Email or username:

Password:

Forgot your password?
Kevin Beaumont

For those who aren’t aware, Microsoft have decided to bake essentially an infostealer into base Windows OS and enable by default.

From the Microsoft FAQ: “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers."

Info is stored locally - but rather than something like Redline stealing your local browser password vault, now they can just steal the last 3 months of everything you’ve typed and viewed in one database.

83 comments
Jon Greig

@GossiTheDog are they just holding "worst security ideas" contests every week

Edvin Malinovskis

@0x00string @GossiTheDog is this not inline with what Microsoft has been doing for years, if not ever? 👀

DELETED

@nCrazed @0x00string @GossiTheDog Not like they were saints in Ballmer or even Gates times. But the amount of aggregated data just increased release after release. Windows 10 was a lot less invasive than 11, and 7 a tad less, then XP and so on and so on. Basically Nadella is cranking the shit lever to 11, frogs who didn't make it out in time are doomed.

NosirrahSec 🏴‍☠️

@GossiTheDog I can't see this going live without a literal and figurative revolt, within Microsoft and outside of it.

NosirrahSec 🏴‍☠️

@GossiTheDog I will watch Microsoft burn if this shit keeps up and roast marshmallows on its smoldering corpse with glee.

cR0w

@NosirrahSec @GossiTheDog I don't think it will. Microsoft will have "heard the concerns of customers" and scale it back so it looks like they care, but it'll still be unnecessarily intrusive.

Alun Jones

@cR0w @NosirrahSec @GossiTheDog Yeah, I was thinking about that time when the file system was going to become SQL Server, and that other time when the Windows kernel was going to be .NET, and that other time...

Bee O'Problem

@cR0w @NosirrahSec @GossiTheDog I wouldn't be surprised if they put easy opt-out into Pro or Enterprise options only and/or make it only controllable through Group Policy.

Matt Hardy

@NosirrahSec @GossiTheDog So every unlocked workstation, every compromised device. "Recall show me the last adult material I viewed." I can see printed porn coming back into fashion. Or Linux

NosirrahSec 🏴‍☠️

@TechnicalAdept @GossiTheDog I don't give a shit who knows about my sexual fantasies or my porn habits. (I am not saying that isn't a threat, but it isn't to me lol)

I just fear for those that ARE afraid of this threat, because to them it IS a threat.

Matt Hardy

@NosirrahSec @GossiTheDog remember those fake extortion scams that pretend to have caught you looking at porn - Ever been tempted to reply to them - You haven't got my collection of Dwarf Latex Nuns have you? My original got corrupted.

Mark

@NosirrahSec @GossiTheDog Since Windows 10 I suspected they've been doing this with telemetry so I moved all important stuff other than my Steam account off my Windows boxes years ago. Sucks cause it is a nice OS otherwise.

Fishd

@GossiTheDog Well, if this doesn't make Year of the Linux Desktop a thing, we're all doomed.

Simon B

@GossiTheDog about 20 years ago, Google introduced the option to press down arrow and match recent searches in the Google search box. I let a crafty colleague type into my browser momentarily and within a nanosecond, he tried to catch me out by typing the start of a smutty search query to see if there were any matches. I passed the test but learned a lesson about the speed at which someone could reveal something about you.

@990000@mstdn.social

@GossiTheDog holy cow I’m still trying to wrap my head around the dangers of this beyond the obvious. Like if someone gets their hands on the trained “edge” data, how much more dangerous is it than conventional hacking?

Hegel

@GossiTheDog even if it's true that everything concerning #Recall happens locally and is stored locally now, it will be monetized eventually. Either #Microsoft changes some policy or some Zero Day makes it possible to exfiltrate the data. I'm looking forward to the first hack that simply lets a hacker ask your PC for compromising facts...

smallerdemon

@GossiTheDog I'm sure there's no problem with this being used in healthcare and banking environments at all. Or even in environments assisting vulnerable communities. I mean, it's not like Microsoft has had any well publicized security issues recently.

Ozzy

@GossiTheDog@cyberplace.social I think this is excellent progress by humans.
"App developers will be able to hook into Recall to provide a more seamless experience between snapshot and app."

https://www.windowscentral.com/software-apps/windows-11/microsoft-details-how-apps-can-integrate-with-windows-11s-new-ai-recall-feature

JJ

@GossiTheDog At no point in this video do they mention anyone asking for this. We didn't.

I love that they're leaning hard on the fact that the data is protected from other users. That... doesn't matter. You're running automated enumeration for anyone that gets access under my user context. Don't do that. Jesus.

Glitch
@GossiTheDog how in the name of fuck are they going to explain this one under shit like the GDPR.
DELETED

@GossiTheDog

It seems like evey few months Microsoft adds another awful thing that makes me thankful for abandoning Windows.

