Kevin BeaumontSomebody made a tool called Total Recall to dump Recall database and screenshots. https://x.com/xaitax/status/1797349055917416457?s=46
Recent DHS published report handed to the US President which said it had "identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management"
Microsoft: let’s use AI to screenshot everything users do every 5 seconds, OCR the screenshots, make it searchable and store it in AppData!
Searching Recall database for passwords with @awakecoding
If anybody is wondering if you can enable Recall on a machine remotely without Copilot+ hardware support - yep.
I’ve also found a way to disable the tray icon.
I went and looked at YouTube for Recall to get out of the echo chamber and I can only find one positive video. Even the people at the event are slating it, including people with media provided Copilot+ PCs.
There’s some content creators who’ve realised it records their credit cards, so they’re making videos of their cards going walkies.
It’s going to be interesting to see how Microsoft get out of this one. They may have contractual commitments to ship Recall with external parties.
I thought they were risking crashing the Copilot brand with this one, but I was wrong looking at the videos and comments on them - I think they’re crashing the Windows consumer brand.
The reaction to photographic memory of what people do at home has - you’ll be surprised to know - not been seen as a reason to buy a device, but a reason why not to.
Windows Central, about the only outlet giving Recall positive coverage and having articles tweeted by Microsoft staff - have updated their take after being hands on with a device. https://www.windowscentral.com/software-apps/windows-11/microsoft-should-recall-windows-recall-security-researcher-finds-microsofts-new-ai-tool-woefully-insecure
Microsoft has been declining to comment on criticism of Recall for a week - but they have apparently told a journalist off the record at Future that changes will be made before Copilot+ devices drop in the coming days.
This may include an attempt to invalidate researcher criticism, we’ll see.
WIRED has a piece about Total Recall, a now released tool which dumps keypresses, text and screenshots (they’re JPEGs) from Microsoft Recall
https://www.wired.com/story/total-recall-windows-recall-ai/
Total Recall software by @xaitax https://github.com/xaitax/TotalRecall
Example search for ‘password’:
🪟 Captured Windows: 133
📸 Images Taken: 36
🔍 Search results for 'password': 22
📄 Summary of the extraction is available in the file:
C:\Users\alex\Downloads\TotalRecall\2024-06-04-13-49_Recall_Extraction\TotalRecall.txt
I hadn’t been aware until today of the external reaction to Recall. Holy shit. Tim Apple must be pleased.
Everything from media coverage to YouTube to TikTok is largely negative. All the comments are negative.
These videos have tens of millions of views and hundreds of thousands of comments.
I knew it would be bad but.. it’s worse. I’ve spent hours looking at the sentiment and.. well, they probably would have got better coverage from launching an NFT of pregnant Clippy.
A key element of Recall is Microsoft say only you can access your Recall, it is per user.
ArsTechnica enabled Recall on Windows 11 box and tested the claim. By logging in as another user they could access the database and screenshots.
If you want to know how Microsoft have got themselves into this giant mess with Recall, here’s what the documentation says between the lines:
you, the customer, are a simpleton who doesn’t want to be an AI genius yet. Have a caveman mode.
Recall and Copilot+ is also coming to ASUS systems, including AMD, in a deal with Microsoft.
ASUS Announces Complete Portfolio of AI-Powered Copilot+ PCs https://www.asus.com/us/news/pnm9tg6qccql6ern/
Nvidia announced they are bringing Copilot+ and Recall to PCs, in a deal with Microsoft: https://www.theverge.com/2024/6/2/24169568/microsoft-copilot-plus-gaming-pc-nvidia-amd
Three Copilot+ Recall questions that keep coming up.
Q. Can you alter the Recall history?
A. Yes. You can change the OCR database and change the screenshots as the logged in user or as software running as the local user. There is no audit log of changes.
