I would consider this innovative, but Office365 has had this built in (and as far as I can tell impossible to turn off) for years. What used to be a sensible link turns into a vast "safe link honest, guv" mess. I call it "man in the middle attack as a service".
I went to a government committee meeting, first one of the committee to get the ball rolling. 2+ hours of everyone introducing themselves, to folk who already know each other.
And we're adjourned. Next month we'll discuss the rules of governance for the committee.
That's two of the total 6 meetings the committee has allocated.
And all the bureaucrats made plenty of show for the "progress we've made".
Same with PayPal. I've received perfectly valid emails direct from PayPal that include random sketchy links from third parties that are obvious phishing expeditions. I reported it to PayPal, but the ability still exists.
That's inherent to features that allow user generated content, which is obviously mandatory in the context of PayPal's invoicing feature.
The only reason why companies don't care about it in the context of mail is because there is no equivalent to safe browsing for mails, so domains aren't penalized by Google for sending fraudulent messages at small scale.
If this was to change, they'd all pivot to using secondary domains for these mails, like GitHub does for GitHub pages.
It would also be a pretty pointless feature as you'd probably complain anyway, as the email would still come from a PayPal owned domain.
On the same topic: if you've got a Gmail address you're also able to send from @googlemail.com
How about disallowing urls or even just vetting urls in the messages sent from your own service? One of the ones I received was a link to a fake PayPal login that was something along the lines of (making this up) http://login.PayPal.com.somethingsketchy.biz/login.php and was a replica of the PayPal login screen. It was pretty blatant. Seems like they should figure out a way to avoid that is all, because I know my mother would have put in her PayPal credentials to that site and I'd be hard pressed to fault her for it. We train users to check if it's a valid/real email before clicking on links and this was a perfectly real email sent from PayPal with a malicious link. This seems like PayPal's responsibility to me. I'm shocked they don't care about this.
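As an added illustration (not written by any commenter here), this shows why the made-up look-alike URL above fools a casual reader: a substring match on "paypal.com" accepts it, while checking the host at label boundaries rejects it. The sample URLs are constructed; the Public Suffix List caveat is noted in the code.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the look-alike URL quoted in the comment above.
LOOKALIKE = "http://login.PayPal.com.somethingsketchy.biz/login.php"
TRUSTED_DOMAIN = "paypal.com"


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercased hostname of a URL, or None if it has none.

    urlsplit() strips userinfo and the port, so a URL such as
    https://paypal.com@somethingsketchy.biz/ yields "somethingsketchy.biz",
    not "paypal.com".
    """
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def belongs_to(url: str, domain: str) -> bool:
    """True only if the URL's host is `domain` or a subdomain of it.

    The check is done at label boundaries: "login.paypal.com.somethingsketchy.biz"
    ends with "somethingsketchy.biz", not ".paypal.com", so it is rejected even
    though the string "paypal.com" appears inside it.
    """
    host = hostname_of(url)
    if host is None:
        return False
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def naive_substring_check(url: str, domain: str) -> bool:
    """The mistake a human (or a lazy filter) makes: does the text contain the brand?"""
    return domain in url.lower()


def registrable_domain(host: str) -> str:
    """Naive guess at the domain the browser actually lands on: the last two labels.

    Caveat (assumption, not from the thread): production code should use the
    Public Suffix List instead, since this heuristic mis-handles multi-label
    suffixes such as co.uk.
    """
    return ".".join(host.split(".")[-2:])


if __name__ == "__main__":
    print(naive_substring_check(LOOKALIKE, TRUSTED_DOMAIN))  # True: the trap
    print(belongs_to(LOOKALIKE, TRUSTED_DOMAIN))             # False: correct
    print(registrable_domain(hostname_of(LOOKALIKE)))        # somethingsketchy.biz
```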
Vetting is impossible; the scammers can just change the content of the page after the PayPal bot requested the website. Human vetting is even more impossible; invoices will always require unique links for each mail.
Nor does it matter whether it's a clickable link or text in this context. The only way to "solve" your issue is by removing user generated content, which makes the invoicing feature inherently impossible.
If you're seriously shocked that PayPal isn't decommissioning a highly profitable feature because a random carebear worries about their family... Then you're honestly out of touch with reality.
Most people nowadays know that emails are untrustworthy, and if your family doesn't... Then you should tell them that, as they're bound to get scammed eventually if they click on any links from their inbox.
I sent a URL through Teams to an Ops guy to put in an Nginx configuration file as an upstream server. He just copied and pasted and it's now a configuration file in production with all of the parameters Teams added.
As a G Suite user, my "favorite" (/s) M365 feature is those "WARNING: EXTERNAL EMAIL" banners. Whenever I'm in an email thread with someone whose company adds those banners, it breaks Gmail's ability to collapse the previous messages at the bottom of the email.
I also recommend the developer's blog. Very detailed and hilarious articles https://mango.pdf.zone/ I laughed myself to tears reading Operation Luigi: How I hacked my friend without her noticing[1]
There is an archiveteam project to index all the shorteners and where they direct to. I think it's the default project if you're running the warrior and there's nothing more important going on.
No training needed. That ship has sailed. You could call the link click-here-and-you-will-get-scammed.com/drain/my/bank/account.asp and your colleagues, friends, and family will all click it.
Personally, for long-running things, metered cloud has two upsides:
- IaaS, static hosting, etc. can maintain security updates on their end. My own VPS will eventually be broken into if I don't maintain security updates.
- Many things are accessed only intermittently. For low access patterns, it's cheaper to pay for what you use.
What I'd really like is something like Heroku, Amazon Lambda, or similar, but with an open, competitive ecosystem, and without vendor lock-in.
I don't use these services because I've seen the prices Amazon asks for a gigabyte of traffic but I think you'll have to have VERY intermittent access to make these scaling providers worth the money.
If you expect your website to one day go from 100 requests a month to a million a day and expect that traffic to continue from that point on, these services will be a huge benefit for uptime while you rework your code to a more reasonable system. However, a simple $10 VPS with Nginx can handle much more than people seem to expect, assuming you don't use some excessively bloated platform or your content can be cached.
In terms of security updates: a cron job to reboot weekly and unattended-upgrades will keep your server safe without much to look into. Your only risk will be end of life software, your own code, and your dependencies, but those aren't fixed by going with some managed platform either.
There are definitely upsides to these quick deploy tools if you want to iterate quickly with an API that's not accessible from your dev workstation; setting up a multi-tenant K8s/Docker/whatever server to deploy to is much harder than giving devs API keys to push to external parties. But I wouldn't consider these services for 99% of the stuff I would deploy.
"Very intermittent access" is the use-case for most things I build. There's a short tail -- I've built a platform you've heard of and, given this is HN, more likely than not, used. Then there's a long tail:
- Home automation
- Municipal / school / community sites
- Personal web page
- Various internal automation within my organization
... and so on.
These are things which:
1. Require very simple technology (E.g. storing data in a small key-value store is more than good enough)
2. Should work for the next decade or three with no maintenance
3. Expect to be accessed maybe a couple of times a day, if I'm lucky, and probably much less
4. Most will never scale to gigabytes of data, ever
For real. I once worked with a non-IT company who just had one junior developer responsible for everything IT, including websites and their management. When I asked why they don't run everything on some dedicated instance with X GB included in the plan instead of fancy bandwidth pricing so they have static sums to pay each month (the reason I was pulled into the project was to decrease spending, which increased each month as traffic increased), the person said something akin to "What? How? I didn't know you could even do that".
Had a similar thing at my place. We spend extortionate amounts on AWS for a load balanced setup - we don't make any real use of any of their other services so it's not like we're reliant on them for everything. The guy who set it up had (and really still has) no clue that you can get just as reliable a setup at a fraction of the cost using a few bare metal servers.
Of course when I suggested that we use a huge provider (I think it was probably Hetzner) it was shrugged off as being a bad idea because "they probably run them out of their garage", ignoring the multiple datacenters spread out across Europe where our primary clients are based.
"£Free" is rarely £0. It usually means "£you do some of the work yourself and we indirectly profit due to metrics/economies of scale/network effects/data/kudos".
I don't think that's the trick at all. Running up bills will only make people leave for other services once their business does get money flowing.
Instead, I believe the reason cloud companies give away free stuff is the same reason Microsoft will give away Windows upgrades to students: if their weird, proprietary API is all you learn, you'll only be able to get started quickly on their platform so the moment you need to pick tech for a small business/your startup, you'll be quicker to choose their service.
There's a reason AWS Lambda (and Azure's competitor) is free but OpenStack/vSphere providers expect you to pay off the bat: if your workload and knowledge transfer (relatively) easily, there's no lock-in with which to trick people into choosing you.
For $2.50 you can get 1 vCPU, 512MB RAM, 500GB bandwidth, and 10GB storage from Vultr[1]. The only catch is it's IPv6 only, you have to add an extra dollar monthly to get an IPv4 address ($3.50).
For $5.00, you get 1GB of RAM, 1TB of bandwidth, 25GB of storage, and an IPv4 address. Not bad...
1 GB, and 20 GB disk, at OVH. With unlimited bandwidth.
Here though, that service could be hosted on a static website (free at github/gitlab/Cloudflare/etc), with client-side javascript used to decode data encoded in the url fragment.
Hmm interesting, haven't heard of those yet. Though seems like I was a bit off, DigitalOcean has a 512MB instance for $4 and Scaleway a 2 GB one for $6.5. But then again Scaleway will also nickel and dime you separately for the IP, the HDD and anything else that they can possibly think of.
Hmm, I just double-checked OVH's VPS offers and actually, it's 2GB RAM, 20GB disk, 1vcore, unlimited 100Mbps for €3.5/month (€4.20 with VAT). That's their "starter" offer.
I suppose it could be used to help auto-generate those phishing-test emails to see if employees click on shady links, but they all really point to a phishing training page.