Don't make me click "here"!

The internet has been around for decades, and yet the biggest of the big companies have not understood one of the basics of security:

If you force your users to go through procedures that could be fraudulent, then fraudsters will use those same procedures.

Some cases to illustrate this.

Flash Player. For many years Flash Player has popped up windows on people's screens, encouraging us to click "here" to get the latest safest version. The obvious problem is that most people cannot tell that window from a window from a spurious webpage, pointing to a completely different webpage that contains malware. Don't force me to click "here" for crying out loud!

Microsoft's "unusual activity." I recently took a quick trip across the border into the next country. Microsoft noted that my mail account now was updated from another location 50 km away from home, which seemed suspicious to them. They sent me a mail to my iPhone saying that to "help keep you safe, we've blocked access to your inbox, contacts list, and calendar."And "To regain access, you'll need to confirm that the recent activity was yours." And to do that, I should click "here," following a link that led far away onto a web page that could or could not be spoofed, where I was supposed to enter my password. I'm pretty sure it was them. The link pointed to eur01.safelinks.protection.outlook.com, which redirected (!) to live.com, and I'm fairly sure both of those URLs belong to Microsoft. But I was not willing to take the risk, so I stopped using MS Mail temporarily, until I got back home and could securely sign in on a laptop to a URL I knew I could trust. Don't make me click "here"!

Apple's Calendar. I used to sync my MacOS Calendar application with my Google calendar - a fairly convenient thing to do. After the latest update, however, (MacOS 10.14.4), I got a notification telling me that I need to update my Google password in Safari. So I am supposed to click "here" on the notification to open System Preferences, where I get another "here" that leads to a secret URL, which I do not even see, in a browser I never use, and where I never configured the security to my liking. I wearily click "here," and Safari displays a window, where the address bar is hidden, so I cannot easily see which URL I have accessed, unless I take some more steps. There are so many shady new things here with links leading to places I have not been before. I can take time to verify each step and make sure everything is legitimate, and I would have to spend probably half an hour before being perfectly sure. Honestly, I prefer to switch off the sync. Don't make me click "here"!


Each of those procedures, where big companies encourage users to naively click "here" without any guarantee that the links are safe, makes it easier for hackers to convince people to click "here" on their malware windows.

Don't, please, don't, make us click "here"!

(In the examples above, the actual label on the button or URL is not always literally "here," but that is its meaning.)

Mailto and some of its many problems.

I just realised what an annoyance the URI scheme mailto: is. When I see an email address somewhere on a webpage or in an app, it is very rare that I want to use it to create a new mail from my default mail address in my default mail client with that mail in the to-field.

Here are some of things I may equally well want to do:

• Add it to my contact list for later use.
• Paste it in a mail or SMS to forward it to someone else.
• Add it to CC or BCC field.
• Add it to a mail I already started writing.
• Send it from another client than my default. (I almost only use web mail.)
• Search for it in my mailbox or on my hard disk, to see if I already had a contact with them.

The irony is that the person who put their mail address in a mailto-element on a web page probably already is inundated by spam, as it is about lesson one in the spammers manual of favourite tricks, to crawl webpages looking for valid target mail addresses.

Whining about a colour between red and yellow

I'm tired of my mobile phone provider, even though I'm sure any other provider would cause me as much irritation. There is no reason to name them, but for those who wonder, the name of the provider describes a colour somewhere between red and yellow.

Spam. They keep sending me spam messages about great new deals. I duly blocked that number, but nevertheless, they managed to get through with a message today. I have no idea how. Could be an Apple bug, I guess.

Selling through bugs. Last time I bought an iPhone, I'm sure I clicked on a cheap model. Three seconds later, I got a confirmation message for a more expensive model. Five seconds later, I called them and asked them to cancel the order. They refused to do so, and insisted I must have clicked on the more expensive model, something that of course is impossible to be sure about. The only way to cancel the order, according to their staff, was to wait for it to be delivered, refuse to pick it up, which meant it would be sent back, and then the order would be cancelled. As I needed the phone urgently, that was out of question for me, so I coughed up for the more expensive model I did not need.

Silly creepy alerts. From a completely new spam number, they sent me a warning that I should unplug the modem during a thunderstorm. How do they know there will be a thunderstorm where I am? Do they track my movements? If so, they do it badly. There was no expected thunderstorm, where I was or any place where I usually go. Why did they send out a message about a trivial precaution everyone knows about? Just to spam me and divert my thoughts from other tasks? And why do they send me a warning about a modem? I do not have any cable modem at all, and I have nothing with them except a mobile phone subscription.

Surprise conditions. I recently changed from one subscription to another to save a few euro a month. On their site, there was a great comparison chart, which listed the difference in conditions. I got switched, and suddenly my iPad lost internet connection. I walked into one of their shops, and they explained that the new subscription did not include the extra SIM-card I used. I could get that service at an additional fee, which meant that my saving per month was close to zero. Besides, there was an activation fee to "activate" the SIM card I had been using for years.

Lost iPad access abroad. For quite a long time, my iPad refused to access the internet when I was abroad. The iPhone SIM worked fine. A few times, my provider sent me new SIM cards that worked for half a day abroad, before the connection failed without any useful error message. This was fixed when I finally got to talk to someone at a super-helpdesk, who revealed that there could be a difference between the SIM-cards needed in iPads and iPhones, even though this in most situations wasn't noticeable. I got a new SIM directly from their central, and the iPad started working again.

Twitter links not loading - a paranoic trick

If you use Twitter and sometimes prefer to copy links to articles and open them in private browser windows instead of in the window where you currently run Twitter, you may have noticed that some links never open.

I don't know why this happens. There may be some check where the link originates from, or the change of environment could make the systems confused. That doesn't really matter. What matters is that...

There is a fix:

1. Copy the link to the tweet itself. (Not the link inside the Tweet.) You can do this for example by using the V-like menu icon in the top right of the Tweet.
2. Open the private window.
3. Paste and go to the link. You will now have opened the Tweet in a window where you are not logged in.
4. Click on the link inside the Tweet. It is now likely to work.

It it still doesn't work, try pasting the link into a completely different browser. I have seen some links that won't open in Firefox, even though they open in an equally private window in Chrome.

(Some notes on why you may want to do this in certain cases: when you click on a link, the receiving URL will get the data of the browser session. If it is a link to Youtube, and you are signed in to google, Youtube may add this to your video history and recommend similar videos. If it is a link to a newspaper you subscribe to, the newspaper will learn that you are interested in this particular article, which you have no interest in at all, as you just get it for a friend. And you may simply want to avoid all the cookies each and every website now clutters your hard disk with. You may also have a touch of paranoia and want to limit any traceable internet activity. No matter which reason, the fix works.)