Slashdot Mirror


Researchers Bypassed Windows Password Locks With Cortana Voice Commands (vice.com)

Two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Cortana, the multi-language, voice-commanded virtual assistant that comes embedded in Windows 10 desktop and mobile operating systems. From a report: Tal Be'ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https -- that is, a web address that does not encrypt traffic between a user's machine and the website. The attacker's malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.

90 comments

  1. Physical access by Gavagai80 · · Score: 4, Informative

    Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.

    --
    This space intentionally left blank

    1. Re:Physical access by Anonymous Coward · · Score: 2, Funny

      The manufacturers have already done that!

    2. Re:Physical access by Anonymous Coward · · Score: 0

      Good luck doing that on a Surface Book. Much faster, easier and less invasive (more discreet) to plug in a USB drive and issue verbal commands.

    3. Re:Physical access by Anonymous Coward · · Score: 1

      Hey, let's see you put whatever devices you want inside a machine with BitLocker enabled! Oh wait, that's right, it will lock itself down and say the hardware changed. On the other hand, this exploit of Cortana will allow you to bypass BitLocker and defeat the security....

    4. Re:Physical access by Anonymous Coward · · Score: 0

      Cute, but attacking the hardware directly requires a significant amount of time and suspicious activity.
      Simply plugging a tiny USB wifi adapter into a usb port and issuing a few voice commands can be accomplished very quickly and would leave no obvious signs of attack once done. Your machine could be compromised while you go to pick up something off the printer or stick your lunch in the refrigerator.

    5. Re:Physical access by Anonymous Coward · · Score: 0

      If a determined attacker has physical access to your machine you've lost via any number of methods.

      yeah so go get a job at the local gas station where you have unlimited physical access to the ATM, and take all the money!

      so maybe your argument is not so good after all?

    6. Re:Physical access by Anonymous Coward · · Score: 1

      Why does a machine that is "in sleep and locked" open a browser following user input? This means it's not so locked. And the user session is still running, so that may be a more interesting target than an encrypted, turned-off PC.

    7. Re: Physical access by Monster_user · · Score: 1

      This does not require physical access. A device can be reasonably secured from tampering, but still be accessible by various interfaces. Physical access is typically available when one has access to the microphone, but physical access isn't required in all possible scenarios.

    8. Re:Physical access by sgrover · · Score: 1

      we will wait while you think this one through....

    9. Re: Physical access by Anonymous Coward · · Score: 0

      This does not require physical access.

      Did you read the summary? You need to plug in a malicious USB network adapter. Kind of hard to do without physical access...

    10. Re:Physical access by Ragnarok89 · · Score: 1

      If you can plug in a USB key, there's a much easier way to access the PC. Just install Kon-boot on the USB drive first, plug it in, and boot the PC. You're in. This works on Workgroup and Domain PCs, Servers, etc. Not sure what username to use? Try administrator...

      As for the subject of the original article: way to go MS... EPIC fail. Can't say I'm surprised though.

    11. Re:Physical access by Anonymous Coward · · Score: 0

      The hardware check for Bitlocker is fairly forgiving. Simply adding a device usually does not trigger it.

      That said, an attacker has no way of knowing how much has changed since the initial TPM configuration... so good luck.

    12. Re:Physical access by OrangeTide · · Score: 1

      swap their Surface Book with an identical looking one that you have modified. They might be surprised the next time they turn it on that they have to log in again to sync their cloud data, but this is the perfect time to hijack their passwords and accounts.

      --
      “Common sense is not so common.” — Voltaire

    13. Re:Physical access by zlives · · Score: 1

      o man, this one never fails. works on iphones too

    14. Re:Physical access by thegarbz · · Score: 1

      unscrew the laptop and put whatever devices you want inside

      What's a screw? Mine is held together by glue and I couldn't get in myself even if I wanted to.

    15. Re:Physical access by Khyber · · Score: 1

      Heat guns work on pretty much every adhesive, including solder.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

    16. Re:Physical access by WaffleMonster · · Score: 1

      Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.

      Physical access is irrelevant in this case. From TFA:

      "allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https -- that is, a web address that does not encrypt traffic between a user's machine and the website."

      In other words it is not necessary to install a BIW device. Any bad actor could intercept traffic at any point along the path or one could operate their own malicious site with the same effect pulling off the same stunt without ever touching the system in question.

    17. Re:Physical access by edtice1559 · · Score: 1

      That won't let you access any of the data, at least not if BitLocker is on. If you modify the hardware configuration, the TPM won't produce the BitLocker key and the machine won't boot. It's just generic hardware at that point.

    18. Re:Physical access by Anonymous Coward · · Score: 0

      The issue here is it's just locked, not off, no booting required and the usb adapter is removed after the malware has been installed, so the next boot won't generate a flag either.

    19. Re:Physical access by Anonymous Coward · · Score: 0

      No need. The USB insert is enough to pwn the box. This is just theatre.

    20. Re:Physical access by Anonymous Coward · · Score: 0

      Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.

      Exactly. Anything that requires physical access is NOT a security vulnerability. If someone has physical access to a device then you are already pwned right from the start.

    21. Re: Physical access by Anonymous Coward · · Score: 0

      This does not require physical access.

      Did you read the summary? You need to plug in a malicious USB network adapter. Kind of hard to do without physical access...

      Dumbass security flaw report #239742365

      If someone has physical access to my computer they can do stuff to it.
      Please fix.
      kthxbye.

    22. Re: Physical access by c6gunner · · Score: 1

      If you can plug in a USB key, there's a much easier way to access the PC. Just install Kon-boot on the USB drive first, plug it in, and boot the PC.

      Doesn't work if the device is encrypted. Doesn't work if BIOS doesn't allow booting from USB. Probably won't work on most modern devices which have secure boot enabled by default.

      (Don't quote me on the last one)

    23. Re:Physical access by Calydor · · Score: 1

      This one has the advantage of not requiring a reboot, which means you can plug the USB in, do the voice commands, remove the USB, and the owner that returns from the bathroom a moment later will be none the wiser - the screen comes back up right on the Facebook post they were reading before.

      --
      -=This sig has nothing to do with my comment. Move along now=-

    24. Re: Physical access by c6gunner · · Score: 1

      Heat guns work on pretty much every adhesive, including solder.

      The good news is, I got the cover off. The bad news is, there's a bunch of little chippy things rattling around.

    25. Re:Physical access by Anonymous Coward · · Score: 0

      If the machine is powered off and you have modern full disk encryption, you're probably fine. Hopefully you have good user keys protecting the disk key.

    26. Re:Physical access by thegarbz · · Score: 1

      Heat guns work on pretty much every adhesive, including solder.

      I take it you haven't looked at the iFixit scores for some tablets. In many cases it's pretty much impossible to get into some devices without destroying the screen in the process.

    27. Re:Physical access by Anonymous Coward · · Score: 0

      What's a screw? Mine is held together by glue and I couldn't get in myself even if I wanted to.

      Why did you buy a machine like that? Not a machine for nerds . . .

    28. Re:Physical access by Khyber · · Score: 1

      Half the time they aren't even using the proper equipment, (get a real spudger, guys) so I don't bother with their reviews.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

    29. Re: Physical access by Anonymous Coward · · Score: 0

      If you can plug in a USB key, there's a much easier way to access the PC. Just install Kon-boot on the USB drive first, plug it in, and boot the PC.

      Doesn't work if the device is encrypted. Doesn't work if BIOS doesn't allow booting from USB. Probably won't work on most modern devices which have secure boot enabled by default.

      (Don't quote me on the last one)

      Good, since you are pretty much incorrect. Secure boot just requires a secure-boot-enabled boot device and OS, like Windows PE or a number of Linux distros, for example.

    30. Re: Physical access by Anonymous Coward · · Score: 0

      And you don't think anyone will be a bit suspicious their pc has rebooted while they were going to the toilet for fucks sake? How is that just as good?

    31. Re: Physical access by Anonymous Coward · · Score: 0

      I read that windows 10 reboots all the time without warning, so there shouldn't be any suspicion.

    32. Re:Physical access by Anonymous Coward · · Score: 0

      As far as I know, BitLocker doesn't protect against USB devices in the OS on an unlocked drive.

      BitLocker is a nice step in a bigger security puzzle, but if you think it's the end-all solution you are fooling yourself.

      ORWL is a device that comes close to physically secured, as long as you keep the key fob with you when leaving the computer.

    33. Re: Physical access by kwbauer · · Score: 1

      Monster_user can Harry Potter the USB NA into the port. No physical contact necessary. That is why he is a monster!

    34. Re: Physical access by c6gunner · · Score: 1

      Good, since you are pretty much incorrect. Secure boot just requires a secure-boot-enabled boot device and OS, like Windows PE or a number of Linux distros, for example.

      Yeah, I tried that. Couldn't get the Linux iso to boot until I finally went into the windows settings and told it to allow it. And yes, the iso was secure boot enabled.

      But I definitely don't have a comprehensive understanding of how secure boot is supposed to work, which is why I added that disclaimer.

    35. Re:Physical access by thegarbz · · Score: 1

      Half the time they aren't even using the proper equipment, (get a real spudger, guys) so I don't bother with their reviews.

      Yeah indeed, let's complain that the people who open devices for a living don't have the right equipment and then draw parallels to some field-based quick espionage.

    36. Re:Physical access by Anonymous Coward · · Score: 0

      Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.

      Pardon - I disagree here. Give me your work address and some time. I will find a way inside your building, find out where you sit, and using this method can infiltrate your machine while you are out at lunch.

      Granted this scenario has several objections of "this can't happen at my workplace for XYZ reasons". Fine. The point is this method requires a minimal amount of time to infect a computer without being completely obvious about it. If you try to unscrew a docked laptop, you are going to make some noise and be obvious about it; somebody will walk by said cubicle and say something. Plugging in a USB device is much more discreet / easy enough to execute corporate espionage at various companies.

      P.S. Executive "locked" offices that never undock their computers - excellent targets.

    37. Re: Physical access by Anonymous Coward · · Score: 0

      What if the admin (or perhaps OEM) sets up a custom key and self-sign images? Then revoke the vanilla Microsoft key used by Windows and linux distros.

    38. Re:Physical access by Khyber · · Score: 2

      "Yeah indeed, let's complain about the people who open devices for a living"

      No, they make videos for a living. I open devices for a living, far more than they have ever done. Hundreds of thousands in repair depots around the country.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

    39. Re:Physical access by Anonymous Coward · · Score: 0

      You could probably do the same thing by spoofing a wifi access point (and accepting any password).

    40. Re: Physical access by Monster_user · · Score: 2

      The USB was not required. It was merely a VERY effective means of exploiting this weakness.

      The USB allowed a direct Man in the Middle attack, which is why it doesn't work for HTTPS sites. A highly coordinated effort does not require physical access to the machine itself, on a weak link in key infrastructure and audible proximity to the device in question.

      The USB adapter serves the same purpose as a poisoned DNS cache or routing table.

      The USB device did not install software, Cortana did, as she was instructed to do so.

    41. Re: Physical access by Monster_user · · Score: 1

      Further down it was proposed that an infected computer in an office could similarly infect neighboring computers via voice commands. Infect one machine through a locked door, and get the entire office infected overnight.

      "So this attack is not only limited to the physical access scenario but also can be used by attackers to expand their access and jump from one computer to another"

    42. Re:Physical access by bill_mcgonigle · · Score: 1

      (get a real spudger, guys)

      But from where?

      https://www.ifixit.com/Search?...

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  2. Nope by h8sg8s · · Score: 2

    Just another reason to not use Cortana or any of the other voice-activated appliances from Amazon, Apple, Google, etc.

    --
    Organization? You must be joking..

    1. Re:Nope by Sperbels · · Score: 1

      Logic failure. It is a reason not to use Cortana. It's not a reason to not use Amazon, Apple, or Google.

    2. Re:Nope by Cinnamon+Beige · · Score: 1

      Just another reason to not use Cortana or any of the other voice-activated appliances from Amazon, Apple, Google, etc.

      Or have it not respond to vocal commands without a password, preferably one locked to a voice print and not just specific words, when locked down. However, given that I doubt anybody making these products will institute such a basic level of security until it's established that they cannot shift responsibility for security to a user when they either did not have the ability to secure it available, or what ought to be a basic security option only offered via a series of hidden super-sekret commands with few people even aware that they exist, no less how to access them.

    3. Re:Nope by zlives · · Score: 1

      limiting exposure is never a logic fail. what are the chances that the other software vendors don't have a zero day exploit on code written by monkeys.
      you have to do a cost analysis.

    4. Re:Nope by Anonymous Coward · · Score: 0

      It exposes a class of attacks which should give any sensible person pause as to the level of power and integrations these devices might have in your own tech ecosystem.

    5. Re:Nope by magarity · · Score: 1

      Logic failure. It is a reason not to use Cortana. It's not a reason to not use Amazon, Apple, or Google.

      How do you know it isn't via Siri that the security firms get into Apple devices?

    6. Re: Nope by Anonymous Coward · · Score: 0

      The same applies to web browsers last decade

      Maybe the trick is to make them better, instead of killing the idea completely.

  3. History repeats by lucasnate1 · · Score: 4, Interesting

    In the past, you could hack into old windows machines by pressing F1 at password prompt. If the help file was missing, it would ask you to browse and find it, which would allow you to right click on executables and run them. Nice to see that some things never change.

    1. Re:History repeats by Anonymous Coward · · Score: 0

      You could also plug in a USB storage device with autorun.bat on the root directory and it will run those commands automatically.

    2. Re:History repeats by Anonymous Coward · · Score: 0

      If the computer has an external drive of any sort (floppy, zip, cd, etc), you can pop in a disk with linux on it, reboot, and get access to everything on the hard drive.

    3. Re:History repeats by Anonymous Coward · · Score: 0

      That hasn't been true for almost a decade

    4. Re:History repeats by WallyL · · Score: 1

      I used the old method of swapping in command.exe as sethc.exe from some bootable medium, and then booting back to windows. Ta-da! Ownage of the administrator account.

    5. Re:History repeats by thegarbz · · Score: 4, Interesting

      You didn't even need a missing help file. If you could open the help bubble you could right click and click print. Then from the print dialogue you could open a proper windows help screen. From there if you opened the index search and opened a different help topic you'd get a full windows help screen with menubar. Then just click file, open, navigate to the windows folder, right click on explorer.exe and run it.

    6. Re:History repeats by Anonymous Coward · · Score: 0

      That hasn't been true for almost a decade

      /. never forgets.

  4. Easily fixed by Anonymous Coward · · Score: 2, Informative

    It is a relatively simple matter to configure Cortana to ignore commands when the voiceprint of the issuer is not the owner of a machine account. Simply enabling this option would prevent this type of attack.

    1. Re:Easily fixed by ausekilis · · Score: 1

      You're putting a lot of trust in Grandma and Grandpa knowing how to dig into Cortana's config and enable it.

      Not everyone has a family member that can/will help protect them from themselves.

    2. Re:Easily fixed by Anonymous Coward · · Score: 0

      And you're assuming hackers/criminals would want to break into Grandma and Grandpa's house to obtain physical access to their computer in order to pull this off. That's about as likely as G&G turning off Cortana on their own.

    3. Re:Easily fixed by sgrover · · Score: 1

      An OS security hole is an OS security hole - regardless whose computer it is on. If it is on Grandma's computer, then it is on Bob's Small Business computers, or Jane's government computer. Situations always come up where the best effort by skilled techs are rendered meaningless and only the core OS protections are left. If your core OS defaults to an unsafe setup, then that is a problem. I think Listening while in sleep mode is unsafe at anytime. Now, if an attacker has physical access to your device in the first place, then you have a different problem that needs to be solved. Probably first.

    4. Re:Easily fixed by Anonymous Coward · · Score: 0

      It is a relatively simple matter to configure Cortana to ignore commands when the voiceprint of the issuer is not the owner of a machine account. Simply enabling this option would prevent this type of attack.

      But what if you're being hacked by a Terminator?

    5. Re: Easily fixed by Monster_user · · Score: 1

      It is also worth noting, this does not require physical access, merely physical proximity.

    6. Re: Easily fixed by Anonymous Coward · · Score: 0

      The exploit involves routing traffic through a USB network adapter, so physical access is required.

      Cortana cannot run anything on the system.

    7. Re:Easily fixed by Anonymous Coward · · Score: 0

      Easily fixed but also easy to bypass. Someone's voice is not the hardest thing to reproduce.

    8. Re:Easily fixed by kwbauer · · Score: 1

      But saying that Bob or Jane cannot be expected to have more knowledge than Grandma and Grandpa is a departure from the path.

      "Hey, this is fixable by doing X"

      "Retired old farts can never be taught to do X"

      "What do retired old farts have that somebody would physically break into their house to mess with their computer"

      "What about government employees with Top Secret clearance?"

      Okay, I give up. sgrover is correct. As long as we hand out Top Secret clearances to people as unreliable as Hillary Clinton, we can never be secure.

    9. Re: Easily fixed by Monster_user · · Score: 1

      No. It involves intercepting unencrypted traffic over the network. The USB NIC is only a foolproof option to guarantee that the traffic is intercepted.

  5. big whoop by Anonymous Coward · · Score: 0

    It's likely game over anyway if someone has physical access to your device.

  6. Physical access by chaotixx · · Score: 4, Informative

    If a determined attacker has physical access to your machine you've lost via any number of methods.

  7. WTF? by Anonymous Coward · · Score: 0

    When the machine is locked and sleeping, it is always listening?

    What possibly could go wrong?

    If a machine is in sleep mode and locked, there should be no "listening"; this is more spying crap that the NSA can turn on.

    Nice, captcha "record"

  8. Marketing over security by swb · · Score: 4, Insightful

    Wow, what a fail by Microsoft. It should be beyond obvious to anyone with a pulse that not providing a way to completely disable Cortana opens computers up to an entire Pandora's box of security vulnerabilities.

    It's totally obvious Microsoft is just jamming this down everyone's throat, especially business users, because they know they can get big (and mostly bullshit) "adoption" numbers and operational data for Cortana.

    Of course the larger problem is nobody wants Microsoft's bullshit attempts to re-invent themselves as Google, Amazon/Alexa or Apple/Siri. So they will cram it down everyone's throats and get some minor level of usage just because it's there even though it aggravates most everyone else.

    1. Re:Marketing over security by Anonymous Coward · · Score: 0

      you're assuming that always-listen on is not by design. It is. They do want to hear everything. just like amazon and google.

  9. Windows Update? by Anonymous Coward · · Score: 0

    where malware downloads to the machine

    I think they mean windows update.

  10. Just disable it by ourlovecanlastforeve · · Score: 1

    Since the last big Windows update Cortana was coming up every time I touched the touchpad, so I just removed Cortana entirely with a Powershell script I found on the Internet.

    1. Re:Just disable it by Anonymous Coward · · Score: 0

      so I just removed Cortana entirely with a Powershell script I found on the Internet.

      Trusting a random script found on the internet doesn't seem like the most sound response to being concerned about the potential vulnerability. Sadly, it's probably more trustworthy than what Microsoft forces on your^Wtheir^W Windows 10 computers every month.

    2. Re:Just disable it by Anonymous Coward · · Score: 0

      Since the last big Windows update Cortana was coming up every time I touched the touchpad, so I just removed Cortana entirely with a Powershell script I found on the Internet.

      Talk about using a sledgehammer instead of a screwdriver lol. There's an option in touch pad settings that you can change, by default 3 finger tap opens cortana.. you can change it to be a middle mouse button click or a few other things including disable.
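    A supported alternative to the "random script from the Internet" approach in this thread, and the configuration change comment 4 ("Easily fixed") alludes to, is the Group Policy pair under Windows Components > Search (Search.admx): "Allow Cortana above lock screen" stops Cortana listening while the machine is locked, and "Allow Cortana" turns it off entirely. The audit/remediation script below is an added example written for this page, not code from the article or any commenter; it reads and writes the registry values those two policies map to, and assumes a Pro/Enterprise edition that honours machine policy.

```powershell
# Added example (not from the article or any commenter): audit and, if wanted,
# enforce the Windows Search policies that keep Cortana from acting on voice
# commands on the lock screen (AllowCortanaAboveLock = 0) or disable Cortana
# altogether (AllowCortana = 0). Reading works as a standard user; writing
# needs an elevated prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

function Get-CortanaLockScreenPolicy {
    # A $null value means "Not configured", which Windows treats the same as
    # allowed: the default that the Slashdot story is about.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllowCortanaAboveLock = $props.AllowCortanaAboveLock
        AllowCortana          = $props.AllowCortana
        # Cortana can still respond on the lock screen only if it is neither
        # disabled outright nor blocked above the lock screen.
        ListensWhenLocked     = ($props.AllowCortana -ne 0) -and
                                ($props.AllowCortanaAboveLock -ne 0)
    }
}

function Set-CortanaLockScreenPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also set AllowCortana = 0, i.e. disable Cortana completely rather
        # than only on the lock screen.
        [switch]$DisableCompletely
    )

    if (-not (Test-Path $PolicyKey)) {
        # The "Windows Search" policy key does not exist until a policy is set.
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set AllowCortanaAboveLock = 0')) {
        New-ItemProperty -Path $PolicyKey -Name AllowCortanaAboveLock `
            -Value 0 -PropertyType DWord -Force | Out-Null
    }

    if ($DisableCompletely -and
        $PSCmdlet.ShouldProcess($PolicyKey, 'Set AllowCortana = 0')) {
        New-ItemProperty -Path $PolicyKey -Name AllowCortana `
            -Value 0 -PropertyType DWord -Force | Out-Null
    }

    # Return the resulting state so the change can be verified in one step.
    Get-CortanaLockScreenPolicy
}

# Audit first; preview the registry writes with -WhatIf before committing.
Get-CortanaLockScreenPolicy
# Set-CortanaLockScreenPolicy -WhatIf
# Set-CortanaLockScreenPolicy -DisableCompletely
```

    Policy values written this way are picked up on the next policy refresh or sign-in; in a domain the same two settings are better delivered through a GPO so a local edit cannot silently undo them.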

  11. hardware limitations by Gilgaron · · Score: 1

    Do these voice assistants respond to any sound frequencies the microphone can pick up? You might be able to pull this off with something people can't hear well, too, if you can trick the algorithm into matching your out of human hearing band to speech.

    1. Re:hardware limitations by SandorZoo · · Score: 1

      They can do, yes. The article links to a piece about a so-called dolphin attack, that gets voice assistants to respond to ultrasonic signals.

    2. Re:hardware limitations by Anonymous Coward · · Score: 0

      It would be easier to hold a very small, quiet speaker right over/against the microphone. Like when you're using a phone and people in the room can't hear the remote half of the conversation.

  12. What does the network adapter have to do with it? by Anonymous Coward · · Score: 2, Interesting

    I don't get it. The attack as described involves plugging in a compromised network adapter so that you can tell Cortana to go to an insecure website, and instead direct the machine to a different site that serves malware. Why not skip the network adapter, and just tell Cortana to go straight to a malware site instead?

  13. In a related tactic ... by CaptainDork · · Score: 1

    ... hackers do a home invasion and make the user type in stuff.

    --
    It little behooves the best of us to comment on the rest of us.

  14. I thought that Cortana was useless by OneHundredAndTen · · Score: 1

    However, this seems to prove that it is worse than useless.

  15. Re:Nope, Not enough by BoRegardless · · Score: 1

    If you have proprietary or sensitive info, it ought to be only on a non-connected PC/Mac, whatever.

    There are too many bugs in Windows. I don't care what promises Microsoft and Satya have to say.

  16. Checklist by thegreatbob · · Score: 1

    No Cortana? Check. We're good.

    --
    There is no XUL, only WebExtensions...

  17. Re:What does the network adapter have to do with i by scdeimos · · Score: 1

    I also don't get it: at what point does Windows decide a newly plugged-in USB network adapter should get all traffic routed to it instead of the existing cable/Wi-Fi connection?

    If the weakness is Cortana always listening and able to be directed to a non-SSL web site why not attack the Wi-Fi access point or the modem/router?

  18. Re:What does the network adapter have to do with i by scdeimos · · Score: 1

    I also don't get it: at what point does Windows decide a newly plugged-in USB network adapter should get all traffic routed to it instead of the existing cable/Wi-Fi connection?

    Because this is /. and I didn't read TFA, here's the answer to my own question:

    "One of the things we saw was that even when a machine is locked, you can choose the network to which that machine is attached," he notes.

    That's just fucking stupid.

  19. Novel Idea by DarthVain · · Score: 1

    or perhaps best suited for a movie...

    but I somehow would like to see someone remotely hack an Alexa to utter voice commands to Cortana, to bypass Windows security and gain access to "sensitive files"...

    Who knows maybe they will get into an argument, or have built in hard-coding to give each other the silent treatment.

    As far as the movie option, it'll probably never happen as the producers would probably get sued into oblivion by the tag team of Amazon and Microsoft...

    1. Re:Novel Idea by kwbauer · · Score: 1

      Nah, the script will have Cortexa talking to Alana. No trademarks infringed.

  20. that lockscreen tho by bobmajdakjr · · Score: 1

    it does bother me though that the shutdown and network select is on the lock screen and works without any verification. has since forever.

  21. insecure by design levels up by epine · · Score: 1

    People used to say "a woman's work is never done". At least this story conveys a hint of gender parity.