It does. It's not obvious from the writing but Google actually sent this email to the attacker (which then redirected it mostly unchanged except for the To: header).
The main content of the email is text used for the "App Name" field of the attacker's OAuth app. This explains why the screenshot of the email actually does look weird, with unlinked URLs and weird formatting.
I'm pretty sure there is a lot more at the end of the email that makes it obvious it's not legitimate. But then I also understand how quite a few people wouldn't even get to the end.
The attacker did not change the To: header. This would invalidate the DKIM signature and result in a DMARC fail and the message landing in Spam (or being rejected).
You can receive e-mail with a To: header saying anything. It doesn't have to be you.
I don’t think the content was modified. If it had been then the signature would have been invalidated. The attacker found a way to send themself an email from Google that the author later replicated using Google workspace + a Google OAuth app. Then they replayed that because Google isn’t signing the “to” field.
> Then they replayed that because Google isn’t signing the “to” field.
Google is signing the To field (at least on all email they send me). The attacker didn't change that either, as displayed in the screenshots in the article. The attacker took an email legitimately sent from Google to them, then redirected it to the victim.
An equivalent real-world mail scenario would be me taking a letter from my bank to me, putting it in a new envelope, then sending it to you. Then your assistant takes it out of the envelope and puts it into your inbox. The letter in your inbox is a completely valid letter from said bank, intended for me.
There are two things in this article Google does badly: allowing free input of an app name and putting it directly at the top of an email they send without preceding it with an indication of what the email is about, and hosting user-managed websites on a subdomain of google.com.
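One defender-side check that follows from the thread's DKIM discussion, added here as an example (it is not code from the article or from any commenter): read the DKIM-Signature h= tag to see whether To: is among the signed headers, then flag a message whose signed To: does not name the mailbox it was actually delivered to. The sample headers are constructed, the domain example.com is a placeholder, and the Delivered-To header is assumed to have been added by the receiving mail system.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a DKIM-signed mail whose signed To: names the original
# recipient, delivered to a different mailbox (the replay pattern in the thread).
REPLAYED = """\
Delivered-To: victim@example.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=selector1; h=mime-version:date:message-id:subject:from:to;
 bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE=
From: Example Sender <no-reply@example.com>
To: original-recipient@example.org
Subject: Security alert

(body omitted)
"""

# Constructed sample: the same message delivered to the mailbox it was signed for.
DIRECT = REPLAYED.replace("Delivered-To: victim@example.net",
                          "Delivered-To: original-recipient@example.org")


def signed_headers(dkim_sig: str) -> set[str]:
    """Header names covered by the DKIM-Signature h= tag, lower-cased."""
    tags = {}
    for part in dkim_sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            # Folded header lines leave whitespace inside tag values; drop it.
            tags[key.strip().lower()] = "".join(value.split())
    return {h.lower() for h in tags.get("h", "").split(":") if h}


def replay_indicators(raw_message: str) -> dict:
    """Compare the signed To: against the delivery mailbox.

    The signature itself is not verified here (use a DKIM library for that);
    this only asks whether a valid signature would vouch for the recipient.
    Ordinary forwarding, mailing lists and Bcc delivery also cause a mismatch,
    so the result is a triage signal, not a verdict.
    """
    msg = message_from_string(raw_message)
    signed = signed_headers(msg.get("DKIM-Signature", ""))
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    delivered = {a.lower() for _, a in getaddresses(msg.get_all("Delivered-To", []))}
    overlap = bool(to_addrs & delivered)
    return {
        "to_is_signed": "to" in signed,
        "delivered_matches_to": overlap,
        "suspect_replay": "to" in signed and bool(delivered) and not overlap,
    }
```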
Of course they came from playing. But did you have people claiming we have a general AI while basic programming building blocks were still on the operating table?
Great work on the protocol!!
I am looking for some examples of creating my own custom client with the Anthropic API leveraging MCP, but I could not find any. Pretty much want to understand how Claude Desktop is integrating with MCP Server along with Anthropic API.
Can you provide some pointers about the integration?
e.g.
It's funny to see how people push their idea of what's important in life, the definition of short-sightedness, onto others. Spoken as if he found out about the meaning of life in the universe.
The author narrowly defines "capital" as the context of the argument:
"... industrialization shifted scarcity from land to capital (which throughout The World After Capital refers to physical capital, such as machines and buildings, unless otherwise noted)."
Seems a lot of comments here assume the broader definition of "capital", just want to point out...