
the_doktor ,

Anyone who trusts Microsoft for anything anymore will get what they deserve.

swordgeek ,

Bullshit.

This whole endeavour is looking like a careful plan to implement a smaller, slightly less horrible idea in Win11, and then creep forward from there.

Remember the model to move the goal line, folks:

  • Overreach
  • Capitulate publicly and fall back to your true target
  • Repeat

Best of all, these large steps can be supplemented by nudging things forward with 'adjustments.'

Crozekiel ,

They'll probably come to the "logical conclusion" that storing the data locally on the machine poses "too much risk" and just move the storage to their servers "for your safety"...

shneancy ,

they needed researchers to tell them that?

NutWrench ,

Well . . . the smart people they ignored when CoPilot was first proposed.

Omgpwnies ,

It's PR bullshit to give an excuse for backtracking basically

Lizardking13 ,

Internally people probably talked about how there were huge issues. Others probably said those issues are overstated and it's no big deal. They decided to release it and the press says there are issues. Then, the company decides there are issues. That simple.

CancerMancer ,

Having been the guy in an org shouting not to do something only for it to come back to us this way, the finger-pointing that begins is nuts. Often the people who tried to stop the "feature" from rolling out are the first to get blamed for it being shit.

Classic CYA, make sure everything you said is in writing somewhere.

Lizardking13 ,

I have as well. I won't pretend I'm always right - I've thought some ideas that worked out incredibly were horrible. Also had the situation you describe happen. It's okay when you're working with reasonable people. Show them the slide deck, the email, the analysis, whatever... "Look you didn't approve this". "Here is an alternative". That can work.

Just telling folks "I told you so" isn't usually a great form of communication.

Lifter ,

That's just what we call people spending some time to figure something out. Security research is basically just trying to learn the technology and then trying to break it.

shneancy ,

it did not take me long to figure out that maybe spyware that takes screenshots of what you're doing is a bad idea

Lifter ,

Agreed but someone actually tried it - did the research.

lazylion_ca ,

Why would anyone opt in to this? What is the point of it?

Spotlight7573 OP ,

It's like an automated tipofmytongue but for everything you do on your computer.

GoodEye8 ,

So that you can find that one porn video you watched six months ago that really got you off but you don't remember how you found it.

cley_faye ,

Oh, yeah, thanks for these researchers to have provided insightful feedback such as "don't record private activity", "don't store data in a plaintext user-accessible sqlite database", and "don't do that automatically to everyone eligible, what are you thinking no stop". No way anyone could ever figure these out beforehand. Microsoft was totally stumped when these showed up and most certainly is very honest when they say they're reworking it now, and not at all abusing the PR outrage to slip us something as bad in the meantime.

CrazyLikeGollum ,

So, between the inherent security nightmare that is this feature and the myriad of other things in Windows that push ads, steal user data, and generally make the simple act of using the computer less secure, when do we give Microsoft an APT designation and start treating them as the world's largest vendor of malware on the planet?

ruse8145 ,

I think you should take a calm and sober look at what Microsoft actually does.

You may be right, I don't know, but what I do know is any time I ask people for facts I get "read the end user license agreement" which is typically the furthest from factual a lawyer will get (it's filled with claims that are designed to not hold up, but give a legal leg to stand on for other moves) or "remember candy crush!?!?" But few things in the realm of concrete facts.

CrazyLikeGollum ,

The candy crush thing, or more generally the fact that since Windows 8 they preload third-party applications, is, relatively speaking, a small problem. However, the fact that the specific applications that get preinstalled are based on a targeted advertising profile for the user signed into the PC, assuming you sign in with a Microsoft account, is a bigger problem. While I'm sure they take every possible effort to make those profiles anonymous, the data in aggregate is impossible to anonymize. There is a setting in Windows to disable that data collection, at least for advertising purposes, but it gets toggled back on "accidentally" after some updates.

They also have a number of features, like copilot (the chat bot), previously they had Cortana, that do similar kinds of data extraction. Mostly, in order to actually process the user request, but also to be used to train the model. They store it in an anonymized form, but again, it's impossible to actually do that in practice.

That's just two things that are installed and enabled by default that: collect user data for what I and many others find to be unwanted purposes, don't give the user the option to disable that data collection (only limit it), and seemingly don't even consistently respect the user's choice in that matter. That is by definition spyware.

