Spot on.
I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?
This IS a big deal and should be a scandal people are educated about, and Microsoft should be forced to stop this immediately. It's interesting that Microsoft appears to have managed to stay under the radar with these deceptive tactics...
I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?
If Microsoft has the power to pay the EU for laws in its favour, i presume (i am actually sure see "die Welt") that paying some newspapers poses no big logistical problems.
The big logistical problem is: How do you select which newspapers to pay?
All of them? Now you've announced that you've got something to hideandare trying to to pay off newspapers to hide it. One of them is going to decide that this story is too juicy not to publish.
Only those that find out some other way and ask for comment? Well, in this case Microsoft didn't reply toc't Magazin's request for comment before publication...
Just one or two probably. One right and one left wing publication.
One side writes a piece, something like: "How the new Outlook saved my {insert protected class}", another one on the other side something like "New Microsoft Outlook uses your mail credentials to steal your DNA via nanosites because Bill Gates wants access to your children."
And then the rest of the media pick it up from there, spin it in their respective direction, receiving their generous donations from one of the numerous MS foundations that funnel money into these places, based on how damaging their puff pieces were.
Now nobody cares about the problem anymore because they are too busy fighting each other.
"How the new Outlook saved my LGBT" "How the new Outlook saved my Woman" (Hey, this actually parses! Though not in the intended way...) "How the new Outlook saved my African American" (ok, this is getting troubling) "How the new Outlook saved my Christianity" (The first article I'd actually read) "How the new Outlook saved my Age" (big scope!) "How the new Outlook saved my Ex Serviceman" "How the new Outlook saved my Disability"
MS (and other enterprise big tech) gets laws in their favor in the EU because the EU has no solid alternative to MS. There is no EU based big cloud provider with similar capabilities, software ecosystem, integration, nobody offering a comparable office suite, familiar operating system with legacy compatibility, collaboration platform, etc.
Even when you have solid competitors for individual components, the whole package is hard to resist. So they're stuck with MS for the moment, and slowly get absorbed in that ecosystem making it even more entrenched. But MS doesn't need to pay to get the law, they just have to let EU companies try out alternatives until they go back to being slowly boiled with MS. The EU is looking for excuses to excuse MS because everyone decided the price we all know now is worth paying to get access to a full ecosystem that fills all other needs.
Effectively the EU is "paying" MS to stay, not the other way around.
It is even worse.
MS doesn't need to do anything. They don't need to pay anyone off. EU bureaucracy is extremely strongly wedded to MS products like Windows, Office, Teams, Outlook etc. As are all EU national bureaucracies and public institutions.
There are firm opinions by e.g. the BSI (German IT security office, comparable to something between NSA, mostly NIST, DHS and ANSI) and other equivalent European national offices that it is practically impossible to operate modern MS products securely. E.g. there are guidelines from BSI like "we know that in that exact version (which is years old, because the guideline took ages to write) you need to set the following registry keys to prevent data exfiltration. Btw. this won't help you, because you also HAVE to upgrade within a few weeks of each available update". There are firm opinions by multiple European data protection offices that basically say the same about GDPR compliance in MS products. Practically impossible to achieve, there might have been that one configuration, "Once upon a time of writing the report, with that specific version of Windows and Office, when firewalling off half of azure, setting those 300 registry keys, manually deleting the following files, illegal telemetry could no longer be observed. Also, you are obliged by GDPR to follow good practice and update regularly, so good luck with that...".
Basically it is illegal to process any personal data using MS products in the EU if the processing system has any kind of outgoing internet connection. All the bureaucracies ignore this systematically, citing the "impossibility" of working without said MS products. Migration plans away from those illegal processes are regularly cancelled, ignored or never completed. MS is free to do whatever it wants, they are never really investigated, fined or held to any laws.
Meanwhile, other big IT firms like Meta, Google, Twitter/X and lots of others are held to far higher standards. Where tons of your local government's data about you like tax report, criminal records, school records and similar things are subject to being exported to the US via Azure, MS telemetry and what not. With FAANG there is complaining about comparably laughable stuff like "well, that IP address that Google Fonts could observe...".
The problem, why this doesn't change, is that the local government institution is responsible for their data processing (according to GDPR and other laws), MS being only their contractor. And those government institutions are usually (in almost all EU states) free from GDPR and other penalties, and those penalties would be left-pocket-to-right-pocket anyways.
This is why MS gets a free pass on everything. Imho this must end.
Calling "Die Welt" a newspaper is the problem at hand. It should be labeled as yellow press, but yeah...
Why even pay newspapers, when most do not understand the problem anyway, so do not want to read about it?
Microsoft is already taking so much data, I would have trouble to explain to the layperson, why this incident is worse, than all of the other shit they are doing.
The parent's remark was about US media. Hardly "some newspapers" to pay, and how does the EU come into play here?
They have been doing this for years. The mobile outlook app has had microsoft servers check for mail on the user's behalf since forever.
We first discovered this while troubleshooting why we were receiving logins with an old password.. after updating the settings in Outlook. They had no other email clients, but the 'New Outlook' didn't actually send the updated password to the Microsoft cloud due to a bug :P
Imagine my surprise discovering that this little banner in their Outlook settings that said "Using Microsoft sync technology"actuallymeans "This is no longer really a local IMAP client".
Cloud-first, in all the wrong ways. It's supposed to be a local app..
It's actually a really weird app. I have a windows PC I sometimes use at work, loaded with all the corporate crap, among which a full up-to-date installation of office 365. Since this machine isn't mission-critical, I sometimes like to check "what's new", so I've switched to the "new outlook".
Yesterday I got an email from someone with an attached Word doc. Usually, I just read those inside outlook, since I only need to skim them at best.
But this time, I clicked "open in word". The thing took ages. First it uploaded the doc somewhere on onedrive (didn't ask me anything). That took a good few seconds. Then it proceeded to open a browser window with a spinny thing doing whatever it is ms products do when they have you waiting around for no apparent reason. Then it finally opened the doc in word online. All the while having a perfectly good copy of word sitting on the same nvme drive as the freakin' attachment.
