Controversial Windows Recall AI Search Tool Returns (securityweek.com)
- Reference: 0175144821
- News link: https://it.slashdot.org/story/24/09/27/1722216/controversial-windows-recall-ai-search-tool-returns
- Source link: https://www.securityweek.com/microsofts-controversial-recall-returns-with-proof-of-presence-encryption-data-isolation-opt-in-model/
> Three months after [2]pulling previews of the controversial Windows Recall feature due to public backlash, Microsoft says it has [3]completely overhauled the security architecture with proof-of-presence encryption, anti-tampering and DLP checks, and screenshot data managed in secure enclaves outside the main operating system.
>
> In an [4]interview with SecurityWeek, Microsoft vice president David Weston said the company's engineers rewrote the security model of Windows Recall to reduce attack surface on Copilot+ PCs and minimize the risk of malware attackers targeting the screenshot data store.
[1] https://slashdot.org/~wiredmikey
[2] https://it.slashdot.org/story/24/06/14/0318213/microsoft-postpones-windows-recall-after-major-backlash
[3] https://www.securityweek.com/microsofts-controversial-recall-returns-with-proof-of-presence-encryption-data-isolation-opt-in-model/
[4] https://www.securityweek.com/microsofts-controversial-recall-returns-with-proof-of-presence-encryption-data-isolation-opt-in-model/
Surface Area (Score:2)
I'll reduce the surface area by shutting it off and disabling the feature, thank you very much.
Re: (Score:1)
Next update enables it again without your approval
You're screenshotting my desktop (Score:4, Interesting)
and using that to train your AI without my consent. Mr. Weston, YOU are the attacker.
Re: (Score:3)
Exactly. This is a blatant attack on the users, nothing else.
This is even worse (Score:3, Interesting)
Now it provides cryptographically secure proof of whatever your abusive spouse thinks it says. Sorry women, a whole lot of you are going to die horrible deaths because of Microsoft.
Re: (Score:2)
I'm sorry, I don't follow.
Re: (Score:2)
I'm happy you raised this. Having to make a leap of faith to the "think of the abused women" destination means that all other problems with Recall have been addressed right?
Re: (Score:2)
Do you really not understand the problem?
What this means is that an abused spouse can't clandestinely access resources designed to help them. The evidence is always there, just waiting for their abuser to check. Yes, this can get them killed.
There's a reason that it's recommended that mobile apps and websites have a "boss button" or some other way to immediately hide what the user is looking at. [1]For example [thehotline.org].
Why are you so hot to defend this shit anyway?
[1] https://www.thehotline.org/
Badges? (Score:3)
I don need no steenkin' CoPilot, I don need no steenkin' Recall, I don need your untested buggy security.
Period.
What about PII and proprietary data (Score:2)
A consultant may be granted temporary access to proprietary data and PII that they are required by contract and possibly by law to be deleted when the contract ends. How do they do this? Its not clear that physically destroying the computer is sufficient because a lot of Microsoft data is shared between computers on the same account.
That is separate from the insane security risk that now all passwords that are used on the computer will be visible in the screen shots.
I don't know if this is pushed by
Re: (Score:2)
I think it is desperation. MS has sunk tons of money into AI and applications or profits are not materializing. Hence crap like this. Obviously, it is going to be abused and obviously, attackers are going to get in.
My one hope at the moment is that this is likely turning out to be completely illegal in the EU and even the possibility may be illegal already.
1984 corporate style (Score:1)
Who need the govt to spy on you when the corporations can do it for fun, profit? The profit, of course, being when they sell the spying data to the govt.
Why was there a rush? (Score:2)
Assuming security works like described, why was there a rush to get this feature out the door way before it was secured. Remember Recall was advertised as "encrypted" previously but that meant if the drive had Bit-Locker turned on, then the files were encrypted.
Re: (Score:3)
MS has poured billions into AI and applications or profits are not materializing. They are desperate.
Re: (Score:2)
because AI, blockchain, cloud
Dumb (Score:2)
You don't get a second chance to make a first impression. They put so very very little thought into the first iteration, that the second one is DOA. Its like trying to sell a fire safe made out of FlashPaper. Yes thats a bad idea, and no I won't be interested in their follow up now that they admit they have no brains.
Re: (Score:2)
> You don't get a second chance to make a first impression.
You would think MS learned that after the Xbox One launch, but no.
That's nice, but... (Score:2)
> Microsoft says it has completely overhauled the security architecture with proof-of-presence encryption, anti-tampering and DLP checks, and screenshot data managed in secure enclaves outside the main operating system
That's nice, but have they bothered to overhaul their answer the following question: why the hell would anybody want or need this?
Re: (Score:2)
That's easy. Their customers asked for it.
Their customers. You know, advertisers. They're all asking "How do I choose which users' eyes are worth paying for?"
Opt-in by default and can be removed (Score:2)
From TFA:
> Recall will now be an “opt-in experience” during setup. “If a user doesn’t proactively choose to turn it on, it will be off, and snapshots will not be taken or saved,” he explained, noting that Windows users can remove the feature entirely.
> “You can remove it completely, never be turned on in future,” Weston said.
Also:
> Under the hood, the Microsoft VP said snapshots and any associated information in the vector database are always encrypted with keys that are protected by the TPM (Trusted Platform Module), tied to a user’s Windows Hello Enhanced-Sign-in Security identity.
> “You have to have proof-of-presence to turn it on,” Weston said.
