arghwhat 6 days ago
I do not believe this is a trade-off, I believe this behavior from corporate IT is a primary cause of the problem. I do agree that dealing with users is awful, but that doesn't justify solutions that only make things worse.

The flashing cmd.exe windows are not drivers from Windows Update - this could have been the case, as drivers shipped with Windows Update are a total security nightmare, running arbitrary code with administrative privileges upon hotplug - but in this context of managed devices, commonly from HP or Lenovo's corporate portfolio, it's usually additional products and changes pushed by group policy or random management software. The often changing user prompts, looking like they were from some early-2000s hello-world example, come from obscure and overlapping management software they remotely deploy, which they change at will.

You don't need a proprietary solution to remotely upgrade Google Chrome, just specify an enterprise policy with auto-update. You don't need a proprietary solution to prompt users and manage Windows Update, because you have... Windows Update.

The URL checker has no valid benefit, and makes it so people can never learn how to do it themselves. The browser performs the exact same checks with the exact same capabilities through its safe browsing stuff, and corporate IT often has network-level solutions too. Corporate IT uses email services that spoof domains and look suspicious, reversing all the phishing training they paid for.

Not to mention that corporate IT might deploy network-wide solutions like Cisco Umbrella, which is a TLS man-in-the-middle attack where you install their root CA on all machines and let them control DNS to randomly redirect all traffic to their servers, effectively undermining the basis of all modern web security for the entire organization.

In general there's a fetish for buying products that have a significant negative impact on security, user experience and the possibility of training users, usually for the purpose of feigning progress and meeting some targets. Say, they had a ransomware incident, and now they're buying every ransomware product for a few years. Stuff with such buggy kernel code that it deadlocks and makes it impossible to create new processes until you hard reboot. I'm sure that's not a security problem!
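The root-CA deployment arghwhat describes can be checked for on the endpoint itself. The PowerShell below is an added example, not code from the thread or from any vendor. It applies three heuristics: roots in the machine store that are absent from AuthRoot (the store Windows fills from Microsoft's Trusted Root Program), excluding Microsoft's own roots by subject; roots recorded under the Group Policy certificate hive (the registry path is an assumption to verify on your build); and a live TLS handshake to a public host to see which root the presented chain actually terminates in. A hit is a lead for investigation, not proof of interception, and because AuthRoot is populated on demand a public root missing from it should be checked against Microsoft's published CTL before drawing conclusions.

```powershell
# Added example, not from the thread or from any vendor. Read-only; run elevated on the
# Windows endpoint being checked.

# Heuristic 1: a certificate in LocalMachine\Root that is NOT in LocalMachine\AuthRoot
# (populated from Microsoft's Trusted Root Program) was added by an admin, by software,
# or by policy. Microsoft's own roots live in Root only, so they are excluded by subject.
# A TLS-inspecting proxy's CA shows up here.
function Get-UnexpectedRoots {
    [CmdletBinding()]
    param()
    $authRoot = [System.Collections.Generic.HashSet[string]]::new()
    Get-ChildItem Cert:\LocalMachine\AuthRoot | ForEach-Object { [void]$authRoot.Add($_.Thumbprint) }

    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { -not $authRoot.Contains($_.Thumbprint) -and $_.Subject -notmatch 'O=Microsoft Corporation' } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotBefore  = $_.NotBefore
                # A CA with a very recent NotBefore and a multi-decade lifetime is typical of a
                # proxy or EDR product generating its own root at install time.
                ValidYears = [math]::Round(($_.NotAfter - $_.NotBefore).TotalDays / 365, 1)
                Source     = 'LocalMachine\Root, not in AuthRoot'
            }
        }
}

# Heuristic 2 (assumption to verify on your build): roots pushed through Group Policy
# ("Trusted Root Certification Authorities" under Public Key Policies) are recorded under
# the Policies hive, one subkey per SHA-1 thumbprint. The merged Root store is used to
# resolve the thumbprint to a subject.
function Get-PolicyDeployedRoots {
    [CmdletBinding()]
    param()
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $thumb = $_.PSChildName
        $cert  = Get-Item "Cert:\LocalMachine\Root\$thumb" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Thumbprint = $thumb
            Subject    = if ($cert) { $cert.Subject } else { '(not resolvable in Root store)' }
            NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
            Source     = 'Group Policy (HKLM\SOFTWARE\Policies\...\SystemCertificates\Root)'
        }
    }
}

# Heuristic 3: do a real handshake and see which root the chain ends in. With interception,
# the handshake succeeds (the proxy CA is trusted locally) but the root is not a public one.
function Test-TlsInterception {
    [CmdletBinding()]
    param([string]$HostName = 'www.microsoft.com', [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
    try {
        $ssl.AuthenticateAsClient($HostName)    # default validation: fails only if the chain is untrusted
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        [void]$chain.Build($leaf)               # this also pulls a program root into AuthRoot if needed
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $authRoot = @(Get-ChildItem Cert:\LocalMachine\AuthRoot | Select-Object -ExpandProperty Thumbprint)
        $public   = $authRoot -contains $root.Thumbprint
        [pscustomobject]@{
            Host        = $HostName
            LeafSubject = $leaf.Subject
            RootSubject = $root.Subject
            RootIsPublic = $public
            Verdict     = if ($public) { 'chain ends in a Trusted Root Program root' }
                          else { 'chain ends in a non-public root: check for TLS interception' }
        }
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

Get-UnexpectedRoots     | Sort-Object NotBefore -Descending | Format-Table -AutoSize
Get-PolicyDeployedRoots | Format-Table -AutoSize
Test-TlsInterception    | Format-List
```

Run the third check against a few hosts that the proxy is likely to inspect as well as one it is likely to bypass (banking and health sites are commonly exempted), since a selective policy will only show up on the inspected ones.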
lcnPylGDnU4H9OF 6 days ago
> Cisco Umbrella

My current employer was somewhat recently purchased by a large, publicly-traded company and I had this installed on my work machine. Suddenly DoH was forced off by administrator policy and I had to use some specific internal IP for DNS. Which isn't strictly less secure, but let's just say I would, even for my large, publicly-traded business, trust Mullvad more than Cisco.
cameronh90 5 days ago
Well, I can't speak for everyone in IT or every situation, but this does not match what I've experienced. IT is basically being a system integrator with a load of systems that don't want to integrate. Corporate don't accept no for an answer. You need to bend things in ways they don't want to bend to get them to fit.

> The flashing cmd.exe windows are not drivers from Windows Update

The first thing I do with any new corpo laptop is completely wipe it down to the firmware, and clean the drive entirely to make sure the stench of Dell, Lenovo and HP is as cleansed as it's possible to be, then install Windows from a fresh ISO downloaded straight from Microsoft. Then a few hours after reinstalling Windows again, the Lenovo shitware drivers are back. Not the software suites, at least, but the crappy drivers that throw up cmd prompts and have un-suppressible dialog boxes telling you to update the BIOS but look like malware and ask for the admin password. Check Windows Update and it will show that it has installed a bunch of stuff like "Lenovo - System" and "LG Electronics - Extension".

Recently there's a push to dropship directly to customers and use Autopilot, with some vendors now offering "Corporate-Ready" images, but most IT depts still prefer to get hands-on first because of how flaky that is, plus even the corporate-ready image still comes with shitware, just less of it.

But anyway, even assuming it isn't coming via WU, and is one of those Lenovo bootkits, what else are we to do? Half the laptop won't work without drivers. Most of the other laptop manufacturers are aimed at gamers and fall apart in about a year. More recently I've been trying to move towards Microsoft Surface devices, and have found they're a much cleaner experience on the software, but have been finding the hardware reliability is quite terrible. I'm hoping that Framework's business programme turns out to be a success, but right now there are just no good options.
> You don't need a proprietary solution to remotely upgrade Google Chrome, just specify an enterprise policy with auto-update.

Sure. Chrome can be auto-updated and you have good controls over how that rolls out, so you can designate test users. But it's one of the few bits of software written "properly", including for example a Windows service that can run Chrome updates on behalf of a non-admin user, and they've actually provided GPOs to configure it. Even then it sometimes gets stuck and stops updating. So, we still need something like PMPC/Robopack/PSADT to update all the apps that either have a broken auto-update mechanism or just don't have one in the first place. We would also need to keep the original installer up to date ourselves, and for some software you're talking a day of fixing your manual packaging scripts every month, trying to work out which undocumented flags the MSI accepts, whether they've renamed the registry key they check to disable the non-functional auto-updates this version, etc.

Nowadays, we're starting to see more adoption of things like winget, where the vendor themselves are packaging things in a way that is suitable for mass deployment, using a standard mechanism that Windows itself can use to auto-update the apps. This is a massive improvement for everyone, but I'd say only <10% of most corporate/LOB apps are available this way yet. Hopefully over the next few years we'll see more adoption, as this would solve a big chunk of the pain of corporate IT. One of the worst vendors for writing stuff that doesn't use the standard mechanisms to install or update, incidentally, is Microsoft.

> The URL checker has no valid benefit, and makes it so people can never learn how to do it themselves. The browser performs the exact same checks with the exact same capabilities through its safe browsing stuff, and corporate IT often has network-level solutions too.

Nobody ever does it themselves, which is the point.

Also, if you're opening it on a corporate computer, current versions of Outlook do actually show you the original URL when you hover. But anyway, let's say we just rely on the browser check: what if it's a developer who's modified their browser settings? What if it's someone opening it from a personal phone? You could get rid of the URL rewriting and just ban users from using personal devices or modifying browser settings, but then you're going to war with senior executives who insist on keeping their work email on their personal phone. Almost all users don't even notice the URL rewriting, but it has prevented quite a lot of phishing attacks on personal devices that may otherwise have been successful. That's a pretty good trade-off for something that almost nobody notices is even happening.

Indeed, network TLS interception would often have detected stuff in the past, but many corps have moved away from that now because, as you point out, TLS interception is pretty crap. It breaks the increasing numbers of apps that use cert pinning, tends to be full of security flaws, and doesn't work off-network unless you send all traffic to a central server or deploy it to every PoP, which is rare outside of megacorps, meaning the internet experience is slow and flaky. Cisco Umbrella is a big suite with lots of other stuff too, but they do still push their TLS interception. MS advise not to use it, and the weight of opinion is shifting towards using URL protection built into the antimalware stack now, but unless we have full control over all clients accessing email, that doesn't eliminate the use case for URL rewriting. In any case, this isn't something external we've bought in on top of the standard Microsoft 365 stack, it's part of Defender that Microsoft enable by default in their secure baseline. Going against vendor recommendations is opening yourself up to a big liability if it turns out something gets through that it would have caught.

> Corporate IT uses email services that spoof domains and look suspicious

You'd be surprised how often vendors just directly email users without you ever having approved it or having been informed that they were going to send an email so you can pre-warn them. Again, Microsoft are one of the worst for doing this (e.g. sending emails from "User's Full Name <no-reply@sharepoint-online.com>"), but Google and Apple also do it.

> Say, they had a ransomware incident, and now they're buying every ransomware product for a few years. Stuff with such buggy kernel code that it deadlocks and makes it impossible to create new processes until you hard reboot.

Any company that is just stacking loads of conflicting antimalware products on each endpoint is clearly incompetent and not something I've seen, and I've seen some pretty shocking stuff. There was obviously the Crowdstrike issue, but that wasn't as you describe, and as much as I'm not personally a fan of Crowdstrike, that was one major incident it caused, but you're not comparing to the counterfactual where these systems didn't exist and 0days can just spread across the network faster than an under-resourced IT dept can stop them.

I'm unusual in that I moved more into IT and cybersecurity stuff from dev, so you know, I do have sympathy for how shit this can be as a user and a developer. I have a lot of hot takes about the shitty state of technology today and how it trains the users to do dangerous things. But believe me when I say this: if there was a better way of doing it, I would be the first one adopting it. There isn't, though. At least not one open to those of us outside of Big Tech with the budget to essentially write their own security stack.
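Two of the mechanisms discussed in this subthread are plain registry-backed policies on the endpoint: the Google Update Group Policy that cameronh90 refers to for Chrome, and the administrator policies that lcnPylGDnU4H9OF saw forcing DoH off. The PowerShell below is an added example, not code from the thread or from Google, Microsoft or Mozilla; it reads both sets of values and decodes them. The Google Update value names and Chrome's app GUID follow Google's GoogleUpdate.admx; the Windows DoHPolicy enumeration (1 prohibit, 2 allow, 3 require) is given as recalled from DnsClient.admx and should be verified against the template on your build; the Firefox key mirrors the DNSOverHTTPS block of its policies.json.

```powershell
# Added example, not from the thread or from any vendor. Read-only audit of the policy
# registry values behind Chrome's update GPO and the DoH policies; run on the endpoint.

# Google Update policy (GoogleUpdate.admx), all under HKLM\SOFTWARE\Policies\Google\Update.
$GoogleUpdateKey = 'HKLM:\SOFTWARE\Policies\Google\Update'
$ChromeAppId     = '{8A69D345-D564-463C-AFF1-A69D9E530F96}'   # Google Chrome's app GUID in Google Update
$UpdateMeaning   = @{
    0 = 'updates disabled'
    1 = 'always allow updates'
    2 = 'manual updates only'
    3 = 'automatic silent updates only'
}

function Get-ChromeUpdatePolicy {
    [CmdletBinding()]
    param()
    if (-not (Test-Path $GoogleUpdateKey)) {
        return [pscustomobject]@{ PolicyKeyPresent = $false; Note = 'no Google Update policy set; Chrome auto-updates by default' }
    }
    $p       = Get-ItemProperty -Path $GoogleUpdateKey
    $default = $p.UpdateDefault
    $chrome  = $p."Update$ChromeAppId"           # per-app override wins over UpdateDefault
    $effective = if ($null -ne $chrome) { $chrome } elseif ($null -ne $default) { $default } else { 1 }
    [pscustomobject]@{
        PolicyKeyPresent             = $true
        UpdateDefault                = $default
        ChromeOverride               = $chrome
        EffectiveChromePolicy        = "$effective ($($UpdateMeaning[[int]$effective]))"
        AutoUpdateCheckPeriodMinutes = $p.AutoUpdateCheckPeriodMinutes    # 0 disables the periodic check entirely
        TargetVersionPrefix          = $p."TargetVersionPrefix$ChromeAppId"    # pins a ring to a version, e.g. "120."
        RollbackToTargetVersion      = $p."RollbackToTargetVersion$ChromeAppId"
    }
}

# DoH policies. Windows enumeration is an assumption: verify against DnsClient.admx.
$WindowsDoHMeaning = @{ 1 = 'prohibit DoH'; 2 = 'allow DoH'; 3 = 'require DoH' }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-DoHPolicy {
    [CmdletBinding()]
    param()
    $win = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'DoHPolicy'
    [pscustomobject]@{
        WindowsDnsClient = if ($null -ne $win) { "$win ($($WindowsDoHMeaning[[int]$win]))" } else { 'not set' }
        Chrome           = Get-RegValue 'HKLM:\SOFTWARE\Policies\Google\Chrome'  'DnsOverHttpsMode'   # off | automatic | secure
        Edge             = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' 'DnsOverHttpsMode'
        FirefoxEnabled   = Get-RegValue 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' 'Enabled'   # 0 = off
        FirefoxLocked    = Get-RegValue 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' 'Locked'    # 1 = user cannot change it
        # The resolvers the OS is actually using, which is what the browsers fall back to once DoH is off.
        ActiveDnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                              Where-Object ServerAddresses |
                              Select-Object -ExpandProperty ServerAddresses -Unique) -join ', '
    }
}

Get-ChromeUpdatePolicy | Format-List
Get-DoHPolicy          | Format-List
```

A machine where Chrome's effective policy is 1 with no TargetVersionPrefix is on the plain "enterprise policy with auto-update" path the thread describes; a DnsOverHttpsMode of "off" in all browsers together with a Windows DoHPolicy of 1 and a private ActiveDnsServers address is the configuration lcnPylGDnU4H9OF describes seeing.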