Bypass “Less Secure Apps” in GMail With SeaMonkey Mail Using IMAP.

Problem: Google doesn’t support STARTTLS or plain username and password over TLS anymore.

Google has declared war on mail clients. It will probably get worse in the near future, but for now, you can still log in with a proper email program, like SeaMonkey.

When Google makes these additional changes I’ll see if I can hack around them too and update everyone.

(Google really doesn’t like IMAP because they can’t shove ads that look like email messages in it like they do in the Web Mail version. These are basically a phishing attack that Google lets advertising companies pay for.)

To help keep your account secure, from May 30, 2022, ​​Google no longer supports the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.

Important: This deadline does not apply to Google Workspace or Google Cloud Identity customers. The enforcement date for these customers will be announced on the Workspace blog at a later date.

If an app or site doesn’t meet our security standards, Google might block anyone who’s trying to sign in to your account from it. Less secure apps can make it easier for hackers to get in to your account, so blocking sign-ins from these apps helps keep your account safe.

-Google

Solution: Fake the User Agent for Google.com and GMail.

Even though SeaMonkey Mail doesn’t have any security problems that Thunderbird doesn’t have, Google allows Thunderbird and denies SeaMonkey. They both use the same code to implement mail support.

To get around this, lie to Google about your User Agent String.

In about:config, right-click, make a new String.

Paste in general.useragent.override.gmail.com and for the value, use Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:115.14) Gecko/20100101

Be careful there’s no whitespace. Then do the same thing, make the value

Paste in general.useragent.override.google.com and for the value, use Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:115.14) Gecko/20100101

Then select OAuth as the authentication type and set up your GMail account in SeaMonkey and sign-in again (you may need to click the “Get Messages” button), and instead of seeing the “less secure apps” warning, it’ll log in and fetch your mailbox.

Every 18 months or so you have to bump the fake User Agent. This should be easy because Thunderbird uses ESR branches of Firefox (currently 115) and the minor builds on this ESR branch normally go to .14.

They only check the minor revision to make sure it’s not lower than the minimum required Thunderbird. They don’t check the major version to see if it actually exists yet or not. So putting “current ESR plus .14” works even though there is no such version.

This is important because I have also found out that if you’re not “following minor versions” of Thunderbird, Google will log you out and your mailbox will disappear from SeaMonkey until you bump it. And you usually only get two minor releases behind before they do this!

So really the only thing to bump is the rv:xxx.xx part of the String, whereas the x’s indicate the major and minor build of Thunderbird you’re claiming to be.

If you look in the “apps with access to my account” you’ll see an entry for “Mozilla Thunderbird” with “Access to GMail”. This is SeaMonkey.

“Security“ that you lie your way past. I like it.

Very “I’ll make three Windows Registry entries and Windows 11’s installer has no Secure Boot, TPM, or minimum processor anymore.” (which is also a thing) of Google.

I Just Call It “Diarrhea Code” When I Encounter a Website That Won’t Work in SeaMonkey and WASMs.

I Just Call It “Diarrhea Code” When I Encounter a Website That Won’t Work in SeaMonkey.

When you’re not nice to idiots who make “Modern” stuff, like “Diarrhea Code”, they pretty much just ban you from everything.

It’s “bad” to be opposed to bloated Web sites that stick out a sign saying you’re not welcome here because they’ve made a mess and it only works in Firefox and Chromium.

The reason I call code meant for Chromium “Diarrhea Code” is because it reminds me of what happens to a toilet bowl after you had too much Taco Bell and Mountain Dew. Stuff goes flying everywhere, it’s nasty, it makes the paint peel off the walls. It makes the buttons melt off your shirt. And you can’t wait to get rid of it.

20 years ago people began to push for what the Web is now. Binary blobs that run untrustworthy applications in your browser, too much JavaScript, HTML files that are several MB long and impossible to read that call out to this.

And they criticized people like me for writing clean, readable, markup, which was parsed, displayed, and presented to the user, over dial up modems, in a matter of seconds.

In 1999, you could right-click on my site and read the entire source code of the page. You didn’t have to take my word as to what was in there. I couldn’t have hidden much in there if I wanted to. HTML 3 and 4 were clean and readable by humans.

People said the situation where browsers would “forgive” slightly bogus tag use or the occasional typo (which I checked for) was “unacceptable” and now you have Microsoft Azure pumping in stuff that’s barely even code when you try to pay your electric bill with ComEd, and Chrome, Firefox, and Edge happily try to make sense of tens of megabytes of that.

Today in the GNOME room I was somewhat horrified to learn that you can make a Firefox .desktop that can handle mailto: with a Webmail “provider”.

