"Steven Adair, of cybersecurity firm Veloxity, revealed at the Cyberwarcon security conference how Russian hackers were able to [1]daisy-chain as many as three separate Wi-Fi networks in their efforts to attack victims," writes Longtime Slashdot reader [2]smooth wombat . Wired reports:

> Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. "I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?" he says. "We came up dry."

>

> Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted -- in fact, the name of another organization just across the road. "At that point, it was 100 percent clear where it was coming from," Adair says. "It's not a car in the street. It's the building next door." With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

>

> Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from another network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. "Who knows how many devices or networks they compromised and were doing this on," says Adair. Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft [3]warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group -- Microsoft refers to the group as Forest Blizzard -- to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. "It was an exact one-to-one match," Adair says.



[1] https://www.wired.com/story/russia-gru-apt28-wifi-daisy-chain-breach/

[2] https://slashdot.org/~smooth+wombat

[3] https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

An anonymous reader quotes a report from Reuters:

> Google has sued one of its former engineers in Texas federal court, [1]accusing him of stealing trade secrets related to its chip designs and sharing them publicly on the internet. The lawsuit, [2]filed on Tuesday (PDF), said that Harshit Roy "touted his dominion" over the secrets in social media posts, tagging competitors and making threatening statements to the company including "I need to take unethical means to get what I am entitled to" and "remember that empires fall and so will you."

>

> Google hired Roy in 2020 to develop computer chips used in Google Pixel devices like smartphones. Google said in the lawsuit that Roy resigned in February and moved from Bangalore, India to the United States in August to attend a doctorate program at the University of Texas at Austin. According to the complaint, Roy began posting confidential Google information to his X account later that month along with "subversive text" directed at the company, such as "don't expect me to adhere to any confidentiality agreement." The posts included photographs of internal Google documents with specifications for Pixel processing chips.

>

> The lawsuit said that Roy ignored Google's takedown requests and has posted additional trade secrets to X and LinkedIn since October. Google alleged that Roy tagged competitors Apple and Qualcomm in some of the posts, "presumably to maximize the potential harm of his disclosure." Google's complaint also said that several news outlets have published stories with confidential details about Google's devices based on the information that Roy leaked. Google asked the court for an unspecified amount of monetary damages and court orders blocking Roy from using or sharing its secrets.



[1] https://www.reuters.com/legal/transactional/google-sues-ex-engineer-texas-over-leaked-pixel-chip-secrets-2024-11-20/

[2] https://fingfx.thomsonreuters.com/gfx/legaldocs/egpbjjxmzpq/GOOGLE%20TRADE%20SECRET%20LAWSUIT%20complaint.pdf

The latest Steam client [1]drops support for operating systems older than Windows 10 or macOS 10.15 Catalina . "That means Mac users can't run 32-bit games anymore, as all macOS versions from Catalina onward only run 64-bit binaries," reports The Register. From the report:

> [I]f you have a well-specified older Mac, here is another reason to check out [2]Open Core Legacy Patcher . For now, macOS 10.15 Catalina will do but we suspect it won't for long. This version of Steam uses the equivalent to [3]Chrome 126 : "Updated embedded Chromium build in Steam to 126.0.6478.183." However, versions since Chrome 128 [4]require macOS 11 or newer . For now, Catalina will work -- but the next significant Steam update will update Chromium as well, and there's a high probability that that will drop support for 10.15.

>

> So, if you're using OCLP to install a newer macOS, you should probably go directly to Big Sur. In The Reg FOSS desk's testing, we found that Big Sur ran reasonably well on a machine with Intel HD 520 graphics, although the same hardware ran very poorly with macOS 12 Monterey. Unfortunately, the inevitable end is in sight for older Macs.

That said, the November 2024 Steam [5]client update brings several "wins," including a built-in Game Recording feature, an upgraded Chromium browser engine, and the new "Scout" Linux runtime environment for improved compatibility and performance, especially on the Steam Deck and Linux distros. Additionally, it delivers bug fixes and enhancements for modern OS users.



