• rmrf@lemmy.ml · 9 upvotes · 23 hours ago

    This is why gamers should reject kernel anti-cheats. A single dev at a single company that requires one could read them as easily as any other file. I’m not exaggerating, unless I’m misinformed.

  • JackbyDev@programming.dev · 22 upvotes · 1 day ago

    This is sort of like saying “I leave my valuables in plain sight by my door because it has a lock on it and door locks are trustworthy.” I’m not super into cyber security and stuff, but it seems like one of the most common problems is programs managing to get access to memory they shouldn’t have access to. It seems to happen all the time! Just like many locks for your door are trash.

    • quack@lemmy.zip · 5 upvotes · 24 hours ago

      Defense in depth is a concept they teach you in cybersecurity 101. But that’s expensive and time consuming, so you end up with shit like this.

    • partofthevoice@lemmy.zip · 2 upvotes · 1 day ago

      It’s ridiculous. It presupposes that cybersecurity doesn’t value or employ defense in depth. Completely untrue.

      Look at the attack vector researchers were trying to solve when they created OAuth2.0 w/ PKCE.

    • jama211@lemmy.world · 3 upvotes, 1 downvote · 1 day ago

      And yet you and most people use a door with a lock instead of something more secure because… in general they do work well for the purpose they’re trying to serve. Most criminals aren’t master criminals, and master criminals aren’t coming after your house.

      • JackbyDev@programming.dev · 4 upvotes · edited · 1 day ago

        Don’t overthink the metaphor. These things are fragile and fall apart. The “door with a lock” is the “guarantee” (wink wink) that the operating system won’t let programs see memory they shouldn’t be allowed to. Putting your valuables in a safe instead of leaving them sitting on the floor would be encrypting the passwords in memory, in the metaphor.

        Also, cyber security and physical security are very different. With cyber security you need to understand that there are orders of magnitude more people looking for simple problems. Like a criminal checking every door in the world automatically, just looking for ones that are unlocked. Someone not being a “target for master criminals” isn’t really applicable for this. Besides, that’s a critique of what level of security an individual should have, but pointing out the flaw in Edge is a critique of something that claims to be secure that isn’t.

      • mirshafie@europe.pub · 2 upvotes · 1 day ago

        I extracted IE6 passwords from hundreds of people when I was 13, for fun. If passwords are now being stored plaintext again, they are going to leak. Some of the people who steal those passwords won’t be doing it just for fun.

        • jama211@lemmy.world · 1 upvote, 2 downvotes · 23 hours ago

          To be honest, passwords on their own are on their way out as a form of security entirely for this reason - they’re inherently weak no matter how they’re stored, as they’re a single point of failure. We’re even moving on from 2-factor to passkeys.

  • pwxd@lemmy.zip · 18 upvotes · 1 day ago

    “Yeah totally secure! Just trust me!..” basically

    This LITERALLY isn’t secure; they should at least make it encrypted. This is just the same as using your notes app as a password manager! But it’s Microsoft, and they’re willingly giving your BitLocker encryption key to the FBI for your drives. So I’m not surprised…

    • Rooster326@programming.dev · 7 upvotes · 1 day ago

      I feel it may be worse than using your notes app.

      A malicious attack doesn’t know which notes app, nor the filename.

      This has every browser opening the exact same passwords.txt in root.

    • teyrnon@sh.itjust.works · 5 upvotes · 1 day ago

      Edge is on my computer, and I can’t delete it, at least not with my limited IT experience. It’s buried deep in the operating system, and it opens up seemingly randomly. I use Firefox.

      Looking online about getting rid of it, others described it as cancer.

        • teyrnon@sh.itjust.works · 2 upvotes · 22 hours ago

          I’m afraid, as I am on my backup computer, and I worry that if I try to change over I will not do it correctly, as has been the case every single time I’ve tried to download a program to accept zip files or torrents. I don’t know what my deal is.

          I really do want to switch over; I am working on fixing my better computer. More than anything I want a GrapheneOS phone.

          • jaykrown@lemmy.world · 4 upvotes · 22 hours ago

            Good that you want to switch; take your time, don’t be afraid. There are many resources online for how to switch without accidentally deleting or losing access to things. I have been using Linux Mint for over a year now, switching from Windows 10, and I haven’t run into any limitations or issues. It’s been a great learning experience and has overall led to me being more technologically savvy. If you have any questions there are many places to discuss, feel free to ask.

      • mirshafie@europe.pub · 4 upvotes · 1 day ago

        Not sure how it works in Win11 but historically it has not been possible to remove Internet Explorer or Edge from Windows.

        • teyrnon@sh.itjust.works · 2 upvotes · 22 hours ago

          That is an anti-competitive practice and illegal, in truth. Against the laws of the United States, the ones that aren’t enforced anymore.

        • teyrnon@sh.itjust.works · 1 upvote · 22 hours ago

          I have refused the upgrade and I’m still on Windows 10, which also sucks, by the way. The old 2013-ish operating system, I think Windows 7, had a task manager that could actually help manage your computer even if you don’t know everything about a computer.

          And so much more, everything is going to shit especially in electronics. We seriously need just a complete set of Open Source or otherwise trustworthy alternatives.

          Or a way to wipe the programming off of products we buy and install our own programming, but they would make that illegal if that caught on.

          • mirshafie@europe.pub · 2 upvotes · 22 hours ago

            Agreed.

            I assume you have some good reason for running Win10 on your PC but just in case you do need to hear it, you can try Linux live from a USB drive and see if it works for you.

  • boogiebored@lemmy.world · 6 upvotes · 1 day ago

    phew it’s an expected feature, thank goodness!!!

    if they patch this, they should be dragged through the town square after that comment

    • Random Dent@lemmy.ml · 2 upvotes · 23 hours ago

      It’s an expected feature for me too, in that I expect Microsoft to be fucking useless at everything lol

      • rbos@lemmy.ca · 3 upvotes · 1 day ago

        That is infuriating. Leaving those keys available to the user means that worms can later use you to compromise additional machines. It turns a local problem into a much bigger one. There’s a recursive script out there that automatically scans your ssh files and attempts to access all hosts in your history…name escapes me at the moment.

  • Passerby6497@lemmy.world · 6 upvotes · 2 days ago

    Safety and security are foundational to Microsoft Edge. Access to browser data as described in the reported scenario would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats.

    “We value user safety and usability, but if you’re already compromised you can go fuck yourself”

    • ragas@lemmy.ml · 0 upvotes, 3 downvotes · 2 days ago

      No, if you are already compromised there is just no way anyone can help you anymore besides wiping your whole system.

      • Passerby6497@lemmy.world · 6 upvotes · edited · 2 days ago

        True, but there’s a big fucking difference between handing over the keys without being asked, and doing basic fucking due diligence and not loading all your passwords in plain text into memory by default.

        (@iglou@programming.dev) I can’t defend MicroSlop because that mentality is pants on head stupid and is directly in opposition to any statement that they care about security. Because, again, they made their browser behave this way for no real reason besides blowing smoke up our ass. Chromium handles passwords properly; MicroSlop chose to do it insecurely and is hiding behind the dumbest defense. Because their OS has more holes than Swiss cheese and they refuse to plug a basic security hole that they put there intentionally.

        • iglou@programming.dev · 1 upvote · 2 days ago

          Chrome’s handling is barely more secure. A compromised device will have a much easier time reading Chrome’s encrypted store than scanning your RAM to find passwords.

          Remember that if you don’t need to input a password to open the store, then anything with access to your device can also read it.

          Whether it’s encrypted in your RAM or not barely makes any difference in how difficult the task is.

          The only solution is: Browsers should require a password. Or even better: Use a dedicated, properly secured password manager.
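The store model that iglou and JackbyDev argue for above (entries kept encrypted in memory, and a master password needed to unlock any one of them), as an added Python illustration that is not Edge’s, Chromium’s or any commenter’s code; the site names, passwords and the HMAC-in-counter-mode cipher (a stdlib-only stand-in for AES-GCM from a vetted library) are constructed for the demo.

```python
import hashlib
import hmac
import os

def _derive_keys(master_password: str, salt: bytes):
    # scrypt makes guessing a captured store expensive; parameters are a demo choice.
    k = hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as the PRF: a stdlib-only stand-in for AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

class LockedPasswordStore:
    """Entries stay encrypted in memory; the master password unlocks one lookup at a time."""

    def __init__(self) -> None:
        self._salt = os.urandom(16)
        self._entries = {}  # site -> (nonce, ciphertext, tag); never holds plaintext

    def put(self, site: str, password: str, master_password: str) -> None:
        enc_key, mac_key = _derive_keys(master_password, self._salt)
        nonce, pt = os.urandom(16), password.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
        tag = hmac.new(mac_key, site.encode() + nonce + ct, hashlib.sha256).digest()
        self._entries[site] = (nonce, ct, tag)  # derived keys are dropped on return

    def get(self, site: str, master_password: str) -> str:
        enc_key, mac_key = _derive_keys(master_password, self._salt)
        nonce, ct, tag = self._entries[site]
        expected = hmac.new(mac_key, site.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # wrong master password or tampering
            raise ValueError("master password rejected")
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

    def memory_image(self) -> bytes:
        # Everything the store keeps resident, i.e. what a process-memory scan would find.
        return self._salt + b"".join(n + c + t for n, c, t in self._entries.values())

def plaintext_resident(site: str, password: str, master_password: str) -> bool:
    # Constructed check: does the saved password appear anywhere in the store's memory?
    store = LockedPasswordStore()
    store.put(site, password, master_password)
    return password.encode() in store.memory_image()
```

The contrast with the plaintext-in-memory behaviour discussed in the thread is that a scan of this store’s resident bytes finds only salt, nonces, ciphertext and tags, and a lookup without the master password fails the tag check.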

          • Passerby6497@lemmy.world · 1 upvote · 2 days ago

            Chrome’s handling is barely more secure. A compromised device will have a much easier time reading Chrome’s encrypted store than scanning your RAM to find passwords.

            Regardless, they’re still loading them into memory in plain text, and knowing this exists is going to be an easier task to grab than dealing with the encrypted store Chromium uses. At least Chromium uses the built-in credential API to try to protect the secrets; the fact Edge doesn’t is an egregious security hole.

            I don’t disagree that users need to have to enter a password to view their stored passwords, but you’re hand-waving a massive and intentional decrease in security on Edge’s part. No matter how easy it is to get out of another browser, this is a violation of basic secure development practices. Security is only as strong as the weakest link, and Edge is determined to not even close one of the easiest links in the chain.

      • iglou@programming.dev · 1 upvote · 2 days ago

        Yeah, I can’t believe I’m defending Microsoft but that’s probably what they meant. No browser password saving feature is safe if your device is compromised.

        Use a proper encrypted password manager

  • uenticx@lemmy.world · 3 upvotes · 2 days ago

    M365 chat also fetches a copy of whatever secured file links you send to each other. Goes without saying, but never use Microsoft products if you value security.

    • FosterMolasses@leminal.space · 1 upvote · 2 days ago

      Lucky. I have surprise fatigue lol

      I just can’t be indifferent to reading news like “US To Start Firing Unspayed and Neutered Dogs Into The Ocean From Florida Coast”