Month: August 2024

Microsoft update knocks out Linux computers

Last week, Microsoft released a security patch that is supposed to fix CVE-2022-2601, a two-year-old vulnerability in the GRUB bootloader.

However, something went wrong with the update and as a result, Linux-based systems refuse to boot on computers with dual operating systems.

When users try to boot the system, they get an error message saying “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”

According to Microsoft, the bug only affects older versions of Linux-based operating systems, but apparently it has also affected the latest versions of Debian, Ubuntu, Linux Mint, Zorin OS and Puppy Linux.

Fortunately, while waiting for an official fix, it is possible to work around the problem by temporarily turning off Secure Boot, opening the terminal and deleting the SBAT policy with the command sudo mokutil --set-sbat-policy delete. After rebooting, you should turn Secure Boot back on, Ars Technica reports.
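To see why shim refuses to run under the new policy, here is an added Python example (not from the article or from the shim project) that compares a bootloader's SBAT section with an SBAT revocation policy in the format shim's SBAT.md describes; the efivars path it reads the live policy from on Linux is an assumption, and the sample SBAT data is constructed, not Microsoft's actual policy.

```python
"""Check a shim/GRUB binary's SBAT section against an SBAT revocation policy.

Format per https://github.com/rhboot/shim/blob/main/SBAT.md: each CSV line is
'component,generation,...'; a policy line 'shim,4' means every binary whose
SBAT section names 'shim' with a generation below 4 is rejected.
"""
import struct
from pathlib import Path

# Assumed path: shim mirrors its active policy into the SbatLevelRT EFI
# variable (GUID is shim's lock GUID); efivars files start with a 4-byte
# attribute header before the payload.
SBATLEVEL_EFIVAR = Path(
    "/sys/firmware/efi/efivars/SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23")


def parse_sbat(text: str) -> dict:
    """Parse SBAT CSV into {component: generation}; later fields are metadata."""
    entries = {}
    for line in text.splitlines():
        line = line.strip().strip("\x00")
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries[fields[0]] = int(fields[1])
    return entries


def sbat_violations(binary_sbat: str, policy: str) -> list:
    """Return [(component, have, required)] for every component of the binary
    whose generation is below what the policy demands. A non-empty list is
    exactly the condition behind 'SBAT self-check failed: Security Policy
    Violation' when shim checks its own section."""
    have = parse_sbat(binary_sbat)
    required = parse_sbat(policy)
    return [(name, have[name], required[name])
            for name in have
            if name in required and have[name] < required[name]]


def extract_sbat_section(pe_path: str) -> str:
    """Pull the '.sbat' section out of a PE/COFF EFI image (shim, grub)."""
    data = Path(pe_path).read_bytes()
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size            # section table follows the optional header
    for i in range(nsections):
        hdr = table + 40 * i                   # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0")
        vsize, _va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        if name == b".sbat":
            size = rawsize if vsize == 0 else min(vsize, rawsize)
            return data[rawptr:rawptr + size].decode("ascii", "replace")
    raise ValueError(".sbat section not found")


def read_sbatlevel(path: Path = SBATLEVEL_EFIVAR) -> str:
    """Read the active revocation policy from efivars (strip the attribute header)."""
    return path.read_bytes()[4:].decode("ascii", "replace")


# Constructed sample: a shim advertising generation 2 for itself and for the
# grub it will load, checked against a policy that now requires shim 4, grub 3.
SAMPLE_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
)
SAMPLE_POLICY = "sbat,1,2024010900\nshim,4\ngrub,3\n"

if __name__ == "__main__":
    for comp, have, need in sbat_violations(SAMPLE_SHIM_SBAT, SAMPLE_POLICY):
        print(f"{comp}: generation {have} < required {need} -> shim would refuse it")
```

On a real system, pass `extract_sbat_section("/boot/efi/EFI/<distro>/shimx64.efi")` and `read_sbatlevel()` to `sbat_violations` before re-enabling Secure Boot to confirm the installed shim satisfies the policy.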

Want genAI to deliver benefits? You have a lot of work to do first.

Say what you will about generative AI (genAI) enterprise perceptions, but it’s certainly neither nuanced nor balanced. 

For months, virtually everyone thought genAI was going to solve all business and global problems. Then the reality pendulum swung the other way, with various reports and experts arguing it won’t work, nothing will come of it, the “bubble is bursting” and simply, “the numbers aren’t there.” 

Consider Gartner’s report that “at least 30% of generative AI (genAI) projects will be abandoned after proof of concept by the end of 2025, due to poor data quality, inadequate risk controls, escalating costs or unclear business value.” The problem with the Gartner figure is that roughly that same percentage of all IT projects never survive trial tests — so it’s not clear how genAI is worse. 

Of course, there’s the report about the CIO of a major pharmaceutical who paid Microsoft to have 500 employees use Copilot, only to have the CIO cancel the project after six months, saying it delivered slides that looked like “middle school presentations.” (Note: At least most middle school slideshows quickly get to the point, unlike every Microsoft presentation I have seen. But I digress.)

The practical truth is that both views are wrong. GenAI tools absolutely have value, but it won’t come easy. IT needs to do a lot more homework. 

What kind of homework?

Clean your data: As I noted recently about Agentic RAG strategies, many enterprises suffer from terrible data. It’s out-of-date, error-ridden, obtained from dubious sources, and might unintentionally contain sensitive data (including PII and health data) that is not supposed to be there. No genAI magic can ever work if the data foundation is a mess. Have your team generate pristine data and your AI ROI has a chance.

Select more ideal projects: This is actually a twofer: First, talk with your team about genAI particulars so you can identify where the technology can help. GenAI can indeed handle anything, but it can only handle a very small subset really well. Secondly, far too many projects have been selected because, as an experiment, execs wanted to see what genAI can truly do. You need to be far more selective if you want to give genAI a fair chance.

Assess your hallucination comfort zone: This is arguably the most crucial. GenAI will hallucinate, and it will do so with no predictability. There are mechanisms you can deploy to reduce hallucinations a small degree — such as using AI to double-check AI, as is being attempted by Morgan Stanley, as well as limiting the data sources genAI is permitted to use.

But hallucinations can’t be stopped, and many argue they can’t even be meaningfully reduced. That means difficult conversations. What tasks do you need done where you can tolerate a few blatant lies here and there? Do you want to ban its use with anything customer-facing, such as customer service chatbots? 

Even using it to summarize documents or meeting notes requires a discussion. How much human oversight can you apply before the efficiency goes away? One way to look at it: What projects do you have that are complex enough to benefit from genAI but not so important that lies or errors are deal-killers?

Be realistic about ROI objectives

Line-of-business chiefs are used to running ROI objectives by someone in the CFO’s office or at least a division general manager’s office. With genAI efforts, it’s essential to also check with an IT specialist who intimately understands what the technology can and can’t do. 

My recommendation: Start with the genAI expert — don’t even discuss it with the number-crunchers until IT okays goals that are reasonable from a tech perspective.

Is it even something you want to bring to the CFO’s office at all? If this is experimentation to see what genAI can do — a perfectly reasonable goal at this point — then perhaps it doesn’t need a spreadsheet-friendly ROI yet.

Rita Sallam, distinguished vice president analyst at Gartner who tracks genAI strategies, said she understands the frustrations CIOs have when trying to apply ROI standards to genAI. 

“You can’t get your hands around the actual value,” Sallam said. “There is additional work on your data that has to be done. Your proof of concept needs to be a proof of value. There is a certain percentage that will fail due to lack of the right data, the right guardrails or the absence of being able to properly demonstrate the value. Enterprises are sometimes not acknowledging the foundations that are necessary for genAI success.”

Another industry AI expert, Wirespeed CTO Jake Reynolds, was more blunt. “Believe how excited I was to learn we’re now moving away from statistics and math and instead using a drunken toddler to make these decisions for us,” he said. 

About those hallucinations

Some experts have questioned whether the concept of hallucinations is being handled appropriately, mostly because it puts the blame on the software. GenAI is not necessarily malfunctioning when it hallucinates: it is doing precisely what it was programmed to do.

“AI hallucination is all that genAI does,” said Symbol Zero CEO Rafael Brown. “All that it does is throw things together, like throwing pasta and sauce at a wall and waiting to see what sticks. This is done based on what the viewer likes and doesn’t like. There’s no real rhyme or reason. There isn’t true structure, context, simulation, or process. There is no skill, insight, emotion, judgment, inspiration, synthesis, iteration, revision, or creation. It’s like a word jumble or a word salad generator. It’s not even as good as Scrabble or Boggle. It’s better to think of it as AI Mad Libs — trust your business, your future, and your creation to AI Mad Libs.”

There’s also the possibility that genAI might well implode as it starts feeding on itself and all reality-based data vanishes. That’s how Pascal Hetzscholdt, senior director of content protection at publisher Wiley, sees it.

“Models like ChatGPT4 must constantly be retrained on new data to stay relevant and useful,” he said. “As such, this means generative AI is already starting to eat itself alive by being trained on its own output or other AI output. 

“Why is this a problem? Well, it means that they will start recognizing patterns of AI generative content, not human-made content,” Hetzscholdt said. “This can lead to a rabbit hole of development, in which the AI is optimizing itself in a counterproductive way. The patterns it sees within the AI content might also go directly against those it sees in human content, leading to incredibly erratic and unstable outputs, which could render the AI useless. This is known as model collapse.”

Hetzscholdt pointed to a study that found that “it only takes a few cycles of training generative AI models on their own output to render them completely useless and output complete nonsense. In fact, one AI they tested only needed nine cycles of retraining it on its own output before the output was just a repetitive list of jackrabbits. As such, by 2026, these generative AIs will likely be trained on data that is primarily of their own creation, and it will only take a few rounds of training on this data before these AIs fall apart.”

His less-than-optimistic conclusion: “This is the paradox of AI — the more we use it, the worse it will get. It’s also why we shouldn’t build our industries or digital social systems around this technology, as it could crumble away very soon, leaving our economy and digital lives like a hollowed-out rotten tree waiting for the next storm to topple it.”

The complete BitLocker encryption guide for Windows PCs

Data encryption is critical. Whether you’re using a PC provided by your employer or working from your own personal computer, encryption ensures that thieves and anyone else who might get their hands on your PC can’t view any sensitive private data.

Storage encryption can be complex on Windows PCs. This guide will tell you everything you need to know, including the difference between traditional BitLocker encryption and new “Device Encryption,” how to ensure your PC’s data is safe, and how to encrypt removable devices — just in case.

I’ll also explain what you need to know about recovering from BitLocker encryption errors. When the CrowdStrike meltdown occurred, many people booted their PCs only to see a blue screen that demanded a BitLocker recovery key. Hopefully, this won’t happen to you. In case it ever does, you should be prepared.

Want more Windows PC tips? Come check out my free Windows Intelligence newsletter for three new things to try every Friday and a free in-depth Windows Field Guide e-book (a $10 value).

What is BitLocker?

BitLocker is Microsoft’s storage encryption technology. First introduced in Windows Vista, it’s still part of Windows 11 and Windows 10 today. BitLocker encrypts entire volumes; in other words, it encrypts whole partitions on your drive.

When activated, BitLocker stores your PC’s files on disk in an encrypted manner. Think of them as being stored in a “scrambled” form — a thief can’t just pull your PC’s storage drive out and access your files. They’ll need the encryption key to access them.

BitLocker is often configured to function in “transparent” mode, automatically unlocking itself when you boot your computer. This uses the TPM (Trusted Platform Module) hardware in your computer to unlock the drive. The TPM stores the encryption key and provides it only if the Windows operating system doesn’t appear to have been tampered with.

This technology is a critical way for businesses to secure their company’s data. That’s why businesses will often enforce BitLocker usage on their managed PCs. But it’s also a useful way for individuals to secure their personal data. If someone does get their hands on your laptop, they won’t be able to access the files without the key. Even if they boot the laptop up, they’ll need to sign into your Windows user account to access your files.

If you ever have an issue with BitLocker, you will be asked to provide a BitLocker recovery key. If you set up BitLocker yourself, Windows prompted you to store it somewhere safe. If you set it up through your workplace, they have a copy. A copy will be stored with your Microsoft account in some situations, too.

BitLocker vs. Device Encryption: What’s the difference?

Back in the Windows 7 days, BitLocker was only offered on Professional, Enterprise, and Education versions of Windows. The average PC running a Home version of Windows didn’t have access to a built-in storage encryption technology.

That’s somewhat true today. The full version of BitLocker, also known as BitLocker Drive Encryption, is only available on Professional versions of Windows and higher. If you’re an individual who wants access to the full BitLocker set of tools on your PC, you’ll have to pay to upgrade to the Professional edition of Windows 11 (or Windows 10) if your PC came with the Home edition.

However, starting with Windows 8.1 and carrying on to Windows 10 and Windows 11 today, Microsoft began offering something called “Device Encryption” or “BitLocker Device Encryption.” This technology uses BitLocker under the hood. It doesn’t offer the full set of BitLocker configuration options, though, and it only works if a PC has the right hardware — a TPM 2.0 chip, for example, which is one of the hardware features officially required for Windows 11.

Device Encryption is designed to “just work” on the average modern PC. It only works if you sign into Windows with a Microsoft account or a work or school account. If you do, Windows will automatically activate Device Encryption (assuming your PC has the right hardware), protecting your files with encryption.

Since you’ve signed in with a Microsoft account, a work account, or a school account, Windows will back up your BitLocker recovery key to your Microsoft account — or your employer’s or school’s systems. This ensures the average PC user will have a way to access their recovery key if they ever have an error.

For the average person, that Microsoft account requirement is something to be aware of. If you choose to sign into your PC with a local user account, you won’t be able to use Device Encryption. For optimal security, you will want to sign in with a Microsoft account or pay for a Professional edition of Windows and use the full BitLocker experience.

How to check if your PC’s storage is encrypted

For these methods, you’ll want to be signed into Windows with an Administrator account. The options may not appear if you’re signed in with a Standard user account.

To check for Device Encryption on Windows 11, open the Settings app, select “Privacy & security,” and then click “Device encryption” under Security. If Device Encryption is active, it will be set to “On.”

[Image: Windows settings showing device encryption. The Settings app will only show a “Device encryption” option if your PC supports it. Credit: Chris Hoffman, IDG]

On Windows 10, open the Settings app, select “Update & Security,” and click “Device encryption” in the left pane. If Device encryption is active, you will see a message saying “Device encryption is on.”

If you do not see a “Device encryption” option in the Settings app at all, your PC doesn’t support it — or you’re signed into Windows with a Standard user account.

[Image: Device encryption enabled. If your PC has Device Encryption, the only option is to turn it “On” or “Off.” Credit: Chris Hoffman, IDG]

You can also look in File Explorer. Look under “This PC” and check the icons for each drive in your computer. If you see a padlock in the drive’s icon, it’s encrypted in some way — either with BitLocker Drive Encryption or with Device Encryption.

[Image: BitLocker lock icon. Windows will show a lock icon next to encrypted drives. Credit: Chris Hoffman, IDG]

You can control BitLocker options and see whether a storage device is encrypted by opening the classic Control Panel window, selecting “System and Security,” and then clicking “BitLocker Drive Encryption” or “Device Encryption.” You will see one of the two options here, depending on which technology your PC has.

[Image: BitLocker settings. BitLocker Drive Encryption offers more options than Device Encryption. Credit: Chris Hoffman, IDG]

How to encrypt a removable drive

If you have a PC with the full BitLocker Drive Encryption experience — not the Device Encryption feature found on Home editions of Windows 11 and Windows 10 — you can also encrypt removable storage devices. This uses a feature called “BitLocker To Go,” and it can be used with USB flash drives, SD cards, and external hard drives.

To do so, open the Control Panel, click “System and Security,” and select “BitLocker Drive Encryption.” You’ll see an option to encrypt a removable drive under “Removable data drives.”

How to find your BitLocker recovery key

BitLocker should normally “just work.” Most people will hopefully never see a BitLocker recovery key blue screen at boot. However, CrowdStrike’s extreme failure caused this screen to pop up on millions of PCs. It may also be triggered by a hardware problem, or if you pull a storage drive from one computer and access it on another.

In this case, you’ll need your BitLocker recovery key. If you use a device managed by your employer or educational institution, your work or school systems will have the recovery key backed up, and you can request it from them.

If you sign into your PC with a Microsoft account and Windows automatically enabled Device Encryption, you will need to access it from Microsoft. Visit Microsoft’s BitLocker recovery key page and sign in with your Microsoft account to find it.

If you set up BitLocker Drive Encryption yourself, Windows prompted you to save and store a recovery key as part of the setup process. You may have printed it on a piece of paper or stored it on a USB drive.

If your PC is working fine, you can also create a backup copy of your recovery key at any time. To do so, open the Control Panel, click “System and Security,” and select either “BitLocker Drive Encryption” or “Device Encryption.” From this window, you’ll find links to back up a copy of each drive’s recovery key.

Microsoft has a detailed guide on finding your BitLocker recovery key. If you’ve lost all copies of the recovery key and your PC is asking for it — this may happen if you set up BitLocker yourself on a personal PC and then didn’t print the recovery key or lost your backup copies of it — you won’t be able to access the files on your PC. You will have to restore your files from any backups you might have.
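The checks above can also be scripted. As an added example (not from the article), the following Python script parses the text output of Windows’ built-in manage-bde -status tool and flags volumes that are unencrypted, have protection suspended, or have no recovery password protector to back up; the SAMPLE_STATUS text is constructed to match manage-bde’s layout so the parser runs without Windows, and the live path assumes manage-bde is on PATH in an elevated prompt.

```python
"""Audit BitLocker state from the text output of 'manage-bde -status'."""
import re
import subprocess

# Constructed sample in manage-bde's own layout: C: is fully protected,
# D: was never encrypted. Not captured from a real machine.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:       None Found
"""


def parse_status(text: str) -> dict:
    """Map each volume ('C:') to its fields plus a 'Key Protectors' list."""
    volumes, current, in_protectors = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Volume ([A-Z]:)", line)
        if header:
            current = volumes.setdefault(header.group(1), {"Key Protectors": []})
            in_protectors = False
            continue
        if current is None or not line or line.startswith("["):
            continue
        if line.startswith("Key Protectors:"):
            # A bare 'Key Protectors:' is followed by one protector per line;
            # 'Key Protectors: None Found' means there are none.
            in_protectors = line.partition(":")[2].strip() == ""
            continue
        if in_protectors and ":" not in line:
            current["Key Protectors"].append(line)
            continue
        in_protectors = False
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return volumes


def assess(volumes: dict) -> dict:
    """Findings per volume, in the order a reviewer would raise them."""
    findings = {}
    for mount, vol in volumes.items():
        issues = []
        if vol.get("Conversion Status") != "Fully Encrypted":
            issues.append("not fully encrypted")
        else:
            if vol.get("Protection Status") != "Protection On":
                issues.append("protection suspended or off")
            protectors = vol["Key Protectors"]
            if not any(p.startswith("TPM") for p in protectors):
                issues.append("no TPM protector")
            if "Numerical Password" not in protectors:
                # 'Numerical Password' is the 48-digit recovery password;
                # without it a locked volume cannot be recovered.
                issues.append("no recovery password protector")
        findings[mount] = issues
    return findings


def live_status() -> dict:
    """Run manage-bde on Windows (elevated prompt) and parse its output."""
    out = subprocess.run(["manage-bde", "-status"], capture_output=True,
                         text=True, check=True).stdout
    return parse_status(out)


if __name__ == "__main__":
    try:
        volumes = live_status()
    except (FileNotFoundError, subprocess.CalledProcessError):
        volumes = parse_status(SAMPLE_STATUS)   # offline demonstration
    for mount, issues in assess(volumes).items():
        print(mount, "OK" if not issues else "; ".join(issues))
    # To print a volume's recovery password so you can store a copy:
    #     manage-bde -protectors -get C:
```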

What about VeraCrypt and TrueCrypt?

If you’d like to encrypt a Windows PC’s storage but you don’t want to use BitLocker for some reason, you can turn to an open-source alternative. This was more common before Windows offered built-in Device Encryption on modern PCs, as people with Home versions of Windows could encrypt them using this software without paying to upgrade to a Professional edition of Windows.

Years ago, TrueCrypt was the go-to solution for this. The TrueCrypt project shut down in 2014, warning that the software was “not secure as it may contain unfixed security issues” and recommending Windows PC users switch to BitLocker.

The nature of these alleged security issues was never fully explained. The successor, VeraCrypt, took the project’s code and built on it, fixing security issues and continuing to develop it. The code has been independently audited, and issues found were fixed. If you are going to use an open-source drive encryption tool on Windows, you should likely go with VeraCrypt.

I recommend most people use some form of BitLocker — BitLocker Drive Encryption or Device Encryption — if possible. BitLocker is integrated with Windows, and it should work well. You are more likely to experience data loss or other problems or incompatibilities with a third-party solution like VeraCrypt.

Everyone should have encryption

Ultimately, basic storage encryption is a necessity on any modern PC — unless you have a desktop PC that stays locked up in a secure office, perhaps. But the average laptop needs this feature for data security. A lost laptop shouldn’t be a major data security concern, whether you’re using a computer from your employer or your own personal PC.

Every other modern platform — Android, ChromeOS, macOS, and iOS — offers storage encryption by default. With Device Encryption, Windows 11 now offers encryption on most new devices by default. That will be even more true in the fall of 2024, when Windows 11’s 24H2 update will enable Device Encryption on more PC hardware configurations.

Want more Windows analysis that cuts through the jargon and explains what really matters? Check out my free Windows Intelligence newsletter — I’ll send you three things to try every Friday. Plus, get free copies of Paul Thurrott’s Windows 11 and Windows 10 Field Guides (a $10 value) for signing up.

Worldwide UC&C revenues to hit $69.1B mark this year, IDC projects

The worldwide unified communications and collaboration (UC&C) market is forecast to reach US$69.1 billion in revenue in 2024, an increase of 7.5% compared to last year, according to a new report from International Data Corporation (IDC) released on Tuesday.

IDC defines UC&C as a “bundled, integrated UC/UCaaS and UC collaboration solution stack that may include an advanced telephony solution integrated with messaging (i.e., email, voice, and fax), instant messaging (IM) or chat, presence, and conferencing platforms for web conferencing, audioconferencing, and/or videoconferencing.”

The research firm notes that during the 2023-2028 forecast period, the market is expected to witness a slightly lower compound annual growth rate (CAGR) of 5.7%, reaching $85 billion by 2028.

Two software segments — UC collaboration (meeting software without voice telephony subscriptions) and unified communications as a service (UCaaS) (meeting software including voice telephony subscriptions) — accounted for most of the worldwide market revenue (89% in 2023), IDC said in a release.

Their share, the research firm said, “is expected to rise further as growth in the hardware segments (IP telephony and enterprise videoconferencing systems) turns negative over the forecast period. Meanwhile, the UC collaboration segment is forecast to outpace the overall market with a five-year CAGR of 7.6%.”

The study noted that among the drivers of UC&C adoption is the continued introduction of AI capabilities into offerings. This, said IDC, includes AI-enabled videoconferencing and telephony solutions that help improve productivity, as well as capabilities that improve business outcomes across employees and customers.

Jitesh Gera, research manager of unified communications and collaboration at IDC, said in an email, “AI appears to be the primary focus area for all UC&C vendors at the moment, especially since early 2023 when Microsoft launched Copilot.

Most companies, he said, “started with focusing on AI-based meeting transcriptions that power the creating of automated meeting summaries, notes, and action items. However, many are now moving towards more advanced capabilities like live coaching assistance for employees in customer-facing roles and productivity enhancements through automated content creation via integrations with email, presentation, and document management applications. These capabilities are also being applied to voice telephony for better customer interactions.”

Asked if these extra AI features are going to be bundled or come at an extra cost, straining CIO budgets, Gera said that while these are deemed to be valuable capabilities for businesses, they are still “nascent in terms of how they are packaged into UC&C solutions and the extent of time they have been used by organizations. Therefore, the market has not yet been able to properly quantify the productivity and collaboration enhancements AI capabilities can lead to.”

Some companies, like Cisco and Zoom, are including AI features in all their paid subscription plans, and others, like Microsoft, are charging separately for Copilot, he said.

Gera said, “it is important to note, though, that the value proposition for these organizations varies, as Microsoft’s Copilot takes a more holistic approach by covering many office productivity applications in addition to Microsoft Teams. Therefore, I think the monetization approach towards AI would vary by UC&C vendor, depending on factors like the stickiness of the platform with users, value added to the users’ businesses, and the sheer breadth and accuracy of the features to actually improve user experiences.”

Microsoft continued to lead the worldwide UC&C market with a 44.7% market share by revenue in Q1 2024, the release stated. It added that Zoom and Cisco followed distantly with a 6.4% and 5.5% market share, respectively. Other companies or offerings named in the report include Slack, Google Meet, Unify and Avaya.

IDC said it also expects cloud-based UC&C deployments will increase over time, replacing on-premises deployments as security and data integrity continue to improve. In addition, “the integration of UC solutions with contact center platforms will continue as buyers look to simplify their technology stacks and reduce their administrative load to work with single unified providers of UC, CC, and CPaaS capabilities.”

UK proposes giving digital workers the ‘right to switch off’

Britain’s new Labour government is the latest legislature to consider how it might make it easier for digital workers using always-on technologies to turn them off at the end of the working day.

In Labour’s Plan to Make Work Pay, published before it won the UK’s July general election, it promised to address the issue, saying “We will bring in the ‘right to switch off’ so working from home does not result in homes turning into 24/7 offices.”

And this week it brought the issue back into the spotlight. “Good employers understand that for workers to stay motivated and productive they do need to be able to switch off, and a culture of presenteeism can be damaging to productivity,” a government spokesperson told the BBC on Monday.

Zoom ups webinar cap to 1 million attendees

Zoom has raised the webinar attendee limit to one million users to enable large-scale events on the video meeting platform.

Zoom has proved an effective fundraising and voter engagement tool for Democratic political groups in the run-up to the 2024 US presidential election, with several celebrity-led events held in support of candidate Kamala Harris pushing the limits of the app.

One call, targeting white women, was so popular that it exceeded Zoom’s pre-existing 100,000 attendee cap, prompting the vendor to raise the limit to 200,000 on a temporary basis. Another three-hour event held last month, “White Dudes for Harris,” was even more popular, with almost 200,000 attendees, according to reports, raising over $4 million.

On Monday, Zoom announced that it has officially raised the webinar limit to 1 million attendees for all customers. Event organizers can now select the intended size of an event, with a cap of 10k, 50k, 100k, 250k, 500k, and 1m attendees, the company said in a press release. Webinars can last up to 30 hours and feature up to 1,000 “interactive” video panelists.

Zoom made no specific reference to the Democratic political group fundraisers in the press release. It said that it envisages a range of uses for such large-scale, one-off events, including massive internal corporate “all-hands” meetings, celebrity-hosted events such as fan “meet and greets,” brand product launches, and crisis communications for government agencies.

“Now event organizers have the flexibility and power to host truly interactive experiences on an unprecedented scale and the ability to purchase large single-use webinars,” said Smita Hashim, chief product officer at Zoom.

Holding such large events isn’t cheap, however, with reports that a webinar with 1 million attendees will cost around $100,000.

Zoom also stated that webinars that last longer than three hours may require “additional paid consulting services” from its Event Services team.

Microsoft intros ‘Loop 2.0’ with UI upgrades

Microsoft has unveiled Loop “2.0,” bringing several UI updates to the productivity app.

Announced in 2021, Loop is essentially Microsoft’s answer to the emergence of a new breed of flexible document creation apps such as Notion and Coda.

The Loop app, available with certain Microsoft 365 subscriptions since November 2023, is more complex than it may seem at first glance. It can serve as a shared workspace that multiple colleagues can edit in real time, with the ability to embed a variety of content, such as tables, polls, and even third-party apps. Loop “components” can also be inserted into other Microsoft 365 apps, with all components updated simultaneously as any changes are made. (Here’s a full explanation of how Loop functions.)

In a series of X (formerly Twitter) posts on Tuesday, the company highlighted several additions aimed at improving the Loop app’s UI:

  • A “Create new” button now lets users add workspaces or draft ideas from anywhere in the app, rather than just the Loop homepage.
  • Loop components and pages can be added to an existing or new workspace from a menu at the top of a Loop doc.
  • A tab for Microsoft Teams meetings notes has been placed on the Loop sidebar.
  • There’s a new “Favorites” section in the sidebar for frequently accessed workspaces.
  • A “Recent” section on the sidebar provides quick access to the most recently opened Loop pages and components across Microsoft 365 apps.

Microsoft is rolling out the new Loop features now; they should be available to all users “very soon,” the company said.

Microsoft Office apps circumvent Mac security

Another day, another Microsoft security failure, this time involving vulnerabilities in the company’s productivity apps for Macs. Microsoft says it isn’t a problem. Security researchers disagree.

What’s the problem?

Security researchers at Cisco Talos have identified eight vulnerabilities in widely deployed Microsoft Office apps that can be abused to the extent that attackers can:

  • Record video clips
  • Record audio clips
  • Take pictures
  • Access and exfiltrate data
  • Send emails

Which applications are affected?

Cisco Talos identified the vulnerabilities across a swath of Microsoft’s productivity suite: in Word, Excel, PowerPoint, Teams, Outlook, and OneNote. They take advantage of a permission Microsoft has built into its applications to enable use of third-party plug-ins.

What Microsoft says

Microsoft reportedly says these security vulnerabilities in its products are “low risk.” The company argues that some of its apps need to allow the loading of “unsigned libraries” to support plug-ins they use. But that sounds less convincing when you learn that since the flaws were reported, Microsoft has updated Teams and OneNote so those applications are no longer vulnerable. Word, Excel, PowerPoint, and Outlook remain vulnerable.

What the vulnerabilities do

Attackers can use Microsoft’s weak application security to inject specially crafted libraries into those applications, which then gives them all the access permissions users have granted to the relevant apps.

What this means in practice is that if you have granted Microsoft Word permission to access your microphone, for example, then an attacker can use the injection attack to assume that right, giving them access to your microphone.

Among the potential consequences of such an attack, the security researchers warn: “the attacker could send emails from the user account without the user noticing, record audio clips, take pictures or record videos without any user interaction.”

How these attacks work (simplified)

macOS has a feature called Hardened Runtime to prevent this kind of DLL (Dynamically Linked Library) hack. The problem is that Microsoft’s apps have enabled an entitlement to disable this protection.

That means that hackers may be able to exploit these vulnerabilities by injecting malicious libraries into Microsoft’s applications to gain their entitlements and user-granted permissions. Cisco Talos has more in-depth information here.

What the researchers said

Francesco Benvenuto, Sr. Vulnerability Researcher with Cisco Talos, wrote:

“Microsoft appears to use the com.apple.security.cs.disable-library-validation entitlement for certain apps to support some kind of ‘plug-ins.’ According to Apple, this entitlement allows the loading of plug-ins signed by third-party developers. Yet, as far as we know, the only ‘plug-ins’ available to Microsoft’s macOS apps are web-based and known as ‘Office add-ins.’

“If this understanding is correct, it raises questions about the necessity of disabling library validation, especially if no additional libraries are expected to be loaded. By using this entitlement, Microsoft is circumventing the safeguards offered by the hardened runtime, potentially exposing its users to unnecessary risks.”
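A defender’s check for the condition the researchers describe, as an added example that is not code from the article, Cisco Talos or Microsoft: it parses an app’s entitlement plist (as captured with `codesign -d --entitlements :- <App.app>` on macOS) and flags the combination that matters here, library validation disabled alongside microphone or camera entitlements. The two plists embedded in the block are constructed samples so the check runs offline on any platform; the codesign helper is only exercised on a Mac.

```python
"""Flag macOS apps whose entitlements disable Hardened Runtime library validation.

Added example; not code from the article, Cisco Talos or Microsoft.
Assumes the entitlement plist was captured with
`codesign -d --entitlements :- <App.app>` (macOS); the plists below are
constructed samples so the check runs offline on any platform.
"""
import plistlib
import subprocess
from typing import Dict, List

# Hardened Runtime entitlement keys that weaken code-injection defences.
WEAKENING_ENTITLEMENTS = (
    "com.apple.security.cs.disable-library-validation",        # load unsigned/third-party dylibs
    "com.apple.security.cs.allow-dyld-environment-variables",  # honour DYLD_* injection variables
)
# Entitlement keys that, once the user grants the matching TCC prompt, reach the mic/camera.
SENSITIVE_ENTITLEMENTS = (
    "com.apple.security.device.audio-input",
    "com.apple.security.device.camera",
)


def assess_entitlements(plist_bytes: bytes) -> Dict[str, object]:
    """Classify one app's entitlement plist.

    Returns the weakening and sensitive entitlements present and a 'flag'
    that is True only when both kinds co-occur, i.e. when an injected
    library would inherit a sensitive capability (the Talos finding).
    """
    ents = plistlib.loads(plist_bytes)
    weakening: List[str] = [k for k in WEAKENING_ENTITLEMENTS if ents.get(k) is True]
    sensitive: List[str] = [k for k in SENSITIVE_ENTITLEMENTS if ents.get(k) is True]
    return {
        "weakening": weakening,
        "sensitive": sensitive,
        "flag": bool(weakening) and bool(sensitive),
    }


def dump_entitlements(app_path: str) -> bytes:
    """Capture an app's entitlements as an XML plist via codesign (macOS only).

    The ':' prefix tells codesign to strip the binary blob header so the
    output parses as plain XML; recent releases also accept --xml.
    """
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        capture_output=True, check=True,
    )
    return out.stdout


# Constructed sample: library validation disabled alongside mic/camera access.
SAMPLE_WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>
"""

# Constructed sample: same device entitlements, but library validation left on.
SAMPLE_HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>
"""


if __name__ == "__main__":
    import sys
    # With app paths on the command line (macOS), audit the real apps;
    # otherwise print the verdicts for the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, assess_entitlements(dump_entitlements(path)))
    else:
        print("weak sample:    ", assess_entitlements(SAMPLE_WEAK))
        print("hardened sample:", assess_entitlements(SAMPLE_HARDENED))
```

Run it on a Mac as `python3 audit.py /Applications/*.app` to list which installed apps combine a weakening entitlement with a device entitlement; those are the ones where a user-granted microphone or camera permission is worth revisiting in Privacy & Security.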

What experts say

Michael Covington, Jamf VP of strategy, describes the third-party plug-in support Microsoft has used as a weakness in Apple’s own security. 

“This is a noteworthy flaw in apps that naturally require permissions to Apple’s controlled resources, like the camera or microphone, because users are inclined to grant such permissions to collaboration tools like Microsoft Teams or logging tools like OneNote. Fortunately, Microsoft agreed to update these applications,” he told The Channel Company.

Covington also pointed out that while Microsoft hasn’t rectified the problem in the other applications, most users are “unlikely” to grant sensitive permissions to those apps.

Despite his pragmatism, it is hard to ignore that “unlikely” is not as great a protection as “never.”

How Apple could prevent this

The researchers suggest that Apple might want to begin notarizing third-party plug-ins to protect against such vulnerabilities, but this is more complex than it sounds. It would also require “Microsoft or Apple to sign third-party modules after verifying their security,” they said.

Another alternative — which sounds like a more likely option — would be to give Mac users a permissions prompt to put them in control when loading third-party plug-ins. I imagine this would also impose time limits on the support of those plug-ins. I expect that Apple will now consider this option, as it is in keeping with other changes it is making in macOS to harden those systems.

What can you do to prevent such attacks?

There are alternatives to Microsoft’s productivity apps. The challenge is that not everyone uses them, many users are deeply invested in Office apps, and various forms of business communications and collaboration rely on them. 

It is, however, good practice to regularly review the Privacy & Security settings for Microphone and Camera on your Mac. In very general terms, if you don’t use dictation to write in Word, why does it have Microphone access?

We deserve better

You’d think the trend for designed-in insecurity within software would have peaked following the billions of dollars of economic damage wrought by the CrowdStrike/Windows disaster in recent weeks.

That these newly disclosed vulnerabilities show this is not so is deeply distressing, but they once again underscore the argument that there is no such thing as a safe back door into any software.

With nation-state hackers, highly paid mercenaries, and criminal gangs all deeply involved in undermining platform security, no vulnerability should be ignored, and when it is (or even may be) left unpatched, users, particularly enterprise users, should seek alternative platforms, applications, and code.

And security regulators must increase the pressure on those companies most widely known to deliver insecure software to get their act together.

Every user on every platform deserves better.


Humanoid robots are a bad idea

In case you hadn’t noticed, humanoid robots have joined the workforce. 

An evergreen staple of science fiction, autonomous AI-driven machines with feet, legs that bend at the knee, torsos, arms with hands and fingers, all topped with a head are now being deployed in real workplaces. 

Specifically:

  • Amazon is piloting the use of Agility Robotics’ humanoid robot, Digit, in logistics operations — mainly for picking up empty bins and returning them to where they can be filled again with merchandise.
  • Mercedes-Benz is collaborating with Apptronik to explore the use of the Apollo humanoid robot in manufacturing. (The robots deliver assembly kits to production lines.)
  • BMW is testing Figure AI’s humanoid robot, Figure 01, at its factory in Spartanburg, SC. They’re used for moving components onto jigs and making corrections to component placements. (Figure recently unveiled its Figure 02 robot, which is even more humanoid than the first one.)
  • Hyundai, through its subsidiary Boston Dynamics, is working on deploying the Atlas humanoid robot in its manufacturing plants. The aim is to scale up its use for industrial applications.
  • Tesla developed the Optimus humanoid robot and has already deployed two of them in a factory so far, mainly for sorting battery cells.
  • UBTECH Robotics’ Walker robot is being used in two Chinese car factories for a wide variety of repetitive manufacturing tasks, such as placing car logos on vehicles and performing quality inspections.

For now, these robots are solutions in search of problems — or, rather, they’re being used for menial work of value nowhere near the price of the robots. But companies expect their roles to grow.

Why humanoid?

Non-humanoid robots have been used in factories for decades. Industrial robots are highly capable, and nowadays increasingly programmed with generative AI capabilities. Tesla’s factory is a marvel of robotic engineering, as you can see from this video.

If non-humanoid robots are so capable, why would Tesla and other companies introduce human-shaped robots? 

The most common reason given for why robots should be the size, general shape and have parts designed after human body parts is that our environments, buildings and vehicles are designed for people — so basing the design of robots on the human body means they can open doors, sit in chairs, walk up stairs and generally operate in any place or situation designed for people. 

This argument sounds persuasive at first, but doesn’t hold up to scrutiny. Workspaces like factories are designed for both humans and equipment. Factory floors, for example, are mainly designed for wheels — they tend to be perfectly hard, flat and smooth. A rolling robot would be far more efficient than one that requires a supercomputer to enable bipedal walking. Other robot designs can lift vastly heavier weights, move much faster and have profoundly better dexterity than humanoid robots do. 

If the main justification for humanoid robots is so they can operate in human-centric environments, then what’s the purpose of the Digit robot’s big white eyes that blink? Why do Figure and Tesla robots need heads that are almost exactly the same size and shape as human heads? Why do these robots tend to have exactly four fingers and one thumb?

The human body and mind were designed by evolution over 2.5 million years during the Paleolithic Era, not for factory work, but for persistence hunting and general survival in the wilderness based on social cooperation, food sharing, and the use of stone tools and fire. 

Why design factory robots based on the bodies of stone age cave men?

It’s clear their designers have an unexplained desire to make robots that make people feel that they’re kind of human. To have this effect, engineers are working overtime to make robots with lifelike faces and to create generative AI personalities that appear emotionally responsive and emotionally intelligent. 

But why?

The problem with humanoid robots

Humanoid robots have a psychological effect on people that’s very different from other robots. 

When humanoid robots display human-like emotions and behaviors, people are more likely to attribute mental states to them that they don’t have. The phenomenon is called “cognitive anthropomorphism.”

Specifically, a study conducted by scientists at the University of Genova and the Italian Institute of Technology found that while non-humanoid robots are perceived as objects, humanoid robots are often perceived as “human-like” or “social agents” — not objects.

When people make eye contact with other people, the act elicits a psychophysiological connection or bonding response. Research by scientists at Tampere University in Finland found that eye contact with robots elicits the same response in people. 

Yet another study conducted at IRCCS Centro Neurolesi Bonino Pulejo in Messina, Italy, found that robots programmed for “emotional intelligence” can evoke empathy in people, “especially when they exhibit anthropomorphic traits.”

And look at the crazy, unthinking claims some robot makers are saying out loud. 

Xiaolong Wang, a professor in the Department of Electrical and Computer Engineering at UC San Diego involved in basically teaching humanoid robots to dance and express themselves through body language said: “Through expressive and more human-like body motions, we aim to build trust and showcase the potential for robots to co-exist in harmony with humans.”

Tesla CEO Elon Musk says he wants Tesla’s Optimus robot to be “good looking” and for people to think of it as a “friend” to which they “get quite attached.” (He also envisioned a future where 20 billion humanoid robots like Optimus live and work amongst humans.)

The main difference with humanoid robots is their effect on humans, not their efficiency as tools.

Humanoid robots that talk, perceive social and emotional cues, elicit empathy and trust, trigger psychological responses through eye contact and who trick us into the false belief that they have inner thoughts, intentions and even emotions create for humanity what I consider a real problem.

Our response to humanoid robots is based on delusion. Machines — tools, really — are being deliberately designed to hack our human hardwiring and deceive us into treating them as something they’re not: people.

In other words, the whole point of humanoid robots is to dupe the human mind, to mislead us into having the kind of connection with these machines formerly reserved exclusively for other human beings.

Why are some robot makers so fixated on this outcome? Why isn’t the goal instead to create robots that are perfectly designed for their function, rather than perfectly designed to trick the human mind?

Why isn’t there a movement to make sure robots do not elicit false emotions and beliefs? What’s the harm in preserving our intuition that a robot is just a machine, just a tool? Why try to route around that intuition with machines that trick our minds, co-opting or hijacking our human empathy?

What’s the motivation for wanting tools to become members of human societies and families?

My guess is that we all grew up on science fiction where android robots were commonplace, and some want to realize that vision. Or they feel humanoid robots are preordained and inevitable, so we might as well get on with it. 

My fear is that if robots are basically people, then robot makers may feel like gods in creating them.

Whatever the motivation, I don’t buy the justification that humanoid robots are needed to operate in environments designed for people. And I would call on robot engineers to re-think their impulses and examine their motivations as to why they want to build machines designed to delude.

Robots are just machines. And giving a machine two legs, 10 fingers and a face doesn’t make it a person. So why try to trick people into believing it is?

How to bring Google’s Pixel 9 Call Notes feature to any Android device

One of the best parts of owning a Google Pixel phone comes down to an oft-forgotten role these modern mobile devices play in our lives — and that’s the role of acting as, y’know, an actual cellular telephone.

It sounds almost funny to say in our current call-averse culture, but ask any Pixel owner, and they’ll tell you the same thing: Google’s Pixel-specific software makes the act of placing and receiving regular ol’ voice calls far more pleasant than you ever thought possible. Whether you’re dealing with calls regularly for business or even just fielding (or perhaps dodging) the occasional incoming call for any purpose, Pixel-exclusive calling features like enhanced call audio, hassle-free holding, and phone tree menu maze skipping really can make your life a heck of a lot easier — and less irritating.

With the newly announced Pixel 9 model, Google’s adding another intriguing option into the mix: a feature called Call Notes that lets you easily record any calls on your device and then see a transcript and summary of the conversation seconds later, right within your Pixel Phone app.

It’s a smart and sensible-seeming addition and something that could certainly come in handy, especially if you make a fair amount of work-related calls and want to be sure you never forget anything important.

And while the full Call Notes feature is currently limited only to the new Pixel 9 products, with a teensy bit of careful planning and a pinch of extra effort, you can implement something similar on any Android device — no matter how old it is or which company made it — this minute.


Some Pixel 9 Call Notes context

Now, first things first: Recording calls on Android without the Pixel 9’s Call Notes system isn’t exactly easy.

That’s in large part because different regions have different laws around call recording and the kind of disclosures you’re required to make in such scenarios. With that complicating factor in mind, Google implemented new security measures within Android a few years back that make it pretty tough for most Android apps to even record any audio while a voice call is actively underway.

As a preinstalled system app, the Pixel Phone app is an exception. It’s able to get around that restriction and claim deeper permissions than what’s possible for a typical Play-Store-downloaded title. Without that element in the picture — well, things get a little messy.

But it can still be done. It just isn’t anywhere near as simple or seamless as what the Pixel 9 Call Notes system makes possible, and it takes a bit of time and patience to set up.

The first piece of the puzzle is the app that actually handles the recording of the call — and that’s where the bulk of the heavy lifting comes into play.

The short version is that for most of us, an app called Cube ACR Call Recorder is the key to making this happen.

➜ The long version is that you really need to read my separate guide to call recording on Android to understand how, exactly, that app is able to work and what you need to do to get it up and running properly on your device.

Again, it’ll take a teensy bit of time and effort. But you’ll only have to do it once — and then you’ll be ready to come back to the next and most rewarding part of the Pixel 9 Call-Notes-recreating puzzle.

Google’s Pixel 9 Call Notes magic, anywhere

What makes Google’s Pixel 9 Call Notes feature so useful is that it doesn’t just record your calls — it also transcribes and summarizes them for easy future reference. That’s where the true magic happens and where things get especially interesting.

And that’s where this next piece of the puzzle comes into place. It’s a well-regarded app called Notta that’ll take any audio file you feed it — in this case, the call recording you captured using these methods — then transcribe and summarize the recording on demand for you.

Notta can handle up to 50 such imports per month with a maximum of three minutes per transcript for free. If you need more than that, you’ll have to opt for one of the service’s pro-level plans to lift the restriction (or look at the similar Otter app instead, which has slightly cheaper pricing but a much more limited free offering). For most casual purposes, though, the service’s free tier should be plenty.

So go install Notta from the Play Store, open ‘er up — then:

  • Skip past the initial sign-in screen that comes up and select to continue as a guest.
  • Tap the “x” on any screens you see prompting you to upgrade to the pro plan right off the bat.
  • Tap the circular plus icon in the app’s lower-center area.
  • Select “Import Files” from the menu that comes up.
  • Tap “Import Audio Files.”
  • In the file picker that pops up next, you’ll need to find the folder where Cube ACR — the Android call recording tool we were talking about a minute ago — stores its files. (On most reasonably recent Android devices, you’ll do this by tapping the three-line menu icon in the upper-left corner of the screen, then selecting the name of your phone and navigating to “Documents” followed by “CubeCallRecorder” and then “All.”)
  • Tap the name of your most recent recording — or whichever recording you want to access — in the list.
[Image: Notta import file. Once you select your audio file within Notta, it’ll be ready for transcribing and summarizing — just like what the Pixel 9’s Call Notes system provides. Credit: JR Raphael, IDG]

You’ll then see that file show up in Notta’s main home screen area. You can tap it to view a complete transcription as well as to generate a summary of the high points and any action points, translate the text into another language, and copy the text for pasting wherever you want.

[Image: Notta transcription and summary. Transcriptions, summaries, and even an action item breakout (when available) — à la the Pixel 9’s Call Notes, only on any Android phone. Credit: JR Raphael, IDG]

Like most voice-to-text transcriptions, the results aren’t perfect. And the process here certainly isn’t as simple or seamless as what you’d get with Google’s own Pixel Call Notes system.

But if you aren’t planning on picking up a Pixel 9, it’s a crafty way to get the job done and get the same basic end result on whatever phone you’re palming — and that, my friend, is what we call the power of Android.