[1] https://www.theregister.com/2024/11/20/valve_steam_legacy_os/

[2] https://dortania.github.io/OpenCore-Legacy-Patcher/

[3] https://developer.chrome.com/release-notes/126

[4] https://support.google.com/chrome/thread/289795700/sunsetting-chrome-support-for-macos-10-15?hl=en

[5] https://steamcommunity.com/games/593110/announcements/detail/4472730495692571025?utm_source=SteamDB

Baidu's new Apollo Go robotaxi brings significant advances in affordability and scalability that [1]should make U.S. competitors like Waymo a bit nervous , according to The Verge's Andrew J. Hawkins. From the report:

> The RT6 is the sixth generation of Apollo Go's driverless vehicle, which made its official debut in May 2024. It's a purpose-built, Level 4 autonomous vehicle, meaning it's built without the need for a human driver. And here's the thing that should make US competitors nervous: adopting a battery-swapping solution, the price for one individual RT6 is "under $30,000," Baidu CEO Robin Li said in [2]an earnings call . "All the strengths just mentioned above are driving us forward, paving the way to validate our business model," Li added. [...]

>

> We still don't know the net effect of Baidu's cost improvements. But bringing down the upfront cost of each individual vehicle to below $30,000 will go a long way toward improving the company's unit economics, in which each vehicle brings in more money than it costs. There are still a lot of outstanding costs to consider, such as hardware depreciation and fleet maintenance, but from what Baidu is signaling, things are on the right track. From the looks of it, the company is passing those savings along to its customers. Base fares start as low as 4 yuan (around 55 cents), compared with 18 yuan (around $2.48) for a taxi driven by a human, according to state media outlet Global Times. Apollo Go said it has provided 988,000 rides across all of China in Q3 2024 -- a year-over-year growth of 20 percent. And cumulative public rides reached 8 million in October.



[1] https://www.theverge.com/2024/11/22/24303299/baidu-apollo-go-rt6-robotaxi-unit-economics-waymo

[2] https://seekingalpha.com/article/4739368-baidu-inc-bidu-q3-2024-earnings-call-transcript

An anonymous reader quotes a report from Ars Technica:

> DirecTV is [1]pulling out of an agreement to buy its satellite rival Dish after bondholders objected to terms of the deal. DirecTV issued an [2]announcement last night saying "it has notified EchoStar of its election to terminate, effective as of 11:59 p.m., ET on Friday, November 22nd, 2024, the Equity Purchase Agreement (EPA) pursuant to which it had agreed to acquire EchoStar's video distribution business, Dish DBS."

>

> In the deal [3]announced on September 30, DirecTV was going to buy the Dish satellite TV and Sling TV streaming business from EchoStar for a nominal fee of $1. DirecTV would have taken on $9.75 billion of Dish debt if the transaction moved ahead. The deal did not include the Dish Network cellular business. Dish bondholders quickly objected to terms requiring them to take a loss on the value of their debt. DirecTV had said Dish notes would be exchanged with "a reduced principal amount of DirecTV debt which will have terms and collateral that mirror DirecTV's existing secured debt." The principal amount would have been reduced by at least $1.568 billion.

>

> DirecTV last night said it is now exercising its right to terminate the acquisition because noteholders did not accept the exchange offer. "The termination of the Agreement follows Dish DBS noteholders' failure to agree to the proposed Exchange Debt Offer Terms issued by EchoStar, which was a condition of DirecTV's obligations to acquire Dish under the EPA," the press release said. DirecTV CEO Bill Morrow indicated his company wasn't willing to change the deal to satisfy Dish bondholders. "We have terminated the transaction because the proposed Exchange Terms were necessary to protect DirecTV's balance sheet and our operational flexibility," Morrow said.



[1] https://arstechnica.com/tech-policy/2024/11/directv-plan-to-buy-dish-for-1-is-off-as-satellite-rivals-remain-separate/

[2] https://www.prnewswire.com/news-releases/directv-announces-termination-of-agreement-to-acquire-echostars-video-distribution-business-302313823.html

[3] https://news.slashdot.org/story/24/09/30/1836228/directv-to-buy-rival-dish-network

Weeks after federal regulators announced [1]a "click-to-cancel" rule for subscription businesses, a New York judge has ruled that SiriusXM [2]made it too difficult for customers to end their service . Deadline:

> New York State Supreme Court Justice Lyle Frank's ruling, issued Thursday, upheld elements of a lawsuit filed against the satellite audio firm in 2023 by New York Attorney General Letitia James. In a post on X after Frank's ruling, she wrote that the company "illegally forced people to go through a long and burdensome process to simply cancel their subscriptions. We sued SiriusXM to protect people's wallets, and now, SiriusXM must simplify its cancellation process and stop taking advantage of New Yorkers."