Jon Greig

@GossiTheDog it’s like they got a focus group of cybercriminals together when making this

Not Simon 🐐

@jgreig @GossiTheDog Maybe Google has a point about diversifying from a monoculture: blog.google/technology/safety-

I specifically requested the opposite of this.

JeffTP

@GossiTheDog Info is stored locally until Microsoft decides to monetize it or until law enforcement makes an extralegal request for it. Or until the US sends a national security letter to Microsoft.

Mardoch

@GossiTheDog year of Linux on the desktop, let's fuckin go

Chris Merkel 🐀👨🏼‍🍳

@GossiTheDog I can't wait for the first malware to drop that hooks the API so they don't have to do their own info theft.

Noah Cook

@GossiTheDog Yes, by all means, copy the PHI on my government work laptop without my permission.

It will serve as an excellent lesson on the meaning of the phrase "sole monopoly on the legitimate use of force".

O'Schell

@GossiTheDog Microsoft is opening to a new market: HASS (Hack as a service)

It so bad, I bet even the NSA is like "actually, we didn't requested that one..."

railmeat

@GossiTheDog This sounds like it could be a very useful feature. You just have to trust Microsoft to manage your data responsibly. I don't trust MS.

Shaun Dyer

@GossiTheDog I wasn’t planning to go back to Microsoft anything but now I’m 100% out for good. This is an awful idea.

Martin Hamilton

@GossiTheDog I legitimately thought this was a leak from a whistle-blower at first :blobfoxeyes:

coffe☕

@GossiTheDog this is what I call a perfect clusterfuck! Wohooo keep your hands Inside the wagon and start to scream! 😂😂😂

Jan-Hendrik

@GossiTheDog good thing my Fedora install media is still good. Time to reinstall my Surface Pro as well :)
I haven't yet gotten around to it, but the way things are progressing it feels like now is a great time for a new OS.

ЯØ81И

@GossiTheDog OpenAI and Microsoft seemingly vying for who can be the bigger baddie

Nigbot
YOU GON MAKE ME HAVE YO QUADROON CHILE NIGGA FUCK NAW YOU AIN'T DOIN THAT NIGGA I'S AFRICAN MAIN WE DUH MASTER SEED YOU KEEP YO BITCH DNA TO ALL YALLSELF NIGGA BITCH FUCK YALL :glitter_4:
andybrwn

@GossiTheDog @somedude As an attorney with obligations of confidentiality and some strict rules about who can access what data, I can’t see how I could use this OS. I’m not an IT guy, but this sounds like a horrendous idea.

rrb

@GossiTheDog On the positive side, you will have lost your job to AI and be homeless by then, anyway. You won't have a computer and will therefore not be online.

There is no possible downside for this tech.

Rick Mycroft
@GossiTheDog I didn't buy a personal computer to let Microsoft enclose it.
smxi

@GossiTheDog i remember Microsoft. I used to work with their OS as sys admin but it was so buggy and poorly documented I figured they'd dropped that project long ago. So people still use windows? Interesting.

Their recent moves suggest strongly marketing is now firmly in control. Like apparently happened to Google search in 2019. In other words MBAs running the show. But this may be the long term fate of every large corporate run project so in a sense inevitable.

Xfce and i3 just chug along.

Sam Wronski

@GossiTheDog I just... I dont get this. I have never seen a company publish something so blatently harmful so enthusiasticly.

What about the queer kids who use a shared family computer to covertly access lgbt resources?

DELETED

@GossiTheDog This has to be (made) illegal at least in the EU 😃

Magenta Rocks

@GossiTheDog @briankrebs

So many companies use microsoft and now your recall can probably be examined or subpoenaed by regulators! Imagine the HR nightmare over employee spying. Good grief!

Crimea River

@GossiTheDog I can hear noyb loading up another salvo from here.

Guillaume Rossolini

@GossiTheDog dude can’t even count to 3 in his last bit, how…

Ivan

@GossiTheDog i thought that implementing "big brother" was something bad...it seems that i've misread the book

Aunt Swiggony

@GossiTheDog

I’ve never felt relief to find out about a vulnerability; I’ve been unable to sign into anything for Windows since well over two years ago and that’s now a lovely retroactive thing to not have to deal with. it’s also batshit terrifying for a lot of pedestrian reasons regarding my well being

mmby

@GossiTheDog yeah I'm going back to a Linux soon

Sumukha S

@GossiTheDog It’s basically this scenario. They have AI. They don’t how to integrate it properly and they are confident they will beat macs. It’s fucking hilarious.

Kristian Horwood :verified_paw:

@GossiTheDog I can't help but feel Microsoft are making a suicidal play here.

Rob\ViewdataUK

@GossiTheDog
My laptop keeps trying to get me to upgrade from Win 10 to 11. I've always refused, not really liking what I've seen of 11, but this moves it right to "over my dead body" and beyond. Might be time to look into Linux-on-the-desktop - definitely once they stop updates for 10.
(I run Linux, too, on a pile of servers, but it's all headless/cli. Last time I tried using a linux GUI was over a decade ago - is it any better now?)

