Fake Security and Microsoftism (UPDATED)
-
Important: Thunderbird 102.7.0 And Microsoft Office 365 Enterprise Users [Ed: Microsoft is sabotaging Free software for its monopoly's sake]
On Wednesday, January 18, Thunderbird 102.7.0 will be released with a crucial change to how we handle OAuth2 authorization with Microsoft accounts. This may involve some extra work for users currently using Microsoft-hosted accounts through their employer or educational institution.
In order to meet Microsoft’s requirements for publisher verification, it was necessary for us to switch to a new Azure application and application ID. However, some of these accounts are configured to require administrators to approve any applications accessing email.
If you encounter a screen saying “Need admin approval” during the login process, please contact your IT administrators to approve the client ID 9e5f94bc-e8a4-4e73-b8be-63364c29d753 for Mozilla Thunderbird (it previously appeared to non-admins as “Mzla Technologies Corporation”).
-
Thinking of Hiring or Running a Booter Service? Think Again. [Ed: Microsoft botnets very common]
Most people who operate DDoS-for-hire businesses attempt to hide their true identities and location. Proprietors of these so-called “booter” or “stresser” services — designed to knock websites and users offline — have long operated in a legally murky area of cybercrime law. But until recently, their biggest concern wasn’t avoiding capture or shutdown by the feds: It was minimizing harassment from unhappy customers or victims, and insulating themselves against incessant attacks from competing DDoS-for-hire services.
-
mjg59 | PKCS#11. hardware keystores, and Apple frustrations [Ed: Fake security and proprietary (secret) hardware. Let's trust companies that work for the NSA, shall we?]
There's a bunch of ways you can store cryptographic keys. The most obvious is to just stick them on disk, but that has the downside that anyone with access to the system could just steal them and do whatever they wanted with them. At the far end of the scale you have Hardware Security Modules (HSMs), hardware devices that are specially designed to self destruct if you try to take them apart and extract the keys, and which will generate an audit trail of every key operation. In between you have things like smartcards, TPMs, Yubikeys, and other platform secure enclaves - devices that don't allow arbitrary access to keys, but which don't offer the same level of assurance as an actual HSM (and are, as a result, orders of magnitude cheaper).
UPDATE
-
Thunderbird 102.7.0 requires manual updating due to a bug [Ed: Microsoft is breaking Thunderbird]
Thunderbird 102.7.0 is the first version of the email client that handles OAuth2 authentication for Microsoft accounts differently. The team had to make the change, according to a blog post on the official Thunderbird website, to meet Microsoft's publisher verification requirements.
The project switched to a new Azure application and ID. Some users who use Thunderbird may receive a notification prompt on first run of Thunderbird 102.7.0 that prompts for administrative approval.
If that is the case, an IT administrator needs to approve the client. The team provides the following information on the procedure:
"If you encounter a screen saying “Need admin approval” during the login process, please contact your IT administrators to approve the client ID 9e5f94bc-e8a4-4e73-b8be-63364c29d753 for Mozilla Thunderbird (it previously appeared to non-admins as “Mzla Technologies Corporation”).