Microsoft Copilot - Safety ?

NichtnurBibelleser
NichtnurBibelleser Member Posts: 269 ✭✭
edited November 21 in English Forum

As MS Copilot is coming, other sources raise safety concerns. One issue would be that there will be ongoing “screenshots” of your PC (which could facilitate hacking into your system by simply read passwords).

What’s Logos’ take on this? 

Tagged:
«1

Comments

  • MJ. Smith
    MJ. Smith Member, MVP Posts: 53,059 ✭✭✭✭✭

    (which could facilitate hacking into your system by simply read passwords).

    Having a grandson who works at Microsoft on system security, I take exception to the suggestion that Microsoft is so stupid as to breach password protection in such a basic manner. [If you want military grade security you will have to see my nephew. You should hear them fight regarding the priority of potential risks. [8-|]]

    Orthodox Bishop Alfeyev: "To be a theologian means to have experience of a personal encounter with God through prayer and worship."; Orthodox proverb: "We know where the Church is, we do not know where it is not."

  • Don Awalt
    Don Awalt Member Posts: 3,521 ✭✭✭

    Having a grandson who works at Microsoft on system security, I take exception to the suggestion

    Calm down MJ and don't act like it's a personal attack, it's a legitimate question with real concerns if you have been reading any on the topic lately. I had some of the same thoughts and it goes beyond just passwords. Just a few of the news items that I noticed:

    Microsoft Copilot Plus hands-on: Does it need a Recall? 

    Windows AI feature that screenshots everything labeled a security 'disaster' 

    Researcher says Microsoft's Windows Recall has security gaps "you can fly a plane through" 

  • MJ. Smith
    MJ. Smith Member, MVP Posts: 53,059 ✭✭✭✭✭

    Just a few of the news items that I noticed:

    As my grandson's job is basically to hack Microsoft products (he once used his home computer by accident and set off alarms that MS itself was hacked), the articles say nothing I haven't heard before or assume likely true until actual release. Given how few of us need the function, the obvious solution is don't use the function. 

    This is a day I'd have trouble being more chill ... but it's not particularly Logos related and between politics and subscriptions, I truly need a break from fearmongering. I'm high on the Christian virtue of equanimity which, judging from the forums, is not a universally recognized Christian value.

    Orthodox Bishop Alfeyev: "To be a theologian means to have experience of a personal encounter with God through prayer and worship."; Orthodox proverb: "We know where the Church is, we do not know where it is not."

  • Don Awalt
    Don Awalt Member Posts: 3,521 ✭✭✭

    I take exception to the suggestion

    judging from the forums, is not a universally recognized Christian value.

    Maybe when things are getting under your skin a little too much that you feel like firing back, you could maintain a high sense of equanimity by just turning off the computer for the evening. Just a thought.

  • MJ. Smith
    MJ. Smith Member, MVP Posts: 53,059 ✭✭✭✭✭

    you could maintain a high sense of equanimity by just turning off the computer for the evening. Just a thought.

    I do, in fact, take short breaks of a few days from the forums when I have "had it". However, in this case you are reading much more into my post than I intended. I always use 

    I take exception to the suggestion
    in the mildest sense of annoyance

    [quote]

    The connotation of "to take exception to" lands somewhere between a strong and mild objection. It leans more towards the milder side.

    Here's the breakdown:

    • Literal meaning: It simply means to disagree or object to something.
    • Implied emotion: It suggests that the disagreement might cause some offense or annoyance, but it's not necessarily a full-blown argument.

    So, it's stronger than a simple "I disagree," but not as strong as "That's completely outrageous!"

    Here are some examples to illustrate the range:

    • Mild objection: "I took exception to the movie's portrayal of that historical event." (There's disagreement, but it's not a huge deal.)
    • More moderate objection: "She took exception to my suggestion, but we were still able to have a productive conversation." (There's some annoyance, but it doesn't stop the conversation.)

    If you want to convey a very strong objection, you might use a different phrase, like "I vehemently disagree" or "That's absolutely unacceptable."

    Orthodox Bishop Alfeyev: "To be a theologian means to have experience of a personal encounter with God through prayer and worship."; Orthodox proverb: "We know where the Church is, we do not know where it is not."

  • Don Awalt
    Don Awalt Member Posts: 3,521 ✭✭✭

    However, in this case you are reading much more into my post than I intended.

    I take exception to your assumption about how much I read into your posts 😉

    That's the way it is with the written word in the eyes of the reader, huh. Nobody knows if strong language was written with tongue in cheek, or a smile vs. a glare. It stands on its own.

