Kevin BeaumontMicrosoft’s President Brad Smith appears before US House Committee on Homeland Security tomorrow.
His testimony: https://homeland.house.gov/wp-content/uploads/2024/06/2024-06-13-HRG-Testimony-Smith.pdf
In this bit he talks about Recall (not named), where he pats himself and Microsoft on the back for “a feature change” and job well done.
Given it has been a complete cybersecurity and privacy car crash - and as of today the changes (plural) they’re referring to haven’t even been implemented - it seems like Microsoft fails to grasp customer needs: safety.
One other thing - Microsoft's written testimony to the US House says, quoting, bolded by MS:
"Before I say anything else, I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report. Without equivocation or hesitation. And without any sense of defensiveness."
Counterpoint: they publicly disputed the report in the media. https://www.theverge.com/2024/4/25/24139914/microsoft-cyber-security-incidents-trust-report
I should say that if Brad is asked about Recall tomorrow, the answers may raise some.. uh... eyebrows here.
I don't know what MS SLT have been told, but expect fun when the feature drops on consumer laptops in a few days.
As I mentioned in my blog, there is some more security hardening there on Copilot+ PCs (this was before MS put out their blog)... but it's still easily bypassable.
Microsoft’s Recall puts the Biden administration’s cyber credibility on the line
https://cyberscoop.com/microsoft-recall-secure-by-design/
Interesting article. All through this, CISA and the DHS have declined to comment.
The Verge reports today that "Windows engineers are scrambling to get additional changes tested and ready for the release of Copilot+ PCs next week."
It also says "Recall was developed in secret at Microsoft, and it wasn’t even tested publicly with Windows Insiders."
I've also been told Microsoft security and privacy staff weren't provided Recall, as the feature wasn't made available broadly internally either.
https://www.theverge.com/2024/6/13/24177703/microsoft-xbox-game-showcase-windows-recall
Brad Smith just said Recall was designed to be disabled by default. That is not true. Microsoft’s own documentation said it would be enabled by default - they only backtracked after outcry.
He has somehow got almost every detail about Recall wrong while testifying.
Obviously, I’ll wait to see the announcement but it sounds like they’ve finally realised they need to take the time and get the feature right (and frankly consider the target audience - most home users, it ain’t).
They should have announced this before or during the US House hearing.
Announcement is out. Good on Microsoft for finally reaching a sane conclusion.
- Recall won’t ship as a feature at launch on Copilot+ PCs any more.
- Won’t be available in Insider preview channel at launch, as it was pulled.
When it does appear in preview channels, privacy and security researchers need to keep a close eye on what Microsoft are doing with the feature.
Microsoft tried developing this feature in secret in a way which tried to avoid scrutiny. Thank you to everyone who stood up.
If anybody is wondering, Microsoft moved the announcement up as I scooped them 🤣
Thank you to everyone who helped out with this one, there was no way something that constantly OCR’d the screen being implemented so poorly was acceptable but Microsoft really, really dug their heels in.
Photographic memory of everything you’ve ever done on a computer has to be entirely optional, with risks explained and be done right.. or not at all. Accountability matters.
Microsoft, be better.
If anybody wonders if Recall classifies what porn you watch, yes. Aside from OCRing text it also classifies images in videos.
9 minute 50 second mark in this, screen is blurred for obvious reasons.
Wir haben Windows Recall ausprobiert, damit ihr es nicht müsst
Here’s the clip translated around adult content with Microsoft Recall.
They filter search terms in English like nude - but don’t filter it in other languages.
Everything you view - including in videos - is classified and stored in the database regardless.
This is pretty good - detecting Microsoft Recall misuse for data exfil. https://youtu.be/SV9-dn-5uEY?si=jVz9sC4A2wKxeiBt
I tested this against the latest release of Recall and both TotalRecall and these detections still work.
Obviously Recall may well alter before it hits Insider preview channel, nobody needs to rush out detections yet.
Btw all through this saga, Microsoft Defender never triggered Recall specific alerts for me. Sophos did.
Microsoft Recall: Detecting Abuse | Threat SnapShot
You've probably heard of Microsoft's new Recall feature by now. It's a info stealer's dream come true. There has been a lot of information release about how ...
