Or, session cookies. They don't need special privilege to access, and if you grab all of someone's cookies, you can probably get some valid session cookies for logged in accounts just by checking for some common domains in one/by keyword.

From there, it would be trivial to get into email, social media, and other accounts to do other things with.

It would be trivial to add a "please click 'yes' to the UAC prompt to allow verification" screen, so that isn't really going to stop anyone.

I've seen a bit of office malware in the past that did that, where it had a bunch of images instructing you to enable macros and that.

That's probably why they "helpfully" include a little picture of the symbol on the key, so you know what it looks like.

This feature is extremely insecure now that there’s several AIs that can replicate voices. If a scammer calls you and you say a few words (like if you say “hello” and “sorry, I think you’ve got the wrong number”), a recording of that can be enough for them to replicate your voice.

It honestly wasn't really that secure to begin with, since the audio would have the daylights crushed out of it through the phone system. Though AI probably makes it easier by just letting you have a computer at the end of it spit out some words.

Someone could probably get away with it by sounding vaguely enough like the person calling.

Or just do the tried and true method of going through the in-person support. Voice recognition, at least in my experience, over the phone, has trouble with accents, so someone calling to get around that isn't uncommon. It never works with me, for example, it just goes "please try again" until it redirects me to an agent.

From the Browser's viewpoint, would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?

It's not like there's that much of a difference, as far as the Browser is concerned.

Depends on how dedicated they are. It's not implausible that some might just shuffle it away as "computer verification stuff", and faithfully paste and execute the code, since it's the computer doing a computery thing, that it says it is doing, and asks you to do, all must be well.

Just make the screen one gargantuan pixel, and infer the other 2-million.

I have personally found generative-text LLMs quite good for creating titles. As an example, I have a few hundred tweets that I'm trying to put into a file, and I'll use an LLM to create a human-readable name for them. It's much better than a lot of the other summarisation mechanisms (like BERT) I've tried with it, but it's still not perfect, because the model tends to output the same thing in slightly different words each time, so repeat runs will often result in the same thing with a different title.

But, that is also a fairly limited use case.

At the same time, the trouble with local LLMs is that they're very resource heavy. Your average household computer isn't going to be able to run one with much usability or speed.

What is a "trustworthy software environment"?

Does that mean that it will get mad and fail you for having Developer options enabled? Having F-Droid installed? Having it plugged into a computer?

I didn't, actually, but thank you.

The Star Trek ones over on startrek.website. They weren't the most active to begin with, though their activity has dropped a bit more over time.