For those who aren’t aware, Microsoft have decided to bake essentially an infostealer into the base Windows OS and enable it by default.

From the Microsoft FAQ: “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers.”

Info is stored locally - but rather than something like Redline stealing your local browser password vault, now they can just steal the last 3 months of everything you’ve typed and viewed in one database.

@GossiTheDog it’s like they got a focus group of cybercriminals together when making this

@jgreig @GossiTheDog @hacks4pancakes

Speaking from my compliance aspect, this comprehensively fails PCI and GDPR immediately and the SOC2 controls list ain't looking so good either.

@munin @jgreig @GossiTheDog the outrage and disbelief are warranted.
Fi, infosec-aspected:

> Hey so, this Windows Recall thing? Enables domestic abuse.
@munin @jgreig @GossiTheDog abused by spouses, abused by employers, by shitty AI developers, abused by criminals… not a single ethic was considered.

@hacks4pancakes @jgreig @GossiTheDog

I want to know the name of the individual who shepherded this system for abuse into the OS, and I want to ask him some -very- fucking pointed questions about why he has chosen to create an unsafe, abusive environment.

@munin @hacks4pancakes @jgreig @GossiTheDog I remember having to take security training at Microsoft and this literally fails every single piece of advice they give for their own fucking employees (because duh, of course it does).

Even if a company thinks they want this on their employees' PCs, no, they don't. Really? You want a searchable movie of everything your worker has done available to anyone with physical access to their machine? Huh.

@munin @hacks4pancakes @jgreig @GossiTheDog Like we literally had to watch slickly produced movies about how people overhearing your work conversations, or PowerPoint slides accidentally being seen by the wrong people because they didn't have correct security controls on them, could be a disaster. It's hilarious.

@aud @hacks4pancakes @GossiTheDog @jgreig

having worked in an environment handling classified materials before, and having had to -clean up- from leakage of them,

@munin @hacks4pancakes @GossiTheDog @jgreig I would be very surprised if this wasn't force-disabled on the computers of Microsoft people.

@aud @hacks4pancakes @GossiTheDog @jgreig @munin I have heard that the US govt version of Win11 is the unshittified one. They're not shitting where they sleep.

@aud @hacks4pancakes @GossiTheDog @jgreig @munin Or available to a rival company in a lawsuit with good enough lawyers?

@aud @hacks4pancakes @GossiTheDog @jgreig @munin

As Sr/T3 infrastructure and support at an MSP, let me tell you how misinformed clients are. (You know. I'm just saying rhetorically lol)

They will want this. They don't understand risk.

@aud I would say it’s probably illegal at least in Germany, too.

@aud @munin @hacks4pancakes @jgreig @GossiTheDog What shocks me is that MS would create a discoverable* record of activity on every one of their own PCs.

*: In the legal sense, i.e. subject to pretrial subpoena.

@munin @jgreig @GossiTheDog @hacks4pancakes This is anecdotal at this point, but it also seems to effectively disable the private browsing feature of every browser but Edge.

@munin @jgreig @GossiTheDog @hacks4pancakes

Are we expecting a company like Microsoft, which is small and has no cybersecurity experience, to care about this?