> Cisco Umbrella

My current employer was somewhat recently purchased by a large, publicly-traded company and I had this installed on my work machine. Suddenly DoH was forced off by administrator policy and I had to use some specific internal IP for DNS. Which isn't strictly less secure but let's just say I would, even for my large, publicly-traded business, trust Mullvad more than Cisco.

Well I can't speak for everyone in IT or every situation, but this does not match what I've experienced.

IT is basically being a system integrator with a load of systems that don't want to integrate. Corporate don't accept no for an answer. You need to bend things in ways they don't want to bend to get them to fit.

> The flashing cmd.exe windows are not drivers from Windows Update

The first thing I do with any new corpo laptop is completely wipe it down to the firmware, and clean the drive entirely to make sure the stench of Dell, Lenovo and HP is as cleansed as it's possible to be, then install Windows from a fresh ISO downloaded straight from Microsoft.

Then a few hours after reinstalling Windows again, the Lenovo shitware drivers are back. Not the software suites, at least, but the crappy drivers that throw up cmd prompts and have un-suppressible dialog boxes telling you to update the BIOS but look like malware and ask for the admin password. Check Windows Update and it will show that it has installed a bunch of stuff like "Lenovo - System" and "LG Electronics - Extension".

Recently there's a push to dropship directly to customers and use Autopilot, with some vendors now offering "Corporate-Ready" images, but most IT depts still prefer to get hands-on first because of how flaky that is, plus even the corporate ready image still comes with shitware, just less of it.

But anyway, even assuming it isn't coming via WU, and is one of those Lenovo bootkits, what else are we to do? Half the laptop won't work without drivers. Most of the other laptop manufacturers are aimed at gamers and fall apart in about a year. More recently I've been trying to move towards Microsoft Surface devices, and have found they're a much cleaner experience on the software, but have been finding the hardware reliability is quite terrible. I'm hoping that Framework's business programme turns out to be a success, but right now there are just no good options.

> You don't need a proprietary solution to remotely upgrade Google Chrome, just specify an enterprise policy with auto-update.

Sure. Chrome can be auto-updated and you have good controls over how that rolls out, so you can designate test users. But it's one of the few bits of software written "properly", including for example a Windows service that can run Chrome updates on behalf of a non-admin user, and they've actually provided GPOs to configure it. Even then it sometimes gets stuck and stops updating. So, we still need something like PMPC/Robopack/PSADT to update all the apps that either have a broken auto-update mechanism or just don't have one in the first place. We would also need to keep the original installer up to date ourselves, and for some software you're talking a day of fixing your manual packaging scripts every month, trying to work out which undocumented flags the MSI accepts, whether they've renamed the registry key they check to disable the non-functional auto-updates this version, etc.

Nowadays, we're starting to see more adoption of things like winget where the vendor themselves are packaging things in a way that is suitable for mass deployment, using a standard mechanism that Windows itself can use to auto-update the apps. This is a massive improvement for everyone, but I'd say only <10% of most corporate/LOB apps are available this way yet. Hopefully over the next few years we'll see more adoption, as this would solve a big chunk of the pain of corporate IT.

One of the worst vendors for writing stuff that doesn't use the standard mechanisms to install or update, incidentally, is Microsoft.

> The URL checker has no valid benefit, and makes it so people can never learn how to do it themselves. The browser performs the exact same checks with the exact same capabilities through its safe browsing stuff, and corporate IT often has network-level solutions too.

Nobody ever does it themselves which is the point. Also, if you're opening it on a corporate computer, current versions of Outlook do actually show you the original URL when you hover.

But anyway let's say we just rely on the browser check: what if it's a developer who's modified their browser settings? What if it's someone opening it from a personal phone? You could get rid of the URL rewriting and just ban users from using personal devices or modifying browser settings, but then you're going to war with senior executives who insist on keeping their work email on their personal phone. Almost all users don't even notice the URL rewriting, but it has prevented quite a lot of phishing attacks on personal devices that may otherwise have been successful. That's a pretty good trade-off for something that almost nobody notices is even happening.

Indeed, network TLS interception which would often have detected stuff in the past, but many corps have moved away from that now because as you point out, TLS interception is pretty crap. It breaks the increasing numbers of apps that use cert pinning, tends to be full of security flaws, and they don't work off-network unless you send all traffic to a central server or deploy it to every PoP, which is rare outside of megacorps, meaning internet experience is slow and flaky. Cisco Umbrella is a big suite with lots of other stuff too, but they do still push their TLS interception. MS advise not to use it, and the weight of opinion is shifting towards using URL protection built into the antimalware stack now, but unless we have full control over all clients accessing email, that doesn't eliminate the use case for URL rewriting.

In any case, this isn't something external we've bought in on top of the standard Microsoft 365 stack, it's part of Defender that Microsoft enable by default in their secure baseline. Going against vendor recommendations is opening yourself up to a big liability if it turns out something gets through that it would have caught.

