>Except the steps to do that are disable bitlocker, create a local user account (assuming you initially signed in with a Microsoft account because Ms now forces it on you for home editions of windows), delete your existing keys from OneDrive, then re-encrypt using your local account and make sure not to sign into your Microsoft account or link it to Windows again.
1. Is there any indication it forcibly uploads your recovery keys to microsoft if you're signed into a microsoft account? Looking at random screenshots, it looks like it presents you an option https://helpdeskgeek.com/wp-content/pictures/2022/12/how-to-...
2. I'm pretty sure you don't have to decrypt and re-encrypt the entire drive. The actual key used for encrypting data is never revealed, even if you print or save a recovery key. Instead, it generates a "protector", which encrypts the actual key using the recovery key, then stores the encrypted version on the drive. If you remove a recovery method (i.e. protector), the associated recovery key becomes immediately useless. Therefore if your recovery keys were backed up to microsoft and you want to opt out, all you have to do is remove the protector.
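The protector swap described in the comment above, written out as an added PowerShell example (it is not part of the original thread and is not Microsoft's own script). It assumes an elevated session, the built-in BitLocker module, and that `C:` is the protected volume.

```powershell
#Requires -RunAsAdministrator
# Added example: replace the recovery-password protector on a BitLocker volume
# without decrypting it. $mount is an assumption; adjust it to the target volume.
$ErrorActionPreference = 'Stop'
$mount = 'C:'

$before = Get-BitLockerVolume -MountPoint $mount
if (-not $before.KeyProtector) {
    throw "No key protectors on $mount; the volume is not BitLocker-protected."
}

# Show every protector (TPM, recovery password, ...) currently stored on the volume.
$before.KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize |
    Out-String | Write-Host

# Recovery-password protectors that exist now: the ones that may have been backed up.
$old = @($before.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# Add the replacement first so the volume is never left without a recovery path.
$after = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector -WarningAction SilentlyContinue
$new = $after.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and
    $_.KeyProtectorId -notin $old.KeyProtectorId
}
if (-not $new) {
    throw "No new recovery protector was created; nothing has been removed."
}

# Remove the old protectors. Only the wrapped copy of the key is deleted;
# the data on the drive is not touched.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Host "Removed recovery protector $($p.KeyProtectorId)"
}

# Confirm the volume was not decrypted or re-encrypted along the way.
$final = Get-BitLockerVolume -MountPoint $mount
Write-Host "Volume status: $($final.VolumeStatus), $($final.EncryptionPercentage)% encrypted"
Write-Host "Protectors now on ${mount}:"
$final.KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize |
    Out-String | Write-Host

# Store the new recovery password offline (printed once here for that purpose).
Write-Host "New recovery password ID: $($new.KeyProtectorId)"
Write-Host "New recovery password:    $($new.RecoveryPassword)"
```

The encryption percentage reported at the end is the same as before the swap, which is the comment's point: only the protector changes, not the encrypted data.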
They've come up with a memo saying that non-judicial warrants can let them break in. This has historically been very much not allowed.
Edit: As a quick explanation, this is more or less a separation-of-powers thing. The rule has been that for the executive to enter someone's home they need a warrant from a judge, a member of the judicial branch. They now say that an "administrative warrant" is enough, issued by an immigration judge -- but immigration judges are just executive branch employees, so this is saying that the executive can decide on its own when it wants to break into your house.
not saying you’re wrong, but we have to get in the habit of sourcing our claims! whistleblowers testified to Congress about this memo that began circulating around mid-2025.
IMO, the problem is that you must learn what "research" actually entails before attempting it, so that you don't fall into the trap of that fallacy.
Most people… eh. I don't know about the rest of the world, and my experience was in the 90s, but for me GCSE triple science was a list of facts to regurgitate in exams, and although we did also have practical sessions those weren't scored by how well we did Popperian falsification (a thing I didn't even learn about until my entirely optional chosen-for-fun A-level in Philosophy; I don't know if A-level sciences teaches that).
Yes, because object level facts matter, and it's intellectually dishonest to ignore the facts and go straight into analyzing which side is the most righteous, like:
>Microsoft is an evil corporation, so we must take all bad stories about them at face value. You're not some corpo bootlicker, now, are you? Now, in unrelated news, I heard Pfizer, another evil corporation with a dodgy history[1] is insisting their vaccines are safe...
>A finger slip, a bug in a Windows update, or even a cosmic ray flipping the "do not upload" bit in memory, could all lead to the key being accidentally uploaded.
This is absurd, because it's basically a generic argument about any sort of feature that vaguely reduces privacy. Sorry guys, we can't have automated backups in windows (even opt in!), because if the feature exists, a random bitflip can cause everything to be uploaded to microsoft against the user's will.
>This is absurd, because it's basically a generic argument about any sort of feature that vaguely reduces privacy. Sorry guys, we can't have automated backups in windows (even opt in!), because if the feature exists, a random bitflip can cause everything to be uploaded to microsoft against the user's will.
This is a dismissal of an objection to a software system implemented such that it performs in a discrete manner by default (no info leaves until I explicitly tell it to; this would be a nice thing, if you hadn't noticed). You repudiate the challenge on the basis of "we want to implement $system that escrows keys by default; a bad thing, but great for the company and host government in which said thing is widely adopted).
You may not have used the exact words; but the constellation of factors is still there. We can't have nice things (machines that don't narc, do what we tell them, etc.) because there are other forces at work in our society making these things an impossibility.
It is regrettable you do not see the pattern, but then again, that may be for the better for you. I wouldn't wish the experience of seeing things the way I do on anyone else. Definitely not a fun time. But it is certainly there.
>they did it with the intention of overturning elections:
>[...] to "find evidence of voter fraud and to overturn election results in certain States,"
The actual election fraud allegations are probably spurious, but regardless we shouldn't be trying to imply that intending to overturn elections in cases of fraud is bad in and of itself. The badness comes from inappropriate access to the data, not trying to find evidence of fraud.
In the legal realm, journalist and legal analyst Emily Bazelon analyzes the legal "presumption of regularity" which has been trashed by the current administration.
How many allegations of fraud need to be taken to court and dismissed before it’s no longer conceivable that this is a good faith non-partisan search for evidence of fraud?
Sure, and my point is that we shouldn't apologize for people deliberately "investigating" bogus allegations on the grounds that investigating legitimate allegations is a good thing.
>Sure, and my point is that we shouldn't apologize for people deliberately "investigating" bogus allegations
But I'm not "apologizing" for them? I'm pushing back on OP's phrasing of "they did it with the intention of overturning elections". It's possible to push back on some person's criticism of [bad guy] without being accused of "apologizing" for [bad guy].
From my original comment:
>we shouldn't be trying to imply that intending to overturn elections in cases of fraud is bad in and of itself
You said "The badness comes from inappropriate access to the data, not trying to find evidence of fraud." I disagree. I think that a blatantly bad faith partisan investigation demanded by a politician who stands to gain and executed by public servants would be bad even if they didn't inappropriately access this data. Both things are bad and would still be bad independent of one another.
>I think that a blatantly bad faith partisan investigation
Sounds like you agree with me, because you're still not objecting to my original premise of "we shouldn't be trying to imply that intending to overturn elections in cases of fraud is bad in and of itself". You might think "bad faith partisan investigation" is bad, but not the act of trying to overturn elections itself.
You explicitly applied it to this investigation, saying the investigation itself was not bad. If you intend to weaken your claim to "not all conceivable investigations of election fraud are bad," then yes, I agree, but that's such an extraneous comment that I would question the intent of including it.
We don't have to examine every situation in the theoretical. We can pay attention to context. These are not good faith actors, they are not seeking the truth.
Right, I'm not trying to argue that the actions in this case are praiseworthy, only that the OP is misidentifying the source of the badness. That's important, because if we establish a pattern of "overturning elections is bad", then that will come back to bite us when there actually is a legitimate reason for overturning elections.
Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account? I'm sure they pinky promise they keep your credentials secure, but this feels like it breaks all sorts of security/privacy expectations.
> Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account?
Not just an “outlook account” - any account in outlook, with default settings at least.
I run a mail server, mainly for me but a couple of friends have accounts on there too, and a while ago one friend reported apparently being locked out and it turned out that it was due to them switching Outlook versions and it was connecting via a completely different address to those that my whitelists expected, sometimes at times when they weren't even actively using Outlook. Not only were active connections due to their interactive activity being proxied, but the IMAP credentials were stored so the MS server could log in to check things whenever it wanted (I assume the intended value-add there is being able to send new mail notifications on phones/desktops even when not actively using mail?).
> but this feels like it breaks all sorts of security/privacy expectations.
It most certainly does. The behaviour can be tamed somewhat, but (unless there have been recent changes) is fully enabled by default in newer Outlook variants.
The above-mentioned friend migrated his mail to some other service in a huff as I refused to open my whitelist to “any old host run by MS” and he didn't want to dig in to how to return behaviour back to the previous “local connections only, not sending credentials off elsewhere where they might be stored”.
I am so glad people are finally noticing and complaining about this. It's the same reason I won't use Spark or Superhuman. Those are neat services, but I can't abide storing the creds to perhaps the most security-sensitive service I use to a cloud provider. If they get hacked, then the attacker can access my email account, send phishing emails to my contacts, read and respond to password reset requests they make to other online services, etc. It would be disastrous.
No, I'll keep my credentials stored and used locally, thanks.
They store passwords and proxy everything at the same time they’re pushing OAuth, authenticators, passkeys, etc. for their own services. Everyone should have revolted when they bought Acompli and started doing this kind of thing.
This seems like it would completely break any attempt to track access from unauthorized users or devices — any IT department using a backend other than Microsoft’s would need to pretend that all access from MS’s servers is safe.
In response to discovering this any competent IT department would immediately move to ban the use of any offending apps and blacklist the MS servers from the relevant backends. Also I guess rather than drop the connections ideally you would want to accept the initial request, record the provided credentials, and then lock said account because the credentials have clearly been compromised and the user is now known to be making use of a banned app.
It’s also the case that, of the major cloud providers, one of them is quite notably poor at securing its own systems. If I were a company that cared about security, I would not want Microsoft holding credentials to my system.
My bank isn't end to end encrypted either, but that doesn't mean it's suddenly ok for Microsoft (or any other company) to suddenly start MITMing my online banking connections.
I am talking about the fact that the new default email client on Windows will hand over all your email credentials to Microsoft. This has nothing to do with Gmail.
Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.
It looks like Microsoft Edge had the _ability to disable_ this added in 2020 or 2021, but it isn't currently the default and the Group Policy unintuitively only applies to unencrypted HTTP Connections.
>Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.
Are you talking about NTLM hashes? It's a weak hash, but not the same as "sending your password". The biggest difference is that even a weak hash can't be reversed if the password has high enough entropy.
Yes, I meant to type hash. Not that it matters as even 10yr old integrated GPUs are enough to brute force 8 or 9 character NTLM (or any variant) passwords in a few hours. Not that you need to with Pass The Hash.
I don't think there's any evidence that windows sends cleartext passwords. The whole reason why NTLM is a thing is to avoid sending cleartext passwords.
It's more common than you might think. I know of at least one popular email client that stores your credentials on their servers to enable features like multi-account sync and scheduled sending.
I bought a hardware password manager a while back and the bulk load tool sent all your creds to a cloud service. I have not used it since, and sent the manufacturer a nasty note.
>I would expect such a feature to use end-to-end encryption for the data
How would "end-to-end encryption" work when such features by definition require the server to have access to the credentials to perform the required operations? If by "end to end" you actually mean it's encrypted all the way to the server, that's just "encryption in transit".
Use our new open source (modification and redistribution not permitted) app to exchange end-to-end encrypted (from your client to our server) messages with your friends! Having all your data on our service protects your data sovereignty (we do not provide for export or interop) by guaranteeing that you always have access to your full history! Usage also protects your privacy (we analyze your data for marketing purposes) by preventing unscrupulous third parties from analyzing your data for marketing purposes.
If we had competent regulators this sort of blatant willful negligence would constitute false advertising.
Already many years ago I remember installing a firewall on my phone and noticing in surprise that Outlook was not connecting at all to my private mail server, but instead only sending my credentials to their cloud and downloading messages from there.
The only Android mail client not making random calls to cloud servers was (back then) K-9 Mail.
I think the curl -u switch just requires the password field to be filled, there obviously isn't a legit user account test@example.com with a password of password either at microsoft or at the Japanese imap server.
>I think the curl -u switch just requires the password field to be filled
Yeah you're right, if you don't specify the password (eg. -u user), it prompts you for it
>there obviously isn't a legit user account test@example.com with a password of password either at microsoft or at the Japanese imap server.
But presumably the fact it's there at all suggests it's a required parameter? Maybe "password" is just a placeholder, but it's unclear based on the command line transcript alone.
I don't get it. The screenshot on reddit appears to show that tapping on the card changes the billing info, and under that there's a separate button to change the card. So far as I can tell that's the same on iOS 18? The only difference is that tapping on the card doesn't do anything. What's the "muscle memory"?
No, "another non-disabled organization" sounds like they used the account of someone else, or sockpuppet to craft the response. He was using "organization" to refer to himself earlier in the post, so it doesn't make sense to use that to refer to another model provider.
No, I don't think so. I think my interpretation is correct.
> a textbox where I tried to convince some Claude C in the multi-trillion-quadrillion dollar non-disabled organization
> So I wrote to their support, this time I wrote the text with the help of an LLM from another non-disabled organization.
> My guess is that this likely tripped the "Prompt Injection" heuristics that the non-disabled organization has.
A "non-disabled organization" is just a big company. Again, I don't understand the why, but I can't see any other way to interpret the term and end up with a coherent idea.
It seems just as likely to me that they're just using their terminology inconsistently as it is that they're using it consistently but with that egregious amount of ambiguity. The only thing that I'm confident about is that they're communicating in a very confusing way, and that doesn't really give me any strong insight into whether they're being consistent but vague or just plain vague.
Again, I don't agree. If you replace every instance of "non-disabled organization" with just "company", the sentences make sense. There's no need to suppose that the term means anything else, when this interpretation resolves all the outstanding questions satisfactorily and simply.
Just want to say thank you for being patient and rational. Reading your comments in this thread, they're like a soothing bandaid over all this flustered upset.
I wish there were more comments like yours, and fewer people getting upset over words and carrying what feels like resentment into public comments.
Apologies to all for this meta comment, but I'd like to send some public appreciation for this effort.
Sure, but that's not what they said, which is why it's confusing. Earlier in the article they referred to themselves as the "disabled organization", so it's not obvious to me that there's a change in what they mean by the word to an entirely different one. Your explanation is plausible and consistent, but that doesn't necessarily mean it's correct, and I don't think that being internally consistent is sufficient evidence to conclude that something is true.
Okay, but if you won't be satisfied by a plausible and consistent answer then you won't be satisfied by any answer. Even if the author themselves stood in front of you and told you what they meant when they used the phrase, that would still be unsatisfactory because they could still be using language inconsistently and incorrectly.
I’m sorry but the fact this has turned into a multi comment debate is proof that that phrase was way too ambiguous to be included. That phrase made no sense and the article, while unreliable, would have at least been more readable without it.
>Same reps, same meetings every year, nothing happens. Farmer seemed to have all the pieces except the idea that he might want to vote for someone else ...
I get it's funny to dunk on dumb Republican farmers voting for the same party over and over again, and not getting what they want, but it's hardly a farmer or Republican issue. How is this any different than say, Democratic voters who want medicare for all (or whatever) and not getting that for decades?
Fix your voting system. This two party system you have is caused by the First Past the Post voting system you have. Basically mostly all that is uniquely broken about US politics is downstream from FPTP. You can't get smart solutions if all your options are dumb and dumber.
> How is this any different than say, Democratic voters who want medicare for all (or whatever) and not getting that for decades?
How is it different? It’s different because people do stop voting for right-leaning Democrats who are all talk, and then they lose and Republicans win, and then the Republican voters get exactly what they voted for (and everyone else gets it too).
Republicans control the government, what on Earth do Republican voters have to complain about? They got what they voted for.
If they’re unhappy with the government they should complain to the mirror.
>How is it different? It’s different because people do stop voting for right-leaning Democrats who are all talk, and then they lose and Republicans win, and then the Republican voters get exactly what they voted for (and everyone else gets it too).
Is there any indication this doesn't happen for Republicans? Around a decade ago there was a huge shift in the Republican party from being pro-globalization to protectionist.
> How is this any different than say, Democratic voters who want medicare for all (or whatever) and not getting that for decades?
Because democrats largely support M4A and socialized health care in general. A handful are squishy on the issue, and the structure of the senate requires significant bipartisanship to pass[1]. But if you want it to pass you want to vote for democrats, duh. If you do happen to vote for a democrat who actually opposes that and complain to them that they didn't vote for it, then yeah: you're dumb.
[1] The exception that proves the rule being the ACA itself, which passed on an EXTREMELY rare party-line 60 vote majority. And didn't include a government-offered insurance option because of the objections of Just One Guy (Joe Lieberman, representing the insurance hotbed of Connecticut) whose vote was needed.
> How is this any different than say, Democratic voters who want medicare for all (or whatever) and not getting that for decades?
They can see progress. ACA wasn't a slam dunk, but it was progress.
Also, you aren't voting for a Republican or a Democrat, you are voting for a person, and if the person you are voting for supports M4A, that's what you can do. If someone else in the same party doesn't support that, you can't do anything about that. However, your representative is one piece of the puzzle. Giving up on that is dumb.
It's not like the Democrats are under the heels of a tyrant leading their party and country over a cliff.
> How is this any different than say, Democratic voters who want medicare for all (or whatever) and not getting that for decades?
To be fair, the progressive movement in the Democratic Party is much larger than any actual working-class movement in the GOP. MAGA is not exactly pro-union, pro-striking, or even pro-farmer, given the tariffs. The Progressive Caucus otoh is now 45% of the House Democrats. Zohran Mamdani was just elected mayor of NYC, and is already making big moves against landlords.
And that's even aside from the voters who don't vote for corporate Dems, and then get blamed by the DNC for losses. Every time someone asserts that "Bernie Bros" sat out in 2016, they're talking about Democrats who refused to keep 'voting for the same party over and over again'.
At least (some) Democrats actually say they want Medicare for all. The farmer parallel would be like voting for a Republican hoping for Medicare for all.
Though I'm a bit biased, because it seems like if you want anything other than for billionaires to get more money, you would vote Dem.
To be fair, this isn’t a perfect solution but it does get us much closer to that solution each time. There are still plenty of democrats who don’t support solving these problems (for any number of reasons, I’m not going to conjecture here why).
The best solution I’ve seen is to just keep pushing leftward—even if we only get a few increments here and there.
I agree, keep pushing leftward. It feels like we will never get there, but I predict that we will get a wave of change eventually, with folks like Mamdani. Trump dramatically shifted the Overton window rightward, which just means that it's possible to move leftward.
>The real reason for the difference in policy is the incentives that it creates for the meat-producers. In the US there is no incentive to keep sanitation up in the production chains because the chicken will be chlorinated anyway. This actually incentivizes sloppy (cheaper) production methods over ones that are more sanitized but more costly.
If there's no actual downsides from the chlorine, what's the issue? In many cities the municipal water source is a local river that's polluted, and needs treatment to be drinkable. Part of that process might involve adding chlorine. I'm sure that all of this can be avoided if the water is sourced, at great expense, from a glacier or whatever, but nobody would suggest we should ban chlorinating water, and that allowing chlorinating water would be better because it forces the water source to be clean.
The poor sanitation in American poultry farming can have other negative effects outside the meat being safe. Such unsanitary conditions make dangerous conditions for workers including an elevated risk of novel avian flus and, if ever the chlorination isn't properly executed, the meat is extremely unsafe to eat.
Chlorination is a good idea when you can't control the supply chain (i.e. drawing water through infrastructure that's been compromised) but the better solution (if it's reasonable) is always to fix the supply chain. In the case of a city relying on chlorination vs. bringing clean water in by train the chlorination is a clear winner. When it comes to meat it's a cost issue and the EU made the decision to force that cost onto the producer while the US has made the decision to bear the cost at large.