Now, this computer isn't the latest thousand core threadripper or nothing, but it was still the longest I've ever had to wait around for a 2 page text-only word doc to open.
New Outlook, which forgot to notify me that I had a meeting coming up despite having notifications set for it.
In a corporate office environment, that’s one of its two jobs.
New Outlook also fails at its second job for me, it won’t fetch email unless it’s the active window.
I wonder if this related to the Edge feature of "freezing" tabs, since New Outlook is clearly an Electron-like contraption, but I think they're supposed to use the Edge Web Views instead of shipping their own electron runtime.
At least it doesn't crash. At one point, it used to just die on me. They've also fixed the window decorations and ramdom icons in the left toolbar, which used to become weird on mouse over.
There's also something else odd going on with the app. When I start it from the start menu, there's a very long lag between my pushing enter and the start menu going away. This happens every time I start outlook after a fresh boot, but doesn't happen with other shitty apps, like New Teams. For those, it disappears right away, even though the app doesn't start up instantly. It doesn't matter the order in which I start them, nor if I only start Outlook after the machine has been running for a while.
Curious why they are making the connection on your behalf. Could it have anything to do with LLM’s? Either way, if I were IT, I’d be livid.
It's because IMAP is not very good for disconnected or mobile operation, and if you're willing to put a server between the on-device client and the IMAP server you can do much better at the cost of sharing credentials and content with the server. Not a new idea, mobile mail systems going back to Danger, BlackBerry, Good, etc have done this and probably there was precedent before that.
It’s quite amusing to read all the clueless comments acting as if this is some Microsoft invention, from people who apparently haven’t read up on the state of MUAs for the last two decades, if ever.
Depends very much on the client. Samsung Email is atrocious, but Apple Mail works great (and I think they’re both local clients).
Do not firewall them off. Serve different content and break functionality in a self-explanatory way (i.e. an email that tells what's wrong).
This is nothing user-facing. Microsoft will run that in the background, firewalling it off breaks it, so they'll have to act.
The emailsareuser facing. So if, say, the ISP were to detect Microsoft servers connecting and serve them back a mailbox with a single email in it instead of the user's real mailbox, then the user would open Outlook and see just a single message. Ideally non-threateningly titled "MICROSOFT HAS STOLEN YOUR PASSWORD" and containing clear instructions on how to switch back to direct IMAP.
You're looking at it wrong. As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone. If you discover that they have, then they have wilfully compromised the security of the service you are providing, and you should immediately invalidate their credentials and contact them out of band to explain that you have acted to protect their account.
The credentials only give access to the users data so they damn well should be free to give those credentials/data* to whomever they please. Keyword give, Microsoft shouldn't build a de-facto keylogger.
* Ideally they should be separated like through OAuth, but that isn't an option for an ancient standard like IMAP.
As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone
Why would they? The users can do whatever the hell they want with their credentials
Limit Azure connections to 500 b/s. Make them wait and keep slowing moving connections active.
And you still having your users complaining to you not to Microsoft.
but at least MS is paying the bill too
firewall azure ranges
This will happen naturally as users change their credentials on server but not on outlook. Outlook proxy will try wrong password for 5 or so times and will get their IPs banned. This will affect many more users using the same server.
This will generate tickets for you and you will direct them to use plain local IMAP clients instead.
This whole idea at Microsoft was clearly forged by someone who has never served mail and is bound to fail as it trips standard security practices present for decades.
Microsoft has been doing this for many years for mobile Outlook, so it seems to work well enough (unfortunately).
You may have been too late if you've only been doing this recently. Outlook for Android has been doing the exact same thing for years (which I was quite surprised and upset to find out about at the time).
It's a shame, because like many Microsoft apps, the Outlook app isn't half bad if it weren't for the disgusting privacy violations.
Curious, you are email host for what? If it is a corporate entity, can't you control devices your employees can access mail from or what client is whitelisted? If it is public, why do you care where is the mail server hosted.
I agree that changing an app from offline to online, without appropriate messaging is wrong. But, it is not different from how Gmail works as a mail client.
Is MS sharing the list of IPs to firewall, somewhere?
Also, no idea why rebuilding outlook in what can be argued is an inferior technology for a desktop app could be considered a good idea. I can imagine some advantages in consolidating the web and Windows code base, but I'd say that's already a fluke - web and desktop apps are not the same nor I expect them to ever be (and should they?? Look at your phone and ask yourself if you'd prefer all your apps ported to the browser).
New Outlook lacks many, many features it predecessor has, like hot keys and viewing options. It doesn't support multiple languages, a must for someone who isn't American but works in a global company. And yet they push it as if it was an improvement.
Whoever made the decisions on this should rethink their career.
Cloud-first
Well, IMAP is already "cloud-first" by itself; so this is "cloud first and second", also known as MITM.
My recent experience with New Outlook was that it forced the change every month or so and I had to disable it and restart it to get the old version back. There was no setting to stop this, I looked a lot
What's left now, for Windows users? I think the only solution is Thunderbird
Claws Mail: powerfulandlightning fastand100% multi platform native code. (MacOS too but has to be built or downloaded elsewhere)
https://www.claws-mail.org/downloads.php
There's a small command line tool around (can't recall the name, sorry) to convert message bases and contacts from Outlook format so that they can be imported into Claws Mail. I once did that at a workplace where they were having all sort of problems with Outlook and a fairly big mail archive and saw people dropping their jaws when looking at the difference in search speed. Give it a try.
Claws is GTK+, so it's not native.
Actually, on Windows GTK uses native widgets.
No, using DrawFrameControl et al does not make a widget native.
What is native these days? They seem to have a new UI toolkit every 2 years.
The only native controls on Windows are the classic Win16/Win32 controls, accept no substitutes (not even that new-fangled comctl32 thing).
Is Outlook even native these days?
Cloud Native, the only type of native that matters these days ;-)
Native code, not native UI (whatever that means, these days)
Stop using Windows. It is foolish to assume that any data on a Windows machine can stay out of the Microsoft cloud.
