For those who aren’t aware, Microsoft have decided to bake essentially an infostealer into base Windows OS and enable it by default.

From the Microsoft FAQ: “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers.”

Info is stored locally - but rather than something like Redline stealing your local browser password vault, now they can just steal the last 3 months of everything you’ve typed and viewed in one database.

I've written up my thoughts on the Copilot Recall feature in Microsoft Copilot+ PCs.

I think it will enable fraud and endanger users, and is not the sign of a company who are committed to security first.

https://doublepulsar.com/how-the-new-microsoft-recall-feature-fundamentally-undermines-windows-security-aa072829f218

The UK’s ICO have opened an investigation into Copilot+ Recall. https://www.bbc.co.uk/news/articles/cpwwqp6nx14o

Copilot+ Recall has been enabled by default globally in Microsoft Intune managed users, for businesses.

You need to enable DisableAIDataAnalysis to switch it off. https://learn.microsoft.com/en-us/windows/client-management/manage-recall

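For admins who want to confirm the policy state the post above describes, here is an added PowerShell audit script (not from the thread and not Microsoft's own tooling). It assumes the DisableAIDataAnalysis policy is a DWORD under the WindowsAI policy key at machine and user scope, with 1 meaning snapshots are switched off.

```powershell
# Added example: audit and, with -Enforce, set the DisableAIDataAnalysis policy
# that switches Recall snapshots off. Assumption: the policy is a DWORD named
# DisableAIDataAnalysis under the WindowsAI policy key (HKLM and HKCU), 1 = off.
param([switch]$Enforce)

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI',
    'HKCU:\Software\Policies\Microsoft\Windows\WindowsAI'
)
$ValueName = 'DisableAIDataAnalysis'

function Get-RecallPolicyState {
    param([string]$Path)
    # 'Disabled' only when the value exists and is exactly 1; a missing key,
    # a missing value, or 0 all mean Recall is still allowed to save snapshots.
    if (-not (Test-Path $Path)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

foreach ($path in $PolicyPaths) {
    $state = Get-RecallPolicyState -Path $path
    Write-Output ("{0,-60} {1}" -f $path, $state)

    if ($Enforce -and $state -ne 'Disabled') {
        # Create the key if absent and write the value; the HKLM branch needs an
        # elevated shell, and Intune/GPO will overwrite it on the next policy refresh.
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output ("  -> set {0}=1 under {1}" -f $ValueName, $path)
    }
}
```

Run without switches to report, or with `-Enforce` from an elevated prompt on a machine that is not under Intune management to set the value directly.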

Here’s Copilot+ Recall search in action, showing instant text-based search finding a WhatsApp chat and a PDF from 6 months ago being viewed on screen.

Two quick updates -

A) if you disallow recording of a website in Control Panel or GPO, in Chrome it is still recorded - disallow recording only works in Edge browser

B) Firefox and Tor Browser are recorded always, including in private mode - the exception is Hollywood DRM’d videos

I got ahold of the Copilot+ software.

Recall uses a bunch of services themed CAP - Core AI Platform. Enabled by default.

It spits constant screenshots (the product brands them “snapshots”, but they’re hooked screenshots) into the current user’s AppData as part of image storage.

The NPU processes them and extracts text, into a database file.

The database is SQLite, and you can access it as the user including programmatically. It 100% does not need physical access and can be stolen.

@GossiTheDog ...They built the Torment Nexus on SQLite.

@starchy @GossiTheDog

You have to admit that's quite an endorsement for SQLite. But maybe the SQLite license should be updated to deny its use in implementing a Torment Nexus.

@jonhendry @starchy @GossiTheDog

Given the politics of the SQLite project, I shudder to think what sort of thing they would allow/disallow.

@passenger @starchy @GossiTheDog

It's mostly just the one guy, isn't it?

@jonhendry @starchy @GossiTheDog

Richard Hipp, yeah. As with many projects, a lot of the grunt work of development was done by other people though.

My original comment was related to the notorious code of ethics which he got those other devs to pledge to while working on the project.

If you haven't read it, it's here:
https://sqlite.org/codeofethics.html

(Richard, if you're reading this toot, I deeply respect you as a database engineer, but also wtf?)


@passenger @jonhendry @starchy @GossiTheDog I don't know but if you take the text and remove "lord god" from it, it's not a bad start. Note that I am also an atheist but I am not offended by this. I also wouldn't sign it "as is" but then again, nobody has been forced to as far as I know.

@passenger @jonhendry @starchy @GossiTheDog I started reading, figuring there were 10 rules. By the time I got to the 25th rule and realized that I wasn't even halfway through...

@Andres4NY @passenger @starchy @GossiTheDog

I mean, it's the rules for an order of monks, so in that context it makes sense there'd be a lot.

As a code of ethics for a software project... ehhhhh.

@Andres4NY @jonhendry @starchy @GossiTheDog

And none of those rules are "don't sexually harass people", despite that being the proximal reason why we're now doing codes of conduct. "Don't be a transphobe", "don't be a misogynist" and "don't be a racist" are also things I'd have thought to include.

But then, I'm not a literal saint, so what do I know?

@passenger @Andres4NY @starchy @GossiTheDog

Those probably could fit under various rules in a rather fuzzy and non-specific way.

I mean, “Do no wrong to anyone, and bear patiently wrongs done to yourself.” if diligently followed would probably cover all the things you mentioned.

Of course the problem is that the perpetrator probably doesn't think what they did WAS wrong, thus the need for specifics.

@passenger the write-up in the register a few years back seems sufficient: https://www.theregister.com/2018/10/22/sqlite_code_of_conduct/

@mikebabcock @passenger It was meant as an ethical pledge, but the language is so overloaded that it reads as an introduction to a cult.

Having worked on the #ContributorConvenant v3 @ethicalsource and knowing a few professional codes of ethics, maybe it is time I work on some like time.

#ethics #technologyEthics #SoftwareDeveloment