darkoshi: (Default)
On both my work and personal laptops (Windows 10 and 11), I have noticed that the file context menu in Windows Explorer now includes an "Ask Copilot" option.

I have privacy and security concerns about that. If I accidentally select this option, will the file or its contents potentially be uploaded to the web somewhere? Will Microsoft use the contents of the file for other purposes? I didn't find clear answers on that. If I wanted Copilot to analyze a file, I would prefer to select the file thru other means. I don't need extra items in my context menu; mine is already lengthy due to other custom entries (which I actually use on a frequent basis) that I've added to it. So I will edit my registry to remove the entry from the menu.

Windows 11: Microsoft is adding Ask Copilot to right-click menu, how to remove it

Windows 11’s Copilot in Context Menus: Benefits, Concerns, and How to Remove It
darkoshi: (Default)
ChatGPT achieves the pinnacle of human intelligence, laziness, and developers are baffled (2023/12/12)

This AI can pick up passwords from the sound of your keystrokes (2023/12/10)
This is something I've been slightly concerned about for some time already. From that article, it doesn't sound very advanced yet - the AI needs to be trained on each specific keyboard's sounds first. But I am sure they will get better at it over time, so as not to need that initial training in the future. And I bet some government security agencies have more advanced versions like that already.

Utah Supreme Court says suspects can refuse to hand over phone passwords to the police. Other state Supreme Courts disagree and the case would wind up before the US Supreme Court (2023/12/16)
The state Supreme Court also noted that the case raises important questions about how the Fifth Amendment extends to law enforcement efforts to unlock smartphones. The justices noted, as an example, law enforcement obtaining an order to compel a suspect to provide an unlocked device, thus circumventing the necessity of having them disclose the password.

With the Valdez case, the police asked him to verbally provide his password and did not get an order to compel him to unlock the device. ...
darkoshi: (Default)
A few days ago I got a Facebook notification email that so-and-so "confirmed your Facebook friend request", where so-and-so was a name I did not recognize. Nor do I remember having sent any FB friend requests in a long time.

I logged into the FB account and sure enough, that person had been added to my friends list. I browsed their timeline and photos, and it looked like a real account, but nothing rang a bell. Nothing about their posts seemed related to my own interests. The only thing that made me feel uncertain was that their profile pic looked vaaaaaaguely familiar; it was of a woman wearing a straw hat, and a guy, apparently at a beach but only the heads visible. I feel like I may have seen that photo before, but have no idea when, and maybe it only looks similar to some other photo I've seen in the past.

When I clicked the link to see who else they were friends with, it showed no one, so I guess they have their friends list set to private.

So then I downloaded all my Facebook data, and scanned it for her name. Nothing found.
I ran a search on all my emails and my FB notes (where I usually note down when I've sent or accepted a Friends request), and again found nothing.
I even checked my browser history; nope.
So I unfriended her.

But I still feel odd about it. Could it be someone whom I sent a friends request to a long time ago, and maybe they changed their display name (and profile URL) on FB since then?

I'm more of the belief that it was either a FB glitch, or some entity is using this method (hack Facebook to add their own fake accounts as friends to other people's accounts) to spy on people's non-public posts.

I've just thought why the profile photo might look familiar to me... maybe it was one of the "suggested connections" that FB always shows. Like a friend of a friend. So conceivably (or arguably from a hacker's point of view) I could have accidentally clicked on that part of the page sometime, resulting in a friends request being sent? But surely it would give a confirmation window before sending an actual request? Surely I wouldn't accidentally click twice, without remembering any of it?
darkoshi: (Default)
Errant thought this morning while typing on my computer/laptop keyboard:

A program might be able to decipher what is being typed simply by the different sounds each key makes and/or the rhythm of the words being typed.

There are several devices around the house which could be hacked to take audio recordings.

- The Alexa Echo Dot. Often we keep it unplugged, but sometimes I forget that it's still plugged in and turned on.

- The cams; on some of them, I've turned off audio recording, but it's hard to remember which ones and if I've changed the settings or not.

