Andrei Petre - Askit | Solutii si rezolvari pentru diverse situatii IT

Inchiderea Piilopuoti de pe Dark Web

Posted 10 October 2023
By Andrei Petre
-1
57

Într-o mișcare determinată de a combate infracțiunile cibernetice și traficul de droguri, autoritățile finlandeze, în colaborare strânsă cu cele germane și lituaniene, au reușit să închidă Piilopuoti, una dintre cele mai cunoscute piețe ilegale de pe Dark Web specializate în vânzarea de droguri.

Utilizatorii care obișnuiau să acceseze această piață ilegală de droguri sunt întâmpinați acum de un mesaj care anunță că “Acest domeniu a fost confiscat”. Cu o simplă frază, autoritățile au reușit să distrugă o întreagă operațiune criminală. Potrivit Europol, pe această platformă cu limbă finlandeză, au fost vândute droguri și alte bunuri ilegale în cantități semnificative. Această piață funcționa pe rețeaua Onion Router (Tor).

Un aspect notabil al acestei operațiuni este colaborarea strânsă dintre autoritățile finlandeze, germane și lituaniene. Acest nivel de coordonare transfrontalieră este esențial pentru combaterea crimei cibernetice la nivel global.
Europol, organizația europeană de poliție, a avut un rol crucial în facilitarea comunicării între aceste țări și în coordonarea acțiunii. Acest efort comun a permis autorităților să obțină succesul în închiderea acestei piețe ilegale de droguri și să prevină răspândirea mai departe a activităților ilegale desfășurate prin intermediul acestei platforme Dark Web.

Cu toate că internetul ascunde multe pericole, acest caz arată că există speranță în lupta împotriva infracțiunilor online și că autoritățile pot lua măsuri decisive pentru a proteja societatea.

[mai mult...]

AtlasVPN remediaza o vulnerabilitate

Posted 10 October 2023
By Andrei Petre
-4
56

Dezvoltatorii AtlasVPN lucrează la remedierea unei vulnerabilități de scurgere a adresei IP, ale cărei detalii au fost făcute publice de un cercetător care a ales să opteze pentru divulgarea completă după ce încercările de divulgare responsabilă au fost ignorate.

Breșa de securitate afectează clientul AtlasVPN pentru Linux și poate fi exploatată atrăgând utilizatorul țintă pe un site web care găzduiește codul de exploatare. Exploatarea determină deconectarea AtlasVPN, ceea ce duce la dezvăluirea adresei IP reale a utilizatorului către site-ul atacatorului.

Clientul AtlasVPN pentru Linux constă în două părți. Un daemon (atlasvpnd) care gestionează conexiunile și un client (atlasvpn) pe care utilizatorul îl controlează pentru a se conecta, deconecta și a lista serviciile. Clientul nu se conectează printr-un socket local sau prin alte mijloace sigure, ci deschide în schimb o interfață API pe localhost pe portul 8076.

Codul de exploatare a fost făcut public și nu este dificil de utilizat în scopuri dăunătoare. Un atacator trebuie doar să-l încarce pe un site pe care îl controlează. Vulnerabilitatea afectează clientul Atlas VPN pentru Linux, versiunea 1.0.3. Din cauza vulnerabilității, aplicația și, implicit, traficul criptat între utilizator și gateway-ul VPN pot fi deconectate de un actor rău intenționat. Acest lucru ar putea duce la dezvăluirea adresei IP a utilizatorului.

Începând cu septembrie 2023, vulnerabilitatea nu va mai fi prezentă în aplicația Linux în cea mai recentă versiune a sa. În urma acestei rezolvări, AtlasVPN va informa utilizatorii să-și actualizeze aplicațiile la versiunea 1.1 remediată.

[mai mult...]

How to set up email addresses in Plesk

Posted 06 September 2023
By Andrei Petre
-1
66

Follow these steps to create a new email address in Plesk with the Power-user interface:

Open the Mail menu from the left column of the Plesk panel
Click the Create email address button
Enter the local part of the address (before the @ symbol) alongside the Email Address field
Select the domain name for the address from the drop-down to the right of the @ symbol
Select if you want to allow access to the customer Plesk panel using this email address using the tick-box for Access to the Customer Panel
Enter a password for the email and re-enter into the confirm password field or select Generate to automatically generate a password for the address
You can select to apply the default mailbox size or select Another size to set a disk space quota for the mailbox
Optional: You can enter a description for the email address into the Description in Plesk field, or you can leave this field blank
Click OK at the bottom of the page to create the address.

Service Provider interface

Follow these steps to create a new email address in Plesk with the Service-provider interface:

Open the domains menu from the left column of the Plesk panel.
Click the domain name that you want to create an email address for from the list on the following page
Click the Mail or Email Addresses link from the domain control panel page
Click the Create email address button to add a new address
Enter the local part of the address (before the @ symbol) alongside the Email Address field
Enter a password for the email and re-enter into the confirm password field or select Generate to automatically generate a password for the address
You can select to apply the default mailbox size or select Another size to set a disk space quota for the mailbox
Optional: You can enter a description for the email address into the Description in Plesk field, or you can leave this field blank
Click OK at the bottom of the page to create the address.

Email Client Settings

The following settings can be used to add the address to an email client application/device:

Account type: POP or IMAP
Incoming server: mail.yourdomain.com
Username: full email address
Password: Enter the mailbox password for the address
Incoming Port: 110 for POP accounts, 143 for IMAP accounts.
Outgoing server: mail.yourdomain.com
Authentication: Authentication is required for outgoing mail, using the same username/password as incoming settings.
Outgoing Port: 25

[mai mult...]

How to set up Plex Media Server on Windows

Posted 06 September 2023
By Andrei Petre
-3
95

With the proliferation of set-top boxes like Google TV, Roku and others, as well as the popularity of Android devices, there is a growing need to share media content across a home network. It’s not the most complicated operation in the world, but it does require some setup work at the onset.

There are several solutions for setting up a media server right in your home, but perhaps the simplest solution is to use Plex. The service provides both backend (the server) and the front end, which is in the form of apps for computers, mobile devices and set-top boxes.

To get started, you’re going need to setup the server on a computer within your network, preferably one that is always on, as the apps won’t get media unless the server is on and connected. Head over to PlexApp and download the program. It will work with Windows, Mac, Linux, FreeBSD and NAS.