They also place advertising on the desktop for things like OneDrive subscriptions, MS Office, and other paid Microsoft services. Those preinstalled apps I mentioned before are effectively ads for those applications, many of which are paid apps or have paid components to them. That is by definition adware.

Spyware and adware are forms of malware. Which makes Microsoft a malware vendor.

ruse8145 ,

And when you make hyperbolic comparisons between people who actually make malware that actively destroys people's data or is used for identity theft etc and a company advertising its own products within its own product, I think that makes you a bad faith actor.

Do I think either of the things you listed are good? Absolutely not, I only still use Windows because I'm technical enough to disable most everything I find objectionable and that level of effort is less than making Linux work for me as a daily driver. But this is like when the Linux nerds started calling Ubuntu spyware. If you accept a definition so broad most companies fall into it it becomes useless and so bereft of nuance it actively damages the efforts of those who want change for the better.

ArcaneSlime ,

"It's not spyware if the spying isn't criminally used" is one school of thought, I suppose.

Frankly I agree with the other individual that spying for reasons legal or otherwise constitutes spying enough to say the ware that does it fits the description of spyware. Idgaf if it was only spying on me in order to give me free ice cream and it just wants my favorite flavor, that is still intrusive and I don't like it. If they want to know something they can ask and if I want to tell them I will.

Kekzkrieger ,

Best solution is to not use Microsoft, I just set up an old laptop with Linux Mint to see if it can work for my requirements.

If all goes well I'll just use that for my main PC.

ArcaneSlime ,

Good luck! If you need any help typically there's a stackoverflow somewhere out there with the answer to your problem and if not, linux communities are typically decent about helping these days. Welcome to the club!

jabathekek ,

The fact that it took people not involved with Microsoft to point out and initiate internal change should be everything anyone needs to know.

webghost0101 ,

To be fair I think they mentioned a button to temporarily disable the spying. Either for a time or blacklist an entire application.

Still highly recommended people move away from windows.

Soundhole ,

Right, but the problem is users should be able to use the feature and be confident it's secure. It most assuredly is not as multiple people with access to the pilot program have demonstrated.

I bet some lower level folks within MS knew this would be an issue and screamed into the void about it.

ruse8145 ,

You're right, nobody should ever rely on external feedback for anything. 🙄

nova_ad_vitum ,

Not storing this shit unencrypted was pretty fucking obvious dude.

ruse8145 ,

Pretty straightforward systemic failure -- Dev team, I would guess, assumed full disk encryption would cover it, and nobody checked the assumptions. Or to rephrase: it was fucking obviously encrypted dude.

Spotlight7573 OP ,

It should never have gotten to the external feedback stage because internal feedback should have been sufficient to kill the idea before it even got a name due to it being such a security and privacy risk. The fact that it didn't is worrying from a management perspective.

ruse8145 ,

You're on Lemmy so I assume you're in a tech job, so honestly I'm surprised by your surprise.

lightnsfw ,

Yea, if it's anything like my tech job the peons were raging about it in their group chats while every successive manager up the chain raved about how great it was and how much progress they were making to the guy above him and silencing any dissent.

ruse8145 ,

Exactly, we are on the same page.

That's why external feedback is needed. When you exist within a hierarchy you can discount your "lessers". Everyone needs feedback. "They should've known better" is a fine thing to say but not helpful in a system as devoid of morality or hope as capitalism is.

Spotlight7573 OP ,

I'm not sure I'm surprised at this point any more, just disappointed. All they have to do is just make a stable and secure platform to run apps on. They're going to run out of foot to shoot themselves in sooner or later if they keep this kind of thing up. Too many unforced errors.

h3mlocke ,

Derp a derp

ruse8145 ,

Is this supposed to mean something? I'm old and not up to date on the new script kiddy slang.

conciselyverbose ,

You shouldn't need external feedback to know that putting security cameras inside bathroom stalls is completely deranged.

This is that level.

ruse8145 ,

No, it's not. Check your priorities.

conciselyverbose ,

Yes, it is. Easily. It's that invasive.

It will record your porn if you use a functional browser instead of edge. It will record your nudes if you ever see them on your PC. And on top of that, it will also record all sorts of other sensitive personal information that can be used for identity theft if you just do basic shit like using banking websites. Looking at your passwords at some point in your life is also perfectly normal behavior, and it will expose that too.

ruse8145 ,

This is more akin to you taking a picture of your own junk in a public bathroom stall. Or using face unlock while you're on the toilet.

