Quote

The most promising targets for campaigns are employers large and multifarious enough to implicate workers of many different kinds, as well as the broader community. Hospitals, school systems, and universities leap out as potential targets. These are the institutions where the RN, the custodian, and the fast-food worker are under the same roof. They might actually know one another. The meaning of their alliance might cut across lines of race, gender, and status.

Such institutions tend to have major footprints in their local labor markets. In New York City, the Department of Education is the largest single employer of all agencies of the city government, itself the largest overall employer; health-care providers and universities make up eight of the top ten in the private sector. What’s more, the students, families, and patients who are served by the institution often have interests that can be aligned with those of workers: Do you want enough nurses on the hospital floor? What is all this debt for if the money’s not going to the professors? Do you want your children tested to death and jammed into overcrowded classrooms? Here the classic case is the Chicago Teachers Union, which has successfully positioned itself at the head of a popular majority against mayor Rahm Emanuel.

These institutions are also susceptible to public pressure. Hospitals, school systems, and universities all depend on the public — its opinion, its dollars. If a significant number of people who work at these institutions can be mustered to volunteer in local elections, that group can persuade an even larger group of workers, students, and patients to vote for the same candidates. Then you have a shot at building real, substantive unity between different sections of the working class.

Source: Who Works for the Workers? | Issue 26 | n+1

Microsoft Advanced Threat Protection is a disaster

tl;dr: I’m pulling my hair out about this terrible email security service that is ruining my work email, so I blogged about it.

My employer uses Microsoft Exchange for university email. It recently purchased and implemented the “Advanced Threat Protection” package, primarily to combat phishing. The “Safe Links” feature, in particular, is a disaster. Pitt’s webpage explaining this service is here. Microsoft’s is here.

So the “Safe Links” feature replaces all links in incoming emails from outside servers with links that begin with “https://na01.safelinks.protection.outlook.com ” and are followed by several lines of complex code. This is a solution of sorts to phishing scams, but seems to have exactly the opposite effect as it should. For example, I now regularly receive emails with links such as this:

https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.tandfonline.com%2ftoc%2ftmam20%2f10%2f1&data=01%7c01%7cbickford%40PITT.EDU%7ca9f7b386fae94ca994bb08d38e3a59bb%7c9ef9f489e0a04eeb87cc3a526112fd0d%7c1&sdata=st79jNKGyGbI%2fcDprP%2fgra%2fTQz7lni5uZCS7a1W83OI%3d

In emails formatted with HTML that would be embedded as a link. In plain text emails the whole link is included in the text.

This is bonkers for several reasons:

(1) Security

My normal approach to potential phishing emails is to check whether the links go to the expected servers or not. If I look closely at the above link I can see that it may resolve to a site on the domain http://www.tandfonline.com, but there is no way to actually confirm that without actually clicking the link. That, then, requires me to trust that the Advanced Threat Protection service will in fact catch every potentially malicious link and will never go down. But, predictably, this service has already had major vulnerabilities that let malicious links through and apparently lasted for months.

This trains users to blindly trust long, complex links in general. One of the ironies here is that Pitt’s IT office recently implemented a “Phishing Awareness” program, to train and encourage email users to be more careful about phishing emails. That campaign tells us:

You can identify a phishing scam by looking for email messages that:

  • Create a sense of urgency
  • Invoke strong emotions, like greed or fear
  • Request sensitive data
  • Contain links that do not appear to match legitimate resources for the organization that is contacting you

So when you receive an email that seems to create a sense of urgency, invoke strong emotions, or request sensitive data, before you click you should check the links to make sure they go to expected servers.

The Safe Links program makes this impossible. Now when you receive an email that seems to create a sense of urgency, invoke strong emotions, or request sensitive data, you can’t confirm that the link goes to the expected server, because all links go to https://na01.safelinks.protection.outlook.com!

