For those who aren’t aware, Microsoft have decided to bake essentially an infostealer into the base Windows OS and enable it by default.

From the Microsoft FAQ: “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers.”

Info is stored locally - but rather than something like Redline stealing your local browser password vault, now they can just steal the last 3 months of everything you’ve typed and viewed in one database.

@GossiTheDog are they just holding "worst security ideas" contests every week
@GossiTheDog I can't see this going live without a literal and figurative revolt, within Microsoft and outside of it.
@GossiTheDog I will watch Microsoft burn if this shit keeps up and roast marshmallows on its smoldering corpse with glee.
@NosirrahSec @GossiTheDog It kind of sucks for PC gamers though. They don't really have a choice.

@Robertcw @NosirrahSec @GossiTheDog Oh they do. You should see how great Windows games can run on GNU/Linux systems thanks to projects like Proton. It's the runtime environment used by the Steam Deck.

Some games run even better with Proton than with a Windows system:

https://mastodon.social/@gamingonlinux/112484756956318819

@NosirrahSec @GossiTheDog So every unlocked workstation, every compromised device. "Recall show me the last adult material I viewed." I can see printed porn coming back into fashion. Or Linux

@TechnicalAdept @GossiTheDog I don't give a shit who knows about my sexual fantasies or my porn habits. (I am not saying that isn't a threat, but it isn't to me lol)

I just fear for those that ARE afraid of this threat, because to them it IS a threat.

@NosirrahSec @GossiTheDog remember those fake extortion scams that pretend to have caught you looking at porn? Ever been tempted to reply to them? "You haven't got my collection of Dwarf Latex Nuns, have you? My original got corrupted."

@TechnicalAdept @NosirrahSec @GossiTheDog

Microsoft is doing in one OS update what visiting hundreds of porn sites over the course of a week once did: inject malware into your PC.

(Read a similar comment earlier today. The thought is not original.)

@NosirrahSec @TechnicalAdept @GossiTheDog Yeah, the abuse use cases are basically unbounded.

Sysadmin looks at password manager once, hacker has credentials to migrate from laptop to every device on the network. Politician looks at the "wrong" thing, high level blackmail. Woman looks at abuse shelters to leave her husband, becomes homicide statistic. HR person looks at employee spreadsheet, hacker has PII for whole company.

You can't spend 5 seconds and not feel morally obligated to stop it.

@wrosecrans @NosirrahSec @TechnicalAdept @GossiTheDog Tangential thought to the HR thing:
Why don't hackers ever release things like salaries and benefits on all employees? Seems like a more chaotic / fun blackmail.
Before you dismiss it as too evil remember that in Norway you can look up anybody's tax return. And they haven't descended into savagery. Much.
@TechnicalAdept @NosirrahSec @GossiTheDog "Show me the adult material you think I'd like most" seems like an additional substantial hazard, even if it somehow doesn't wind up in your training data set because now it's in Edge's cache.

@TechnicalAdept @NosirrahSec @GossiTheDog with generative AI "art" becoming more popular, soon the only refuge for true porn may become the one thing generative AI can't (yet) crack.

That's right. Bring back ASCII art porno, you cowards

@NosirrahSec @GossiTheDog Since Windows 10 I suspected they've been doing this with telemetry so I moved all important stuff other than my Steam account off my Windows boxes years ago. Sucks cause it is a nice OS otherwise.
@NosirrahSec @GossiTheDog it will be labeled as AI features and people won't give a shit until it's too late

@NosirrahSec @GossiTheDog

Probably no revolt within Microsoft... after the massive downsizing, most of their people are either "toxic enablers, willing to support any awful shit 'to get ahead'"... or they're just phoning it in doing the "internal retirement" thing while expecting to be let go in the next reorg.

@GossiTheDog Well, if this doesn't make Year of the Linux Desktop a thing, we're all doomed.
@GossiTheDog about 20 years ago, Google introduced the option to press down arrow and match recent searches in the Google search box. I let a crafty colleague type into my browser momentarily and within a nanosecond, he tried to catch me out by typing the start of a smutty search query to see if there were any matches. I passed the test but learned a lesson about the speed at which someone could reveal something about you.
@GossiTheDog even if it's true that everything concerning #Recall happens locally and is stored locally now, it will be monetized eventually. Either #Microsoft changes some policy or some Zero Day makes it possible to exfiltrate the data. I'm looking forward to the first hack that simply lets a hacker ask your PC for compromising facts...
@GossiTheDog I'm sure there's no problem with this being used in healthcare and banking environments at all. Or even in environments assisting vulnerable communities. I mean, it's not like Microsoft has had any well publicized security issues recently.
@GossiTheDog I think this is excellent progress by humans.
"App developers will be able to hook into Recall to provide a more seamless experience between snapshot and app."

https://www.windowscentral.com/software-apps/windows-11/microsoft-details-how-apps-can-integrate-with-windows-11s-new-ai-recall-feature
Microsoft details how apps can integrate with Windows 11's new AI Recall feature


@GossiTheDog At no point in this video do they mention anyone asking for this. We didn't.