> Corporate IT uses emails services that spoof domains and look suspicious

You'd be surprised how often vendors just directly email users without you ever having approved it or having been informed that they were going to send an email so you can pre-warn them. Again, Microsoft are one of the worst for doing this (e.g. sending emails from "User's Full Name <no-reply@sharepoint-online.com>"), but Google and Apple also do it.

> Say, they had a ransomware incident, and now they're buying every ransomware product for a few years. Stuff with such buggy kernel code that it deadlocks and makes it impossible to create new processes until you hard reboot.

Any company that is just stacking loads of conflicting antimalware products on each endpoint is clearly incompetent and not something I've seen, and I've seen some pretty shocking stuff.

There was obviously the Crowdstrike issue, but that wasn't as you describe, and as much as I'm not personally a fan of Crowdstrike, that was one major incident it caused, but you're not comparing to the counterfactual where these systems didn't exist and 0days can just spread across the network faster than an under-resourced IT dept can stop them.

I'm unusual in that I moved more into IT and cybersecurity stuff from dev, so you know, I do have sympathy for how shit this can be as a user and a developer. I have a lot of hot takes about the shitty state of technology today and how it trains the users to do dangerous things. But believe me when I say this: if there was a better way of doing it, I would be the first one adopting it. There isn't, though. At least not one open to those of us outside of Big Tech with the budget to essentially write their own security stack.

It's not really an easy answer as (1) it doesn't stop phishing attacks hitting work emails so isn't really relevant anyway, (2) most people, executives especially, don't want to cart multiple devices around, which is why we now have to deal with the security nightmare that is supporting work stuff on BYOD phones, (3) I don't work for a SV company with the budget to buy everyone two laptops, and if we did, honestly I think most people would prefer a better single laptop than two mediocre ones. Besides, most people just treat their phone as their personal portable device now. The odd person brings their own laptop.

Developers are the exception here, where usually they'd prefer to develop on a machine with minimal BS running, even if it means carrying around an ultraportable in addition to their development workstation laptop.

Your "crazy" proposition is exactly the reality at many companies: the work computer is increasingly isolated from the Internet. At my last employer their game plan for employees was to move the whole web to a whitelist approach - if you want to browse the web freely, use your personal computer or personal phone.

So most of us carted around a work laptop (connected to corp WiFi) a personal laptop (on guest WiFi or tethered) a work phone and a personal phone.

In other news, you should never ever MDM enroll your personal phone with a work BYOD policy.

Just call one business internal and the other one LLM inference. You don’t want AI crafting packets on business internal.

> heard IT pays a lot with not much work

I want to live in this fantasy world!

(Our IT dept is so overworked that I go out of my way to work around them purely out of empathy.)

No one in IT wants to deal with that stuff. Upper management requires it for compliance and cyber insurance.

My company does similar phishing thing.

Except their system adds extra headers related to the phishing… Wonder if they even know…

Thus, I created an Outlook rule to automatically move them to a dedicated folder… (;->

My university pulled the same BS 10-15 years ago. The worst part is that they sent the "test" email from the same email address they use for all of their other announcements, and then had the gall to send an automated "shame on you" reply if you clicked their link.

Knowing what I know now about the IT staff and professors and knowing in hindsight only 3-4 of my CS classes were of any relevance to my work, I seriously regret not cheating my way through undergrad. I wish I could take back the time I wasted on Java and spend it with my N64.

Hey, simulating the hack is a lot better than using some canned tool with blatant knowbe4 urls.

There's no legitimate case for that since PSD2 (mandatory since 2020). Are you not confused by that? PSD2 doesn't share your credentials.

I'm an European and have never needed to use nor encountered those services.

Care to mention what these legitimate and established services are?

Name and shame: Klarna did this.

Not sure if they still do because i stay well clear of them.

I find this hard to believe and have never seen that ever.

Are you talking about the possibility to pay via your bank account directly on a checkout page? If so this is the bank page you are using.

Can you give some examples?

Multiple US hospitals and insurance companies use genuine links like doctor-services-for-u.biz - infuriating.

Are you sure? Never seen any such thing.

Well it's probably hard for anyone except Microsoft to get a domain with the .microsoft TLD.

My IT department use the official Microsoft phishing test. The emails arrive in inbox with 0 headers. (There's also a helpful Microsoft page of all the dodgy sounding domains they've registered for this.)

I just don't check my emails anymore. If it is important, people will complain on teams that nobody answer with some sort of urgency and then I'll look for it specifically.

Mind sharing your filter rules? KnowBe4 uses X-PHISHTEST header and I think I saw Proofpoint using something similiar a few years back

I did this and it worked for a few months before word got to security who then forced everyone to remove the rule.