Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft AI Security Windows

Is the New 'Recall' Feature in Windows a Security and Privacy Nightmare? (thecyberexpress.com) 140

Slashdot reader storagedude shares a provocative post from the cybersecurity news blog of Cyble Inc. (a Ycombinator-backed company promising "AI-powered actionable threat intelligence").

The post delves into concerns that the new "Recall" feature planned for Windows (on upcoming Copilot+ PCs) is "a security and privacy nightmare." Copilot Recall will be enabled by default and will capture frequent screenshots, or "snapshots," of a user's activity and store them in a local database tied to the user account. The potential for exposure of personal and sensitive data through the new feature has alarmed security and privacy advocates and even sparked a UK inquiry into the issue. In a long Mastodon thread on the new feature, Windows security researcher Kevin Beaumont wrote, "I'm not being hyperbolic when I say this is the dumbest cybersecurity move in a decade. Good luck to my parents safely using their PC."

In a blog post on Recall security and privacy, Microsoft said that processing and storage are done only on the local device and encrypted, but even Microsoft's own explanations raise concerns: "Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry." Security and privacy advocates take issue with assertions that the data is stored securely on the local device. If someone has a user's password or if a court orders that data be turned over for legal or law enforcement purposes, the amount of data exposed could be much greater with Recall than would otherwise be exposed... And hackers, malware and infostealers will have access to vastly more data than they would without Recall.

Beaumont said the screenshots are stored in a SQLite database, "and you can access it as the user including programmatically. It 100% does not need physical access and can be stolen.... Recall enables threat actors to automate scraping everything you've ever looked at within seconds."

Beaumont's LinkedIn profile and blog say that starting in 2020 he worked at Microsoft for nearly a year as a senior threat intelligence analyst. And now Beaumont's Mastodon post is also raising other concerns (according to Cyble's blog post):
  • "Sensitive data deleted by users will still be saved in Recall screenshots... 'If you or a friend use disappearing messages in WhatsApp, Signal etc, it is recorded regardless.'"
  • "Beaumont also questioned Microsoft's assertion that all this is done locally."

The blog post also notes that Leslie Carhart, Director of Incident Response at Dragos, had this reaction to Beaumont's post. "The outrage and disbelief are warranted."


This discussion has been archived. No new comments can be posted.

Is the New 'Recall' Feature in Windows a Security and Privacy Nightmare?

Comments Filter:
  • Yes. (Score:5, Informative)

    by Known Nutter ( 988758 ) on Sunday June 02, 2024 @02:13PM (#64517993)
    How could it not be? Next question.
    • Re:Yes. (Score:5, Insightful)

      by Joce640k ( 829181 ) on Sunday June 02, 2024 @02:33PM (#64518037) Homepage

      It's the exception that proves Betteridge's law.

    • Instead of creating an underlying data store that all programs could and would want to use, let's pretend we can understand one way the programs talk with users and extract information from it.

      No, this is not a privacy issue (by stealing anything you can see). No this is not a security issue (by copying visible information that might have been segregated in other ways like by VM).

      It's a feature!

      • by clovis ( 4684 ) on Sunday June 02, 2024 @04:41PM (#64518317)

        I've been in IT since the 1970's, and this is the biggest wtf by far.
        I'd rather have a mandatory goatse wallpaper than this feature .

        But speaking as a BOFH, I know who does want this for the other people, and that is corporate management. The kind that requires people to have monitoring software and webcams on the computer.

        • I'd rather have a mandatory goatse wallpaper

          Shit, I feel old remembering accidentally stumbling upon Goatse back in the dayt.

        • by Luckyo ( 1726890 )

          Most people forget that ever since win10, you already gave all your passwords and such to Microsoft. And only morons like myself protested by not downgrading to it, while everyone else moaned for a bit and then accepted it.

          Congratulations, you're getting even more of the shaft in your rectum. What, you kept believing they wouldn't go deeper when they said "just the tip" and then shoved it half way in?

          • by jhoegl ( 638955 ) on Sunday June 02, 2024 @08:56PM (#64518773)
            This is the first part of them saying "if you dont want it, subscribe", after paying for the OS up front.

            ITs the first part of their increased scamming of people to milk more money out of them.

            This all started when Microsoft decided to sell us fixes to their shitty OS by forcing us to buy the next iteration. Want Windows Vista fixed? Buy 7... want Windows 8 fixed, buy 10.... same shit different style.
            • by Luckyo ( 1726890 )

              Pretty sure that's not it and they just want to slowly ease people into the brave new world where all your data is accessible to them.

          • I've been on linux for 6 years now because of shit like this.
            • by Luckyo ( 1726890 )

              I really, REALLY wish Linux people would get their shit together and make a competitive distro for desktop. Instead of the shit show that is countless distros that have questionable interoperability with each other, much less popular windows software.

              Not to mention the troubleshooting needs. If I want to go back to windows 95 era of having to do a lot of things in command line, I'll just get that.

              • I find it's more of an application accessibility issue then anything else. Been on Linux exclusively for about 5 years and my only "issue" is really certain programs written for Windows don't work. Well, gee, of course they don't, they weren't compiled for linux.

                With that said, it's getting a lot better but it's also the exact same problem I'd have if I went Apple.

                The platform doesn't really matter so long as the software you want to run is available. A lot of business software is very much windows only. Ma

                • by Luckyo ( 1726890 )

                  You're probably at least partly right.

                  But it really doesn't help that a lot of functionality on linux still requires command line. It works fine for experienced admins who have to do that shit for a living. Your typical home power user that is stuck on windows and would love to move to something that doesn't need to be castrated to not be out of box malware and spyware would love an OS that's good enough at emulating his/her favourite software, while being fully configurable and troubleshootable through men

                  • I've been "playing" with Linux for a decade or more prior to actually using it as my full time, exclusive OS. These days, I almost never NEED to use the commandline to get things done. Sure, I do because it's usually faster to find and edit a config file but I'm not usually doing that. The system just works.

                    Day to day operations literally is just clicking icons on the desktop to launch programs. That's no different on Windows, Mac, IOS or Android.

                    The #1 thing that piqued my interest in Linux was in fact the

    • Re:Yes. (Score:4, Informative)

      by thegarbz ( 1787294 ) on Sunday June 02, 2024 @02:58PM (#64518089)

      How could it not be? Next question.

      Because you're running Windows. You have neither security or privacy left to destroy.

      • Because you're running Windows. You have neither security or privacy left to destroy.

        Says person unironically whilst using social media.....

        • Yes, some person or bot called Computershack might know what some person or bot called thegarbz thinks about security! OH THE INSECURE HUMANITY!11!1!!

        • Says person unironically whilst using social media.....

          I would hardly consider Slashdot to be any form of "social media".....

    • Re:Yes. (Score:4, Funny)

      by penguinoid ( 724646 ) on Sunday June 02, 2024 @03:13PM (#64518123) Homepage Journal

      Politicians have been denouncing it for decades -- "I don't Recall"

    • Here's the next question.

      Is it *more* invasive than Windows already has been? Your every move has been tracked for years already. What specifically is worse about this Recall feature? Help me understand!

      • Re:Yes. (Score:5, Insightful)

        by postbigbang ( 761081 ) on Sunday June 02, 2024 @04:40PM (#64518315)

        By default, yes, but in reality, no.

        Edge marketshare is puny. OK, Chrome, you say.... well Google is tracking you now. OK-- Firefox!!! If you use enough plugins on Windows, yes; most plugins are disabled on Firefox on Android. Don't get me started about Apple.

        But let's say you disabled telemetry and for added assurance, downloaded readily-available hosts files with the DNS names and IPv4 and 6 addresses where MS tracks you.

        Well, yes, you can effectively turn off Windows tracking and the apps and machine work-- unless you made the mistake of using Microsoft apps, including games.

        Empirically, Recall is even worse, and there is your misunderstanding,You have other choices; some of us must put nose clips on our nose and use Win11/10. But we'll be damned if we're going to wittingly feed our assets-- our data! to Microsoft, Google, whomever we choose to deny it. It's OUR information.

      • Re:Yes. (Score:5, Interesting)

        by dlarge6510 ( 10394451 ) on Monday June 03, 2024 @04:26AM (#64519195)

        > What specifically is worse about this Recall feature?

        https://en.wikipedia.org/wiki/... [wikipedia.org]

        When you have a local database of everything you have looked at, including secret project work (I have worked in secret IT, government etc, they use windows and I had to ADMIN them and consider the security) that becomes a new attack surface.

        As an admin who must think about security threats, simply this code existing as a standard part of windows is insane. We would usually want something taking regulat screenshots to be blocked from doing so, detected as a virus and the machine automatically isolated from all network connections.

        This feature better be fully controllable by pro and enterprise as it is a true treasure trove for anything that installs itself onto the machine and can lift the encrypted database for cracking attempts. We all know that there will be flaws and bugs, so malicious code may simply be able to hijack the correct rights and gain access legit!

        For home users, using lower versions of windows this might be a useful feature, but employees on enterprise and pro installs must have this UNINSTALLED by default. I dont want any part of the code to be in the filesystem. Windows is full of uneeded crap already, I have servers that have Xbox crap installed I mean WTF.

        Anyway, do you remember the security advice about never taking a photo that incluses a shot of your credit card, say in the open on the table? Well, there was malware able to lift your card details from such photos, installed on your phone when you sideloaded a game or... installed a valid game/app from the app store that had been hijacked. Now your PC is automatically screenshotting your card numbers.

        The problem is invisible to those who think security is possible. The fact is. IT ISNT. Security isnt possible, we dont have the OS' or the hardware architectures to make security possible so all we do, to "have security" is to patch bugs when they are found. YOu dont have security unless it's been patched and it only gets patched wen nice, kind people, the right people find it.

        The best security of all is to not have access to random code thrown at you by compromised websites. That means to be offline, all the time. To install the OS from read only media confirmed to have a known good copy of the OS code (which could have been compromised before the media was made), like from good old read only CD-ROM etc or read only flash media manufactured as such.

        But that offline system would only be usefull for offline purposes.

        Once you plug anything into the net, Yeeehaww, you are in the wild west.

        So it's better to remove unwanted code and features, stop or even uninstall unneeded services that you don use. This reduces the attacj surface, it wont save you but it will make you a harder target.

        This new featre is a golden goose laying golden eggs for anyone who can lift the data... Even though "you can turn it off", it could be turned on again by the attacker. Why do you have a webcam privacy sheild? Because of just that, webcams are turned back on, the little light made not to light, and snappy snappy.

        Iphone cracks sell for loads-a-money on the dark web... There wil be loads of cracking going on with this feature.

        Do you get it now?

    • Someone please resurrect it.
    • by xeoron ( 639412 )
      If it takes snapshots every second... how long does it take to fill the systems disk space from a standard machine with 256GB of space?
      • The default settings are to use 25 GB, so, never?

      • CCTV does this all the time.

        A 1fps video takes up barely any room.

        A png screenshot of by dual monitors = 540KiB

        271,056,869KiB / 540 = 501,957 seconds = 139 hours = 5.7 days

        However, seems like the service is limited to using 25GiB so it deleted the oldest stuff which assuming the file size is 540KiB and nothing smaller, gives this feature a 13 hour memory.

        • Microsoft will probably back this up for you in their cloud and will give this feature more hours of screen time. It will be sold as a "feature" and premium tiers will exist. Personally it sounds like a horrible idea for all the reasons people have already mentioned.

          But if you run Windows, you don't really own your own data or privacy and you never really had security so this seems par for the course.

  • by ctilsie242 ( 4841247 ) on Sunday June 02, 2024 @02:14PM (#64518003)

    I do know that in businesses, this will be a bonanza for attorneys seeking motions of discovery. It will be at beast a headache, at worst pure hell for sysadmins.

    Then toss in data exfiltration issues, if, as mentioned, this data does go outside of the PC or network.

    • by 93 Escort Wagon ( 326346 ) on Sunday June 02, 2024 @02:22PM (#64518017)

      It will be at beast a headache, at worst pure hell for sysadmins.

      I imagine this can be readily disabled via Group Policy*. I'm frankly more worried about data theft from home users.

      *Although I won't be surprised when we start hearing stories about remote threat actors socially engineering their way into critical networks and quietly re-enabling this feature, then using the snapshots to steal sensitive data.

      • Even if it likely can be disabled company wide... I'll bet users will get used to it at home, and then start to require it at work. With enough pressure and lack of publicly reported issues, IT may have to support something they know is a terrible idea.

        Wonder what could be done to narrow the problems? Like switching to a whitelist instead of blacklist, or scheduling/flagging time as work versus otherwise (only record 9-5, or when active meetings are happening from calendar, or 'calls' to business contact

        • by pixelpusher220 ( 529617 ) on Sunday June 02, 2024 @03:30PM (#64518171)
          The best take on this was, CEOs will not allow this because what they actually fear is not security issues, but opposing counsel in discovery lawsuits.

          Corps already do surveillance on their users for legal reasons. They will either control the surveillance or they will block it.
        • by ctilsie242 ( 4841247 ) on Sunday June 02, 2024 @03:43PM (#64518195)

          MS has not a great track record for stuff getting disabled and staying disabled. Telemetry, disabling apps, disabling upgrade paths, adding hurdles to using another browser other than Edge... even if a GPO does happen, it may not get applied.

          What is needed is for this feature to just go away. Can you imagine the hell of a legal hold? As a sysadmin, I'd have to pull machines from users, undo BitLocker, so forensics guys can attach a write blocker and make a forensic image for the opposing side.

          Even without the legal issues, this is a gold mine for attackers who are looking to exfiltrate data. Even if files are erased and browser history is cleaned, this would allow a bad guy to find anything the user worked on.

          MS just needs to kill this, just like they did with Private Folders. If they can't kill it, they need to do have a "permanently disable" option, where even on reinstall where Windows runs a PC serial number check, it would block Recall from being installed or enabled.

          This is something that can get businesses to move to Red Hat for their desktops... or even Macs, because Macs with a solid MDM can be well managed, and even if someone reinstalls them, the Mac can be blocked from reactivating.

        • I'll bet users will get used to it at home, and then start to require it at work.

          Go ahead and require it, peons. The BOFH has the final word here, and he says NO! All sensitive documents must be stored on the corporate file server on pain of instant dismissal for cause, and the file server doesn't run Windows.
        • > With enough pressure and lack of publicly reported issues, IT may have to support something they know is a terrible idea.

          IT departments need to grow backbones in this day and age. Where I work security is more important than anything so we simply say NO. Users can’t even plug in wireless mice and keyboards, they are banned.

          Where I used to work (a pub company) it was very different. IT was seen as a bunch of computer people who should work to make IT work for the user. I once had an argument wi

    • Maybe a government (the EU?) has protections like how they struck down 'non-competes' in the US recently. But hasn't the EULA has always been the solution for software when it comes to legal issues. To force arbitration in secret, and to take what they can. Or do what they can get away with until caught.

      Hide the problems in deep legalese, and force users to agree before they can do even basic work. We've been indoctrinated to click 'I agree' for decades now (assuming people are that old).

      Wish AI was poi

    • by kmoser ( 1469707 )
      The instant this gets released, somebody will write a utility that lets you edit the contents of the DB, including faking screenshots. I hope the mere existence of such a tool will throw into doubt the validity of any screenshots subpoenaed.
    • by slack_justyb ( 862874 ) on Sunday June 02, 2024 @10:17PM (#64518885)

      if, as mentioned, this data does go outside of the PC or network

      This isn't even an "IF". It will. And for all the folks affected they'll get a $5 gift certificate to Dunkin Doughnuts, but only AFTER all the data leaking has become public knowledge. Because we don't live in a society that wants to act smart, they want to make buck and then when they've destroyed way too much in the process, they'll just tell everyone they're very sorry they were caught. This will absolutely get exploited and massive amounts of data will be flying out of people's computer at alarming rates.

      There are zero other ways this is going to go down. This will absolutely be a privacy nightmare in the near future.

  • If it worries you (Score:5, Informative)

    by RitchCraft ( 6454710 ) on Sunday June 02, 2024 @02:17PM (#64518007)

    If it worries you (AND IT SHOULD) switch to a different operating system. You have a so-so alternative, Apple, or an excellent alternative, Linux. The so-so alternative unfortunately will be an easier switch. Stop bitching and start switching.

    • by Schoenlepel ( 1751646 ) on Sunday June 02, 2024 @02:25PM (#64518025)

      Don't forget about *BSD, Haiku, and ReactOS.

    • Apple will do it too, because it's a pretty good idea. It will also be local and suddenly everyone will clap.

    • by labnet ( 457441 )

      Then how do I run Altium Designer, TurboCAD, Solidworks, Simtrix, TinaTI, PSOC Creator and the list goes on and on.

      • You don't. You and others that use the software need to make requests to the companies to start looking into Linux, or other alternate OS, versions. State the obvious to them, trust in Microsoft has eroded.

      • by piojo ( 995934 )

        Clean out your current Windows drive, fill it with nulls for compressibility, and make a copy of your disk. Install Linux and use your disk image to build a VM to run those things, maybe just during your workday.

        I haven't done this yet, so I don't know what problems you might run into. Maybe using a VM has too much performance cost for those heavy applications.

    • Most users can’t/wont switch due to the fact that they are used to windows.

      They either moan about how unusable Linux is (I started on 2000 or just before and trust me, I found it pretty usable back then (once set-up and installed) so I can’t tell why they have a problem today).

      They always complain on reddit that X or Y doesn’t run or work. The drivers for A or B are not there etc. One guy thought that editing /etc/fstab was too much.

      Thing is, if they just stick to it, all that goes away.

      • I'd argue that outside of nerdom, those normal people expect the computer to be an appliance. Like a toaster or a tv.

        Most people seem to be perfectly content with the hell they know then some unknown, even if that unknown has the potential to be so much better.

  • by Murdoch5 ( 1563847 ) on Sunday June 02, 2024 @02:23PM (#64518019) Homepage
    This feature is stupid on a new level of overdrive, never seen before. Microsoft can claim what ever they want, but the OS is closed, and we know they have abusive privacy practices. If Microsoft ran Airbnb units, they have cameras everywhere, and microphones, then claim the shower and toilet cams weren't harmful, because the videos were stored on a NAS, but you could never verify the NAS was internet isolated.

    Putting this in another prospective, would you hire NAMBLA or a pedophile to run your daycare? Even if nothing bad happened, you still made a decision so dangerous, that you have no defence. Running Windows is like hiring those people, and proving safety is easy, they just refuse to do it.

    Open the OS completely, get it third party independently audited, provide build / feature keys, and the logs to every interaction. Making this problem worse, this feature is on by default, not off, and even if it's entire isolated and safe, Microsoft's track record is terrible, so the faith this is safe is non-existent. This feature is a big enough issue, that no competent tech person can run Windows, it's over, it's dead, Microsoft hired the pedophile.
    • This feature is stupid on a new level of overdrive, never seen before. Microsoft can claim what ever they want, but the OS is closed, and we know they have abusive privacy practices.

      So on this basis why is Recall a stupid feature? No seriously you've already said you have no privacy running their OS. Why choose this specific hill to die on? All your base are belong to them already, so you may as well run the privacy destroying feature since you don't have privacy in the first place.

      • I already have trouble getting clueless people to stop sharing private information, this takes the screen share issue, and feeds it steroids. Now you don't need to share your screen and show your email, Windows till take a picture for anyone to use, abuse, and violate. This will lead to those same people getting mad when their data is stolen, and blame the IT people, instead of the Microsoft.

        Those same people refuse to use professional operating systems, because they think they're experts, but in realit
        • Windows till take a picture for anyone to use, abuse, and violate

          This is my point. Microsoft says it doesn't. If you believe Microsoft you're safe. If you don't believe Microsoft then why do you think people can't already abuse and violate what is on your screen? Precisely what do you know about "telemetry" being sent to Microsoft? You don't trust what they tell you about Recall, so why trust them about Windows?

          • Microsoft has never established a reason to trust them, and has at multiple points been caught with their hand in the cookie jar. If Microsoft wants to gain trust, they need to go hard and double down. This means open sourcing all software, and getting it third party independently reviewed and audited. This means having a fully transparent auditing system that can't be bypassed. This mean releasing build keys so proper auditing of the released build / features can be carried out.

            Maybe this is safe, b
      • Because, as the summary says, it will store secret data that is currently not stored.

        • The summary falls under the same trap. Either they trust Microsoft in the way this data is stored (encrypted and locally accessible only to the logged in user), or they don't trust Microsoft and therefore have zero basis to say that data isn't currently stored.

          It's like having a killer in your house threatening to murder you holding a gun, but you being afraid that he *may* have a knife. You've already lost the privacy game by running an OS from someone you don't trust.

      • So you've been raped already, so... you're saying send in the rest of the gang? I didn't mind *that* much.

        I find that argument... weak... and unconvincing. I personally liked it better before getting raped.

        Ok seriously here's 1 good reason. They need to make data to feed to their AI's. As ludicrous as that sounds. The data you "generate" becomes monetizable. They won't stop.
      • What are the supposed benefits of this software, anyway? All I can think of are all the ways this could go wrong. How does taking screenshots of my computer every few seconds and making that searchable possibly empower the user?

        I could see if this was strictly something for businesses to use to keep tabs on their workers. It's a benefit to management.

        A home user though, how would they find usefulness out of this shit?

        Furthermore, MS search isn't anything to write home about. Will searching of this new datab

    • I hadn't even considered it until reading the first bit of your post, but what if Microsoft made the interpreter (or whatever tries to extract data from the visuals) an option. Like the browser.

      Sure they can make it hard to change away, but if it's really that important then maybe the government can/will force them to allow competition there too. And people could choose an open source, likely worse in some ways, alternative. Guess you need to suggest it to the EU and maybe they can tweak a law in a few y

      • Well really, at this point I suspect NAMBLA is running the daycare, but going ahead with Recall will just prove it.
  • by spaglia ( 1163639 ) on Sunday June 02, 2024 @02:24PM (#64518023)
    Problem solved. BUT Microsoft has a history of turning stuff back on (updates, whatever). This is just a nightmare all the way around.
    • by Schoenlepel ( 1751646 ) on Sunday June 02, 2024 @02:31PM (#64518035)

      Remember that torrent of some application or game you downloaded last night? Yeah, it contained malware. Now this Windows feature is enabled again with no way to disable it and once in a while all those screenshots are uploaded behind your back to some server on the internet which is ran by a ransomware gang or some sicko looking to harass you.

      YOU will probably not be stupid enough to get into such situations, but there are hordes of idiots out there who are.

    • Problem solved. BUT Microsoft has a history of turning stuff back on (updates, whatever). This is just a nightmare all the way around.

      So you don't trust Microsoft with a setting, why is recall a privacy problem? You shouldn't be running their OS period if you don't trust them. You haven't vetted windows. That would be impossible.

    • by PPH ( 736903 ) on Sunday June 02, 2024 @03:01PM (#64518093)

      Citizen. You have turned off your Windows recall. This is prima facie evidence that you have something to hide.

      Only Inner Party members may turn off their telescreens.

  • Obviously (Score:5, Insightful)

    by gweihir ( 88907 ) on Sunday June 02, 2024 @02:49PM (#64518065)

    One of the fundamental principles of the GDPR is "Datensparsamkeit", i.e. do not collect data unless you have to. The "recall" violates this on steroids. With it, an attacker gets everything, including habits, friends, pictures, political leanings, religious and philosophical views, porn-habits, etc. And, worst of all, it is enabled by default, so a lot of people will not even know that there now is a creep in their PC that watches everything.

    Remember those extortion emails where some asshole claims to have watched you via webcam and you better pay him now? Apparently, Microsoft thinks this guy is not making enough money and needs some help.

    The only good thing is that such a software is illegal to be active by default in the EU.

    • They'll argue it's fine because they're not collecting it, it's still on your hard drive, like a log file or something

      • by gweihir ( 88907 )

        Well, I doubt that. A default-on recording feature runs afoul of more things than just the GDPR. But let's wait and find out.

  • by thegarbz ( 1787294 ) on Sunday June 02, 2024 @02:54PM (#64518077)

    If you have questioned Microsoft you have already lost. You are running their OS, one that is widely known to transmit all sorts of untold data to them, which they can modify code at a whim, which you most certainly don't know how it works. If you don't trust Microsoft, you shouldn't be running their OS. If you do trust Microsoft, why question?

    The mental gymnastics people are going to about Recall as if *THIS THING* is suddenly the problem is insane. If you consider this a problem you shouldn't be touching Windows with a 10ft pole anyway. Recall isn't the issue here, we're not talking about trusting code, we're talking about trusting a company. All or nothing is the correct approach to take.

    • The mental gymnastics people are going to about Recall as if *THIS THING* is suddenly the problem is insane. If you consider this a problem you shouldn't be touching Windows with a 10ft pole anyway. Recall isn't the issue here, we're not talking about trusting code, we're talking about trusting a company. All or nothing is the correct approach to take.

      What is even funnier is they bang on about privacy whilst posting on a social media platform that tracks you.

  • by RossCWilliams ( 5513152 ) on Sunday June 02, 2024 @03:03PM (#64518095)
    is an oxymoron. The reason for that is that companies are not held liable for security breaches they create. I guarantee if Microsoft could be held liable for financial and personal damage done by someone using this "feature" they would be a lot more careful. As it is, internet security is a little like locking your doors. It keeps honest people honest and discourages some criminals. But if you have anything that someone really wants to steal simply locking the door isn't going to stop them.
  • So after trying to engineer the next population-reducing pandemic and trying to eliminate agriculture, Bill Gates is _ALSO_ trying to turn every PC into government spyware. I'm especially glad now that we never "upgraded" to Windoze 11.

    And now that I've stopped playing World of Warcraft, there is no longer anything holding me to Microsoft, so I can switch to Linux. Perhaps not "with ease", but it'll be possible.

  • Does the Pope hi in the woods :o

    > .. Copilot Recall will be enabled by default and will capture frequent screenshots, or "snapshots," of a user's activity and ..

    And the ability of which to send the contents back to the mother-ship can be secretly enabled anytime.
  • by RockDoctor ( 15477 ) on Sunday June 02, 2024 @03:47PM (#64518203) Journal
    So ... is there something effective that would prevent another Administrator-approved application from reading this database, and blanking every new submitted image? Or don't Windows administrators have the ability to run their choice of code on their machines? I assume that the Black-hat people are looking at raping this database for the good stuff. So ... what is there to prevent a Whiite-hat from blanking every image sent to the database (ditto, URLs, document pathnames ...)

    I'd bet that Cupertino are already working on breaking into this tool, even if (especially if!) Redmond claim it is impossible or useless. It may be their "black-ops" department ... so, Tel-Aviv? not Cupertino ... instead of undeniable assets. But they're doing it, I bet.

  • by joe_frisch ( 1366229 ) on Sunday June 02, 2024 @03:49PM (#64518215)
    It will be interesting to see if MS enables this on their internal computers that handle sensitive internal documents, development code, and PII. Will their executives have this enabled?
    • Sure, why not. It's management spyware. It's not meant to benefit the user in any way I can see.

      • If their CFO's computer gets hacked and financial information released before the official report is released they are in a world of trouble. Recall seems like a vector for a wide range of hacks so I wonder if they will use it themselves
  • What is the purpose of this 'feature' anyway?

    Ignoring all the obviously horrific doors it opens for a moment, what is the alleged benefit to the user?

    I see none for my circumstances. Maybe in some high security military lab or bank or something they might want this in a super controlled no public net environment. But for anyone e else? Why?

  • How is this any more invasive than Windows already is? Pretty much everything you do is tracked already. Very certainly every website you visit is tracked, and that's most of what you do on a computer these days.

    Serious question; What makes this any more invasive than what's been happening for years?

    • They have presumably not been collecting your image data regularly because that would have cost them money. That means they couldn't actually see what you were seeing, so the contents of e.g. zoom conferences were still your business — any meaning you chose to convey visually was yours alone. Now your system will be taking snapshots, and in order to meet Microsoft's current requirements for all of the functionality they "offer" you will have to have enough processing power lying around that those imag

      • Ah, I see. Well your company's IT department will no doubt have policies (including Group Policies) to make sure the contents of your Teams meetings don't leak.

        • Ah, I see. Well your company's IT department will no doubt have policies (including Group Policies) to make sure the contents of your Teams meetings don't leak.

          My job requires broad access to the PII of millions of people including health-related data, most of which is displayed unobscured.

          In a prior position I had full read access to all databases in a casino, as I was doing database reporting.

          I'm quite sure that everything you do is that trivial, but some of us have a need for security.

          • My job requires broad access to the PII of millions of people including health-related data, most of which is displayed unobscured.

            It sounds like your company's security practices are already compromised. No one person requires access to that many people's unobscured PII. One at a time, yes, if you are dealing with specific claims or patient calls. But broad-spectrum access, no. And I'm very familiar with the healthcare world, having managed the software team for multiple companies in that space. Security is often lax, to be sure. In that case, it's not Microsoft Recall that's the problem, it's your security policies and implementation

  • I forget the exact story, but there was this story a few years ago about a mother suing Ring because hackers had gotten into her account and were talking to her kid and stuff, watching them over the mics. It was a prank, but creepy.

    But you read the details, and I think it was the third time something similar had happened. And she still hadn't just removed the damn cameras from her house.

  • Copilot and Recall are completely managed Device Side.

    It would have been simpler for microsoft to roll it out "in their cloud" instead of insisting on a 40TOPS NPU on each machine, requirement that neither Intel nor AMD can reach.

    So, the only way for your data to leave the machine (a machine with a TPM 2.0, SecureBoot and Bitlocker) is for either Microsoft exfiltrating it, or a hacker getting it.

    So, the question is: Do you trust microsoft to not exfiltrate your copilot and Recall data?

    • Is this a trick question? As I recall we aren't allowed to know that that data Win10 and later constantly uploads form out private laptops to M$ is.

  • Utilities that "help" you by keeping copies of, or records about, stuff you do not want to have preserved (and without telling you).

    OS's like MacOS and Windows have long been annoying about not actually deleting stuff you want to delete. The MacOS lets you "trash" stuff, but a separate action unsing a different part of the UI is needed to actually delete it so that it does not take up space and does not come back. Windows has copied stuff you are trying to get rid of, so that it has back-up of it (or someth

  • Affirmation that I made the right choice to punt on using Windows (or MacOS) for anything of consequence.

    F them all.

    We should all be following the dollars back to the advertising Voldemorts and just not do business with companies that are empowering that noise.

  • Really if you don't want it then turn it off. literally hundreds of security and backup tools are subject to the exact same issue, this isn't something new to IT departments or people that deal with sensitive data on a daily basis.
  • ...and hate the implementation.

    If I could actually have this, secured, in an OS not built around collecting my data and sharing it to pretty much the whole world...sure. For years I intentionally ran a local keylogger on my own system. Handy for look-back and various other things. But now that everything is internet-based *aaS so they can needlessly charge a monthly fee I've got zero interest in that level of data ever existing again.

    From a business perspective this is DOA. Heck, it's beyond DOA - it wi

"Mach was the greatest intellectual fraud in the last ten years." "What about X?" "I said `intellectual'." ;login, 9/1990

Working...