I love that they're leaning hard on the fact that the data is protected from other users. That... doesn't matter. You're running automated enumeration for anyone that gets access under my user context. Don't do that. Jesus.

@GossiTheDog how in the name of fuck are they going to explain this one under shit like the GDPR.
@GossiTheDog it’s like they got a focus group of cybercriminals together when making this

@jgreig @GossiTheDog
@hacks4pancakes

Speaking from my compliance aspect, this comprehensively fails PCI and GDPR immediately and the SOC2 controls list ain't looking so good either.

@munin @jgreig @GossiTheDog the outrage and disbelief are warranted.
Fi, infosec-aspected (@[email protected])

Hey so, This windows recall thing? Enables domestic abuse.

@munin @jgreig @GossiTheDog abused by spouses, abused by employers, by shitty AI developers, abused by criminals… not a single ethic was considered.

@hacks4pancakes @jgreig @GossiTheDog

I want to know the name of the individual who shepherded this system for abuse into the OS, and I want to ask him some -very- fucking pointed questions about why he has chosen to create an unsafe, abusive environment.

@munin @hacks4pancakes @jgreig @GossiTheDog I remember having to take security training at Microsoft and this literally fails every single piece of advice they give for their own fucking employees (because duh, of course it does).

Even if a company thinks they want this on their employees' PCs, no, they don't. Really? You want a searchable movie of everything your worker has done available to anyone with physical access to their machine? Huh.
@munin @hacks4pancakes @jgreig @GossiTheDog Like we literally had to watch slickly produced movies about how people overhearing your work conversations or powerpoint slides accidentally being seen by the wrong people because they didn't have correct security controls on them could be a disaster. It's hilarious.

@aud @hacks4pancakes @GossiTheDog @jgreig

having worked in an environment handling classified materials before, and having had to -clean up- from leakage of them,

@munin @hacks4pancakes @GossiTheDog @jgreig I would be very surprised if this wasn't force disabled on the computers of Microsoft people.
@aud @hacks4pancakes @GossiTheDog @jgreig @munin I have heard that the US govt version of win11 is the unshittified one. They're not shitting where they sleep.
@aud @hacks4pancakes @GossiTheDog @jgreig @munin Or available to a rival company in a lawsuit with good enough lawyers?

@aud @hacks4pancakes @GossiTheDog @jgreig @munin

As Sr/T3 infrastructure and support at an MSP, let me tell you how misinformed clients are. (You know. I'm just saying rhetorically lol)

They will want this. They don't understand risk.

@aud I would say it’s probably illegal at least in Germany, too.

@aud @munin @hacks4pancakes @jgreig @GossiTheDog What shocks me is that MS would create a *discoverable record of activity on every one of their own PCs.

*: In the legal sense, i.e. subject to pretrial subpoena

@munin @jgreig @GossiTheDog @hacks4pancakes this is anecdotal at this point, but it also seems to effectively disable the private browsing feature of every browser but Edge

@munin @jgreig @GossiTheDog @hacks4pancakes

Are we expecting a company like Microsoft, which is small and has no cybersecurity experience, to care about this?

@jgreig @GossiTheDog So they're more willing to protect against potential lawsuits from Disney than someone trying to gain access to your banking information.
@andrewdaviesuk @jgreig @GossiTheDog complying with the DRM angle was very much the bad chef's kiss.
@jgreig @GossiTheDog jesus christ what an absolute fuck 😳
@jgreig @GossiTheDog "We're going to hide Disney content because they're big and it'd hurt if they sue us. We're not hiding your content because you're small and 🤷‍♂️ "

@jgreig @GossiTheDog also, it won’t take screenshots of private browsing windows, but only if you use their browser. If you want the option to choose then it’s a big “fuck you”.

This is some of the most technological dystopian bs I’ve seen in some time

@jgreig @GossiTheDog love how it explicitly says it won't watch your porn but only if you use the 'definitely private mode' in the edge browser, brought to you by the people who turned your whole OS into a surveillance-first experience
@jgreig Move fast, break people
@jgreig @GossiTheDog Probably fails the disabilities act, too. Some people need to enable show-password. And there are unavoidable times everyone needs to view an account number. It’s like there are no adults on that team. And here we are spending huge collective energy/time defending ourselves against something they could have thought about for five minutes. Makes one wonder if this is one of those distraction things people worry about.
@jgreig @GossiTheDog @dangoodin won’t protect your data, but it does protect someone else’s (DRM)
@jgreig @GossiTheDog I hate "cloaking password entry" like the plague. Cloaking password entry is a guarantee for insecure passwords in any environment that uses multiple or stateful keyboards or -layouts.
@jgreig
magically vindicates copyright interests of giant media companies, yet can't be bothered to protect sensitive user data 🤷🏻
@jgreig @GossiTheDog as @munin recently pointed out to me, it's also a domestic violence perpetrator's dream...

@jgreig @GossiTheDog

Hopefully these new security features will mean data generated on the device cannot be tampered with.

https://www.zdnet.com/article/microsofts-latest-windows-11-security-features-aim-to-make-it-more-secure-out-of-the-box/#ftag=RSSbaffb68

Microsoft's latest Windows 11 security features aim to make it 'more secure out of the box'