- The cell phones or laptops themselves, or the TV maybe, if they've been hacked to record audio when they aren't supposed to.


This 2005 article cited a study showing it was possible: Acoustic Snooping on Typed Information

The article comments indicate similar things have been done in the past, possibly all the way back to World War 2. So intelligence agencies most likely do have and use that kind of spying.

And if intelligence agencies are using it, it's not too far-fetched that serious & determined hackers could use it too. So that's another keylogging thing for me to be concerned about in addition to the wireless keyboard signals being snooped on.
darkoshi: (Default)
I'd been swapping my wired keyboard and wireless mouse (one of the older ones with a wired transceiver, not the nano USB adapters they have now) between my personal laptop and my work laptop at the start and end of each work day.

One of the laptop's USB ports started getting loose, such that the mouse connection would drop & reconnect every once in a while. I used a toothpick to pull up on the prongs inside the port. That is a possible fix for a loose port problem, but it didn't make much difference in my case.

That made me realize that plugging & unplugging items into the USB ports multiple times a day isn't a good idea.

Not only was I swapping the keyboard & mouse; I was also swapping the position of the laptops on my desk. Therefore using a separate wired keyboard & mouse for each laptop wasn't ideal either. It's hard to move laptops around with peripherals plugged into them. It's also not practical to keep peripherals plugged in when carrying the laptops back and forth between Qiao's place and mine.

Using the laptops' built-in keyboard and trackpad isn't good either. I can't type nearly as fast on them, and it's quite frustrating.

I thought a good solution would be to get a separate wireless keyboard/mouse combo using a single nano USB adapter for each laptop. It is a good solution. (Except for the minor problem that I might need a bigger laptop bag now for my personal laptop, as having a nano USB adapter plugged into the side makes it not fit into the bag. Which is hard to believe as it's less than a centimeter difference, but yeah. Or I could simply unplug the nano adapter for that; that's not something I need to do every day.)

Today after eating lunch I noticed some grease spots on the wireless keyboard I'd been using. This keyboard doesn't have an on/off switch; it goes to sleep automatically when not in use. So I carried the keyboard all the way into the bathroom to wipe it off, thinking that was surely far enough away that any keys I pressed while cleaning it wouldn't be recognized on the laptop.

Much to my surprise, when I carried the keyboard back to the laptop, I saw that the keypresses had still registered on the laptop! The bathroom is about 35 feet away, with 2 walls in between. I had no idea the wireless signals being used were strong enough to travel that far!

Later I tested the other wireless keyboard and mouse, which are made by a different company. They also work from far away. I tested the mouse outside the house from the porch, with the front door and storm door closed, about 20 feet from my laptop. The mouse's scroll wheel still was able to scroll the browser page open on my laptop.

That got me to wondering whether using a wireless keyboard can be a security risk. Suppose someone planted a device outside your home to record the signals from your keyboard, thereby capturing all your key presses, including any user IDs and passwords you type. Maybe a malicious app on your phone could even listen for wireless keyboard signals, and secretly record your keystrokes.

From what I've read now, wireless keyboards & mice may use encryption to prevent that kind of thing. But how can you know if yours are using encryption or not? I don't recall reading that in the specs of the ones I have. I will have to look up more on that.

The first thing I found when searching on it was not about the keyboard signals being captured, but rather hackers transmitting their own signals to control your mouse, "mousejacking".

I wonder if having my hands on these wireless-transmitting devices all day (as well as being within a few feet of the laptop's wi-fi signals) is deleterious to my health. The cell phones and iPad are also usually not far away. The wifi router is a bit further away, but still not that far. And there are several other devices in the house that send out wireless signals. I know they say it's nothing to be concerned about. But maybe it all adds up. I wonder.

And then there's the physical problems one can get simply from typing a lot and using a mouse. My right wrist has been achy today.
darkoshi: (Default)
My mom has worked for the census before, and applied again this year.