Once you have completed the installation, it’s time to begin playing with the settings and letting the server know where to find your various media.
Clicking the app will open a dashboard window in whatever web browser you have set as your default, meaning that if you were to install it on a NAS, it’s still easy to administrate.
By default, you will have several media categories, including movies, music, photos and TV. You can easily add additional ones like home movies or music videos, or whatever you wish. To add a new category, simply click the Plus button and choose “add a section”, then give it a name.
Click on each section to begin adding your media. You will notice a folder icon in the left column, and if not, click the “options” button to reveal the column. From here, you can browse an available computer on your network to locate your files and then add them to the section. You can also change the view between tiles and list and filter content in a number of ways. You can even edit the media content.
Once you have completed adding the media, you will want to head into settings by clicking the screwdriver-wrench icon at the top right. From here, you can set things how you wish. If you frequently add new content, such as recorded TV shows, then the Library option should be your first stop.
The important part here is the Library Update Interval. If you wish to watch your new show as soon as possible, then set this to 15 minutes, which is the fastest available option.
Options also allow you to sign into your MyPlex account, enable DLNA, set network discovery, give your server a name, and much more. For most people, the default options, other than library refresh interval, should function just fine.

With your server up and running and everything set the way you want, it’s time to take care of the end-user. Plex apps are available for both Android and iOS, though, unlike the server, they aren’t free. Apps are also available for many of today’s set-top boxes, such as Roku and Google TV. If you are using the latter, then I recommend a third-party app called Serenity, which is available in the Google Play store.

[mai mult...]

Setting up mail server

Posted 18 August 2023
By Andrei Petre
5
71

These are some notes on setting up a small mail server suitable for a single user or a few users.

This setup uses the following projects to enable sending and receiving mail using SPF, DKIM, and DMARC for email authentication:

Postfix for mail transfer and delivery to Dovecot via LMTP.
Dovecot for IMAP access and SASL for Postfix with Pigeonhole for Sieve message filtering support
Rspamd for spam filtering, email authentication validation, and DKIM signing (with Redis for caching)
Let’s Encrypt and certbot to provide SSL certs

Moreover this configuration enables support for sending and receiving mail on two domains whereby the two domains mirror each other.

CERTIFICATES AND KEYS

SSL/TLS CERTS

Obtain an SSL certificate from Let’s Encrypt. This particular server did not have an existing HTTP server, so I used certbot in standalone mode:

# certbot certonly --standalone -d domain1.tld,domain2.tld

This produces a single certificate for both domains. Alternatively, one could invoke certbot for each domain to produce separate certificates.

DKIM KEYS

Rspamd includes a utility to generate DKIM keys. I created a directory within /etc/rspamd, protected it, and generated keys according to Rspamd’s dkim_signing guide.

# mkdir -p /etc/rspamd/dkim/keys
# chown -R rspamd:rspamd /etc/rspamd/dkim
# chmod -R 700 /etc/rspamd/dkim
# rspamadm dkim_keygen -s 'mail' -b 2048 -d domain1.tld -k /etc/rspamd/dkim/keys/domain1.tld.mail.key > /etc/rspamd/dkim/keys/domain1.tld.mail.txt
# rspamadm dkim_keygen -s 'mail' -b 2048 -d domain1.tld -k /etc/rspamd/dkim/keys/domain2.tld.mail.key > /etc/rspamd/dkim/keys/domain2.tld.mail.txt
# chown rspamd:rspamd /etc/rspamd/dkim/keys/*
# chmod 600 /etc/rspamd/dkim/keys/*

If you are having trouble splitting up the public key into multiple chunks within the DNS TXT record, you may need to use -b 1024 and live with the weakened security.

DIFFIE-HELLMAN PARAMETERS FOR DOVECOT

This is actually optional because I disabled non-ECC Diffie-Hellman ciphers in the Dovecot configuration.

# touch /etc/dovecot/dh.pem
# chmod 600 /etc/dovecot/dh.pem
# chown root:root /etc/dovecot/dh.pem
# openssl dhparam -out /etc/dovecot/dh.pem 4096

POSTFIX CONFIGURATION

The following Postfix configuration enables SASL through Dovecot, delivers mail to Dovecot’s LMTP service, enables TLS, and enables Rspamd as a milter.

I’ve only listed variables that differ from the defaults as of Postfix 3.7.

# based on Postfix 3.7.0
compatibility_level = 3.7

# Restrictions
# smtpd_recipient_restrictions includes the following features:
#   1.  prohibit specific senders via check_sender_access
#       create a list of prohibited domains in the following format
#           baddomain.tld   REJECT
#       save to /etc/postfix/sender_access and run `postmap /etc/postfix/sender_access`
#   2.  prepend X-Original-To for LMTP via check_recipient_access and set
#       lmtp_destination_recipient_limit
#       see https://dovecot.dovecot.narkive.com/jYiqyZYr/differences-in-delivered-to-header-between-deliver-and-lmtp#post7
smtpd_recipient_restrictions =  check_sender_access hash:/etc/postfix/sender_access,
                                check_recipient_access pcre:{{/(.+)/ prepend X-Original-To: $$1}}
lmtp_destination_recipient_limit = 1

# Aliases
alias_maps = hash:/etc/postfix/aliases
alias_database = $alias_maps

# Network
# set because $myhostname is domain.tld (not server.domain.tld)
mydomain = $myhostname
# set in order to add secondary domain
#   alternative is to use virtual domains: http://www.postfix.org/VIRTUAL_README.html
mydestination = $myhostname, localhost.$mydomain, localhost, localhost.localdomain, domain2.tld

# TLS support
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/letsencrypt/live/domain1.tld/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/domain1.tld/privkey.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database  = btree:/var/lib/postfix/smtp_scache

# SASL support
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Milters
#smtpd_milters = unix:/var/lib/rspamd/milter.sock
# or for TCP socket
smtpd_milters = inet:localhost:11332
non_smtpd_milters = $smtpd_milters
#milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# skip mail without checks if something goes wrong
milter_default_action = accept

# Delivery
mailbox_transport = lmtp:unix:private/dovecot-lmtp

# Others
recipient_delimiter = +
biff = no

To enable “Submission” (port 587) for client usage, the following can be added to /etc/postfix/master.cf:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Edit 2021-09-29: smtpd_tls_cert_file now points at the full chain instead of the individual cert.

Edit 2022-02-13: smtpd_recipient_restrictions uses Postfix 3.7’s inline pcre:{{}} syntax rather than requiring a separate file.

SUPPORTING MULTIPLE DOMAINS

In this configuration, I opted to serve multiple domains in the simplest way, by adding the second domain to mydestination. Postfix’s guide on this subject describes this way as being useful for the situation where each user receives mail in each domain, which was the case that applied to me. For more complex usages, one could use virtual alias domains, also described in that guide.