[1] https://news.slashdot.org/story/24/10/16/1550257/ftc-takes-on-subscription-traps-with-click-to-cancel-rule

[2] https://deadline.com/2024/11/siriusxm-subscription-click-to-cancel-new-york-judge-1236185377/

Netflix is looking toward Discord for help in figuring out who, exactly, is [1]leaking unreleased footage from some of its popular shows . From a report:

> The Northern District of California court issued a subpoena on Thursday to compel Discord to share information that can help identify a Discord user who's reportedly involved in leaking episodes and images from Netflix shows like Arcane and Squid Game.

>

> Documents filed alongside the subpoena specifically call out an unreleased and copyrighted image from the second season of Squid Game, posted by a Discord user @jacejohns4n. In an interview linked on the user's now deleted X account, published on Telegram, the leaker claimed responsibility for the self-described "worst leak in streaming history," where episodes of Arcane, Heartstopper, Dandadan, Terminator Zero, and other shows were published online. Netflix confirmed in August that a post production studio was hacked.



[1] https://slashdot.org/quid-game-arcane-leaker-subpoena-discord

Microsoft has released [1]a public preview of its redesigned Windows Recall feature , five months after [2]withdrawing the original version due to security concerns . The feature will initially be available only on Qualcomm Snapdragon X Elite and Plus Copilot+ PCs running Windows Insider Dev channel build 26120.2415.

Recall, which continuously captures and indexes screenshots and text for later search, now includes mandatory encryption, opt-in activation, and Windows Hello authentication. The feature requires Secure Boot, BitLocker encryption, and attempts to automatically mask sensitive data like passwords and credit card numbers. The feature is exclusive to Copilot+ PCs equipped with neural processing units for local AI processing.



[1] https://arstechnica.com/gadgets/2024/11/microsofts-controversial-recall-scraper-is-finally-entering-public-preview/

[2] https://it.slashdot.org/story/24/06/14/0318213/microsoft-postpones-windows-recall-after-major-backlash

An anonymous reader [1]shares a report :

> Plex is beginning to test its "newly reimagined Plex experience," which will be available first on mobile and is coming to TV platforms "very soon." Plex says the new experience has been in development for almost two years and is "designed to bring everything you love into one seamless interface." But don't worry -- while the new version of the app is currently missing some features, Plex says it will be "closing those gaps" and will keep the current app available during the preview, which will hopefully prevent a Sonos-like debacle.

>

> A big change for the new app is redesigned navigation that more clearly delineates between media you might have on your Plex server and the company's streaming and on-demand offerings. The bottom bar has dedicated tabs for your media libraries, live TV, and on-demand movies and shows. The Watchlist, which lets you make a list of things you want to watch, has a spot at the top of the app. And artwork is shown more prominently.



[1] https://www.theverge.com/2024/11/22/24303282/plex-app-redesign-sonos-debacle

Damage to two undersea fiber-optic cables in the Baltic Sea this month points to [1]growing vulnerability of critical submarine infrastructure , with German officials suspecting sabotage and Swedish police investigating a Chinese cargo vessel's involvement.

The incident highlights escalating risks to the global submarine cable network, which carries 99% of international telecommunications traffic through 530 cable systems spanning 850,000 miles. These garden hose-thick cables facilitate trillions in daily financial transactions and vital government communications.

Security experts warn that Russia has increased monitoring of undersea cables amid tensions over Ukraine. Taiwan reported 36 cable damages by foreign vessels since 2019, while Houthi rebels denied targeting Red Sea cables this year. Though most of the 100-plus annual cable faults are accidental, deliberate sabotage remains a concern. Repairs are costly, with new transatlantic cables running up to $250 million.



