Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams (cyberark.com)
166 points by jrenshaw on April 27, 2020 | hide | past | favorite | 67 comments


Just today I was joking with my colleagues on Teams - "Who is the Product Manager of Teams, and why hasn't Mr. Gates fired him/ her yet!"

At the peril of being downvoted, I am going to rant, but rant I shall.

Last year they tried to move all Skype users to Teams, which failed miserably. Today, they have tried doing the same, but much to my chagrin, the issue from last year still persists. We are not able to share screens with Skype users. One user just got irritated and left.

A few weeks ago they forgot to renew their SSL certificate, which is unacceptable for a corporation like Microsoft.

And now this. It makes me loathe Teams even more.


Teams has its issues, but compared to Skype it's amazing in my opinion. Granted, Skype is a pretty low bar to compare with, but still.

At my last company, Teams was introduced as a tool besides skype - and everyone was encouraged to move meetings etc. whenever possible over to Teams. It worked out pretty well, after a few months skype meetings became the exception, almost everything, especially if only techies were included, was happening on Teams.

I recommend giving it a serious try; some of its features do suck (notification settings etc. are absolutely horrendous and seem to not properly work half the time) but overall it improved the ways people communicated a lot compared to Skype. At least that was my experience :)


> Teams has its issues, but compared to skype its amazing in my opinion. Granted, skype is a pretty low bar to compare with, but still.

Yeah, it's amazing that such an aborted thing ever saw the light of day. Skype looks like a Windows program. Teams looks like an Android game.

About corporate: Skype can do a 250 people meeting, Teams can do only 100.

It is like in the old M$ joke: How wonderful it's gonna be when they will get it.

> At my last company, Teams was introduced as a tool besides skype - and everyone was encouraged to move meetings etc. whenever possible over to Teams. It worked out pretty well, after a few months skype meetings became the exception, almost everything, especially if only techies were included, was happening on Teams.

In my company people prefer Skype.

> I recommend to give it a serious try, some of it features do suck (notification settings etc. are absolutely horrendous and seem to not properly work half the time) but overall it improved the ways people communicated a lot compared to skype. At least that was my experience :)

It is a piece of crap. The only "feature" above Skype is that it has these groups. From a UI point of view it is a piece of crap. Who was the idiot that conceived such a crappy interface? When I start a new chat I want a new chat, not to see my last chat with someone else.


What are your issues with Skype? It always worked well for me to chat with coworkers and do screenshare.


- Coworker too silent in a conference call? You can't adjust their volume.

- Want to paste some code? Hope you like smileys everywhere! (This one alone blows my mind. How is this still a thing?)

- Want to send something longer than two twitter messages? Nope, can't have that! Please chunk it into separate messages.

- You receive an image. Why does it take three clicks before you can actually see it?

- How many Skype apps would you like? There's Skype for Business, Skype (the normal windows program), Skype (the Windows app)... Knowing the nonsense that is Microsoft's account system, you probably can't even communicate between them.

- Small hiccup in your connection? Video call now stays at crappy resolution. Solution? Switch to "show full video". Or back from it (cropped). Or fiddle with other unrelated stuff and pray. It's completely erratic.

- You chose "show full video"? Enjoy doing that again in 5 minutes when Skype decides it would really rather crop that person on the side of the frame.

- Trying to edit the middle of a message before sending? Enjoy our state-of-the-art "run spell check on the main thread after every character". Now you can type your message and then watch it appear on the screen in slow-mo over the next five seconds! (Not sure if this is 100% Skype's fault, but I haven't seen it elsewhere.)

That's all I can think of on the spot.


Yeah, you pretty much summed up all features of skype. You can chat and you can screenshare.

However, I do expect a little bit more than that in 2020 to be honest - I wanna be able to paste code snippets or the like without having to fear that skype introduces some weird special characters when copying it out of skype again (which caused super weird issues more than once).

I want to talk asynchronously: Skype (at least in the for-business variant that I know) is very intrusive; if someone messages you you get a window in the face, and if you click it away you have to do some seriously weird digging to see the message again.

Similarly, I want chat persistence that is not an absolute pain in the butt: If I wanna check what a colleague sent me three days ago in a chat, this has to be like one or two clicks away, not scrolling through stuff.

I want to talk to multiple people at once regularly (a team, a workgroup, you name it) without having to set up the group every single time.

I want to share GIFs and pictures, not just links.

... hope that gives you a bit of an idea on why I'm not particularly fond of skype :)


That's the reasons I like skype. It's for talking one to one. When I get a message, it's because somebody needs help now. Otherwise they'd send an email or use the group chat software.

The auto reformatting is annoying though. Outlook does even worse, always replacing dash with long unicode dash.


This is something you can configure in Outlook: go to settings, mail, autocorrect or something like that. You will see a table with all the substitutions and you can edit it, or completely disable it.


This is when I decided that Teams is hot garbage:

https://microsoftteams.uservoice.com/forums/555103-public/su... https://microsoftteams.uservoice.com/forums/555103-public/su...

It supports neither macOS nor Windows native notifications! On Mac this means all Teams notifications end up behind the native notifications.


Teams on the Mac is a UX disaster. Start the application, you get a Teams logo. Then it switches to a large white window, that can persist for up to 40 seconds (100 Mb fibre). No indication of what the app is doing. Downloading a full app every time? In some meetings I have lost the ability to access the chat. When trying to access recorded videos that I get a shared link to I end up with a login window that refuses to acknowledge any account (maybe I have no access, but that isn't what it tells me). The resources section, files etc., is confusing to the point of being useless and old videos just tell me a token has expired.


I really do hate the lack of native notifications. It's ridiculous


Teams on my Mac has this wonderful feature where the notifications render as a completely white rectangle until I mouseover, and then it finally renders the content.


> On Mac this means all Teams notifications end up behind the native notifications.

On the other hand, native Mac notifications are nowhere as feature rich as the custom Teams implementation.


What exactly does the teams implementation need to do that cannot be achieved with the Mac notifications?

When I get a notification all I want to do is be able to click it or dismiss it. But teams loves to appear on the wrong screen, behind windows, or just not show up at all. That combined with the questionable design choices of the UI, I have missed calls because I heard the sound but couldn't find the alert for it.

Sadly this is likely never to change since Microsoft does the exact same thing for Outlook, which is why I refuse to use it and just stick with native apps for work.


What do the custom teams notifications give you that isn't provided by the native mac notification system?


> And now this. It makes me loathe Teams even more.

Yet, feature-wise, nothing comes even remotely close. Nothing Cisco offers (Webex is a trash dumpster fire), Skype for consumers is garbage, Skype for Business marginally better, and the FOSS crowd... Mattermost is a decent Slack alternative but no video calls, Jitsi is flattened against the video call capabilities of Teams and Asterisk can't even get a multi-party video call done. Zoom is video calls only, and appear.in/whereby too (plus Whereby tops out at 12 participants).

Hate to admit it but MS Teams is so far away the others might just call it quits, the only thing it would need to completely ditch Webex and S4B at my employer would be an easy way to invite totally random guests to video conferences and support for dial-in via telephone as fallback.


If you look at Microsoft features in isolation they are often really bad. But taken together they add up to something that is difficult to compete with. On the surface you get chat/video calls/and live streamed events. But you also get Sharepoint, Onedrive and integrations with all the other Microsoft products. You may be able to think of products that do one of those things better, but it is tough to replicate the entire ecosystem.


Judging from the Office Wars of the '90s and '00s, this is a general microsoft product "personality trait"...


Teams UX sucks so bad. It's *&£+ing infuriatingly hard to create a simple meeting link.


Discord would tick all the boxes I care about, they'd have to pivot their marketing and "theme" a bit though. Or just release a separate corporate focused product that's still Discord under the hood.


I don't see a direct comparison with Slack anywhere, so maybe you are tacitly conceding that Slack, by far, is the best collab tool


> Slack, by far, is the best collab tool

I don't think any of them can be designated the best collab tool because they all (Skype, Zoom, Teams, Slack) have their strengths and weaknesses. I think Teams handles calls and video conferencing better than Slack, but Slack has a more intuitive and feature-rich experience for text-based communication and water-cooler style casual channels. Teams performs better on my machine. Slack has a much more reliable mobile tier. Zoom (not taking privacy issues into consideration) is unbeatable IMO for video reliability, I've used it for years across two major corporations now and it's yet to fail. I think Microsoft is aiming to make Teams unify the best of all these worlds.


Yeah Teams may be the best "do it all", but Zoom and Slack are far better at their focus. Slack makes it very well known they don't use the calling built into Slack, they use Zoom.


Teams has its issues, but this is a clickbait article.

> First, the attacker needs to issue a certificate for the compromised sub-domains.


Yes - can someone shed some light on how someone would (a) compromise a subdomain and (b) get a cert issued? This seems like you would need to be internal to the org, not the 3rd-party exploit the article is trying to push?


If you are able to host a file on the domain at a specific location, then you can use Let's Encrypt for instance.

Certbot uses one's ability to present a resource (aka acme-challenge) on the domain for issuing certs (either via HTTP or a DNS TXT record).

More info: https://certbot.eff.org/docs/using.html#changing-a-certifica...


Yes, but how would you host a file on the subdomain?


Presumably the ability to serve HTTP on ports 80 and 443 would be sufficient.


The issue is with Skype. Even between Mac and Windows users you can't do desktop control; screen sharing never works for me either.

Teams is 1000x better than Skype in my experience.


I read analysts' reports about Slack from time to time. It is amusing. Many investors looking at it from a market perspective claim that MS will crush Slack and potentially Zoom, because both are commodities included in your monthly 365 subscription. So reasonable companies will give up on the convenient Slack and Zoom combo over time. I just don't buy that simple logic because quality is simply ignored here. Your comment is in line with my thinking.


Companies ignore quality all the time to save costs. We're on the Office 365 bandwagon. We used Skype before company wide and Slack in IT. They made a group of seeing which tool is better. Slack ended up better, but Teams is free in our Office subscription, so now we are all on Teams (while in our team we still use Slack internally under the radar, especially because we have loads of useful plugins for builds, git, automation). Teams has some of those plugins, but it seems like some sort of cheap clone made with Material UI or Bootstrap that they just gobbled up in a few months to take on Slack. I ranted before about the notifications on Mac, about the support on Linux for some people, for us it doesn't even work with our conferencing equipment from Logitech (everything else works on a Mac with it, except Teams), but nobody cares, we have a good enough "free" solution.


Companies do not buy quality. They buy "integration". If your Slack does not work with Office 365 you're doomed.


Office 365 is crap too. Outlook web app is significantly slower than Gmail. Outlook doesn't even support labels natively, and their filters are miserable. Outlook web app still is far from feature parity with their desktop app and their desktop app doesn't work on Linux.

Outlook calendar automatically deletes the entire series when you try removing past events. I had a manager that left recently and therefore they cancelled a series. Rather than keep the previous events so that I could go back and see what I was doing on a particular day, it just removed the entire past series from everyone's calendar like they never attended.


My experience is different. Companies do interesting things nowadays to keep their “tech talent”. Maybe with Corona things have changed


> A few weeks ago they forgot to renew their SSL certificate

At the risk of posting an insubstantial comment, holy shit.


Weird lead in about GIFs to simply saying they had a subdomain takeover.


Clickbait.


Shame they totally skipped the whole subdomain takeover bit, which was required for the exploit to work.


I guess a DNS configuration issue doesn't drive as many clicks.



please change the title of this to remove the 'beware the gif' part if it doesn't have anything to do with the vulnerability really


Outside of my wheelhouse, but is the actual vulnerability here that legit domain has a legit subdomain CNAME record pointing at uncontrolled endpoint; $BAD_PERSON registers target domain and then tricks a user into hitting endpoint with credentials in cookies?


I'm confused as to how they do the subdomain takeover.


I had to read up on it, the gist of it is (these are example domain names I made up for illustration):

1. Domain like "abcde.teams.microsoft.com" has a CNAME that points to a domain like "abcde.microsoft-teams.com", but "microsoft-teams.com" is no longer registered to or controlled by Microsoft.

2. Hacker registers microsoft-teams.com, gets a LetsEncrypt SSL for it.

3. Send a message to someone with a GIF that was uploaded to "abcde.teams.microsoft.com". Teams thinks it's legit because it's a subdomain of "teams.microsoft.com", and SSL checks out, so it sends the user's auth token along with the HTTP request for the GIF. Problem is, it's sending it to the attacker controlled "abcde.microsoft-teams.com".

4. Since the hacker controls "abcde.microsoft-teams.com", they now have your auth token, which they can use to impersonate you.

Et voila, account takeover.

I'd bet that plenty of whitehats and blackhats have bots automatically crawling domains belonging to tech companies searching for subdomain takeover opportunities.


>Domain like "abcde.teams.microsoft.com" has a CNAME that points to a domain like "abcde.microsoft-teams.com", but "microsoft-teams.com" is no longer registered to or controlled by Microsoft.

Can you elaborate a bit on this? I get that these are example domains, but why would "abcde.teams.microsoft.com" (which is presumably controlled by Microsoft) point to a domain "microsoft-teams.com" that is not controlled by Microsoft? Was that a mistake on Microsoft's part, or did the attackers do something clever to gain control of that domain/point a Microsoft-owned subdomain to the attacker's domain?


Yup, in my hypothetical example, at some point "microsoft-teams.com" was registered by Microsoft. At that time, some engineer deployed something that involved the CNAME. Over time, "microsoft-teams.com" was moved elsewhere and the domain became unregistered, but the engineer maybe forgot or left the team, and nobody remembered that there's this out of date "abcde.teams.microsoft.com" DNS record just sitting there.

Microsoft has a lot of these, just random Microsoft-ish domains that were used at one point or another. It's a problem because it makes it harder to look at the domain name as a sanity check against phishing.


Microsoft and other large companies are made up of many smaller groups, and to make this work there are a lot of extra rules. For the most part those rules serve a purpose and the benefit outweighs the cost. Sometimes these rules create extra problems, because of how people actually make choices and use the resulting system.

It is likely there is a detailed change approval process for updating a *.microsoft.com DNS record. Or that only certain depts can make changes, and only for certain reasons. Someone involved with Teams avoided that by using a separate domain and a CNAME record, then they could update their separate domain records more easily. Later someone forgot to register this domain, and/or forgot to update the DNS to somewhere that is under their control, or forgot to put in sufficient checks to prevent tokens being shared with unauthorized servers.


I don't think you got it quite right. No one would ever see microsoft-teams.com and you wouldn't need an SSL cert for it. The CNAME affects the DNS lookup, so if you ask "where's abcde.teams.microsoft.com", the server replies "it's at the same IP as microsoft-teams.com, so go look there".

Since you control the DNS for microsoft-teams.com, you can point it to your server. Now both domains point at your server and you get all requests to abcde.teams.microsoft.com. That's how they get cookies.

You can get an SSL certificate because you can serve anything for abcde.teams.microsoft.com. That includes abcde.teams.microsoft.com/.well-known/acme-challenge/* and the .gif (or other) resource you use to steal cookies.

Either abcde.microsoft-teams.com is a typo or you seem to think CNAMEs work like an HTTP redirect, which they don't.


Aha! Thank you munchbunny. Another title for this article could be "How some major tech companies' DNS record management practices left your organization vulnerable to attack". This is a great lesson for all of us. Leaving old records in DNS is so easy to do.


> I'd bet that plenty of whitehats and blackhats have bots automatically crawling domains belonging to tech companies searching for subdomain takeover opportunities.

If Microsoft had one of these, they could've caught this before it was exploited.


Those records probably pointed to an IP or a CNAME which was not registered or not under Microsoft control. But some more information on that mistake would have been nice.


Came here to ask the exact same question.

TL;DR: Authorization cookie for an important Account API is sent to *.teams.microsoft.com and they got control of a subdomain of that somehow.


Putting subdomain takeover aside, are the gifs that are available to use in the chat pane all screened by Microsoft and deemed SFW (safe for work)? I see some of them are watermarked with 'giphy'. Does that mean if it's available on giphy.com it's available to share on Teams?


As admin you can control the content restrictions for GIFs. It's like sfw, sketchy, nsfw, if I recall correctly. But yes, if it's on Giphy it's on Teams.


Ugh, that was an annoying article. Clickbaity and burying the lede, which turned out to be very uninteresting.


Wasn’t WhatsApp also compromised via gif? Gif is a really remarkable format that seems so simple but it’s much more. It’s just a series of images with timings but then you realize that the first few bits of the gif can be written with arbitrary code.

A somewhat deep dive into the format https://enthusiasms.org/post/16976438906


Except in this case it didn't really have anything to do with GIFs. The actual vulnerability was caused by misconfigured DNS settings for *.teams.microsoft.com


Yes I know. I was referring to the title of the article.


This attack does not depend on the GIF. It could just as well have been a JPEG.


Code is data. Data is code. The difference is metaphysics; the machine doesn't care. Any parseable data format has the potential to trigger a bug in the parser.


I was always confused by seeing those types of exploits. In my head, I could not see why a GIF would cause anything other than something showing up on screen. But then I remember I think of offline activity.

All that said, and please excuse my ignorance here, but how common is it for subdomain not to be under the control of its owner?


2018: You CNAME subdomain.microsoft.com. to blahblahblah.heroku.com.

2019: You replace blahblahblah and shut it down on Heroku

2020: An attacker creates blahblahblah.heroku.com. and can now read and write cookies for *.microsoft.com.

Replace Heroku with any off-domain hosting service that lets you register a vanity or predictable hostname rather than assigning a GUID.
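The numbered walkthrough earlier in the thread (a `*.teams.microsoft.com` record whose CNAME target lapsed) and the Heroku timeline in this comment describe the same defect, and the same check an organization can run over its own zone to find it first. The audit below is an added example, not code from the thread or from CyberArk's write-up; every hostname and resolver answer is constructed (RFC 2606 reserved names), and `resolve` is a stand-in for a real DNS query.

```python
# Dangling-CNAME audit over a zone we administer. Added example, not code from
# the HN thread or the CyberArk write-up; all hostnames and resolver answers
# are constructed (RFC 2606 reserved names) and `resolve` stands in for DNS.
from dataclasses import dataclass
from typing import Callable, List, Tuple

Answer = Tuple[str, str]  # ("CNAME", target) | ("A", ip) | ("NXDOMAIN", "")


@dataclass
class Finding:
    name: str          # record in our zone that is at risk
    chain: List[str]   # CNAME targets followed, in order
    severity: str      # "high" (dangling/looping) or "info" (third-party)
    reason: str


def follow_cname(start: str, resolve: Callable[[str], Answer], max_hops: int = 8):
    """Follow the CNAME chain from `start`; returns (chain, final_name, status),
    where status is the terminal answer's rtype, or "LOOP" past max_hops."""
    chain, current = [], start
    for _ in range(max_hops):
        rtype, value = resolve(current)
        if rtype != "CNAME":
            return chain, current, rtype
        chain.append(value)
        current = value
    return chain, current, "LOOP"


def in_our_control(host: str, apexes: List[str]) -> bool:
    """True if `host` sits under one of the zone apexes we administer."""
    return any(host == apex or host.endswith("." + apex) for apex in apexes)


def audit_zone(cnames: List[Tuple[str, str]], apexes: List[str],
               resolve: Callable[[str], Answer]) -> List[Finding]:
    """Classify each (owner, target) CNAME record found in our zone."""
    findings = []
    for owner, target in cnames:
        chain, last, status = follow_cname(target, resolve)
        full_chain = [target] + chain
        if status in ("NXDOMAIN", "LOOP"):
            # The name we delegate to does not resolve: whoever can register or
            # claim `last` answers for `owner`, and clients that trust the parent
            # zone (cookie scope, token sending) will trust them too.
            findings.append(Finding(owner, full_chain, "high",
                                    f"dangling: chain ends in {status} at {last}"))
        elif not in_our_control(last, apexes):
            # Resolves today, but its lifetime is tied to a third-party account;
            # re-check on a schedule rather than once.
            findings.append(Finding(owner, full_chain, "info",
                                    f"third-party target {last}"))
    return findings


# Constructed zone for example.com (our apex) and constructed resolver answers.
OUR_APEXES = ["example.com."]
ZONE_CNAMES = [
    ("abcde.teams.example.com.", "abcde.example-teams.com."),  # lapsed domain
    ("www.example.com.", "edge.example.com."),                 # healthy, internal
    ("blog.example.com.", "blahblahblah.hosting.example."),    # live third-party
]
CONSTRUCTED_ANSWERS = {
    "abcde.example-teams.com.": ("NXDOMAIN", ""),
    "edge.example.com.": ("A", "192.0.2.10"),
    "blahblahblah.hosting.example.": ("A", "192.0.2.20"),
}


def constructed_resolve(name: str) -> Answer:
    """Stand-in for a DNS lookup; unknown names answer NXDOMAIN."""
    return CONSTRUCTED_ANSWERS.get(name, ("NXDOMAIN", ""))
```

Running `audit_zone(ZONE_CNAMES, OUR_APEXES, constructed_resolve)` flags the lapsed-domain record as high and the live third-party host as info; a real run would swap `constructed_resolve` for a resolver and also fingerprint provider "no such app" pages, which DNS alone cannot see.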


> All that said, and please excuse my ignorance here, but how common is it for subdomain not to be under the control of its owner?

This is how FreeDNS works: There's lots of domains which are donated to the project, and people can register subdomains of those domains and have them point to their own systems, with software to ensure the DNS records stay up-to-date even in the face of dynamic IP addresses.

https://freedns.afraid.org/faq/


... buried the lede

it's subdomain takeover


It's not buried; it's in the 2nd sentence of the abstract/summary:

"leveraging a subdomain takeover vulnerability"


This is why one should not automatically load external content in e-mails. This Forbes article covers the same territory: https://www.forbes.com/sites/thomasbrewster/2020/04/27/your-...

I have to say, these headlines immediately made me think of this long ago fixed bug: https://www.cvedetails.com/cve/CVE-2008-2160/


That's not what this bug is about. The bug is not to do with the content, but merely the connection. And it's only "external" because Microsoft relinquished control of its internal system but still treated it as internal.