RELAY VS. RECIPIENT RESTRICTIONS

Postfix has a document that describes access restrictions. It notes that as of Postfix 2.10, the smtpd_relay_restrictions takes care of preventing Postfix from acting as an open relay. As such, many Postfix configuration tutorials do not have up-to-date guidance; instead, they opt to carefully configure smtpd_recipient_restrictions. As Postfix’s document illustrates, either way will work, so long as one of them prevents Postfix from acting as an open relay. In this configuration, I am relying on the sane default configuration of smtpd_relay_restrictions, which postconf -d smtpd_relay_restrictions reports to be:

smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}

Optionally, you can use smtpd_recipient_restrictions to prohibit certain domains. In my case, an attacker has been trying to sign up for an unprotected service by using fake emails from my domain name. I reject all emails from that service.

Edit 2020-07-06: Per this discussion, I have added a check_recipient_access entry that adds an X-Original-To header containing the original address that the email was intended for. Paired with the adjustment of the Dovecot configuration variable lda_original_recipient_header, this makes Sieve filtering based on address and “detail” (label after the + in an address) fairly simple.

I structured /etc/dovecot to follow the example template provided with Dovecot.

# mkdir -p /etc/dovecot
# cp -R /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot
# cp -R /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot

Importantly, I had to make a few changes to the files in conf.d/:

Because I am using passwd-file authentication, I commented out the inclusion of auth-system.conf.ext in conf.d/10-auth.conf:
```
#!include auth-system.conf.ext
```
Because SSL certs are located in /etc/letsencrypt, I commented out the attempts to read in those certs in conf.d/10-ssl.conf:
```
#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_key = </etc/ssl/private/dovecot.pem
```
I suppose one could symlink the certs to these locations instead.

I then made changes from the default configuration (as of Dovecot 2.3.10.1) by creating the following /etc/dovecot/local.conf. Dovecot will merge this configuration with the existing defaults.

protocols = imap lmtp

# conf.d/10-auth.conf

auth_mechanisms = plain login
!include conf.d/auth-passwdfile.conf.ext


# conf.d/10-mail.conf

mail_location = maildir:~/.mail


# conf.d/10-master.conf

service lmtp {
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        mode  = 0600
        user  = postfix
        group = postfix
    }
}

service auth {
    unix_listener /var/spool/postfix/private/auth {
        mode  = 0666
        user  = postfix
        group = postfix
    }
}


# conf.d/10-ssl.conf

ssl_cert = </etc/letsencrypt/live/domain1.tld/fullchain.pem
ssl_key  = </etc/letsencrypt/live/domain1.tld/privkey.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes


# conf.d/15-lda.conf

lda_original_recipient_header = X-Original-To


# conf.d/20-imap.conf

protocol imap {
    mail_max_userip_connections = 20
}


# conf.d/20-lmtp.conf

protocol lmtp {
    mail_plugins = $mail_plugins sieve
}

As a consequence, Dovecot provides a SASL service to Postfix for authentication and receives mail from Postfix via LMTP. It enables an IMAP service for mail user agent connection.

Edit 2020-07-06: The adjustment to lda_original_recipient_header (which also applies to LMTP) tells Dovecot to use the X-Original-To header to specify the original recipient.

Following Mozilla’s TLS guide, the minimum protocol is set to TLSv1.2. A more restrictive set of ciphers are allowed as well (in particular, no non-ECC Diffie-Hellman support).

Edit 2021-09-29: ssl_cert now points at the full chain instead of the individual cert.

USER AUTHENTICATION

This configuration uses a simple password file for authentication.

touch /etc/dovecot/users
chown dovecot:dovecot /etc/dovecot/users
chmod 600 /etc/dovecot/users

Passwords can be generated with dovecot pw -s SHA512-CRYPT as per Dovecot’s password scheme guide.

Then, following Dovecot’s Passwd-file guide, one can create a mostly-empty row:

in /etc/dovecot/users:

user:{SHA512-CRYPT}<hash>:sys_user:sys_user_group::/home/sys_user::

This configuration allows for a virtual mapping from user to the system account sys_user with its corresponding group sys_user_group and home directory /home/sys_user. user should be the account that you map all of your aliases in /etc/postfix/aliases to.

Edit 2022-01-29: The Rspamd-Redis connection now uses UNIX sockets.

Per Rspamd’s Quick Start guide, I adjusted a few Redis configuration settings slightly, namely setting a memory limit and policy and enabling access via UNIX socket. To do that, I added include /etc/redis.d/local.conf to the end of /etc/redis.conf and created the following /etc/redis.d/local.conf:

# settings recommended by Rspamd
#   https://rspamd.com/doc/quickstart.html

maxmemory 500mb
maxmemory-policy volatile-ttl
unixsocket /var/run/redis/redis.sock
unixsocketperm 770

I also followed the suggestion of setting vm.overcommit_memory = 1 with sysctl and in /etc/sysctl.d/.

RSPAMD

Rspamd is a powerful spam filtering tool that can also be used to add DKIM signatures to outgoing messages. I have used it since ~v1.2 (mid-2016); it has grown significantly since then, and there have been a few configuration-breaking changes in that time. However, I have not encountered such issues recently.

I made changes exclusively within /etc/rspamd/local.d and only included settings that changed the defaults as of Rspamd 2.5.

GLOBAL CONFIGURATION SETTINGS

I have Unbound configured as the local nameserver, so Rspamd will automatically use it (/etc/resolv.conf points to 127.0.0.1). Rspamd can generate a lot of DNS requests, so I have found this to be a valuable solution. Using a public nameserver will likely result in rejections over time.

Therefore, local.d/options.inc looks like:

# same as postfix $mynetworks minus loopback addresses (`postconf mynetworks`)
local_addrs = [
    <self IP addresses>
];

# DNS tuning for local DNS server
#   probably not necessary
dns {
    timeout = 10s;
    retransmits = 50;
}

# server does not support SSE3
disable_hyperscan = true;

PROXY WORKER AS MILTER

The Rspamd proxy worker acts as a milter by default, but should be configured to scan outbound mail to DKIM sign messages. That can be accomplished by setting the following in local.d/worker-proxy.inc:

upstream "local" {
    self_scan = yes;
}

# spawn more processes in self-scan mode
count = 4;

DKIM SIGNING

Because each DKIM key follows a structured file naming format, local.d/dkim_signing.conf is relatively simple:

# the same settings apply for all domains

selector = "mail";
path = "/etc/rspamd/dkim/keys/$domain.$selector.key";
allow_username_mismatch = true;

SPAM BLOCKING CONFIGURATION

For testing, it’s best to avoid outright rejecting emails that have a high spam score. The following adjustment in local.d/actions.conf adds spam headers to pretty much all messages that exceed the (default) add_header threshold.