  • MJ. Smith
    MJ. Smith Member, MVP Posts: 53,059 ✭✭✭✭✭

    Orthodox Bishop Alfeyev: "To be a theologian means to have experience of a personal encounter with God through prayer and worship."; Orthodox proverb: "We know where the Church is, we do not know where it is not."

  • Justin Gatlin
    Justin Gatlin Member Posts: 1,993 ✭✭✭

    Doesn't Copilot only save passwords if they are shown on the screen? Logos masks passwords, like almost every other app. So I don't see what security concern there would be regarding Logos.

  • Manuel R.
    Manuel R. Member Posts: 339 ✭✭

    As my grandson's job is basically to hack Microsoft products (he once used his home computer by accident and set off alarms that MS itself was hacked),  [...]

    I am sure your grandson does a great job. It's only the devs at Microsoft would need to listen to him (or the management) and probably would need to have a lot of more people like your grandson. Microsoft has a horrible security track record and even Satya Nadella had to reassure the shareholders in a recent earnings call that they want to improve security ( https://www.geekwire.com/2024/haunted-by-repeated-breaches-microsoft-is-putting-security-above-all-else-vows-ceo-satya-nadella/ ) - Because of the fatal breaches and security holes only in the last weeks and months. They brutally failed at essential things in the cloud and of course in the Windows operating system. Just ask Tavis Ormandy one of the best hackers out there can attest to that. Windows Server and Active Directory and Exchange used in most companies and institutions around the world is the primary reason why they all get hacked and all their files encrypted. I am sorry but Microsoft is one of the worst examples of cyber security. No wonder they are pushing Linux (even integrate it in Windows) and use a lot of Linux Servers in their own cloud.

    If you add up all the security nightmares Microsoft created over the years (and established as a standard) this would be a very long list.

  • Don Awalt
    Don Awalt Member Posts: 3,521 ✭✭✭

    The risks go beyond passwords. This is an informative article from the Malwarebytes web site:

    Microsoft’s Recall feature has been criticized heavily by pretty much everyone since it was announced last month. Now, researchers have demonstrated the risks by creating a tool that can find, extract, and display everything Recall has stored on a device.

    For those unaware, Recall is a feature within what Microsoft is calling its “Copilot+ PCs,” a reference to the AI assistant and companion which the company released in late 2023.

    The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them, so it can answer important questions like “where did I see those expensive white sneakers?”

    However, the scariest part is that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers and that data may be in snapshots that are stored on your device.

    Many security professionals have pointed out that this kind of built-in spyware is a security risk. But Microsoft tried to reassure users, saying:

    “Recall data is only stored locally and not accessed by Microsoft or anyone who does not have device access.”

    The problem lies in that last part of the statement. Who has device access? Although Microsoft claimed that an attacker would need to gain physical access, unlock the device and sign in before they could access saved screenshots, it turns out that might not be true.

    As a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity researcher, has released a demo tool that is capable of automatically extracting and displaying everything Recall records on a laptop.

    For reasons any science fiction fan will understand, Hagenah has named that tool TotalRecall.  All the information that Recall saves into its main database on a Windows laptop can be “recalled.“

    As Hagenah points out:

    “The database is unencrypted. It’s all plain text.”

    TotalRecall can automatically find the Recall database on a person’s computer and make a copy of the file, for whatever date range you want. Pulling one day of screenshots from Recall, which stores its information in an SQLite database, took two seconds at most, according to Hagenah. Once TotalRecall has been deployed, it is possible to generate a summary about the data or search for specific terms in the database.

    Now imagine an info-stealer that incorporates the capabilities of TotalRecall. This is not a far-fetched scenario because many information stealers are modular. The operators can add or leave out certain modules based on the target and the information they are after. And reportedly, the number of devices infected with data stealing malware has seen a sevenfold increase since 2023.

    Another researcher, Kevin Beaumont, says he has built a website where a Recall database can be uploaded and instantly searched. He says he hasn’t released the site yet, to allow Microsoft time to potentially change the system.

    According to Beaumont:

    “InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade—now these can just be easily modified to support Recall.”

    It’s true that any information stealer will need administrator rights to access Recall data, but attacks that gain those right have been around for years, and most information stealer malware does this already.

    Hagenah also warned that in cases of employers with bring your own devices (BYOD) policies, there’s a risk of someone leaving with huge volumes of company data saved on their laptops.

    It is worrying that this type of tools is already available even before the official launch of Recall. The risk of identity theft only increases when we allow our machines to “capture” every move we make and everything we look at.

