Here:
#!/usr/bin/env python3
# unsafelinks: print the original URL carried in a rewritten link's url= parameter, without fetching it
from urllib.parse import urlparse, parse_qs
from sys import argv, exit
params = parse_qs(urlparse(argv[1]).query)  # parse_qs also percent-decodes the value
if 'url' not in params:
    exit("no url= parameter found; is this a rewritten link?")
print(params['url'][0])
This is unsafelinks. Pass it a safelinks url, and it will print the original URL. Very important when you have a one-time-use link which safelinks can break.
1. Create dodgy looking URL
2. AI in Gmail spots link, blocks it.
3. Blocked link is spidered for more information automatically
4. Link resolves to website
5. Website black-listed
So I'm not going to use it!
https://www.cyber.gov.au/business-government/asds-cyber-secu...
that is just binance.com lol
https://pc-helper.xyz/root-exploit/virus_loader_tool.exe?id=...
I reported it for phishing and I kid you not, less than 30 seconds later I got a response "Email is not suspicious"
What do you MEAN email is not suspicious? This is the most suspicious email I have ever received!
A phone call from Microsoft about my Norton anti-virus subscription putting me into debt that can only be settled with Nintendo gift cards bought in cash across 16 specific gas stations seems much more legitimate in comparison.
People kept falling for phishing links though, so they got a Trend Micro device to scan emails, which also rewrote every link in it to point to their URL scanning service, which means every link now looks like https://ca-1234.check.trendmicro.com/?url=...; I guess no one would be allowed to click on any link in an email at that company.
Of course, their URL rewrites also broke a good number of links, so you'd wake up to a production incident, and then have to get your laptop, log in manually to Pagerduty/Sentry or what have you, and look up the incident details from the email...
https://url.uk.m.mimecastprotect.com/s/<random_string>?domain=<domain_name>
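The rewriter formats quoted in this thread can be unwrapped locally: Safe Links and the Trend Micro checker carry the target in a url= parameter, while the Mimecast form only exposes a domain= hint. The script below is an added example, not the unsafelinks script above or any vendor's code; the rewriter host suffixes are assumptions and every sample link is constructed.

```python
#!/usr/bin/env python3
"""Offline unwrapper for rewritten ("safe") links.

Added example for this thread, not the unsafelinks script above or any
vendor's code. It recovers the original destination without fetching the
rewritten link, so a one-time-use link is not consumed by the check.
Formats handled are the ones quoted in the thread:
  * Safe Links / Trend Micro style: the original URL sits in a url= parameter
  * Mimecast style: only a domain= hint is present, so the target cannot be
    recovered offline and the function reports just that hint
The host suffixes below are assumptions for the demo; all sample links are
constructed.
"""
from urllib.parse import urlparse, parse_qs, quote

# Rewriters that carry the full original URL in a url= query parameter (assumed).
URL_PARAM_REWRITERS = ("safelinks.protection.outlook.com", "check.trendmicro.com")
# Rewriters that expose only the destination domain (assumed).
DOMAIN_HINT_REWRITERS = ("mimecastprotect.com",)
# Rewriters wrap each other when mail passes several gateways; cap the unwrapping.
MAX_DEPTH = 5


def _host_matches(host: str, suffixes: tuple) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _is_web_url(candidate: str) -> bool:
    # Only accept http(s) targets: a url= value such as "javascript:..." is rejected.
    parsed = urlparse(candidate)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def unwrap(link: str) -> tuple:
    """Return (kind, value, hops).

    kind is "url" when the original URL was recovered, "domain" when only a
    domain hint exists, and "plain" when the link is not a known rewriter.
    hops counts how many rewriter layers were removed.
    """
    current = link
    for hops in range(MAX_DEPTH + 1):
        parsed = urlparse(current)
        host = (parsed.hostname or "").lower()
        query = parse_qs(parsed.query)  # parse_qs also percent-decodes the values
        if _host_matches(host, URL_PARAM_REWRITERS):
            inner = query.get("url", [""])[0]
            if not _is_web_url(inner):
                raise ValueError(f"rewriter link carries no usable url= parameter: {current}")
            current = inner
            continue
        if _host_matches(host, DOMAIN_HINT_REWRITERS):
            return ("domain", query.get("domain", [""])[0], hops)
        return ("url" if hops else "plain", current, hops)
    raise ValueError("gave up after %d nested rewrites" % MAX_DEPTH)


def describe(link: str) -> str:
    """Human-readable verdict for a link; never raises."""
    try:
        kind, value, hops = unwrap(link)
    except ValueError as err:
        return f"rejected: {err}"
    if kind == "url":
        return f"original URL ({hops} rewrite layer(s) removed): {value}"
    if kind == "domain":
        return f"only the destination domain is visible: {value}"
    return f"not a known rewriter: {value}"


# Constructed sample links: the hostnames follow the thread's formats, the paths are made up.
ORIGINAL = "https://example.org/reset?token=abc123"
SAFELINK = "https://nam02.safelinks.protection.outlook.com/?url=" + quote(ORIGINAL, safe="") + "&reserved=0"
DOUBLE_WRAPPED = "https://ca-1234.check.trendmicro.com/?url=" + quote(SAFELINK, safe="")
MIMECAST_STYLE = "https://url.uk.m.mimecastprotect.com/s/randomstring?domain=example.org"
BAD_TARGET = "https://nam02.safelinks.protection.outlook.com/?url=javascript%3Aalert(1)"

if __name__ == "__main__":
    for sample in (ORIGINAL, SAFELINK, DOUBLE_WRAPPED, MIMECAST_STYLE, BAD_TARGET):
        print(describe(sample))
```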
Maybe I can tell the link is from Google, but not what is likely to be in the URL. It's a complete surprise as to whether I will be looking at a web page or downloading something.
I’ve worked for multiple large companies where the annual IT security signoffs look exactly like malicious emails: weird formatting; originates from weird external url that includes suspicious words; urgent call to action; and threats of discipline for non-compliance.
All this money being spent on training, only to immediately lull users into accepting threats.
Of course with the millions of websites available I couldn't think of one specific one, so I just held down the "x" key and then pressed CTRL+ENTER (which automatically added "www" and ".com" to your entry - typing this on a mac I see it still works with Firefox).
Of course www.x(and a few more x).com was a porn site.
Of course there were a bunch of people (including customers) sitting in reception (and the receptionist herself) who could directly see the screen.
Of course the PC was running nothing else, so a quick alt+tab didn't hide anything.
I announced that all was fine and ran for my desk.
1. Make a site like this.
2. Wait for people to try it out with a URL that goes to a significant site (bank, social media, email, etc.)
3. Allow a bit of normal use, then secretly switch the link so that further visitors land on a corresponding phishing site.
4. Having just dismissed a bunch of "obviously fake" warning signs, people may be less alert when real ones arrive.
Hilarious, this is great.
https://cam-xxx.live/trojan-hunter/evil-snatcher/malware_cry...
EDIT: hehe got one https://news.ycombinator.com/item?id=45297475
Also, we were taught to inspect the URL before clicking on it.
Except that the spam system they use completely mangles the URL...
Since you can't exhaustively enumerate every good thing or every bad thing on the internet, a lot of security detection mechanisms are based on heuristics. These heuristics produce a fair number of false positives as it is. If you bring the rate up, it just increases the likelihood that your security folks will miss bad things down the line.
If you copy the generated url and put it into the entry field (and repeat) then you end up at a bitcoin site. As Bubblerings has pointed out that has malware.
And this madlad posts this on a Friday.
GG HF, SOC people :D
If you really want to check every time someone clicks on a link then you can do this in the client and keep the visible link the same for the end user.
But instead there are different teams working on this in Outlook, Teams, Exchange, Defender and god knows where else.
(I'm one of the people in corporate IT trying to turn this off and often struggling)
Instead of naively trusting the link, only to click it and get rickrolled, you’re naively distrusting the link, so you’ll never know the link was fine all along.
I hate this trend. Like an overused pool of the same "Secret Questions" every company asks, it needs to be on some "X considered harmful" list.
(For a different domain).
In the meantime, does anyone else get a kick out of receiving emails from quarantine@messaging.microsoft.com where they quarantine their own emails?
Edit: I see other people said things that are similar to a more mature version of my feeling. We need to address this in a way that addresses the threat of email links properly, not throw machine learning at guessing which are OK to click. BTW, I'm not implying that you're saying that is what should be done to solve the issue, but I'm sure it's behind the silly MS quarantine I mentioned, and an email from the one person I email the most, who is also in my contacts, going to spam in iCloud.
The other 10% are people who are just like you and know better.
Uh, what? I just tried it a few times, and it seems to just follow the redirect each time, always ending up back at the original target URL I entered. How many times did you have to "repeat" to make that happen?
> As Bubblerings has pointed out that has malware.
No, that's not what BubbleRings said. BubbleRings said one site on VirusTotal reported it was malware. That sounds like a false positive because the URL is fishy, which is the entire point of the joke here.
Most people are never going to check the links no matter how much you ask them to, and even if they did they wouldn’t know what to check for. But the tool Microsoft give you to check a link before opening it is that awful URL rewriter, which prevents the small minority who would check from being able to.
Similarly those flashing cmd windows are usually automatic update processes that Windows has no way to hide. Even some drivers that MS distribute through Windows Update do it. We could turn automatic updates off, but then nobody would update their software.
IT is rough because you’re often stuck between a rock and a hard place. On the one side you have users who don’t want to change their behaviour, on the other side you have industry leading vendors, that the SLT insist on using, that make it impossible to do the right thing or put the right thing on an Enterprise plan that the budget won’t permit. Then to top it off, there are usually compliance and insurance breathing down your neck forcing you to implement questionable best practices from the 90s, so you just have to do your best to limit the damage.
I'm using Finicky[1] on Mac to rewrite the URL by extracting the original URL from the query params[2].
1: https://github.com/johnste/finicky
2: https://github.com/fphilipe/dotfiles/blob/31e3d18fe5f51b2fd8...
1: https://pc-helper.xyz/scanner-snatcher/session-snatcher/cred...
https://match-heaven.club/trojan/malware_dropper.exe?id=0416...
We have something that makes genuine links look malicious at work too.
I think it’s called Microsoft Safelink or something. Its purpose is to go through your Outlook inbox and obscure the origin of every link because, obviously, being able to understand what you’re clicking on is bad.
Remember kids, no one ever gets fired for buying Microsoft. ;)
Now sketchy emails are preceded by an equally sketchy “it’s ok” email from IT.
The flashing cmd.exe windows are not drivers from Windows Update - this could have been the case as drivers shipped with Windows Update is a total security nightmare running arbitrary code with administrative privileges upon hotplug - but in this context of managed devices, commonly from HP or Lenovo's corporate portfolio, it's usually additional products and changes pushed by group policy or random management software.
The often changing user prompts, looking like they were from some early 2000's hello world example, come from obscure and overlapping management software they remotely deploy which they change at will. You don't need a proprietary solution to remotely upgrade Google Chrome, just specify an enterprise policy with auto-update. You don't need a proprietary solution to prompt users and manage Windows Update, because you have... Windows Update.
The URL checker has no valid benefit, and makes it so people can never learn how to do it themselves. The browser performs the exact same checks with the exact same capabilities through its safe browsing stuff, and corporate IT often has network-level solutions too.
Corporate IT uses emails services that spoof domains and look suspicious, reversing all the phishing training they paid for.
Not to mention that Corporate IT might deploy network-wide solutions like Cisco Umbrella, which is a TLS Man-in-the-Middle attack where you install their root CA on all machines and let them control DNS to randomly redirect all traffic to their servers, effectively undermining the basis of all modern web security for the entire organization.
In general there's a fetish for buying products that have a significant negative impact on security, user experience and the possibility of training users, usually for the purpose of feigning progress and meeting some targets. Say, they had a ransomware incident, and now they're buying every ransomware product for a few years. Stuff with such buggy kernel code that it deadlocks and makes it impossible to create new processes until you hard reboot. I'm sure that's not a security problem!
One is the 'business' one. Mostly locked down, with checks in place.
The other is on a different network, isolated from all business functions, and they can do what they want but must never use it for work data, just like their phones (that everyone knows they use for social media etc. in the day).
Sure, you still have to deal with copying from one to the other (but there are solutions for that if critical, and much easier to secure).
It sounds crazy, but air-gaps are largely proven and it also means that employees feel less oppressed.
Now I realise, even ignoring the cost, businesses won't want this, as perish the thought their employees may do anything other than work. But I suspect it would actually stop more attacks and issues than otherwise and maybe... just maybe.. employees feel as if they're actually human.
So we get e-mails from @microsoft.com and it's only if you dig in the metadata that you see it failed authentication. The only tell in the e-mail is checking the URL, which doesn't tell you much because tons of regular e-mails use tracker redirects too. They even send emails from our own domain or the domain of our payroll company.
I won't type out my rant, but our IT department is a few guys who couldn't figure out what to do when their competitive xbox FIFA 2006 dreams failed, heard IT pays a lot with not much work, and then sat through the certs.
Just saying I haven't failed a phishing test in ~10 years.
Nothing raises my suspicions quite like something calling itself "safe".
Greetings from AWS,
There are upcoming changes in how you will be receiving your AWS Invoices starting 9/18/2025. As of 9/18/2025, you will receive all AWS invoices from “no-reply@tax-and-invoicing.us-east-1.amazonaws.com”. If you have automated rules configured to process invoice emails, please update the email address to “no-reply@tax-and-invoicing.us-east-1.amazonaws.com”.
This was brain dead. If I saw an email with that sender, I would think it was a scam. They had to walk it back.
For context, I get random other emails about things like Lambda runtime deprecation from “no-reply-aws@amazon.com” which looks a lot more official.
And “aws-marketing-email-replies@amazon.com”
I ended up creating my own browser extension for gmail that blocks clicking on any link unless the domain is whitelisted. Now if I click any link and it's not in the whitelist, it shows a popup that displays the domain name, and I can then choose to whitelist it and then it opens the link, or just keep blocking it. I haven't had to re-take any phishing compliance tests in a long time.
IT is basically being a system integrator with a load of systems that don't want to integrate. Corporate don't accept no for an answer. You need to bend things in ways they don't want to bend to get them to fit.
> The flashing cmd.exe windows are not drivers from Windows Update
The first thing I do with any new corpo laptop is completely wipe it down to the firmware, and clean the drive entirely to make sure the stench of Dell, Lenovo and HP is as cleansed as it's possible to be, then install Windows from a fresh ISO downloaded straight from Microsoft.
Then a few hours after reinstalling Windows again, the Lenovo shitware drivers are back. Not the software suites, at least, but the crappy drivers that throw up cmd prompts and have un-suppressible dialog boxes telling you to update the BIOS but look like malware and ask for the admin password. Check Windows Update and it will show that it has installed a bunch of stuff like "Lenovo - System" and "LG Electronics - Extension".
Recently there's a push to dropship directly to customers and use Autopilot, with some vendors now offering "Corporate-Ready" images, but most IT depts still prefer to get hands-on first because of how flaky that is, plus even the corporate ready image still comes with shitware, just less of it.
But anyway, even assuming it isn't coming via WU, and is one of those Lenovo bootkits, what else are we to do? Half the laptop won't work without drivers. Most of the other laptop manufacturers are aimed at gamers and fall apart in about a year. More recently I've been trying to move towards Microsoft Surface devices, and have found they're a much cleaner experience on the software, but have been finding the hardware reliability is quite terrible. I'm hoping that Framework's business programme turns out to be a success, but right now there are just no good options.
> You don't need a proprietary solution to remotely upgrade Google Chrome, just specify an enterprise policy with auto-update.
Sure. Chrome can be auto-updated and you have good controls over how that rolls out, so you can designate test users. But it's one of the few bits of software written "properly", including for example a Windows service that can run Chrome updates on behalf of a non-admin user, and they've actually provided GPOs to configure it. Even then it sometimes gets stuck and stops updating. So, we still need something like PMPC/Robopack/PSADT to update all the apps that either have a broken auto-update mechanism or just don't have one in the first place. We would also need to keep the original installer up to date ourselves, and for some software you're talking a day of fixing your manual packaging scripts every month, trying to work out which undocumented flags the MSI accepts, whether they've renamed the registry key they check to disable the non-functional auto-updates this version, etc.
Nowadays, we're starting to see more adoption of things like winget where the vendor themselves are packaging things in a way that is suitable for mass deployment, using a standard mechanism that Windows itself can use to auto-update the apps. This is a massive improvement for everyone, but I'd say only <10% of most corporate/LOB apps are available this way yet. Hopefully over the next few years we'll see more adoption, as this would solve a big chunk of the pain of corporate IT.
One of the worst vendors for writing stuff that doesn't use the standard mechanisms to install or update, incidentally, is Microsoft.
> The URL checker has no valid benefit, and makes it so people can never learn how to do it themselves. The browser performs the exact same checks with the exact same capabilities through its safe browsing stuff, and corporate IT often has network-level solutions too.
Nobody ever does it themselves which is the point. Also, if you're opening it on a corporate computer, current versions of Outlook do actually show you the original URL when you hover.
But anyway let's say we just rely on the browser check: what if it's a developer who's modified their browser settings? What if it's someone opening it from a personal phone? You could get rid of the URL rewriting and just ban users from using personal devices or modifying browser settings, but then you're going to war with senior executives who insist on keeping their work email on their personal phone. Almost all users don't even notice the URL rewriting, but it has prevented quite a lot of phishing attacks on personal devices that may otherwise have been successful. That's a pretty good trade-off for something that almost nobody notices is even happening.
Indeed, network TLS interception which would often have detected stuff in the past, but many corps have moved away from that now because as you point out, TLS interception is pretty crap. It breaks the increasing numbers of apps that use cert pinning, tends to be full of security flaws, and they don't work off-network unless you send all traffic to a central server or deploy it to every PoP, which is rare outside of megacorps, meaning internet experience is slow and flaky. Cisco Umbrella is a big suite with lots of other stuff too, but they do still push their TLS interception. MS advise not to use it, and the weight of opinion is shifting towards using URL protection built into the antimalware stack now, but unless we have full control over all clients accessing email, that doesn't eliminate the use case for URL rewriting.
In any case, this isn't something external we've bought in on top of the standard Microsoft 365 stack, it's part of Defender that Microsoft enable by default in their secure baseline. Going against vendor recommendations is opening yourself up to a big liability if it turns out something gets through that it would have caught.
> Corporate IT uses emails services that spoof domains and look suspicious
You'd be surprised how often vendors just directly email users without you ever having approved it or having been informed that they were going to send an email so you can pre-warn them. Again, Microsoft are one of the worst for doing this (e.g. sending emails from "User's Full Name <no-reply@sharepoint-online.com>"), but Google and Apple also do it.
> Say, they had a ransomware incident, and now they're buying every ransomware product for a few years. Stuff with such buggy kernel code that it deadlocks and makes it impossible to create new processes until you hard reboot.
Any company that is just stacking loads of conflicting antimalware products on each endpoint is clearly incompetent and not something I've seen, and I've seen some pretty shocking stuff.
There was obviously the Crowdstrike issue, but that wasn't as you describe, and as much as I'm not personally a fan of Crowdstrike, that was one major incident it caused, but you're not comparing to the counterfactual where these systems didn't exist and 0days can just spread across the network faster than an under-resourced IT dept can stop them.
I'm unusual in that I moved more into IT and cybersecurity stuff from dev, so you know, I do have sympathy for how shit this can be as a user and a developer. I have a lot of hot takes about the shitty state of technology today and how it trains the users to do dangerous things. But believe me when I say this: if there was a better way of doing it, I would be the first one adopting it. There isn't, though. At least not one open to those of us outside of Big Tech with the budget to essentially write their own security stack.
Developers are the exception here, where usually they'd prefer to develop on a machine with minimal BS running, even if it means carrying around an ultraportable in addition to their development workstation laptop.
So most of us carted around a work laptop (connected to corp WiFi) a personal laptop (on guest WiFi or tethered) a work phone and a personal phone.
In other news, you should never ever MDM enroll your personal phone with a work BYOD policy.
Except their system adds extra headers related to the phishing… Wonder if they even know…
Thus, I created an Outlook rule to automatically move them to a dedicated folder… (;->
Knowing what I know now about the IT staff and professors and knowing in hindsight only 3-4 of my CS classes were of any relevance to my work, I seriously regret not cheating my way through undergrad. I wish I could take back the time I wasted on Java and spend it with my N64.
This is a tool that takes any link and makes it look malicious. It works on the idea of a redirect. Much like https://tinyurl.com/ for example. Where tinyurl makes a URL shorter, this site makes it look malicious.
Place any link in the below input, press the button and get back a fishy (phishy, heh... get it?) looking link. The fishy link doesn't actually do anything, it will just redirect you to the original link you provided.
Not sure if they still do because i stay well clear of them.
Handles all the phishing concerns, except that participation was either low or the feedback was negative, which would lead to the leaders issuing subtle threats to the team about how they'd find out the involved folks and fire them. If you tried to uninstall it, it'd be back in a few hours through policy management software (jamf and its ilk). On the internal discussion forums, they'd nuke threads talking about how to disable that software.
So, in the end, people just started giving the best possible feedback regardless of the team or manager performance. I never really needed those threads, all I needed was tcpdump and then blocking its domain in the hosts file :)
This is getting off-topic, but I found it interesting so I'll include more details anyway.
In a lot of cases, all the fuss is to return amounts that are tiny, and yet the companies need to keep reaching out and trying to convince people. I got $0.06 (2) from my current employer. Because I've moved countries with them, I ended up falling in the category of needing to provide some bank/tax details. Of course, I wanted to log in with the silliest OS I could think of to test/mess with the tracking dashboard, and so somehow I managed to enter my DOB wrong, which even further increased the back-and-forward and emails involved (I was in the project, so the Payroll peeps involved probably didn't hold it against me).
The re-calculation which led to the payment actually worked out that I had been underpaid in some calculations, but overpaid by far more (although still very, very little) in others. The company believed they couldn't offset, so all the fuss was for a tiny amount, which I felt I really wasn't owed anyway. Also unfortunate was that if any former employee didn't bother to claim the amount because it's so small it's not worth the fuss, it just leads to more work in follow-ups.
New Zealand Holidays Act is quite an interesting area in general, in a how-can-it-possibly-be-this-hard kind of way. I think it contributes to the reputation of NZ payroll being one of the trickiest in the world.
1) https://thespinoff.co.nz/business/27-06-2019/cheat-sheet-wha...
Sounds like something a phisher would do. Better not click.
My company does this too by the way. Usually for external things like surveys they send a pre-email.
Ah yes, it's like a country having "democratic republic" in its name - if you have to say it, it's probably not true.
If anyone complains, refer them to the security department to be audited. It's really rather suspicious when someone values doing their job above security.
My current employer was somewhat recently purchased by a large, publicly-traded company and I had this installed on my work machine. Suddenly DoH was forced off by administrator policy and I had to use some specific internal IP for DNS. Which isn't strictly less secure but let's just say I would, even for my large, publicly-traded business, trust Mullvad more than Cisco.
I want to live in this fantasy world!
(Our IT dept is so overworked that I go out of my way to work around them purely out of empathy.)
I'm a European and have never needed to use nor encountered those services.
They train people not to click links and then someone in management is fucking stupid enough to pull "just send an email with a link" kind of crap instead of properly planning the communication in advance by telling people that there will be a survey, what will be the company that is sending it, when they should expect it - but that's just "too much work".
I would fire that kind of clown ass on the spot for not doing their job.
There should be a white hat phishing service you can hire to target your elders. Then when they give up their social security number, someone shows up at their door with a big cake with all their personal details in frosting.
Not sure if that's really a safe links problem, but it's super annoying.
also ProofPoint filtered links
Never going to know what reaction I'm going to get.
Can you give some examples?
That seems to be the best possible strategy for any feedback you have to give as a captive audience?
Reminds me of the feedback German companies are forced to give about their employees. It's like a formal letter of reference, but you can and will be sued if you say anything negative. Consequences are as you would expect.
And because there has been an inflation in how complimentary these letters are, people started suing when their letter wasn't flowery enough, because that somehow could be read as an implicit criticism. (Just like how A is a bad mark, when everyone else gets A+.)
I presume you're referring to "Amazon Connections"?
Had to be the most-hated bit of corporate enforcedware around. Every Linux laptop user had a different hack for hobbling or removing it.
Greetings from AWS,
We recently notified you about upcoming changes to AWS invoice emails (subject “Important – AWS Invoice e-mail address changes”). Based on customer feedback, we are reviewing this change to determine a better customer experience. The email you receive your AWS invoices from will not change on 09/18/2025, as originally communicated, and you will continue to receive all AWS invoices from the usual email address.
Sincerely, The Amazon Web Services Team
Usually use company-i-buy-from@mydomain.ninja whenever I make online purchases, and I had a guy from a small shop call me up and ask why I had an email with his company name on. Took a good fifteen minutes to explain to him that I was legit and owned the domain. He was still reluctant in the end, but eventually ended the conversation with something along the lines of "it's your problem, not mine, if the parcel won't reach you for using a fake email" :)
I didn't have the guts to tell my family about goatse.
Not great when you're on the phone with United Airlines and the person who's trying to help you get un-stranded asks what your favorite ice cream flavor is.
United has the absolute stupidest secret questions.
my high school mascot? fish-car-base-picture((#$#$&#*4303483
then to ${my_initials}${random_few_digits}@${my_domain} to be able to hand out pre-generated email addresses of mine even offline, and bookkeep who has got which random number at my side internally.
this raised the least eyebrows so far.
Also when you're snooping on a conversation between myself or one of my servers and one of your employees you are impersonating me and intercepting my communications too! I did not sign your AUP to agree to this. Also if I happen to be in a two-party consent state at the time, and you're intercepting a VoIP call/Teams/Zoom with me, that's a crime.
The vast majority of security controls are designed for the careless and the clueless.
https://mammon.typepad.com/root_of_all_evil/2007/06/goatse_l...
As I am still alive, it is still my day. Need I make myself clearer?
It is, but at that point why even have that bureaucratic process that achieves exactly nothing?
Of course, I understand that being able to pat yourself on the back and concluding with statements like "Leadership is truly connected with its employees, keeping in touch every day through questions about improving the workplace. Our surveys show 99% of our employees are very satisfied with their team, their work, and work-life balance" is "valuable", I guess, I just feel very sad about humanity.
You got a source for this folktale?
Again, YMMV.
It is the former employees for up to 15 years that make the contacting step difficult. They all need to provide bank/tax details.
There are also some current employees who still have to provide details before they can be paid. The company I work for has a lot of people moving countries, and therefore tax jurisdictions. In addition, some employers decided it was worth asking if employees were prepared to voluntarily allow offsetting between the overpayments and the underpayments, as in some cases those were quite large.
I can understand not wanting to give large amounts of money where it effectively would just balance out, especially after spending staggering amounts on the recalculation itself. There are government departments that have been working on it for years (or perhaps worse, and paying consulting companies to work on it).
Edit: I should have said, I did see companies rounding all amounts up to some small amount, like $1, so your suggestion is good. It just doesn't save effort on recalculation, or much effort in getting people to dig the email out of their trash folder and provide their information to receive their $1.
I'm not sure how many companies that would happen at, but it seems... just dumb enough to be plausible.
That said I've caught and blacklisted quite a few bad actors this way, AND filtering is easier. So worth the occasional weird interaction.
I know teachers that make $50k and no pension, with others making $93k, halfway to their pension at 35yrs old, get almost 12 weeks off total a year, and work from 8am to 3pm (1 hour lunch, 1 hour for 'prep' aka Netflix) and home by 3:35, and no, they basically never do any work at home. She technically has students (10 year olds she sends links to for their chrome books) about 5x53 minutes a day.
Whats funny though is that if you click the link in a phishing test, they will e-mail you to complete the training. But there is no enforcement (general management doesn't care), so you just get a daily e-mail telling you that you are overdue. It also however stops them from sending the fake phishing emails. So a bunch of us clicked the phishing link, marked the "do your training" e-mail as spam, and now never get bothered.
I did this for a decade and decided it wasn't worth it, nor the plus in gmail addresses.
It was a ton of effort remembering which address I used (I have multiple domains, too, oh joy).
I would end up with multiple accounts on websites, and support calls were super painful.
Eventually I switched providers and realized that in all that time I literally never found any "smoking gun" of a company selling my info.
And the plus email addresses were super useless because spammers know they can just strip out the bit after the plus. Duh.
In fact, my "real" email address that kept super secret and never ever ever gave to anyone except real in-the-flesh human friends (and thus never got any real email to, lol) was by far and away the most compromised email address. Stratospherically compromised.
same! A long time ago I registered an adobe account with the email "<username>+fsck_adobe@gmail.com"
Adobe then got hacked and their account database leaked. Later I got a personalized spam email for a dating site sent to the same +fsck_adobe@gmail email. I complained, and they claimed innocence, saying they got the email from some sort of contact lead service. I then got in touch with that contact lead service's CEO, and of course he had "no idea" how that email got in there. I'm sure they knew very well how it got in there, and after I reported it, they just removed everything after a "+" on @gmail.com emails...
Also, the last one I took they talked about phishing using a malicious Google docs link IIRC.
Anecdotes don't mean you know everything about a system.
If I need to link my accounts and these services are the only choice then I change my banking passwords immediately after.
I think Bankin' used to before PSD2 and to get a bit more information from some banks, but then again Bankin' is a financial aggregator whose explicit purpose is crawling your banking data, so it's not too surprising to see them asking for your credentials.
"Connecting" savings accounts from EQ Bank or Wealthsimple to an account at TD Bank requires providing TD credentials to Flinks.
Most of the time you did not see it, as it's obfuscated as a part of the transaction.
They are also the companies complaining a lot about the "failure" of the PSD standards since it limits how much and how obfuscated they can scrape everything (and there are records).
The other reason I hypothesise is that corporate big brother snooping systems that have whitelists for their trusted services – with entries like mail.google.com or calendar.google.com – are simply too painful at this point for big tech to break for their customers by dropping the .com suffix, so big tech doesn’t bother.
No hard data on any of that, though.
OTOH, there were probably a lot of places already violating the "ends with @<company>.com" rule, e.g. by using subdomains, or even other domains. So very little of the online population was likely using the rule. And with email spoofing, even "ends with @<company>.com" can't be relied on to ensure the email is legit. So the rule of "don't click links in emails" is the only foolproof rule. Though you also need to add "don't copy and paste things from emails".
I could imagine something like x-mucrosoft.email etc. being used and the users would just be like well there was email.microsoft so same thing!
It is a very good question that you should never bring up as captive audience.
Well, I was talking about the best strategy from the captive audience's point of view. You are now asking about the strategy for the captor.
Going a bit beyond: getting honest feedback out of subordinates is a hard problem! Both formally and informally. That was always a big concern on my mind as a manager.
You usually need the reference letter to be reviewed by the works council or by an employment lawyer.
This code is known by people in the HR and hiring departments. It's a very weird praxis. I have to explain this to my non-German colleagues because for them even a mark F letter sounds awesome ;)
I have written all my recommendation letters myself. The employers just put their letter head and sign it.
There's a difference in saying "Yes I confirm person X worked here, he did a good job on all the tasks that we have asked him to do" vs "Yes, he was amazing at his job, he was proactive and really drove innovation, we are sad to see him leave"
> It is the former employees for up to 15 years that make the contacting step difficult. They all need to provide bank/tax details.
Give people 30 dollars extra on their way out, and only contact them when you used up that budget? (Should take care of the majority of cases?)
> Edit: I should have said, I did see companies rounding all amounts up to some small amount, like $1, so your suggestion is good. It just doesn't save effort on recalculation, or much effort in getting people to dig the email out of their trash folder and provide their information to receive their $1.
Oh, my suggestion was to do the calculation, as arduously as you describe, compare with what you already overpaid earlier voluntarily, and if the company is still in the green, then don't bother contacting anyone.
Or is that not possible?
* https://jdebp.uk/FGA/html-message-myths-dispelled.html#MythA...
Some markets are pretty much exclusively compliant - I don't think there are any Nordic banks that don't have fully PSD2 compliant APIs for example whereas, if I remember rightly, the Spanish banks were all over the place. I'm fairly out of date though, so things may have improved or exceptions for scraping expired.
¹ Note that I'm talking exclusively about banking integrations here, not AI nonsense.
> So the rule of "don't click links in emails" is the only foolproof rule.
The only truly foolproof rule is "don't open emails". Also helps a lot on mental health and associated expenditures!
Don't do it with a group which isn't large enough though, you'll all get fired for unionizing^W no reason.
The German situation is especially unhinged. See https://de.wikipedia.org/wiki/Arbeitszeugnis (ask Google Translate for help, if necessary).
Ah, I see. We should allow HTML but display it as plain text.
The aspiring career schoolteachers will just have to find a job in a field that is short-staffed, like registered nurses or one of the trades. I'm sure that comes across as "let them eat cake" to some Bernie moron, but going back to school for 6 months is small potatoes, and doing a little market research before making big financial decisions like choosing your college major in the first place is basic adult responsibility.
If we apply the "lump of labor" fallacy everywhere else honestly and consistently, we would have to be opposed to immigration and trade because "those damn foreigners" went and "took er jerbs".
https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRtkJaZ...
(I worked for a Plaid competitor. The long-term goal for all similar companies is of course to use OAuth and APIs, because it breaks less often; but since the banks don't offer that, scraping it is!)
Instead, they authenticate using a common auth service (say, auth.google), which by virtue of being a single domain can persist shared cookies for all its consumers. This would yield a valid token (possibly a JWT) that the authenticating application can then use however it would like, including as a cookie on the application's own domain.
Whenever you go to a service that temporarily sends you to a different login domain (often just immediately redirecting you back), this is why.
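The flow described above (a central auth domain checking its own shared session cookie, handing a signed token back to the application, and the application then setting a cookie on its own domain), as an added example that is not part of the original comment. The hosts auth.example and app.example, the shared HMAC secret and the session table are all constructed for illustration; a real deployment would use asymmetric keys and a proper JWT library.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed for this example: secret shared by the auth service and the app.
AUTH_SECRET = b"example-shared-secret"
# Constructed session table living on the auth domain (cookie value -> user).
AUTH_SESSIONS = {"sess-42": "alice"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def auth_service_login(auth_cookies: dict, return_to: str, now: int) -> str:
    """auth.example side: the shared cookie on the auth domain identifies the
    user, so no password prompt is needed; redirect back with a signed token."""
    user = AUTH_SESSIONS.get(auth_cookies.get("sid", ""))
    if user is None:
        raise PermissionError("no session on auth domain; show login page")
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "aud": urlparse(return_to).hostname, "exp": now + 300}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(AUTH_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    token = f"{header}.{payload}.{_b64url(sig)}"
    return f"{return_to}?{urlencode({'token': token})}"

def app_callback(redirect_url: str, app_host: str, now: int) -> dict:
    """app.example side: verify signature, audience and expiry, then issue the
    application's own cookie, scoped to the application's own domain."""
    token = parse_qs(urlparse(redirect_url).query)["token"][0]
    header, payload, sig = token.split(".")
    expected = hmac.new(AUTH_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad token signature")
    claims = json.loads(_b64url_decode(payload))
    # Audience check stops a token minted for one app being replayed at another.
    if claims["aud"] != app_host or claims["exp"] < now:
        raise PermissionError("token not for this app or expired")
    cookie = f"app_session={claims['sub']}; Domain={app_host}; Secure; HttpOnly"
    return {"Set-Cookie": cookie}
```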
- grade D, poor performance: "We were satisfied with his performance"
- grade C, meh: "We were entirely satisfied with his performance"
- true grade A+: "We were always satisfied to the utmost degree with his performance" plus highly positive and extensive in the rest of the reference letter.
- "was sociable": alcoholic
- "was always striving for a good relationship with colleagues": was gossiping instead of working
- "sociability was appreciated": had sex with colleague
- "was very empathic": had sex with customer
(Writing your passwords down on paper is actually less crazy than it sounds:
It's impossible to hack paper from the internet. And, if someone has physical access to your stuff, they could install a keylogger anyway.)
I created a separate Chrome profile, and logged in to gmail. Then I disabled javascript, then deleted all my google.com cookies (but left my mail.google.com cookies). Then I re-enabled javascript and visited mail.google.com again. I was logged out. So Google is using the google.com cookies.
You'll definitely want to memorize the password to the backup service that has the last copy of your password vault after a disaster. :P
> Writing your passwords down on paper is actually less crazy than it sounds
I agree that physical security can be incredibly useful against a lot of modern threats... but we can do better. I wish there was a dedicated password-keeper device format of:
* A small keyboard and screen
* The data encrypted at rest by one master password
* Only permits upload/download of the encrypted file over USB. With some companion software, you just plug it into your computer, the computer copies the encrypted file to somewhere on disk that gets regularly backed up, then disconnects and beeps to tell you it's done.
* Sturdy enough that any "Evil Maid" attack needs to be done by a professional rather than a conniving roommate or jilted partner.
* Tracks history of entries, last-changed, etc.
But at least the answer doesn't match the question.
I've also learned to store the question, as some websites make you select the question before providing the answer. And my answers don't allude to what the original question was.
The only people who care about HTML mails are scammers and marketing.
I usually pick the first or default question. But yeah, that order might change.
This would be very funny to see on an Arbeitszeugnis for a prostitute. Remember prostitution is legal in Germany.
Why? Write it down. Perhaps leave multiple paper copies around with some trusted people, like your lawyer and a safe deposit box at your bank.
Your proposed device seems a bit complicated. You can get pretty far with a piece of paper and this protocol:
Construct your password from two parts. (1) random gibberish you write down on paper, (2) a 'correct horse battery staple'-style part that you memorise.
Btw, have you looked into Yubikeys? They are better than password storage, because they can store your private keys and do signing with them. The key never leaves the device. (They can also store passwords, I think.)
Those people would then effectively have access to your nearly-current desktop/laptop data from anywhere, especially since they would have to know who you are which greatly simplifies guessing your username/email.
> You can get pretty far with a piece of paper
Password Papers (A) never get backed-up, meaning they'll be locked out of basically everything if the house burns down and (B) I've already tried getting relatives using them to adopt exactly such a fixed+variable combo scheme.
Why from anywhere?