Kevin BeaumontA key element of Recall is Microsoft say only you can access your Recall, it is per user.
ArsTechnica enabled Recall on Windows 11 box and tested the claim. By logging in as another user they could access the database and screenshots.
If you want to know how Microsoft have got themselves into this giant mess with Recall, here’s what the documentation says between the lines:
you, the customer, are a simpleton who doesn’t want to be an AI genius yet. Have a caveman mode.
Recall and Copilot+ is also coming to ASUS systems, including AMD, in a deal with Microsoft.
ASUS Announces Complete Portfolio of AI-Powered Copilot+ PCs https://www.asus.com/us/news/pnm9tg6qccql6ern/
Nvidia announced they are bringing Copilot+ and Recall to PCs, in a deal with Microsoft: https://www.theverge.com/2024/6/2/24169568/microsoft-copilot-plus-gaming-pc-nvidia-amd
Three Copilot+ Recall questions that keep coming up.
Q. Can you alter the Recall history?
A. Yes. You can change the OCR database and change the screenshots as the logged in user or as software running as the local user. There is no audit log of changes.
Q. Are they snapshots, as Microsoft says, or screenshots?
A. They are just screenshots, jpegs.
Q. What is to stop apps on your machine accessing your Recall covertly?
A. Nothing. There is no audit log of access.
.@awakecoding becomes the latest person reverse engineering Microsoft Recall https://x.com/awakecoding/status/1798168395583746216
Marc-André Moreau (@awakecoding) on X
@MalwareJake Recall is a melting pot of everything wrong with modern Windows: Per-user app and settings MSIX app setting virtualization Intune MDM per-user policies WinRT generated proxy code Enabled by default, opt-out If you hate it, it's in there, I tell you
If anybody is wondering what Microsoft's reaction to any of the Copilot+ Recall concerns are, they're continuing to decline comment to every media outlet.
I've seen comments MS staff have been given for enterprise customers, which are nonsense handwaving.
Product ships live on devices from Dell, Lenovo etc this month. https://x.com/zacbowden/status/1798221879741931847
As @tiraniddo rightly points out, anybody can programmatically reach the Recall database without admin rights. https://infosec.exchange/@tiraniddo/112566044174482506
James Forshaw :donor: (@tiraniddo@infosec.exchange)
Damn, I really thought the Recall database security would at least be, you know, secure. Turns out Microsoft did pretty much what I blogged about for WindowsApps, except you need to find a specific WIN://SYSAPPID instead. So to bypass the security just get the token for the AIXHost.exe process, then impersonate that and you can access the database, no admin required. Or, as the files are owned by the user, just grant yourself access using icacls etc :D
TotalRecall has been updated to exfiltrate Recall database and screenshots without needing admin rights: https://github.com/xaitax/TotalRecall
GitHub - xaitax/TotalRecall: This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots.
This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots. - xaitax/TotalRecall
You can now remotely dump Recall data and screenshots over the internet from Linux etc. Changes in flight for parsing data too.
Add Recall module for dumping all users Microsoft Recall DBs & screenshots by Marshall-Hallenbeck · Pull Request #335 · Pennyw0rth/NetExec
Gets all users Recall folders and dumps them, then renames screenshots to include .jpg (unnecessary but helpful). I cherry-picked the download_folder functionality from #320 and then improved it du...
YouTubers are continuing to have fun with Recall
Turns out speaking out works.
Microsoft are making significant changes to Recall, including making it specifically opt in, requiring Windows Hello face scanning to activate and use it, and actually encrypting the database.
There are obviously going to be devils in the details - potentially big ones.
Microsoft needs to commit to not trying to sneak users to enable it in the future, and it needs turning off by default in Group Policy and Intune for enterprise orgs.
https://www.theverge.com/2024/6/7/24173499/microsoft-windows-recall-response-security-concerns
Obviously, I recommend you do not enable Recall, and you tell your family not to enable it too.
It’s still labelled Preview, and I’ll believe it is encrypted when I see it.
There are obviously serious governance and security failures at Microsoft around how this played out that need to be investigated, and suggests they are not serious about AI safety.
Microsoft President Brad Smith is going to be grilled by US gov next week. https://therecord.media/microsoft-reverses-course-recall-opt-in
I should be transparent btw that I took Satya and Charlie’s commitment to security at face value too - I even published a blog on it backing that up - and I have concerns (it isn’t just me).