# always add headers instead of rejecting
reject = 500;

The following files enable and configure their respective modules to use Redis as a backend.

Edit 2022-01-29: The Rspamd-Redis connection now uses UNIX sockets.

Rspamd connects to Redis via a UNIX socket (per these instructions). To provide Rspamd access, its user must be added to the redis group via usermod -a -G redis rspamd (note that some installations may have different usernames for Rspamd).

local.d/classifier-bayes.conf:

backend = "redis";

local.d/mx_check.conf:

enabled = true;

local.d/redis.conf:

servers = "/var/run/redis/redis.sock";

Adding the following to ~/.dovecot.sieve will send mail marked as spam to the Junk folder:

require ["fileinto"];

if header :is "X-Spam" "Yes" {
    fileinto "Junk";
    stop;
}

The firewall should open SMTP ports 25 and 587 and IMAP ports 143 and 993 to appropriate network traffic. For nftables, the following configuration can be added to an input inet filter chain:

tcp dport { 25, 587 }  accept comment "Allow SMTP/Submission"
tcp dport { 143, 993 } accept comment "Allow IMAP/IMAPS"

DNS entries need to be added for reverse DNS, SPF, DKIM, and DMARC. These tools all help other mail servers realize that your mail is not spam. Of course, an MX record is required as well.

For the domain name that matches $myhostname in Postfix (not any other domains), a PTR record is necessary. For example, for an IP address of 1.2.3.4:

4.3.2.1.in-addr.arpa. 3599 IN    PTR     domain1.tld.

An equivalent IPv6 PTR record is necessary, too. This tool is helpful in generating the record.

For all domains, an SPF record is required:

domain1.tld.    3599    IN      TXT     "v=spf1 ip4:<IPv4 Address> ip6:<IPv6 Address> -all"

Each of the DKIM keys generated above also generated a DNS record in /etc/rspamd/dkim/keys/$domain.$selector.txt. Each domain’s record must be added.

Adding a DMARC record to each domain helps other mail servers understand what to do with mail that failed SPF or DKIM checks. For testing, it makes sense to ask the mail server to keep the mail but send reports back to you.

_dmarc.domain1.tld. 3599    IN      TXT     "v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@domain1.tld"

By changing to p=reject, the other server will reject mail that failed these checks.

[mai mult...]

Phishing and Spam and Junk Email

Posted 18 August 2023
By Andrei Petre
1
65

Detecting whether email is junk, spam, or phishing is a challenge at the University of Washington. This is due primarily to the UW’s unusual email routing, which has been designed to support the UW community’s highly distributed IT infrastructure. The UW provides two centrally managed productivity platforms with email services (UW Google and UW Office 365). UW email also allows emails addressed from UW email addresses to be sent from anywhere, and incoming emails addressed to UW email addresses to be forwarded to anywhere.
Email sent to and from UW email addresses generally passes first through UW’s Email Infrastructure service infrastructure where it is scanned by Proofpoint, a software package that filters the majority of junk, spam, and phishing email, as well as email containing malware.

Once email has passed through the Email Infrastructure service, email is then delivered to the destination mailbox as selected on the UW email forwarding manage page. Upon delivery to the destination mailbox (e.g. UW Gmail, UW Office 365, consumer Gmail, Outlook.com, Yahoo!, etc.) email is then filtered again by the platform managing the destination mailbox (e.g. Google, Microsoft, Yahoo!, etc.) as junk, spam, or phishing email.
Read more about how the Email Infrastructure service filters email and how you can protect your email.
Determining if email is junk, spam, or phishing is up to each email service vendor (Proofpoint, Google, Microsoft, Yahoo! etc.) and is based on a wide variety of potential parameters that can change minute-by-minute. Additionally, user-implemented email filtering rules can also influence whether an email is filtered as junk, spam, or phishing.

If you send an email to or from a UW email address and receive a Non-Delivery Report (NDR) email
Non-Delivery Reports (NDR) are emails sent to a sender to report that an email has failed to deliver. These emails come from the last successful system to receive the email, not from the system that rejected or failed to accept the email. These reports should have details on why the email failed to deliver. Many times, the reason will simply be because the email address the email was sent to is no longer valid.
However, if the NDR email says an email was rejected as spam, try these steps:
• Send from a system officially “allowed” by your email domain’s Sender Policy. For those sending from @uw.edu email addresses, these include UW Google and UW Office 365 email services
• This does not currently include smtp.washington.edu and smtp.uw.edu that may be used with POP or IMAP clients to access UW Google and UW Office 365 mailboxes
• Never include links that immediately require a login
• Avoid using ALL CAPS in emails
• Avoid using excessive exclamation marks early and often in emails
• Remove any links or HTML from your signature
• Avoid using excessive HTML in emails with relatively little content
• Remove any potentially controversial or words commonly used in spam emails
If you try the above without success, try these steps:
• Switch to sending emails as plain text (instructions for Gmail and Outlook on the web)
If you are sending email that is being delivered to recipients’ spam/junk folders
If you are sending email that is being delivered to spam/junk folders for recipients utilizing UW Gmail, UW Office 365, commercial Gmail, Outlook.com, etc., try these steps:
• Send from a system officially “allowed” by your email domain’s Sender Policy.
• Never include links that immediately require a login
• Avoid using ALL CAPS in emails
• Avoid using excessive exclamation marks early and often in emails
• Remove any links or HTML from your signature
• Avoid using excessive HTML in emails with relatively little content
• Remove any potentially controversial or words commonly used in spam emails
If you try the above without success, try these steps:
• Switch to sending emails as plain text (Instructions for Gmail and Outlook on the web)
• Try sending the email from a different email address. If this works but you already have gotten this far down the list, then likely your specific email address has been marked as a problem. If you are using a UW email address, please contact help@edu for help in evaluating your situation. If you are using an outside address, please contact that organization for help
Read more about Gmail’s sender guidelines and Microsoft’s sender guidelines.
If you have tried all of the above which are practical for your situation, the recipient(s) will need to contact their email provider.

