Charlie StrossJun 4, 2024

Welp, I knew Microsoft's CoPilot+ Recall was going to be a privacy disaster but I didn't expect it to turn into an enterprise computing catastrophe for Microsoft *quite* this fast!

But this can't be a one-off. Any large enterprise that has to comply with a regulated privacy environment—HIPAA in the USA, GDPR in the EU, banking/insurance/finance globally—must be considering a ban on Microsoft installations on laptop/desktop computers right now or be breaking the law.

https://infosec.exchange/@SecurityWriter/112558224281615019

Security Writer :verified: :donor: (@[email protected])

If you’re wondering how the Microsoft Recall scandal is going, I’ve just had a client tell me they’ve replaced their order for 10k Microsoft Surfaces with new MacBook Airs, at nearly twice the cost, and that we need to start the ongoing 6 month endpoint security project over.

Infosec Exchange
Show threadRivetgeek (He/Him)
@cstross The silver lining is that Recall is only on Surfaces with "NPUs". It's not all Windows 11 or all Microsoft laptops (yet). But still as much backlash as possible is needed, the concept of Recall needs to be burned out before it spreads. Myself I bounced from considering buying a Surface to looking at ThinkPad Yoga.
Jun 4, 2024 at 1:04pmWeb
Show threadCharlie StrossJun 4, 2024

@rivetgeek Intel just now announced next-gen CPUs with an NPU suitable for running this crap ("Lunar Lake"). And there are rumours about them pushing Recall onto Win11 machines that *don't* have an NPU, because Line Must Go Up or something.

I'm just glad, as an Apple user, that Microsoft jumped on this particular landmine first: the probability of Apple announcing anything like this functionality at WWDC next week must now be approximately zero.

Show threadsocJun 4, 2024

@cstross @rivetgeek Apple has been quietly shipping similar stuff for quite a while already.

Or do you think "continuity features" are implemented with magic pixie dust?

Show threadSo‑Called VaughnJun 4, 2024

@soc @cstross @rivetgeek I see nothing in Continuity that requires anything intrusive or sinister: it’s just a zero conf PAN of devices, all must authenticate to a single user; proximity is enforced by BT. All the IP traffic is local, more likely tunneled peer-to-peer; your files, screen, clipboard contents and keystrokes aren’t flying across the public internet.

Someone correct me if I’m mistaken but there is no AI magick involved.

Show threadKatherine SenzeeJun 4, 2024
@vaughnsc @soc @cstross @rivetgeek The problem with Recall is the data storage, not the AI processing it. Remove the AI from the equation entirely and Recall is still a disaster.
Show threadSo‑Called VaughnJun 4, 2024
@ksenzee @soc @cstross @rivetgeek Agree that unregulated data retention is ripe for abuse.
Show threadRoland WallinJun 4, 2024

@ksenzee @vaughnsc @soc @cstross @rivetgeek

I agree that it's still a disaster without the AI, but the AI makes it possible to be truthful when saying "we don't send the data back to Microsoft", while still making it very possible for Microsoft to query the data and have the AI respond. That way, data is stored on your computer, and the AI "chatbot" can be used to ask questions about that data, without sending the actual data back. Your computer just acts as cheap storage.

Show threadFoolishOwlJun 4, 2024
@cstross @rivetgeek The CEO of the Boeing of microprocessors said in an internal video that going forward, the corporation will use AI tools in all design, coding, and validation.
Show threadCharlie StrossJun 4, 2024
@foolishowl @rivetgeek Waiting for the next Pentium FDIV bug to drop in 3 .. 2 .. 1 .. https://en.wikipedia.org/wiki/Pentium_FDIV_bug
Pentium FDIV bug - Wikipedia

Show threadJulesJonesJun 4, 2024
@cstross @foolishowl @rivetgeek I wish I still had that cartoon of a tin of worms labelled "Insel Intide". I think it may be about to come in handy.
Show threadEashwarJun 4, 2024
@rivetgeek @cstross I'm fairly certain that it has already been enabled on, and tested with, non-NPU systems
Show threadEashwarJun 4, 2024
@rivetgeek @cstross Yep, found it: https://cyberplace.social/@GossiTheDog/112546156689144936. Also there is this fun note: https://cyberplace.social/@GossiTheDog/112555262732490331
Kevin Beaumont (@[email protected])

Security and privacy researchers - You can now install Copilot+ Recall on any ARM hardware (doesn’t need an NPU) or in Azure VMs. Guide from @[email protected] The devices launch THIS MONTH to customers so I suggest people look at this. https://github.com/thebookisclosed/AmperageKit

Cyberplace
Show threadZimmieJun 4, 2024
@e_nomem @rivetgeek @cstross Sure, but you have to go out of your way as a user to do this. There’s a meaningful difference between things you can choose to do to make your system less safe, and defaults which the vendor pushes to make your system less safe.
Show threadEashwarJun 4, 2024

@bob_zim I can accept that, fair. It's not enabled on non-NPU systems by default (yet), nor is it available outside ARM builds of Windows AFAIK, and takes effort to turn on even then.

On the other hand, it _is_ possible to enable which means that it is a tool now available by default on ARM installations for malicious actors.

Show threadJayJun 4, 2024

@bob_zim @e_nomem @rivetgeek @cstross When talking about a private user’s risk, yes, and those who are in abusive situations should be concerned that this gives abusers the ability to look back and see what they had been researching.

On a larger scale, if the CEO’s personal computer is often in the secretary’s hands…

Show threadZimmieJun 4, 2024

@WhiteCatTamer @e_nomem @rivetgeek @cstross Again, *default configuration* versus *something someone must take active steps to enable*. This isn’t a complicated distinction.

The latter case has included stalkerware for decades. That’s not new. The only new thing about Recall is the first case.

Show threadb4ux1t3 #1️⃣Jun 5, 2024

@rivetgeek @cstross Nope.

Someone (I forget who) on Mastodon has enabled copilot+ _remotely_ on a machine that does not have the hardware.

:/