E.g. Microsoft Edge on first launch can import bookmarks+stored passwords from Firefox (AFAIK without any user interaction, unless I clicked without thinking), and it also defaults to uploading this data to the Microsoft cloud (unless you're using a local account?).
Yep, I finally made the cut after they by default hijack your filesystem to onedrive. They can literally delete offline files.
I was utterly shocked to find Linux Desktop has more uptime than Windows. Windows forced updates caused so many issues dealing with autosaves, I was spending like 5-10 minutes per day reopening all my programs for work.
Those random linux annoyances you need the terminal for? I had like 1 or 2 of them during month 1, solved faster than a single Forced Windows Reboot. Fedora been flawless 5 months later.
The only terminal work I do is opening ports for my kid's games. It really is the year of the Linux Desktop. Its utterly shocking to me I'm saying it, I was a hater for so long.
Those random linux annoyances you need the terminal for?
Generally, if you want hardware that you don't have to fight, the only option is to buy computers with Linux preinstalled, with support. Modern computers are sufficiently complicated that they really only can support one OS. And, for consumer hardware, they even half-assthat.
It was that Fedora didn't have some video codec that reddit used.
I googled it, it was like copypasting 2 or 3 commands, then I could watch reddit videos.
I can't remember the other bug, it might have been an ID10T error.
Can't even blame Linux for that, I have to install way more stuff to make Windows work out of the box. Fedora weirdly has lots of stuff already installed.
That's not accurate.Mosthardware works out of the box with zero config on all the major distros. There are always some machines with unsupported hardware of course, but it's more the exception than the rule nowadays. This is especially true if your hardware is at least a year old.
I would say that "Generally", it's not a thing you need to worry about. If something isn't working, it's probably a configuration issue on your side. The easiest way to avoid that is to pick an immutable distro like Fedora Silverblue, Suse MicroOS, and soon Ubuntu Core Desktop. Combine that with Flatpaks, and you pretty much never have to touch a terminal or worry about a broken system.
I couldn't believe how much better the GUI had come in years as well. Around 2020 i tried a new work laptop with Ubuntu and was blown away. Without any fuss google meet worked in FIREFOX with full webcam audio support on a dell xps. Just to compare I went to the ms teams site, and of course it couldn't even get off the ground with firefox. "your browser isn't supported." it was obvious MS was/is crippling it artificially, and then it dawned on me, i just had my year of the linux desktop.
I use Windows for work because that's what corporate likes. But at home I've been running only Linux on laptops and desktops since 2006. In 2020, I switched my mom's home computer to linux. It's been a joy.
Why does anyone use Windows at home anymore? I guess gaming is still an issue?
Stop using Windows.
Er....no? Though i do spend an inordinate amount of time closing as many holes as possible. Unfortunately, windows is ok. The telemetry, ands and other bullshit is embarrassing but the software i run is on windows. Tried Linux, various ones, but I spent more time messing about that (software didn't cut it, drivers were an arse for audio, graphic setup was strange) it was a relief to go back. Linux reminds me of w3.1 and all that memory allocation bollocks just to run a game. I choose my lazy acceptance, combined with 'as much as I can do to protect myself', over beating my head over a whole operating system that doesn't cut it for what i require. I won't entertain macs as i trust apple even less (for being closed).
PuTTY + Mutt? :)
I’ve done myself over the years. :)
Windows now directly offers OpenSSH and a decent modern terminal app, so while PuTTY still works it’s no longer necessary for accessing mutt over SSH from Windows. Also with WSL you can also run mutt locally on Windows within a userland Linux distro like Ubuntu or Debian.
This is honeslty my favourite thing about windows in recent years. Now that you can just fire up native windows terminal and type 'ssh user@host.com' it has saved me so much time, and probably downloads for putty have dropped considerably as well.
That’s actually precisely what I use. :)
If, like many of us, you work in an org that refuses to authorize Thunderbird or anything else for IMAP+Oauth2 to Exchange Online then there are no other solutions. Outlook is e-mail, e-mail is Outlook.
You don’t have to use that for your private email though.
The online school I’m attending is like this with its email. My options are to run the Outlook for Mac desktop app (which oddly seems to be a different beast than “new” Outlook on Windows) or keep Outlook webmail open in a tab. Not even Apple Mail via its Exchange support is permitted.
I ultimately landed on keeping the desktop app open to reduce browser clutter and for the icon notification badge so I don’t miss any important emails.
This is what is so annoying with companies these days. Microsoft has them by the #%!!$ and they’ll continue taking all the productivity loss and other risks just so someone can check a box and say “We trust in Microsoft to manage this, and we’re off the hook.”
There are solutions like the Owl extension for Thunderbird, but that’s for the adventurous ones who want to take risks.
I switched to Mailspring a year or two ago and am very happy about it. It's based on electron so here be dragons, but does the job quite well. It's simple and basic and no fuss while not being an eyesore. Basically, a clone of the Mail app on macOS.
I've tried to use Mailspring a couple of times on Linux but apparently server syncing is still broken after 5+ years[0]. Until it works reliably I'm stuck with Thunderbird.
[0]https://community.getmailspring.com/t/disappearing-emails-de...
I think the only solution is Thunderbird
Some while ago, there was a bit of backlash over their re-design, but after actually using the more recent versions, I have to say that they did a good job - you can toggle the display density of the UI elements and it's still a good mail client with reasonable performance and usability.
I can even sign e-mails with OpenPGP and did you know that it also has a built in RSS feed reader (a bit clunky, but having news sites/blogs be a folder that's right next to my e-mail accounts works brilliantly well)? In addition, I have it both on my Windows and Linux machines, surprisingly consistent across the board.
Honestly, I couldn't be happier. Maybe also Roundcube hosted on VPSes for my own development mail servers when I don't feel like adding bunches of accounts to Thunderbird, but it's really nice that there's software like this out there in the first place!
My favorite RSS reader is Feedbro in Firefox, maybe on the minimal side but exactly what I need.
There is also The Bat!:https://www.ritlabs.com/en/products/thebat/
I use eM Client and I recommend it. It works super good, no issues with GMail calendar, Exchange server or any other weird quirks like Thunderberd (used to) have.
