbird to mutt) I would be very
| pleased to hear about it!

I hope these notes help.

On 2024-01-22 17:19, D. Hugh Redelmeier via talk wrote:
| From: Peter King via talk <talk@gtalug.org>
| Well, more exactly, Microsoft Exchange Server insists on authentication being | through XOAUTH2.
I don't know what XOAuth2 is. Googling gets me things that would take too long to read.

https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-xoa...

Others may have picked up the extensions but TL;DR

-- 
Alvin Starr                   ||   land: (647)478-6285
Netvel Inc.                   ||   Cell: (416)806-0133
alvin@netvel.net              ||

[I seem to have forgotten to send this.]

| From: Peter King via talk <talk@gtalug.org>

| Can't say that I disagree with any of this. I protested when the UofT decided
| to amalgamate all its services on Microsoft Server (to no avail), and even
| more so when they made it all but impossible not to use Outlook (after using
| mutt happily for years and years) - on the grounds that Outlook somehow had
| "more modern" security, which turned out to be doublespeak for "proprietary
| closed-source protocols" for accessing the mailserver that they now
| controlled. Rewriting links and pushing their brand is the completely
| predictable result.

Hear hear!

I have (rarely used) courtesy accounts at U of T. I just tested. Mail to me at cs.toronto.edu isn't touched by Microsoft. Postfix and Exim only.

| Just recently I was told that the University would not allow me to ssh in to
| my office computer "because ssh had to be protected from the internet" (!),

Yuck.

I can still ssh into the one U of T CS system I tried. I don't know the current nodes that general CS users are supposed to use (it's been that long).

| and instead I was supposed to use some binary blob to create a VPN into the
| UofT network

Open Standards! They should use IPSec and not require binary blobs of unknown safety.

SSH is good as long as passwords are not used.