  • Jerry Bush
    Jerry Bush Member Posts: 1,110 ✭✭

    On a different subject, I had MSCopilot write a 2,500 academic paper using sources and footnotes.

    It was spooky how good it was. Like crazy spooky.

    iMac (2019 model), 3Ghz 6 Core Intel i5, 16gb Ram, Radeon Pro Graphics. 500GB SSD.

  • Dave Gifford
    Dave Gifford Member Posts: 96 ✭✭

    Yes and it was less than amusing how MS tries to defend it. Now take, MS Recall into the highly regulated healthcare industry. In the US we have something called HIPAA. Now, EMR/EHR (electronic medical and health records) PC's will have a nice log, with text and screen shots, of patient data.

    They claim you can turn it off, however I imagine that is much like Incognito mode----ON but hey  google was still looking.

    Although MS claims it is stored locally only, does anyone really believe that?  It is one click away from being sent to our "trusted" government.

    This is a 1984 and Brave New World confluence. 

    Maybe add HAL into that thought process.

    Time to revisit ubuntu or air-gapped machines. 

    Dave

    p.s. On a lighter note----let's say as Windows Recall churns about---sees what you are doing---and sends missionaries to your door.

  • xnman
    xnman Member Posts: 2,779 ✭✭✭

    Welll... that just does it! Adding a bit of sarcasm into all this... as my granddad said more than once...."The more you open your door to outsiders, the more they will take over your life. Stop using all this digital stuff and have a better life!"  Maybe he was right???

    xn = Christan  man=man -- Acts 11:26 "....and the disciples were first called Christians in Antioch".

    Barney Fife is my hero! He only uses an abacus with 14 rows!

  • DMB
    DMB Member Posts: 13,413 ✭✭✭

     Maybe he was right???

    Maybe. Except your data is all over the commercial world ... using Microsoft.  You're doomed (smilimg).

    "If myth is ideology in narrative form, then scholarship is myth with footnotes." B. Lincolm 1999.

  • xnman
    xnman Member Posts: 2,779 ✭✭✭

     Maybe he was right???

    Maybe. Except your data is all over the commercial world ... using Microsoft.  You're doomed (smilimg).

    Yeah.... but you know how it is with Christians....  we never give up hope! We have faith!!!  [8-|]

    xn = Christan  man=man -- Acts 11:26 "....and the disciples were first called Christians in Antioch".

    Barney Fife is my hero! He only uses an abacus with 14 rows!

  • Dave Gifford
    Dave Gifford Member Posts: 96 ✭✭

    The letter of St. Paul to the churches of Microsoft, Apple, and Google.

  • MJ. Smith
    MJ. Smith Member, MVP Posts: 53,059 ✭✭✭✭✭

    as my granddad said more than once...."The more you open your door to outsiders, the more they will take over your life. Stop using all this digital stuff and have a better life!" 

    Equal time for alternative theology: "Let all guests who arrive be received as Christ" (Rule of Benedict, Chapter 53). There are no outsiders. [;)]

    Orthodox Bishop Alfeyev: "To be a theologian means to have experience of a personal encounter with God through prayer and worship."; Orthodox proverb: "We know where the Church is, we do not know where it is not."

  • 1Cor10 31
    1Cor10 31 Member Posts: 737 ✭✭

    Microsoft has a horrible security track record and even Satya Nadella had to reassure the shareholders in a recent earnings call that they want to improve security ( https://www.geekwire.com/2024/haunted-by-repeated-breaches-microsoft-is-putting-security-above-all-else-vows-ceo-satya-nadella/

    Ok, Manuel, you finance jock, you got me with your reference to "earnings call". I've read hundreds and hundreds of earnings call for investing and research purposes, and I never thought "earnings call" would ever be mentioned in Logos Forums. Another finance person in the Forum!

    I believe in a Win-Win-Win God

  • xnman
    xnman Member Posts: 2,779 ✭✭✭

    as my granddad said more than once...."The more you open your door to outsiders, the more they will take over your life. Stop using all this digital stuff and have a better life!" 

    Equal time for alternative theology: "Let all guests who arrive be received as Christ" (Rule of Benedict, Chapter 53). There are no outsiders. Wink

    Yeah right! lol  God said there were two roads... a wide one and a narrow one... and few there are that go down the narrow road - Mat 7:13-14.  Which brings up.. are there rules for going down the narrow road?  [8-|]

    Or maybe the question is, "Is Benedict more important than God"?   (Asking all this in fun... no disrespect meant) [8-|]

    xn = Christan  man=man -- Acts 11:26 "....and the disciples were first called Christians in Antioch".