This time, she keeps having an odd problem when trying to log in to the applicant site, where the page immediately gives a message that her account has been temporarily suspended due to too many invalid login attempts, and to wait an hour before trying again. This has happened on several different days, even on her first login attempt of the day. But other times it logs in ok.

I'm thinking it must be a problem with the website. But from doing a few searches, I haven't seen anyone else post about this problem.
darkoshi: (Default)
Every once in a while Google sends an email asking me to "Confirm your recovery email". But the email address this is sent to isn't shown as a recovery email in any of my Google accounts. It is a non-Gmail email address, and is the *primary* email for one of my Google accounts (which was created from a YouTube account when Google bought YouTube). When I log into that Google account and check the email & security settings, it seems fine; no confirmation required.

The email itself doesn't mention which account it relates to; it only gives a general link (https://myaccount.google.com/security-checkup) for logging into an account. I may have created another Google account at some time and forgotten about it, but then the email should already have been confirmed back then whenever.

I think this email used to be the recovery email for one of my Gmail accounts, but I switched it to a different recovery email. So why would Google start wanting to confirm the old email again?

Anyway, note to self: IGNORE THESE DURNDED EMAILS. I already checked every single account. No need to check them again.

..

Update, 2019/11/27:

Today I got a similar email for one of my other Google accounts which has a gmail.com email address. That email clearly indicated which account the message was for (the email address it was sent to), as well as the (other) recovery email address it wanted me to confirm.

When I logged into that Google account, the settings pages didn't show any outstanding action required. But when I opened the "Take Action" link that was included in the email, that page asked me to confirm (Yes/No) that the listed recovery email was still good. I clicked Yes.

The other email I mentioned above does not list which recovery email address it wants me to confirm. When I open that email's "Take Action" link, it doesn't show any required actions regarding the email addresses. So I still don't know why I was getting those emails.

The recovery email listed is the same one as I use to log into the account. Since it is not a Gmail email address, apparently that makes it the recovery email address by default. There is no option to change it or to add any other recovery email to that account.

If I click the Gmail link while logged into that non-Gmail Google account, I get this message:

Add Gmail to your Google Account

By completing this form, you're upgrading to Gmail, email from Google. Gmail works on any device, blocks spam, and much more.

You'll be able to sign in using your new Gmail address, which will become the primary email address associated with this account. We'll send account updates, invitations, and other notifications to your Gmail address.

[old non-Gmail email address] will become an alternate email address on this account, and you'll still be able to sign in with it.

If you prefer, you can create a new Google Account with email, and leave this one as-is.

short security

Saturday, December 8th, 2018 11:48 pm
darkoshi: (Default)
My free year of credit monitoring with Equifax is nearing its end, but they linked me to Experian for another free year. Setting up an account on Experian's webpage, it is telling me that my 16 char password is too long. As someone else on that page commented, that is "very reassuring".
Their edit message doesn't tell me what the max length is though, so trial & error, here we go.

15. 15 is the max password length.
It doesn't let you paste text into the password fields either. It gives a spurious edit message when you do that.
And there's no option to display the passwords so that you can verify that you're typing the thing you intend to type.

.

I've brought the xmas tree, in its bag, from the garage into the house so that I can set it up. It has been lying on the floor in this room all day. Every time I glance in that direction, at first it looks to me like Zorro lying there. (Big dark shape stretched out on ground). Even though Zorro hasn't been staying at my house in ages, and only visits once in a long while, because I haven't finished fortifying the fence. Heck, I'm still re-fortifying the fence at Q's house.
darkoshi: (Default)
(info originally via someone else)

There's a flood of new Dreamwidth accounts being created:
https://fail-fandomanon.dreamwidth.org/233944.html?thread=1301156056#cmt1301156056

Which is likely due to the LiveJournal servers having been moved from California to Russia during the last week:
https://dw-maintenance.dreamwidth.org/73907.html?thread=2581171#cmt2581171
https://dw-maintenance.dreamwidth.org/73907.html?thread=2577075&style=mine#cmt2577075

Meaning that Russian authorities now have much easier access to user data, and are blocking many accounts:
http://en.news-4-u.ru/within-days-after-moving-servers-lj-in-russia-ilv-blocked-almost-100-entries.html

https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdolboeb.livejournal.com%2F3078638.html

.

