Welp, I knew Microsoft's CoPilot+ Recall was going to be a privacy disaster but I didn't expect it to turn into an enterprise computing catastrophe for Microsoft *quite* this fast!

But this can't be a one-off. Any large enterprise that has to comply with a regulated privacy environment—HIPAA in the USA, GDPR in the EU, banking/insurance/finance globally—must be considering a ban on Microsoft installations on laptop/desktop computers right now or be breaking the law.

https://infosec.exchange/@SecurityWriter/112558224281615019

Security Writer (@[email protected])

If you’re wondering how the Microsoft Recall scandal is going, I’ve just had a client tell me they’ve replaced their order for 10k Microsoft Surfaces with new MacBook Airs, at nearly twice the cost, and that we need to start the ongoing 6 month endpoint security project over.

@cstross The silver lining is that Recall is only on Surfaces with "NPUs". It's not all Windows 11 or all Microsoft laptops (yet). But still, as much backlash as possible is needed; the concept of Recall needs to be burned out before it spreads. Myself, I bounced from considering buying a Surface to looking at a ThinkPad Yoga.
@rivetgeek @cstross I'm fairly certain that it has already been enabled on, and tested with, non-NPU systems
Kevin Beaumont (@[email protected])

Security and privacy researchers - You can now install Copilot+ Recall on any ARM hardware (doesn’t need an NPU) or in Azure VMs. Guide from @[email protected] The devices launch THIS MONTH to customers so I suggest people look at this. https://github.com/thebookisclosed/AmperageKit

@e_nomem @rivetgeek @cstross Sure, but you have to go out of your way as a user to do this. There’s a meaningful difference between things you can choose to do to make your system less safe, and defaults which the vendor pushes to make your system less safe.

@bob_zim @e_nomem @rivetgeek @cstross When talking about a private user’s risk, yes, and those who are in abusive situations should be concerned that this gives abusers the ability to look back and see what they had been researching.

On a larger scale, if the CEO’s personal computer is often in the secretary’s hands…

@WhiteCatTamer @e_nomem @rivetgeek @cstross Again, *default configuration* versus *something someone must take active steps to enable*. This isn’t a complicated distinction.

The latter case has included stalkerware for decades. That’s not new. The only new thing about Recall is the first case.