Every email gets flagged as “opened,” so the flag is meaningless, and recipients can see the images without triggering a tracker.
The company also ran a mail filter called Barracuda or something similar that followed links in emails to see if they were malicious.
I was quite annoyed when I was called to do the mandatory training as "I" had clicked a link (on an email I hadn't seen) and more so when told I had no other recourse than to sit through it.
I resigned shortly afterwards.
Edit: also, to be fair, you basically told them you had opted out of the test, so it’s not completely ridiculous for them to ask you to do the training instead.
This method of test passing wasn't okay when Volkswagen did it, and it's not appropriate for employees at a company that asks them to take the test, for the exact same reason.
Sure you are being clever, but (and I don't know the state of the art wrt the effectiveness of these fake phishing emails), you are defying a measure that was taken by management to try to make the company safer. Sure it may feel, and even be, a waste of time. But you are also putting yourself above the rules in a way. Your assumption is that these programs will actually NOT make the company safer, with 100% certainty. Because even if it makes the company 1% safer, it is management's responsibility to go ahead with these measures or not.
I don't know what to think of how you acted, as much as I hate most mandatory courses, at least some of my knowledge comes from them. Obviously the company pays you normally while you take the course. And somewhere I feel that "work is work".
Of course, in this case, you have shown the system to be erroneous, while showing yourself to feel superior. Difficult... As manager I'd like you to seek a conversation with me.
Edit: Of course, you are 100% free to leave this company, are you 100% free to cheat on cyber security measures? I don't think I agree with you there.
As said, mixed feelings.
> are you 100% free to cheat on cyber security measures?
Why do you think that implementing an email filter like that is "defying a measure" or "cheating"? What value do you think there would be in individually, manually, reviewing each such email, if you've already identified the pattern they all follow and their purpose? You're essentially arguing for wilful inefficiency, which is "cheating" the organization out of useful labor.
The other reply to you may have been less than perfectly polite, but they certainly had a point.
Nowhere am I saying that I agree with the chosen methods, especially not the part that sounds like punishment. But there are better ways to deal with the disagreement than suggested here.
I'm generally considered knowledgeable and I'm just thinking from the perspective of owning a company and employees taking these actions instead of coming to talk to me, showing evidence of my poor management decisions.
This whole text reeks of an employee vs employer situation, which is never good (you're in it together), so probably it is good that the person left the company, for both parties.
Perhaps I'm naive, or not American enough, US work culture seems harsh to me sometimes, especially wrt work ethic and hierarchy.
I'm off now to find what PMC is, thank you.
Edit: Looked around for some time, no idea still what PMC is.
I guess lyu07282 is what I have taken to calling a "Judger". Always labeling, always judging, always seeking the moral high-ground, never realizing the lack of nuance that must exist in short texts. Never thinking "what if this was meant in a kind way." Oh, and I see the irony, it is intentional (feels bad right?).
I think it's what's tearing the US apart at this very moment. Always Us against Them. Most people are kind you know. I really thought I did my best to add nuance.
The cool thing though is when people post the link on Yammer asking if it's safe, then you can screw them by clicking on it and they have to do the course hehehh
But yeah bad service
You could imagine a system more like the notification tray on iOS/Android where at any time a notification can appear, be edited, timeout, or be deleted.
Your email inbox could be like that. The email saying "Your parcel has been dispatched" could be edited to say "Your parcel has been delivered".
When you refund something you've bought, the original purchase receipt could be crossed out or hidden. When you get invited to a wedding but then the wedding is cancelled, the original invite could be deleted, etc.
Says who? It's not in the original RFC as far as I'm aware.
It was text delivered over SMTP.
And yes, that means that an image with an amount is publicly accessible, so what, there's no information about the invoice in there as that's in the text of the email.
I subscribed to the daily headlines from a newspaper, they delivered them as a remote picture in the mail. Only it was always the same remote picture each day, just updated. So if you didn't open the mail each day too bad: you snooze you lose, those past headlines are gone.
I made an attempt to enumerate them[1], and whilst I caught this issue with feImage over a decade ago by simply observing that xlink:href attributes can appear anywhere, Roundcube also misses srcset="" and probably other ways, so if the server "prefetched every image" it knew about using the Roundcube algorithm the one in srcset would still act as a beacon.
I feel like the bigger issue is the W3 (nee Google). The new HTML Sanitizer[2] interface does nothing, but some VP is somewhere patting themselves on the back for this. We don't need an object-oriented way to edit HTML, we need the database of changes we want to make.
What I would like to see is the ability to put a <pre-cache href="url"><![CDATA[...]]></pre-cache> that would allow the document to replace requests for url with the embedded data, support what we can, then just turn off networking for things we can't. If networking is enabled, just ignore the pre-cache tags. No mixing means no XSS. Networking disabled means "failures" in the sanitizer is that the page just doesn't "look" right, instead of a leak.
Until then, the HTML4-era solution (a whitelist instead of trying to blacklist/block things) is best. That's also easier in a lot of ways, but harder to maintain since gmail, outlook, etc are a moving target in _their_ whitelists...
[1]: https://github.com/geocar/firewall.js
[2]: https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...
> Then drop any elements and attributes that are not allowed by the sanitizer configuration, and any that are considered XSS-unsafe (even if allowed by the configuration)
The XSS-unsafe functions are all named "unsafe". Although considering web programmers, maybe they should have been named "UnsafeDoNotUseOrYouWillBeFired".
[0] https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...
https://developer.chrome.com/blog/sanitizer-api-deprecation/
multipart/related already exists.
Which web browsers render multipart/related correctly served over https?
Never mind, the context is e-mail, which is not served to a browser over HTTPS.
As to why I prefer one thing that doesn’t exist over another thing that doesn’t exist depends on my priors. You might as well be asking my opinion and making fun of it before you know the answer.
What do you think the impact would be if Content-Location: suddenly gained the interpretation I suggest?
What do you think a script in the package can do to reference a part whose URL is constructed by code?
A better approach is to follow all links always (even to non-existent recipients) if you must play this game.
That reminds me: I should make sure all my mail clients are still set to plain text rendering.
my contact info is in my profile to arrange settlement
I'm also wondering if you could (ab)use SMIL mouse events to bypass this approach.
An automated system processing emails isn’t going to be fetching images or rendering attached SVGs.
Probably any unknown element attribute pair should be stripped by default. And that's still not considering different "namespaces" such as SVG and MathML that you need to be careful with.
But you still have to dynamically allow or disallow external content such as images. It also makes any operations based on the content more convoluted. Like adding event invites to calendar and so on.
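The two points made above (that enumerating image fetches by `src` alone misses `srcset` and `xlink:href` beacons, and that any unknown element/attribute pair should be stripped by default, with SVG and MathML handled as whole subtrees) as an added Python example. This is not Roundcube's code nor the firewall.js enumeration linked earlier; it is an allow-list sanitizer on the standard library's `html.parser` that keeps only known element/attribute pairs, routes the surviving image references through a proxy, and records every URL-bearing attribute it saw, kept or dropped, so the references a naive prefetcher would have missed still show up in a log. The allow-list contents, the `/proxy?url=` prefix, the `example.test` hosts and the sample message are all assumptions made for the example.

```python
"""Allow-list sanitizer for untrusted HTML email bodies (added example, not Roundcube's code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Element -> attributes allowed on it. Anything not listed here is dropped (allow-list, not block-list).
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "div": set(), "span": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}
# Elements whose whole subtree is discarded: scripting, styling, and the SVG/MathML namespaces.
DROP_SUBTREE = {"script", "style", "svg", "math", "iframe", "object", "template"}
# Attributes that make a client fetch something, on any element. srcset is a list of candidates.
URL_ATTRS = {"src", "href", "xlink:href", "background", "poster", "data",
             "action", "formaction", "srcset"}
SAFE_SCHEMES = {"http", "https", "mailto"}   # javascript:, data:, vbscript: and relative refs are dropped


def urls_in_attr(name, value):
    """Every URL an attribute could cause the client to request."""
    if value is None or name not in URL_ATTRS:
        return []
    if name == "srcset":
        return [cand.strip().split()[0] for cand in value.split(",") if cand.strip()]
    return [value.strip()]


class EmailSanitizer(HTMLParser):
    def __init__(self, image_proxy="/proxy?url="):   # proxy prefix is an assumption of the example
        super().__init__(convert_charrefs=True)
        self.out = []
        self.external = []        # every remote reference seen, kept or dropped, for the audit log
        self.proxy = image_proxy
        self.skip_tag = None      # element whose subtree is currently being discarded
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        # Record URLs before filtering, so beacons inside dropped subtrees are still logged.
        for name, value in attrs:
            self.external.extend(urls_in_attr(name.lower(), value))
        if self.skip_depth:
            if tag == self.skip_tag:
                self.skip_depth += 1
            return
        if tag in DROP_SUBTREE:
            self.skip_tag, self.skip_depth = tag, 1
            return
        if tag not in ALLOWED:
            return                # unknown element: tag dropped, its text still flows through
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED[tag] or value is None:
                continue          # unknown attribute on a known element: dropped (srcset lands here)
            if name in URL_ATTRS:
                value = value.strip()
                if urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                    continue
                if tag == "img":  # remote images only ever load through the proxy
                    value = self.proxy + quote(value, safe="")
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag == self.skip_tag:
                self.skip_depth -= 1
            return
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

    def handle_comment(self, data):
        pass                      # comments (conditional ones included) are dropped outright


def sanitize(html):
    """Return (clean_html, external_urls_seen) for an untrusted email body."""
    s = EmailSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.external


# Constructed sample message: a visible image, a srcset beacon, an SVG feImage beacon, and a bad link.
SAMPLE_EMAIL = (
    '<p>Invoice <b>#1234</b> attached.</p>'
    '<img src="https://mail.example.test/pixel.gif" srcset="https://track.example.test/b.gif 1x" alt="">'
    '<svg><filter><feImage xlink:href="https://track.example.test/svg-beacon"/></filter></svg>'
    '<a href="javascript:alert(1)" onclick="x()">click</a>'
    '<script>steal()</script>'
)

if __name__ == "__main__":
    clean, seen = sanitize(SAMPLE_EMAIL)
    print(clean)
    print("external references seen:", seen)
```

The `external` list is the set a server-side "prefetch every image" approach would have had to fetch to be honest; the sanitizer makes that unnecessary for delivery, since only the proxied `<img src>` survives, but the list is still worth logging because a message carrying a `srcset` or `feImage` beacon that the visible body never needed is itself a signal worth alerting on.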
I’m not sure if Exchange Online doesn’t scan them or something, but I landed up making a rule which blocks all emails with either .svg or .htm(l) attachments and to notify me when blocked.
Happens a couple of times per month for our small company, no false positives yet.
Content-Security-Policy: img-src 'self';
I am trying to read as little _online_ as possible nowadays. I essentially have dovecot in my crontab, and read it off roundcube. It's been working great, RoundCube is dead simple to setup and use, the UI and search are very fast.
Best of luck to you on your blog. I would suggest you also add a "welcome to my blog" post where you give a little background about why you're writing the blog and what kinds of content readers can hope to see in the future. There's no denying that you have little content, so you might as well make it clear to readers _why_ that is. Plus, it sets them up to be interested to see what's coming next.
Also: what's the legal status of this kind of tracking? How does it jibe with the GDPR?