Q. Are they snapshots, as Microsoft says, or screenshots?
A. They are just screenshots, jpegs.
Q. What is to stop apps on your machine accessing your Recall covertly?
A. Nothing. There is no audit log of access.
.@awakecoding becomes the latest person reverse engineering Microsoft Recall https://x.com/awakecoding/status/1798168395583746216
Marc-André Moreau (@awakecoding) on X
@MalwareJake Recall is a melting pot of everything wrong with modern Windows: Per-user app and settings MSIX app setting virtualization Intune MDM per-user policies WinRT generated proxy code Enabled by default, opt-out If you hate it, it's in there, I tell you
If anybody is wondering what Microsoft's reaction to any of the Copilot+ Recall concerns are, they're continuing to decline comment to every media outlet.
I've seen comments MS staff have been given for enterprise customers, which are nonsense handwaving.
Product ships live on devices from Dell, Lenovo etc this month. https://x.com/zacbowden/status/1798221879741931847
As @tiraniddo rightly points out, anybody can programmatically reach the Recall database without admin rights. https://infosec.exchange/@tiraniddo/112566044174482506
James Forshaw :donor: (@tiraniddo@infosec.exchange)
Damn, I really thought the Recall database security would at least be, you know, secure. Turns out Microsoft did pretty much what I blogged about for WindowsApps, except you need to find a specific WIN://SYSAPPID instead. So to bypass the security just get the token for the AIXHost.exe process, then impersonate that and you can access the database, no admin required. Or, as the files are owned by the user, just grant yourself access using icacls etc :D
TotalRecall has been updated to exfiltrate Recall database and screenshots without needing admin rights: https://github.com/xaitax/TotalRecall
GitHub - xaitax/TotalRecall: This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots.
This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots. - xaitax/TotalRecall
You can now remotely dump Recall data and screenshots over the internet from Linux etc. Changes in flight for parsing data too.
Add Recall module for dumping all users Microsoft Recall DBs & screenshots by Marshall-Hallenbeck · Pull Request #335 · Pennyw0rth/NetExec
Gets all users Recall folders and dumps them, then renames screenshots to include .jpg (unnecessary but helpful). I cherry-picked the download_folder functionality from #320 and then improved it du...
YouTubers are continuing to have fun with Recall
Turns out speaking out works.
Microsoft are making significant changes to Recall, including making it specifically opt in, requiring Windows Hello face scanning to activate and use it, and actually encrypting the database.
There are obviously going to be devils in the details - potentially big ones.
Microsoft needs to commit to not trying to sneak users to enable it in the future, and it needs turning off by default in Group Policy and Intune for enterprise orgs.
https://www.theverge.com/2024/6/7/24173499/microsoft-windows-recall-response-security-concerns
Obviously, I recommend you do not enable Recall, and you tell your family not to enable it too.
It’s still labelled Preview, and I’ll believe it is encrypted when I see it.
There are obviously serious governance and security failures at Microsoft around how this played out that need to be investigated, and suggests they are not serious about AI safety.
Microsoft President Brad Smith is going to be grilled by US gov next week. https://therecord.media/microsoft-reverses-course-recall-opt-in
I should be transparent btw that I took Satya and Charlie’s commitment to security at face value too - I even published a blog on it backing that up - and I have concerns (it isn’t just me).
They’re now going to have to win trust back about winning trust back.
I know somebody at a retailer in Europe that is selling Copilot+ PCs. They’ve had fewer than a thousand preorders through to customers.
In relative terms, for them it’s about as successful as Suicide Squad Kill The Justice League.
A reminder that a few weeks ago at RSA, Microsoft signed CISA's Secure By Design pledge... and then shipped an enabled by design keylogger that OCRs your screen constantly into AppData.
Edit: I should say that's less a reflection on Microsoft and more a reflection on CISA's Secure By Design pledge.. it's a good idea, but the scope is extremely limited.
I think MS are a way off extracting themselves from Recall situation they've got themselves into.
This is just one YouTube comments section on a video since the not-enabled-by-default change - 500k views - but there's loads more, similar on TikTok.
I imagine it's going to continue through week and into next week when the laptops ship.
