
Re: chromebook


Greg Wooledge

Jul 9, 2019, 1:00:03 PM
On Tue, Jul 09, 2019 at 06:48:22PM +0200, mjonss...@gmail.com wrote:
> <html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--

Please post only text, not HTML. If your email agent *cannot* do plain
text alone, at least configure it to send both plain text and HTML. Or,
y'know, get a better email agent.

Dan Purgert

Jul 9, 2019, 8:20:04 PM
Greg Wooledge wrote:
> On Tue, Jul 09, 2019 at 06:48:22PM +0200, mjonss...@gmail.com wrote:
>> <html xmlns:o="urn:schemas-microsoft-com:office:office"
>> xmlns:w="urn:schemas-microsoft-com:office:word"
>
> Please post only text, not HTML. If your email agent *cannot* do plain
> text alone, at least configure it to send both plain text and HTML. Or,
> y'know, get a better email agent

It's like he attempted to send a word doc as mail.

Great lord cthulhu, is that what the latest iteration of outlook does?!



--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281

John Crawley

Jul 9, 2019, 9:40:04 PM
Of course text messages are best (and what I use all the time) but
surely a decent mail agent on the receiver's end will display that OK?
On Thunderbird the OP was perfectly readable, and I had no idea it
wasn't plain text till I checked the source.

--
John

Andrei POPESCU

Jul 10, 2019, 12:30:04 AM
1. As far as I know html e-mail is not standardized.

This means that one's messages might look entirely different at the
receiver's end to what the sender intended.

Computer output needed to diagnose problems is best sent unchanged.
Good luck in figuring out how to do this in a html message.

Bonus points for e-mail clients trying to apply the same formatting
to the text part as well, making it less readable.

2. Some (many?) of us are reading messages on text-only clients.

This may be for objective or subjective reasons, but it's probably
quite common here.

Sure, there are ways to display html content, but see 1.

3. The html (part) can add significant overhead.

It's not a major issue for the few messages usually currently sent to
the list, but if all posters would be using html it could have a
significant impact for readers on a data cap.


Hope this explains,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser

Reco

Jul 10, 2019, 2:40:03 AM
Hi.

On Wed, Jul 10, 2019 at 10:35:33AM +0900, John Crawley wrote:
> On 2019-07-10 01:52, Greg Wooledge wrote:
> > On Tue, Jul 09, 2019 at 06:48:22PM +0200, mjonss...@gmail.com wrote:
> > > <html xmlns:o="urn:schemas-microsoft-com:office:office"
> > > xmlns:w="urn:schemas-microsoft-com:office:word"
> > > xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"
> > > xmlns="http://www.w3.org/TR/REC-html40"><head><meta
> > > http-equiv=Content-Type content="text/html; charset=utf-8"><meta
> > > name=Generator content="Microsoft Word 15 (filtered
> > > medium)"><style><!--
> >
> > Please post only text, not HTML. If your email agent *cannot* do plain
> > text alone, at least configure it to send both plain text and HTML. Or,
> > y'know, get a better email agent.
> >
> Of course text messages are best (and what I use all the time) but
> surely a decent mail agent on the receiver's end will display that OK?

A subverted XHTML produced by Microsoft Word? You're joking, right?
It will display *somehow*, that's for sure. But to display it as
"intended" you'll need something from M$.

> On Thunderbird the OP was perfectly readable, and I had no idea it
> wasn't plain text till I checked the source.

It was readable in my mutt too. Still does not make it right.

Reco

Joe

Jul 10, 2019, 3:20:04 AM
On Wed, 10 Jul 2019 07:21:39 +0300
Andrei POPESCU <andreim...@gmail.com> wrote:


> 2. Some (many?) of us are reading messages on text-only clients.
>
> This may be for objective or subjective reasons, but it's probably
> quite common here.
>
> Sure, there are ways to display html content, but see 1.
>
> 3. The html (part) can add significant overhead.
>
> It's not a major issue for the few messages usually currently sent
> to the list, but if all posters would be using html it could have a
> significant impact for readers on a data cap.

Yes. The large majority of most HTML, on the web or in emails, is
formatting stuff. It's often difficult to actually spot the two or
three lines of text in half a dozen pages of font instructions and
special display tweaks for different browsers and mobiles.

I use Claws, which can do HTML but never does here.

--
Joe

to...@tuxteam.de

Jul 10, 2019, 3:30:04 AM
4. html viewers are known for being exploitable in many and
surprising ways.

Complexity gotta give, somewhere.

Some folks (go figure!) don't like the idea of their mail
user agents being exploitable.

Cheers
-- t

Greg Wooledge

Jul 10, 2019, 9:10:04 AM
Your mutt must be configured very differently than mine. All I saw
was the raw HTML.

Reco

Jul 10, 2019, 10:10:04 AM
A relevant snippet from .muttrc:

alternative_order text/plain text/html
unauto_view *
auto_view = text/html

An appropriate entry at .mailcap:

text/html; /usr/bin/w3m -dump -o display_link_number=true -I %{charset} -T text/html '%s'; copiousoutput; description=HTML Text; %nametemplate=%s.html; needsterminal; priority=1


Literally all it takes. As a bonus, sender's HTML is converted to a
plain text on reply.

Reco

Andrei POPESCU

Jul 10, 2019, 4:00:03 PM
On Mi, 10 iul 19, 09:25:02, to...@tuxteam.de wrote:
>
> 4. html viewers are known for being exploitable in many and
> surprising ways.

Thanks, forgot about that one.

A recent example:
https://efail.de/

In the 'Responsible Disclosure' section there is nice coloured table
with popular clients. Note the green for mutt and Claws Mail ;)

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser

Kenneth Parker

Jul 10, 2019, 10:40:04 PM
As a Gmail User, but with a corporate (Universe?) email address (sea7...@eyeblinkuniverse.com), running on a hosted Ubuntu 16.04.6 Server with Exim4 4.86.2 running its Mail.  I administer it via ssh, and get email via alpine 2.20.  I used to use that corporate email for my technical email lists, until Gmail started putting MY OWN email into my Spam Folder.  I just tried it now.  Google's Error message:  "Why is this message in spam?  It is in violation of Google's recommended sender guidelines",  So now, Google is running the Internet?  Those Universe emails were DEFINITELY text only!  

I'm sorry to say:  This issue is bigger than a Bread Basket!

That said, I also would be interested in Booting a USB Stick on a Chromebook.

Please give me feedback:  How badly did Gmail mangle my text?  Thanks!

Kenneth Parker

P.S.  Just for Grins, I'm going to enroll sea7...@eyeblinkuniverse.com into the Debian Users list so I can participate in this text/html/Microsoft Word issue.

John Crawley

Jul 10, 2019, 11:50:04 PM
On 2019-07-10 15:31, Reco wrote:
> On Wed, Jul 10, 2019 at 10:35:33AM +0900, John Crawley wrote:
>> On 2019-07-10 01:52, Greg Wooledge wrote:
>>> On Tue, Jul 09, 2019 at 06:48:22PM +0200, mjonss...@gmail.com wrote:
>>>> <html xmlns:o="urn:schemas-microsoft-com:office:office"
>>>
>>> Please post only text, not HTML. If your email agent *cannot* do plain
>>> text alone, at least configure it to send both plain text and HTML. Or,
>>> y'know, get a better email agent.
>>>
>> Of course text messages are best (and what I use all the time) but
>> surely a decent mail agent on the receiver's end will display that OK?
>
> A subverted XHTML produced by Microsoft Word? You're joking, right?
> It will display *somehow*, that's for sure. But to display it as
> "intended" you'll need something from M$.

Well, just to display the text, without the html tags is not that hard.
As to how it was "intended" to be, who knows?

>> On Thunderbird the OP was perfectly readable, and I had no idea it
>> wasn't plain text till I checked the source.
>
> It was readable in my mutt too. Still does not make it right.

I was never trying to claim that it was OK to send messages as html - I
always use plain text myself - but I thought there might be something to
be said for user agents that could deal with html in some sane way, and
without exposing the recipient to attacks. Simply not following any web
links would be enough I'd have thought? Or are there some more subtle
attack paths?

As you've pointed out, mutt does OK. If all the posters to debian-user
refrained from including html in their messages, it would not remove the
need for MUAs to cope with it.

--
John

Andrei POPESCU

Jul 11, 2019, 2:30:05 AM
On Jo, 11 iul 19, 12:31:07, John Crawley wrote:
>
> I was never trying to claim that it was OK to send messages as html - I
> always use plain text myself - but I thought there might be something to be
> said for user agents that could deal with html in some sane way, and without
> exposing the recipient to attacks. Simply not following any web links would
> be enough I'd have thought? Or are there some more subtle attack paths?

Yes, look up the EFAIL vulnerability (I posted a link in another
message). It enabled a potential attacker to trick e-mail clients
parsing html e-mail to decrypt an (old) encrypted message.

In most cases users only had to open the message.

John Crawley

Jul 11, 2019, 3:00:04 AM
On 2019-07-11 15:25, Andrei POPESCU wrote:
> On Jo, 11 iul 19, 12:31:07, John Crawley wrote:
>> ...user agents that could deal with html in some sane way, and without
>> exposing the recipient to attacks. Simply not following any web links would
>> be enough I'd have thought? Or are there some more subtle attack paths?
>
> Yes, look up the EFAIL vulnerability (I posted a link in another
> message). It enabled a potential attacker to trick e-mail clients
> parsing html e-mail to decrypt an (old) encrypted message.
>
> In most cases users only had to open the message.
Since enforcing no-html, and particularly no-malevolent-html on all
incoming mail is not an option available to us, the only remaining
choices for a "good" MUA would then be:
A) Display html as-is, tags and all
B) Strip out the tags and display what's left, like html2text

I think B) is the better option.

--
John
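
Option B from the message above (strip the tags and show what is left), as an added example that is not part of the original thread: it prefers the text/plain part when there is one, otherwise reduces the HTML part to text without fetching anything, and lists the URLs the markup names so you can see which ones a rendering client would request just by displaying the mail. The sample message, its addresses and the function names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

SKIP_TAGS = {"style", "script", "title"}   # their content is never shown
BLOCK_TAGS = {"p", "div", "br", "tr", "li", "h1", "h2", "h3", "blockquote"}
# Attributes a rendering client resolves by itself when the mail is displayed.
AUTO_ATTRS = {"src", "srcset", "background", "poster", "data"}
# Attributes that name a URL but normally need a click or a form submit.
CLICK_ATTRS = {"href", "action"}


class TextOnly(HTMLParser):
    """Collect visible text and record URL-bearing attributes; fetch nothing."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []
        self.references = []      # (tag, attribute, url) in document order
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self._skip_depth += 1
        if tag in BLOCK_TAGS:
            self.chunks.append("\n")
        for name, value in attrs:
            if value and name in AUTO_ATTRS | CLICK_ATTRS:
                self.references.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS and self._skip_depth:
            self._skip_depth -= 1
        if tag in BLOCK_TAGS:
            self.chunks.append("\n")

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def render_as_text(raw_bytes):
    """Return (text, references) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return "", []
    content = part.get_content()
    if part.get_content_type() == "text/plain":
        return content.strip(), []
    parser = TextOnly()
    parser.feed(content)
    parser.close()
    lines = (" ".join(l.split()) for l in "".join(parser.chunks).splitlines())
    return "\n".join(l for l in lines if l), parser.references


def loads_on_display(references):
    """References a rendering client would request without any user action."""
    return [r for r in references
            if r[1] in AUTO_ATTRS or (r[0] == "link" and r[1] == "href")]


# Constructed sample: an HTML-only mail in the style quoted in this thread.
SAMPLE = b"""\
From: sender@example.org
To: list@example.org
Subject: chromebook
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><head><meta name=Generator content="Microsoft Word 15 (filtered medium)">
<style><!-- p.MsoNormal {margin:0cm; font-size:11.0pt;} --></style></head>
<body><p class=MsoNormal>Can I boot Debian from a USB stick on a Chromebook?</p>
<p class=MsoNormal>See <a href="https://example.org/notes">my notes</a>.
<img src="http://img.example.net/open.gif?id=42" width=1 height=1></p>
</body></html>
"""

if __name__ == "__main__":
    text, refs = render_as_text(SAMPLE)
    print(text)
    for tag, attr, url in loads_on_display(refs):
        print(f"would be requested on display: <{tag} {attr}> {url}")
```
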

Gene Heskett

Jul 11, 2019, 3:20:04 AM
The TDE version of kmail will show a blank message window if there is no
plain text content, but will show a click here to see the html. I rather
like it that way, but spammy crap gets fed to sa-learn spam w/o a reply.

Works for me.

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>

Andrei POPESCU

Jul 11, 2019, 3:20:04 AM
C) Treat *all* message parts as potentially harmful, not just some
attachments. If additional parsing is needed (check signature, parse
html, etc.) do so in a safe way.

Of course, this is not easy to do, especially if you insist on parsing
all the bells and whistles in the html/css, which is probably why so
many clients were vulnerable.

to...@tuxteam.de

Jul 11, 2019, 4:10:03 AM
On Thu, Jul 11, 2019 at 10:10:16AM +0300, Andrei POPESCU wrote:
> On Jo, 11 iul 19, 15:52:56, John Crawley wrote:

[...]

> > A) Display html as-is, tags and all
> > B) Strip out the tags and display what's left, like html2text
> >
> > I think B) is the better option.
>
> C) Treat *all* message parts as potentially harmful, not just some
> attachments. If additional parsing is needed (check signature, parse
> html, etc.) do so in a safe way.

D) Show the HTML /as is/, literally, as if it were text. I know it's
hard on the receiver, but then, at least, there's someone motivated
enough to yell at the sender to fix his/her MUA.

Don't hide problems. They'll bite you in your behind.

Cheers
-- t

to...@tuxteam.de

Jul 11, 2019, 4:30:04 AM
On Wed, Jul 10, 2019 at 10:33:58PM -0400, Kenneth Parker wrote:
> On Tue, Jul 9, 2019 at 12:52 PM Greg Wooledge <woo...@eeg.ccf.org> wrote:
>
> > On Tue, Jul 09, 2019 at 06:48:22PM +0200, mjonss...@gmail.com wrote:
> > > <html xmlns:o="urn:schemas-microsoft-com:office:office"
> > xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="
> > http://schemas.microsoft.com/office/2004/12/omml" xmlns="
> > http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type
> > content="text/html; charset=utf-8"><meta name=Generator content="Microsoft
> > Word 15 (filtered medium)"><style><!--
> >
> > Please post only text, not HTML. If your email agent *cannot* do plain
> > text alone, at least configure it to send both plain text and HTML. Or,
> > y'know, get a better email agent.
> >
>
> As a Gmail User, but with a corporate (Universe?) email address (
> sea7...@eyeblinkuniverse.com), running on a hosted Ubuntu 16.04.6 Server
> with Exim4 4.86.2 running its Mail. I administer it via ssh, and get email
> via alpine 2.20. I used to use that corporate email for my technical email
> lists, until Gmail started putting MY OWN email into my Spam Folder. I
> just tried it now. Google's Error message: "Why is this message in spam?
> It is in violation of Google's recommended sender guidelines", So now,
> Google is running the Internet? Those Universe emails were DEFINITELY text
> only!

Most probably you'll have to implement SPF and/or DKIM [1, 2]

I manage my own mail server. Because I Want To Know (TM).

As this was happening to me more and more (people "on" some variant of
googlemail, or hotmail/outlook/some other Microsoft mail thingy, etc.
not receiving my mails -- and digging further yes, receiving them in
their spam folders and thus not seeing them), I bit the bullet and
went for SPF/DKIM (I hadn't the guts for DMARC yet, I don't particularly
like that one).

I think bigcorps love that, because they hate the decentralized nature
of mail. Spam pressure plus measures making the life of small mail
providers help centralization.

And this spam folder thingy was too tasty to pass on: SMTP RFCs
force you to either deliver a mail or bounce it [3]. Since bouncing
has become unattractive (cf. backscatter spam), the temptation to
silently drop things was high, but not permitted by RFC. Ha! Deliver
to a spam folder and tell the users that it is EXTREMELY DANGEROUS to
"open" a spam mail, heck, it's even dangerous to sneeze in the general
direction of your spam folder [4] -- Tada! "no, we don't drop any mail,
missus, we deliver it. It's the user who's doing that".

This is what I call Emergent Evil. I don't think there's a single
person out there scheming out those things, but a corporation as
a whole does come up with that kind of perverse behaviour.

Of course, most of the spam I receive these days (I do look into
my spam from time to time :-) has correct SPF and DKIM records :-/

Cheers

[1] https://en.wikipedia.org/wiki/Sender_Policy_Framework
[2] https://en.wikipedia.org/wiki/DKIM
[3] There's also reject at the DATA phase, which is quite attractive
for smaller sites.
[4] Of course, if your MUA "opens" HTML mails and Word attachments...

-- tomás

Reco

Jul 11, 2019, 4:40:04 AM
Hi.

On Thu, Jul 11, 2019 at 10:22:40AM +0200, to...@tuxteam.de wrote:
> On Wed, Jul 10, 2019 at 10:33:58PM -0400, Kenneth Parker wrote:
> > On Tue, Jul 9, 2019 at 12:52 PM Greg Wooledge <woo...@eeg.ccf.org> wrote:
> >
> > > On Tue, Jul 09, 2019 at 06:48:22PM +0200, mjonss...@gmail.com wrote:
> > > > <html xmlns:o="urn:schemas-microsoft-com:office:office"
> > > xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="
> > > http://schemas.microsoft.com/office/2004/12/omml" xmlns="
> > > http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type
> > > content="text/html; charset=utf-8"><meta name=Generator content="Microsoft
> > > Word 15 (filtered medium)"><style><!--
> > >
> > > Please post only text, not HTML. If your email agent *cannot* do plain
> > > text alone, at least configure it to send both plain text and HTML. Or,
> > > y'know, get a better email agent.
> > >
> >
> > As a Gmail User, but with a corporate (Universe?) email address (
> > sea7...@eyeblinkuniverse.com), running on a hosted Ubuntu 16.04.6 Server
> > with Exim4 4.86.2 running its Mail. I administer it via ssh, and get email
> > via alpine 2.20. I used to use that corporate email for my technical email
> > lists, until Gmail started putting MY OWN email into my Spam Folder. I
> > just tried it now. Google's Error message: "Why is this message in spam?
> > It is in violation of Google's recommended sender guidelines", So now,
> > Google is running the Internet? Those Universe emails were DEFINITELY text
> > only!
>
> Most probably you'll have to implement SPF and/or DKIM [1, 2]

Both, and a DMARC too. Also, valid PTR records. While not required by
any RFC, valid PTRs are considered mandatory by some big players like
GMail.


> As this was happening to me more and more (people "on" some variant of
> googlemail, or hotmail/outlook/some other Microsoft mail thingy, etc.
> not receiving my mails -- and digging further yes, receiving them in
> their spam folders and thus not seeing them), I bit the bullet and
> went for SPF/DKIM (I hadn't the guts for DMARC yet, I don't particularly
> like that one).

DKIM is very straightforward. There are some "gotchas" if you're sending
mails to the maillists - some maillists just love to modify arbitrary
e-mail headers, which leads to failed DKIM checks - but they can be
solved.

Reco
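
One way to check what the receiving side concluded about SPF, DKIM and DMARC for a test message, as an added example that is not part of the original thread: it reads the Authentication-Results header (RFC 8601) and only trusts the copy written by your own receiving server, since any other copy may have been supplied by the sender. The sample messages, host names and function names are constructed for illustration; quoted property values containing semicolons are not handled.

```python
import re
from email import message_from_string, policy

COMMENT = re.compile(r"\([^()]*\)")      # one level of RFC 5322 comment
REQUIRED = ("spf", "dkim", "dmarc")


def parse_authentication_results(header_value):
    """Split one header value into (authserv_id, [result dicts])."""
    value = header_value
    while COMMENT.search(value):         # repeat so nested comments go too
        value = COMMENT.sub(" ", value)
    fields = [f.strip() for f in value.split(";")]
    head = fields[0].split()
    authserv_id = head[0] if head else ""
    results = []
    for field in fields[1:]:
        tokens = field.split()
        if not tokens or "=" not in tokens[0]:
            continue                     # e.g. the bare "none" form
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method.lower(),
                        "result": result.lower(),
                        "props": props})
    return authserv_id, results


def sender_auth_report(raw_message, trusted_authserv_id):
    """Map spf/dkim/dmarc to the verdict recorded by the trusted receiver."""
    msg = message_from_string(raw_message, policy=policy.default)
    report = {method: "absent" for method in REQUIRED}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(str(value))
        if authserv_id.lower() != trusted_authserv_id.lower():
            continue                     # not written by our own server
        for r in results:
            # Several DKIM signatures may be reported; one pass is enough.
            if r["method"] in report and report[r["method"]] != "pass":
                report[r["method"]] = r["result"]
    return report


def needs_attention(report):
    """Mechanisms that did not pass, in the order SPF, DKIM, DMARC."""
    return [method for method in REQUIRED if report[method] != "pass"]


# Constructed sample 1: a server that publishes no SPF record and does not
# sign. The second header was not added by mx.receiver.example and is ignored.
SAMPLE_UNAUTHENTICATED = """\
Authentication-Results: mx.receiver.example;
 spf=none (no SPF record for sender.example) smtp.mailfrom=user@sender.example
Authentication-Results: other.example; spf=pass; dkim=pass; dmarc=pass
From: user@sender.example
Subject: test

text only
"""

# Constructed sample 2: a signed message relayed by a mailing list that
# altered it, the DKIM gotcha mentioned in the message above.
SAMPLE_VIA_LIST = """\
Authentication-Results: mx.receiver.example;
 dkim=fail header.i=@sender.example header.s=mail;
 spf=pass smtp.mailfrom=bounces@lists.example;
 dmarc=fail (p=NONE) header.from=sender.example
From: user@sender.example
Subject: test via list

text only
"""

if __name__ == "__main__":
    for name, raw in (("direct", SAMPLE_UNAUTHENTICATED),
                      ("via list", SAMPLE_VIA_LIST)):
        report = sender_auth_report(raw, "mx.receiver.example")
        print(name, report, "->", needs_attention(report))
```
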

to...@tuxteam.de

Jul 11, 2019, 4:50:05 AM
On Thu, Jul 11, 2019 at 11:34:53AM +0300, Reco wrote:
> Hi.
>
> On Thu, Jul 11, 2019 at 10:22:40AM +0200, to...@tuxteam.de wrote:

[...]

> > Most probably you'll have to implement SPF and/or DKIM [1, 2]
>
> Both, and a DMARC too. Also, valid PTR records. While not required by
> any RFC, valid PTRs are considered mandatory by some big players like
> GMail.

You're possibly right. As I said, I could get by without DMARC yet,
but we're not done (we're never done, are we ;-)

[...]

> DKIM is very straightforward. There are some "gotchas" if you're sending
> mails to the maillists - some maillists just love to modify arbitrary
> e-mail headers, which leads to failed DKIM checks - but they can be
> solved.

And for SPF you've got to have some control over your DNS records,
which, depending on your hoster (or registrar) may get "interesting".

Same for DMARC.

Cheers
-- t

Brad Rogers

Jul 11, 2019, 5:20:05 AM
On Thu, 11 Jul 2019 10:03:34 +0200
<to...@tuxteam.de> wrote:

Hello to...@tuxteam.de,

>enough to yell at the sender to fix his/her MUA.

Except that the worst offenders are commercial entities such as google,
ebay(1), all banks, amazon, etc, etc. ad nauseam. *None* of them are
going to remove HTML and/or CSS from their emails until something
'better'(2) comes along.

Don't forget, either, that most computer users simply don't care what
comes in as long as they can read it. They have little or no idea what
HTML is, much less care.



(1) Possibly the worst; 150kbyte+ emails to say, essentially, "You've
been outbid". Why, FFS?!
(2) Better for them that is. IOW, something that makes it easier for
them to make more money out of us.

--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"
I must be hallucinating, watching angels celebrating
There Must Be An Angel (Playing With My Heart) - Eurythmics

to...@tuxteam.de

Jul 11, 2019, 5:40:04 AM
On Thu, Jul 11, 2019 at 10:10:46AM +0100, Brad Rogers wrote:
> On Thu, 11 Jul 2019 10:03:34 +0200
> <to...@tuxteam.de> wrote:
>
> Hello to...@tuxteam.de,
>
> >enough to yell at the sender to fix his/her MUA.
>
> Except that the worst offenders are commercial entities such as google,
> ebay(1), all banks, amazon, etc, etc. ad nauseam. *None* of them are
> going to remove HTML and/or CSS from their emails until something
> 'better'(2) comes along.

But giving up is not an option.

> Don't forget, either, that most computer users simply don't care what
> comes in as long as they can read it. They have little or no idea what
> HTML is, much less care.

That's where talking to people comes in.

"Discontent is the first step in the progress of a man or a nation."
-- Oscar Wilde

Cheers
-- t

John Crawley

Jul 11, 2019, 7:20:06 AM
Fair enough. Easier if you don't insist on having all that stuff.
Thunderbird, anyway, lets you view message bodies as "Simple html",
which I'm hoping avoids most of the vulnerabilities. Maybe it's
something similar to the mutt/mailcap config Reco posted earlier.

--
John

rhkr...@gmail.com

Jul 11, 2019, 8:00:03 AM
On Wednesday, July 10, 2019 10:33:58 PM Kenneth Parker wrote:
> So now,
> Google is running the Internet? Those Universe emails were DEFINITELY text
> only!

For quite a while -- they decide what goes in your (well, their) spam folder,
and, quite often, if someone else decides something is spam for them, Google
assumes it is spam for you as well.

I'm not clear on exactly the circumstances of how that happens, it seems I can
undo it by clicking on a message and saying not spam. I haven't kept records,
but I'm sure that has become undone, presumably when somebody else marks the
same thing as spam.

(And one bad example of this is when somebody subscribes to a mail list,
later decides they are not interested, and marks it as spam (in Google)
instead of unsubscribing.)

I'm sure all of us who use (or have used) gmail are aware of this, but those
who haven't used gmail may not be.

John Hasler

Jul 11, 2019, 8:30:03 AM
Brad Rogers writes:
> Except that the worst offenders are commercial entities such as google,
> ebay(1), all banks, amazon, etc, etc. ad nauseam. *None* of them are
> going to remove HTML and/or CSS from their emails until something
> 'better'(2) comes along.

Some banks have found something "better". Their emails contain a link
which automatically opens a page on their site in your browser (they
assume that everyone reads email in a browser, of course). They claim
this is more secure.

Citi does this with emails inquiring about a possibly fraudulent
transaction. If you kill the process as soon as you realize that
something in that email is trying to connect to something (as any sane
person would) they consider that you have authorized the transaction.

There is no point in complaining. 99% of users object to anything *but*
html mail. Most don't know that anything else exists.
--
John Hasler
jha...@newsguy.com
Elmwood, WI USA

to...@tuxteam.de

Jul 11, 2019, 8:50:04 AM
On Thu, Jul 11, 2019 at 07:26:00AM -0500, John Hasler wrote:
> Brad Rogers writes:
> > Except that the worst offenders are commercial entities such as google,
> > ebay(1), all banks, amazon, etc, etc. ad nauseam. *None* of them are
> > going to remove HTML and/or CSS from their emails until something
> > 'better'(2) comes along.
>
> Some banks have found something "better". Their emails contain a link
> which automatically opens a page on their site in your browser (they
> assume that everyone reads email in a browser, of course). They claim
> this is more secure.

Horrifying.

[...]

> There is no point in complaining. 99% of users object to anything *but*
> html mail. Most don't know that anything else exists.

For me, that would be a reason to change the bank.

My bank offers a standardized protocol based on public key cryptography.
I can initiate a transaction (or fetch records) with a simple shell
script.

No browser involved.

Cheers
-- t

to...@tuxteam.de

Jul 11, 2019, 8:50:04 AM
On Thu, Jul 11, 2019 at 07:53:12AM -0400, rhkr...@gmail.com wrote:
> On Wednesday, July 10, 2019 10:33:58 PM Kenneth Parker wrote:
> > So now,
> > Google is running the Internet? Those Universe emails were DEFINITELY text
> > only!
>
> For quite a while -- they decide what goes in your (well, their) spam folder,
> and, quite often, if someone else decides something is spam for them, Google
> assumes it is spam for you as well.

Enough reasons to change mail provider. Ad industry is out to influence our
perception of the world (systematically and scientifically at least since
the 1920s [1]). It seems to me a bad idea to let some entity from that hostile
planet into the very core of our communications.

But, of course, each one decides for herself.

Cheers

[1] https://en.wikipedia.org/wiki/Edward_Bernays

-- t

Brad Rogers

Jul 11, 2019, 10:00:04 AM
On Thu, 11 Jul 2019 07:26:00 -0500
John Hasler <jha...@newsguy.com> wrote:

Hello John,

>assume that everyone reads email in a browser, of course). They claim
>this is more secure.

They can claim it, but they're wrong. The safest, most secure way is to
send plain text, without any links at all.

Safer still; Never send email. :-)

--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"
He signed up for just three years, it seemed a small amount
Tin Soldiers - Stiff Little Fingers

Brad Rogers

Jul 11, 2019, 10:00:04 AM
On Thu, 11 Jul 2019 11:31:54 +0200
<to...@tuxteam.de> wrote:

Hello to...@tuxteam.de,

>That's where talking to people comes in.

By and large, people simply do not care.
In fact, it seems most would rather have pretty than be safe. For a
certain value of 'safe', obviously.

--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"
A friend of a friend he got beaten
I Predict A Riot - Kaiser Chiefs

Greg Wooledge

Jul 11, 2019, 10:10:04 AM
On Thu, Jul 11, 2019 at 02:49:41PM +0100, Brad Rogers wrote:
> By and large, people simply do not care.
> In fact, it seems most would rather have pretty than be safe. For a
> certain value of 'safe', obviously.

And a certain value of "pretty".

David Wright

Jul 11, 2019, 11:20:03 AM
On Thu 11 Jul 2019 at 07:26:00 (-0500), John Hasler wrote:
> Brad Rogers writes:
> > Except that the worst offenders are commercial entities such as google,
> > ebay(1), all banks, amazon, etc, etc. ad nauseam. *None* of them are
> > going to remove HTML and/or CSS from their emails until something
> > 'better'(2) comes along.
>
> Some banks have found something "better". Their emails contain a link
> which automatically opens a page on their site in your browser (they
> assume that everyone reads email in a browser, of course). They claim
> this is more secure.

And if you don't open that link, they¹ assume you don't read their
emails at all. After a few months, they start sending emails
complaining about that, and threatening to stop sending you emails.

> Citi does this with emails inquiring about a possibly fraudulent
> transaction. If you kill the process as soon as you realize that
> something in that email is trying to connect to something (as any sane
> person would) they consider that you have authorized the transaction.

I can't confirm that as they sent me a simultaneous text as well as
the email, so our dialogue was continued by text and then phone. (They
were extremely efficient, and I can't complain about their actions.)
But thanks for the heads-up.

> There is no point in complaining. 99% of users object to anything *but*
> html mail. Most don't know that anything else exists.

¹ not Citi, thankfully.

Cheers,
David.

Gene Heskett

Jul 11, 2019, 12:00:04 PM
On Thursday 11 July 2019 08:46:48 to...@tuxteam.de wrote:

> On Thu, Jul 11, 2019 at 07:26:00AM -0500, John Hasler wrote:
> > Brad Rogers writes:
> > > Except that the worst offenders are commercial entities such as
> > > google, ebay(1), all banks, amazon, etc, etc. ad nauseam. *None*
> > > of them are going to remove HTML and/or CSS from their emails
> > > until something 'better'(2) comes along.
> >
> > Some banks have found something "better". Their emails contain a
> > link which automatically opens a page on their site in your browser
> > (they assume that everyone reads email in a browser, of course).
> > They claim this is more secure.
>
> Horrifying.
>
> [...]
>
> > There is no point in complaining. 99% of users object to anything
> > *but* html mail. Most don't know that anything else exists.
>
> For me, that would be a reason to change the bank.
>
And you would be amazed at the leverage a 5 digit account gives the
disgruntled customer. Do some shopping around, and don't be afraid to
vote with your wallet.

> My bank offers a standardized protocol based on public key
> cryptography. I can initiate a transaction (or fetch records) with a
> simple shell script.
>
> No browser involved.
>
> Cheers
> -- t


John Hasler

Jul 11, 2019, 12:40:03 PM
tomas writes:
> I think bigcorps love that, because they hate the decentralized nature
> of mail.

I don't think they care (except that they don't want one of their
competitors in control). Government hates it, of course. It would have
been easy to adopt anti-spam measures that would have made what you do
impossible, but it wasn't done.

> Spam pressure plus measures making the life of small mail providers
> [difficult] help centralization.

This is true. People also seem to like centralization, unfortunately.

> This is what I call Emergent Evil. I don't think there's a single
> person out there scheming out those things, but a corporation as a
> whole does come up with that kind of perverse behaviour.

Better "emergent evil" (I've seen the term elsewhere) than the "devil"
theory but I don't think it is useful to talk about evil at all. They
are just people doing what works for them (even in government, the
biggest and most powerful bigcorp of all).

Dan Purgert

Jul 11, 2019, 1:00:04 PM
Brad Rogers wrote:
> [...]
>
> By and large, people simply do not care.
> In fact, it seems most would rather have pretty than be safe. For a
> certain value of 'safe', obviously.

There's a certain elegance to amber-on-black...


--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281

Carl Fink

Jul 11, 2019, 2:20:04 PM
On Thu, Jul 11, 2019 at 02:49:41PM +0100, Brad Rogers wrote:

> By and large, people simply do not care.
> In fact, it seems most would rather have pretty than be safe. For a
> certain value of 'safe', obviously.

I think "convenient" more than "pretty". (This idea stolen from Bruce
Schneier.)
--
Carl Fink nitpi...@nitpicking.com

Read John Grant's book, Corrupted Science: http://a.co/9UsUoGu
Dedicated to ... Carl Fink!

Thomas D Dial

Jul 11, 2019, 3:30:05 PM
Can you name the bank? It has annoyed me for between 20 and 30 years
that banks, generally, have avoided this obvious way to conduct business
with their customers in favor of more vulnerable methods pushed by their
enterprise IT suppliers.

Regards,
Tom Dial
>
> Cheers
> -- t

to...@tuxteam.de

Jul 12, 2019, 3:30:04 AM
On Thu, Jul 11, 2019 at 01:00:11PM -0600, Thomas D Dial wrote:
> On Thu, 2019-07-11 at 14:46 +0200, to...@tuxteam.de wrote:

[...]

> > My bank offers a standardized protocol based on public key
> > cryptography.

[...]

> > No browser involved.
>
> Can you name the bank? It has annoyed me for between 20 and 30 years
> that banks, generally, have avoided this obvious way to conduct business
> with their customers in favor of more vulnerable methods pushed by their
> enterprise IT suppliers.

Most probably it won't help you -- my guess is that we're at opposite
banks (heh) of the big pond. But FWIW, my bank is GLS bank [1] (which
specializes in ethical investment) and the mentioned standard is
HBCI [2].

Cheers

[1] https://www.gls.de/privatkunden/
[2] https://en.wikipedia.org/wiki/HBCI

-- tomás

to...@tuxteam.de

Jul 12, 2019, 3:40:04 AM
On Thu, Jul 11, 2019 at 11:34:01AM -0500, John Hasler wrote:
> tomas writes:
> > I think bigcorps love that, because they hate the decentralized nature
> > of mail.
>
> I don't think they care (except that they don't want one of their
> competitors in control).

Oh, they do. You can't easily monetize mail (the interfaces are standard,
for a consumer it's easy to change providers), whereas with whichever
"platform" (Facebook, LinkedIn, Slack, Google+, younameit) the audience
is captive: changing provider means giving up on your network.

> Government hates it, of course. It would have
> been easy to adopt anti-spam measures that would have made what you do
> impossible, but it wasn't done.

I have the impression you're being blindsided by ideology there. To me,
Bigcorp is like state (minus First Amendment).

> > Spam pressure plus measures making the life of small mail providers
> > [difficult] help centralization.
>
> This is true. People also seem to like centralization, unfortunately.
>
> > This is what I call Emergent Evil. I don't think there's a single
> > person out there scheming out those things, but a corporation as a
> > whole does come up with that kind of perverse behaviour.
>
> Better "emergent evil" (I've seen the term elsewhere) than the "devil"
> theory but I don't think it is useful to talk about evil at all. They
> are just people doing what works for them (even in government, the
> biggest and most powerful bigcorp of all).

I had early and intense religious education. Not trying to offend
anyone, but I had my share of devil and then some. These days I
prefer to make do without :-)

Cheers
-- t

Curt

Jul 12, 2019, 4:00:04 AM
On 2019-07-12, <to...@tuxteam.de> <to...@tuxteam.de> wrote:
>
>
> I have the impression you're being blindsided by ideology there. To me,

That's the pot calling the kettle black.

--
“We are all in the gutter, but some of us are looking at the stars.”
― Oscar Wilde, Lady Windermere's Fan

to...@tuxteam.de

Jul 12, 2019, 4:40:04 AM
On Fri, Jul 12, 2019 at 07:57:33AM -0000, Curt wrote:
> On 2019-07-12, <to...@tuxteam.de> <to...@tuxteam.de> wrote:
> >
> >
> > I have the impression you're being blindsided by ideology there. To me,
>
> That's the pot calling the kettle black.

:-)

But still, *my* ideology is right and *yours* is wrong ;-P

Cheers
-- t

John Hasler

Jul 12, 2019, 10:00:04 AM
tomas writes:
> You can't easily monetize mail (the interfaces are standard, for a
> consumer it's easy to change providers)

Gmail. The only interface that matters to most people is the user
interface they see in their browser and that is not standardized.

> I have the impression you're being blindsided by ideology there.

I don't suffer from that disease (which is pretty much the same as
religion).

> To me, Bigcorp is like state (minus First Amendment).

Businesses don't have armies.

> I had early and intense religious education. Not trying to offend
> anyone, but I had my share of devil and then some. These days I prefer
> to make do without

If you still believe in evil you haven't entirely overcome your
religious indoctrination.

to...@tuxteam.de

Jul 12, 2019, 10:30:04 AM
On Fri, Jul 12, 2019 at 08:52:57AM -0500, John Hasler wrote:
> tomas writes:
> > You can't easily monetize mail (the interfaces are standard, for a
> > consumer it's easy to change providers)
>
> Gmail. The only interface that matters to most people is the user
> interface they see in their browser and that is not standardized.
>
> > I have the impression you're being blindsided by ideology there.
>
> I don't suffer from that disease (which is pretty much the same as
> religion).

Famous Last Words (TM).

> > To me, Bigcorp is like state (minus First Amendment).
>
> Businesses don't have armies.

Says who?

> > I had early and intense religious education. Not trying to offend
> > anyone, but I had my share of devil and then some. These days I prefer
> > to make do without
>
> If you still believe in evil you haven't entirely overcome your
> religious indoctrination.

Of course I don't believe in "evil". What's there to believe in?
Still there are actions I'd describe as evil. It's a useful
adjective, as are "red" or "bitter" or "tenuous".

Cheers
-- t

Reco

Jul 12, 2019, 1:00:04 PM
Hi.

On Fri, Jul 12, 2019 at 08:52:57AM -0500, John Hasler wrote:
> > To me, Bigcorp is like state (minus First Amendment).
>
> Businesses don't have armies.

Or do they?

https://en.wikipedia.org/wiki/Blackwater_Worldwide

Reco

Diagonal Arg

Jul 16, 2019, 10:20:03 PM
They now even have mini-states, thanks to the Kochs and the Cato Institute:

https://www.alternet.org/2015/01/nightmare-libertarian-project-push-one-central-american-country-through-massive-privitization/

> Reco

Dave.

Keith Bainbridge

Jul 17, 2019, 12:30:04 AM


On 11/7/19 10:44 pm, to...@tuxteam.de wrote:
> Enough reasons to change mail provider.



Good afternoon All

I agree, but every time I look around, I find only other mega corporate
operators that offer realistic data storage limits.


I'd be interested in some suggestions, please.



Keith Bainbridge

keit...@gmail.com
+61 (0)447 667 468

Diagonal Arg

Jul 17, 2019, 12:50:03 AM

>>> On 11/7/19 10:44 pm, to...@tuxteam.de wrote:
>>> Enough reasons to change mail provider.
>>
>> I agree, but every time I look around, I find only other mega corporate
>> operators that offer realistic data storage limits.
>
> I'd be interested in some suggestions, please
https://riseup.net/en/security/resources/radical-servers

> Keith Bainbridge

Dave.

to...@tuxteam.de

Jul 17, 2019, 3:10:04 AM
You beat me to it :-)

Thanks
-- t

Nicholas Geovanis

Jul 17, 2019, 12:30:04 PM
On Tue, Jul 16, 2019 at 9:14 PM Diagonal Arg <debia...@niwas.net> wrote:
On 7/12/19 9:57 AM, Reco wrote:

>       Hi.
>
> On Fri, Jul 12, 2019 at 08:52:57AM -0500, John Hasler wrote:
>>> To me, Bigcorp is like state (minus First Amendment).
>>
>> Businesses don't have armies.
>
> Or do they?
>
> https://en.wikipedia.org/wiki/Blackwater_Worldwide

They now even have mini-states, thanks to the Kochs and the Cato Institute:

Well, they have a maxi-state too. The takeover is not yet 100% but quite close:

One of the turning points was the legal precedent that corporations were separate legal entities.
After that, the people in charge of them could not be personally held legally responsible for their
actions as corporate officers. Only the paper corporation. So for example no pharmaceutical
executive will go to prison for pushing narcotics on Americans. Only the paper corp will have to pay damages,
and they will write-off their losses on their taxes. So the American taxpayer picks up their tab. 
Rich men and women skate again :-)


https://www.alternet.org/2015/01/nightmare-libertarian-project-push-one-central-american-country-through-massive-privitization/

> Reco

Dave.