I responded,

Webmail *barf*

They all have different interfaces. Piles of JavaScript, their spam filtering is not uniformly effective, and they almost always have ads and tracking scripts, or at least whitespace where the ads are supposed to go. Consider SeaMonkey Mail.

Now if you do load Outlook in Firefox, it tries to register itself to handle mailto: *rolls eyes* with a banner that pops up. Also, I have to lie to Google about my SeaMonkey UA with a pref to make it think I’m Thunderbird, even though the underlying Mail code IS FROM THUNDERBIRD.

Jamie Zawinski’s “Law of Software Envelopment” said that all programs expand until they can read email.

Giving mail so some garbage Web browser, which is made to run “Diarrhea Code” is only about the worst way you could expand something to read email.

Email belongs in a reader that supports POP3 and IMAP. Email should be text-only.

Sylpheed is a good Email program, but I doubt it could even handle GMail because of the entire OAuth debacle and needing to load a Web page to handle that, which sniffs to see if you’re “on the list” of allegedly secure “apps”, like Thunderbird, which just rewrote the entire GUI.

Someone already wrote why WASMs are terrible for security.

They have introduced an entire unique set of CVEs (listed in the monthly Mozilla patch updates, WASMs are roughly 10% of the attack footprint of the entire Firefox browser!) that will never stop, and they’re on by default in Tor Browser.

If you use a Web browser to handle your mail, eventually what they’re probably going to do is just rewrite the entire “Web” thing into a WASM blob which is so much worse than “Diarrhea Code”.

It won’t even be markup and scripts anymore. Just a binary program you can run it like it is, and none of your extensions (NoScript, ublock-origin, etc.) can act on the elements as they come in.

WASM is part of the Google trap to destroy the Open Web.

Widevine (Web DRM…I turn it off) and WASM are the warm up band for WEI.

And why wouldn’t you trust some skeevy porn or bittorrent site to send a WASM your way?

After all, Windows is a *very secure* operating system because you can just trust the operating system company that already has 95% of the total malware to make sure that WASMs can’t do any harm. 😛

And Mozilla can *obviously* make sure they stay in the “sandbox”. *LOL*

Even when they do stay in the browser sandbox, they can still do a lot of damage. They can spy on the user. They can mine crypto.

Crypto Miners that load in Web pages boasted that they were early adopters of WASM and they could use the victim’s phone or laptop to mine “Monero” at “70% of the speed of a native program”.

Turn it off.

Security Posers talking about “threat models” and “Secure Boot” in the firmware are just absolutely laughable in light of all of the new threats the same people, and the companies that handle them, stuff into everything.

This is worse than ActiveX and Internet Explorer. At least all you had to do to stay safe from that was find some other browser.

Now all Mozilla does is blind copy things from Google.

Geico Auto Insurance Tries Picking Pockets by Over-Estimating Annual Mileage During Renewal

Geico Auto Insurance Tries Picking Pockets by Over-Estimating Annual Mileage During Renewal

I received my next six month term from GEICO the other day, after receiving an email that SeaMonkey said was “suspicious” the prior month, stating that I needed to update my annual mileage estimate, or GEICO would just go ahead and reset it to 12,500 miles per year, which they claim is the “average” for Illinois drivers.

I drive about 4,500 miles per year to take the spouse to work and back and to run errands and perhaps 500-600 miles per year for “other” and another 500-600 for “vacation/travel”, so you add that all up and the most I put on my car is like 5,500-6,000 miles tops.

So I gave them an updated reading for the odometer and a realistic (maybe slightly over) estimation of annual mileage, so that my policy would be priced appropriately.

Then they just threw it over their shoulder and quoted me at 12,500 miles anyway and sent me the bill.

Today, I called GEICO at the 800 number listed on my insurance card and asked to speak to an agent.

When I did, and I told her I caught what they did and I was not amused and would like her to reset it and regenerate the policy while we were on the phone, she punched away at the keyboard and came back at me with a quote that was about $35 less.

It dropped from $551 for the next 6 months for full coverage on my Buick to $513.

GEICO is obviously in trouble financially if you read the investor-oriented news like I do, and they admit they’ve been looking for ways to fuck Illinois driver’s in particular with 30-40% rate hikes, and they claim they still lose money due to “underwriting error”, which is a fancy way of saying they’re not really good at anticipating what accidents, vandalism, and car theft will cost and pricing it in.

So that’s like, not my problem. If you want to change your underwriting formula, that’s totally up to you. There’s no law saying you can’t, but trying to pick $35 out of my pocket like this is just pathetic.