I've also had problems loading certain LJ pages, especially ones that use the default style. For example, the comments don't display, the drop-down list by my username at the top-right part of the page doesn't work, and on Profile pages, the Bio & Interest sections are blank. Oddly, this is only happening to me when logged in. When I log out, those same pages display ok. So I'm not sure if that is due to server issues or something else.

I am seriously considering no longer cross-posting protected entries to LJ. If you are currently only on my LJ Friends-list, and if you create a Dreamwidth account, let me know and I'll give it access.

By the way, if you use Firefox and want an add-on for translating selected text and/or full web pages (including Russian), I recommend this one - it works pretty good for me:
https://addons.mozilla.org/en-US/firefox/addon/dictionary-anywhere/
darkoshi: (Default)
I had a thought/realization today. Considering that LiveJournal is owned by a Russian company, do you think that Russian authorities have access to everyone's protected and private posts, including ones cross-posted from DreamWidth? They probably do, one way or another.

In terms of the U.S. government, I was reading about warrant canaries lately, though it sounds like their use is already on the decline. It doesn't look like DreamWidth has one.

Fighting NSL Gag Orders... - EFF article. Mentions the FBI issued nearly 13,000 NSLs in 2015 alone

odds, ends

Sunday, June 26th, 2016 05:12 pm
darkoshi: (Default)
The house's side door has a motion-activated light fixture mounted by it. The lights always attracted moths and other flying insects. To prevent the bugs flying into the house, I always had to slip inside the door and shut it quickly, but sometimes moths still got in. Now I've replaced the two bulbs with LED bug light bulbs. It's amazing the difference that makes. Light! And yet absolutely no bugs flying around in the light! The light is yellow, but that's no problem. I should have done this years ago.

.

Qiao bought a set of lithium battery-powered yard tools. At first the hedge trimmer looked scary to me, with all the sharp teeth. But it is easy to use. So easy that I have to remind myself to be careful with it. It's so much easier than using clippers to cut individual stalks, especially for the jessamine bushes on the fence.

.

Cyber bank robberies... North Korea to blame?

North Korea Linked To $81 Million Bangladesh Bank Heist
Obama strikes back at North Korea

...or maybe not North Korea, exactly?
Vietnamese bank hit by cyber heist
North Korean Cyberhacking Redux: The Bank Heist Cases

.

The unstoppable march of the upward inflection?
High rising terminal
(aka "upspeak")

A lady was talking on TV a while back, and I wasn't interested in whatever she was talking about, but was fascinated by her manner of speech. Her sentences kept ending on a rising note, as if she was asking a question even though she wasn't. It was much more pronounced than the audio samples on the first link above. When I recently came across that page, I realized that maybe it wasn't a peculiarity to her, but a common way of speaking, wherever she was from.

Then I realized the similarity of that to another manner of speaking which at first struck me as odd. Some people insert phrases like "you know what I mean", "you get me", "you know what I'm saying?", "you know?" in the middle of each sentence and/or after each sentence. They don't necessarily pitch it as a question, nor even slow down waiting for feedback - it just seems to be how they are used to speaking.

The rising pitch is similar, in that the speaker sounds like they are asking the listener if they understand or agree with what is being said, except without adding any extra words in.

Then again, maybe that is just my biased impression of it, and not what is actually intended by the speakers.

Vocal fry register : Speaking in the lowest register of your voice, where it makes a creaky grating sound. I do that sometimes, and didn't realize there was a term for it.

Apparently there's been a lot of criticism of how young women speak these days.

From Upspeak To Vocal Fry: Are We 'Policing' Young Women's Voices?