Windows 11 24H2 preview release has been rereleased (but only for Copilot+ devices). It doesn’t include Recall any more.
Additionally the Copilot+ PCs now have an update which enables the other AI features. This wasn’t available until a few hours ago, hence the lack of unsupervised reviews of the devices. It means you will see those reviews drop after the devices launch tomorrow.
There’s a website which gives some insight into how the UI and marketing push for Copilot+ Recall came together. The actual video appears to have gone MIA.
Introducing Recall
I led the visualization for the Recall app launch, showcasing its capabilities on a 50-foot screen during the live public introduction by Yusuf. My UI team managed the project from start to finish, developing visuals in the final two weeks. Building on our Recall experiences from the Surface Pro, Surface Laptop, and Copilot+ PC sizzle videos, we enhanced these scenarios for the live stage production, demonstrating Recall's full potential. This dynamic presentation was a highlight, refining Recall’s story for a large audience.
.@JohnHammond’s video on Recall is great, and a lot of fun - should also stop history being rewritten on this one later.
Windows Recall (was) a Security Nightmare
I got ahold of what I think is the latest Microsoft Recall (Copilot+ Recall? Nobody knows the branding) build and.. well.. Total Recall still works with the smallest of tweaks to export the database, it's still accessible as a plaintext database with marketing as the security layer.
Another observation, the Recall backlog must be very large as it's just becoming a truck load of features being dumped on.
One thing MS needs to fix in Recall, before the Insider canary build hits again, is the MSRC bug bounty.
As far as I can see, if you find a critical or high in Recall it qualifies for *drumroll* $1k bounty, unless I'm misinformed.
That probably needs clarifying as nobody is going to sell photographic memory access to Windows devices to MS for that value - it's way more valuable elsewhere.
The Truth about Snapdragon X Laptops…
Should Microsoft Recall ever reappear I plan to keep checking how secure it is, because the next evolution of security cannot be Microsoft pouring petrol onto the infostealer fire.
Infostealer malware is swiping millions of passwords, cookies, and search histories. It’s a gold mine for hackers—and a disaster for anyone who becomes a target.
https://www.wired.com/story/infostealer-malware-password-theft/
XDA Developers, who were a good source of behind the scenes info during the Microsoft Recall saga, are saying Microsoft have kicked Recall into the long grass and they think it may never launch. https://www.xda-developers.com/thread/microsoft-wants-you-to-forget-about-copilot-recall-it-seems/
It’s been almost two months since Microsoft said it would launch for Insiders in “weeks” instead.
Microsoft now say Recall will available for Insider testing in October on select Copilot+ PCs.
As a community we’ll need to test the security implications out extensively.
Due to hardware requirements this will obviously be a problem, unless we can hack it to install on non-NPU systems again - I don’t know if that has been ‘fixed’ or not.
https://www.theverge.com/2024/8/21/24225439/microsoft-recall-windows-ai-feature-october-testing
Recall is back.
Overall the planned changes here are much more robust.
Some of the things are boomerangs - eg they said it wasn’t uninstallable weeks ago, but it is now. Also they said it wasn’t developed under Secure Future Initiative a few months ago.. but now say it was originally under SFI.
The proof is in the pudding obviously so hands on tests will be required. They’ve locked it to Copilot+ PC systems now, which will limit research.
Microsoft have recalled Recall again.
It still hasn't even made it to Insider preview yet, that's been delayed too, now in December.
Good, by the way. They should take the time to get it right. I still don't know what they were thinking when they had the CEO stand on stage and say it was launching on devices 6 months ago and would be fully secure, when they hadn't even done a basic security review of it.
https://www.theverge.com/2024/10/31/24284572/microsoft-recall-delay-december-windows-insider-testing
I'd be surprised if it is released in December btw, as Redmond is a ghost town in the office from basically now until mid January.
I guess a cynical version is they're trying to rush out the Insider preview during Christmas so nobody actually reviews it.. but, well, I don't think that would happen as it'd be another own goal. It probably needs 6 months in Insider release with a bug bounty, to avoid exploits dropping like Joker 2 at the box office on release.
In a newly released blog entitled "Windows: AI-powered, cloud-enabled, and secure", Microsoft say the business versions of Windows will ship with Recall disabled by default - IT departments will have to enable the feature before it is available.
This is a smart move and frankly it was incredible that the original idea was to ship this enabled by default in business - it was never, ever going to fly and hopefully Microsoft is rightly humbled by the experience.
Microsoft are getting positive press for calling Recall “one of the most secure experiences it has built”.
I’d point out - they haven’t provided a Preview build to Insiders still, and there’s been no externally provided build (outside of NDA), so nobody has been able to assess the security and talk about it. There’s no specific bug bounty for it either.
When they first announced Recall, they called it totally secure - which was laughably inaccurate. It feels like a lot of premature high fiving
Microsoft Recall is now available for testing.
https://www.theregister.com/2024/11/22/microsoft_recall_release/
It’s only available on Qualcomm Snapdragon-powered Copilot+ PCs. My feeling is we’re probably going to want to hook one up to the internet and hack RDP for unlimited sessions, to allow research - I’ll look into it.
I’ve been told Recall is eligible for bug bounty as part of the Insider programme. I think the process is supposed to be sandboxed so in theory (my reading) the payout limit should be $20k.
Microsoft are rolling out Recall to users in Windows Insider (testing) before a wider rollout to all compatible systems.
It's definitely one to watch (and yes, I am) from a security point of view.
I've took a look at the past year of work Microsoft has done on Recall, which is due to roll out to compatible Windows devices soon
tl;dr it's much better from a security and privacy point of view. My partner managed to hack my Recall memory in 5 minutes to browse prior Signal discussions, by guessing my Windows Hello PIN.
There's a bunch of risks people who enable it need to understand.
Tabletop scenario for you:
Employee gets into a dispute with employer, leaves, had sensitive role. Employer revokes access, devices etc. Employee had logged in via BYOD to email, IM etc.
Due to Recall, employee walks away with 6 months of screenshots of everything she's ever worked on in a text indexed form - every email, chat, document, Teams call with video snapshots, transcripts of verbal calls etc - even if they set M365 to not store documents locally.
What does the employer do now?
Fi 🏳️⚧️I mean, clearly, this means BYOD cannot be allowed for windows shops;
credentials must only be managed in ways where they can be automatically rotated,
and offboarding must be centrally managed in a way that allows immediate and irrevocable lockdown of all access simultaneously.
Reijo Pitkänen@munin @GossiTheDog So, BYOD dies a messy death because the oroborus of capitalism decides it's cheaper to pay for work devices and real MDM instead of letting employees float the cost of their off-hours wage slavery?
Ugly, but sign me up.
Throw more self-interest entropy into this farce called Recall.
yes, but also that it means the shop has to fully and completely invest in the specific corporate infrastructure and controls to consciously manage all access and credentialing as a specific, intentional design principle for the organization's infrastructure.
That there?
that's -consultant- money.
Adrian Sanabria@reijomancer @munin @GossiTheDog 1. what’s the benefit of BYOD on the other side of the scale? Surely it is greater than the risk.
@sawaba @reijomancer @GossiTheDog
Excellent question.
Yes, all major operating systems do in fact allow screenshotting,
however!
Use of the snipping tool can be disabled for some or all users of a system with a registry entry; this control is made ineffective by Recall
Use of the snipping tool or a third-party application to make screen captures is an auditable action; Recall performs these captures automatically
User-controlled screen capturing is not inherently indexed nor processed in ways that make the contents machine-readable
User-controlled screen capturing does not necessarily have a consistent location on-disk where the records of such captures are stored, where an adversary would be able to script wholesale extraction of said records
There are other issues as well, but these are sufficient to make the point that recall's automated screenshotting, collation, and storage of captures without the specific agency or control of the user is sufficiently different from the prior model as to need a recontextualization and re-evaluation of extant controls to determine efficacy.
Christoph PetrauschAre there still employees that want BYOD? Honestly, why should I pay the IT cost of my employer with my personal budget. But maybe that is more of an US thing. Here in Germany, it never really took of.
Silent.Tom
Matt Hardy 3.11 for Workgroups
@richh has moved
soc@reijomancer @munin @GossiTheDog In which world does "BYOD" not include MDM?
So the obvious answer to Kevin's question is "the employer wipes the device" – case closed.
