I've banned Forbes from my news feed over this type of "$TechCompany just gave $NumUsers a reason to be afraid" clickbait title. Every time I opened them, they were a tremendous waste of time, a simultaneously dumbed down and hyped up drivel about a security issue that made the news a week prior that was never as serious as the title implied.
Forbes.com is more of a blog host than a news organization.
They've got that "Opinions expressed by Forbes Contributors are their own" hover tip hidden on the byline of just about every article. I don't think their editors vet or screen articles beyond passing them through Grammarly, if even that.
... after rejecting the initial submission as WAI. Getting a gap like this addressed shouldn't be dependent on how many twitter followers the submitter has. It's a bad look for Google.
I ignore any blue check from google as that just means they’ve paid google. Most of my spam nowadays is from “legitimate” companies (today I got a “happy pride month” email from Walmart even though I’ve unsubscribed dozens of times).
I think for people who fall for email scams the behavior change is to ignore all emails and training them to trust some stupid blue check mark is not good.
Perhaps I missed it in the linked tweets. Is there a technical write-up on how they are spoofing BIMI? Are they not using BIMI DNS lookups and only trusting SMTP header contents? Gmail is purported to have a VMC requirement. [1]
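The distinction the comment above draws, as an added example that is not from the thread, from Forbes or from Google: a small BIMI assertion-record check that takes its decision from the DNS record at `<selector>._bimi.<domain>` rather than from anything in the message itself, and declines to show an indicator unless that record names a VMC. The sample zone and the resolver stand-in are constructed; function names are assumptions.

```python
"""Check a BIMI assertion record (added example, not the thread's code).

BIMI publishes a TXT record at <selector>._bimi.<domain> of the form
    v=BIMI1; l=<https logo URL>; a=<https VMC URL>
An empty 'l' tag means the domain declines to participate; a missing 'a'
tag means no Verified Mark Certificate is declared for the logo.
"""
from typing import Callable, Dict, Optional

# Constructed sample zone standing in for real DNS answers.
SAMPLE_TXT: Dict[str, str] = {
    "default._bimi.bank.example":
        "v=BIMI1; l=https://bank.example/logo.svg; a=https://bank.example/vmc.pem",
    "default._bimi.nocert.example": "v=BIMI1; l=https://nocert.example/logo.svg;",
    "default._bimi.optout.example": "v=BIMI1; l=;",
}

def sample_resolver(name: str) -> Optional[str]:
    """Stand-in for a TXT lookup; a real check would query DNS here."""
    return SAMPLE_TXT.get(name)

def parse_bimi_record(txt: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into tags; the first tag must be v=BIMI1."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "BIMI1":
        raise ValueError("record must start with v=BIMI1")
    return tags

def check_bimi(domain: str, selector: str = "default",
               resolver: Callable[[str], Optional[str]] = sample_resolver,
               require_vmc: bool = True) -> Dict[str, object]:
    """Decide whether an indicator may be shown, based only on DNS."""
    name = f"{selector}._bimi.{domain}"
    txt = resolver(name)
    if txt is None:
        return {"name": name, "status": "no-record", "display": False}
    tags = parse_bimi_record(txt)
    logo, vmc = tags.get("l", ""), tags.get("a", "")
    if not logo:
        return {"name": name, "status": "declined", "display": False}
    if any(u and not u.lower().startswith("https://") for u in (logo, vmc)):
        return {"name": name, "status": "insecure-url", "display": False}
    if require_vmc and not vmc:
        return {"name": name, "status": "no-vmc", "display": False}
    return {"name": name, "status": "ok", "display": True, "logo": logo, "vmc": vmc}
```

Pointing the resolver at a real TXT lookup turns this into a check you can run against any domain; the decision still never touches message headers.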
> initially dismissed his discovery as “intended behaviour” before his tweets about it went viral, and the company acknowledged the error
Google's security team seems to make mistakes like this more often recently. I know they've got an onslaught of reports and (lacking a real support system) the security report channel has become an alternate way to escalate non-security issues, so I don't envy the challenge.
There was a blog post on HN recently about a guy's experience reporting an issue to Google and they got a similar dismissive WONTFIX in robotic corp-speak. Security researchers should have a direct hotline to actual employees (engineers) interested in solving security issues, not be forced to raise tickets for morons who want to close them immediately because they don't care enough to investigate. I'd wager that a lot of people don't even bother reporting unless there's a potential reward because of this kind of treatment.
OTOH, given bug bounty payouts, the sheer number of reports they get for real WAI not-actually-a-hack behavior must be exhausting. People just seeking a payout for every trivial thing. Which, tbc, this thing isn't.
How many Internet users really know what it means when there's a little golden padlock in the URL bar? What goes through their minds when there are security warnings about not having the golden padlock?
I knew a guy who wouldn't open my email to him, because the icon/avvie was a question mark or something, and so it must be malware. He pointed it out to me in person.
Now there is a social-media industry standard 'blue check' or 'verified account'. Instead of a golden padlock meaning the same, narrow thing, everywhere and always, the blue checks are implemented however they want. You can put a blue check in your Slack status if you feel like it. So what does a blue check mean?
I don’t understand this comment? The original tweet author isn’t blue and doesn’t have a follower count that would make him valid to have blue under the old rules…
Noted. I had to look at the article on my laptop for because I can’t load Forbes on the phone. Was basing my comment on the comments I had read so far and the threads on Twitter.
[The security of Gmail has always been one of its biggest selling points, but now one of its most important new security features is actively being used by hackers to scam users]