In-Process is out


Quentin Christensen
 

Hi everyone,

There is lots to share in our In-Process blog this week!
- All the details on NVDA 2022.3.1 and NVDA 2022.4 Beta 2
- How to disable the Windows lock screen
- Info for users on an eSpeak-NG change
- An update on our earlier Task Manager article
- and more!
Read it all at: https://www.nvaccess.org/post/in-process-19th-october-2022/



--
Quentin Christensen
Training and Support Manager


William
 

Hello,

According to the article

'4. If it does not exist, “Personalization” may need to be created as a folder in “Windows”.'

Sorry, I do not know how to do this step.

I find that “Personalization” folder doesn't exist, then I try to trigger the context menu when my focus is on “Windows”, but there is no option to create a new folder there.





Gene
 

Are you in the Windows folder with nothing selected?  You can create a folder then.  In any folder, if nothing is selected, the new option will be available.  If you are at the Windows folder and it is selected, you won't see the new option because something is selected.

Gene




 

On Wed, Oct 19, 2022 at 08:22 PM, William wrote:
'4. If it does not exist, “Personalization” may need to be created as a folder in “Windows”.'
-
This is very poorly phrased indeed, in my opinion.  The Windows Registry does not have folders, but keys & subkeys, and what's being said is that if a Personalization Subkey does not already exist under the Key, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows, you may have to create it.

After navigating to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows, and checking its subkeys, if there is not already one for Personalization, it would be created as follows.

1. With focus on the previously noted parent key, hit SHIFT + F10 to open the context menu.
2. Hit N, followed by D  (New, DWORD)
3. In the edit box for the Subkey name, enter NoLockScreen, then hit Enter.
4. Hit Shift + F10, followed by M  (Opens the Modify dialog for the NoLockScreen subkey you have focus on).
5. Enter 1 in the Value edit box, then hit the OK button.
6. Hit ALT + F4 to close the registry editor.
--

Brian Virginia, USA  Windows 10, 64-Bit, Version 22H2, Build 19045  

There are many people who can only make themselves feel better about themselves by making themselves feel better than others.

    ~ Commenter Looking_in on the Washington Post, 7/10/2014


 

By the way, I have yet to encounter any Windows 10 machine in its default state that will have a Personalization subkey under the Registry Key, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows.

Count on having to follow my previously noted steps to create it and set its value to 1.
--

Brian Virginia, USA  Windows 10, 64-Bit, Version 22H2, Build 19045  



Quentin Christensen
 

Brian,

Thanks for the help for William on this one - I must admit, I just copied those steps from a previous recommendation we had put up with another security fix related to the lock screen.   I had a lot of content this week (and already a few items held over for the next post) so I didn't analyse those steps as closely as I might have another time.  I did note that the steps weren't as fully written as I would have with every keystroke, although being the registry, my original thought was that people should know what they are doing before going in and editing it - but then again maybe that is just more reason why the steps should be provided in full as well...

Quentin.



Jackie
 

Perhaps it might be a good idea to create a .reg file that folks can
just download & use? Caution them to only download it from the NVDA
site, of course. I get nervous as a cat in a room full of rocking
chairs when folks who aren't well versed in doing so try registry
modifications unassisted. Things can go extremely pear-shaped very
very quickly.


--
Jackie McBride
Be a hero. Fight Scams. Learn how at www.scam911.org
Also check out brightstarsweb.com & mysitesbeenhacked.com


Cyrille
 

Hello

Quentin, you have copied the content of a security advisory. However security advisories and "In-Process" do not target the same audience.
I do not know if In-Process are usually edited after having been released but this case would be an opportunity.

If possible, I would:
1. put the .reg file option before the manual registry edition option
2. put a big warning for people before editing the registry as we can find everywhere (e.g. here) on the internet when dealing with registry edition.
3. fix the steps with the correct wording (key instead of folder) and make the steps according to what is most commonly found ("Personalization" missing); people already having the "Personalization" key can just ignore the step for creating it.
or
3 bis. Remove the steps to edit the registry and just link the security advisory.

Cheers,

Cyrille




 


Gene
 

I question even discussing this in a manner that may make people inexperienced with using the registry think that maybe they should do so.  If I don't know something, I'd be glad to find out, but these lock screen vulnerabilities appear to me to be so obscure and unlikely to be exploited that the risk is 0 for most users.

Here is an excerpt from a recent Microsoft security bulletin about such a vulnerability.  It requires someone to have physical access to the person's computer and, of course, to know about the vulnerability and how to exploit it.
https://learn.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-112
An elevation of privilege vulnerability exists when Windows improperly allows web content to load from the Windows lock screen. To exploit the vulnerability, an attacker with physical access to a user’s computer could either connect to a maliciously configured WiFi hotspot or insert a mobile broadband adaptor in the user’s computer. An attacker who successfully exploited the vulnerability could potentially execute code on a user's locked computer.

This sounds to me to be a vulnerability to be of interest to those worrying about espionage or industrial espionage, not remotely to almost all users.
Also, a patch for this Windows vulnerability has been distributed in Windows update.

I haven't checked the rest, but the first two vulnerabilities in NVDA required someone to have access to the computer as well, to know about the vulnerability and how to exploit it.  I have no objection to offering security updates to NVDA but I don't think discussing disabling the lock screen is a good idea.  I don't think people should take even small risks when there is no benefit and I don't think there is any benefit to most or perhaps even just about all users.

Gene
 


 

This is not an attempt to toot my own horn, but to make people aware that a REG file that does this edit for you was created by me, checked by Quentin, and the following added to In-Process last night:

Alternatively, you can download this registry patch to disable the lock screen on Windows Home. Thanks to Brian Vogel from the NVDA user email group for his help and suggestion here.

No one need do this registry edit by hand and, unless you are someone who's already intimately familiar with doing so and comfortable making by-hand edits, you shouldn't.  I hope that moving forward on the odd occasions where a registry tweak is needed (and it does happen, rarely) that it will become policy to distribute a REG editing script rather than giving instructions for hand editing.  This eliminates all possibility of error.

The REG file is the only thing contained in the ZIP file in the noted link.  Because REG files are sometimes classed as executables, they may not be allowed to be downloaded by certain security suites.  That's why placing them in a ZIP archive is necessary, so that they can be downloaded without a hassle.  Once this file has been unzipped somewhere, you just select it and activate it.  You'll get a series of two "Are you sure you want to run this?" type prompts from Windows, followed by a confirmation that the key has been successfully created.  [That's the typical pattern when running any REG file, though if more than one key is created/deleted/modified the confirmation message will indicate that keys have been created/deleted/modified.]
--

Brian Virginia, USA  Windows 10, 64-Bit, Version 22H2, Build 19045  

There are many people who can only make themselves feel better about themselves by making themselves feel better than others.

    ~ Commenter Looking_in on the Washington Post, 7/10/2014
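Added example, not part of the post above and not the REG file linked from In-Process: a Python check that lists everything a .reg file would change before it is merged, and confirms that it only sets NoLockScreen to 1 under the Personalization policy key discussed in this thread. The two sample files, the allow-list and all function names are constructed for illustration.

```python
import re
from collections import namedtuple

# The single change discussed in this thread (key names and value names are case-insensitive).
EXPECTED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization"
EXPECTED_NAME, EXPECTED_DATA = "NoLockScreen", ("dword", 1)
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# action is one of: touch-key, set, delete-value, delete-key, unparsed
Op = namedtuple("Op", "action key name kind data")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")\s*=\s*(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{1,8})$")

# Constructed sample: what a file making only the expected change looks like.
# Merging it creates the Personalization key if it does not exist yet.
SAMPLE_OK = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + EXPECTED_KEY + "]",
    '"NoLockScreen"=dword:00000001', "",
]).encode("utf-16")  # regedit exports UTF-16 with a BOM

# Constructed sample: wrong value, an unrelated placeholder key, and a key deletion.
SAMPLE_BAD = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + EXPECTED_KEY + "]",
    '"NoLockScreen"=dword:00000000', "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]",
    '"Setting"="changed"', "",
    r"[-HKEY_CURRENT_USER\Software\ExampleVendor\Old]", "",
]).encode("ascii")


def decode_reg(raw):
    """Decode UTF-16 (regedit export), UTF-8 with BOM, or plain single-byte text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    if raw[:3] == b"\xef\xbb\xbf":
        return raw.decode("utf-8-sig")
    return raw.decode("latin-1")


def parse_reg(text):
    """Return (header, [Op, ...]) describing every key and value the file touches."""
    lines = text.replace("\r\n", "\n").split("\n")
    header, ops, key, i = lines[0].strip(), [], None, 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):  # hex data continued on next line
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(";"):           # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):                    # [-KEY] deletes the whole key
                ops.append(Op("delete-key", key[1:], None, None, None))
                key = None
            else:
                ops.append(Op("touch-key", key, None, None, None))
            continue
        m = VALUE_RE.match(line)
        if not m:
            ops.append(Op("unparsed", key, None, None, line))
            continue
        name = "" if m.group(1) == "@" else m.group(2)  # "" is the key's default value
        data = m.group(3).strip()
        dword = DWORD_RE.match(data)
        if data == "-":                                 # "name"=- deletes the value
            ops.append(Op("delete-value", key, name, None, None))
        elif dword:
            ops.append(Op("set", key, name, "dword", int(dword.group(1), 16)))
        else:
            kind = "string" if data.startswith('"') else data.split(":")[0]
            ops.append(Op("set", key, name, kind, data))
    return header, ops


def audit(raw):
    """Return findings; an empty list means the file makes only the expected change."""
    header, ops = parse_reg(decode_reg(raw))
    findings = []
    if header not in HEADERS:
        findings.append(f"unrecognised header: {header!r}")
    seen_expected = False
    for op in ops:
        on_key = op.key is not None and op.key.upper() == EXPECTED_KEY.upper()
        if op.action == "touch-key":
            if not on_key:
                findings.append(f"touches unexpected key: {op.key}")
        elif op.action == "set" and on_key and op.name.lower() == EXPECTED_NAME.lower():
            if (op.kind, op.data) == EXPECTED_DATA:
                seen_expected = True
            else:
                findings.append(f"{op.name} set to {op.kind}:{op.data}, expected dword:1")
        else:
            findings.append(f"unexpected {op.action}: key={op.key} name={op.name} data={op.data}")
    if not seen_expected:
        findings.append("NoLockScreen=dword:1 is not set by this file")
    return findings


if __name__ == "__main__":
    for label, raw in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(label, audit(raw) or "only the expected change")
```

To check a downloaded file, pass its bytes to `audit()`, for example `audit(open(path, "rb").read())`, and merge it only if the result is an empty list.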


Howard Traxler
 

Do you have this registry patch for windows 10 pro 64 bit?  I could use that one.


Howard



 

On Thu, Oct 20, 2022 at 11:41 AM, Howard Traxler wrote:
Do you have this registry patch for windows 10 pro 64 bit?  I could use that one.
-
The registry edit script should work under any version of Windows.

It's just more conventional for many Pro users to have familiarity with using gpedit.msc to tweak policies which, in turn, is what tweaks the Windows Registry.

My machine is actually running Windows 10 Pro, and it's the box on which I developed that simple REG Edit script.

I didn't state it earlier, because I presume this is known already, but if you're going to do any registry edits, regardless of method, you do have to be logged in to Windows with an account that has administrator privileges.  Many people use a standard account unless they're doing administrative work, and if you're one of those make sure you log in to your account with administrator privileges to do this work.
--

Brian Virginia, USA  Windows 10, 64-Bit, Version 22H2, Build 19045  



Howard Traxler
 

I don't even know how to login with administrator privileges; or maybe I just don't remember.  The only thing I've done was to shift enter when I was pointed at a shortcut or an executable.  That doesn't seem to work for me any more.  Think I'm getting too old for all this.

Howard



 

Howard,

If you are on a Windows machine, and it has only one account, that account has administrator privileges.  Any computer has to have an account with administrator privileges.

A REG file and an executable file are, as far as how you activate them, indistinguishable from each other.  If you're able to install new versions of NVDA and other software on your computer with the account you use daily, then that account has administrator privileges.

Standard accounts are very limited in what they can do as far as changing anything about system configuration or adding/removing software, and that's by design.  If you're not using a standard account, then it's a non-issue.

For anyone who wants to check whether the account they're using is a standard account versus an administrator account, open Settings, Accounts, Your account pane and start reading down.  You will hit the designation Administrator if you're an administrator.  I can't remember if a standard user account reads "standard" or something else, as I am always logged in with an account with administrator privileges.
--

Brian Virginia, USA  Windows 10, 64-Bit, Version 22H2, Build 19045  



David Goldfield
 

Cyrille wrote:

security advisories and "In-Process" do not target the same audience.

 

With respect I’m not sure that we can make such a general statement. I’m sure there are many In-Process readers who don’t care about the details of security advisories who would just skip over such material. However, I’d be willing to bet that many readers would have an interest in such things and who would review all of the details. In-Process likely is seen by experts as well as novices. If I’ve misunderstood your assertion by all means please feel free to correct me.

David Goldfield,

Blindness Assistive Technology Specialist

NVDA Certified Expert

 

Subscribe to the Tech-VI announcement list to receive news, events and information regarding the blindness assistive technology field.

Email: tech-vi+subscribe@groups.io

www.DavidGoldfield.org

 


 


Quentin Christensen
 

Indeed, it is tricky to generalise as we do have a wide audience.  I would agree with the comment earlier that basically all of these security releases we have put out have been generally theoretical in nature - exploitations which COULD happen under the right circumstances, and in all cases, requiring either access to the machine, or remote access (eg using NVDA Remote or other similar connections) - worth fixing, but not an immediate threat to the majority of users.

Is it worth the average user disabling the lock screen?  Or conversely you could ask, does the lock screen provide any actual benefit to most users?  The idea behind the lock screen seems to stem from mobile phones where having a screen before you are asked to enter your password or pin is helpful to prevent random button presses in a pocket or bag, which, on your pin, could potentially lock you out of your device.  On a Windows tablet, in a bag, that's theoretically possible (though I'd strongly recommend a relatively sturdy cover at least).  Given the general lack of usefulness (unless I've completely missed something obvious?), I'm surprised Microsoft haven't offered a simple way to disable the lock screen.

As Brian noted, I did include a link to the registry patch he created in In-Process (thanks Brian) and corrected a couple of things in the steps - I didn't go through and fully rewrite them - the points made are all valid, although what is there SHOULD be enough for someone experienced to go through it manually if desired, otherwise the registry patch would be recommended.

Meanwhile what I will do, is put the suggestion around a simple toggle for the feature to Microsoft.

Quentin.



David Goldfield
 

I should point out that Winaero Tweaker does have an option to disable the lock screen which you can find in the Boot and Logon section. This program is accessible with screen readers. I don’t recommend it casually as it does contain some settings which I don’t feel should be altered without good reason. That being said it’s a powerful program for modifying the way your OS behaves beyond the tools supplied by Microsoft.

 

 

David Goldfield,

Blindness Assistive Technology Specialist

NVDA Certified Expert

 

Subscribe to the Tech-VI announcement list to receive news, events and information regarding the blindness assistive technology field.

Email: tech-vi+subscribe@groups.io

www.DavidGoldfield.org

 

From: nvda@nvda.groups.io <nvda@nvda.groups.io> On Behalf Of Quentin Christensen
Sent: Thursday, October 20, 2022 8:28 PM
To: nvda@nvda.groups.io
Subject: Re: [nvda] In-Process is out

 

Indeed, it is tricky to generalise as we do have a wide audience.  I would agree with the comment earlier that basically all of these security releases we have put out have been generally theoretical in nature - exploitations which COULD happen under the right circumstances, and in all cases, requiring either access to the machine, or remote access (eg using NVDA Remote or other similar connections) - worth fixing, but not an immediate threat to the majority of users.

 

Is it worth the average user disabling the lock screen?  Or conversely you could ask, does the lock screen provide any actual benefit to most users?  The idea behind the lock screen seems to stem from mobile phones where having a screen before you are asked to enter your password or pin is helpful to prevent random button presses in a pocket or bag, which, on your pin, could potentially lock you out of your device.  On a Windows tablet, in a bag, that's theoretically possible (though I'd strongly recommend a relatively sturdy cover at least).  Given the general lack of usefulness (unless I've completely missed something obvious?), I'm surprised Microsoft haven't offered a simple way to disable the lock screen.

 

As Brian noted, I did include a link to the registry patch he created in In-Process (thanks Brian) and corrected a couple of things in the steps - I didn't go through and fully rewrite them - the points made are all valid, although what is there SHOULD be enough for someone experienced to go through it manually if desired, otherwise the registry patch would be recommended.

 

Meanwhile what I will do, is put the suggestion around a simple toggle for the feature to Microsoft.

 

Quentin.

 

On Fri, Oct 21, 2022 at 10:39 AM David Goldfield <david.goldfield@...> wrote:

Cyrille wrote:

security advisories and "In-Process" do not target the same audience.

 

With respect I’m not sure that we can make such a general statement. I’m sure there are many In-Process readers who don’t care about the details of security advisories who would just skip over such material. However, I’d be willing to bet that many readers would have an interest in such things and who would review all of the details. In-Process likely is seen by experts as well as novices. If I’ve misunderstood your assertion by all means please feel free to correct me.

David Goldfield,

Blindness Assistive Technology Specialist


NVDA Certified Expert

 

Subscribe to the Tech-VI announcement list to receive news, events and information regarding the blindness assistive technology field.

Email: tech-vi+subscribe@groups.io

www.DavidGoldfield.org

 

From: nvda@nvda.groups.io <nvda@nvda.groups.io> On Behalf Of Cyrille via groups.io
Sent: Thursday, October 20, 2022 3:27 AM
To: nvda@nvda.groups.io
Subject: Re: [nvda] In-Process is out

 

Hello

Quentin, you have copied the content of a security advisory. However security advisories and "In-Process" do not target the same audience.
I do not know if In-Process are usually edited after having been released but this case would be an opportunity.

If possible, I would:
1. put the .reg file option before the manual registry edition option
2. put a big warning for people before editing the registry as we can find everywhere (e.g. here) on the internet when dealing with registry edition.
3. fix the steps with the correct wording (key instead of folder) and make the steps according to what is most commonly found ("Personalization" missing); people already having the "Personalization" key can just ignore the step for creating it.
or
3 bis. Remove the steps to edit the registry and just link the security advisory.

Cheers,

Cyrille




On Thu, Oct 20, 2022 at 04:48 AM, Quentin Christensen wrote:

Brian,

 

Thanks for the help for William on this one - I must admit, I just copied those steps from a previous recommendation we had put up with another security fix related to the lock screen.   I had a lot of content this week (and already a few items held over for the next post) so I didn't analyse those steps as closely as I might have another time.  I did note that the steps weren't as fully written as I would have with every keystroke, although being the registry, my original thought was that people should know what they are doing before going in and editing it - but then again maybe that is just more reason why the steps should be provided in full as well...

 

Quentin.

 

On Thu, Oct 20, 2022 at 12:01 PM Brian Vogel <britechguy@...> wrote:

By the way, I have yet to encounter any Windows 10 machine in its default state that will have a Personalization subkey under the Registry Key, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows.

Count on having to follow my previously noted steps to create it and set its value to 1.
--

Brian Virginia, USA  Windows 10, 64-Bit, Version 22H2, Build 19045  

There are many people who can only make themselves feel better about themselves by making themselves feel better than others.

    ~ Commenter Looking_in on the Washington Post, 7/10/2014

 

 


 

--

Quentin Christensen
Training and Support Manager

 


 


 


Jackie
 

I think it needs to be considered that NVDA is not always used simply
in a "consumer" (or perhaps, more accurately, a single user) milieu. It
can also be used in an enterprise scenario where these security flaws
can have devastating implications. If NVDA is to market itself as a
competitor to Jaws, for example, then it had dog-gone well better take
these advisories seriously & implement fixes ASAP, which it does
indeed seem to be doing. & although it's tempting for single users to
blow off the implications of these security flaws, remember that blind
folks can only be employed in the technical field only if they use
some sort of screen reader, & those need to be seen as not being a
security threat. It amazes me to this day how many computer issues get
blamed on the screen reader, & many times those problems occur before
the screen reader ever actually loads. I remember in my previous life
as an adaptive technologist I got blamed 1 time that my scripting work
on behalf of a client took down the network. The problem w/that logic
was that I had taken the computer offline before ever doing any
scripting. The view towards our software is often pretty hostile. To
try to allay it, at least somewhat, we've got to demonstrate that we
pose no greater risk than any other user. So whether you as an
individual are interested in these things or not, they are nonetheless
extremely significant & need to be dealt with accordingly.

On 10/20/22, Quentin Christensen <quentin@...> wrote:
Indeed, it is tricky to generalise as we do have a wide audience. I would
agree with the comment earlier that basically all of these security
releases we have put out have been generally theoretical in nature -
exploitations which COULD happen under the right circumstances, and in all
cases, requiring either access to the machine, or remote access (eg using
NVDA Remote or other similar connections) - worth fixing, but not an
immediate threat to the majority of users.

Is it worth the average user disabling the lock screen? Or conversely you
could ask, does the lock screen provide any actual benefit to most users?
The idea behind the lock screen seems to stem from mobile phones where
having a screen before you are asked to enter your password or pin is
helpful to prevent random button presses in a pocket or bag, which, on your
pin, could potentially lock you out of your device. On a Windows tablet,
in a bag, that's theoretically possible (though I'd strongly recommend a
relatively sturdy cover at least). Given the general lack of usefulness
(unless I've completely missed something obvious?), I'm surprised Microsoft
haven't offered a simple way to disable the lock screen.

As Brian noted, I did include a link to the registry patch he created in
In-Process (thanks Brian) and corrected a couple of things in the steps - I
didn't go through and fully rewrite them - the points made are all valid,
although what is there SHOULD be enough for someone experienced to go
through it manually if desired, otherwise the registry patch would be
recommended.

Meanwhile what I will do, is put the suggestion around a simple toggle for
the feature to Microsoft.

Quentin.

--
Quentin Christensen
Training and Support Manager

Web: www.nvaccess.org
Training: https://www.nvaccess.org/shop/
Certification: https://certification.nvaccess.org/
User group: https://nvda.groups.io/g/nvda
Facebook: http://www.facebook.com/NVAccess
Twitter: @NVAccess <https://twitter.com/NVAccess>





--
Jackie McBride
Be a hero. Fight Scams. Learn how at www.scam911.org
Also check out brightstarsweb.com & mysitesbeenhacked.com


Quentin Christensen
 

Good point Jackie, and indeed, as you mentioned, we do take security seriously.  I have no idea whether similar things are exploitable with Jaws, but as closed source software, it can be harder to identify sometimes.  Indeed, the majority of the ones we have had reported recently have been because once one was found, people looked a bit closer at that behaviour and navigating in a similar way.  In fact, these aren't things broken in NVDA, they are issues with Windows not correctly presenting the lock screen, it's just that it's most obvious with software such as a screen reader, and knowledge of how to use some of the advanced navigation features like object navigation.

In fact I wasn't questioning the validity of fixing them - I think, as you noted, we have taken these very seriously - my query was around the usefulness of the lock screen in general.

On Fri, Oct 21, 2022 at 11:55 AM Jackie <abletec@...> wrote:
I think it needs to be considered that NVDA is not always used simply
in a "consumer" (or perhaps, more accurately, a single user) milieu. It
can also be used in an enterprise scenario where these security flaws
can have devastating implications. If NVDA is to market itself as a
competitor to Jaws, for example, then it had dog-gone well better take
these advisories seriously & implement fixes ASAP, which it does
indeed seem to be doing. & although it's tempting for single users to
blow off the implications of these security flaws, remember that blind
folks can only be employed in the technical field only if they use
some sort of screen reader, & those need to be seen as not being a
security threat. It amazes me to this day how many computer issues get
blamed on the screen reader, & many times those problems occur before
the screen reader  ever actually loads. I remember in my previous life
as an adaptive technologist I got blamed 1 time that my scripting work
on behalf of a client took down the network. The problem w/that logic
was that I had taken the computer offline before ever doing any
scripting. The view towards our software is often pretty hostile. To
try to allay it, at least somewhat, we've got to demonstrate that we
pose no greater risk than any other user. So whether you as an
individual are interested in these things or not, they are nonetheless
extremely significant & need to be dealt with accordingly.



--
Jackie McBride
Be a hero. Fight Scams. Learn how at www.scam911.org
Also check out brightstarsweb.com & mysitesbeenhacked.com







--
Quentin Christensen
Training and Support Manager


Jackie
 

It's likely not going away anytime soon, Quentin. Here's a scenario.
I'm in a multiuser environment. It's lunchtime & I'm starved. I'm also
planning on leaving the office for lunch. The last thing I wanna do is
wait for who knows however long when I come back to get logged back on
if I shut my machine down, because I really don't want someone
casually strolling by & accessing my machine while I'm away. Enter the
lock screen! I can lock the screen w/o actually shutting it down, & if
I'm running a bit late, it might help me sign in on time rather than
wait for a logon from a shutdown. Lol.

I can see that NVDA is taking these security concerns very seriously,
as it should. Part of my concern was directed toward some list members
who fail to consider the ramifications of these sorts of concerns in a
multiuser situation. It's true these considerations wouldn't be a
problem for those who operate their machine exclusively from their
homes. But that isn't the way all screen reader users use their
computers, & it's vital to take into account common business scenarios
in order to improve our chances of gaining employment.

On 10/20/22, Quentin Christensen <quentin@...> wrote:
Good point Jackie, and indeed, as you mentioned, we do take security
seriously. I have no idea whether similar things are exploitable with
Jaws, but as closed source software, it can be harder to identify
sometimes. Indeed, the majority of the ones we have had reported recently
have been because once one was found, people looked a bit closer at that
behaviour and navigating in a similar way. In fact, these aren't things
broken in NVDA, they are issues with Windows not correctly presenting the
lock screen, it's just that it's most obvious with software such as a
screen reader, and knowledge of how to use some of the advanced navigation
features like object navigation.

In fact I wasn't questioning the validity of fixing them - I think, as you
noted, we have taken these very seriously - my query was around the
usefulness of the lock screen in general.

On Fri, Oct 21, 2022 at 11:55 AM Jackie <abletec@...> wrote:

I think it needs to be considered that NVDA is not always used simply
in a "consumer" (or perhaps, more accurately, a single user) milieu. It
can also be used in an enterprise scenario where these security flaws
can have devastating implications. If NVDA is to market itself as a
competitor to Jaws, for example, then it had dog-gone well better take
these advisories seriously & implement fixes ASAP, which it does
indeed seem to be doing. & although it's tempting for single users to
blow off the implications of these security flaws, remember that blind
folks can only be employed in the technical field only if they use
some sort of screen reader, & those need to be seen as not being a
security threat. It amazes me to this day how many computer issues get
blamed on the screen reader, & many times those problems occur before
the screen reader ever actually loads. I remember in my previous life
as an adaptive technologist I got blamed 1 time that my scripting work
on behalf of a client took down the network. The problem w/that logic
was that I had taken the computer offline before ever doing any
scripting. The view towards our software is often pretty hostile. To
try to allay it, at least somewhat, we've got to demonstrate that we
pose no greater risk than any other user. So whether you as an
individual are interested in these things or not, they are nonetheless
extremely significant & need to be dealt with accordingly.

On 10/20/22, Quentin Christensen <quentin@...> wrote:
Indeed, it is tricky to generalise as we do have a wide audience. I would
agree with the comment earlier that basically all of these security
releases we have put out have been generally theoretical in nature -
exploitations which COULD happen under the right circumstances, and in all
cases, requiring either access to the machine, or remote access (eg using
NVDA Remote or other similar connections) - worth fixing, but not an
immediate threat to the majority of users.

Is it worth the average user disabling the lock screen? Or conversely you
could ask, does the lock screen provide any actual benefit to most users?
The idea behind the lock screen seems to stem from mobile phones where
having a screen before you are asked to enter your password or pin is
helpful to prevent random button presses in a pocket or bag, which, on your
pin, could potentially lock you out of your device. On a Windows tablet,
in a bag, that's theoretically possible (though I'd strongly recommend a
relatively sturdy cover at least). Given the general lack of usefulness
(unless I've completely missed something obvious?), I'm surprised Microsoft
haven't offered a simple way to disable the lock screen.

As Brian noted, I did include a link to the registry patch he created in
In-Process (thanks Brian) and corrected a couple of things in the steps - I
didn't go through and fully rewrite them - the points made are all valid,
although what is there SHOULD be enough for someone experienced to go
through it manually if desired, otherwise the registry patch would be
recommended.

Meanwhile what I will do, is put the suggestion around a simple toggle for
the feature to Microsoft.

Quentin.

On Fri, Oct 21, 2022 at 10:39 AM David Goldfield <
david.goldfield@...> wrote:

Cyrille wrote:

security advisories and "In-Process" do not target the same audience.



With respect I’m not sure that we can make such a general statement.
I’m sure there are many In-Process readers who don’t care about the
details of security advisories who would just skip over such material.
However, I’d be willing to bet that many readers would have an interest
in such things and who would review all of the details. In-Process
likely is seen by experts as well as novices. If I’ve misunderstood
your assertion by all means please feel free to correct me.

David Goldfield,

Blindness Assistive Technology Specialist

[image: JAWS Certified, 2022]
<https://www.freedomscientific.com/Training/Certification>

NVDA Certified Expert <https://certification.nvaccess.org/>



Subscribe to the Tech-VI announcement list to receive news, events and
information regarding the blindness assistive technology field.

Email: tech-vi+subscribe@groups.io

www.DavidGoldfield.org



*From:* nvda@nvda.groups.io <nvda@nvda.groups.io> *On Behalf Of* Cyrille via groups.io
*Sent:* Thursday, October 20, 2022 3:27 AM
*To:* nvda@nvda.groups.io
*Subject:* Re: [nvda] In-Process is out



Hello

Quentin, you have copied the content of a security advisory. However
security advisories and "In-Process" do not target the same audience.
I do not know if In-Process are usually edited after having been
released but this case would be an opportunity.

If possible, I would:
1. put the .reg file option before the manual registry edition option
2. put a big warning for people before editing the registry as we can
find everywhere (e.g. here
<https://www.howtogeek.com/325096/how-to-make-windows-10s-taskbar-clock-display-seconds/>)
on the internet when dealing with registry edition.
3. fix the steps with the correct wording (key instead of folder) and
make the steps according to what is most commonly found
("Personalization" missing); people already having the
"Personalization" key can just ignore the step for creating it.
or
3 bis. Remove the steps to edit the registry and just link the security
advisory.

Cheers,

Cyrille




On Thu, Oct 20, 2022 at 04:48 AM, Quentin Christensen wrote:

Brian,



Thanks for the help for William on this one - I must admit, I just
copied those steps from a previous recommendation we had put up with
another security fix related to the lock screen. I had a lot of content
this week (and already a few items held over for the next post) so I
didn't analyse those steps as closely as I might have another time. I
did note that the steps weren't as fully written as I would have with
every keystroke, although being the registry, my original thought was
that people should know what they are doing before going in and editing
it - but then again maybe that is just more reason why the steps should
be provided in full as well...



Quentin.



On Thu, Oct 20, 2022 at 12:01 PM Brian Vogel <britechguy@...> wrote:

By the way, I have yet to encounter any Windows 10 machine *in its
default state* that will have a Personalization subkey under the
Registry Key, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows.

Count on having to follow my previously noted steps to create it and
set its value to 1.
--

Brian *-* Virginia, USA *-* Windows 10, 64-Bit, Version 22H2, Build 19045

*There are many people who can only make themselves feel better about
themselves by making themselves feel better than others. *

~ Commenter *Looking_in* on the * Washington Post*, 7/10/2014








--

Quentin Christensen
Training and Support Manager



Web: www.nvaccess.org



Training: https://www.nvaccess.org/shop/


Certification: https://certification.nvaccess.org/


User group: https://nvda.groups.io/g/nvda


Facebook: http://www.facebook.com/NVAccess


Twitter: @NVAccess










--
Jackie McBride
Be a hero. Fight Scams. Learn how at www.scam911.org
Also check out brightstarsweb.com & mysitesbeenhacked.com
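
Brian's note that the Personalization subkey is missing on a default Windows 10 install, and Cyrille's request for a warning before registry edits, as an added PowerShell example (not from the thread or from NV Access). It assumes the policy value is the REG_DWORD `NoLockScreen`, a name this thread does not quote, and the backup file path is likewise an assumption.

```powershell
# Added example: report, and with -Apply set, the lock-screen policy value.
# Assumptions (not quoted in the thread): value name NoLockScreen (REG_DWORD)
# and the backup file location.
[CmdletBinding()]
param(
    [switch]$Apply,   # without -Apply the script only reports
    [string]$BackupFile = "$env:USERPROFILE\policies-windows-backup.reg"
)

$parentKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$policyKey = "$parentKey\Personalization"
$valueName = 'NoLockScreen'

function Get-LockScreenPolicy {
    # $null means the key or the value is absent, i.e. the default state.
    if (-not (Test-Path -LiteralPath $policyKey)) { return $null }
    $item = Get-ItemProperty -LiteralPath $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

$before = Get-LockScreenPolicy
if ($null -eq $before) { Write-Output "Before: $valueName not set (key or value missing)" }
else { Write-Output "Before: $valueName = $before" }

if (-not $Apply) { return }

# Writing under HKLM needs an elevated session; stop early with a clear message.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

# Back up the parent key first so the change can be undone by importing the file.
& reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows' $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; nothing was changed." }

# Create the subkey only when it is missing, so an existing key and its
# values are left untouched.
if (-not (Test-Path -LiteralPath $policyKey)) {
    New-Item -Path $policyKey | Out-Null
}
New-ItemProperty -LiteralPath $policyKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

Write-Output "After: $valueName = $(Get-LockScreenPolicy) (backup: $BackupFile)"
```

Run without arguments it only reports the current state; the change is made only when `-Apply` is passed from an elevated session.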