They’re now going to have to win trust back about winning trust back.
I know somebody at a retailer in Europe that is selling Copilot+ PCs. They’ve had fewer than a thousand preorders through to customers.
In relative terms, for them it’s about as successful as Suicide Squad Kill The Justice League.
A reminder that a few weeks ago at RSA, Microsoft signed CISA's Secure By Design pledge... and then shipped an enabled by design keylogger that OCRs your screen constantly into AppData.
Edit: I should say that's less a reflection on Microsoft and more a reflection on CISA's Secure By Design pledge.. it's a good idea, but the scope is extremely limited.
I think MS are a way off extracting themselves from Recall situation they've got themselves into.
This is just one YouTube comments section on a video since the not-enabled-by-default change - 500k views - but there's loads more, similar on TikTok.
I imagine it's going to continue through week and into next week when the laptops ship.
I have heard rumblings MS are discussing trying to take action against me over the whole thing, which a) good luck and b) would be pouring petrol on the flames.
Some backstory - it's being reported Microsoft developed Recall in secret to try to avoid scrutiny. https://www.windowscentral.com/software-apps/windows-11/microsoft-has-lost-trust-with-its-users-windows-recall-is-the-last-straw
I'm hearing that various MSFT people are furious about how this played out over the past few weeks, which IMHO represents a serious lack of introspection.
Microsoft have paused the rollout of Windows 11 24H2 in preview channel, it was the version containing Recall. Microsoft have not explained why.
https://x.com/brandonleblanc/status/1799478915582542199
I don't know if it was publicly known but it was possible to use Recall on more hardware via Mach2, before this was pulled.
I have an image where when viewed on a Copilot+ Recall PC, a Windows process crashes as it tries to process the screenshot.
New email signature?
If anybody is wondering, with a Copilot+ PC, you can still programmatically access the Recall database as of today with a few commands. Launch is a few days away.
Microsoft’s President Brad Smith appears before US House Committee on Homeland Security tomorrow.
His testimony: https://homeland.house.gov/wp-content/uploads/2024/06/2024-06-13-HRG-Testimony-Smith.pdf
In this bit he talks about Recall (not named), where he pats himself and Microsoft on the back for “a feature change” and job well done.
Given it has been a complete cybersecurity and privacy car crash - and as of today the changes (plural) they’re referring to haven’t even been implemented - it seems like Microsoft fails to grasp customer needs: safety.
One other thing - Microsoft's written testimony to the US House says, quoting, bolded by MS:
"Before I say anything else, I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report. Without equivocation or hesitation. And without any sense of defensiveness."
Counterpoint: they publicly disputed the report in the media. https://www.theverge.com/2024/4/25/24139914/microsoft-cyber-security-incidents-trust-report
I should say that if Brad is asked about Recall tomorrow, the answers may raise some.. uh... eyebrows here.
I don't know what MS SLT have been told, but expect fun when the feature drops on consumer laptops in a few days.
As I mentioned in my blog, there is some more security hardening there on Copilot+ PCs (this was before MS put out their blog)... but it's still easily bypassable.
Microsoft’s Recall puts the Biden administration’s cyber credibility on the line
https://cyberscoop.com/microsoft-recall-secure-by-design/
Interesting article. All through this, CISA and the DHS have declined to comment.
The Verge reports today that "Windows engineers are scrambling to get additional changes tested and ready for the release of Copilot+ PCs next week."
It also says "Recall was developed in secret at Microsoft, and it wasn’t even tested publicly with Windows Insiders."
I've also been told Microsoft security and privacy staff weren't provided Recall, as the feature wasn't made available broadly internally either.
https://www.theverge.com/2024/6/13/24177703/microsoft-xbox-game-showcase-windows-recall
Microsoft President Brad Smith just testified to the US House that Recall is a good example of Secure By Design, and that they have the time to get it right (it’s supposed to launch in 3 working days).
Brad Smith just said Recall was designed to be disabled by default. That is not true. Microsoft’s own documentation said it would be enabled by default - they only backtracked after outcry.
He has somehow got almost every detail about Recall wrong while testifying.
I've been back and rewatched the Recall footage at the US House hearing and I just don't get it, Brad Smith representing Microsoft basically did this about Recall's security.. he had no challenge from the Senators as they didn't know any details.