The disadvantages are that its paid (one time payment) and Windows only (no linux version).
It is not stealing anything because you get a dialog asking you for permission to do it. If you give someone permission to take something, they are not stealing it.
https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...
It is not stealing anything because you get a dialog asking you for permission to do it
That dialog talks about sync but notably does not mention credentials at all.
Surely this is instance where informed consent is needed, with full disclosure of what's going to happen.
Something along the lines of: "this means your IMAP username and password will be passed to Microsoft where we will store it indefinitely so we can regularly log into your IMAP server to sync your messages".
Of course, users are less likely to consent if you explain exactly what's going to happen...
That is IT understanding but legal wise, I think, they are good with the informed consent on the use case. Distasteful, but fine.
It is not informed consent if people don't understand what is happening, though.
Well, they consent to the fact that data is "synced" to Microsoft. That is the use case and the consent-able item. The password is just a random property of that item. And that is literally on the screen. That is broad but that is how privacy topics are generally handled.
I also do not like it.
If the data includes credentials but that isn't explicitly mentioned when asking for consent, I seriously hope that won't hold up before a judge.
I am not so sure about that. Are they allowed to simply assume "expert" knowledge?
No, they are not. GDPR notices (which this is) must be understandable to the layman. Including all consequences like "this will also allow access to other services secured with the same university/company-wide password".
This could also be a punishable crime in Germany:https://www.gesetze-im-internet.de/stgb/__202c.htmland other articles around that one.
I genuinely don't understand how you can come to this conclusion.
If I open the door to someone and allow them to take picture inside my house, there is no legal understanding that they are now allowed to make and keep a copy of my keys.
The understanding is that I allowed to take the picture (make the sync), through the access that I gave (door opened / imap connection made). And the underlying understanding is actually that I remain in control of access later on, meaning they can't do it again without me opening the door / connecting again.
Microsoft knows that, because they buried that information inside the webpage that the consent dialog links to, except the dialog doesn't say "important detail there" but "for more information see there" aka pretend the dialog's summary is correct.
If anything, coupled with the awkward Outlook (but not Outlook) naming this is one more of their modern move that will piss off entreprise IT admins. Your employee opens the "wrong" outlook, type his office credentials and then Microsoft now has outside of your corp account a copy of all data of that employee AND its credentials. If there was any actual real competitor in their field they would never be able to pull such crap.
Well, the consent item is "sync" and that translates in your sample more to "you consent to let them take pictures of your house whenever they want". And for that, a key property is the username (or your house key). Otherwise, "sync"/"taking photos any time" would not work. You could argue that "sync" could be considered 1-time sync or permanent sync ... but honestly we talk about IMAP and a permanent connection to fetch Emails. Let us not assume we talk about a one time "sync".
And yes, I agree that Microsoft buried the nasty password detail with the purpose of not disengaging the users. I also think that anything data privacy related, normal users are completely overwhelmed with no chance to ever understand the situation.
I share your thought about replicating passwords. Not to the concrete worry you express but that it is a really bad practice compared to industry practice (see OAuth2 refresh token).
At least in the EU it is.
Explained in detail, here.
https://gdpr.eu/gdpr-consent-requirements/
Consent must be specific, informed, freely given and unambiguous. The user must be able to revoke consent at any time, as easy as it was providing the consent before.
Very clearly the Microsoft "consent" info does not tick any single one of those items.
Illegal.
Or, in other words:
There is much to criticize about the EU. But where the US has brought the world "By farting during installation of this software you consent to us stopping by and taking your first born child" kind of EULAs / "choices", EU's GDPR is forcing big tech to treat humans as humans again (instead of just data).
I don't know why political entities are brought into these conversations other than for some sense of high-horsedness or a figurative pissing contest.
GPDR is good. So is CCPA, COPRA, etc. Meanwhile, both the EU and the US have plenty of predatory legislation that allows companies to do all kinds of fucked up things.
Because nuance is valuable? "GDPR is good" doesn't remotely address its strengths and failings, nor the conflicting incentives and motivations that produced it.
I agree that there's no room for home-team mentality here, but we should absolutely assign credit and blame where it's due, especially when those of us who don't live in a jurisdiction with such a law gain some halo-effect benefit.
My comment wasn't meant as a pissing contest. It's not me who has created GDPR, I did not have a choice of getting born in the EU, it just happened :)
But I am pretty impressed that in these days where most regulations for pretty much everything are defined by lobbyists, GDPR actually did happen, ended up to be a very reasonable set of rules, and actually gets enforced. It was written well, and unlike with other regulations it's not full of loop holes.
Laws and regulations created to the sole benefit of your general population is just something you can't take for granted these days anymore. Therefore, for me GDPR is kind of magic.
It is not stealing anything because you get a dialog asking you for permission to do it
Also, at least according to several comments on nearly any story about movie piracy, it is not stealing because all they have done is made a copy.
Is it asking for informed consent for a change when the ui encourages and defaults to not keeping the system quo
The dialog talks about needing to synchronize your email account. It then goes on to tell that contacts and events are not synchronized. No one will reasonably suspect your authentication credentials are send to Microsoft. Such reasoning of this dialog will never fly in a German court.
I disagree. I think that you can’t consent to something you don’t know about and certainly not something you don’t understand. This includes every single eula that everyone agrees to without reading. In my opinion that is not an agreement, as an agreement requires informed consent.
Unfortunately our legal system strongly disagrees with me but that’s my two cents
When I saw that I immediately cancled my the "new outlook" tryout and wrote in the feedback form I don't want my mails in the microsoft cloud.
"Although TLS protected, the data in the tunnel runs to Microsoft in plain text". What? Not sure if this is a mistranslation but this makes absolutely no sense. TLS is encryption. Why would they further encrypt it "in the tunnel"?
What they are talking about is that your passwords are uploaded via HTTPS/TLS, so an encrypted connection, but what they are sending are you full passwords in plain text over it.
https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...
For IMAP to work you need the original password, not e.g. a hash.
Once you've decided to send the actual password, whether wise or not, the best you can do is encrypt it, and TLS does that.
What else would you expect?
What else would you expect?