If you are receiving email that is incorrectly being delivered to your spam/junk folder
UW Gmail
If you are using UW Gmail and are finding emails in your spam folder that are being incorrectly delivered as spam, try these steps:
• Unmark an email as spam
• Add the sender as a contact
• Verify that you do not have a Gmail rule that filters these emails
• Verify that all devices and email clients you have configured to check your UW Gmail account have no rules or filtering in place
• If you have taken all of these steps and email is still incorrectly being delivered to your UW Gmail spam folder, please forward the email as an attachment to help@edu
If you try the above without success, you can:
• Add a Gmail rule to explicitly not filter the sender. Take this step with great caution and only for email addresses that are known and important to you, as it opens you to junk, spam, and phishing attacks sent from the email address(es) you exclude.
As a last resort, you can:
• Join this UW Group to opt out of all UW Gmail junk, spam, and phishing email protections
UW Office 365
If you are using UW Office 365 and are finding emails in your Junk E-Mail folder that are being incorrectly delivered as spam, try these steps:
• Under Filters, select “Trust email from my contacts” (Outlook on the web)
• Add the sender as a contact (Outlook on the web)
• Add the sender to Safe senders and domains (Outlook on the web)
• To add a domain, enter only the text after the @ symbol e.g. “edu” instead of “@edu”)
• Remove senders and their domains from Blocked senders and domains (Outlook on the web)
• Verify that you do not have rules or sweeps that could send emails to your Junk E-Mail folder (Outlook on the web rules, Outlook on the web sweeps)
• Verify that all devices and email clients you have configured to check your UW Office 365 account have no rules or filtering in place.

[mai mult...]

How to manage services using Services on Windows 11

Posted 19 July 2023
By Andrei Petre
-1
89

If you want the easiest way to stop, start, disable, or enable a service on Windows 11, you can use the “Services” app.

Stop a service
To stop a service on Windows 11, use these steps:
1. Open Start.
2. Search for Services and click the top result to open the app.
3. Double-click the service to stop.

4. Click the Stop button.

5. Click the Apply button.
6. Click the OK button.
Once you complete the steps, the service should stop. If the service doesn’t stop running, you may be trying to stop a critical service required for the system to operate correctly.

Start a service
To start a service on Windows 11, use these steps:
1. Open Start.
2. Seach for Services and click the top result to open the app.
3. Double-click the service to start.

4. Click the Start button.

5. Click the Apply button.
6. Click the OK button.
After you complete the steps, the service should start immediately.

Disable a service
To disable a service, use these steps:
1. Open Start.
2. Search for Services and click the top result to open the app.
3. Double-click the service to disable.

4. Click the Stop button (if applicable).
5. Select the Disabled option from the “Start menu” drop-down menu.

6. Click the Apply button.
7. Click the OK button.
Once you complete the steps, the service will no longer run on the device after restarting the computer. If you click the “Stop” button, the service will stop immediately.

Enable a service
To enable a service on Windows 11 using the Services app, use these steps:
1. Open Start.
2. Search for Services and click the top result to open the app.
3. Double-click the service to enable.

4. Click the Start button.
5. Select the how to start the service option:
a. Automatic: Starts the service automatically during start.
b. Automatic (Delayed Start): Starts the service automatically but after the system loads.
c. Manual: Allows users to start the service manually or through another service that the user tries to start.
d. Disabled: Keeps the service stopped regardless of whether it is needed or not.

6. Click the Apply button.
7. Click the OK button.
After you complete the steps, the service will enable after restarting the computer. If you want to run the service immediately, you also need to click the Start button.
You can also right-click the service and select the state. Or you can choose the service and choose the action (start, stop, pause, or restart) from the command bar at the top of the app.

How to manage services using Task Manager on Windows 11
On Windows 11, Task Manager includes the “Services” tab that allows you to manage services.
To stop or restart a service through Task Manager, use these steps:
1. Open Start.
2. Search for Task Manager and click the top result to open the app.Quick note: You can also right-click the Start button and select the Task Manager. Or use the Ctrl + Shift + Esc keyboard shortcut to open the app.
3. Click the Services tab.
4. Right-click the service and select the action:
• Start.
• Stop.
• Restart.

Once you complete the steps, the service will start, stop, or restart, depending on your selected option.
When using Task Manager, consider that you can’t disable or configure the service to start automatically.

How to manage services using Command Prompt on Windows 11
You can also use Command Prompt with the “net” (legacy) and “sc” (modern) command to disable, enable, stop, or start services on your computer.
Stop a service
To stop a service from an app or Windows 11 with Command Prompt, use these steps:
1. Open Start.
2. Search for Command Prompt, right-click the top result, and select the Run as administrator option.
3. Type the following command to view the available services and press Enter:sc queryex state=all type=service

4. Type the following command to stop one service with Command Prompt and press Enter:net stop “SERVICE-NAME”In the command, replace “SERVICE-NAME” for the name of the service. The quotation marks are only needed if there’s a space within the name.This example stops the printer spooler from using the service name on Windows 11:net stop “spooler”

5. (Optional) Type the following (different) command to stop a service and press Enter:sc stop “spooler”
6. After you complete the steps, the Command Prompt command will stop the Windows 11 or app service.

Start a service
To use Command Prompt to start a service, use these steps:
1. Open Start.
2. Search for Command Prompt, right-click the top result, and select the Run as administrator option.
3. Type the following command to view the available services and press Enter:sc queryex state=all type=service

4. Type the following command to start a service with Command Prompt and press Enter:net start “SERVICE-NAME”In the command, replace “SERVICE-NAME” for the name of the service.This example starts the printer spooler using the service name on Windows 11:net start “spooler”

5. (Optional) Type the following (different) command to start a service and press Enter:sc start “spooler”
6. After you complete the steps, the command will start the service on your computer.

Disable a service
To disable a service on Windows 11 with commands, use these steps:
1. Open Start.
2. Search for Command Prompt, right-click the top result, and select the Run as administrator option.
3. Type the following command to view the available services and press Enter:sc queryex state=all type=service

4. Type the following command to disable a service with Command Prompt and press Enter:sc config “SERVICE-NAME” start=disabledIn the command, replace “SERVICE-NAME” for the name of the service. The quotation marks are only needed if there’s a space within the name.This example disables the printer spooler using the service name on Windows 11:sc config “spooler” start=disabledQuick note: When you use the disable option on Windows 11, it doesn’t stop the current state of the service. If you want to stop immediately, you can restart the computer or stop the service using the following command.

Once you complete the steps, the Command Prompt command will be disabled on Windows 11.

Enable a service
To enable a service with Command Prompt, use these steps:
1. Open Start.
2. Search for Command Prompt, right-click the top result, and select the Run as administrator option.
3. Type the following command to view the available services and press Enter:sc queryex state=all type=service

4. Type the following command to enable a service and press Enter:sc config “SERVICE-NAME” start=autoIn the command, replace “SERVICE-NAME” for the name of the service.This example enables the printer spooler:sc config “spooler” start=auto

5. (Optional) Type the following command to start a service with the “Manual” option and press Enter:sc config “SERVICE-NAME” start=demand
6. (Optional) Type the following command to start a service with the “Automatic Delayed” option and press Entersc config “SERVICE-NAME” start=delayed-auto
7. (Optional) Type the following command to start a service immediately and press Enter:sc start “SERVICE-NAME”
8. After you complete the steps, the service will start immediately.

