Thank goodness Microsoft isn't trying to force users to access their local PC through a Microsoft Account.
The amount of dark patterns on Windows nowadays is insane. If you want to go through the OOTB setup and use a local account, you'd better not connect to a network (which it's very pushy at getting you to do.) It's literally not an option to set up a local account in most cases. I've rarely touched Windows in the last decade and I'm better for it.
In Windows 11 Home 22H2, it's practically impossible to set up without a network connection, which has been a huge pain for me since my mobo's onboard ethernet drivers aren't included (too new, I guess). It's been at least 15 years since I needed to side-load a driver during an OS install to be able to complete it successfully, and the last time was a niche Linux distro. The so-called "workarounds" online are hit-or-miss.
What I've done is sign in using some throwaway account on setup, create a new local user once logged in, login to the new local user, and delete the old user with the Microsoft account.
I think you can also simply unlink and sign out of the Microsoft account once logged in to effectively make it a local user, but your user folder is stuck using the username of the Microsoft account, which also gets cutoff after like 8 characters.
I abhor the whole process and it's annoying because there's no other way to create a local account during Windows 11 setup on e.g., a laptop because it knows that the wifi module works and will not let you progress unless you connect to the internet. I tried unplugging my modem and connecting to my internet-less router, but it still refused to progress because it didn't have internet access.
Don't even get me started on the other dark patterns once you actually have a local user setup, like being pushed through part of the OOTB Windows setup again after a major feature update asking you to login into a Microsoft account and making sure you still want all the (user accessible) telemetry off.
The worst part is that I actually like Windows 11 and some of the new features like the tiling layouts when hovering over the maximize button on a window, the new default terminal program, etc. But, the whole thing is entirely soured by dark patterns like the aforementioned forceful use of a Microsoft account, all the extra Edge and Bing crap being shoved down my throat, the poor web-first Windows search, widgets just basically being an MSN feed, Teams starting at login by default on a new install, random apps and games being advertised in the start menu on a new install, etc.
You realize most windows users will simply go with the flow?
Of course, but what's your point? That's not meant to be rude. I'm just confused because I'm talking about myself, not "most windows users".
My point is that there’s a small loophole still open and actionable for power users right now, but that won’t be the case for too long. Probably the best thing is to start migrating to a different platform, or at least start thinking about it.
That's a fair point, but even if they got rid of this loophole, I'm sure there'd still be a registry or group policy loophole. I'd totally switch to Linux if it wasn't for my gaming library, my Nvidia card, and some of the software that I use that is either Windows only or works better on Windows, like the Affinity suite, Blender, UE5, etc. I know the latter two support Linux, but it goes back to the Nvidia card and they simply run better on Windows, at least from my experience. Proton also seems like a pain requiring Steam/Lutris to manage different versions of Proton/Wine, plus a good chunk of my gaming library isn't supported.
So instead of keeping a windows machine exclusively for your old catalog of games you likely rarely play and only buying new games which run under Linux, you're gonna keep upgrading through whatever nightmare path remains available just so your main PC can run those games?
Or is it that you're so concerned with experiencing specific games which will come out only for windows that you're willing to suffer that hell?
Because really... Your comment makes you seem irrationally attached to windows only games....
I only have the one machine and I'm not buying another just to move to Linux. Maybe when it's time to upgrade, I'll go for an AMD GPU and move to a Linux distro.
Regardless, I mentioned other software besides video games and there's more besides what I listed. I've already gone through the process of making Windows less of a nightmare that it's not a problem for me right now. So no, I don't think it's irrational, regardless of video games, to go through the headache of dealing with Linux distros right now, which I've done plenty of in the past and is its own hell that I'd have to suffer.
For me, that platform is Windows LTSC / Enterprise / IoT, using a resale market product key.
Yeah, in the same way that cattle at the slaughterhouse "go with the flow"?
In order to get out of using the M$ft account for my dad on win11 I had to disable secure boot, use regedit, etc and it was all very dark and time consuming. Microsoft is The Worst.
There are much easier solutions than that. I've not tried the sibling's idea, but just not connecting it to wifi, pressing shift+f10 and running "oobe\BypassNRO" is enough. It's still ridiculous and shameful behaviour from Microsoft, but disabling secureboot isn't necessary.
That works for the initial logon attempt, but after that the computer was locked in “S mode” where it doesn't allow you to install anything. In order to get chrome running we had to do the above.
You can always utilize no@thankyou.com and it will go straight into creating a local account.
"Setup For Organization/School" then, "Domain Join Instead"
is the spell to just make a local account on Professional Edition.
If you have Home Edition, you have to use the "no network" option in the OOTB setup.
I was seriously shocked at all the abuse when I had to install a new winblows laptop for a relative. How is any of it legal? How the hell did we let it happen? Mindblowing.
What should be made illegal?
I don't know man, maybe a massive antitrust case is enough.
Windows 10 (not even 11) was so annoying on the last random laptop that I'm not dealing with it again. And I gotta stress how low my bar is. I don't care about privacy or anything on random spare PCs, I just want it to work without harassing me constantly, and up until now it was tolerable. Idk what a dark pattern is, my word for this is "dogshit." It's more annoying than dealing with Ubuntu's random issues at this point.
Doesn't MacOS require an iCloud account for updates ... effectively making it "required" to use the OS?
Mac App Store app updates, yes. macOS system updates, no.
Xcode / compiler - yes.
AFAIK you only need an iCloud account to use iCloud related features, like the app store, syncing across devices, access to Apple services, etc. It's very much usable with just a local user.
Admittedly, they do heavily suggest connecting an iCloud account.
Right. They bother a little about it, but some of my spare Macs have no iCloud account associated, and it's fine.
You also literally can't even launch an iPhone past the initial screens without creating/logging into an Apple account. At least Google lets you use an Android phone without forcing an account.
"Literally" untrue.
> If you want to go through the OOTB setup and use a local account, you'd better not connect to a network (which it's very pushy at getting you to do.)
Pulling the ethernet plug to get a local account doesn't even work anymore. The only trick I know still works is to give it a fake account (like test@test.com).
Not an option unless someone searches YouTube. https://youtu.be/EOUcvgqOV-0
Are you sure there isn't some button visible on screen to create a local account?
I've always been installing Pro versions and I've never been forced to use MS account
It’s the domain join instead dark pattern at the bottom of the screen
If this is real, $50,000 USD is a laughably small sum for the database. It reminds me of Dr. Evil's demand for 'one million dollars', you have to jack up the number to be taken seriously.
Was at a small startup. We kept begging CEO to raise prices so customers would take us seriously and stop laughing at us. Finally he tripled the prices.
We started landing new customers like crazy and in a few months got to 1,000 monthly paying customers. Same products.
Customers might reasonably believe you won’t be able to provide the advertised service if the price is infeasibly low.
This is old-skool salesmanship. If you don't make it expensive, the sales prospect won't think it's valuable.
Apple has known this since they were founded.
No, it's more that if your prices are too low it's either a scam or you're terrible at business. In both cases, you're not a trustworthy business partner.
I'm immediately reminded of Dr. Evil's demand for... one million dollars!
Also for a company the size of Microsoft, 30 million accounts seems very small. What user accounts would this database even contain?
This whole thing seems a bit fishy.
MITM'd login services perhaps? It does seem like a small number for Microsoft. Like robbing a bank and making off with $50
Could be an event like Microsoft Build conference or something.
Or the 100 "sample" accounts are sourced from unrelated phishing and there is no breach. Most of the phishing emails I get lately are trying to get me to fill out a fake MS login page.
Almost like it might be a scam, odd
A bug bounty would possibly have a bigger payout lol
This is possibly from some other breach and nothing to do with MS
I did receive a notification from Microsoft of a suspicious login about a week ago. The password for that account was a relatively strong one (upper/lower case, numbers and some symbols I think). It was an actual login, not just an attempt. I also don't use my Microsoft account for anything (no Windows/Xbox).
So I'm inclined to say that they have had a breach.
Let's remember what Microsoft said in their DDoS's blog post:
"We have seen no evidence that customer data has been accessed or compromised." -
https://msrc.microsoft.com/blog/2023/06/microsoft-response-t...
There you go, this news article is the evidence of intrusion + data breach
It continues to be a travesty of breach disclosure that companies are legally allowed to claim the best possible outcome without any proof. Only definitive proof of compromise compels them to indicate any problems at all, and they still get to downplay it to the minimal proven consequences.
This is totally ass-backwards. There is negative incentive to do any investigation. An investigation can basically only make things worse, as you get to assume no harm when you are ignorant.
They should be required to disclose the worst with only a thorough investigation demonstrating a credible absence of compromise allowing a positive statement.
This incentivizes investigation and properly errs on the side of the victim when assessing risks.
Basically, a company is only incentivized to disclose compromises that were intentional and financially motivated. That is, a hacker that intends to extort the company, sell the information or abuse it for financial gains will ultimately cause too much noise to keep it under the rug.
If this is what the company anticipates they will have to investigate and disclose.
If the breach is a foreign government or hush-hush data hoarder or the result of plain incompetence, the company can absolutely ignore the problem.
Not even then. The company is only incentivized to disclose when there is public proof. Until there is public proof or compelling proof submitted by a victim they are not liable for their calculated willful ignorance.
The consequences to a company only manifest when noise is being made with proof. That is totally ridiculous.
How would it work to be required to disclose the worst, though? In most instances, you literally can't describe the worst possible case in the first hours/days of the discovery.
You'd be requiring companies to speculate on the outer bounds of something that is simply not knowable.
That is pretty easy: “We have been breached. Everyone may be affected. Preliminary results of our investigation to come shortly at {URL}.”
Sucks to be them, but then they have a very strong incentive to quickly begin investigation and triage so that they can quickly identify who is actually at risk.
It is ridiculous to sacrifice the victims by keeping them ignorant of the risks they are facing so that the company can save face. They should not be allowed to blindly speculate that everything is perfectly fine, which is simply not knowable without an investigation.
How long until those become the security equivalent of Prop 65 "causes cancer" warnings? Or the shitshow that DMCA takedowns are today?
What's the burden of proof to confirm that the first sentence in your quote is correct? (Can I just claim to have breached some company and have the law compel them to issue that quote?)
You're frustrated that companies are issuing information-free notices today; your proposal appears to make them issue information-free notices tomorrow.
Establishing the presence of any data breach is far easier than establishing the exact scope. My proposal moves the burden of proof to just establishing the former and demanding the company prove the latter. This is a division of labor that is common in safety-critical industries, with decades of proven results supporting the effectiveness of such a regime.
Your complaint that the situation will just turn into everybody acknowledging that they are hopelessly insecure is a far better situation than now, where everybody lies by claiming that they are secure. It results in the acknowledgement of breaches and the acceptance of liability that would be helpful for future legislation that can actually apply penalties for delivering products that are defective with respect to security.
Can I just claim to have breached some company and have the law compel them to issue that quote?
I don't think anyone would have to claim to have breached the company in question.
Just the act of asking the question would compel any company to have to respond "Yes, we have been breached."
> That is pretty easy: “We have been breached. Everyone may be affected.
so as a user, just assume this at all times, then. just assume that all of your accounts are hacked or will be in 10 minutes and don't put anything in them that you would not be ok with others knowing. I don't see the difference between just assuming they're all compromised and waiting for a company to tell you that your account may be compromised and that they'll tell you more in 2 years once the investigation is fully completed and everything is known.
> It continues to be a travesty of breach disclosure that companys are legally allowed to claim the best possible outcome without any proof
> "We have seen no evidence that customer data has been accessed or compromised."
I think they are sincere here. I too have seen windows machines being compromised and the system, with the latest certified antivirus, run happily. /s
They are taking advantage of the "innocent until proven guilty" that is really only applicable to criminal charges but many people seem willing to extend it more generally.
The followup question to those kind of statements should always be "do you have any evidence that your accounts are not compromised?"
I.e. absence of evidence is not evidence of absence.
> It continues to be a travesty of breach disclosure that [companies] are legally allowed to claim the best possible outcome without any proof.
what proof would you propose that you be shown? how do you prove something didn't happen?
This article is evidence? what?
That does seem like an odd thing to include in a post-mortem. I can see appeasing to the layman by saying that but it’s unusual for sure.
Usually, breaches this size from tech companies that should know better are accounts that were part of another breach and reused their password.
Well. That is an annoying password to have to change. Most of them I don’t care much about because I just generate a new one and away I go.
The Microsoft password is one I couldn’t just copy paste from a password manager and now I have to change and relearn it.
Damnit.
Do you use MFA on your accounts? I guess if the attackers have the MFA seeds as well that wouldn't matter.
Is it a thick client app that you cannot use the password manager? Or just a web page that adds "onpaste=..." handlers to make life unnecessarily difficult? The latter can be "fixed" with some JS console magic.
Might be the password to login to the computer itself.
Yes. It’s my gaming machine log on. It’s just easier to know this password than to always have to find it.
I do not trust corporations, so I generally do not do things like biometrics and stuff.
I don’t completely understand how pins are more secure than my complex password either. That could be ignorance.
Worth noting that Microsoft lets you set up single-machine passwords (they call it a PIN) that you can use to access a user account on a machine without having the password for the associated MS account. That way you can have a secure (and changeable) MS account, but the single-machine PIN can be something you don't need to copy/paste.
Do you need a password on your gaming machine? What is your threat model?
Even if there’s nothing on the machine itself you care about, don’t forget about everything else it can talk to on your local network.
So the scenario is: somebody breaks into the house, sits down at the gaming PC, and is able to poke around the local network because the gaming PC has no login password?
I wouldn't say it's THE scenario, but it's A scenario.
There's a reason IEEE says it's best practice to give IoT devices a strong username and password and to segment them away from the rest of your network, right?
"All rumors are false until officially denied" - Nassim Taleb
Don't make me dig out this exact quote from Yes Minister in the 1980s.
Sir Humphrey Appleby, surely?
"a large database containing more than 30 million Microsoft accounts, emails, and passwords."
A database containing passwords? Why would anyone store passwords in a database is beyond my comprehension.
However you store them, it is a database. And there's actually nothing wrong with using a relational database for that. (Of course, you don't store passwords, but salts and salted hashes.)
Of course there is nothing wrong with using a relational database. My concern was about storing passwords in it. There is a difference between storing passwords and storing hashes and/or salts.
Where else should you store the passwords?
In general, you don't. You store hashes. Exceptions sometimes apply when it's a credential used to access some other system - for example, Plaid's gonna have to store your bank account password to scrape it - but there you'd at least hope for encryption.
Media coverage tends not to get the distinction right, so it's always hard to tell if the company fucked up or the attacker is exaggerating on early coverage.
(Assuming this is what you meant by *but there you'd at least hope for encryption*, but expanding to verify): Even in this case, it seems unreasonable to store the password. Rather, the user's Plaid login should act as a part of multi-token access setup, where Plaid's backend services' tokens can also be used to decrypt the user's credentials in order to authenticate to those other service.
In short: even then, storing plaintext passwords seems... like choosing convenience for security, and that seems very wrong.
Nobody said the passwords weren't hashed
The article states "the group provided 100 credential pairs". That indicates one of a couple things; a) lying attacker providing old hacked accounts, b) unsalted or weakly salted credentials vulnerable to rainbow tables or brute force or c) plaintext storage.
Or it's just credential stuffing matching email with plaintext passwords from other old breaches, or they created 100 accounts and thus know the password, etc.
Until a more detailed investigation/write-up comes out it's difficult to say for certain what they have, if anything.
It could also be colloquial use of "credential pairs." In that it could be that they were, in fact, hashed; but the report went with a quick verbiage to say they were leaked. Especially considering that most hashing/encoding tricks will go out of date and many common passwords will still be as effectively leaked.
Hashes aren’t passwords. So if they only have hashes, they don’t have passwords.
Not at all. You store a salt and the hash(pw+salt).
that's still "storing the passwords", though. no one said it should be stored in plain text.
No, a one-way hash is not "the password". If you have the hash you can't use it to login or reverse it to a password without brute-force comparison, which is why you always store a hash with salt using a slow hashing algo, and not "the password". This has been best practice for years, so a DB breach does not mean the passwords are compromised.
Right, but if someone mentions passwords in a non-technical context like a random Twitter thread, it's possible they mean the hashes.
I agree, but it's still the password in that it's the secret set of characters needed to be compared against to login. It's just not the same text a user would enter when prompted for the password.
Keep in mind these hackers are the ones saying they have passwords and this is Microsoft. Most likely hashes.
I disagree; you cannot use the hash to login, therefore it is not a password. Is a digital signature the item it is signing?
The whole point of hashing passwords is so if the DB containing them is breached the passwords are not compromised.
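The salt-plus-slow-hash storage the comments above describe, as an added example that is not part of the original thread: it uses Python's hashlib.scrypt (the cost parameters and the sample passwords are assumptions) and shows that a dumped row, hash and salt included, does not let anyone log in.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost settings for this example: scrypt with n=2**14, r=8, p=1 uses
# 16 MiB per guess, so brute-forcing a leaked table is slow and memory-hungry.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the row to store in the user DB: a per-user random salt and
    scrypt(password, salt). The password itself is never written anywhere."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute scrypt over the candidate with the stored salt and compare in
    constant time. Only the original password reproduces the stored digest."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def dumped_row_logs_in(record: dict) -> bool:
    """Model what a breached row is worth on its own: submitting the stored hash
    or the salt as if it were the password. Both fail; the hash is not the password."""
    return verify_password(record, record["hash"]) or verify_password(record, record["salt"])


def same_password_same_row(password: str) -> bool:
    """Two users with the same password get different rows because each gets
    its own salt, so one precomputed table does not crack both at once."""
    return hash_password(password)["hash"] == hash_password(password)["hash"]


if __name__ == "__main__":
    row = hash_password("correct horse battery staple")  # constructed sample
    print(row)
    print(verify_password(row, "correct horse battery staple"))
    print(verify_password(row, "wrong password"))
    print(dumped_row_logs_in(row))
    print(same_password_same_row("hunter2"))
```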
Be warned that this makes your authentication system less secure because it caps the maximum entropy of the password to the entropy of the hash function.
You need crazy long passwords for that to become the limiting factor. With random printable characters on the keyboard there are a bit less than 7 bits per character (unless a crazy amount of different accents are used). So you need passwords longer than 18 characters to surpass the entropy of even MD5.
What would you suggest instead?
A simple change if you don't want to change it too much eg. moving away from passwords would be to use a sponge function instead of a hash and and squeeze out the same number of bits as the plaintext.
A cryptographic sponge function has a fixed capacity, just like the fixed state size of a cryptographic hash function…
Good point. How about splitting the password into chunks, then using a key stretching algorithm on each chunk with difficulty tuned to be easier based off the total number of chunks, and concatenating them.
That sounds like the kind of homebrew crypto that one should never do in production. I'll stick to my boring but proven salted hashes, thanks.
on a post-it, under the keyboard. it's safer there
These huge centralized mono-system monopolies are quite the fire-hazard when it comes to security.
If Microsoft's centralization allowed for an attack vector to take down the whole western hemisphere's productivity for a week, could the resulting rage destroy the monopolies?
What’s the procedure for someone that has Microsoft accounts, change passwords?
> “We have seen no evidence that our customer data has been accessed or compromised” - Microsoft spokesperson
So they have been breached. Ok.
I don't get jumping to this kind of conclusion.
"Hacking groups" have tried this type of scam in the past, where they try and hot-glue some data from various sources and claim it's a bigger leak.
Or maybe they are so good that there is simply no evidence of their hacking.