    Barney Fife is my hero! He only uses an abacus with 14 rows!

  • Fabian
    Fabian Member Posts: 1,009 ✭✭✭

    As MS Copilot is coming, other sources raise safety concerns. One issue would be that there will be ongoing “screenshots” of your PC (which could facilitate hacking into your system by simply read passwords).

    What’s Logos’ take on this? 

    Du meinst wohl MS Recall https://www.heise.de/news/Erste-Erfahrungen-mit-Recall-9750138.html nicht Copilot per se, wenn ich deine Frage am Anfang richtig verstanden habe.

    Χριστὸς ἐν ὑμῖν, ἡ ἐλπὶς τῆς δόξης· 

  • (‾◡◝)
    (‾◡◝) Member Posts: 924 ✭✭

    For those who fear that MS is scraping your personal data, or are afraid that future hacks will expose it, I recommend the following:

    1.  Stop using MS OneDrive.  Use another, non-MS cloud service like pCloud which places a premium on your privacy.

    2. Stop using MS programs like Outlook, Office, CoPilot, etc.  Lots of good alternatives.

    3. Install and use DoNotSpy11.  If you are not familiar with this privacy/security program, check out the YouTube videos at the link.  I fully expect DNS11 to disable the Recall feature in Windows if/when it arrives in the Windows 11 24H2 release.

    Instead of Artificial Intelligence, I prefer to continue to rely on Divine Intelligence instructing my Natural Dullness (Ps 32:8, John 16:13a)

  • Fabian
    Fabian Member Posts: 1,009 ✭✭✭

    3. Install and use DoNotSpy11.  If you are not familiar with this privacy/security program, check out the YouTube videos at the link.  I fully expect DNS11 to disable the Recall feature in Windows if/when it arrives in the Windows 11 24H2 release.

    Is this similar to XP-Antispy I used 20 years ago? It was an issue then, and I guess it has not been better since then. If you read the condition on the new MS Outlook, you get goosebumps, but on the negative sort.

    Χριστὸς ἐν ὑμῖν, ἡ ἐλπὶς τῆς δόξης· 

  • (‾◡◝)
    (‾◡◝) Member Posts: 924 ✭✭

    Is this similar to XP-Antispy I used 20 years ago?

    I do not know but I suspect it is similar.  DNS11 is actively supported and has about 165 different items that can be blocked or disabled.  Under the "Advertising" category, there are 14 items that can be disabled.  Under "Apps", there are 32.  Under "Defender", 3.  Under "Privacy", 64 including the disabling of CoPilot, OneDrive, and Telemetry.  Under "Search", 5.  Under "Start", 5.  Under "Updates", 6.  Under "Edge", 34.

    __________

    BTW, for those who are interested, pCloud may be obtained either as a subscription or as a one-time purchase.  There is, I believe, a small free version, too.

    Instead of Artificial Intelligence, I prefer to continue to rely on Divine Intelligence instructing my Natural Dullness (Ps 32:8, John 16:13a)

  • John
    John Member Posts: 548 ✭✭

    As MS Copilot is coming, other sources raise safety concerns. One issue would be that there will be ongoing “screenshots” of your PC (which could facilitate hacking into your system by simply read passwords).

    What’s Logos’ take on this? 

    I quit the Microsoft upgrade wagon train when they first began sneaking telemetry into Windows 7. It has been entertaining to watch all the Windows updates as users react to each stupid move Microsoft has made since then.

    Not only have they ruined Windows, the business model switched from selling software to collecting and selling your data. It is obviously a profitable model for google. Microsoft began giving Windows away free. And now they are beginning to display advertising in the system itself.

    Anyone who believes Microsoft systems are secure  certainly has not been paying attention over the years.

    Apple is not perfect, but is the only real choice in the market now.

  • Fabian
    Fabian Member Posts: 1,009 ✭✭✭

    Is this similar to XP-Antispy I used 20 years ago?

    I do not know but I suspect it is similar.  DNS11 is actively supported and has about 165 different items that can be blocked or disabled.  Under the "Advertising" category, there are 14 items that can be disabled.  Under "Apps", there are 32.  Under "Defender", 3.  Under "Privacy", 64 including the disabling of CoPilot, OneDrive, and Telemetry.  Under "Search", 5.  Under "Start", 5.  Under "Updates", 6.  Under "Edge", 34.

    __________

    BTW, for those who are interested, pCloud may be obtained either as a subscription or as a one-time purchase.  There is, I believe, a small free version, too.