How to manage services using PowerShell on Windows 11
If you need to create a script or use commands, PowerShell also lets you manage system and app services.

Stop a service
To stop a service with PowerShell, use these steps:
1. Open Start.
2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
3. Type the following command to view the available services and press Enter:Get-Service

4. Type the following command to stop a service on Windows 11 and press Enter:Stop-Service -Name “SERVICE-NAME”In the command, change “SERVICE-NAME” with the name of the service to stop. If you want to use the service’s display name, then replace -Name for -DisplayName and specify the service name.This example stops the printer spooler on Windows 11:Stop-Service -Name “spooler”

5. (Optional) Type the following variant of the command also to stop a service and press Enter:Set-Service -Name “SERVICE-NAME” -Status stoppedIn the command, change “SERVICE-NAME” with the name of the service to stop.
6. (Optional) Type the following command to force stop a service that results in dependency errors using the previous commands and press Enter:Set-Service -Name “SERVICE-NAME” -Force
Once you complete the steps, the PowerShell command will stop the Windows 11 or app service.

Start a service
To start a service on Windows 11 with PowerShell, use these steps:
1. Open Start.
2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
3. Type the following command to view the available services and press Enter:Get-Service

4. Type the following command to start a service on Windows 11 with PowerShell and press Enter:Start-Service -Name “SERVICE-NAME”In the command, change “SERVICE-NAME” with the name of the service to start.This command starts the printer spooler service on Windows 11:Start-Service -Name “spooler”

5. (Optional) Type the following variant of the command also to start a service and press Enter:Set-Service -Name “SERVICE-NAME” -Status runningIn the command, change “SERVICE-NAME” with the name of the service to start.
After you complete the steps, the command will start the service immediately.

Disable a service
To disable a service with PowerShell commands, use these steps:
1. Open Start.
2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
3. Type the following command to view the available services and press Enter:Get-Service

4. Type the following command to stop a service and press Enter:Stop-Service -Name “SERVICE-NAME”In the command, change “SERVICE-NAME” with the name of the service to stop. If you want to use the service’s display name, then replace -Name for -DisplayName and specify the service name.This example stops the printer spooler on Windows 11:Stop-Service -Name “spooler”
5. Type the following command to disable a service on Windows 11 and press Enter:Set-Service -Name “SERVICE-NAME” -Status stopped -StartupType disabledIn the command, change “SERVICE-NAME” with the name of the service to disable. You can also use the -DisplayName option instead of -Name to use the service’s display name.This example disables the printer spooler service:Set-Service -Name “spooler” -Status stopped -StartupType disabled

6. (Optional) Type the following command to disable the service without stopping it immediately and press Enter:Set-Service -Name “SERVICE-NAME” -StartupType disabled
Once you complete the steps, PowerShell will disable the service you specified.

Enable a service
To enable a service with PowerShell on Windows 11, use these steps:
1. Open Start.
2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
3. Type the following command to view the available services and press Enter:Get-Service

4. Type the following command to enable a service and press Enter:Set-Service -Name “SERVICE-NAME” -Status running -StartupType automaticIn the command, change “SERVICE-NAME” with the name of the service to enable. You can also use the -DisplayName option instead of -Name to use the service’s display name. In this case, you may be able to use the display -DisplayName option. However, the command may prompt you to enter the name of the service, adding an extra step to the overall process. This example enables the printer spooler service:Set-Service -Name “spooler” -Status running -StartupType automatic
6. (Optional) Type the following command to enable the service without starting it immediately and press Enter:Set-Service -Name “SERVICE-NAME” -StartupType automatic

After you complete the steps, the PowerShell command will enable the service on Windows 11.

[mai mult...]

Addressing Employee and Executive Burnout

Posted 17 July 2023
By Andrei Petre
-2
112

While job burnout has risen in recent years, leaders can take steps to mitigate it and promote sustainable productivity for employees and executives.

The World Health Organization has defined job burnout as an occupational phenomenon characterized by exhaustion, cynicism, and reduced professional efficacy as a result of chronic workplace stress.1 Burnout can lead to voluntary turnover, lost opportunity cost, preventable medical costs, and ultimately, lower revenue and higher operating costs.

Insights for What’s Ahead
• Understand the implications of employee burnout on organizational profitability. Poor mental health due to workplace factors, compounded over time by lack of resources or support to address it, has made employee burnout an epidemic in the workforce with staggering financial implications.

• Help remove the stigma of talking about mental health. Survey data show that many employees are reluctant to speak with their manager about their mental health. Managers should help remove the stigma by openly discussing mental health with their teams and encouraging team members to look out for and support one another.

• Address workplace factors that can lead to burnout. To reduce the impact of burnout on your organization, train managers to set clear expectations, communicate empathetically, and promote psychological safety on their teams. Make the well-being of employees a performance metric for managers.

• Allow employees to truly take time off and balance work and life. Individual workloads and project timelines should be structured to allow employees to take time off so they can rest and recharge without feeling they are leaving colleagues unsupported or having anxiety about falling behind or being expected to be “on call.”

• Attend to executive and manager well-being and encourage leaders to lead by example. Executives and managers have the highest rates of burnout. To address this, create an organizational culture that empowers them to practice and promote wellbeing and set an example for their team members.

What Organizations Can Do to Address Employee Burnout

While stigmas surrounding mental health have greatly reduced in recent years, our recent survey of US
employees indicates that 40 percent of workers still do not feel comfortable speaking to their manager
about their mental health. Additionally, 59 percent of survey respondents say they have needed to take
time off to address their mental health, but only 15 percent felt comfortable asking for a day off for mental
health.
8 This means that managers cannot wait for their employees to tell them they are at risk of
burnout; they need to be proactive in discussing it with their teams.
Rather than singling out individuals who may be at risk of burnout but reluctant to talk about it, managers
should have team conversations about mental health and encourage team members to look out for and
support one another. Leaders can train and encourage managers at all levels to have these
conversations, setting a tone across the organization that discussing mental health is acceptable and will
not result in negative repercussions.

Address workplace factors that can lead to burnout

Our survey also found that the top factors contributing to workplace burnout are workload, poor
communication, work-life balance, time spent in meetings, and decreased connection to the mission.
Managers have the highest direct impact on their employees’ experiences and are thus uniquely
positioned to alleviate the factors that lead to burnout on their teams.

