this rootless Python script rips Windows Recall’s screenshots and SQLite database of OCRed text and allows you to search them.
Please go through the FAQ section of the git project. It’s an eye-opener.
Q. Does this enable mass data breaches of website?
A. Yes. The next time you see a major data breach where customer data is clearly visible in the breach, you’re going to presume company who processes the data are at fault, right? But if people have used a Windows device with Recall to access the service/app/whatever, hackers can see everything and assemble data dumps without the company who runs the service even being aware. The data is already consistently structured in the Recall database for attackers. So prepare for AI powered super breaches. Currently credential marketplaces exist where you can buy stolen passwords — soon, you will be able to buy stolen customer data from insurance companies etc as the entire code to do this has been preinstalled and enabled on Windows by Microsoft.
It’s worst than that (as bad as this is)…
Today getting some data on a user is bad as smart hackers can put together the context … However any guessing the hacker has to do may alert the user before the hacked data can successfully be exploited
Now, a hacker would know exactly where each password goes and worse, they’d could learn the entire workflow of internal systems to successfully imitate a trained user…
This means the hacker could use the stolen bank data and legitimately issue credit cards to anyone they want (for example)
It’s no longer “we’ll expose some data”, now it’s “we can use this data to infiltrate your systems and wreak havoc in whatever way we want”
I doubt that. It’s preinstalled and enabled for personal users.
Even if it is enabled by default on pro/enterprise, there will probably be a group policy to disable it.
It feels like this was intended for buisnesses to monitor for phrases on your screen like “coolmath games unblocked free”
or to extract and upload a summary of what happened every second of every day to the server defined in the group policy.
I doubt it. There are plenty of tools that already do this if that was what they wanted, they’d just model it after those. Storing it locally isn’t how such tools usually work, they get shipped off to a remote server for ingestion.
Wow, it’s pretty wild they didn’t even attempt to encrypt or protect this data, even if it is local to your machine. What a treasure trove for malware to sift through.
It IS encrypted. Not well, but it’s encrypted.
I thought that it was encrypted if your home directory was encrypted? The impression that I got was that it was just a SQLite database stored in the clear. The user must certainly be able to make queries of that database in order for it to work, so even if it’s hosted by a non-user service, malware running locally will still be able to exfiltrate the data.
Is it? I skimmed the GitHub source code and couldn’t see anything involving encryption, but it’s totally possible I missed something. Perhaps just accessing the database from python is enough to decrypt it.
Iirc chrome stores your local cookies/session in a place malware could also attack. Probably the same idea for other browsers.
I’m not sure I fully understand the issue here. If we’re ok with that info being trivially retrievable by a bad actor, why isn’t this ok?
Like I get you may not like it, and it’s a target, but there are already lots of targets that have gotten a pass based on user permissions. Is it just the breadth of potential info? With the cookies you could potentially log into someone’s bank account.
browser data is a potential liability, sure, but you have tools to manage it. you can delete pages or entire websites, you can use private windows, you can purge history older than 6 months or something like that, and at least a few browsers have a “forget” button that wipes out the last two hours of history. similar deals with cookies and other data, and we’ve collectively decided the benefit of having browser data is worth the risk.
not so here. Recall is a record of everything you’ve ever done on your PC. you can’t selectively delete things like you can with browser history, the app and website exclusion is only as good as whatever Recall is using to detect apps and websites, and you can’t redact sensitive info after the fact. people are generally okay with browser history and data because they know they have fine-grained controls to manage it, controls Recall doesn’t have
So if they had a ui with buttons to ‘pause for X length (could be forever)’, buttons to 'forget last X length (once again could be forever), but everything else stayed the same, would it be acceptable?
Like I’m genuinely curious here.
When you go on the internet you are accessing content on other people’s computers. You are saying, “I want such and such document”. There’s an inherent lack of privacy in browsing the internet. You can try to be private about it, but ultimately you’re not changing that you’re requesting data from other people’s computers and sending them data.
When you are doing something else on your PC besides browsing the web, Recall is still taking screenshots and tracking you. What apps you use, pictures you view, and many other things that might be completely offline and you don’t necessarily want a history of stored on your PC, with screenshots and searchable summaries. Do you want each and every one of your fap sessions recorded? Why would you want any of your offline activity recorded?
What if you forget to pause this feature and someone finds these screenshots? Who cares, right? What if your a closeted gay teen living in a conservative country and your family finds the history?
Then there are people who don’t understand computers using offline business software for accounting, or whatever, and even if they store their data files on an encrypted drive or something, Recall is taking screenshots of everything they do. If they don’t even know its happening, their PC could have years of data that could be stollen from them at any point in the future. Even if they never open those encrypted files again. Obviously, if their computer is pwned, then the hackers could just take the enencrypted files when they’re next accessed, but Recall snapshots everything all the time, even if you delete it.
Edit a self nude photo on your PC and forget to turn off Recall, and then layer decide to delete the photo… Too bad, Recall still has it.
It’s a feature that’s… ok if you want it, but it should not be part of the operating system, and it definitely shouldn’t be opt-out. It should be an app that you install with deliberate purpose if and only if you want itand understand the security and privacy risks.
Microsoft instead wants to install it by default and probably turn it on by default. Even if it ends up being opt-in, MS has a long history of asking people to enable features in misleading ways. And the vast majority of Windows users don’t understand computers!
Imagine if they zero day this.
Someone has already demonstrated using an off-the-shelf infostealer to steal the Recall database from a test computer. It won’t take any special skills or technology for this to be a problem.
Lol “if”. This thing is going to be a massive target.
How could the db be all plaintext unencrypted?!? I mean this is amateur hour at display here
How are they supposed to feed it into their LLMs later if it’s encrypted??
Decrypt it server side like all other encrypted data
If we believe it doesn’t leave the machine then the ai can have a decryption layer
That takes up precious cpu cycles
If only Microsoft required a second prossesor like some sort of module just for encrypting and decrypting things without using additional CPU cycles… What if we also stored the encryption keys on that module so we could trust that platform…
In a hilarious and infuriating side note, MS is obviously doing their absolute best to blame-shift here.
It’s code. It’s a project someone made to graphically illustrate and demonstrate, in the wild, why the entire concept of MS Recall is an absolutely awful, foundationally-flawed idea. It is not a “hacker tool”. The MS c-suite and board members are just pissed that stock go down as a result of their stupidity, and they’re looking for people to blame who aren’t themselves.
Where is the blame shifting? The article says they made no comment and the only MS quotes are just random pr feature blurbs
Dude the headline:
this hacker tool
It’s absolutely not a “hacker tool”. It’s a proof of concept. It’s just code. The author and/or editor is leaning on ingrained negative kneejerk reactions from less knowledgeable members of the general public towards the term “hacker”.
MS is obviously doing their absolute best to blame-shift here
There is not a single word in that article that says anything about blame shifting. That title was written by wired.com