[1] https://www.theguardian.com/world/2024/nov/22/wire-cutters-how-the-worlds-vital-undersea-data-cables-are-being-targeted

Amazon said on Friday it will invest [1]an additional $4 billion in AI startup Anthropic , following [2]earlier investments of $4 billion made in September and March. As part of the deal, Amazon Web Services will become Anthropic's primary training partner, with the AI firm committing to use AWS's Trainium and Inferentia chips for future model development.

Anthropic operates the Claude large language model.



[1] https://www.anthropic.com/news/anthropic-amazon-trainium

[2] https://slashdot.org/story/23/09/25/1319210/amazon-to-invest-as-much-as-4-billion-in-ai-startup-anthropic

An anonymous reader [1]shares a report :

> OpenAI is preparing to launch a frontal assault on Google. The ChatGPT owner recently considered developing a web browser that it would combine with its chatbot, and it has separately discussed or struck deals to power search features for travel, food, real estate and retail websites, according to people who have seen prototypes or designs of the products.

>

> OpenAI has spoken about the search product with website and app developers such as Conde Nast, Redfin, Eventbrite and Priceline, these people said. OpenAI also has discussed powering artificial intelligence features on devices made by Samsung, a key Google business partner, similar to a deal OpenAI recently struck with Apple, according to people who were briefed about the situation at OpenAI.



[1] https://www.theinformation.com/articles/openai-considers-taking-on-google-with-browser

Apple's restrictions on mobile browsers are [1]limiting innovation and holding back new features that could benefit iPhone users, according to provisional findings published today by the UK's Competition and Markets Authority (CMA). From a report:

> In its report, the CMA's independent inquiry group determined that Apple's Safari browser policies prevent competing browsers from implementing certain features, such as faster webpage loading technologies. The investigation also revealed that many UK app developers would prefer to offer progressive web apps as an alternative to App Store distribution, but Apple's current iOS limitations make this impractical.

>

> Adding to competitive concerns, the regulator highlighted a revenue-sharing agreement between Apple and Google that "significantly reduces their financial incentives to compete" in the mobile browser space on iOS. The CMA also found that both companies can manipulate how users are presented with browser choices, making their own offerings appear as the clearest or easiest options.



[1] https://www.macrumors.com/2024/11/22/apple-browser-rules-stifle-innovation-cma/

Mozilla has warned that the Justice Department's [1]proposed breakup of Google could harm independent web browsers, pushing back against a key element of the government's antitrust remedy.

The maker of Firefox browser said in a statement the DOJ's blanket ban on search revenue-sharing deals would disproportionately impact smaller players that rely on such agreements, while failing to meaningfully increase competition in search.

Firefox and similar browsers account for a small share of US search queries but provide crucial alternatives for privacy-conscious consumers, Mozilla said. The DOJ's wide-ranging proposal, submitted to a federal court in Washington, includes forcing Google to sell its Chrome browser and prohibiting the company from paying other firms to set Google as their default search engine.

The plan follows an August ruling that found Google illegally monopolized the search market. In a statement, Mozilla argued that rather than an outright prohibition on search agreements, remedies should focus on "addressing the barriers to competition and facilitating a marketplace that promotes competition and consumer choice."



[1] https://yro.slashdot.org/story/24/11/21/0458216/us-regulators-seek-to-break-up-google-forcing-chrome-sale

An anonymous reader quotes a report from PYMNTS:

> The Justice Department's proposal to resolve its antitrust case over online search against Google reportedly would [1]force the tech giant to unwind its partnership with artificial intelligence (AI) company Anthropic . A [2]recommendation in the Justice Department's court filing Wednesday (Nov. 20) that Google be barred from partnerships with companies that control where consumers search for information, is intended to apply to the company's investment in Anthropic, Bloomberg [3]reported Thursday (Nov. 21). [...]

>

> It was reported in October 2023 that Google had invested $500 million in Anthropic and agreed to contribute another $1.5 billion over time. During that same month, PYMNTS reported that Anthropic's commitment to building and deploying what the company said are generative AI capabilities with stronger built-in guardrails, differentiated it from other foundational AI models on the market. On Tuesday (Nov. 19), the U.K.'s competition watchdog, the Competition and Markets Authority (CMA), [4]cleared Google's partnership with Anthropic , saying that it had determined that the deal between the tech giant and the AI startup did not warrant additional investigation. "The CMA does not believe that Google has acquired material influence over Anthropic as a result of the partnership," the regulator said in its assessment of the arrangement.