If they sneak this past most or all of the people in Illinois that insure with GEICO, how much money is that? And they can honestly say with a straight face that they’re just pricing in your risk because if they punch in 12,500 miles a year that’s what the computer says the risk is! Even if you’re not actually driving those “risky miles” they added to your bill.

This is like a restaurant not wanting to say your meal costs 8% more so they just add a slice of pie you didn’t ask for. It perplexes me why this is even being done. If they want more money, why is GEICO defrauding their customers instead of pricing things accurately at the time of the original quote?

It’s to make it look cheaper, and then they come back and defraud you and millions of others a year later when you’re probably not even paying attention and your email sends it to Junk.

More problems with Google’s “insecure apps” alert and SeaMonkey Mail.

I went to get my email yesterday using SeaMonkey Mail over IMAP.

Google logged me out of OAuth and then SeaMonkey said it failed to fetch my mail.

So I tried to log back in and it said I had an “insecure app” and to try again with another “app”.

After playing around with the User Agent again, I noticed that Firefox 106’s would work, but since Mozilla releases Firefox versions every 6 weeks, and Google is obviously making it impossible to continue logging in using the older version after another week or so, I decided to play around with User Agents until I found something that worked.

It turns out Firefox 102’s user agent doesn’t work for OAuth even though it’s an ESR.

So I decided to fake a Thunderbird “102.12” on “Windows 10” UA.

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0

I don’t know if Google logs you out and pops up an “insecure app” alert over minor revisions to Thunderbird, but it’s likely. The current release is actually 102.4 according to the Web site. This 102.12 bogus UA would therefore probably buy me about 8-9 months before I have to come back and bump it again.

You can use this value for these “new string”s in about:config

general.useragent.override.google.com

and

general.useragent.override.google.com

And that should be the last you hear about Google for a while.

You will obviously have to come back and bump it again sometime next year.

My guess is that when the next major version is out, use that followed by “.12.0 at the end of the Thunderbird part at the end, but not on the Gecko version.

OAuth is turning into a major usability disaster and there’s not any guarantee that simple UA hacks will keep SeaMonkey working. Google could actually resort to testing browser features that it knows are only in the latest “supported” applications.

Lenovo violates the United States CAN-SPAM Act of 2003.

Just a heads-up.

If you give Lenovo your email address to make an order, they’ll start sending you unsolicited emails every day or two, and they’ll ignore your unsubscribe requests even though they said it was processed.

This violates the CAN-SPAM Act of 2003. I’ll be lodging complaints with the Illinois Attorney General and the Federal Trade Commission shortly.

Apple has fallen to #4 in smartphone sales. Blames COVID and raises prices. Bonus: iClown Mail collapses. 2FA code proliferation. More fake privacy.

Apple has fallen to #4 in smartphone sales according to AppleInsider, citing a study by Trendforce, which now has Samsung, Oppo, and Xiami ahead of the iPhone-maker.

Apple blames COVID and the upcoming iPhone 13 launch, which they admit will be a “continuation of the 12 series”. Of course, anyone who knows Apple knows that they’ve barely improved their phones at all in the past several years, and aside from messages popping up saying your apps will no longer work because reasons and raising the price of the phone another $100 every time you go to replace it, Apple’s revenues would be in the toilet.

As it stands, they have Consumertards buying a $1,749 iPhone that can’t do much more than the $400 model.

It’s anyone’s guess how long this sad company that jumped the shark years ago and which has cheated off of Android except to remove the occasional Android feature that does something useful, can convince the market to accept its incessant price hikes for its vapid products.

In just the latest example of what happens to people who believe in Clown Computing, iClown email is down this morning and people can’t do anything with it at all.

If they had been using a proper IMAP email client with a local mailbox, they could respond to what was in it at least, from a different account, but they had their choice between that and an “app” that doesn’t work at all when it can’t ping a server, and they chose apps.

Now on to 2FA codes. AppleInsider posted an article on how to port over your codes from Google Authenticator to an iPhone. Google really doesn’t want you doing this. There are some open source authenticator apps that save the token you used to seed the generator, but mostly, if you use secure passwords that Firefox can generate on the fly, 2FA is rubbish in order to sell more phones and make it hard (if you use SMS) to change your phone number or carrier, or give up on using smartphones.

What’s more, is it’s almost impossible to keep track of it all and make sure you can log into everything important when you upgrade to a newer phone or switch carriers.

Finally, Apple is now popping up notifications that every iPhone has a unique advertising ID that follows you around and associates itself with you to help them sell personalized ads. If I was cynical, I’d say that blocking Facebook from doing essentially the same thing was a ploy to plow the road for this.