Obviously nobody's gonna win in an internet argument but you should really take a look at the extremes with which you view this stuff. /Serious.

conciselyverbose ,

Only if your phone is moving that picture to a place that's very easy for anyone who wants to get.

The user is not doing shit. The operating system is massively compromising their expectation of privacy by packaging all their sensitive activity into an easy to grab and go bundle.

Viewing actual extreme behavior as extreme is how it's supposed to work. This is obscenely invasive.

Vanth , (edited )

[Thread, post or comment was deleted by the author]

    Spotlight7573 OP , (edited )

    I'm pretty sure the main picture on the article is what the revised opt in/out message looks like. Previously it was opt-out with just a message describing the feature with a check box to have it open Settings when you were finished with the out of box experience so that you can look at the options later.

    Edit: Fixed mention of opt-in to opt-out, thanks tal.

    MudMan ,

    That's how this works, isn't it? Nobody reads past the headline. Everybody feels about it super strongly, just not strongly enough to actually read about it.

    corbin ,

    This might not be Reddit, but the Reddit behavior is still here.

    phdepressed ,

    Might just be internet/human behavior really.

    0xD ,

    Meatbags gonna meatbag.

    Bimfred ,

    It's not Reddit behavior. It's just the limited capacity we have for dealing with the flood of information we're exposed to. Between that and the daily stresses of work, family and whatever else a given person has going on, there's no time to filter out what is or isn't important, there's no time for nuance or thought, there's only time enough for a knee-jerk reaction before the next aggravating thing comes along.

    corbin ,

    I mean, there's a difference between not reading an article, and several people arguing back and forth over the article that none of them have read. Reddit and Lemmy people do a lot of the latter.

    Bimfred ,

    Cause no one wants to look like the idiot. And when no one has read the article, it's a lot harder to dispute the claims of what the article is about. It's a vicious cycle - someone who hasn't read the actual article makes claims about it, others who also haven't read it react and before you know it, you're ten posts deep, arguing about something that may or may not have happened. All it takes is one person to make an under-informed post and another to pick up on it. The difference between thousands and millions of users affects only the probability of it happening.

    tal ,

    It was opt out before, not opt in, and you made the changes subsequent to install.

    Spotlight7573 OP ,

    Whoops, I mixed them up. It was definitely opt-out before.

    Etterra ,

    Oh boy, sunk cost fallacy time! They'll now waste millions of dollars to salvage this popularly unwanted nightmare in an effort to make it juuust acceptable to shove it down everyone's throats.

    Either that or they'll spend all that money and then pinky-promise that they've made it acceptable, only for all their work to be immediately overcome by bad actors (criminals, corporations, governments, law enforcement, is there even a difference) and be the exact same nightmare anyway.

    bigkahuna1986 ,

    I can never again log into my email or other private account on someone else's computer.

    tal ,

    I mean, it could always have been compromised and had some kind of keylogger or something installed.

    Scrollone ,

    But with Windows 11, you are sure it's compromised.

    SkyNTP ,

    To be fair the possibility of compromise was enough not to do it. Being sure of compromise doesn't change that math all that much.

    FrostyCaveman ,

    That’s the Microsoft™️ Guarantee!

    Kraven_the_Hunter ,

    Yes, but now it definitely does

    lud ,

    Not definitely, Recall will be opt-in and only available on ARM computers with a very specific ARM CPU

    100 ,

    still don't understand why you would ever want to save screenshots of your desktop and also waste disk space

    JPAKx4 ,

    To get the idea of always being watched into your head!

    jabathekek ,

    Literally 1984. No, like, literally literally.

    Soundhole ,

    The AI scans all those screenshots visually and tags them for search later so, for example, an artist could open a file they don't remember the location of from thousands of folders by typing text describing it. That's actually awesome. I imagine lots of people could come up with really useful ways to use something like that. I mean, if it wasn't an Orwellian nightmare.

    Spotlight7573 OP ,

    Yeah, it sounds like it might actually be a useful feature if it wasn't impossible to do it securely and in a privacy respecting way.

    Soundhole ,

    I don't know about impossible. I could see this working on a Linux distro with a local model doing all the work and storing it encrypted locally. Buuuuuut, it still feels risky! That's a giant tranche of juicy, searchable data that just begs to be stolen.