I would expect user credentials to not be uploaded without giving an extremely explicit explanation and receiving informed consent from the user.
Also, the credentials have to be stored in plain text. M$ servers cannot auth with your IMAP host with a password hash, so they must be saving the plain text password somewhere which seems absolutely crazy to me.
No, that's just wrong. They can store these credentials encrypted with algorithms such as AES-256. No need to store them in plain text.
This is actually standard security practice when you absolutely have to store a key in a way that you can use it later, such as a password or an API key.
Next time there's a data breach at Azure, there will be fireworks.
I would expect them to at a bare minimum encrypt it using a temporary public key before transmission, in case TLS connection was MITM'ed, and I'd expect them to use those fancy hardware security modules (HSM) they have[1] to protect it on their side.
[1]:https://learn.microsoft.com/en-us/azure/key-vault/managed-hs...
It doesn't matter how well they protect it, they still have the credential, and they decrypt it in order to be able to use it, so for all intents and purposes, it's in the clear _for Microsoft_ (and whoever else manages to have access). This is not how it should be.
Obviously, and this is something they should communicate clearly.
But if they were to provide such a "service" I'd expect them to minimize exposure, including the steps I mentioned.
I was tired and forgot to add they should first check if the IMAP server supports XOAUTH2, and in that case require that to be used.
Still not a great solution but at least not passing the password around.
IMAP supports a multitude of authentication standards, including hash and key-like, so the above is not necessarily true, however it is unlikely that Outlook supports them.
Client certificates are supported by both Thunderbird and K9, would prevent this type of issues.
In the cloud first era, your value is derived from how much customer data is under your control. Not for resale primarily but for stickiness. It's like the dot com era, only for real this time.
Client certificates are supported by both Thunderbird and K9, would prevent this type of issues.
How? Outlook could just ask you for your certificate (+ private key) and upload that.
I would expect that my local e-mail client is making the connection to my IMAP server. Not a connection to Microsoft servers which then in turn connect to my IMAP server.
I would expect Microsoft not to be on the receiving end of my plaintext password.
Another reason to use something else than passwords with IMAP for authentication.
Once you've decided to send the actual password,
Butyouhaven't. Microsoft has decided that for you - without telling you.
The more I think about it - that's not even just a GDPR issue, it's blatant malware behavior.
TLS is only transport encryption. The password will be transmitted in clear before and and after that transport.
This is not at all comparable to other "store my passwords inside the cloud"-systems, where the passwords are encrypted and decrypted on the users' devices, without the encryption key going to the cloud provider - that's the way it's handled in Password Managers, Chrome Auto-Fill etc.
And I would expect Microsoft asking the user for explicit consent "May we take your IMAP password and transfer it and store it in our cloud?" in easy to understand wording so people understand the consequences (for example getting fired for having punched a gapping hole into your employers security policies like "Don't share this password with anyone")
That expectation would match the law in the EU.
And in addition, inside the EU it would also have to guarantee that the password will only be stored on servers inside the EU, and not end up, for example, with the NSA. And even then it still might not be legal.
And from a user's perspective: Certainly a big chunk of users that have been using email software for the last decades would assume that an email client installed on your PC is doing the IMAP access locally. There is no need for your IMAP credentials to go to Microsoft. Merging your local mail store from multiple sources inside the client is what email clients have been doing for the last 20 years. There is absolutely no need to move this to the cloud. Yes, my computer can handle merging email folders.
It’s encrypted between the starting point (Microsoft) and your ISP. Microsoft is the “client” in this case and just like you can read your email in Outlook or Thunderbird, MS can read all of your email that they pull over from you ISP.
Yes I know but saying TLS is 'plaintext' is completely silly. It's like saying your credit card number is transmitted in plaintext when you do a TLS ecommerce transaction.
I do understand the point that the article is making, but implying that TLS is equivalent to plaintext is just plain hyperbole. What else can Microsoft do (assuming they want to do this feature?). Encrypt itagainon the client side, then put it in the TLS tunnel? It's just double encryption at that point. They need the password
FWIW the amount of users still using unencrypted IMAP is often pretty high in outlook or apple mail. Nowthatis a security issue. Try using a wifi packet analyzer at a large conference. I bet you'll see multiple or even dozens of plaintext IMAP passwords going thru the air.
Transit vs rest, maybe?
I suppose they'd prefer it be not transferred at all, but if it were... to be bundled up safely[for storage]before exfiltration
My magic crystal ball just showed me that they're going to use your email for training AI models.
They're just trying to catch up with Google in any and every way they possibly can, users trust, privacy and security be damned.
I don’t know about this. Microsoft would already have a huge body of e-mail to train on with Microsoft 365 and outlook.com if they wanted to I guess?
Yes, but mostly internal corporate emails, stretching back decades, with most of the content about how to violate user privacy using various sneaky schemes. I wonder what kind of A.I. would result from training on such content.
Microsoft have run hotmail/outlook.com for decades.This is a service used by hundreds of millions of people, I would guess mostly non corporate. I think they have more than enough personal email data to train on if they wanted to.
This. I would gather it’s one of the bigger free mail services after Gmail, at least in the western world.
I mean the mails of all their Microsoft 365 customers. Which at least where I live is the majority of all businesses.
Does the crystal ball say anything about what’s going to happen if Copilot or Bing start revealing non-public information to anyone who asks? It’s bound to happen if they train on non-public information. Imagine Microsoft accidentally releasing other companies’ corporate strategies and proprietary internal tech, or people’s personal finances and private social interactions. I would foresee both major litigation and government regulation coming down pretty hard. I would also expect a dramatic migration away from the product if something like that came to light. I honestly hope they’re smarter that this- training on data without explicit permission is already one of the biggest problems with AI efforts.
You use public data only for your external-facing products like Copilot and Bing.
You use all data, public and private, for your in-house skunkworks LLM-AI used by vetted, NDA-bound staff and execs.
Bing won't be able to answer questions like "What are the monthly active user counts for CoolService LLC?" or "What are the manufacturing processes used at Gadgetmaster International?" but maybe DarkBing will.