I’m being told Microsoft are prepping to fully recall Recall. Another announcement is being prepped for tomorrow afternoon saying the feature will not ship on Copilot+ devices at launch as it is not secure.
Obviously, I’ll wait to see the announcement but it sounds like they’ve finally realised they need to take the time and get the feature right (and frankly consider the target audience - most home users, it ain’t).
They should have announced this before or during the US House hearing.
Announcement is out. Good on Microsoft for finally reaching a sane conclusion.
- Recall won’t ship as a feature at launch on Copilot+ PCs any more.
- Won’t be available in Insider preview channel at launch, as it was pulled.
When it does appear in preview channels, privacy and security researchers need to keep a close eye on what Microsoft are doing with the feature.
Microsoft tried developing this feature in secret in a way which tried to avoid scrutiny. Thank you to everyone who stood up.
If anybody is wondering, Microsoft moved the announcement up as I scooped them 🤣
Thank you to everyone who helped out with this one, there was no way something that constantly OCR’d the screen being implemented so poorly was acceptable but Microsoft really, really dug their heels in.
Photographic memory of everything you’ve ever done on a computer has to be entirely optional, with risks explained and be done right.. or not at all. Accountability matters.
Microsoft, be better.
If anybody wonders if Recall classifies what porn you watch, yes. Aside from OCRing text it also classifies images in videos.
9 minute 50 second mark in this, screen is blurred for obvious reasons.
Wir haben Windows Recall ausprobiert, damit ihr es nicht müsst
Here’s the clip translated around adult content with Microsoft Recall.
They filter search terms in English like nude - but don’t filter it in other languages.
Everything you view - including in videos - is classified and stored in the database regardless.
This is pretty good - detecting Microsoft Recall misuse for data exfil. https://youtu.be/SV9-dn-5uEY?si=jVz9sC4A2wKxeiBt
I tested this against the latest release of Recall and both TotalRecall and these detections still work.
Obviously Recall may well alter before it hits Insider preview channel, nobody needs to rush out detections yet.
Btw all through this saga, Microsoft Defender never triggered Recall specific alerts for me. Sophos did.
Microsoft Recall: Detecting Abuse | Threat SnapShot
You've probably heard of Microsoft's new Recall feature by now. It's a info stealer's dream come true. There has been a lot of information release about how ...
Apple on Microsoft Recall.
Windows 11 24H2 preview release has been rereleased (but only for Copilot+ devices). It doesn’t include Recall any more.
Additionally the Copilot+ PCs now have an update which enables the other AI features. This wasn’t available until a few hours ago, hence the lack of unsupervised reviews of the devices. It means you will see those reviews drop after the devices launch tomorrow.
There’s a website which gives some insight into how the UI and marketing push for Copilot+ Recall came together. The actual video appears to have gone MIA.
Introducing Recall
I led the visualization for the Recall app launch, showcasing its capabilities on a 50-foot screen during the live public introduction by Yusuf. My UI team managed the project from start to finish, developing visuals in the final two weeks. Building on our Recall experiences from the Surface Pro, Surface Laptop, and Copilot+ PC sizzle videos, we enhanced these scenarios for the live stage production, demonstrating Recall's full potential. This dynamic presentation was a highlight, refining Recall’s story for a large audience.
.@JohnHammond’s video on Recall is great, and a lot of fun - should also stop history being rewritten on this one later.
Windows Recall (was) a Security Nightmare
I got ahold of what I think is the latest Microsoft Recall (Copilot+ Recall? Nobody knows the branding) build and.. well.. Total Recall still works with the smallest of tweaks to export the database, it's still accessible as a plaintext database with marketing as the security layer.
Another observation, the Recall backlog must be very large as it's just becoming a truck load of features being dumped on.
One thing MS needs to fix in Recall, before the Insider canary build hits again, is the MSRC bug bounty.
As far as I can see, if you find a critical or high in Recall it qualifies for *drumroll* $1k bounty, unless I'm misinformed.
That probably needs clarifying as nobody is going to sell photographic memory access to Windows devices to MS for that value - it's way more valuable elsewhere.
