Re: In-Process is out


Jackie
 

I think it needs to be considered that NVDA is not always used simply
in a "consumer" (or perhaps, more accurately, a single user) milieu. It
can also be used in an enterprise scenario where these security flaws
can have devastating implications. If NVDA is to market itself as a
competitor to Jaws, for example, then it had dog-gone well better take
these advisories seriously & implement fixes ASAP, which it does
indeed seem to be doing. & although it's tempting for single users to
blow off the implications of these security flaws, remember that blind
folks can be employed in the technical field only if they use
some sort of screen reader, & those need to be seen as not being a
security threat. It amazes me to this day how many computer issues get
blamed on the screen reader, & many times those problems occur before
the screen reader ever actually loads. I remember in my previous life
as an adaptive technologist I got blamed 1 time that my scripting work
on behalf of a client took down the network. The problem w/that logic
was that I had taken the computer offline before ever doing any
scripting. The view towards our software is often pretty hostile. To
try to allay it, at least somewhat, we've got to demonstrate that we
pose no greater risk than any other user. So whether you as an
individual are interested in these things or not, they are nonetheless
extremely significant & need to be dealt with accordingly.

On 10/20/22, Quentin Christensen <quentin@...> wrote:
Indeed, it is tricky to generalise as we do have a wide audience. I would
agree with the comment earlier that basically all of these security
releases we have put out have been generally theoretical in nature -
exploitations which COULD happen under the right circumstances, and in all
cases, requiring either access to the machine, or remote access (eg using
NVDA Remote or other similar connections) - worth fixing, but not an
immediate threat to the majority of users.

Is it worth the average user disabling the lock screen? Or conversely you
could ask, does the lock screen provide any actual benefit to most users?
The idea behind the lock screen seems to stem from mobile phones where
having a screen before you are asked to enter your password or pin is
helpful to prevent random button presses in a pocket or bag, which, on your
pin, could potentially lock you out of your device. On a Windows tablet,
in a bag, that's theoretically possible (though I'd strongly recommend a
relatively sturdy cover at least). Given the general lack of usefulness
(unless I've completely missed something obvious?), I'm surprised Microsoft
haven't offered a simple way to disable the lock screen.

As Brian noted, I did include a link to the registry patch he created in
In-Process (thanks Brian) and corrected a couple of things in the steps - I
didn't go through and fully rewrite them - the points made are all valid,
although what is there SHOULD be enough for someone experienced to go
through it manually if desired, otherwise the registry patch would be
recommended.

Meanwhile what I will do, is put the suggestion around a simple toggle for
the feature to Microsoft.

Quentin.

On Fri, Oct 21, 2022 at 10:39 AM David Goldfield <david.goldfield@...> wrote:

Cyrille wrote:

security advisories and "In-Process" do not target the same audience.



With respect I’m not sure that we can make such a general statement. I’m
sure there are many In-Process readers who don’t care about the details of
security advisories who would just skip over such material. However, I’d be
willing to bet that many readers would have an interest in such things and
who would review all of the details. In-Process likely is seen by experts
as well as novices. If I’ve misunderstood your assertion by all means
please feel free to correct me.

David Goldfield,

Blindness Assistive Technology Specialist

JAWS Certified, 2022 <https://www.freedomscientific.com/Training/Certification>

NVDA Certified Expert <https://certification.nvaccess.org/>



Subscribe to the Tech-VI announcement list to receive news, events and
information regarding the blindness assistive technology field.

Email: tech-vi+subscribe@groups.io

www.DavidGoldfield.org



*From:* nvda@nvda.groups.io <nvda@nvda.groups.io> *On Behalf Of* Cyrille via groups.io
*Sent:* Thursday, October 20, 2022 3:27 AM
*To:* nvda@nvda.groups.io
*Subject:* Re: [nvda] In-Process is out



Hello

Quentin, you have copied the content of a security advisory. However
security advisories and "In-Process" do not target the same audience.
I do not know if In-Process are usually edited after having been released
but this case would be an opportunity.

If possible, I would:
1. put the .reg file option before the manual registry edition option
2. put a big warning for people before editing the registry as we can find
everywhere (e.g. here
<https://www.howtogeek.com/325096/how-to-make-windows-10s-taskbar-clock-display-seconds/>)
on the internet when dealing with registry edition.
3. fix the steps with the correct wording (key instead of folder) and make
the steps according to what is most commonly found ("Personalization"
missing); people already having the "Personalization" key can just ignore
the step for creating it.
or
3 bis. Remove the steps to edit the registry and just link the security
advisory.

Cheers,

Cyrille




On Thu, Oct 20, 2022 at 04:48 AM, Quentin Christensen wrote:

Brian,



Thanks for the help for William on this one - I must admit, I just copied
those steps from a previous recommendation we had put up with another
security fix related to the lock screen. I had a lot of content this week
(and already a few items held over for the next post) so I didn't analyse
those steps as closely as I might have another time. I did note that the
steps weren't as fully written as I would have with every keystroke,
although being the registry, my original thought was that people should
know what they are doing before going in and editing it - but then again
maybe that is just more reason why the steps should be provided in full as
well...



Quentin.



On Thu, Oct 20, 2022 at 12:01 PM Brian Vogel <britechguy@...> wrote:

By the way, I have yet to encounter any Windows 10 machine *in its
default state* that will have a Personalization subkey under the Registry
Key, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows.

Count on having to follow my previously noted steps to create it and set
its value to 1.
--

Brian - Virginia, USA - Windows 10, 64-Bit, Version 22H2, Build 19045

*There are many people who can only make themselves feel better about
themselves by making themselves feel better than others.*

~ Commenter *Looking_in* on the *Washington Post*, 7/10/2014








--

Quentin Christensen
Training and Support Manager



Web: www.nvaccess.org
Training: https://www.nvaccess.org/shop/
Certification: https://certification.nvaccess.org/
User group: https://nvda.groups.io/g/nvda
Facebook: http://www.facebook.com/NVAccess
Twitter: @NVAccess <https://twitter.com/NVAccess>








--
Jackie McBride
Be a hero. Fight Scams. Learn how at www.scam911.org
Also check out brightstarsweb.com & mysitesbeenhacked.com