DrGeraintLLannfrancheta

@GossiTheDog oh my god. And they call this a feature? OK, now perhaps next year is really the year of Linux on the desktop...

Ponygirl

@GossiTheDog When I retire, I'll not have a phone, computer, nor any clocks in my home. I just may boot the TVs too. I have tons of books and a young pony to keep me plenty busy.

BergerodeCyber

@GossiTheDog “all watched over by machines of loving grace”

Ryan Hamel

@GossiTheDog@cyberplace.social If it runs locally, how can they steal anything, exactly? Sounds like FUD.

David Plisken 🏳️‍⚧️ BLM!

@GossiTheDog gotta train the AI. Nothing is now important to MS than AI. Gotta create that corpus of data to sell to other AI companies. The products are no longer for us, we and its behaviors are just data to save and sell.

Andreas Bulling

@GossiTheDog The solution is simple and has been around for decades: Use Linux.

I don't understand why people bother with Microsoft and Windows at all anymore.

Positive side effect (out of many more): I don't even remember the last time that I've installed/used an "anti virus" software.

Kevin Beaumont

I've written up my thoughts on the Copilot Recall feature in Microsoft Copilot+ PCs

I think it will enable fraud and endanger users, and is not the sign of a company who are committed to security first.

doublepulsar.com/how-the-new-m

Kevin Beaumont

The UK’s ICO have opened an investigation into Copilot+ Recall. bbc.co.uk/news/articles/cpwwqp

Kevin Beaumont

Copilot+ Recall has been enabled by default globally in Microsoft Intune managed users, for businesses.

You need to enable DisableAIDataAnalysis to switch it off. learn.microsoft.com/en-us/wind

Kevin Beaumont

Here’s Copilot+ Recall search in action, showing instant text based search finding a WhatsApp chat and a PDF from 6 months ago being viewed on screen.

Kevin Beaumont

Two quick updates -

A) if you disallow recording of a website in Control Panel or GPO, in Chrome it is still recorded - disallow recording only works in Edge browser

B) Firefox and Tor Browser is recorded always, including in private mode - the exception is Hollywood DRM’d videos

Kevin Beaumont

I got ahold of the Copilot+ software.

Recall uses a bunch of services themed CAP - Core AI Platform. Enabled by default.

It spits constant screenshots (the product brands then “snapshots”, but they’re hooked screenshots) into the current user’s AppData as part of image storage.

The NPU processes them and extracts text, into a database file.

The database is SQLite, and you can access it as the user including programmatically. It 100% does not need physical access and can be stolen.

Kevin Beaumont

And if you didn’t believe me.. found this on TikTok.

There’s an MSFT employee in the background saying “I don’t know if the team is going to be very happy…”

They should probably be transparent about it, rather than telling BBC News you’d need to be physically at the PC to hack it (not true). Just a thought.

Kevin Beaumont

I ponder if Microsoft's engineers are following the SQLite code of ethics, since they're using it in Windows OS with Copilot+ Recall? :D sqlite.org/codeofethics.html

Kevin Beaumont

So the code underpinning Copilot+ Recall includes a whole bunch of Azure AI backend code, which has ended up in the Windows OS. It also has a ton of API hooks for user activity monitoring.

Apps themselves can also search and make themselves more searchable.

It opens a lot of attack surface.

The semantic search element is fun.

They really went all in with this and it will have profound negative implications for the safety of people who use Microsoft Windows.

Kevin Beaumont

If you want to know where tech companies are with AI safety, know Microsoft Recall won’t record screenshots of DRM’d movies..

..but will record screenshots of your financial records and WhatsApp messages, as corporate interests were prioritised over user safety.

And it’s enabled by default.

Kevin Beaumont replied to Kevin

I’ve managed to get Recall working in full on a non-Copilot+ system, without an NPU. Will accelerate testing.

Kevin Beaumont replied to Kevin

Copilot+ Recall feature pop quiz:

You deal with a sensitive matter on my Windows PC. E.g. an email you delete. Does Copilot Recall still store the deleted email?

Answer: yes. There's no feature to delete screenshots of things you delete while using your PC. You would have to remember to go and purge screenshots that Recall makes every few seconds.

If you or a friend use disappearing messages in WhatsApp, Signal etc, it is recorded regardless.

Kevin Beaumont replied to Kevin

It comes up a lot as people are rightly confused, but if you wonder what problem Microsoft are trying to solve with Recall:

It isn't them being evil, it's business leaders who are middle aged and can't remember what they're doing driving decision making about which problems to solve.

A huge amount of business leaders are dudes who have no idea what the fuck is happening. This leads to the Recall feature.

Microsoft exists in and is driven by that bubble.

Kevin Beaumont replied to Kevin

I asked Microsoft Copilot to write a song about Copilot+ Recall.

Go Up