U.S. regulators also call for a [5]sale of Google's Chrome browser and restrictions to prevent Android from favoring its own search engine.

"DOJ had a chance to propose remedies related to the issue in this case: search distribution agreements with Apple, Mozilla, smartphone OEMs and wireless carriers," Google said in a Thursday [6]blog post . "Instead, DOJ chose to push a radical interventionist agenda that would harm Americans and America's global technology leadership."



[1] https://www.pymnts.com/antitrust/2024/doj-proposal-in-antitrust-case-aims-to-undo-google-anthropic-partnership/

[2] https://yro.slashdot.org/story/24/11/21/0458216/us-regulators-seek-to-break-up-google-forcing-chrome-sale

[3] https://www.bloomberg.com/news/articles/2024-11-21/us-justice-department-seeks-to-unwind-google-s-anthropic-deal

[4] https://finance.yahoo.com/news/google-anthropic-ai-deal-cleared-133518657.html

[5] https://yro.slashdot.org/story/24/11/21/0458216/us-regulators-seek-to-break-up-google-forcing-chrome-sale

[6] https://blog.google/outreach-initiatives/public-policy/doj-search-remedies-nov-2024/

The Register's Simon Sharwood reports:

> Japan's National Consumer Affairs Center on Wednesday [1]suggested citizens start "digital end of life planning " and offered tips on how to do it. The Center's somewhat maudlin advice is motivated by recent incidents in which citizens struggled to cancel subscriptions their loved ones signed up for before their demise, because they didn't know their usernames or passwords. The resulting "digital legacy" can be unpleasant to resolve, the agency warns, so suggested four steps to simplify ensure our digital legacies aren't complicated:

>

> - Ensuring family members can unlock your smartphone or computer in case of emergency;

> - Maintain a list of your subscriptions, user IDs and passwords;

> - Consider putting those details in a document intended to be made available when your life ends;

> - Use a service that allows you to designate someone to have access to your smartphone and other accounts once your time on Earth ends.

>

> The Center suggests now is the time for it to make this suggestion because it is aware of struggles to discover and resolve ongoing expenses after death. With smartphones ubiquitous, the org fears more people will find themselves unable to resolve their loved ones' digital affairs -- and powerless to stop their credit cards being charged for services the departed cannot consume.



[1] https://www.theregister.com/2024/11/21/japan_digital_end_of_life/

China has [1]overtaken Germany and Japan in terms of robot density , according to an [2]annual report by the International Federation of Robotics (IFR). Reuters reports:

> South Korea is the world leader with 1,012 robots per 10,000 employees, up 5% since 2018, said the IFR. Singapore comes next, followed by China with 470 robots per 10,000 workers - more than double the density it had in 2019. That compares with 429 per 10,000 employees in Germany, which has had an annual growth rate of 5% since 2018, said IFR.



[1] https://www.reuters.com/technology/china-overtakes-germany-industrial-use-robots-says-report-2024-11-20/

[2] https://ifr.org/ifr-press-releases/news/global-robot-density-in-factories-doubled-in-seven-years

An anonymous reader quotes a report from Ars Technica:

> A federal court yesterday ruled against parents who sued a Massachusetts school district for punishing their son who used an artificial intelligence tool to complete an assignment. Dale and Jennifer Harris [1]sued Hingham High School officials and the School Committee and sought a preliminary injunction requiring the school to change their son's grade and expunge the incident from his disciplinary record before he needs to submit college applications. The parents argued that there was no rule against using AI in the student handbook, but school officials said the student violated multiple policies.

>

> The Harris' motion for an injunction was rejected in [2]an order (PDF) issued yesterday from US District Court for the District of Massachusetts. US Magistrate Judge Paul Levenson [3]found that school officials "have the better of the argument on both the facts and the law ."

>

> "On the facts, there is nothing in the preliminary factual record to suggest that HHS officials were hasty in concluding that RNH [the Harris' son, referred to by his initials] had cheated," Levenson wrote. "Nor were the consequences Defendants imposed so heavy-handed as to exceed Defendants' considerable discretion in such matters." "On the evidence currently before the Court, I detect no wrongdoing by Defendants," Levenson also wrote.

