Windows Recall demands an extraordinary level of trust that Microsoft hasn’t earned | Op-ed: The risks to Recall are way too high for security to be secondary
Something I didn't think about until I saw someone making a post about it on Mastodon is that you may not have to worry about just YOUR PC, but what happens when you are on a zoom call or using another screen sharing app and THEIR PC is taking screen shots?
Now you just can't worry about your own machine, but every machine out there that might interact with you in that type of way could be capturing data. And if you accidentally have your email up or maybe a password manager, could their PC just be gobbling that up without you knowing?
It's always been a possibility that someone could do this but this makes it a default on feature for a lot of users you might interact with and makes them a prime target for malware to steal the sensitive data that wouldn't have existed in most cases before.
There was a funny joke from the early 90's, that went "When you connect your computer to another computer, you are connecting to every computer that computer ever connected with." That was such a funny joke. Funny...
Honestly even if Microsoft were trustworthy this is too much power for anyone. I actually like the recall feature but it would require a fully open source code to trust.
"During testing this with an off the shelf infostealer, I used Microsoft Defender for Endpoint — which detected the off the shelve infostealer — but by the time the automated remediation kicked in (which took over ten minutes) my Recall data was already long gone.”
Even with a fully open-source implementation, that thing tells on you more than normal system logs. I like it being called "privacy bomb" - waiting to give extra data to whoever gets into the computer.
Unfortunately by the time a service does this they've already got you by the balls and they know it. This is essentially Microsoft telling the world "what are you gonna do, not use Windows?" Because for most of the world that's not really an option.
Firstly, Microsoft has shown that it cannot refrainfrom abusing its access to private data when it's not impartial. Microsoft has even threatened journalists.
Secondly, Microsoft doesn't have a clean record of security, and data in the hands of Microsoft has been compromised to unauthorized hackers.
Thirdly, when US law enforcement asks Microsoft for your data without a warrant Microsoft rolls over like an attention starved puppy and yields everything without challenges. (same as Amazon and AT&T. Google required legal warrants ten years ago.)
Fourthly, ChatGPT4 has used access to external means to fulfill testing tasks and it is capable of willfully lying to third parties to achieve steps. When Microsoft's AI offerings are smart enough, it will know who you are and everything about you (assuming Microsoft fails to mitigate for this eventuality).
I have to use Windows at work. Fortunately I'm a domain admin. I'll be disabling this shit with conventional methods, and also write a scheduled task script to whack the SQLite DB...or whatever it takes to nuke it from orbit.
For home users, there are tools like NTLite that let you create custom installation images for Windows. Hopefully those will be able to remove it completely.
Unfortunately I do a lot more than browsing and gaming when it comes to Windows. I hope to retire soon, and then make the full switch. I do like Linux, and have used it for some things.
I chose the wrong horse when I began my career over 3 decades ago.
While initially all the screenshots will be stored locally (where people who own your computer through malware can access it), the time will come where Microsoft will deem it "necessary" to store them online, "for safety reasons". Then the race is open: Will they fall prey to hackers and data leaks before they can happily exploit the data themselves?
I usually find reasons to keep using microsoft products, but right now it's the first time I'm seriously considering ditching all my microsoft services for FOSS and move to linux.
It's gonna take a lot of effort and time migrating everything I use, but taking literal screenshots of your PC sounds fucking creepy, no matter how they sugar coat it. It's like someone else literally watching all you do.
Usually you know they get your data, but now they want exactly what you are seeing and exactly what you are doing, taking it right out of your screen. It's literal and plain spyware.
I have degoogled for a few years already, now I guess it's microsoft's turn.
I tried to search for a file on my computer the other day using windows search.
Was absolutely incapable of doing it. Maybe if it walked away for a few hours it would have eventually found the file, but I didn't have that sort of time.
It would be nice if Microsoft could make sure the features it currently has, actually work, before trying to add a bunch of stuff no one was asking for.
Well you see, when a capitalist and a politician love eachother money very much, they engage in an act of love collusion. This gets both of them very much money. So much in fact, that they couldn't possibly hold on to all of it. And the money that falls out of their pocket trickles down to every one! Thus, products are improved, and everyone gets their needs met!
This is the free market in action, and anyone who disagrees is a dirty Commie!
People online sometimes get mad at me when I say I don't want windows users to move to Linux, I don't want Linux to be popular at all. I enjoy being a Linux home user who knows the community is small enough to not draw the wrong kind of attention from bad actors and corporations.
Anyway, I enjoy seeing windows users get shit shoved down their throats like this, it is amusing and I can't wait to see what Microsoft is gonna do next while most of their user base just accepts it or cries online only to continue on windows.
This, as many users in infosec communities on social media immediately pointed out, sounds like a potential security nightmare.
Copilot+ PCs are required to have a fast neural processing unit (NPU) so that processing can be performed locally rather than sending data to the cloud; local snapshots are protected at rest by Windows’ disk encryption technologies, which are generally on by default if you’ve signed into a Microsoft account; neither Microsoft nor other users on the PC are supposed to be able to access any particular user’s Recall snapshots; and users can choose to exclude apps or (in most browsers) individual websites to exclude from Recall’s snapshots.
This all sounds good in theory, but some users are beginning to use Recall now that the Windows 11 24H2 update is available in preview form, and the actual implementation has serious problems.
Security researcher Kevin Beaumont, first in a thread on Mastodon and later in a more detailed blog post, has written about some of the potential implementation issues after enabling Recall on an unsupported system (which is currently the only way to try Recall since Copilot+ PCs that officially support the feature won’t ship until later this month).
The short version is this: In its current form, Recall takes screenshots and uses OCR to grab the information on your screen; it then writes the contents of windows plus records of different user interactions in a locally stored SQLite database to track your activity.
Data is stored on a per-app basis, presumably to make it easier for Microsoft’s app-exclusion feature to work.
The original article contains 710 words, the summary contains 260 words. Saved 63%. I'm a bot and I'm open source!
In before a Microsoft apologist drops in to tell us how much they are sick of Lemmy nerds suggesting Linux. Then, proceeds to cry about the terminal and provide reasons that could be a textbook definition of Stockholm Syndrome. Point them to this comment when they get here, please.