Today, my university sent me a link to a mandatory cybersecurity training. In the HTML-formatted email, they included a link that looks like this:

https://university.matrixlnselu.com/training/home

But the actual link that would be opened goes to something like:

https://num9.safeclicks.protection.outlook.com/?url=https%3A%2F%2Fclick.marcon.university.edu%2F%3Fqs
%3D79af0e80a4fc65b28bc6d7truckf2e0620df074d3c5769b3901
732d80246a6a905559ef9d772af96560ba50bbfe6380c2309c565d
7e2c62631&data=05%7C02%7Csdbrewer%40university.edu%7Cb
702860502824bdd172f08dd421140a2%7C7bd08b0b13374dc194bb
d0b2e57a497f%7C0%7C0%7C638739364061829157%7CUngown%7CT
WFpbGZsb3d8eyJFbXBsex1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCI
sIlAiOiJXaW4zpenisFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7
C%7C%7C&sdata=Km50bFeo%2FrVW4AtWPtduUM2FZQhKdYWbcJQZlS
7YNjE%3D&reserved=0

(note: these have been munged so they hopefully won’t work)

There are actually two redirections in the link above. First, the mail system rewrites every URL you receive in email and replaces it with a database lookup at outlook.com, so that if they decide a URL is malicious (i.e. links to something they don’t like) they can make the link stop working. The second redirect is done by the system that generates the original email: they want to keep track of who clicked on the link so they can generate metrics about who is reading their emails.
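To make the two layers visible, here is an added example (not part of the original email or any vendor tooling) that peels nested redirect parameters off a link and compares every host the click would touch with the host shown to the reader. The sample link is constructed, shortened from the munged one above, and treating `url` as the only nesting parameter is an assumption based on that link.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters assumed to carry a nested destination. "url" is the one
# visible in the rewritten link above; other rewriters may use other names.
NESTED_PARAMS = ("url",)

# Constructed sample, shortened from the munged link in this post.
DISPLAYED = "https://university.matrixlnselu.com/training/home"
ACTUAL = ("https://num9.safeclicks.protection.outlook.com/"
          "?url=https%3A%2F%2Fclick.marcon.university.edu%2F%3Fqs%3D0123abcd"
          "&data=05%7C02&reserved=0")

def peel(link, max_depth=5):
    """Return the chain of URLs found by unwrapping nested redirect parameters."""
    chain = [link]
    for _ in range(max_depth):
        query = parse_qs(urlsplit(chain[-1]).query)  # also percent-decodes values
        inner = next((query[p][0] for p in NESTED_PARAMS if p in query), None)
        if inner is None or urlsplit(inner).scheme not in ("http", "https"):
            break
        chain.append(inner)
    return chain

def audit(displayed, actual):
    """Compare the host the reader sees with each host the click passes through."""
    shown = urlsplit(displayed).hostname
    chain = peel(actual)
    hops = [urlsplit(u).hostname for u in chain]
    return {
        "displayed_host": shown,
        "hops": hops,
        "mismatch": any(h != shown for h in hops),
        # Parameters left on the innermost URL. An opaque token such as "qs"
        # means the real destination is only known to the tracking server.
        "final_hop_params": sorted(parse_qs(urlsplit(chain[-1]).query)),
    }

if __name__ == "__main__":
    for key, value in audit(DISPLAYED, ACTUAL).items():
        print(f"{key}: {value}")
```

The chain stops at the click tracker: its `qs` token is resolved server-side, so nothing in the link itself tells the reader whether it ends up at the displayed address.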

I replied to the email to say “This seems like a terrible security practice. URLs should go where they say they do. And if they don’t, employees should be trained to not click on them. Duh.”

I replied back to the sender (which opened a “ticket” with IT) and I copied the Chief Information Officer of the university, whom I’ve known for many, many years. He replied first. “I hear you,” he said. But he made it clear this is just what we’re doing now.

I pointed out that I’ve always tried to teach people to never click on links like that, which leak information about your browsing activity. I spent most of my career pushing back against this kind of enshittification. But to little avail, seemingly.

We went on to exchange a couple more emails about feeling like grumpy old men complaining about the young whippersnappers who can’t read packet captures or “parse a coredump to save themselves.”

University IT replied later to close the ticket and say, “Thanks for the feedback. We will take it into consideration for future training notifications.” Heh. Right.