When asked what would help support their mental health, 47 percent of all respondents said training
managers to promote a healthy work-life balance and 23 percent said encouraging managers to
redistribute work more evenly. To tackle burnout at the ground level, managers should be trained to recognize signs of burnout and given the resources and support to advocate for their team’s well-being, ensure work-life balance, and promote psychological safety as a part of the operational strategy.10 CHROs should consider the following:
• Initiate programs that train managers to recognize the signs of distress and navigate available
resources for those who exhibit these signs;
• Incorporate employee well-being metrics into the performance metrics for managers, holding
them accountable for their team’s well-being;
• Work with CFOs to articulate the financial impact of employee and executive burnout to justify the
time and support given to employees and, in particular, managers.

Much like athletes who take time to recover after competitive events, employees need time for rest to
perform at their best. Many organizations try to address this need by implementing policies such as
unlimited personal time off and mental health days/sick days. However, time off without proper workload
management, along with changes to organizational culture around time off, is an ineffective solution to
burnout. Employees don’t just need time off, they need time off without guilt or adverse repercussions
when they return to work.
To make time off both acceptable and beneficial, have managers review deliverables and timelines so
that team members can creatively flex individual workloads and project timelines while still ensuring
fairness and business results. Managers can also be encouraged to carefully assess the need for a
meeting, versus a simple email or announcement, and determine who actually needs to attend those
meetings that are necessary.

Many organizations have found success with such strategies as
organizational policies restricting the sending of emails outside of traditional working hours, or email
signatures indicating that responses outside of work hours are not expected; shortened meeting times;
“no meeting” workdays; company-wide days off; and four-day workweeks.
In our survey, a flexible/hybrid work schedule ranked second in a list of workplace policies that would
support employee mental health.12 Organizations can explore creative ways to offer flexibility for their
employees tailored to their preferences to promote work-life balance and thus alleviate one of the major
contributing factors to burnout.
Attend to executive and manager well-being and encourage leaders to lead by example
Our survey indicates that executives and managers are reporting higher rates of burnout than ever,
commonly citing low work-life balance and rising job demands as the cause. Other recent surveys
revealed that:
• 35 percent of managers reported feeling burnt out frequently, compared to 27 percent of
individual contributors.13
• 70 percent of executives said they were seriously considering quitting their job to find one that
supports their well-being.14
• 81 percent said that a job that supports their well-being is more important than advancing their
career.15
Attend to executive and manager well-being by encouraging such practices as delegating tasks when
possible, setting strong work-life boundaries, or even enlisting a well-being coach. These practices can
have exponential impact, as not only will executive well-being improve, but executives will be setting a
powerful example for their team members. By taking care of themselves, executives signal to their
employees that doing so is not only permissible, but preferable. Leaders at all levels can have a
significant impact on workplace burnout by promoting a healthy work-life balance and modeling
prioritizing well-being in the workplace.
Burnout is an important indicator of deteriorating employee experience. Anticipating and addressing
burnout should be part of an overall organizational strategy to create a differentiated employee
experience, which results in sustainable productivity and strong competitive advantage.

[mai mult...]

How to use Focus on Windows 11

Posted 21 June 2023
By Andrei Petre
0
90

How to use Focus on Windows 11, By disabling notifications and hiding the Taskbar, Windows 11 22H2’s new Focus feature makes it simpler to focus on a single task. This feature is also compatible with the Clock app’s session timer. The Microsoft To Do app can help you prioritise your tasks and check them off as you complete them, and you can use Spotify to listen to your favourite tracks as you work if you need a little extra inspiration.

The Clock app can help you develop good routines by letting you establish daily challenges to push yourself toward a healthier lifestyle. The methods to activate the Focus function in the Windows 11 are outlined in this tutorial. Focus sessions can be initiated in Windows 11 22H2 in at least three different ways: via the Quick Settings flyout, the Settings app, or the Clock app.

These are the steps you need take to initiate a concentration session via the Quick Settings flyout:

A system’s date and time can be accessed via a button in the tray.
As a quick hint, you can also use the Windows key plus the N key combination.
Just head to the Calendar section and pick a time that works for you.
Just hit the “Focus” button.

Initiate a meditation session from the Settings app by following these steps:

Launch the preferences menu.
Select System and click it.
To access the Focus page, select it from the menu on the right.
Limit your time in the session.
Select the button labelled “Start focus session”

Follow these steps in the Clock app to initiate a concentrated work session:

Start the Clock programme.
Just go to the Focus sessions link.
Limit your time in the session.
(Optional) If you want to skip the breaks, you can do so by clicking the Skip breaks box.
Select the button labelled “Start focus session”

Follow these steps to begin your session and turn off app notifications and badges. When the countdown reaches zero, the Clock app will launch in a compact mode, complete with a timer, and all alerts will be silenced.

The Clock app allows you to customise your working time by adjusting the length of your concentrate times, the volume of your session’s finish and break sounds, and the degree to which Spotify and To Do are integrated into your workflow. I’ll show you how:

Ahead, Go!
Try it out for yourself by typing “Clock” into your search bar and then opening the first result.
For customization options, use the gear icon in the leftmost area.
Select the Time to concentrate option.
To set the duration of the time, head to the Focus period settings.
You can set the time duration for breaks using the Break period option.
To have a sound play whenever a session ends, turn on the End of session sound switch.
To modify the tone played when the session ends, select the desired option from the corresponding drop-down menu.
To have an audible signal play when a session ends, turn on the End of break sound switch.
To alter the sound played once a break is over, select it from the corresponding menu.
In order to activate the Spotify integration, simply flip the switch on (if applicable).
To modify your Spotify account’s preferences, select “Settings” from the menu.
You can activate Microsoft’s To Do integration by toggling the To Do switch on (if applicable).

[mai mult...]

Generative AI and the future of HR

Posted 19 June 2023
By Andrei Petre
0
88

Two recent pieces provide a high-level view of generative AI in HR. In a piece from May 2023, the Conference Board looks at key questions and impact areas. The piece suggests that, through the strategic application of AI, HR has an opportunity to impact financial outcomes in the company in relation to job design, organizational processes, analytics, talent acquisition, rewards, DEI, and employee engagement. In a June 2023 podcast, talent leaders Bryan Hancock and Bill Schaninger talk with McKinsey about the opportunities and risks of generative AI in HR, particularly in recruiting, performance management, and talent development. Taken together, the two pieces provide an up-to-date perspective.

AI, and in particular generative AI, has the potential to radically enhance HR processes and decision-making by sourcing, selecting, negotiating with, and then hiring candidates; generating custom
individual development plans and performance evaluations; monitoring worker productivity; writing reports; and conducting research on HR trends or legislative developments, all while controlling for suspicious activity and alerting managers to potential turnover risks. If done correctly, the ROI can be tremendous. At the same time, there are legal, reputation, and business risks, especially around bias and transparency.

Insights for What’s Ahead

• Besides enhancing HR processes and decision-making, generative AI has the potential to change the way work gets done and the way workers are managed. Sixty-five percent of CHROs expect AI to have a positive impact on the HR function over the next two years, according to The Conference Board CHRO Confidence Index, making proficiency in this technology a high priority for the function that is responsible for talent in the organization.
• However, risks associated with generative AI must be carefully considered and managed to avoid potential damage to an organization’s reputation, customer relationships, and strategic plans. It must be vetted through the same rigorous process as all business risk decisions.
• With people-related costs representing roughly half of most organizations’ operating budgets, the HR function has a tremendous opportunity to impact financial outcomes. CHROs will need to prioritize investments in new HR technology. Making the business case by articulating the longer-term positive impacts to the organization—whether those are in job redesign, organizational processes, information, analytics, markets, and employer brand—is critical.

• Generative AI offers significant opportunities for talent acquisition; total rewards; diversity, equity & inclusion; and employee engagement—the functions most likely to experience significant disruption. This is because of AI’s ability to analyze vast amounts of data, identify patterns, and make predictions about the likelihood of a candidate’s success or an employee’s likelihood of leaving.
• When adopting this new technology, CHROs will need to determine how workers and leaders are engaging with generative AI and developing guidelines to leverage this technology. HR serves a critical role in protecting the assets, strategic plans, client data, and intellectual property of the organization. Mastering the use of generative AI will become table stakes for successful employment and be considered a core skill for HR leaders.
• Asking the right questions before adoption will be critical to optimizing the implementation of generative AI applications. For CHROs the goal is to supervise its adoption in HR, implement it successfully and ethically, monitor its use, manage the impact of technology on job design and organization processes, and protect and upskill workers and those who lead them.

Generative AI: The Promise and the Peril

Many HR organizations already employ several types of AI in their processes, such as chat bots, to address benefit questions and applicant tracking systems (ATS) to sift through thousands of resumes to find the closest match to open job criteria. In a recent study by Eightfold AI, HR leaders reported they use AI to support many core functions, with at least 64 percent reporting that they use some form of AI as support for employee records management, payroll processing and benefits administration, recruitment and hiring, performance management, onboarding new employees, retaining current employees, cross-skilling and reskilling employees, company culture and rewards management, and managing talent mobility.

However, it is important to note a vast array of digital solutions, many of which are touted as artificial intelligence (AI), are already available to the HR function, yet, strictly speaking, few of those products qualify as AI. The term AI is often applied more loosely to mean the use of computer systems or agents to perform any task that, up until now, humans had to do. The disconnect between the expert’s view and the popular one often causes some confusion in the business world. (See our report AI for HR: Separating the Potential from the Hype.)

Estimates vary, but as many 70 percent or more of workers are already using generative AI citing higher productivity, speed, or the ability to get a jump start on a topic or project; few have had training on it, and most are keeping their usage very low key with employers.2 3 4 5Looking ahead, Microsoft expects to integrate generative AI into its suite of office applications used by most businesses today.

Other common HR platforms will likely do the same
The second quarter 2023 edition of The Conference Board CHRO Confidence Index found that 65 percent of CHROs expect AI in all forms to have a positive impact on their function within the next two years. To contrast, our C-Suite Outlook 2023 reported that CEOs are more focused on enterprise-wide digital transformation and less on enhancing AI and analytics competencies in the HR function, despite the increasing demand from investors and regulators for evidence-based, quantitative human capital disclosures. According to the survey, CEOs do not place a high priority on investing in improving skills in HR data analytics or implementing AI/generative AI in optimizing human capital management efficiencies.7 This creates an even bigger challenge for CHROs seeking to introduce this technology. CEOs must have a clear understanding of the technology’s value and be able to demonstrate the payback for the incremental cost.
Generative AI has the potential to radically enhance HR processes and decisions. Generative AI’s impact on the HR function, and by extension, workers and the workplace, is a game changer. Potential applications include the ability to source, select, communicate/negotiate with and then hire candidates; create jobs; write behavior-based interview questions; generate custom individual development plans and performance evaluations; and monitor worker productivity, thus augmenting the productivity of HR professionals. In addition, generative AI has the potential to change the way work gets done (including job design and human capital deployment) and the way workers are managed (including leadership and accountability).
Generative AI will offer workers (in most professions or jobs) options that will improve efficiency and speed as well as productivity. This new technology can create personalized marketing and social media campaigns for marketing pros, write or review code for IT professionals, support pharmaceutical research and development efforts in the creation of new medications, draft annual reports for corporate communication professionals, draft legal documents for general counsels, and analyze vast amounts of customer feedback for every organization.8 Every HR process is an opportunity for generative AI. For example, AI-driven pay transparency and equity audits provide greater insights and enable faster decision-making. The functions where generative AI can provide almost limitless opportunities for efficiency include talent acquisition, total rewards, DEI, and employee engagement.

While the HR function has a tremendous opportunity to impact financial outcomes, CHROs will need to not only make a strong business case for investments in new HR technology but also articulate the longer-term positive impacts to the organization—whether those are in job redesign, organizational processes, information, analytics, markets, and employer brand—and ultimately evaluate the risks/rewards associated with any new technology. Generative AI introduces new risks to organizations, workers, and those who lead them.
In its current state, information and analysis offered by generative AI may reflect the biases of a society—either coded by flawed humans or built from biased or incomplete information used to “train” it. In some cases, the data itself may be dated or reflect a history of decisions that, looking back, we would not want to repeat or codify. Current shortcomings include:
• Based on inaccurate information and dependent on the sources used to train it, AI sometimes “hallucinates,” meaning it confidently generates inaccurate information9 without flagging that shift for the user of the app;

• Uploading proprietary data into the AI apps for processing could pose organizational risks that include forfeiting ownership of information, intellectual property, patents, and copyrights;
• Confidentiality and data privacy policies may not be verifiable;
• Generative AI does not (currently) understand concepts and frameworks; it simply gathers data and makes predictions and/or creates a narrative;
• Transparency may be lacking about how algorithms work and how important safety, privacy, and fairness guidelines are to protect the organization, its people, its customers, and other stakeholders.
Don’t underestimate legal and ethical issues.

[mai mult...]