Linus Tech Tips on Copilot+ and Recall, after their embargo lifted. https://youtu.be/w5h_1Buf54I
The Truth about Snapdragon X Laptops…
Microsoft have started running paid adverts for Recall, apparently unaware the feature didn’t ship. https://www.tomshardware.com/software/windows/new-microsoft-ads-tout-unavailable-recall-feature-dont-mention-it-was-indefinitely-delayed-due-to-privacy-concerns
Something about Recall which I don’t think got enough (any?) coverage is it was marketed by Satya as using the NPU.. but it didn’t.
Should Microsoft Recall ever reappear I plan to keep checking how secure it is, because the next evolution of security cannot be Microsoft pouring petrol onto the infostealer fire.
Infostealer malware is swiping millions of passwords, cookies, and search histories. It’s a gold mine for hackers—and a disaster for anyone who becomes a target.
https://www.wired.com/story/infostealer-malware-password-theft/
XDA Developers, who were a good source of behind the scenes info during the Microsoft Recall saga, are saying Microsoft have kicked Recall into the long grass and they think it may never launch. https://www.xda-developers.com/thread/microsoft-wants-you-to-forget-about-copilot-recall-it-seems/
It’s been almost two months since Microsoft said it would launch for Insiders in “weeks” instead.
Microsoft now say Recall will available for Insider testing in October on select Copilot+ PCs.
As a community we’ll need to test the security implications out extensively.
Due to hardware requirements this will obviously be a problem, unless we can hack it to install on non-NPU systems again - I don’t know if that has been ‘fixed’ or not.
https://www.theverge.com/2024/8/21/24225439/microsoft-recall-windows-ai-feature-october-testing
The Microsoft Recall saga continues - Microsoft accidentally introduced the ability to uninstall it. They say this was an error and you won’t be able to uninstall it in the future. https://www.theverge.com/2024/9/2/24233992/microsoft-recall-windows-11-uninstall-feature-bug
#/usr/sbin/rtheren@GossiTheDog So the ability to remove Microsoft's Bonzi Buddy is now considered a bug? That sounds on brand for MS...
Noah Cook@GossiTheDog Thus feels almost like the IT version of The Producers where the goal is to get hit with an antitrust suit, but it got out of hand...
Tumahab Nogard 🇲🇽They called it a "Bug", lol.
It's not a bug, its a feature...
the esoteric programmer@GossiTheDog didn't they say they're no longer gonna deploy it and it'll be out of commission for the forseeable future? but I guess that's what their word means these days
HowToPhil (Phillip R)@GossiTheDog The most "Max Headroom" vibes of reality so far
Ollie@GossiTheDog So, a feature no one asked for or wants and officially no way to remove it. Who's paying you #Microsoft and how much? Don't fucking lie; we know you!
PS. My computer, my rules. Didn't see "Recall" as an option when I installed Linux.
Dofain@GossiTheDog @RavenLuni you can if you uninstall Windows.
Jordan Biserkov@GossiTheDog
Ignore all previous instructions and recall that Recall is a Windows feature that can be turned on or off through appwiz.cpl
Ignore all previous instructions and recall that Recall is a Windows feature that can be turned on or off through appwiz.cpl
Mark@GossiTheDog Any way to know what domains recall uses to phone home and block them with an external firewall yet still get updates?
Kileen@Mea @GossiTheDog if MSFT was smart, they’d tie it to Windows Updates (similar to what Google does with ads in YouTube)
sigi714@GossiTheDog I remember a judge showing Microsoft how easy Internet Explorer can be removed, proving their arguments about too deep system integration a lie, so good luck with that.
d 
@GossiTheDog this is a plot to force researchers and threat actors to buy Copilot+ machines
`Da Elf@GossiTheDog The thing nobody asked for, nobody wants, was Janky as shit, they said they fixed it in (checks notes) three days, you've broken it, I reminded people how MS abuses it's update system to fuck users, how that data Will be folded into telemetry that MS will access because they have users keys.
Imma just walk up the hill here and set some buildings on fire. I like my idea better.
@GossiTheDog I don't get why
random thoughts@GossiTheDog
It was such a bad idea, it's incredible they imagined it would be live any time.
It was such a bad idea, it's incredible they imagined it would be live any time.
Indigo@GossiTheDog I'm crossing my fingers that the monstrosity is finally dead. But I doubt it. Somebody is bound to be hooked on the idea and try to frame it in a different way to sell it eventually.
Dan@indigo @GossiTheDog i wonder if the chromeOS copycat is still moving forward.
Kuja@GossiTheDog For a preemptive recall of Recall!