    Thanks. Also thanks for the tip.

    Χριστὸς ἐν ὑμῖν, ἡ ἐλπὶς τῆς δόξης· 

  • (‾◡◝)
    (‾◡◝) Member Posts: 924 ✭✭

    FWIW:  DNS11 just updated yesterday.  Note the description of the new version re: Windows Recall.

    Instead of Artificial Intelligence, I prefer to continue to rely on Divine Intelligence instructing my Natural Dullness (Ps 32:8, John 16:13a)

  • Zack
    Zack Member Posts: 23

    This seems like a great way for non-computer nerds to manage privacy easily. I mean I have some powershell scripts I wrote that do the same thing as this program... (I won't share them because it breaks a lot of windows features I don't use and requires reinstalling the OS to revert) 

    As far as I know CoPilot is only in "Feature preview" versions of windows 11, and much future computers, and they did choose to enable encryption after some backlash.

    I used to be a windows fanboy, but now.... I only use windows because software like Logos/CovenentEyes/etc.. isn't supported on Linux... Though I am working on a version CE for linux so I can dump windows. 

  • Manuel R.
    Manuel R. Member Posts: 339 ✭✭

    Ok, Manuel, you finance jock, you got me with your reference to "earnings call". I've read hundreds and hundreds of earnings call for investing and research purposes, and I never thought "earnings call" would ever be mentioned in Logos Forums. Another finance person in the Forum!

    [:D] oh I am more of an IT person than finance but I am interested in many things [:)]

    But it is great to see the wide range of knowledge and wealth of talent that is in the community of the body of Christ!

  • Bootjack
    Bootjack Member Posts: 734

    The risks go beyond passwords. This is an informative article from the Malwarebytes web site:

    Microsoft’s Recall feature has been criticized heavily by pretty much everyone since it was announced last month. Now, researchers have demonstrated the risks by creating a tool that can find, extract, and display everything Recall has stored on a device.

    For those unaware, Recall is a feature within what Microsoft is calling its “Copilot+ PCs,” a reference to the AI assistant and companion which the company released in late 2023.

    The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them, so it can answer important questions like “where did I see those expensive white sneakers?”

    However, the scariest part is that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers and that data may be in snapshots that are stored on your device.

    Many security professionals have pointed out that this kind of built-in spyware is a security risk. But Microsoft tried to reassure users, saying:

    “Recall data is only stored locally and not accessed by Microsoft or anyone who does not have device access.”

    The problem lies in that last part of the statement. Who has device access? Although Microsoft claimed that an attacker would need to gain physical access, unlock the device and sign in before they could access saved screenshots, it turns out that might not be true.

    As a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity researcher, has released a demo tool that is capable of automatically extracting and displaying everything Recall records on a laptop.

    For reasons any science fiction fan will understand, Hagenah has named that tool TotalRecall.  All the information that Recall saves into its main database on a Windows laptop can be “recalled.“

    As Hagenah points out:

    “The database is unencrypted. It’s all plain text.”

    TotalRecall can automatically find the Recall database on a person’s computer and make a copy of the file, for whatever date range you want. Pulling one day of screenshots from Recall, which stores its information in an SQLite database, took two seconds at most, according to Hagenah. Once TotalRecall has been deployed, it is possible to generate a summary about the data or search for specific terms in the database.

    Now imagine an info-stealer that incorporates the capabilities of TotalRecall. This is not a far-fetched scenario because many information stealers are modular. The operators can add or leave out certain modules based on the target and the information they are after. And reportedly, the number of devices infected with data stealing malware has seen a sevenfold increase since 2023.

    Another researcher, Kevin Beaumont, says he has built a website where a Recall database can be uploaded and instantly searched. He says he hasn’t released the site yet, to allow Microsoft time to potentially change the system.

    According to Beaumont:

    “InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade—now these can just be easily modified to support Recall.”

    It’s true that any information stealer will need administrator rights to access Recall data, but attacks that gain those right have been around for years, and most information stealer malware does this already.

    Hagenah also warned that in cases of employers with bring your own devices (BYOD) policies, there’s a risk of someone leaving with huge volumes of company data saved on their laptops.

    It is worrying that this type of tools is already available even before the official launch of Recall. The risk of identity theft only increases when we allow our machines to “capture” every move we make and everything we look at.

    Don, do you use a Mac? 

    MSI Katana GF76 Intel Core i7-12700H, RTX3060, 16GB RAM, 1TB SSD, Windows 11 Home

  • Don Awalt
    Don Awalt Member Posts: 3,521 ✭✭✭