Microsoft Advanced Threat Protection is a disaster

tl;dr: I’m pulling my hair out about this terrible email security service that is ruining my work email, so I blogged about it.

My employer uses Microsoft Exchange for university email. It recently purchased and implemented the “Advanced Threat Protection” package, primarily to combat phishing. The “Safe Links” feature, in particular, is a disaster. Pitt’s webpage explaining this service is here. Microsoft’s is here.

So the “Safe Links” feature replaces all links in incoming emails from outside servers with links that begin with “https://na01.safelinks.protection.outlook.com” and are followed by several lines of complex code. This is a solution of sorts to phishing scams, but seems to have exactly the opposite of the effect it should. For example, I now regularly receive emails with links such as this:

https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.tandfonline.com%2ftoc%2ftmam20%2f10%2f1&data=01%7c01%7cbickford%40PITT.EDU%7ca9f7b386fae94ca994bb08d38e3a59bb%7c9ef9f489e0a04eeb87cc3a526112fd0d%7c1&sdata=st79jNKGyGbI%2fcDprP%2fgra%2fTQz7lni5uZCS7a1W83OI%3d

In emails formatted with HTML that would be embedded as a link. In plain text emails the whole link is included in the text.

This is bonkers for several reasons:

(1) Security

My normal approach to potential phishing emails is to check whether the links go to the expected servers or not. If I look closely at the above link I can see that it may resolve to a site on the domain http://www.tandfonline.com, but there is no way to actually confirm that without actually clicking the link. That, then, requires me to trust that the Advanced Threat Protection service will in fact catch every potentially malicious link and will never go down. But, predictably, this service has already had major vulnerabilities that let malicious links through and apparently lasted for months.

This trains users to blindly trust long, complex links in general. One of the ironies here is that Pitt’s IT office recently implemented a “Phishing Awareness” program, to train and encourage email users to be more careful about phishing emails. That campaign tells us:

You can identify a phishing scam by looking for email messages that:

  • Create a sense of urgency
  • Invoke strong emotions, like greed or fear
  • Request sensitive data
  • Contain links that do not appear to match legitimate resources for the organization that is contacting you

So when you receive an email that seems to create a sense of urgency, invoke strong emotions, or request sensitive data, before you click you should check the links to make sure they go to expected servers.

The Safe Links program makes this impossible. Now when you receive an email that seems to create a sense of urgency, invoke strong emotions, or request sensitive data, you can’t confirm that the link goes to the expected server, because all links go to https://na01.safelinks.protection.outlook.com!

That domain itself is much more complex than normal. I can look at

https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.tandfonline.com%2ftoc%2ftmam20%2f10%2f1&data=01%7c01%7cbickford%40PITT.EDU%7ca9f7b386fae94ca994bb08d38e3a59bb%7c9ef9f489e0a04eeb87cc3a526112fd0d%7c1&sdata=st79jNKGyGbI%2fcDprP%2fgra%2fTQz7lni5uZCS7a1W83OI%3d

and confirm that it ends in “outlook.com” as the top-level domain. But it is a lot of work to parse. And it is so complex that it would be relatively easy to imitate and confuse even sophisticated users with small changes, like one more top-level domain.

With the Safe Links program, users now have no choice but to trust that the service never goes down and that it never misses a malicious link. Except that the service already has gone down and missed malicious links!

I’m sure it is difficult to train a large number of users at a large institution to be sophisticated, skeptical email users. But Safe Links trains users in exactly the opposite direction, to be passive, trusting email users. And then when Pitt students and faculty use their personal email accounts (very possibly on Pitt machines!) they will be even more susceptible to scams because we are teaching them the wrong habits.

Ironically, this works directly at cross purposes to Pitt’s own phishing awareness campaign. A significant element of that campaign is that Pitt is sending out fake phishing emails (so fake fake messages), which have phishing awareness sites on the other end of their apparently malicious links. So I received this message:

screenshot of fake phishing scam email

Hilariously, that link at “Manage Order” goes to this page:

screenshot of phishing awareness website

Which includes this (excellent) advice:

You should always be suspicious of links in email. Before you click, you should verify that you recognize the web address that is used in the link.

But if you look at the original fake phishing scam, the link that is supposed to go to “http://orders.discontcomputers.com” (a site I would know I did not have any recent orders with, and therefore would be suspicious of), instead goes to:

https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2forders.discontcomputers.com%2fgp%2fr.html%2fb0aaed%2f%3flogin_id%3db14486b8-9334-44bf-9fc4-138293e06303&data=01%7c01%7cBICKFORD%40pitt.edu%7cc13ccde9ce0e4cd6ef3008d39075f908%7c9ef9f489e0a04eeb87cc3a526112fd0d%7c1&sdata=3X6xloziBnsaxoXfn9c0r%2fID5AWUG2xOyfvszXODQs4%3d

This makes no sense.

(2) Usability

Replacing simple direct links in email with links that are almost 300 characters long (!) seriously impacts the readability of plain text messages. Most of the email lists for professional/disciplinary organizations that I subscribe to require messages be formatted in plain text, so I get a lot of these. For example:

screenshot of email message with lots of really long links

I can’t even.

Now when someone’s email signature includes a link to their homepage, it is four lines long, and can’t be understood as a link to an individual’s homepage. To learn where that person’s website is, you have to actually click the link and load the page! Paragraphs and sentences are broken up to the point of unreadability.

Unembedded URLs are good for email security, because they ensure that readers see where links are going, and we should encourage them. Instead this change further encourages email senders to embed URLs as hyperlinks in email, which makes it much harder for users to recognize and decipher the links they are clicking on, which is bad.

(3) Record-keeping

Of course this will also create serious “linkrot” problems in the future. I keep an archive of my work emails going back over a decade, and email is an important form of record-keeping (this is especially true for public institutions like the one where I work). This service relies on Microsoft servers continuously running to scan and translate clicked URLs. If Microsoft ever discontinues this service (and why wouldn’t they if it stopped being profitable? Google killed Reader, after all), all of these links will become completely unusable. The links themselves may not even contain all the information in the original URL, so the original destination may not even be decipherable in the future. (They do seem to include all the original link information in some form, but I haven’t looked at enough of them to confirm that it is all in the new safelink URL and not stored online in a database, say. And even if the information is all there it is very heavily processed.) This means that we are relying on Microsoft to continue an active link analysis service in perpetuity to maintain the basic usefulness of our own email archives in the future. If Pitt ever decided, say, to switch from Exchange to Google’s Apps for Education, or even if Microsoft discontinued the Exchange service altogether, we would not lose our archives hosted on our own machines. But if this new service were discontinued we would lose access to basic information in messages in our email archives. That does not make sense to me as an approach to record-keeping either for academics or for a public institution.
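An added example, not part of the original post and not Microsoft's code: a small Python decoder that does by machine the two checks discussed in sections (1) and (3), confirming that a rewritten link really sits on the wrapper host and recovering the destination from it for an archived plain-text message. It assumes the full destination is carried percent-encoded in the `url` parameter, which holds for the two links quoted in this post; the function names and the sample data are made up for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: genuine wrappers sit on a subdomain of this host, as in the
# na01.safelinks.protection.outlook.com links quoted in this post.
WRAPPER_SUFFIX = ".safelinks.protection.outlook.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_safelink(link):
    """Return (is_genuine_wrapper, destination_or_None) for one link."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    # Compare the END of the hostname: a look-alike can contain the wrapper
    # name and still belong to a different registered domain.
    genuine = parts.scheme == "https" and host.endswith(WRAPPER_SUFFIX)
    # parse_qs percent-decodes, so http%3a%2f%2f becomes http://
    destination = parse_qs(parts.query).get("url", [None])[0]
    return genuine, destination


def restore_links(text):
    """Put destinations back into a plain-text message.

    Returns (restored_text, flagged); flagged holds links whose hostname
    mentions "safelinks" but is not on the wrapper host.
    """
    flagged = []

    def replace(match):
        link = match.group(0)
        genuine, destination = unwrap_safelink(link)
        if genuine and destination:
            return destination
        if "safelinks" in (urlsplit(link).hostname or "").lower():
            flagged.append(link)
        return link  # leave anything else untouched

    return URL_RE.sub(replace, text), flagged


# Constructed samples: the url= value is from the first link in this post;
# the data/sdata values and the look-alike host are made up.
WRAPPED = ("https://na01.safelinks.protection.outlook.com/"
           "?url=http%3a%2f%2fwww.tandfonline.com%2ftoc%2ftmam20%2f10%2f1"
           "&data=01%7c01%7cuser%40example.edu&sdata=CONSTRUCTED%3d")
LOOKALIKE = ("https://na01.safelinks.protection.outlook.com.example.net/"
             "?url=http%3a%2f%2fwww.tandfonline.com%2f")

if __name__ == "__main__":
    restored, flagged = restore_links(f"New issue: {WRAPPED}\nAlso: {LOOKALIKE}\n")
    print(restored)
    print("not on the wrapper host:", flagged)
```

If a wrapped link turns out not to carry its destination in `url`, `unwrap_safelink` returns `None` for it and `restore_links` leaves that link as it found it.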

(4) Privacy

On Microsoft’s webpage explaining this service, they advertise this feature:

Get rich reporting and track links in messages
Gain critical insights into who is being targeted in your organization and the category of attacks you are facing. Reporting and message trace allow you to investigate messages that have been blocked due to unknown viruses or malware, while URL trace capability allows you to track individual malicious links in the messages that have been clicked.

They include this image:

image of list of links from Microsoft website

This appears to suggest that institutional IT administrators will receive reports with individually identifying information about every link clicked by every email user. Surely there is some tradeoff between privacy and security, but this seems, at least, like a significant movement away from the norms of privacy that university employees currently expect. My understanding is that Pitt’s IT administrators do not, for example, see the text of all my emails, or even their metadata, though that may be possible in extreme cases. But here Microsoft is suggesting that they will produce and make available reports detailing every link clicked on by individually identifiable email users. That seems like a bad thing.

I suppose there is some logic here, which is that if you ruin email as a useful tool for scholarly communication, then people will stop using email, and then you won’t have to worry about users clicking on malicious links in phishing scams.

 

Quote

Natalia Cecire has an extraordinary post today on the cultural politics of Google’s self-infantilization, responding to the company’s announcement that it would restructure itself under the new name “Alphabet.”

But Google’s simplicity doesn’t go for sophisticated (read: adult) simplicity in the way that Apple’s design so openly does.

Contrast this with the conscious citation of children’s alphabet books in the title of Google’s Alphabet announcement, “G Is for Google.” With its logo in primary colors, the letters in a serif typeface as if on toy letter blocks, and of course a name that’s nearly a gurgle and a corporate headquarters (the “Googleplex”) that’s a pun, Google has never exactly gone for the grown-up look. On the contrary, they are, like Facebook, famous for ping-pong tables in the workplace and Silicon Valley’s “youth culture.”

[…]

That is not to say that Google’s design strategy is antimodernist. Not at all. For the childishly-named doodles don’t register as ornaments without the “simple and iconic” reputation of the default search page. More to the point, though, the performance of childishness is a key form of modernist primitivism, a way of superseding modern civilization’s (supposed) hypercontrol, not by admitting to being decadent or regressive but rather by appropriating a position of genuine newness in the form of youth (which is also, of course, a proxy for other alleged developmental earlinesses—modernists like Gertrude Stein and William Carlos Williams freely appropriated African-American, Native American, and immigrant positions).

It’s spread across two sites and many posts but at this point I think Natalia’s blogging over the last few years is basically the definitive statement of how to think about the cultural politics of puerility and childhood in contemporary culture.

(Categorizing this in “Calling adults childish” because companies can do it to themselves!)

adults are acting like children! (a bibliography 1997–2014)

This whole thing is just completely fallacious I think?

  • Anderson, Kurt. 1997. “Kids Are Us: These Days, Behaving Like a Grownup is Child’s Play.” The New Yorker 73 (December 15): 70.
  • Barber, Benjamin R. 2007. Con$umed: How Markets Corrupt Children, Infantilize Adults, and Swallow Citizens Whole. New York: Norton.
  • Bernardini, Jacopo. 2013. “The Role of Marketing in the Infantilization of the Postmodern Adult.” Fast Capitalism 10 (1): http://www.uta.edu/huma/agger/fastcapitalism/10_1/bernardini10_1.html.
  • Bly, Robert. 1997. The Sibling Society. New York: Vintage.
  • Cross, Gary. 2008. Men to Boys: The Making of Modern Immaturity. New York: Columbia University Press.
  • Danesi, Marcel. 2003. Forever Young: The Teen-aging of Modern Culture. Toronto: University of Toronto Press.
  • Epstein, Joseph. 2004. “The Perpetual Adolescent and the Triumph of the Youth Culture.” Weekly Standard (March 15): http://www.weeklystandard.com/Content/Public/Articles/000/000/003/825grtdi.asp.
  • Noxon, Christopher. 2006. Rejuvenile: Kickball, Cartoons, Cupcakes, and the Reinvention of the American Grown-up. New York: Three Rivers Press.
  • Pittman, Frank. 1999. Grow Up! How Taking Responsibility Can Make You A Happy Adult. New York: St. Martin’s Griffin.
  • Porterfield, Sally, Keith Polette, and Tita French Baumlin. 2009. Perpetual Adolescence: Jungian Analyses of American Media, Literature, and Pop Culture. Albany: State University of New York Press.
  • Samuelson, Robert J. 2003. “Adventures In Agelessness.” Newsweek (November 3): 47.
  • Scott, A. O. 2014. “The Death of Adulthood in American Culture.” New York Times Sunday Magazine (September 11): http://www.nytimes.com/2014/09/14/magazine/the-death-of-adulthood-in-american-culture.html.
  • West, Diana. 2008. The Death of the Grown-Up: How America’s Arrested Development Is Bringing Down Western Civilization. New York: St. Martin’s Griffin.

New article about Hannah Montana in Women’s Studies Quarterly

An essay I wrote about the strange ways the Disney Channel show Hannah Montana adapts the “having it all” problematic from postfeminist women’s TV to a 21st century tween sitcom came out this month in a brilliant issue of WSQ: Women’s Studies Quarterly on the theme CHILD. The special issue also includes articles by my new colleague at Pitt Julian Gill-Peterson and amazing people like Natalia Cecire and Nicholas Sammond. It is already a thrill to contribute something to WSQ, and to be part of this incredible issue is even better.

Buy the whole issue from Feminist Press; or if your library subscribes it’s at Project MUSE; or it’s here.

 

Quote

The biggest difference is that when I was young, I wore sweaters. Crewneck sweaters, with button-down shirts and jeans, every single day. And I think at a certain point in my twenties, I decided that was childish. So I gave away all my beautiful sweaters.

Blue jeans are childish too, obviously. But luckily everyone my age kept wearing them. It used to be that adults did not wear jeans—not men, unless they were construction workers—only teenagers wore them. But I guess my generation just said, “We’re going to keep wearing them until we die, because we’re almost there.”

I have to say that one of the biggest changes in my lifetime, is the phenomenon of men wearing shorts. Men never wore shorts when I was young. There are few things I would rather see less, to tell you the truth. I’d just as soon see someone coming toward me with a hand grenade. This is one of the worst changes, by far. It’s disgusting. To have to sit next to grown men on the subway in the summer, and they’re wearing shorts? It’s repulsive. They look ridiculous, like children, and I can’t take them seriously.

You know when George Plimpton died, someone told me, ‘He was so eccentric. He used to ride his bike in a suit and tie!’ and it drove me crazy. I said, ‘What’s eccentric is the bicycle. Everyone here used to wear suits and it was lovely! But only children rode bicycles.’ The trademark of New York City fashion used to be that we dressed more seriously here. More formally. Now people need special costumes to ride bicycles. I mean, a helmet, what, are you an astronaut??

via ‘Yoga Pants are Ruining Women’ and Other Style Advice From Fran Lebowitz.

Calling adults childish

Robert Pogue Harrison, “The Children of Silicon Valley”:

In “Change the World,” a splendid New Yorker article published in 2013, George Packer mentions an employee at a high-tech firm who refused to take time away from work to hear what President Obama, who was visiting the campus, had to say. “I’m making more of a difference than anybody in government could possibly make,” the employee reportedly told a colleague. There are not many places in the world—maybe only one—where an employee can expect an absurd utterance like that to be taken seriously, and where children, metaphorically speaking, believe that adults need their guidance and tutelage.

… and on and on. (I’m all for maximalist critiques of Silicon Valley, but politicians as adults is rich.)

(an ongoing series)

coming at you like spider monkeys

The clock is ticking. Those 16-year-old girls are coming at you like spider monkeys, and everyone else is going to feel left out. —Angelo Sotira, “Never Forget that 16-year-old Girls Run the Internet”

I have read this weird advice/app review column by the deviantART founder/CEO so many times, and I can’t for the life of me figure out what the 16-year-old girls that bookend (and headline) the article have to do with the body, about new “secret-sharing” web apps. Is the advice about keeping 16-year-old girls out? Why does the advice not also apply to 16-year-old girl users? Will 16-year-old girls adopt any platform regardless of its merit? Will they destroy a perfectly good tool? There isn’t even a coherent passage to quote!

And don’t plenty of 16-year-old girls use deviantART? Is this column expressing Sotira’s resentment of his own client base? Is his the cautionary tale? When he writes, “Imagine that you’re in your apartment, scrolling through the latest confession/messaging/social app, and it’s full of woes of teenage heartbreak. You realize that this app doesn’t speak to you.” is he complaining about his own site? Because, um, go look at the stuff on the front page of deviantART (which is an amazing website—truly no disrespect or criticism there is intended, but the point is obvious I hope).

And if teenage girls run the internet, why WOULDN’T you want them on your site?

I guess I know it’s obvious that everyone hates teenage girls, but is it THAT obvious? Are they such a pure symbol of abjection?

cf, I guess. sigh