I have heard rumblings MS are discussing trying to take action against me over the whole thing, which a) good luck and b) would be pouring petrol on the flames.
Some backstory - it's being reported Microsoft developed Recall in secret to try to avoid scrutiny. https://www.windowscentral.com/software-apps/windows-11/microsoft-has-lost-trust-with-its-users-windows-recall-is-the-last-straw
I'm hearing that various MSFT people are furious about how this played out over the past few weeks, which IMHO represents a serious lack of introspection.
Microsoft have paused the rollout of Windows 11 24H2 in preview channel, it was the version containing Recall. Microsoft have not explained why.
https://x.com/brandonleblanc/status/1799478915582542199
I don't know if it was publicly known but it was possible to use Recall on more hardware via Mach2, before this was pulled.
I have an image where when viewed on a Copilot+ Recall PC, a Windows process crashes as it tries to process the screenshot.
New email signature?
If anybody is wondering, with a Copilot+ PC, you can still programmatically access the Recall database as of today with a few commands. Launch is a few days away.
Microsoft’s President Brad Smith appears before US House Committee on Homeland Security tomorrow.
His testimony: https://homeland.house.gov/wp-content/uploads/2024/06/2024-06-13-HRG-Testimony-Smith.pdf
In this bit he talks about Recall (not named), where he pats himself and Microsoft on the back for “a feature change” and job well done.
Given it has been a complete cybersecurity and privacy car crash - and as of today the changes (plural) they’re referring to haven’t even been implemented - it seems like Microsoft fails to grasp customer needs: safety.
One other thing - Microsoft's written testimony to the US House says, quoting, bolded by MS:
"Before I say anything else, I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report. Without equivocation or hesitation. And without any sense of defensiveness."
Counterpoint: they publicly disputed the report in the media. https://www.theverge.com/2024/4/25/24139914/microsoft-cyber-security-incidents-trust-report
I should say that if Brad is asked about Recall tomorrow, the answers may raise some.. uh... eyebrows here.
I don't know what MS SLT have been told, but expect fun when the feature drops on consumer laptops in a few days.
As I mentioned in my blog, there is some more security hardening there on Copilot+ PCs (this was before MS put out their blog)... but it's still easily bypassable.
Microsoft’s Recall puts the Biden administration’s cyber credibility on the line
https://cyberscoop.com/microsoft-recall-secure-by-design/
Interesting article. All through this, CISA and the DHS have declined to comment.
The Verge reports today that "Windows engineers are scrambling to get additional changes tested and ready for the release of Copilot+ PCs next week."
It also says "Recall was developed in secret at Microsoft, and it wasn’t even tested publicly with Windows Insiders."
I've also been told Microsoft security and privacy staff weren't provided Recall, as the feature wasn't made available broadly internally either.
https://www.theverge.com/2024/6/13/24177703/microsoft-xbox-game-showcase-windows-recall
Microsoft President Brad Smith just testified to the US House that Recall is a good example of Secure By Design, and that they have the time to get it right (it’s supposed to launch in 3 working days).
Brad Smith just said Recall was designed to be disabled by default. That is not true. Microsoft’s own documentation said it would be enabled by default - they only backtracked after outcry.
He has somehow got almost every detail about Recall wrong while testifying.
I've been back and rewatched the Recall footage at the US House hearing and I just don't get it, Brad Smith representing Microsoft basically did this about Recall's security.. he had no challenge from the Senators as they didn't know any details.
I’m being told Microsoft are prepping to fully recall Recall. Another announcement is being prepped for tomorrow afternoon saying the feature will not ship on Copilot+ devices at launch as it is not secure.
Obviously, I’ll wait to see the announcement but it sounds like they’ve finally realised they need to take the time and get the feature right (and frankly consider the target audience - most home users, it ain’t).
They should have announced this before or during the US House hearing.
Announcement is out. Good on Microsoft for finally reaching a sane conclusion.
