-
Privacy and the Real ID
I was listening to a story the other day about the history of the RealID law and why it’s taken so long to get fully enforced. Originally, it was anticipated that having a verified ID would be no big deal, but then this thing called privacy rose up and started making people question why we needed to be in a database in the first place.
The origin of the need for proper verification came not from 9/11 but from how a fake driver’s license was made by the wife of one of the Oklahoma City bombers in 1995. She created the fake ID on an ironing board. Officials were concerned that it was so easy to circumvent the verification process.
Dissertations on the impact of the law have discussed how people have resisted the concept because of concerns about privacy and surveillance. If you already have a passport, you don’t need a RealID. In fact, other identification methods include trusted traveler cards such as Global Entry.
Even in computing we are struggling with proper verification. Attackers are moving past stealing our passwords and are now finding ways to grab the “other” authentication methods we use, such as OAuth. If someone malicious tricks you into approving OAuth permissions for another app without your realizing it, you may inadvertently give the attacker rights to something important. The best way to prevent this is to be aware of what you are clicking on — especially if you get a two-factor prompt out of the blue. Time and time again, attackers find weak spots to abuse, forcing us to keep changing how we do things.
What is a privacy concern to one is a security protection to another.
-
MS-DEFCON 2: Deferring that upgrade
ISSUE 22.18.1 • 2025-05-08 By Susan Bradley
It’s always a bit awkward to know when a major feature release should be accepted.
I do not recommend installing a feature release on or soon after the second Tuesday of the month — Patch Tuesday. That’s because the upgrade hits the Internet, looking for any uninstalled patches that the feature release needs.
It’s a good reason to pause updates, which is why I’m raising the MS-DEFCON level to 2.
Anyone can read the full MS-DEFCON Alert (22.18.1, 2025-05-08).
-
Are manuals extinct?
This weekend I finally got around to my project that consisted of changing out the cable box and the Onkyo receiver that were getting old and starting to have issues. The TV would start to digitize, and the sound would start popping out. Both units were many, many years old, so it was time to swap them out. Now before you ask why I didn’t cut the cable and dump the cable box, when you have folks in your household that don’t want to think about “What streaming service is that on?” when watching their nightly entertainment, sometimes you stick with technology that many are phasing out. But that’s not the point of this post.
Rather, it’s questioning why all instruction manuals are dumbed down or nonexistent. Case in point: the Onkyo shipped with an “easy set up” fold-out document, several inserts for safety instructions, and absolutely no owner’s manual whatsoever. So, as I was trying to diagnose a few items, I had to go google (and potentially hit a dubious manual download site) to find more information. Now I’m not asking for a five-volume guide to the unit like we used to get back in the Novell NetWare days, but why is documentation no longer seen as something that is needed, and why do we have to download it if we want it?
-
May 2025 Office non-Security updates
Microsoft released NO non-security updates for Office on May 6, 2025
Office 2016 reached End of Mainstream Support on October 13, 2020. EOS for Office 2016 is October 14, 2025.
Updates are for the .msi version (perpetual). Office 365 and C2R are not included.
Security updates for all supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).
-
How much I spent on the Mac mini
ISSUE 22.18 • 2025-05-05 APPLE
By Will Fastie
A surprising amount of interest arose about the cost of the M4 Mac mini I bought, both in the forums and via email.
I had not intended to discuss costs until the end of this series. However, it’s now clear to me that I will spend no more, so now is as good a time as any to discuss the budget while I still remember all my decisions. Correspondence also mentioned mini PCs based on Intel and AMD processors, so I’ll briefly mention that.
Part of my spending was prophylactic. I found myself on deadline, and it was necessary to ensure I had whatever I needed to discuss the setup and configuration of the mini. I thus spent more than was necessary. The disposition of all the components will be discussed here.
Read the full story in our Plus Newsletter (22.18.0, 2025-05-05).
This story also appears in our public Newsletter.
-
How to get rid of Copilot in Microsoft 365
AI
By Lance Whitney
Don’t want Copilot muscling its way into your favorite Office apps? You can put the kibosh on it, though Microsoft doesn’t make it easy.
I have a Microsoft 365 Family subscription that I’ve enjoyed for years. But recently there’s been a change that I don’t find so enjoyable. Whenever I start a new document in Word, I’m greeted by a Copilot icon in the left margin and a large, annoying message telling me to “Draft with Copilot.”
Those of you who also subscribe to Microsoft 365 may have noticed that Copilot now pops up in Word, Excel, and other apps — even though you didn’t add or request it. That’s because Microsoft has forced its AI into Microsoft 365 Family and Personal plans, whether you want it or not.
Read the full story in our Plus Newsletter (22.18.0, 2025-05-05).
-
Spring cleanup — 2025
FREEWARE SPOTLIGHT
By Deanna McElveen
My irises are in bloom, baby squirrels are taunting my dogs from the trees, and thunder rumbles in the west. I adore spring and I love spring cleaning. Today we’re not going to clean out a garage or shed — we’re going to clean out your computer.
There are lots of things that can slow down a computer — everything from junkware to temporary files to startup programs. We’re going to tackle all of it with some free software! These three programs may seem familiar to you because I have featured all of them over the years.
Read the full story in our Plus Newsletter (22.18.0, 2025-05-05).
-
Setting up Windows 11
TAME YOUR TECH
By Susan Bradley
Whenever you get a new computer, it’s a time of change and disruption.
Change is annoying and sometimes hard. But change also lets you clean out things that don’t work and take a clear look at what does.
The looming end of support for Windows 10, mere months away, is an opportunity to start fresh with a new operating system. For purposes of this article, I’m assuming that you’ll be buying a Windows machine.
Read the full story in our Plus Newsletter (22.18.0, 2025-05-05).
-
Is it a bug or is it expected?
Microsoft acknowledged today that KB5052077 introduced a bug in the jump list for apps. This was triggered by a “dribbled” change.
As Redmond notes, it was triggered by:
… a recent feature rollout that integrates account control experiences in the Start Menu for users on Windows 10, version 22H2. Account control provides users with an easily accessible way to manage their accounts and helps them get the most value from their accounts. This rollout began gradually in March 2025 via Controlled Feature Rollout (CFR), which is the process of gradually rolling out new features to compatible devices.
I find the dribbled updates extremely annoying, especially if you have multiple PCs and one gets the change and the other doesn’t. These days, you never know if some change is expected or is a bug until some notification like this shows up. I signed up for notifications from the Microsoft 365 health release dashboard, but they should also be in the public health dashboard.
-
Cached credentials is not a new bug
Many years ago, back in the Windows XP era, there was a security story indicating that you could log into a system with expired credentials. The issue relates to something that has to be balanced all the time: security versus usability.
A recent story in Ars Technica, “RDP lets you log in using revoked passwords,” touches on exactly the same problem.
If you need absolute security, especially in a domain/network setting, all of us should be setting a value to disable cached credentials. The idea behind this is that if you cannot connect to the domain controller, you shouldn’t be able to log on to the system. BUT. There’s that time when the Internet is down or there’s a configuration problem.
Even more important for laptops is the need for a way to log on when offline. As noted in the ITpro article:
“Don’t set the number of logons to cache to 0 on mobile users’ laptops. These users would then be unable to log on with their domain credentials when away from the office. Although the CachedLogonsCount registry key doesn’t appear in the registry by default, Windows NT caches a set of 10 domain credentials by default. The maximum value for CachedLogonsCount is 50. When credential caching is disabled and no DC is available, a user can still log on to a machine via a local machine account.”
Folks, the sky is not falling. Microsoft isn’t making stupid security choices (at least not here). This is, like many, one of the choices you have to make in a network to balance out the ability to do your job with being secure. Sometimes there are no absolutes.
Does this impact consumers? No. And if you have a local account with no password, you can’t RDP into that box in the first place. Also, I do not recommend opening up RDP to the open world in the first place. Does this impact businesses? Yes. But it’s not the threat or risk you think it is and it’s honestly nothing new.
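One way to check this setting on a given machine, as an added example that is not from the original post: the PowerShell below reads CachedLogonsCount from the Winlogon key and applies the trade-off described above. The function name, the finding wording, and the chassis-type test for "portable" are assumptions of this example.

```powershell
# Added example: assess the cached-logon setting for one machine.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonFinding {
    param(
        [AllowNull()][string]$RawValue,  # registry string; empty if the value is absent
        [bool]$IsPortable
    )
    # An absent value means the default of 10 cached logons; valid range is 0-50.
    $count = 10
    if (-not [string]::IsNullOrWhiteSpace($RawValue)) {
        $parsed = 0
        $ok = [int]::TryParse($RawValue, [ref]$parsed)
        if (-not $ok -or $parsed -lt 0 -or $parsed -gt 50) {
            return [pscustomobject]@{ Count = $RawValue; Finding = 'Invalid: expected 0-50' }
        }
        $count = $parsed
    }
    $finding = if ($count -eq 0 -and $IsPortable) {
        'Caching disabled on a portable: domain logon fails when no DC is reachable'
    } elseif ($count -eq 0) {
        'Caching disabled: logon needs a reachable DC or a local machine account'
    } else {
        "Caching enabled: the last $count domain logons stay usable with no DC reachable"
    }
    [pscustomobject]@{ Count = $count; Finding = $finding }
}

# Constructed inputs (not read from any real machine): a laptop set to 0, a desktop with no value.
Get-CachedLogonFinding -RawValue '0' -IsPortable $true
Get-CachedLogonFinding -RawValue $null -IsPortable $false

# Live check on the local machine (Windows only).
$raw = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
        -ErrorAction SilentlyContinue).CachedLogonsCount
# Assumption: these Win32_SystemEnclosure chassis types mean a portable device
# (portable, laptop, notebook, sub-notebook, tablet, convertible, detachable).
$chassis  = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
$portable = [bool]($chassis | Where-Object { $_ -in 8, 9, 10, 14, 30, 31, 32 })
Get-CachedLogonFinding -RawValue $raw -IsPortable $portable
```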
-
Security fixes for Firefox
Firefox released a browser update on April 29. It includes security fixes as well as enhancements. There is a new profile manager as well as unique features that are only available in the United States. It’s always interesting to see how software manufacturers must navigate the different mandates from various locations.
I found it interesting that Firefox is also facing bugs in its updater service. As noted in a Mozilla Foundation Security Advisory:
Mozilla Firefox’s update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.
-
The local account tax
There is a term often used when buying a computer called the “Apple tax.” It means that once you move into the Apple ecosystem, things are more expensive. Or, at a minimum, you must plan on possibly buying extra cables, connectors, and a printer and scanner or two.
Here’s another one, but from the Windows 11 world: the “local account tax.” If you want a local account without a password, there is an easy way to get one set up. It involves zero hacks, no back doors, no dropping to a command line.
How? Buy Windows 11 Professional Edition when you buy a new PC.
With that SKU, choose the “Set up for work or school” option in setup. Don’t enter anything; just click on “Sign-in options.” Then click on “Domain join instead,” put in your desired username, and leave the password blank. Click Next and that’s it. No fuss, no muss — you get a local account with no hassle.
So, yes, it’s a “tax.” But if you insist on a local account, my guess is that you’ll think it’s worth it.