Even if LLMs aren't good enough to deliver those answers today, they might be in five or ten years, and in the meantime you want to fill the pool of data you're going to feed it.
Cynical speculation? Yes. Eventually possible? Maybe...
Catch up? This is an attempt to re-claim, or solidify, monopoly.
1. Embrace (Sure, Outlook supports SMTP and IMAP! Kinda.)
2. Extend (New Outlook supports IMAP, but only in the sense that we copy all your stuff to our Cloud) <--- We are here
3. Extinguish (We are deprecating support for legacy e-mail protocols, but it's okay because all your old stuff is in M365 anyway)
The dream of decentralized e-mail based on open standards is dead.
Definitely scummy behaviour but it's funny how someone always has to bring up EEE and try their hardest to contort whatever the subject is to fit within that definition.
Back in my day we just wrote Microsoft with a dollar sign for an S
Do you really think this is a particularly try-hard contortion?
Microsoft has supported IMAP for decades. And, even today, they're nowhere near the top of the heap in email control.
So what exactly is the goal of their master plan? They stop using IMAP for their Hotmail and Outlook.com accounts? Big whoop. The mass of people on Gmail and icloud.com/me.com services will just download one of a dozen other apps. And then just slowly stop using the outlook required accounts; unless mandated by their companies/corporate offices, wherein they just run two clients.
EEE was a policy Microsoft had when it gained monopolistic position in a field. It's misguided and inaccurate to try to apply it here.
A mail client supporting IMAP from the beginning, and then waiting almost 30 years to move on to step 2 of their evil plan? yeah I'd say so
Wait for "Microsoft would never!" brigade...
No, it's just that the Halloween Documents are now obsolete, not because Microsoft is kind.
It's because there are newer and better sharks out there, and you guys haven't caught up to the last 1-2 decades.
For example:
Funny how all the antitrust stuff melted away in recent years. It's almost as if the parties involved see that their interests are aligned.
I mean it's easy to claim your actions don't hurt your competitors when you haven't got any.
Turns out, if you are using an Oauth2 backed service (G-mail) or something like iCloud - then you are fine. It's only for local IMAP accounts (think: your ISP email account) where you type the password directly into the settings that Microsoft is doing this.
Doesn't make this any better- but before you worry that MS has your Google account password, they don't.
No, they only have a Oauth bearer token that lets them impersonate you to the IMAP server. But it's not your password so that's cool, right?
For Google and Apple at least, wouldn't you get a message saying that a new device has attempted to connect, asking you to confirm?
No. The dirty secret is that OAuth tokens, JWTs and whatnot are just as bad as passwords and cookies in terms of credential theft, the difference is only in built-in expiration and scope.
But would you not get a "A new device has accessed your account" warning? Or it that skipped because the token is already validated?
No. A bearer token (which almost all credentials are) doesn't say anything about the device that is using it.
Thesoleexception are tokens tied to a device's HSM (TPM, Secure Enclave, TrustZone, ...) - you can't clone these onto another device.
ETA: to expand a bit... passwords, SSL client certificates, JWTs, tokens generated after a SAML assertion, they are all fungible bearer tokens. A server has no way of verifying if what is presented to him is originating as an intentional act of a user, or if a malicious third party has duplicated the token somehow and is using it from somewhere else. An attacker can act just the same as the user themselves can. A HSM-backed token, i.e. having the server send a preflight challenge value, and the client HSM signing that challenge together with the token to send back with the actual request, at least proves that the request originated from the device expected to be in control of the user. However, such a scheme comes at a high cost - the user needs to be in possession of a capable device, the HSM needs to be secure, and doing preflight requests to obtain the challenge adds considerable latency.
I didn't get such warning when I connected Outlook to my Gmail.
But I had to click accept on the Google form requesting my permission to grant Outlook access. So I was informed when the app was connected.
I'm not sure how you would count "new device", since that token is going to be used by a random Microsoft cloud server, potentially different every time.
So just like every other connected app, right?
How are they supposed to access the emails without some sort of token?
While it's probably not many companies that works this way, and use Outlook, I do wonder what happens if your IMAP is on a closed network.
It is completely possible to have SMTP and IMAP be on internal networks and not on the internet (SMTP obviously needs a way to rely to a internet connected buddy).
You wonder what needs to happen that would make people stop using Windows.
Shouldn't be too hard:
1. Remove it from schools so kids don't grow up used to it
2. Stop it being bundled with new PCs
3. Get companies to stop using Excel
4. Convince gaming companies to stop making first class support for games for Windows
5. Make all existing important software and games work just as well on Linux
6. Get NVIDIA to make Linux a first-class citizen
Surely you are being sarcastic?
The only sarcasm there is the first line.
3. Get companies to stop using Excel
Libre Office is just... not there. Something is seriously wrong with it.
Anyway, Linux Desktop is ready for the mainstream. I can typically get away with Google's suite for Office. All of my workflows work fine with Linux, and I have hobbies from 3D printing to electronics to writing to creative work.
I use Excel on my mac just fine.
For most users, it’d be nearly perfect, hiccup-free compatibility with Windows software and a desktop experience that is identical to that of Windows wherever practical so there is no learning curve. In other words, when users can’t tell they’re not using Windows.
Anything less won’t move the needle, at least in the short term. People don’t like change and they don’t like thinking about their tools. You see this even with macOS, where switchers only put up with learning because there’s immediate tangible benefits like long battery life and reduced heat/fan noise acting as a carrot, and even then sometimes that’s not enough and they end up falling back to Windows.
Isn't this exactly what BlackBerry used to do?
Privacy wise it's distasteful but it does work around a lot of IMAP's problems which still don't seem to have been fixed in the ~20 years that they've been known about...
There are no such IMAP problems, at least ever since IDLE was a thing (which arguably you could argue may have not been a thing up until the 2010s, even if it's technically from the 2000s).
It's just all political bullshit -- the same reason you can have decent IMAP clients on Android, but you can't on iOS (they have to resort to tricks like this), except if you're Apple.
Isn't there still a limit of one watched mailbox per TCP connection?
Yes. But you're going to have a unique TCP connection per host, at minimum.