- Recall won’t ship as a feature at launch on Copilot+ PCs any more.
- Won’t be available in Insider preview channel at launch, as it was pulled.
When it does appear in preview channels, privacy and security researchers need to keep a close eye on what Microsoft are doing with the feature.
Microsoft tried developing this feature in secret in a way which tried to avoid scrutiny. Thank you to everyone who stood up.
If anybody is wondering, Microsoft moved the announcement up as I scooped them 🤣
Thank you to everyone who helped out with this one, there was no way something that constantly OCR’d the screen being implemented so poorly was acceptable but Microsoft really, really dug their heels in.
Photographic memory of everything you’ve ever done on a computer has to be entirely optional, with risks explained and be done right.. or not at all. Accountability matters.
Microsoft, be better.
If anybody wonders if Recall classifies what porn you watch, yes. Aside from OCRing text it also classifies images in videos.
9 minute 50 second mark in this, screen is blurred for obvious reasons.
Wir haben Windows Recall ausprobiert, damit ihr es nicht müsst
Here’s the clip translated around adult content with Microsoft Recall.
They filter search terms in English like nude - but don’t filter it in other languages.
Everything you view - including in videos - is classified and stored in the database regardless.
Maxi 10x 💉
CMDR Yojimbosan 🅅⁂@GossiTheDog Yeah, I suspect that recording that porn is present on the machine is actually a primary design decision, to "add value" to the employer who owns the machine, or the parent who allows a kid to use one.
EvilGinger- Queen of Naps@GossiTheDog I wonder how it will react to cavers talking about finding new virgin cave passages that have never been explored or mapped yet- how deep does that virgin cave go?
v̾i̾t̾r̾i̾o̾l̾i̾x̾@GossiTheDog even your incognito sessions.
Tim Hergert@GossiTheDog finally a decent actual use case for Recall™! /s
whonose123@GossiTheDog hahaha - so true!
missed_sla@GossiTheDog Making windows more secure is dead simple. You delete it and learn to use Linux.
Erik MoellerThanks so much for all the analysis and coverage.
0xThylacine@GossiTheDog Of course they did. They need to distract attention away from the blatant lies that were just told to the house. It's SOP for companies to stamp out bad publicity before it gets traction in mainstream media, by luring them with another baitline.
Thanks for your efforts btw.
Pamela Barroway – Biz Editor@GossiTheDog Thanks for your great work on this!
Luke Diaz@GossiTheDog I also think this would cause performance issues too and not really much upside for users.
System Adminihater@GossiTheDog What was the point of the feature to begin with?
Andrew 
@GossiTheDog still trying to argue that security is a top priority? If it were, Recall would have never been announced. What a load of shit.
mhoye@GossiTheDog We wouldn't have made it here without your work.
CharlieG@GossiTheDog A good outcome, but an absolute humiliation surely.
trog@GossiTheDog : thanks for your work in looking into this and publicising it. As someone that was horrified by what I was reading, watching it get worse every day, I appreciated your efforts on behalf of Windows users.
Andrew Bartlett
Futuristic Robert [KJ5ELX] 
@GossiTheDog the damage is already done so why not? Reading through this entire thread made me realize I have seen the culture that led to this boondoggle during just about every meeting I’ve attended with Microsoft, and every trouble ticket I’ve opened. From technical to sales. I’m absolutely sure I’m not the only one.
Chester Wisniewski@GossiTheDog This whole thing feels like a desperate ploy to explain to people why they should throw out their PCs to get a new one with an "NPU". Don't want, don't need. They have to include something that "requires" it, even though as already proven, it isn't even needed for this.
Rairii (bootloader unlocked, MSR_LE set)@GossiTheDog totally recalled
Nonya Bidniss 🥥🌴
Tyler Griffin@GossiTheDog Wow! Wild if true. Maybe this has something to do with it: https://arstechnica.com/tech-policy/2024/06/microsoft-in-damage-control-mode-says-it-will-prioritize-security-over-ai/
Kinda hard to say your CEO is "personally responsible" for security whilst rolling out what is basically spyware.