That domain itself is much more complex than normal. I can look at

https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.tandfonline.com%2ftoc%2ftmam20%2f10%2f1&data=01%7c01%7cbickford%40PITT.EDU%7ca9f7b386fae94ca994bb08d38e3a59bb%7c9ef9f489e0a04eeb87cc3a526112fd0d%7c1&sdata=st79jNKGyGbI%2fcDprP%2fgra%2fTQz7lni5uZCS7a1W83OI%3d

and confirm that it ends in “outlook.com” as the top-level domain. But it is a lot of work to parse. And it is so complex that it would be relatively easy to imitate and confuse even sophisticated users with small changes, like one more top-level domain.

With the Safe Links program, users now have no choice but to trust that the service never goes down and that it never misses a malicious link. Except that the service already has gone down and missed malicious links!

I’m sure it is difficult to train a large number of users at a large institution to be sophisticated, skeptical email users. But Safe Links trains users in exactly the opposite direction, to be passive, trusting email users. And then when Pitt students and faculty use their personal email accounts (very possibly on Pitt machines!) they will be even more susceptible to scams because we are teaching them the wrong habits.

Ironically, this works directly at cross purposes to Pitt’s own phishing awareness campaign. A significant element of that campaign is that Pitt is sending out fake phishing emails (so fake fake messages), which have phishing awareness sites on the other end of their apparently malicious links. So I received this message:

Screen Shot 2016-06-16 at 9.14.07 AM

screenshot of fake phishing scam email

Hilariously, that link at “Manage Order” goes to this page:

Screen Shot 2016-06-16 at 9.19.43 AM

screenshot of phishing awareness website

Which includes this (excellent) advice:

You should always be suspicious of links in email. Before you click, you should verify that you recognize the web address that is used in the link.

But if you look at the original fake phishing scam, the link that is supposed to go to “http://orders.discontcomputers.com ” (a site I would know I did not have any recent orders with, and therefore would be suspicious of), instead goes to:

https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2forders.discontcomputers.com%2fgp%2fr.html%2fb0aaed%2f%3flogin_id%3db14486b8-9334-44bf-9fc4-138293e06303&data=01%7c01%7cBICKFORD%40pitt.edu%7cc13ccde9ce0e4cd6ef3008d39075f908%7c9ef9f489e0a04eeb87cc3a526112fd0d%7c1&sdata=3X6xloziBnsaxoXfn9c0r%2fID5AWUG2xOyfvszXODQs4%3d

This makes no sense.

(2) Usability

Replacing simple direct links in email with links that are almost 300 characters long (!) seriously impacts the readability of plain text messages. Most of the email lists for professional/disciplinary organizations that I subscribe to require messages be formatted in plain text, so I get a lot of these. For example:

Screen Shot 2016-06-16 at 8.21.21 AM

screenshot of email message with lots of really long links

I can’t even.

Now when someone’s email signature includes a link to their homepage, it is four lines long, and can’t be understood as links to an individual’s homepage. To learn where that person’s website is, you have to actually click the link and load the page! Paragraphs and sentences are broken up to the point of unreadability.

Unembedded URLs are good for email security, because they ensure that readers see where links are going, and we should encourage them. Instead this change further encourages email senders to embed URLs as hyperlinks in email, which makes it much harder for users to recognize and decipher the links they are clicking on, which is bad.

(3) Record-keeping

Of course this will also create serious “linkrot” problems in the future. I keep an archive of my work emails going back over a decade, and email is an important form of record-keeping (this is especially true for public institutions like the one where I work). This service relies on Microsoft servers continuously running to scan and translate clicked URLs. If Microsoft ever discontinues this service (and why wouldn’t they if it stopped being profitable? Google killed Reader, after all), all of these links will become completely unusable. The links themselves may not even contain all the information in the original URL, so the original destination may not even be able to be decipherable in the future. (They do seem to include all the original link information in some form, but I haven’t looked at enough of them to confirm that it is all in the new safelink URL and not stored online in a database, say. And even if the information is all there it is very heavily processed.) This means that we are relying on Microsoft to continue an active link analysis service in perpetuity to maintain the basic usefulness of our own email archives in the future. If Pitt ever decided, say, to switch from Exchange to Google’s Apps for Education, or even if Microsoft discontinued the Exchange service altogether, we would not lose our archives hosted on our own machines. But if this new service were discontinued we would lose access to basic information in messages in our email archives. That does not make sense to me as an approach to record-keeping either for academics or for a public institution.

