Oh wow, it posts your cleartext email credentials to an API endpoint called “/ows/beta/ShadowService/getShadowToken”.
But at least it calls the password string a “Secret” in the JSON payload, so you can REST assured knowing the Shadow Service agents will handle this data appropriately.
How do you think login works for almost all network/web services? Very few do anything different. I wish they would, of course. Crypto/signature logins please!
There is the one trap-word. I am practicing firewall hygiene from the good old ZoneAlarm days. If I don't need the software to 'get out', it is blocked. I only allow my Outlook to 'talk' to my mailbox carrier to bring in the emails. All other target IPs are blocked. So it can't 'phone home'. But again, I'm on Office 2013 (and it still tries to phone home).
It uses OAuth2 rather than IMAP for Google accounts, as per Heise's German-language reporting which was previously linked in HN (I haven't yet checked their English-language article). So the Google account password doesn't get sent to Microsoft servers or stored locally or anything, as it does with a regular IMAP account.
Microsoft stores an OAuth2 access token for these accounts, which is still unnecessary compared to the locally synced version of Outlook we're all used to, but the user can revoke it through Google account settings at any time, just like any other OAuth2 access token.
They already call IMAP an insecure, outdated service. So when you enable it, they will disable it for you after so many days, whether you want them to or not.
I think it really is a security issue to some extent, because it doesn't support multi factor authentication.
For most services email is the master key to reset your password. By getting access to someone's email account a lot of other accounts can be breached easily. I try to disable password reset via email wherever possible. But most services don't provide this option.
I think it would be time for IMAP to get a standardized way to log in via OAuth2/OIDC. And maybe an update to the email standard to mark recovery links or codes as secret, requiring 2FA every time they are read.
Especially dangerous are servers that still allow using IMAP without TLS; that's just asking for trouble.
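The token-based IMAP login the comments above describe, as an added example (not code from the thread, from Outlook, or from any provider): the client authenticates with the XOAUTH2 SASL mechanism that Google and Microsoft already accept (RFC 7628 OAUTHBEARER is the standardized cousin), so a scoped, revocable access token crosses the wire instead of the mailbox password. The block builds and parses the XOAUTH2 initial response, decodes the JSON challenge a server returns when it rejects a token, and reads an IMAP CAPABILITY line to flag whether a server still permits plaintext LOGIN without TLS. All users, tokens and capability lines are constructed samples; `login_with_token` is the only part that touches the network and is not exercised by the test.

```python
"""IMAP login with an OAuth2 access token instead of the account password.

Added example, not code from the thread.  XOAUTH2 is the SASL mechanism Google
and Microsoft accept for `AUTHENTICATE XOAUTH2`; the client sends a scoped,
revocable access token and the mailbox password never crosses the wire.
Sample users, tokens and capability lines below are constructed.
"""
import base64
import imaplib
import json
import os


def raw_xoauth2_bytes(user: str, access_token: str) -> bytes:
    # Wire format documented by Google: user=<email>^Aauth=Bearer <token>^A^A
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def build_xoauth2_string(user: str, access_token: str) -> bytes:
    # Base64 form, as it appears after `A1 AUTHENTICATE XOAUTH2 ` in a raw session
    return base64.b64encode(raw_xoauth2_bytes(user, access_token))


def parse_xoauth2_string(b64: bytes) -> dict:
    """Inverse of build_xoauth2_string; rejects anything not in the documented shape."""
    raw = base64.b64decode(b64, validate=True).decode()
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing terminating ^A^A")
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("unexpected XOAUTH2 fields")
    return {"user": fields["user"], "token": fields["auth"][len("Bearer "):]}


def parse_xoauth2_error(b64_challenge: bytes) -> dict:
    """On a rejected token the server continues with '+ <base64 JSON>'; the client
    must answer with an empty line and then receives the tagged NO."""
    return json.loads(base64.b64decode(b64_challenge))


# Constructed sample of the challenge shape Google sends for a rejected token
SAMPLE_ERROR_CHALLENGE = base64.b64encode(
    json.dumps({"status": "401", "schemes": "bearer mac",
                "scope": "https://mail.google.com/"}).encode()
)


def assess_capabilities(capability_line: str) -> dict:
    """Read an IMAP CAPABILITY response and flag the login posture it offers."""
    caps = {c.upper() for c in capability_line.split()}
    return {
        "oauth2": "AUTH=XOAUTH2" in caps or "AUTH=OAUTHBEARER" in caps,
        "starttls": "STARTTLS" in caps,
        # LOGINDISABLED (RFC 3501) is how a server refuses plaintext LOGIN before TLS
        "plaintext_login_allowed": "LOGINDISABLED" not in caps,
    }


# Constructed samples: a pre-TLS banner that refuses plaintext, and a legacy one that does not
CAP_HARDENED = "IMAP4rev1 STARTTLS LOGINDISABLED AUTH=XOAUTH2 AUTH=OAUTHBEARER"
CAP_LEGACY = "IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"


def login_with_token(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Live connection (not run by the test). imaplib base64-encodes what the callback returns."""
    def callback(challenge: bytes) -> bytes:
        # First call carries an empty challenge: send the credentials.  A non-empty
        # challenge is the error JSON: answer with an empty line per the mechanism.
        return raw_xoauth2_bytes(user, access_token) if not challenge else b""

    conn = imaplib.IMAP4_SSL(host, 993)
    conn.authenticate("XOAUTH2", callback)
    return conn


if __name__ == "__main__":
    if os.environ.get("IMAP_HOST"):
        # Token obtained out of band through the provider's OAuth consent flow
        c = login_with_token(os.environ["IMAP_HOST"], os.environ["IMAP_USER"], os.environ["IMAP_TOKEN"])
        print(c.select("INBOX")[0])
        c.logout()
    else:
        print(assess_capabilities(CAP_HARDENED), assess_capabilities(CAP_LEGACY))
```

Revoking the token in the provider's account settings ends the client's access without changing the mailbox password, which is the property the comments above contrast with a stored IMAP password.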
I really love how they made a slick and fast mail app for Windows, even if it didn't support everything. But it did its job of being a fast email client.
Then they decided not anymore and replaced it with a bloated one...
Is this the same company that once created remarkable technological innovations like Windows XP, .NET Framework, Visual Studio Express, etc? I really hope it still is!
Is this new Outlook part of that new age Metro Interface or Windows Store apps? That's one of the first things I recommend everyone to get rid of as part of the Windows de-bloat process.
New Outlook on Mac is terrible - it lacks basic critical functionality such as tabular view (1 line per message) with column sorting by: From, To, Date received, Subject etc.
Fortunately old Outlook is still available - I have to switch back after every update.
I hate this new “mvp” philosophy where they redo an existing product and leave out features.
“Let’s get it working and add in future releases” makes sense for new products but is so dumb when it’s reworking existing products to make them crappier.
Microsoft does this all the time. They also do stuff like decide that Teams won’t have wikis any more. Because, like, nobody wants wikis in their collab suite.
This is a result of promo-driven culture. But promotions are the carrot you need to dangle for many managers and engineers.
That's not why I got into software. I got into software to build useful products that delight the user. Products that make them more powerful and capable.
I've been running the O365 Outlook version at my company and they broke simple things. I want to search for an email, so I select the folder, then click search and start typing.
In the new Outlook, the moment I press the first key for my search query, the focus moves off of the search bar, for no reason whatsoever, so every. single. fucking. goddamn. time. I want to search, I select the folder, click into the search box, type 1 character, move my hand off the keyboard, over to the mouse, to re-click into the goddamn search box, then continue typing.
I dislike Outlook as a client for sure, but I must grudgingly admit that Outlook + Exchange is the single best, most usable, most seamless group calendaring & meeting tool I've ever used (and I've used a LOT).
For that reason, I end up keeping my corporate mail in TWO clients: True desktop Outlook in a Win VM, and also in my Mac's Mail.app. 99% of my mail I handle on the Mac side (for one thing, search is WAY WAY WAY BETTER). But scheduling? True Outlook every time. It's just better.
I haven't seen or used the "new Outlook," but it sounds like another example of MSFT calling multiple products by the same name to muddy distinctions for marketing reasons (e.g., "SQL Server" and "Azure SQL"). "New Outlook" definitely doesn't sound like something I could or would ever use.
"new outlook" is just the webmail, you can see it at outlook.office365.com if you want.
It has a couple benefits. The search is better since it isn't limited to your local cache, and your scheduled emails don't require that you have outlook running on the desktop at go time. I try not to use it otherwise.
Search is the one thing that's been absolutely horrendous - I can be staring at an email, search for a phrase or similar from that email, and it can't find it.
I find, and have always found, that search in Outlook is so bad it's just not worth doing.
Search in the native Mac Mail client? Crazy good. Very reliable. Never let me down.
Mail clients are kind of all terrible, because right now my favorite one is just the one that does the things that really OUGHT to be the bare minimum:
* Reliably send and receive mail
* Support IMAP and Exchange
* Have the option for local storage of some or all of the mail corpus on any given account
* Have fast, accurate, reliable search
* Have a rules/filters function (though honestly this is usually something better done server-side)
* Have a well-designed, coherent interface that makes rapid work possible
OT: Classic Outlook can be a database and file server portal. I have never seen anyone use it for this purpose. I tried to build an application using this feature. It was difficult because of how poorly documented this is.
Why use Outlook without Office 365 or Exchange at all?
Only reason I could think of: some very specialized extensions that are only available for Outlook.
I'm really happy that Thunderbird recently got some updates, I think it's the only good free desktop mail client that is still around. Evolution looks really dated nowadays.
Personally I can recommend eM Client for Windows users as an Outlook replacement (and they have a macOS version too). It's commercial, but there is a free version for private use. It does CardDAV/CalDav quite well, and supports PGP/S/MIME.
I've got Office 365 for Business for my personal email. Comes with OneDrive for Business (built on SharePoint) with 1TB storage, all the Office apps, Bing Chat(GPT) for Enterprise, Outlook app on Android/iOS etc. etc. Integrates perfectly on Windows.
The email service is great, works as expected and emails don't go undelivered with great spam filtering.
Can't think of a better provider. I used to be with Google Workspace but after transferring my Google account it's irreversible and can't go back to a 'personal' account while losing access to many Google services like (I know it's dead now) Stadia. Had to create a new 'personal' Google account and transfer everything over manually after doing a takeout - lost a few things like my old YouTube account and Google Play purchases.
Thunderbird needs to get to the 21st century before the general public starts swapping out MS or Google mail, calendaring, and contact solutions. As it is, the GUIs need a Jakob Nielsen-style usability revamp.
Is your problem a UI problem or a functionality problem?
I'm asking because I can understand wanting functionality (e.g. decent calendar integration). I don't understand UI complaints but am willing to imagine "it could be better" (e.g. UI complaints about Gimp)... except I've used Thunderbird, and the UI does its job fine.
Sure, maybe with some MS ribbon-alike thingy it would work better for some, and maybe I'm a dinosaur, but most UI changes in programs I've used the last decade were either shrug or a bad idea. So I've become very hesitant about overhauling UIs simply because they come across outdated to some.
I've been using MS products since MS-DOS on my Radio Shack Model I in 1978. I've been using a cloud outlook.com email for years. Suddenly, a week or so ago, my outlook.com app lost the ability to compose new emails. I simply cannot find the option anywhere.
The only way I can create a new email is:
1. Hit reply on an existing email and delete to; subject; and body; or
2. Go to contacts, select a person, and click email to, and then modify the "to" field to insert the correct address.
I only have a local user on Windows 11, but have started wondering when MS will create a shadow profile for me and upload all the data. So kind of them.
Storing all of your data in a server that you have no control over and no option to not be a part of, exposing you to more attack vectors, solely for Microsoft to generate revenue from you...is for your protection!
My challenge in using the new Outlook with my hotmail account is that I disabled logging in to hotmail with my primary email address (too many hacking attempts from Russia). I use another email (yahoo) to log in. This confuses the crap out of their sign-in system. It assigns yahoo email protocol settings instead of hotmail/office protocol.
Good thing I'm still running Office 2013!!!! (and I only had to upgrade due to .pst size limits of past versions if I remember correctly - it's been a while since I moved to the brand-new-at-the-time-2013!)(and I got Windows Firewall Control, still on v.4.9.x.x version - before it became 'free' after its acquisition and move to v.5)
I was disillusioned almost a decade ago and switched to LibreOffice back then itself. The only caveat is that the Microsoft's DOCX format isn't fully compatible with open ODT, so documents saved with one word processor may have slight formatting issues in another but I've stopped caring about it now and try to push everyone in my circle to adopt LibreOffice only. My hunch is that in about a decade or so, almost everyone will.
It was so full of security holes though. Someone could just send you an email, and without you even opening it, it would send more email to your other contacts. It was really bad.
> The German Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, is also alarmed: On the social media network Mastodon, he described the data collection as "alarming" and announced his intention to pursue the issue at European level through the data protection authorities as early as next Tuesday.
I tried to switch back previously due to some issue, but when I installed the old Mail app, it was barely functional and full of issues. Once you install the new version, it will be hard to switch back. Also, it's still lacking in many areas.
They didn't get away with bundling the browser, but practically, that went nowhere, and they still keep pushing Edge at every turn.
One of my pet peeves against Microsoft is, precisely, how they bundled a mail client with their office suite, and one hostile to standards at that. A mail client that, somehow, only worked properly with other Office elements, and, at some point, it created interoperability issues if sender, receiver, and mail server, weren't all running Microsoft software.
Only available on Windows 12 devices with Microsoft-approved software.
Only €99 the first 20 months, then triples. Bundled with Microsoft Oven, Microsoft Fridge, Microsoft Wave, Microsoft Printer, Microsoft TV, Microsoft Sofa.
Never worry with virus again!
the bundle is not guaranteed to work with non-Microsoft Partners, such as Netflix, Steam, Android; companies need to submit for certification their hardware drivers; you can check the Compatibility DB available on the website.
You may be downgraded to grayscale 360p if hardware is not verified with the cert level NBBcert 5 stars or another approved Microsoft partner.
Availability in your country depends on your country's subscription to Microsoft DRM-center, plan AA, and adherence to snoop-your-neighbor mutual agreement act 5000. China relations must be at level 304 or inferior, per mutual agreement 497.
To be eligible for support, you have to buy Microsoft Insurance Pack, and only network devices approved by Liberty Party or its subsidiaries are eligible. You must register at all times the current invitees at your house. If more than 2 invitees, you must apply, with 7-day precedence, for a license fun-at-home. The accuracy of your submission may be validated using Wifi sensors, per patent USPTO20130, and others. Patent Pending. Camera validation may be used if your credit score is under 200. If Microsoft agents knock at your door, failure to open the door will result in all subscribed packs being reduced to a plafond of 30 mins per day until Microsoft Corp and its partners are satisfied your way of life and current invitees are in agreement with the Microsoft, Oracle and Google tricorporation shared agreement.
In their defense, Outlook and Exchange were created to compete with Lotus Notes. As much as Office interacted poorly with open standards, it was that it interacted with them at all that made it more successful than the other commercial office software in the 90s.
I don't see it as a defense, as much as it was a strategy.
They may have made their software more standard compliant, and when they gained enough market share, they tried locking competitors out of their environment.
The new Outlook is really bad. The old one has a setting to hide images in emails, and in the new Outlook I can't find it; they probably hid it somewhere you can't find it. The only option is to use their service to download the image, and the image is shown.
This is accurate, and Apple is mystifying given that they are very focused on image and advertising. However, I tolerate that more than Microsoft, as fixing formatting in my job is actual hell; people are trying to get work done and the tools are objectively broken, and Word is a de facto standard.
“If you are trying to login to IMAP hosted by Google or Fastmail, why should Microsoft need to be contacted let alone given the password?” is how I read the article…
Now, I know the answer is so that you can have push notifications sent to your mobile phone with every IMAP poll Microsoft does on your behalf, but that’s because the architecture of the new Outlook app likely borrows features of the Acompli mobile app they bought and maintained as Outlook mobile. That the desktop app re-uses the same APIs as the mobile app rather than process mail locally makes sense from a code reuse and efficiency standpoint, but really only because your accounts can seamlessly carry over to all your devices.
It’s arguable that the distinction between keeping your password in the cloud and keeping your password local is a security risk. However, if you previously used Outlook.com to check your IMAP email, and maybe this is where the feature derives from, then you already provided your IMAP password to Microsoft on the web. Likewise Google for importing IMAP to Gmail. We do this because it is nicer to get one inbox and one push notification across multiple accounts - when we want cloud providers checking emails for us.
It is less clear why a desktop app would do this unless you opted in to fancier service of some kind - e.g. viewing emails on the web when not at this device, or push notifications to your mobile phone, etc.
If Microsoft wanted to read your emails even with a locally stored and never shared IMAP password, they could still send telemetry derived from the local client to build an advertising profile based on local emails, or to display targeted ads. They don’t technically need your password to read your emails if you are using their email client.
I think you're wildly overestimating how much deliberation or thought the average Gmail user has put into any of these topics outside of "free email, neat".
The difference between Gmail's IMAP setup and this new Outlook IMAP behavior is the same difference between borrowing a friend's car and stealing a friend's car. In both cases, you're driving a car that doesn't belong to you. The difference is whether you have permission to be driving that car.
Both Gmail and Outlook are receiving passwords, then using those to perform IMAP requests from their servers. The difference is that Gmail had permission to do so, while Outlook did not.
The concern is someone logging into Gmail is sending plain text passwords and email contents to Microsoft. That’s why sending plain text passwords over an encrypted channel is a concern.
It would be fine if Outlook was backing up encrypted data and then not sending the decryption key to Microsoft servers.
It's to distinguish this behavior from password managers. Here, the message is sent to Microsoft in an encrypted form, but Microsoft can decrypt it to access the underlying password. For password managers, the remote server receives a password in an encrypted form, and cannot decrypt it to access the underlying password.
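The distinction drawn in the last few comments (encrypted in transit but recoverable by Microsoft, versus a password manager's server that holds ciphertext it cannot open), as an added example that is not code from the thread or from any Outlook or password-manager product. Model A stores the uploaded password under a key the server itself holds; Model B derives the key on the client from a master password and uploads only salt plus ciphertext, so the server's only move is to guess a key, which the authentication tag rejects. The cipher is a stdlib-only HMAC-SHA256 keystream with encrypt-then-MAC, chosen so the file runs without extra packages and labelled as a demonstration construction rather than what any real product uses; user names and passwords are constructed.

```python
"""Who can recover the secret: server-decryptable storage vs zero-knowledge.

Added example, not code from the thread.  Model A mirrors what the comments
describe: the client sends its IMAP password over TLS and the server keeps a
copy it can decrypt.  Model B is the password-manager pattern: the key is
derived on the client and only ciphertext reaches the server.  The cipher is a
stdlib-only construction (HMAC-SHA256 keystream, encrypt-then-MAC) used here
for illustration; real products use AES-GCM or XChaCha20-Poly1305.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # wrong key or tampered blob
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_key(master_password: str, salt: bytes) -> bytes:
    # Memory-hard KDF so a breach of the server cannot cheaply brute-force the master password
    return hashlib.scrypt(master_password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class ServerDecryptableStore:
    """Model A: the service holds the key, so it can read every stored password."""

    def __init__(self):
        self._server_key = secrets.token_bytes(32)   # stays on the server, but the server has it
        self._rows = {}

    def upload(self, user: str, imap_password: str) -> None:
        # Plaintext arrived over TLS; encryption at rest protects against disk theft, not the operator
        self._rows[user] = encrypt(self._server_key, imap_password.encode())

    def server_reads(self, user: str) -> str:
        return decrypt(self._server_key, self._rows[user]).decode()


class ZeroKnowledgeStore:
    """Model B: the service only ever sees salt + ciphertext."""

    def __init__(self):
        self._rows = {}

    def upload(self, user: str, salt: bytes, blob: bytes) -> None:
        self._rows[user] = (salt, blob)

    def fetch(self, user: str):
        return self._rows[user]

    def server_reads(self, user: str):
        # No master password on the server, hence no key; a guessed key fails the MAC check
        _salt, blob = self._rows[user]
        try:
            return decrypt(secrets.token_bytes(32), blob).decode()
        except ValueError:
            return None


def client_seal(master_password: str, secret: str):
    """Client side of Model B: derive the key locally, upload only salt and ciphertext."""
    salt = secrets.token_bytes(16)
    return salt, encrypt(derive_key(master_password, salt), secret.encode())


def client_open(master_password: str, salt: bytes, blob: bytes) -> str:
    return decrypt(derive_key(master_password, salt), blob).decode()


if __name__ == "__main__":
    a = ServerDecryptableStore()
    a.upload("alice", "hunter2")
    print("model A, server reads:", a.server_reads("alice"))
    salt, blob = client_seal("correct horse battery staple", "hunter2")
    b = ZeroKnowledgeStore()
    b.upload("alice", salt, blob)
    print("model B, server reads:", b.server_reads("alice"))
    print("model B, client reads:", client_open("correct horse battery staple", *b.fetch("alice")))
```

Note that both models encrypt the stored row; what separates them is where the key lives, which is the point the comment above makes about transport encryption not being the relevant property.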
It could have been phrased better, but the clear message is that Microsoft has pilfered access to unencrypted passwords, regardless of any transportation-level encryption.
The question is, why does Microsoft need your Gmail password at all to begin with? Thunderbird works perfectly fine with Gmail without sending Mozilla your password.
It is conceivable that they wanted to express "although encrypted in transit, it is not hashed and Microsoft can recover the full password". However, you'd have to be very charitable to interpret the article like that.
This is not a translation error either. The same mistake can be found in the German original.
> Did whoever write this realize you need to be able to recover the cleartext for this to even work?
The first author of the article has a degree in 'commercial information technology' and has worked as a sysadmin, so I assume they do understand that this is necessary, they may just have done a bad job of expressing that.
An article in a technical outlet should still do better in such regards.
I think with Microsoft no longer considering your data off limits to them regardless of informed consent we've hit a decision point whether you are okay with that (knowing that their AI software has the possibility of regurgitating anything it's been trained on) or have to rip off the bandaid and abandon them completely.
Except disguised such that people think it is not webmail. They are replacing a desktop IMAP client (which stored data locally) with a webapp that (it sounds like) copies all of your Google Mail to a Microsoft server.
I do think this is a big deal; certainly my expectation was that the New Outlook would work a lot like the old Mail app.
Does the iOS mail app do that? Every time I get a new Apple device I have to set fastmail back up from scratch with a new app password, even if I restore the device from a backup of an older device.
Well to be honest I don't know for sure. I don't use the Mail app but I had assumed that pretty much everything on the iPhone was synced/backed up to iCloud unless you very deliberately are not doing that.
Yes that was the bizarre part. I recognize it's a .de domain but the URL and content seemed to be in English. I didn't know how to get past the (what is presumably) cookie dialogue though, so I guess I'll never know.
Or I could just close the tab, and move on with my day.
It may be a regulatory requirement to display the info. It's my opinion doing it in such a disruptive and unintuitive manner is a good way to increase the bounce rate on a given site, especially when I've already got multiple browser settings enabled indicating my preference.
https://news.ycombinator.com/item?id=38217457
https://news.ycombinator.com/item?id=38212453