"The manner in which RNH used Grammarly -- wholesale copying and pasting of language directly into the draft script that he submitted -- powerfully supports Defendants' conclusion that RNH knew that he was using AI in an impermissible fashion," Levenson wrote. While "the emergence of generative AI may present some nuanced challenges for educators, the issue here is not particularly nuanced, as there is no discernible pedagogical purpose in prompting Grammarly (or any other AI tool) to generate a script, regurgitating the output without citation, and claiming it as one's own work," the order said.

Levenson concluded with a quote from a [4]1988 Supreme Court ruling that said the education of youth "is primarily the responsibility of parents, teachers, and state and local school officials, and not of federal judges." According to Levenson, "This case well illustrates the good sense in that division of labor. The public interest here weighs in favor of Defendants."



[1] https://news.slashdot.org/story/24/10/16/2045235/parents-take-school-to-court-after-student-punished-for-using-ai

[2] https://storage.courtlistener.com/recap/gov.uscourts.mad.275605/gov.uscourts.mad.275605.30.0_3.pdf

[3] https://arstechnica.com/tech-policy/2024/11/school-did-nothing-wrong-when-it-punished-student-for-using-ai-court-rules/

[4] https://supreme.justia.com/cases/federal/us/484/260/#tab-opinion-1957304

Google is introducing "Restore Credentials," a feature that [1]simplifies transferring app credentials when switching Android devices to keep you logged into your apps. The Verge reports:

> While some apps already did this, Google is making it easier for developers to include this experience by implementing a "restore key" that automatically transfers to the new phone and logs you back into the app. [...] Restore Credentials requires less work than the [2]previous approach on Android , and can automatically check if a restore key is available and log you back in at the first app launch. A restore key is a public key that uses existing passkey infrastructure to move about your credentials.

>

> Restore keys can also be backed up to the cloud, although developers can opt out. For that reason, transferring directly from device to device will still likely be more thorough than restoring from the cloud, as is the case with Apple devices today. Notably, Google says restore keys do not transfer if you [3]delete an app and reinstall it .



[1] https://www.theverge.com/2024/11/21/24302562/android-restore-credentials-transfer-restore-key

[2] https://developers.google.com/identity/blockstore/android

[3] https://developer.android.com/identity/sign-in/restore-credentials#:~:text=Note%3A%20Restore%20Credentials%20does%20not%20handle%20the%20scenario%20where%20an%20app%20is%20reinstalled%20on%20the%20same%20device.%20Uninstalling%20an%20app%20is%20interpreted%20as%20an%20intent%20to%20delete%20the%20corresponding%20restore%20key%20from%20that%20device.

According to [1]Business Insider (paywalled), Microsoft's Copilot tool inadvertently let customers access sensitive information, [2]such as CEO emails and HR documents . Now, Microsoft is working to fix the situation, deploying new tools and a guide to address the privacy concerns. The story was [3]highlighted by Salesforce CEO Marc Benioff. From the report:

> These updates are designed "to identify and mitigate oversharing and ongoing governance concerns," the company said in [4]a blueprint for Microsoft's 365 productivity software suite. [...] Copilot's magic -- its ability to create a 10-slide road-mapping presentation, or to summon a list of your company's most profitable products -- works by browsing and indexing all your company's internal information, like the web crawlers used by search engines. IT departments at some companies have set up lax permissions for who can access internal documents -- selecting "allow all" for the company's HR software, say, rather than going through the trouble of selecting specific users.

>

> That didn't create much of a problem because there wasn't a tool that an average employee could use to identify and retrieve sensitive company documents -- until Copilot. As a result, some customers have deployed Copilot only to discover that it can let employees read an executive's inbox or access sensitive HR documents. "Now when Joe Blow logs into an account and kicks off Copilot, they can see everything," a Microsoft employee familiar with customer complaints said. "All of a sudden Joe Blow can see the CEO's emails."



[1] https://www.businessinsider.com/microsoft-copilot-oversharing-problem-fix-customers-2024-11?

[2] https://21hats.substack.com/p/all-of-a-sudden-joe-blow-can-see?utm_campaign=post&utm_medium=web

[3] https://x.com/Benioff/status/1859646385018274147

[4] https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-blueprint-oversharing