No one fucking wants it (Score:3)
Normally I'd like to avoid cursing and put well thought out words into the world but are you fucking kidding me? No one fucking wants it, no one, no one fucking wants it.
Ohhhh we made it more secure to add...you missed the part where no one fucking asked for it, and no one fucking wants it. The only person who wants it, is fucking microsoft to collect more data.
I don't care how secure and proof of security for a feature NO ONE FUCKING WANTS is. It shows your clear deception to gather data WE DO NOT WANT TO FUCKING GIVE YOU.
Maybe it'll be mega quantum forever secure! Great NO ONE FUCKING WANTS IT STILL. The miscommunication, is we don't fucking want it.
Address that concern by fucking off.
Re: (Score:2)
Time will tell. Microsoft is giving the users the ability to uninstall it, completely. [1]https://www.theverge.com/2024/... [theverge.com] let's see after release if you're right, or if (as I suspect) only a few vocal minority of people don't want it / give a shit enough to care about it.
By the way I remember the iPhone announcement here like it was yesterday. I'm sure someone said NO ONE FUCKING WANTS IT in all caps when they were shown a phone without a keypad as well. More power to you as an individual but I suspect you a
[1] https://www.theverge.com/2024/9/27/24255721/microsoft-windows-recall-ai-security-improvements-overhaul-uninstall
Re: (Score:2)
Yes, odds are good that users won't know about it or understand it. That doesn't make it okay. That makes it far more nefarious.
There's a reason that this is "opt-out" and not "opt-in". They're trying to force it on as many people as possible, most of whom don't understand what it does or what danger it presents. Do you honestly think this is a good thing? Do you not understand the problem?
Also, Microsoft has developed a habit of changing user preferences after normal updates. They also make it difficu
Not minimized (Score:2)
The risks of screenshot data being targeted is ZERO if there is no screenshot data. Anything above that is not an example of minimized risk.
They mean they THINK they made the risk smaller but if the customer doesn't even want the feature, the risk/reward ratio is still infinity.
This is happening whether we like it or not (Score:2)
The data we generate on our computers is worth trillions to a AI trainer and Microsoft is going to get that data whether we like it or not. The time to stop this was back in 2004 during the Bush v Gore election. It was one of the smaller issues that folks didn't pay attention to.
Gore was in favor of continuing the antitrust fight and Bush had made it very clear he had no intentions of doing so. George Bush won and so Microsoft was never broken up and so we have no significant competition in the PC marke
What's this? (Score:2)
What's this process called ThirdEye.exe that shows up in Task Manager?
Some bad ideas do not die... (Score:5, Informative)
This is essentially the Panopticon. Sad times when the OS supplier has to be regarded as an enemy of all users.
Sure, they _pretend_ this is secure, but do you really think the usual authoritarian assholes in law enforcement and the TLAs can really restrain themselves? They have to think the Holy Grail of surveillance has been found!
Re: (Score:2)
[1]Be careful of what you say [youtube.com]
Be careful in every way
Be careful of what you do
Big brother is watching you
Be circumspect and discreet
Stay light on your mental feet
One slip and you know you're through
Big brother is watching you
Conform with all directives
Remember obedience pays and when you watch that TV
Screen remember it works both ways You'll disappear in a wink
Unless you can doublethink
You'll vanish into the blue
Big Brother is watching You
[1] https://www.youtube.com/watch?v=YQyue_X4Pk4
Re: (Score:2)
But imagine the compliance and oversight potential of businessmen, elected officials, and bureaucrats? (smiling intensifying)
Re:Some bad ideas do not die... (Score:5, Informative)
Most users don't care. And we can't make them care. So, for the most part, Microsoft is right in their beliefs.
They have the means, motive, and opportunity to spy on their users for their own profit. So, they will.
I only use windows for work. And I don't do anything relating to my personal life on my work computer. So, this is my employer's problem, not mine.
Re: (Score:2)
> Sad times when the OS supplier has to be regarded as an enemy of all users.
People have had decades to accept that they run software which is intended to serve other parties' interests above their own. And still to this day, we argue over the definition of "malware."
Re: (Score:2)
"... authoritarian assholes in law enforcement and the TLAs..." that's the problem with our elected officials, they hear the " authoritarian assholes in law enforcement and the TLAs" say that 'they can't do their job' without this level of surveillance, and some variant of 'think of the children' then the all vote to give ' authoritarian assholes in law enforcement and the TLAs' the powers they ask for.
The thing is, that no matter how much power you give the ' authoritarian assholes in law enforcement and
Re: Some bad ideas do not die... (Score:2)
Who's the more stupid, the elected officials that do this or the voters who keep re-electing them?
Re: (Score:2)
Assholes always need plenty of useful idiots to give them power. And the human race provides.
Re: (Score:2)
Are they an enemy of the user though, or do you just think so due to lack of information? One of the key things from the announcement not mentioned in this article, but covered in others is that Recall is fully optional and Microsoft will allow the user to completely uninstall it.
[1]https://www.theverge.com/2024/... [theverge.com]
> Sure, they _pretend_ this is secure
Literally every attack on the preview has required elevated system privileges. When an attacker has that already you are no longer using your own machine, you're using theirs. Windows recall isn't
[1] https://www.theverge.com/2024/9/27/24255721/microsoft-windows-recall-ai-security-improvements-overhaul-uninstall
Re: Some bad ideas do not die... (Score:2)
Many users have experienced updates silently re-enabling features that the users previously disabled. Besides is it *really* off or just hidden?