Unless I'm misunderstanding the problem you're raising, it seems like a non-issue for the majority of people with multiple accounts (a work email, a Gmail, a hotmail; for instance).
A unique connection per host isn't too bad. But I have 12 connections for each of my desktops and laptops and phones and tablets...
As you say the problem is somewhat caused by Apple and Google forcing apps to use their proprietary notification systems so that e.g., mail can be checked while a phone is idling. But the end user does not care about the market abusing power of the monopolies--they wants instant notifications when they receive mail...
Google is _not_ forcing, only Apple is. This cannot be emphasized enough.
You can still perfectly have dozens of background TCP connections idling on Android with no issue. The only caution you need to take is to synchronize the keepalives (otherwise the radio may take stay on for too long, hitting your battery life), but this was solved back when Android was still Danger.
As evidenced by the power analysis of IM apps that was here on HN a couple weeks ago, there is no discernible advantage to using Google notifications versus just keeping your multiple TCP connections idling in the background: Conversations is a Jabber client which does the second and was practically the most power-friendly client of the entire Android ecosystem.
I thought that's what every email provider does? Fastmail has the same feature where you can provide your credentials and they'll fetch the emails from other providers for you.
Many webmail services offer this, but the difference is that the Windows program is a local program, not a cloud service.
The Outlook app for Android does the exact same thing, copying your email to the Microsoft cloud and then serving the emails to your phone from Microsoft's servers.
Many webmail services offer this, but the difference is that the Windows program is a local program, not a cloud service.
Is it really? The comments on the original Heise article mention that Heise actually misunderstood it and it's basically just a link to the web interface in the task bar so it's not a local app.
I can't see any indication that it's actually a web interface in Microsoft's announcement.
Looking at the Microsoft Store entry (https://apps.microsoft.com/detail/outlook-for-windows/9NRX63...) I don't really see any indication of it being a web app either.
Maybe they're hiding their web app Electron/Tauri style, but I would certainly expect it to be local-only based on the way it's advertised and designed.
If I instruct fastmail or another provider to fetch mail from a different email provider on my behalf so that I have it in one place then that is a deliberate decision I make. If I connect to my mail provider via IMAP/SMTP from a local application (Outlook, Thunderbird, mutt or whatever) I do not expect my credentials to be exfiltrated to a third party so that they can also fetch my mail. In fact, I would consider that to be criminal behavior if not VERY clearly communicated, with all it's implications.
The difference here seems to be transparency.
Microsoft is allowed to do whatever it wants with impunity, including stealing your password and tunneling back to their servers in plain text
Wow, just wow
It's not plain text, it's encrypted via TLS
Well, two counter-points: 1. their TLS implementation isn't secured against MitM attacks. 2. They receive the the full plain text password, not a a hash.
Not sure if it's apparent from the English version of the article, but Heise performed a successful MitM attack to extract the plain text password from the daa stream.
What use would a hash of the password be when the purpose is to log in as the user?
You're correct it's necessary for how they use this, to impersonate a user and 'clone' their email data. But then, that is the problem, they shouldn't be able to do this at all.
it is not a hash
I've had all my Google Translate posts taken down with the ask to post it in the original language, but this one somehow stays up. Mysterious are the ways of the mods.
The mods need to sleep sometimes.
I'm fairly certain they're on different timezones and a 9h span with a front page link has been noticed by several.
I'm fairly certain they're all in the US and this post has been on the front page for only a little more than an hour:https://hnrankings.info/38212453/
Wasn't aware of this rule, has been one of my first submissions.
If any mod wants to modify...
Original is:https://www.heise.de/news/Microsoft-krallt-sich-Zugangsdaten...
Deepl-Translated PDF version:https://www.scamp.de/stuff/heise_windows_outlook_stealing_im...
I'm not surprised to be honest because the 'new' outlook is simply the old office 365 version of Outlook Web Access in an element wrapper. They don't seem to have added local storage or local imap support but they simply sync your mail into their cloud instead.
I wouldn't be surprised if this is a ploy to offer users a 'migration' to a paid office 365 subscription later.
The old windows mail was ok even though it wasn't very full featured.
I can't wait for a "Mail" app that can't be properly removed, and keep restarting itself with the computer just to nag you to upgrade from the tray, like they did with One Drive.
Don't wait, leave. Get on an OS that serves you.
This. I hardly understand Linux but I tentatively switched to xubuntu in 2017. Ever since, I only boot windows once every 3-6 months for some proprietary software.
It's an amazing feeling when your OS isn't insisting left and right on behavior you don't want.
When combined with the rate limiting on 365 email api and ultimately removing imap access this seems like a strategic goal to capture our data.
The dark patterns pushing content to one drive from office apps and web access opening attachments and keeping them in one drive is another example of this data grab.
It’s an example of shareholder value trumping customer value, the primary purpose of cloud is to make you pay more without having to provide more in return.
When combined with the rate limiting on 365 email api and ultimately removing imap access this seems like a strategic goal to capture our data.
While I agree with your other points, I'm not sure how this one works. If you're using Office365, you're already having your mail at least go through their servers. What difference does IMAP make to their snooping intentions?
seems like a strategic goal to capture our data.
Sure is good they're not an ad company then. /s
The majority seems to like one-drive. In theory having everything in one place sounds great. Few people think long term. Customer value trumps customer value if you ask me. IT departments and clueless users love MSFT and that will never change. Embrace it.
It’sfunnybut anyone who’s ever used Gmail’s “Accounts” tab on its options page, has voluntarily given Google their passwords to keep forever.
Now Microsoft wraps their web UI in a “native” app and everybody loses their mind.
It’s hardlyunusualfor an internet-connected app to be at least partially run in the cloud in 2023. Much less unusual when it’s something related to MS365 and AI (one of the banner features of this new release)
False equivalence. In one case, credentials are deliberately given for remote use. In the other case, credentials are expected to be used for a direct connection, but are instead taken for remote use.
One is an explicit delegation, while the other is a man-in-the-middle attack.
I don’t think so. Remote or direct is only something we think about. The general user could not care less nor know the difference. Hardly a false equivalence.
