Microsoft denies data breach, theft of 30M customer accounts (opens in new tab)

In Windows 11 Home 22H2, it's practically impossible to set up without a network connection, which has been a huge pain for me since my mobo's onboard ethernet drivers aren't included (too new, I guess). It's been at least 15 years since I needed to side-load a driver during an OS install to be able to complete it successfully, and the last time was a niche Linux distro. The so-called "workarounds" online are hit-or-miss.

What I've done is sign in using some throwaway account on setup, create a new local user once logged in, login to the new local user, and delete the old user with the Microsoft account.

I think you can also simply unlink and sign out of the Microsoft account once logged in to effectively make it a local user, but your user folder is stuck using the username of the Microsoft account, which also gets cutoff after like 8 characters.

I abhor the whole process and it's annoying because there's no other way to create a local account during Windows 11 setup on e.g., a laptop because it knows that the wifi module works and will not let you progress unless you connect to the internet. I tried unplugging my modem and connecting to my internet-less router, but it still refused to progress because it didn't have internet access.

Don't even get me started on the other dark patterns once you actually have a local user setup, like being pushed through part of the OOTB Windows setup again after a major feature update asking you to login into a Microsoft account and making sure you still want all the (user accessible) telemetry off.

The worst part is that I actually like Windows 11 and some of the new features like the tiling layouts when hovering over the maximize button on a window, the new default terminal program, etc. But, the whole thing is entirely soured by dark patterns like the aforementioned forceful use of a Microsoft account, all the extra Edge and Bing crap being shoved down my throat, the poor web-first Windows search, widgets just basically being an MSN feed, Teams starting at login by default on a new install, random apps and games being advertised in the start menu on a new install, etc.

In order to get out of using the M$ft account for my dad on win11 I had to disable secure boot, use regedit, etc and it was all very dark and time consuming. Microsoft is The Worst.

"Setup For Organization/School" then, "Domain Join Instead"

Is the spell to just make local account on Professional Edition.

If you have Home Edition, you have to do use the "no network" option in the OOTB setup.

I was seriousy shocked of all the abuse when I had to install a new winblows laptop for a relative. How is any of it legal? How the hell did we let it happen? Mindblowing.

Windows 10 (not even 11) was so annoying on the last random laptop that I'm not dealing with it again. And I gotta stress how low my bar is. I don't care about privacy or anything on random spare PCs, I just want it to work without harassing me constantly, and up until now it was tolerable. Idk what a dark pattern is, my word for this is "dogshit." It's more annoying than dealing with Ubuntu's random issues at this point.

Doesn't MacOS require an iCloud account for updates ... effectively making it "required" to use the OS?

> If you want to go through the OOTB setup and use a local account, you'd better not connect to a network (which it's very pushy at getting you to do.)

Pulling the ethernet plug to get a local account doesn't even work anymore. The only trick I know still works is to give it a fake account (like test@test.com).

Not an option unless someone searches YouTube. https://youtu.be/EOUcvgqOV-0

Are you sure there isnt some button visible on screen to create local account?

I've always been installing Pro versions and I've never been forced to use MS account

Customers might reasonably believe you won’t be able to provide the advertised service if the price is infeasibly low.

This is old-skool salesmanship. If you don't make it expensive, the sales prospect won't think it's valuable.

Apple has known this since they were founded.

I'm immediately reminded of Dr. Evil's demand for... one million dollars!

MITM'd login services perhaps? It does seem like a small number for Microsoft. Like robbing a bank and making off with $50

Could be an event like Microsoft Build conference or something.

Basically, a company is only incentivized to disclose compromises that were intentional and financially motivated. That is, a hacker that intends to extort the company, sell the information or abuse it for financial gains will ultimately cause too much noise to keep it under the rug.

If this is what the company anticipates they will have to investigate and disclose.

It the breach is a foreign government or hush-hush data hoarder or the result of plain incompetence, the company can absolutely ignore the problem.

How would it work to be required to disclose the worst, though? In most instances, you literally can't describe the worst possible case in the first hours/days of the discovery.

You'd be requiring companies to speculate on the outer bounds of something that is simply not knowable.

> It continues to be a travesty of breach disclosure that companys are legally allowed to claim the best possible outcome without any proof

> "We have seen no evidence that customer data has been accessed or compromised."

I think they are sincere here. I too have seen windows machines being compromised and the system, with the latest certified antivirus, run hapilly. /s

They are taking advantage of the "innocent until proven guilty" that is really only applicable to criminal charges but many people seem willing to extend it more generally.

The followup question to those kind of statements should always be "do you have any evidence that your accounts are not compromised?"

I.e. absence of evidence is not evidence of absence.

> It continues to be a travesty of breach disclosure that [companies] are legally allowed to claim the best possible outcome without any proof.

what proof would you propose that you be shown? how do you prove something didn't happen?

Might be the password to login to the computer itself.

Of course there is nothing wrong with using a relational database. My concern was about storing passwords in it. There is a difference between storing passwords and storing hashes and/or salts.

In general, you don't. You store hashes. Exceptions sometimes apply when it's a credential used to access some other system - for example, Plaid's gonna have to store your bank account password to scrape it - but there you'd at least hope for encryption.

Media coverage tends not to get the distinction right, so it's always hard to tell if the company fucked up or the attacker is exaggerating on early coverage.

Not at all. You store a salt and the hash(pw+salt).

on a post-it, under the keyboard its safer there

Or maybe they are so good that there is simply no evidence of their hacking.