Erik Johnson@GossiTheDog For once Microsoft nails product naming.
Darth Kilroy@GossiTheDog Good, that is really good news.
DiffieHellmanStan (Tony)@GossiTheDog Can't stop smiling and chuckling at "fully recall Recall"
Rick Hunter@GossiTheDog It's because no one on the committee is even in the same arena as the podium. They have no clue how to critically evaluate his responses.
Khalid Pro Max⚡️- Tarrifed@GossiTheDog Do you think these politicians would ask you to testify and give your expert opinion? Also, if they did, would you go?
We need people in power to be accountable for their words, especially when they’re blatantly false and easily disproven.
Gary@khalidabuhakmeh @GossiTheDog
He'd probably have to testify with pre-school level words for these politicians to come close to understanding. 😂
He'd probably have to testify with pre-school level words for these politicians to come close to understanding. 😂
Simon ZerafaClearly it appears that Brad has memory fault 😟🤷♂️
Gary Blosser@GossiTheDog Nah, he is just twisting words really well from a certain point of view.
There is a documented group policy to disable Recall which was shared and published long before their backtrack on making Recall start enabled. Microsoft, by default, always makes group policies to control 'features'. So it was designed to be disabled, 'by default.'
So yeah, scummy but passes lawyer muster. 🙄
Wow...working in government infosec has really corrupted me when I can see that wordplay junk instantly 🫤
Oriel Jutty 
@zombie042 @GossiTheDog Ooh, I see:
- Interpretation 1: "The default state of Recall is to be disabled. This is by design."
- Interpretation 2: "Recall was designed to have an off switch. Creating such an off switch is a matter of course according to Microsoft developer guidelines."
That's messed up.
sluggard 
@zombie042 I’m not watching, but if the Congressperson questioning him lets Smith get away with that statement, it’s a missed opportunity. It sounds like “technically true with his intended meaning, but misleading”.
Compuguy 🐱@zombie042
@GossiTheDog Agreed. Worked in Gov't IT for over a decade. Yes corporate and government agencies can disable it. The public and possibly smaller contractors may not be as informed....😬
@GossiTheDog Agreed. Worked in Gov't IT for over a decade. Yes corporate and government agencies can disable it. The public and possibly smaller contractors may not be as informed....😬
DieMadColonizer@GossiTheDog that's called perjury.
Sergiu Gatlan@GossiTheDog Looks like Brad is one of the guys in Recall's target market 🤷♂️
alphy"He has somehow got almost every detail about Recall wrong while testifying."
"somehow" - Uh, I think you misspelled "intentionally"
Fritz Adalis
Tom Bellin 
@GossiTheDog It's OK. It's not a lie. It's just a hallucination.
JL Johnson 
@GossiTheDog anyone doing the interviews competent enough to call him on his crap?
@GossiTheDog Contempt of Congress?
keithzg@GossiTheDog Even just from that ProPublica SAML story, this certainly would not be the first time he's very publicly lied about what Microsoft thought and when.
@GossiTheDog Kinda seems like a big part of Brad Smith's job is to lie to Congress for Microsoft
Karl Fredrik 🦊@GossiTheDog but is the security gonna be tested verified by external parties first?
I mean, the security is gonna be tested by external parties anyway, the question is if it's gonna happen before or after release.
@infosec_jcp 🐈🃏 done differently72+hr DogFoodHackathonGoGoGoGoGoGoooooHellooooGoGoGOgOooo! 😂
Dany@GossiTheDog Recall is the nightmare that just will not end. I am almost suspecting that they push through to draw attention away from today's ProPublica article on the vuln that enabled the Solarwinds breach.
flere-imsaho 🇺🇦
miketcope
Aut@GossiTheDog Don't worry, no one will be held responsible
Simon Rolfmore@GossiTheDog “we said secure by design, not secure by implementation! The design’s great, we’re just not there yet.”