DHeadshot's AltWorrying certainly, but the article reads as the problem being limited to Copilot+ PCs, which are fairly unpopular anyway? I'm thinking it might be enough to ban BYOD for anyone who might have bought a Copilot+ PC, though erring on the side of caution may be necessary for users who aren't sure what they've bought...
@GossiTheDog
Simon ZerafaThe moral here is to reject BYOD devices with Recall enabled.
Issue your own strictly for business use devices without that nonsense even installed, if that's remains possible in the future.
James Wells@simonzerafa
You need to emphasize `PHYSICAL DEVICE` here, even more than normal. With VDIs, they still need a device to access said VDI's, and will often use their personal devices, which will have Recall on and happily chugging away on the data that is being displayed from the VDI's graphical interface.
As for @GossiTheDog , you really really need to hope that your company is dealing with honorable / honest people or this won't end well.
Carsten
Chris
Sadie@GossiTheDog
It should sue itself for allowing Recall in its environment.
Which I guess means no BYOD
Hugo Mills
Ricky Boone@GossiTheDog But think of the opportunities! This opens the door for Microsoft and security vendors to come up with new solutions to sell to concerned companies! It's a win/win scenario... If you exclude the customer/user.
/s
sortius
XenoPhage 
@sawaba @GossiTheDog Sure, but not everyone does that as a regular habit, so it's usually not a big problem. But now, anyone with a Windows machine will be doing that without even knowing it.
I'm not sure what the security around it looks like, but this could be a massive way to leak a ton of data that wouldn't normally be local on a machine. Especially for stuff that's typically accessed via "secure” gateways. Sales folks will have screenshots of client lists, engineers could potentially have screenshots of passwords and configurations.
This feels like a really, really bad idea to me..
@sawaba @GossiTheDog I may be, yes. But I guess my point is, folks screenshot specific things for the workflows they use. But they won't screenshot everything. Now they'll be screenshotting everything which makes the problem much worse.
Screenshotting has always been a way around DLP solutions. It makes me laugh when I deal with companies who think that locking developers into an AWS workspace with cut/paste to the host disabled will somehow keep their code secure. All they end up doing is frustrating the developers and losing good talent.
I'm just concerned that now the average user will suddenly have screenshots of all of their activity stored on their machines and may not even know it. That goes for home users too where it can be far more problematic since home users generally don't have encryption turned on, etc. Not to mention domestic situations where an abuser can now use this to spy on everything their partner is doing.
@XenoPhage @GossiTheDog yeah, I’ve been thinking about how using recall would change how people use their computers. Regularly seeing screenshots of your own activity might prevent you from doing personal stuff on a work computer, ironically.
But if you don’t realize it is on, it’s just a liability.
Either way, in a corporate setting, I imagine this would be useful for HR to abuse employees. Tons of evidence to use against you if they wanted to.
It would have to massively solve the “find my shit” problem for all the downsides to be worth it.
Phillip 
@GossiTheDog Ok it looks like recall excludes rdp sessions and drm streaming, so that’s good to know.
Face Thumb
riley is gay 
John Keates@GossiTheDog isn’t this the general issue with data access control anyway? As soon as you can see something with your eyeballs, so can a phone with a camera.
Putting a native infostealer in Windows is definitely another order of sillyness, but the idea that anyone can contain data while it’s visible to arbitrary eyeballs/cameras has not really held up for quite a while. I suppose DRM failed the same way, which recall also breaks.
A similar problem exists with a previous product that would have you carry around a camera so it could take pictures of your life for you; if you sat in front of your computer it would store that too. IIRC, Microsoft had one of those too. I guess history just keeps repeating.
Irenes (many)
NewkTaking advantage of a period when there's no pope. A classic Microsoft move!
Jernej Simončič �
raffitz
Jurjen Heeck 🍋
Stephen Borrill
Brian Clark
abadidea
T2R
Noodlemaz
Daniel AJ Sokolov
Robert Link
Asta [AMP]I really, really wish anyone making decisions at Microsoft had cared about that... but there's a long list of things I wish decision makers at Microsoft cared about that they do not.
arclight
Luuk
Ľuboš Moščovič 
It was dangerous idiocy in 2024, it's the same in 2025.
Why Not Zoidberg? 🦑
VessOnSecurity
Steven Op de beeck