From the audio samples given in that NPR broadcast and elsewhere, women using vocal fry in their speech sounds totally normal to me, and not bad. The upspeak can be a bit disconcerting to me, but not much so. That one lady I mentioned hearing speak on TV had a much more pronounced and unusual version of it, which is why it fascinated me so much. I wish I had written down who the speaker was.
darkoshi: (Default)
Logging into the web page for my email account, I look up my password. (I don't usually have to remember it, as Thunderbird's Password Manager has it saved). And I wonder why did I ever set my password to *that*? There's no way I'd *ever* be able to remember it.

So I change it to something else that I'd at least have a chance of remembering, if I really wanted to.

Five minutes later I'm at the login screen of another site, whose password I usually have no trouble remembering. But due to me having used a particular word in the new password I set above, and due to this password also having contained that same word, I'm now completely flummoxed as to what the rest of this password was. So I end up having to look it up.
darkoshi: (Default)
At work, our email system has been switched to Outlook. For accessing our email via the web, they've set up multi-factor authentication via text message. But it's not the kind where they text a number to you, and you have to enter that number on a webpage. Instead, they text a number to you, and you have to reply to the text, and in the reply you have to type in the number they sent you.

So not only does it eat up one text message (on your personal privately-funded cellphone!) each time you need to log in, but two. And you have to fumble to type the number correctly on your small cell phone screen. Switching the screen to larger landscape mode doesn't help, because then the original text is no longer shown so you can't see the number anymore that you're supposed to type.

Gah. Gah. Gah!

There's supposed to be a way of entering security questions instead of replying to the text. Before when I didn't reply to the text message in time, the security questions were automatically displayed. Now I get a blank page. Gah! I'll have to look up the instructions again.

And all this just so I can check my work email from home before leaving for work, without having to turn my work laptop on.

data security things

Tuesday, July 28th, 2015 10:37 pm
darkoshi: (Default)
I've generally felt that access-locked posts on DW and LJ were fairly secure. But it occurred to me recently that unless you use https to submit your post, it is still sent unencrypted over the internet. Whenever someone in your access list reads it, unless they are using https, it is also sent unencrypted. Therefore, anyone sniffing traffic could potentially capture the text and read it. I should check whether DW and LJ fully support https now; the last times I checked it, it was only partially supported.

I suppose posts are also stored unencrypted on the servers, so that they might be vulnerable to hacking. This DW news post from 2010 seems to indicate so. I guess it would be hard to encrypt posts, considering that they need to be visible not only to the author, but also to anyone the author gives access to.

.

Because Thunderbird always prompts me for a password when I bring it up, I've had a vague feeling that my email was secure. That's silly, as I know that when I cancel the password prompt a few times, I can read mail that's already been downloaded; only new mail won't be downloaded. I was also under the mistaken impression that the mail was at least stored in encrypted form on my hard drive (though obviously, there's no point in that, as one can simply open Thunderbird and read it from there).

.

I hadn't realized that the original TrueCrypt project had shut down last year, until reading about it on the above linked Thunderbird page. The circumstances around the shut down sound quite suspicious (even though they might not be). It makes me start thinking of all kinds of possible subterfuge and conspiracies. Even regarding the audit that was done on the code, which as pointed out by one of the comments on that page, was limited in scope.

I never did get around to installing and using TrueCrypt myself. It's been one of those things I'd always wanted to do, sort of, if I had more time.
darkoshi: (Default)
Why did I have to spend the last 2 or 3 hours reading about how the German Enigma encryption machines worked, and how the messages were deciphered? Why doesn't the part of my brain which is engrossed in something like that ever pay attention to the other part of my brain that is saying I better stop and get ready for bed?
darkoshi: (Default)
How My Mom Got Hacked - malware that encrypts all your files and requires a bitcoin ransom payment.

“...they almost always honor what they say because they want word to get around that they’re trustworthy criminals who’ll give you your files back.”

Welcome to the new ransomware economy, where hackers have a reputation to consider.
darkoshi: (Default)
I'm impressed by the security of this particular bank's website, but it can also be infuriating.

The first time while trying to log in today, I got a page saying that my user id and/or password were not recognized, and to please try again (or go read the Help pages).

So I checked my notes for my password; I had indeed entered it wrong. I tried again, but got the same error message again.

So I checked my notes again, and discovered that I had been entering the wrong user id too. I logged in again, this time carefully typing the correct user id *and* the correct password.

But I got the same error message again. This is the infuriating part. After a certain number of failed login attempts, you are locked out without being given any indication of it. The website simply keeps showing you the message that you entered the wrong values and to "please try again". No matter how many times you then enter the right values, the same message is shown. The first time or 2 that I was locked out, I called the bank to straighten it out. The next time (after finally realizing what was going on), I decided to wait it out. I found that if I waited a day or two before trying to log back in, then I'd be able to succeed.

Previously, I thought that the lock-out happened after maybe 3 or 4 failed login attempts. But based on the above, today I was locked out after only 2 failed attempts. So it is not even a 3-strikes-and-you're-out policy, but 2! And it's not even per user id - they must be counting the attempts based on your IP number. Good lord. It's not unusual for me to have to type a password multiple times before getting it right, even when I'm remembering it right.

Based on their Help pages, they only disable your password after 3 failed attempts. You can reset it online after verifying your identity, but it says that then you need to change the password. I don't want to change my password - each time I change it, makes it more likely that I'll type it in wrong the next time!

.

I could have sworn I had previously posted about my frustrations trying to login to this website, and that someone had replied to it. But I've failed to find any such post. I must have only considered posting about it, and instead mentioned it to Qiao, who provided sympathetic feedback. Is it common to think you've written a post about some topic, when instead you only discussed it with someone?

I've also noticed lately that when I feel like posting about something, but then happen to talk about it with Qiao (like above), that afterwards I feel less desire/need to write the post. Apparently talking about things sometimes gets them out of my system in the same way that writing a post would do, even though there's no recorded trace of the discussion afterwards.
darkoshi: (Default)
Terrorists used false DMCA claims to get personal data of anti-islamist YouTuber

First, I'll mention a few items from the original German article that I didn't see mentioned in the other English posts I read.

The automated emails sent by YouTube to the channel owners clearly stated that 1) the channel owner had to provide their personal data in order to counter the copyright infringement claim, and 2) that this personal data would be shared with the person who submitted the claim.

YouTube alternately allows you to provide the contact information of an authorized representative (such as a lawyer) rather than your own, but the channel owners didn't discover that until afterwards.

Neither of the 2 main presenters of the channel were willing to share their contact information. Sabatina James (not her real name) was already in a victim's protection program, and in the habit of moving every few years for her own protection. In the past, she received death threats from her own family after fleeing an arranged marriage in Pakistan.

They suspected that the person making the false claim was an Islamist, and they repeatedly tried to tell YouTube this. But they were ignored.

After YouTube received 3 copyright infringement claims and no counter claim, the channel was shut down. After the channel was shut down, one of the channel's collaborators offered to provide his contact information in order to get the channel reinstated. It was this person's personal data that was provided to the false claimant and subsequently made public.

.

According to Google's help pages, one can submit a copyright infringement complaint by web-form or email. The web-form requires you to enter your full legal name, address and phone number. But curiously, the email option only says that it requires your contact information "such as an email address, physical address or telephone number".

Whereas, when submitting a counter-notification by email, you are required to include a full legal name, email address, physical address, and phone number.

So it sounds like someone can file a claim by providing only an email address, whereas to fight a claim, one has to disclose much more.

eBay data hacked

Friday, June 20th, 2014 12:34 pm
darkoshi: (Default)
EBay customers must reset passwords after major hack - apparently this became public on May 21, and supposedly eBay sent out emails warning their users to change their passwords. But I did not get such an email, even though I just checked that email account, and it *did* get an eBay advertisement email on May 12.

This is just FYI to anyone else who may have missed this news.

Page generated Wednesday, June 25th, 2025 01:37 am