    Spotlight7573 OP ,

    To be fair to Microsoft, this was a local model too and encrypted (through Bitlocker). I just feel like the only way you could possibly even try to secure it would be to lock the user out of the data with some kind of separate storage and processing because anything the user can do can be done by malware run by the user. Even then, DRM and how it gets cracked has shown us that nothing like that is truly secure against motivated attackers. Since restricting a user's access like that won't happen and might not even be sufficient, it's just way too risky.

    nova_ad_vitum ,

    Features like this can almost never be privacy-friendly because they're developed expressly to violate your privacy. The value it provides you, as cool as that could be, is just how it's sold.

    TheGrandNagus ,

    I can definitely see the utility in the feature, it's just that it, conceptually, is such a security risk that it's simply not worth it, even ignoring the data harvesting/storage penalty.

    You enter a discussion and you need to refer to an article you know you've read but can't find? Now you can find it. You want a backpack and remember seeing one you liked but can't remember where you saw it? Ask it to show backpacks you looked at - great now you've tracked it down in seconds rather than spending half an hour.

    But yeah, the security and privacy implications of this are so bad that it's really not worth the tradeoff.

    Lettuceeatlettuce ,

    Go easy on them, they're only a 3 trillion dollar company. It's hard for them to get the resources to build well thought out and secure software.

    Pathetic, so glad I've been on Linux for years. I don't miss Micro$oft one bit.

    ichbinjasokreativ ,

    Right? Before they even officially rolled it out, there are already Python scripts on GitHub that can extract your entire Recall database. They need to just stop.

    Lettuceeatlettuce ,

    Wild for sure. It's pretty clear that M$ isn't interested in making their OS anything more than a portal for their cloud products.

    The overall percentage of revenue that Windows produces for them directly has been steadily shrinking for years while their Azure and cloud services/licensing has grown dramatically.

    I guess it makes sense from that perspective. Call me old fashioned, but I still prefer my OS to be a platform for me to compute locally on and use as I see fit. Not be a bloated ad-ridden portal to a walled garden of proprietary web software.

    Windows has gotten so bad in the last year or so, that I've actually started telling people, "Try Linux, but if that doesn't work for you, just go with Apple."

    Both are scummy, evil mega corps that try to lock you into their platform forever. But at least with Apple, the cage is 24K gold with a little cushion, and you're fed avocado toast & kombucha.

    Windows is a rusty, filthy prison cell where the guards randomly come in to rough you up and you're fed a steady diet of stale bread heels and gruel.

    TheGrandNagus ,

    I'm pissed off I have to use Windows for work.

    My job is almost entirely SSH-ing onto 40 different Linux servers, and doing some networking/bash script stuff, and sending emails.

    It makes zero sense for my workplace to force me to use Windows, but they do. And my god, the laptop is slow. I keep thinking damn I have a laptop 10yrs older than this running Fedora just fine, and Fedora isn't even pegged as a lightweight distro.

    eksb ,

    I feel for the hundreds of engineers at Microsoft who have been yelling about these security issues since day one, but cannot say "I told you so" because they'd get fired.

    snekerpimp ,

    This is exactly what I was thinking. There are plenty of smart people that work there that would have said something before release. They were told to not rock the boat by the yes men and now Microsoft has to backpedal and pretend no one there thought about THOSE implications.

    jordanlund ,

    I survived a similar incident, telling our CEO at the time "you know our product can't do that, right?" I had to show my receipts, present usability studies, and faced incredible pressure, but 2 CEOs later, I'm still here... :)

    Document everything. Keep good notes. You never know when it will be useful.

    woelkchen ,

    Sure but at Microsoft they fire people based on dice rolls

    jordanlund ,

    Or no dice rolls! "Bad luck, you! Bye!"

    thurstylark ,

    Cave Johnson intensifies

    tsonfeir ,

    The damage to their reputation is already done.

    FaceDeer ,

    Don't be so sure. This forum is a bubble, 99% of Windows users have never heard of this feature in the first place let alone any of the details about how it works.

    chaosCruiser ,

    Normies noticed when MS took away the start menu in W8, but didn’t notice when W10 shipped with a ton of spyware “features”.

    tsonfeir ,

    99% of windows users don’t update anyway.

    FaceDeer ,

    Windows Update is automatic by default.