(4) Privacy

On Microsoft’s webpage explaining this service, they advertise this feature:

Get rich reporting and track links in messages
Gain critical insights into who is being targeted in your organization and the category of attacks you are facing. Reporting and message trace allow you to investigate messages that have been blocked due to unknown viruses or malware, while URL trace capability allows you to track individual malicious links in the messages that have been clicked.

They include this image:

Image_RichReporting_713x325

image of list of links from Microsoft website

This appears to suggest that institutional IT administrators will receive reports with individually identifying information about every link clicked by every email user. Surely there is some tradeoff between privacy and security, but this seems, at least, like a significant movement away from the norms of privacy that university employees currently expect. My understanding is that Pitt’s IT administrators do not, for example, see the text of all my emails, or even their metadata, though that may be possible in extreme cases. But here Microsoft is suggesting that they will produce and make available reports detailing every link clicked on by individually identifiable email users. That seems like a bad thing.

I suppose there is some logic here, which is that if you ruin email as a useful tool for scholarly communication, then people will stop using email, and then you won’t have to worry about users clicking on malicious links in phishing scams.

 

Quote

Natalia Cecire has an extraordinary post today on the cultural politics of Google’s self-infantilization, responding to the company’s announcement that it would restructure itself under the new name “Alphabet.”

But Google’s simplicity doesn’t go for sophisticated (read: adult) simplicity in the way that Apple’s design so openly does.14)

Contrast this with the conscious citation of children’s alphabet books in the title of Google’s Alphabet announcement, “G Is for Google.” With its logo in primary colors, the letters in a serif typeface as if on toy letter blocks, and of course a name that’s nearly a gurgle and a corporate headquarters (the “Googleplex”) that’s a pun, Google has never exactly gone for the grown-up look. On the contrary, they are, like Facebook, famous for ping-pong tables in the workplace and Silicon Valley’s “youth culture.”

[…]

That is not to say that Google’s design strategy is antimodernist. Not at all. For the childishly-named doodles don’t register as ornaments without the “simple and iconic” reputation of the default search page. More to the point, though, the performance of childishness is a key form of modernist primitivism, a way of superseding modern civilization’s (supposed) hypercontrol, not by admitting to being decadent or regressive but rather by appropriating a position of genuine newness in the form of youth (which is also, of course, a proxy for other alleged developmental earlinesses—modernists like Gertrude Stein and William Carlos Williams freely appropriated African-American, Native American, and immigrant positions).

It’s spread across two sites and many posts but at this point I think Natalia’s blogging over the last few years is basically the definitive statement of how to think about the cultural politics of puerility and childhood in contemporary culture.

(Categorizing this in “Calling adults childish” because companies can do it to themselves!)

adults are acting like children! (a bibliography 1997–2014)

This whole thing is just completely fallacious I think?