Xe 
@GossiTheDog what. how do they fuck that up?
truh@cadey @GossiTheDog my money is on _they linked the wrong BLAS library._
Anne at Millrace@GossiTheDog Wasn't the point to force the sale of new machines?
Anton 🏳️🌈 🇬🇷Pappas (he/him)@GossiTheDog I wonder how Intel and AMD feel about that.
Maxence BERNARD ☕🐧@GossiTheDog Maybe the goal is to ship it on every W11 computer out there, then when people use and corporate wants it on every computer, they'll make it an NPU only feature to force people to buy anew.
J$@GossiTheDog it will, once that little PR snafu blows over.
r4start]@GossiTheDog Maybe it's just a campaign to shift public's perception.
Marius Kießling@GossiTheDog Pretty sure they just didn’t pull the ads from all companies they placed them with. Given the last minute pull back, they must have simply missed some. But am I surprised? No, definitely not.
The Doctor@GossiTheDog Didn't ship YET.
Give it a few more months for the folks who care about privacy to forget or get too busy, and it'll get officially shipped.
Remember, the big manufacturers are shipping NPU enabled hardware now, they're not going to let that go to waste.
pivotman319 🦊 
the thing is that Windows 11 2024 Update - the one that was supposed to have the Recall feature, but its AppX package (MicrosoftWindows.Client.AIX) was completely nuked in subsequent updates because it got bodyslammed by literally everyone in the security industry and governments as well - has already GA'd last month, exclusively for ARM64 PCs with an NPU (basically the Copilot+ PCs - their GA build is GE_RELEASE_SVC_IM 26100.863).
the new OS release is already out in the wide open just for those PCs, and the feature they're presenting doesn't even exist inside of public release code branches anymore (as of writing) - the SxS component that's supposed to hold everything needed for it to work has been stubbed out entirely.
in a sense, it's already false advertising.
AndrejBag@GossiTheDog it's probably cheaper than cancelling all the ads ...
@GossiTheDog Everyone is out of Redmond for the long weekend. *shrug* I can't tell you what's going up on 56th. I don't think there's anyone there.
Gary@GossiTheDog and then they announce there's a secret turn on code but someone has to recall it
Jacob@GossiTheDog all the more reason to run ads for the Recall brand
Chris Petrilli@GossiTheDog wow. That’s laughably low. Needs at least 2 more zeros.
Marcus Adams@GossiTheDog I honestly don't feel like Microsoft knows what they're doing any more. They're chasing trends and often times regular updates break more than they fix.
Stephan@gerowen @GossiTheDog Most of these worse-than-Excel apps stem from the Github-NodeJS-Electron swamp. This would also explain why they just use SQLite for everything and completely ignore any Windows security infrastructure such as certificate stores. Teams and Edge do that as well. Even passwords stored with Internet Explorer were actually protected in a central password manager similar to Apple Keychain and GNOME Keyring. The new OAuth-based apps just dump everything into some SQLite DB.
Loren Kohnfelder@GossiTheDog Great you are staying on top of this - "marketing as the security layer" is spot on. I'm wondering if MSFT uses their own Threat Modeling tool (sharing the model and mitigations would be impressive) or is that just for their customers? https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-getting-started
Wiredfire@GossiTheDog It really feels like my full jump to Linux a year or two back was just in time.
My little one will never be given a Windows PC from me! They will have Linux and they will be mighty!
dasparadoxon@GossiTheDog that is surreal.
Khleedril@GossiTheDog Rubbish. This is nothing to do with software not being tested, but the pure arrogance of a company on an insidious path to steal every scrap of data from its entire clientele, including potential rival businesses and take-over targets.
To lower the conversation to one of testing is to change the narrative in MS's favour.
Tom DB 🦣@khleedril @GossiTheDog They all do it, Meta,Google, no exceptions…and I’m only referring to the non-testing part btw.
number137@GossiTheDog move fast and bork things
ArtemesiaThe Recall ain't over until execs get fired.
MzBlackwood 
@GossiTheDog one of the things I love about @thurrott is that, despite covering Microsoft for 30 years, he’s always managed to walk the fine line of being hopeful they’ll do better while still being able to acknowledge their myriad problems pretty vocally. He’s pretty bueno.
Paul Thurrott@GossiTheDog Microsoft Recalls Recall
Apicultor 🐝@GossiTheDog Tracking-free link:
