Q. Is this really as harmful as you think?

A. Go to your parents' house, your grandparents' house, etc. and look at their Windows PC, look at the installed software in the past year, and try to use the device. Run some antivirus scans. There’s no way this implementation doesn’t end in tears — there’s a reason there’s a trillion dollar security industry, and that most problems revolve around malware and endpoints.

  • TheTimeKnife@lemmy.world
    1 month ago

    We should have let the government actually break up Microsoft’s monopoly long ago. Now they will abuse it to force millions of Americans to use their spyware.

  • DarkSurferZA@lemmy.world
    1 month ago

    I get the security issues, sure, those are valid, but the privacy ones are even worse. Imagine a teenager trying to search information on being gay, or possible intrusive thoughts on their family computer, only for their super maga right wing parent to find it in the screenshots.

    Or someone being abused at home and searching for support facilities, deleting history and being outed by recall.

    Wait, how about credit card fraud as a result of EVERYONE who has access to this computer can read your cc data?

    Or, my husband was looking at jewelry online yesterday and he hasn’t told me, he must be cheating, right? Oh sorry, I forgot, our anniversary is next week… Hahahaha, don’t be upset babe.

    Best one ever though, imagine your search history, your porn watch history accessible to anyone with access to your computer? The fucking horrific existence of having an employer process this data at scale using fancy staff monitoring program 7, and run stats on the fact that you had a toilet break while working from home, and they want to know if it was a number 1, or a number 2 so they can work a mean time to shit metric into your KPA/scorecard.

    Guys, whatever benefit you think this is. It’s not worth it.

  • Noble Shift@lemmy.world
    1 month ago

    It’s subpoenable information. Absolutely no one is addressing that aspect.

    I’ve done quite a bit of work in IT within the sphere of investigative law enforcement and this sets off major alarm bells to me.

  • A_Random_Idiot@lemmy.world
    1 month ago

    I can’t believe they are including this in enterprise edition too.

    They usually keep their dirty spyware out of the enterprise editions to avoid losing corporate clients who don’t want their secrets easily pluckable.

    • ಠ_ಠ@infosec.pub
      1 month ago

      Maybe in the future it can be used by managers to keep an eye on what their underlings are doing at all times. I suggest calling the manager’s remote version Microsoft Panopticon.

    • EzTerry@lemmy.zip
      1 month ago

      Ask yourself what this feature is actually useful for. Ignore the concerns of privacy, just what can this really do.

      It’s not really needed for Copilot, if it wanted to capture what you were doing it would directly update the internal model, no reason for the slide show of your action.

      No, besides wasting disk space this is for:

      1. Gaming youtubers to get a screenshot of something when they were not recording
      2. Some screenshots of history when searching, not better than the file/website preview really
      3. Tracking and logging what the end user is doing so when audited by the manager/IT they can use it as proof you are not doing it right/are inefficient/should be fired

      By all means a company can disable this in policy I’m sure, but it’s for the enterprise not the end user. (and yes stored locally, but if you delete the laptop when they want to inspect it that likely is all the excuse they need)

      • tidaL@lemmy.world
        1 month ago

        Benefit to my org is getting billers to look for untracked time, which would equate to some percentages of revenue increase in my opinion.

        Just need to balance it with security concerns…

        • EzTerry@lemmy.zip
          29 days ago

          enable for roles with more locked down PCs and tasks the companies hope to automate, and disable on more core mission critical IT…

  • retrospectology@lemmy.world
    1 month ago

    Does anyone yet know how to break stuff like Copilot?

    I don’t have Win11, but I also never really trust that MS won’t surreptitiously push this kind of thing in the background to legacy systems, and I don’t trust UI toggles within Windows to actually do anything.

    Do we know if there are services or files that Co-pilot needs to function?

  • suction@lemmy.world
    1 month ago

    Couldn’t you use a separator to make it one line of code? That way it’d be even more dangerous

  • Snot Flickerman@lemmy.blahaj.zone
    1 month ago

    Unpopular Opinion: This is why Microsoft were such assholes about making sure Windows 11 required a modern TPM and this is also why they are forcefully rolling out Bitlocker encryption turned on by default on all Windows 11 PCs.

    Is Recall still a fucking stupid idea? Yes, resoundingly so. But they’ve half-ass considered the risks, it seems. The forceful rollout of Bitlocker is dumb and short-sighted in its own right, and it wouldn’t make a person completely secure from outside attacks rooted in a Recall exposure.

  • NoiseColor@startrek.website
    1 month ago

    This is a feature hundreds of millions of people will use and very likely won’t cause any security issues. These doomsday scenarios every Linux user here is predicting are a bit much, don’t you think so?

    • Adanisi@lemmy.zip
      1 month ago

      Are you braindead? Yes yes taking regular screenshots of the desktop can’t possibly be a security risk, right?

      • NoiseColor@startrek.website
        1 month ago

        You can define almost anything as a security risk. But we aren’t children to play such stupid games.

        We are talking about someone gaining that information and the probability of that happening without even knowing what security measures will be in place. I think the risk is negligible even today with the limited information about it that we have now. Other people here, presumably you as well, are hysterical about it.

        That’s what the discussion is. You actually believe Microsoft will launch this and then everybody will be hacked or something. I think that is… not smart.

        • Adanisi@lemmy.zip
          1 month ago

          No, I don’t think “everyone will get hacked or something”, don’t put words in my mouth for the sake of your argument.

          What it is, and this is undeniable, is a massive fucking privacy and security hole if someone gains control of your computer.

          • NoiseColor@startrek.website
            1 month ago

            I didn’t want to put words in your mouth, but wanted to clear up where each of us stands so there is no misunderstanding.

            If somebody gains control of your computer today, that’s a massive privacy and security hole in itself.

            • starman2112@sh.itjust.works
              1 month ago

              If you didn’t want to put words in someone’s mouth then you shouldn’t have said something like

              “You actually believe Microsoft will launch this and then everybody will be hacked or something.”

              • NoiseColor@startrek.website
                1 month ago

                Oh a knight in shining armour trying to defend my dialogue partner?

                Did you ask if anyone needed defense? Because I’m pretty sure they don’t.

                If you read carefully I wrote “or something” at the end implying that I don’t know exactly what they believe. It was not that subtle of an invitation for them to agree with my first assessment or correct me. I will try to be really blunt in the future, so that you don’t misunderstand again.

                • starman2112@sh.itjust.works
                  1 month ago

                  ? I’m not defending anyone, I’m calling out bullshit when I see it

                  I don’t really care that you like watching kids through their bedroom windows or whatever

                  If that doesn’t accurately describe your views, no worries—I said “or whatever,” so it’s fine

            • Adanisi@lemmy.zip
              1 month ago

              Absolutely, but even with control of your computer, if you’re smart, other accounts etc will still be inaccessible by the attacker.

              Not when they get access to the Windows built in desktop spy saving everything it sees.

              • NoiseColor@startrek.website
                1 month ago

                Not if it’s encrypted and if sensitive information is not saved.

                Main point is still that gaining control of someone’s computer against their will is practically impossible today. If someone manages to do it, they already have your files and all the sensitive information they could want. They won’t even bother with this recall. And if you are worried about it, you will be able to just turn it off.

                Much ado about nothing.

                • Adanisi@lemmy.zip
                  1 month ago

                  “If sensitive information is not saved” is doing a lot of heavy lifting for you there. The issue is that it saves everything.

    • BrowseMan@sh.itjust.works
      1 month ago

      Did you read the article?

      This system basically does character recognition on EVERYTHING the user is displaying and saves the results in a very small file not that well protected.

      The data is very small (I guess because it’s basically text?), seems easy to find. That means the history of all you did on your computer (apparently only for the last three days by default, but well…) can be stolen at once, in a minuscule file.

      I’m not an IT specialist, but I don’t see in which world this can remotely be a good idea…

      • NoiseColor@startrek.website
        1 month ago

        As I understand not everything will be read and stored, storage will be encrypted. We don’t even know what exactly will be stored and everybody here is losing their mind.

        We already have a lot of sensitive information on our computers and nobody is panicking.

        I guess it’s hard to get used to new stuff. Or maybe Linux users are afraid that their favourite system won’t be able to compete anymore.

        • ocassionallyaduck@lemmy.world
          1 month ago

          You didn’t read the article.

          We do know the answers to these questions. And if I can use a 2 line script to exfiltrate all your screen data for days/weeks in under a few MB of data.

          So better hope you, never, ever, ever run unauthorized or malicious code, because now it basically has a honeypot of top priority data, always stored in a known location and compressed for easy uploads.

            • ArcaneSlime@lemmy.dbzer0.com
              1 month ago

              Q. The data is processed entirely locally on your laptop, right?
              
              A. Yes! They made some smart decisions here, there’s a whole subsystem of Azure AI etc code that processes on the edge.
              
              Q. Cool, so hackers and malware can’t access it, right?
              
              A. No, they can.
              
              Q. But it’s encrypted.
              
              A. When you’re logged into a PC and run software, things are decrypted for you. Encryption at rest only helps if somebody comes to your house and physically steals your laptop — that isn’t what criminal hackers do.
              
              For example, InfoStealer trojans, which automatically steal usernames and passwords, have been a major problem for well over a decade — now these can just be easily modified to support Recall.
              
              Q. But the BBC said data cannot be accessed remotely by hackers.
              
              A. They were quoting Microsoft, but this is wrong. Data can be accessed remotely.
              
              Q. Microsoft say only that user can access the data.
              
              A. This isn’t true, I can demonstrate another user account on the same device accessing the database.
              
              Q. So how does it work?
              
              A. Every few seconds, screenshots are taken. These are automatically OCR’d by Azure AI, running on your device, and written into an SQLite database in the user’s folder.
              
              This database file has a record of everything you’ve ever viewed on your PC in plain text. OCR is a process of looking at an image, and extracting the letters.
              
              Q. What does the database look like?
              
              A. https://twitter.com/GossiTheDog/status/1796218726808748367
              
              Q. How do you obtain the database files?
              
              A. They’re just files in AppData, in the new CoreAIPlatform folder.
              
              Q. But it’s highly encrypted and nobody can access them, right?!
              
              A. Here’s a few second video of two Microsoft engineers accessing the folder: https://cyberplace.social/system/media_attachments/files/112/535/509/719/447/038/original/7352074f678f6dec.mp4
              
              Q. …But, normal users don’t run as admins!
              
              A. According to Microsoft’s own website, in their Recall rollout page, they do: https://miro.medium.com/v2/resize:fit:1100/format:webp/0*WGE1jcRzhe6WAGQS
              
              In fact, you don’t even need to be an admin to read the database — more on that in a later blog.
              
              Q. But a UAC prompt appeared in that video, that’s a security boundary.
              
              A. According to Microsoft’s own website (and MSRC), UAC is not a security boundary: https://miro.medium.com/v2/resize:fit:1100/format:webp/1*TTjYNH15IoP_d8JhhG3cEA.png
              
              Q. So… where is the security here?
              
              A. They have tried to do a bunch of things but none of it actually works properly in the real world due to gaps you can drive a plane through.
              
              Q. Does it automatically not screenshot and OCR things like financial information?
              
              A. No: https://miro.medium.com/v2/resize:fit:1100/format:webp/1*OZMjujpALL3IfAQYT64x7Q.png
              
              

              Do I have to continue or do you think you could actually read the article for the rest? It’s clearly a bigger deal than “linux users mad because windows better” and your poor excuse for a troll just makes it look like you’re too stupid to read the article laid out in front of you. Well, now you have no excuse so get good.
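An added example (not from the article or from any commenter): a detection sketch for the two behaviours the quoted Q&A describes, a process other than Recall itself touching files under the CoreAIPlatform folder in AppData, and a second account reading another user's store. The event format, the allowlisted process name and everything in the sample paths other than `AppData` and `CoreAIPlatform` are assumptions; the events are constructed.

```python
import re
from typing import NamedTuple

# Only "AppData" and "CoreAIPlatform" come from the thread. The sub-folders and
# file names in the sample paths are placeholders, not real Recall paths.
STORE_RE = re.compile(
    r"\\Users\\(?P<owner>[^\\]+)\\AppData\\.*CoreAIPlatform", re.IGNORECASE
)

# Hypothetical allowlist: build the real one from your own baseline telemetry.
EXPECTED_PROCESSES = {"hypothetical-recall-service.exe"}

# Constructed file-access events in an assumed format:
# timestamp|accessing user|process image|target path
SAMPLE_EVENTS = r"""
2024-06-01T10:00:01Z|alice|C:\Program Files\Placeholder\hypothetical-recall-service.exe|C:\Users\alice\AppData\Local\CoreAIPlatform\placeholder.db
2024-06-01T10:04:12Z|alice|C:\Users\alice\Downloads\invoice_viewer.exe|C:\Users\alice\AppData\Local\CoreAIPlatform\placeholder.db
2024-06-01T10:09:40Z|bob|C:\Windows\System32\cmd.exe|C:\Users\alice\AppData\Local\CoreAIPlatform\placeholder.db
2024-06-01T10:10:05Z|alice|C:\Program Files\Placeholder\browser.exe|C:\Users\alice\AppData\Local\Placeholder\Cache\data_1
garbled line without separators
"""


class Finding(NamedTuple):
    timestamp: str
    user: str
    process: str
    reasons: tuple


def review(events_text):
    """Return a Finding for every suspicious access to a CoreAIPlatform store."""
    findings = []
    for line in events_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # blank or malformed record: nothing to judge
        timestamp, user, image, target = parts
        match = STORE_RE.search(target)
        if match is None:
            continue  # access to some other path, out of scope here
        process = image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if process not in EXPECTED_PROCESSES:
            # Any program running as the user can open the user's files;
            # encryption at rest does not help once the user is logged in.
            reasons.append("unexpected-process")
        if user.lower() != match.group("owner").lower():
            # A different account reading this profile's store.
            reasons.append("cross-user-access")
        if reasons:
            findings.append(Finding(timestamp, user, process, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```
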

              • NoiseColor@startrek.website
                1 month ago

                Sorry I don’t take everyone’s word as truth. This guy is just one guy. One guy against the whole Microsoft corporation whose entire fortune depends on this not to fail in the way he said it certainly will. Absurd.

                • ocassionallyaduck@lemmy.world
                  30 days ago

                  Then don’t believe one guy, read the other reports on the feature, or the reports from Microsoft’s BUILD conference that confirm these details.

                  It’s stored in the appdata folder in plaintext.

    • jordanlund@lemmy.world
      1 month ago

      Enterprise will love it because it will allow them timestamped access to everything their employees are doing during the day.

      They will have it set up to alert on various things…

      “So, Bob, you were playing Minesweeper from 9:45 to 9:53, was that a scheduled break for you?”

      “Jane, your screen showed no substantive changes from 1:03 to 4:15, you weren’t in a meeting, what were you doing?”

      • Someonelol@lemmy.dbzer0.com
        1 month ago

        The surveillance would be a double edged sword. If they were to be hacked, all sensitive information that was going through their PCs could be compromised.

        • jordanlund@lemmy.world
          1 month ago

          They will convince themselves it can’t be compromised. Never under-estimate the stupidity of middle management.

  • beefbot@lemmy.blahaj.zone
    1 month ago

    THIS IS NOT CURRENTLY RUNNING ON MY WINDOWS COMPUTER, right?

    This obvious first question hasn’t been clarified (maybe by one comment in this thread, but not in the article)

    • beefbot@lemmy.blahaj.zone
      1 month ago

      From The Verge’s obsequious article:

      “Recall won’t work with every Windows 11 computer. You’ll have to buy one of several fresh new “Copilot Plus PCs” powered by Qualcomm’s new Snapdragon X Elite chips, which have the neural processing unit (NPU) required for Recall to work.”

      • asap@lemmy.world
        1 month ago

        And from the article in the OP:

        “I got ahold of the Copilot+ software and got it working on a system without an NPU about a week ago,”

        • A_Random_Idiot@lemmy.world
          1 month ago

          They are using that to sell NPU bullshit to the stupid people crazy enough to be excited by it.

          Then down the road they’ll push it in an update for everyone, I wager.

          • zod000@lemmy.ml
            1 month ago

            Most of the newer CPUs have an NPU already, Microsoft just set a higher performance requirement for NPUs to be officially labeled an “AI PC” which they are pushing hard.