  • Anderson, Kurt. 1997. “Kids Are Us: These Days, Behaving Like a Grownup is Child’s Play.” The New Yorker 73 (December 15): 70.
  • Barber, Benjamin R. 2007. Con$umed: How Markets Corrupt Children, Infantilize Adults, and Swallow Citizens Whole. New York: Norton.
  • Bernardini, Jacopo. 2013. “The Role of Marketing in the Infantilization of the Postmodern Adult.” Fast Capitalism 10 (1): http://www.uta.edu/huma/agger/fastcapitalism/10_1/bernardini10_1.html.
  • Bly, Robert. 1997. The Sibling Society. New York: Vintage.
  • Cross, Gary. 2008. Men to Boys: The Making of Modern Immaturity. New York: Columbia University Press.
  • Danesi, Marcel. 2003. Forever Young: The Teen-aging of Modern Culture. Toronto: University of Toronto Press.
  • Epstein, Joseph. 2004. “The Perpetual Adolescent and the Triumph of the Youth Culture.” Weekly Standard (March 15): http://www.weeklystandard.com/Content/Public/Articles/000/000/003/825grtdi.asp.
  • Noxon, Christopher. 2006. Rejuvenile: Kickball, Cartoons, Cupcakes, and the Reinvention of the American Grown-up. New York: Three Rivers Press.
  • Pittman, Frank. 1999. Grow Up! How Taking Responsibility Can Make You A Happy Adult. New York: St. Martin’s Griffin.
  • Porterfield, Sally, Keith Polette, and Tita French Baumlin. 2009. Perpetual Adolescence: Jungian Analyses of American Media, Literature, and Pop Culture. Albany: State University of New York Press.
  • Samuelson, Robert J. 2003. “Adventures In Agelessness.” Newsweek (November 3): 47.
  • Scott, A. O. 2014. “The Death of Adulthood in American Culture.” New York Times Sunday Magazine (September 11): http://www.nytimes.com/2014/09/14/magazine/the-death-of-adulthood-in-american-culture.html.
  • West, Diana. 2008. The Death of the Grown-Up: How America’s Arrested Development Is Bringing Down Western Civilization. New York: St. Martin’s Griffin.

New article about Hannah Montana in Women’s Studies Quarterly

An essay I wrote about the strange ways the Disney Channel show Hannah Montana adapts the “having it all” problematic from postfeminist women’s TV to a 21st century tween sitcom came out this month in a brilliant issue of WSQ: Women’s Studies Quarterly on the theme CHILD. The special issue also includes articles my new colleague at Pitt Julian Gill-Peterson and amazing people like Natalia Cecire and Nicholas Sammond. It is already a thrill to contribute something to WSQ, and to be part of this incredible issue is even better.

Buy the whole issue from Feminist Press; or if your library subscribes it’s at Project MUSE; or it’s here.

 

Quote

The biggest difference is that when I was young, I wore sweaters. Crewneck sweaters, with button-down shirts and jeans, every single day. And I think at a certain point in my twenties, I decided that was childish. So I gave away all my beautiful sweaters.

Blue jeans are childish too, obviously. But luckily everyone my age kept wearing them. It used to be that adults did not wear jeans—not men, unless they were construction workers—only teenagers wore them. But I guess my generation just said, “We’re going to keep wearing them until we die, because we’re almost there.”

I have to say that one of the biggest changes in my lifetime, is the phenomenon of men wearing shorts. Men never wore shorts when I was young. There are few things I would rather see less, to tell you the truth. I’d just as soon see someone coming toward me with a hand grenade. This is one of the worst changes, by far. It’s disgusting. To have to sit next to grown men on the subway in the summer, and they’re wearing shorts? It’s repulsive. They look ridiculous, like children, and I can’t take them seriously.

You know when George Plimpton died, someone told me, ‘He was so eccentric. He used to ride his bike in a suit and tie!’ and it drove me crazy. I said, ‘What’s eccentric is the bicycle. Everyone here used to wear suits and it was lovely! But only children rode bicycles.’ The trademark of New York City fashion used to be that we dressed more seriously here. More formally. Now people need special costumes to ride bicycles. I mean, a helmet, what, are you an astronaut??

via ‘Yoga Pants are Ruining Women’ and Other Style Advice From Fran Lebowitz.

Calling adults childish

Robert Pogue Harrison, “The Children of Silicon Valley“:

In “Change the World,” a splendid New Yorker article published in 2013, George Packer mentions an employee at a high-tech firm who refused to take time away from work to hear what President Obama, who was visiting the campus, had to say. “I’m making more of a difference than anybody in government could possibly make,” the employee reportedly told a colleague. There are not many places in the world—maybe only one—where an employee can expect an absurd utterance like that to be taken seriously, and where children, metaphorically speaking, believe that adults need their guidance and tutelage.

… and on and on. (I’m all for maximalist critiques of Silicon Valley, but politicians as adults is rich.)

(an ongoing series)