As reasonable the concerns are... it seems like there's quite a bit of fearmongering over software and hardware that haven't even really gotten into the mainstream yet.
Agreed that there is a bit of exgaerated dread.. but honestly this has all the hallmarks of a monkey knife fight in an elevator, it's hard to imagine how this won't end in disaster
Do you think it would be a better idea to wait until it’s installed and active on every Windows computer before we start a discussion on how bad Copilot is?
Only computers that can run it.... are pretty much none of the computers running 11 today. The CPU needs to have an NPU, as the AI functionality is run locally on the PC.
Go look at all the Windows PCs announced in the last few months and you will see they have NPUs. So again, why would we wait until it is too late to try to stop this nonsense?
Also the “AI” may run locally but it saves the info into an easily accessible and readable SQLite database in the users AppData. It will be trivial for malicious actors to access.
Does anyone yet know how to break stuff like Copilot?
I don't have Win11, but I also never really trust that MS won't surreptiously push this kind of thing in the background to legacy systems, and I don't trust UI toggles within Windows to actually do anything.
Do we know if there are services or files that Co-pilot needs to function?
Hmm that didn’t sound right so I had to look it up. Microsoft says there’s a way to pause the recall snapshot functionality for a set amount of time, like an incognito mode:
Pause or resume snapshots
To pause recall, select the Recall icon in the system tray then Pause until tomorrow. Snapshots will be paused until they automatically resume at 12:00 AM. When snapshots are paused, the Recall system tray icon has a slash through it so you can easily tell if snapshots are enabled. To manually resume snapshots, select the Recall icon in the system tray and then select Resume snapshots.
You don't understand why there's so much fear, uncertainty, and doubt about an on-by-default program that records everything you do? Are you being serious right now?
Yeah not to be obtuse here, but I think the fear is over sensationalized. I haven’t seen it in person, but it seems like this is a totally new product that is similar to idea of browser history, but adds in some modern features. I would like to check it out.
on-by-default
That’s not correct. Based on the documentation, Windows Setup has an option to enable/disable the feature on first boot.
The documentation also says it doesn’t capture incognito windows and I mentioned in my other comment that you can turn it off temporarily and permanently. It doesn’t run all the time no matter what, like some of the comments have suggested.
Disabling the AI snapshotter requires a trip into Settings for ordinary users
Over the weekend, The Verge's Tom Warren posted (on twitter) screenshots showing Microsoft's latest Out-of-Box Experience (OOBE), in which the Recall feature can't be turned off unless the user opens Settings after completing setup.
Now, it's possible things have changed in the last few days, but I wouldn't really expect them to based on the last time I used windows. I also didn't know this before I tried looking it up, so I'll admit I'm a little biased against microsoft.
But the real question is, what documentation are you looking at where you're pulling all this information from? Can you provide a link?
This is a feature hundreds of millions of people will use and very likely won't cause any security issues.
These doomsday scenarios every Linux user here is predicting is a bit much, don't you think so?
We've seen it before, it's not idle speculation. Windows machines have been the hosts of the largest botnets in the world. Whenever a company does something stupid like this it invariably gets into the wrong hands. It's not even a question of if it will happen just when it will happen.
Oh and it's not "Linux users" saying it, it's everybody with an ounce of technical common sense. We're all here shouting at Microsoft "it's a bad idea" and they won't care and it will go exactly as badly as predicted.
Yes, we have seen it many times before. Much ado about nothing.
New feature that will mean some new security measures. Everybody will move on and in a year nobody will remember how some people in the Linux community were panicking.
You can define almost anything as a security risk. But we aren't children to play such stupid games.
We are talking about someone gaining that information and the probability of that happening without even knowing what security mesaures will be in place. I think the risk is negligible even today with the limited information about it that we have now. Other People here, presumably you as well are hysterical about it.
Thats what the discussion is. You actually believe Microsoft will launch this and then everybody will be hacked or something. I think that is... not smart.
Not if it's encrypted and if sensitive information is not saved.
Main point is still that gaining control of someone's computer against their will is practically impossible today. If someone manages to do it, they already have your files and all the sensitive information they could want. They won't even bother with this recall. And if you are worried about it, you will be able to just turn it off.
But it doesn't save completely everything. It does snapshots as far as I understand. So it's unlikely a whole password would be there on a snapshot. And again, it had to be mentioned that anything can be excluded from recall or disabled completely.
At this point it has to be again highlighted that gaining access to a computer is very hard and that in itself is game over scenario. More information can be gained from a keylogger than this recall feature.
A keylogger isn't retroactive to before the keylogger was installed though. Recall is. Also, with Recall you don't need to write keylogging software and get it past antimalware scans (and keep it from getting detected), you just have to get an infostealer past them one single time to take the Recall database.
The video posted by Moorshou literally shows someone getting a password and a credit card number from it. Yes, the password was due to someone clicking the show password button momentarily but do we just never expect people to use those or to not use a password manager that would show the password on screen at some point? Due to it doing text recognition, you would literally be able to just search for "credit card" to find all the times when it was displaying a credit card field on a checkout page or "password" to find all the times someone is logging in or using their password manager. And that's using the built in search, not even exfiltrating the data and processing it with more specialized tools.
You really need to watch that video to see what it can do and how easily it can do it.
So even if it does ship like this guy thinks it will, it will take someone gaining control of the computer and having the victim click show password at the wrong time.
How does any virus run itself? Are you seriously this dense?
Hint: there are many attack vectors, including no-click drive-by downloads, programs from Softonic, etc.