What's the difference between this and some of those other email apps like Spark?
Spark does the same thing. Infact, many email clients do this, so you may want to read the fine print before using them.
I know. That was my point. People are in an uproar, but I bet a lot of them use Spark, etc.
German IT magazine has uncovered that with Windows 11 Update 23H2 if you accept the "recommended" new version of Outlook the client may be uploading your secret IMAP credentials to the Microsoft cloud.
If you are trying to add a "local" IMAP/SMTP account, there is short notice that Outlook needs to "synchronize" your IMAP account with the Microsoft cloud.
It does NOT explain that what this actually means is that it will send all your credentials including your passwords in clear text to Microsoft.
Microsoft's support document to this also only mentions:
"Syncing your account to the Microsoft Cloud means that a copy of your email, calendar, and contacts will be synchronized between your email provider and Microsoft data centers."
No word that it means that they are uploading your passwords.
This is evil. And at least in the EU, illegal.
I have not yet found any report on this in english-language IT media, and therefore have provided a Google Translate link to the report in German.
big if true, i mean what a footgun. Imagine the target they are painting on their back, with all those credentials now harvested.
Yeah, it's true. c't magazine is the biggest IT print publication in the EU, and is highly respected and known for investigative journalism. It looks like the pictures provided which show what they captured is sent to Microsoft (your passwords in plain text) aren't shown if the page is viewed via Google Translate.
So here is the original page URL:https://www.heise.de/news/Microsoft-krallt-sich-Zugangsdaten...
And here is the picture that shows what they have captured is sent to Microsoft:
https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...
Sorry I can't read german but do I understand properly that you give your gmail password to outlook (microsoft) and you are surprised that outlook does whatever it likes with the password ?
I think it's a surprise that that password is going off device. The default mail app traditionaly and sensibly is a local only client and and "sync" features have not behaved in this fashion in the past.
To call the "new" Outlook a horrible piece of software, would be an insult to actually horrible pieces of software. They're one tier below that, wherever that is.
The fact that this is acceptable, in their narrow minds, is insane
I wonder if Microsoft execs themselves use this crap, and what they think of it
This is the horrifying core issue: "When creating an IMAP account, c't was able to record that the target server, login name and password were being transferred to Microsoft's server. Although TLS protected, the data in the tunnel runs to Microsoft in plain text. Without informing or asking, Microsoft grants itself full access to the IMAP and SMTP access data of users of the new Outlook."
To be clear: this is for accounts not hosted on Microsoft servers. They likely copy all of your existing mails to their servers, and any future mails sent or received also run through their servers.
How is that not a $1 billion fine under European law?
I have now translated it as a PDF using Deepl. Much better translation, and you can see the images, too:
https://www.scamp.de/stuff/heise_windows_outlook_stealing_im...
thanks. with the screenshot of the json payload it's quite frightening and explicit. they did not even try to conceal it...
How is that remotely even legal? That's actively malicious behavior.
Apple has also started to try to get users to switch to their Mail app, at least on iPadOS. Every time I switch gmail accounts on the web UI in Chrome, I get a popup from Mail asking me to set the account up in Mail.
I can't turn it off.
just one word: Linux
If you have large mailboxes, this would steer you toward paying for cloud storage at Microsoft, which might be a surprising bill to face.
What do you call an economy where the central establishment keeps stubbornly giving consumers things they don't want?
Everything will run in Azure and all apps will be web apps. You can count on that. This is a clear strategy from Nadella and I doubt anything will change his mind.
I only use Knock-OutLook for Microsoft accounts. They have my password already, so no lost security there. Synchronizing email accounts is useful, but I never thought worth the hassle before or after Outlook.
Who on earth approved something like this at Microsoft?
I filed a GDPR complaint regarding this when they released it on Mac, because it is not transparent what data Microsoft stores when you stop fetching email over their Exchange proxy. This was their response, after 3 months...
• How long is mail data fetched from the non-Microsoft server retained? On 31st day of user inactivity we mark the account for removal. The account is soft deleted, and the data is purged within a week (approximately) after that.
• What happens with an account that is no longer being used? Does the service continue fetching and “enhancing” mail data or does it happen on demand when a user opens Outlook? - If the user is not signing into the 3rd party accounts using outlook mobile, Teams for life or Outlook for Mac. We stop syncing any data after 7 days and mark the account for deletion after 30 days.
• How do I know what data the service holds? - Service holds Mail, Calendar, contacts data and profile data for the user (User provides consent to collect this data during add account flow).
• How can I make sure data is no longer retained? (e.g., does logging out from Outlook delete the mail data and credentials?) - When removing the account in Mac you can choose to "Sign Out On All Devices" which deletes the mailbox from the Microsoft Cloud (Exchange-backed mailbox where the third-party account is being synced).
I also filed a complaint about not making it clear if data is required for processing (Article 13, Section 2(e) [1]) - but the supervisory authority ignored me on that one.
Without google translate (german):https://www.heise.de/news/Microsoft-krallt-sich-Zugangsdaten...
I installed the new Outlook just a few days ago and I almost immediately started to receive emails like "I recorded you, pay or I'll share your files with everyone" on my customized email address. I thought it was a coincidence but now I am beginning to have doubts.
This could become a bit of an issue. There's a reason why you're using IMAP in the first place, typically.
Hopefully this doesn't apply to eg. Outlook365 as well.
Does this mean the new Outlook is actual malware? It's literally stealing your password.
How else are they supposed to get your emails to train their ai models?
Not to mention that Microsoft authenticator seems to be required now.
As an email host... I've been turning New Outlook off for clients for weeks trying to explain this.
Apart from the security issues, it's also very annoying to have to explain that I can't actually troubleshoot any IMAP connectivity issues when your machine isn't the one thats actuallymakingthe connection.
Now we've been internally discussing whether we should just firewall off whatever Azure ranges are connecting to our IMAP backend servers and intentionally "break" the functionality. Not my first choice, but users keep seeing the "New" toggle and turning it on, causing all sorts of other uncontrolled chaos!
Cloud-first, in all the wrong ways. It's supposed to be a local app..