For those who aren’t aware, Microsoft have decided to bake essentially an infostealer into the base Windows OS and enable it by default.

From the Microsoft FAQ: “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers."

Info is stored locally - but rather than something like Redline stealing your local browser password vault, now they can just steal the last 3 months of everything you’ve typed and viewed in one database.

@GossiTheDog it’s like they got a focus group of cybercriminals together when making this

@jgreig @GossiTheDog @hacks4pancakes

Speaking from my compliance aspect, this comprehensively fails PCI and GDPR immediately and the SOC2 controls list ain't looking so good either.

@munin @jgreig @GossiTheDog the outrage and disbelief are warranted.
Fi, infosec-aspected (@[email protected])

Hey so, This windows recall thing? Enables domestic abuse.

@munin @jgreig @GossiTheDog abused by spouses, abused by employers, by shitty AI developers, abused by criminals… not a single ethic was considered.

@hacks4pancakes @jgreig @GossiTheDog

I want to know the name of the individual who shepherded this system for abuse into the OS, and I want to ask him some -very- fucking pointed questions about why he has chosen to create an unsafe, abusive environment.

@munin @hacks4pancakes @jgreig @GossiTheDog I remember having to take security training at Microsoft and this literally fails every single piece of advice they give for their own fucking employees (because duh, of course it does).

Even if a company thinks they want this on their employees' PCs, no, they don't. Really? You want a searchable movie of everything your worker has done available to anyone with physical access to their machine? Huh.
@munin @hacks4pancakes @jgreig @GossiTheDog Like we literally had to watch slickly produced movies about how people overhearing your work conversations or powerpoint slides accidentally being seen by the wrong people because they didn't have correct security controls on them could be a disaster. It's hilarious.

@aud @hacks4pancakes @GossiTheDog @jgreig

having worked in an environment handling classified materials before, and having had to -clean up- from leakage of them,

@munin @hacks4pancakes @GossiTheDog @jgreig I would be very surprised if this wasn't force disabled on the computers of Microsoft people.
@aud @hacks4pancakes @GossiTheDog @jgreig @munin I have heard that the US govt version of win11 is the unshittified one. They're not shitting where they sleep.
@aud @hacks4pancakes @GossiTheDog @jgreig @munin Or available to a rival company in a lawsuit with good enough lawyers?

@aud @hacks4pancakes @GossiTheDog @jgreig @munin

As Sr/T3 infrastructure and support at an MSP, let me tell you how misinformed clients are. (You know. I'm just saying rhetorically lol)

They will want this. They don't understand risk.

@aud I would say it’s probably illegal at least in Germany, too.

@aud @munin @hacks4pancakes @jgreig @GossiTheDog What shocks me is that MS would create a *discoverable record of activity on every one of their own PCs.

*: In the legal sense, i.e. subject to pretrial subpoena

@munin @jgreig @GossiTheDog @hacks4pancakes this is anecdotal at this point, but it also seems to effectively disable the private browsing feature of every browser but Edge

@munin @jgreig @GossiTheDog @hacks4pancakes

Are we expecting a company like Microsoft, which is small and has no cybersecurity experience, to care about this?

@jgreig @GossiTheDog So they're more willing to protect against potential lawsuits from Disney than someone trying to gain access to your banking information.
@andrewdaviesuk @jgreig @GossiTheDog complying with the DRM angle was very much the bad chef's kiss.
@jgreig @GossiTheDog jesus christ what an absolute fuck 😳
@jgreig @GossiTheDog "We're going to hide Disney content because they're big and it'd hurt if they sue us. We're not hiding your content because you're small and 🤷‍♂️ "

@jgreig @GossiTheDog also, it won’t take screenshots of private browsing windows, but only if you use their browser. If you want the option to choose then it’s a big “fuck you”.

This is some of the most technological dystopian bs I’ve seen in some time

@jgreig @GossiTheDog love how it explicitly says it won't watch your porn but only if you use the 'definitely private mode' in the edge browser, brought to you by the people who turned your whole OS into a surveillance-first experience
@jgreig Move fast, break people
@jgreig @GossiTheDog Probably fails the disabilities act, too. Some people need to enable show-password. And there are unavoidable times everyone needs to view an account number. It’s like there are no adults on that team. And here we are spending huge collective energy/time defending ourselves against something they could have thought about for five minutes. Makes one wonder if this is one of those distraction things people worry about.
@jgreig @GossiTheDog @dangoodin won’t protect your data, but it does protect someone else’s (DRM)
@jgreig @GossiTheDog I hate "cloaking password entry" like the plague. Cloaking password entry is a guarantee for insecure passwords in any environment that uses multiple or stateful keyboards or -layouts.
@jgreig
magically vindicates copyright interests of giant media companies, yet can't be bothered to protect sensitive user data 🤷🏻
@jgreig @GossiTheDog as @munin recently pointed out to me, it's also a domestic violence perpetrator's dream...

@jgreig @GossiTheDog

Hopefully these new security features will mean data generated on the device cannot be tampered with.

https://www.zdnet.com/article/microsofts-latest-windows-11-security-features-aim-to-make-it-more-secure-out-of-the-box/#ftag=RSSbaffb68

Microsoft's latest Windows 11 security features aim to make it 'more secure out of the box'


@jgreig @GossiTheDog @hacks4pancakes "we already found some really big problems fundamental to the idea and here they are. Yes we are absolutely still doing it and it'll be on by default of course.

No, we have no intent to solve any of the problems."