EDIT: Does this person seriously believe that because Microsoft made it, it must be secure, despite that literally having just been proven wrong? And that pointing that out means I need to be smarter than everyone at MS? That explains the delusional argument they're going with.
Oh a knight in shining armour trying to defend my dialogue partner?
Did you ask anyone needed defense? Because I'm pretty sure they don't.
If you read carefully I wrote "or something" at the end implying that I don't know exactly what they believe. It was not that subtle of invitation for them to agree with my first assessment or correct me. I will try to be really blunt in the future, so that you don't missunderstand again.
This system basically do a character recognition on EVERYTHING the user is displaying and save the results in a very small file not that well protected.
The data is very small (I guess because it's basically text?), seems easy to find.
That means the history of all you did on your computer (apparently only for the last three feays by default,but well...) can be stolen at once, in a minuscule file.
I'm not an IT specialist, but I don't see in which world this can remotely be a good idea...
As I understand not everything will be read and stored, storage will be encrypted. We don't even know what exactly will be stored and everybody here is losing their mind.
We already have a lot of sensitive information on our computers and nobody is panicking.
I guess it's hard to get used to new stuff. Or maybe Linux users are afraid that their favourite system won't be able to compete anymore.
Based on what Microsoft themselves said we know: everything will be stored (except edge private session...).
They specifically say they don't do content moderation: they log everything.
Did you read the article?
Q. Cool, so hackers and malware can’t access it, right?
A. No, they can.
Q. But it’s encrypted.
A. When you’re logged into a PC and run software, things are decrypted for you. Encryption at rest only helps if somebody comes to your house and physically steals your laptop — that isn’t what criminal hackers do.
If you are so afraid, you can just turn it of. You are aware of this are you not?
OK if you think I'm trolling, why did you answer?
I give you the benefit of the doubt you are a reasonable person who can go beyond their emotions of a feature of an os. And the emotions this article stirred.
We do know the answers to these questions. And if I can use a 2 line script to exfiltrate all your screen data for days/weeks in under a few MB of data.
So better hope you, never, ever, ever run unauthorized or malicious code, because now it basically has a honeypot of top priority data, always stored in a known location and compressed for easy uploads.
Q. The data is processed entirely locally on your laptop, right?
A. Yes! They made some smart decisions here, there’s a whole subsystem of Azure AI etc code that process on the edge.
Q. Cool, so hackers and malware can’t access it, right?
A. No, they can.
Q. But it’s encrypted.
A. When you’re logged into a PC and run software, things are decrypted for you. Encryption at rest only helps if somebody comes to your house and physically steals your laptop — that isn’t what criminal hackers do.
For example, InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade — now these can just be easily modified to support Recall.
Q. But the BBC said data cannot be accessed remotely by hackers.
A. They were quoting Microsoft, but this is wrong. Data can be accessed remotely.
Q. Microsoft say only that user can access the data.
A. This isn’t true, I can demonstrate another user account on the same device accessing the database.
Q. So how does it work?
A. Every few seconds, screenshots are taken. These are automatically OCR’d by Azure AI, running on your device, and written into an SQLite database in the user’s folder.
This database file has a record of everything you’ve ever viewed on your PC in plain text. OCR is a process of looking an image, and extracting the letters.
Q. What does the database look like?
A:https://twitter.com/GossiTheDog/status/1796218726808748367?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1796218726808748367%7Ctwgr%5E2eccf634534245a77c4f931d8722f1b8c6f23595%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fcdn.embedly.com%2Fwidgets%2Fmedia.html%3Ftype%3Dtext2Fhtmlkey%3Da19fcc184b9711e1b4764040d3dc5c07schema%3Dtwitterurl%3Dhttps3A%2F%2Fx.com%2FGossiTheDog%2Fstatus%2F1796218726808748367image%3D
Q. How do you obtain the database files?
A. They’re just files in AppData, in the new CoreAIPlatform folder.
Q. But it’s highly encrypted and nobody can access them, right?!
A. Here’s a few second video of two Microsoft engineers accessing the folder: https://cyberplace.social/system/media_attachments/files/112/535/509/719/447/038/original/7352074f678f6dec.mp4
Q. …But, normal users don’t run as admins!
A. According to Microsoft’s own website, in their Recall rollout page, they do: https://miro.medium.com/v2/resize:fit:1100/format:webp/0*WGE1jcRzhe6WAGQS
In fact, you don’t even need to be an admin to read the database — more on that in a later blog.
Q. But a UAC prompt appeared in that video, that’s a security boundary.
A. According to Microsoft’s own website (and MSRC), UAC is not a security boundary: https://miro.medium.com/v2/resize:fit:1100/format:webp/1*TTjYNH15IoP_d8JhhG3cEA.png
Q. So… where is the security here?
A. They have tried to do a bunch of things but none of it actually works properly in the real world due to gaps you can drive a plane through.
Q. Does it automatically not screenshot and OCR things like financial information?
A. No: https://miro.medium.com/v2/resize:fit:1100/format:webp/1*OZMjujpALL3IfAQYT64x7Q.png
Do I have to continue or do you think you could actually read the article for the rest? It's clearly a bigger deal than "linux users mad because windows better" and your poor excuse for a troll just makes it look like you're too stupid to read the article laid out in front of you. Well, now you have no excuse so get good.
Sorry I don't take everyones word as truth. This guy is just one guy. One guy against the whole Microsoft corporation whose entire fortune depends on this not to fail in the way he said it certainly will.
Absurd.
doublepulsar.com
Top