Obviously, I’ll wait to see the announcement but it sounds like they’ve finally realised they need to take the time and get the feature right (and frankly consider the target audience - most home users, it ain’t).

They should have announced this before or during the US House hearing.

Announcement is out. Good on Microsoft for finally reaching a sane conclusion.

- Recall won’t ship as a feature at launch on Copilot+ PCs any more.

- Won’t be available in Insider preview channel at launch, as it was pulled.

When it does appear in preview channels, privacy and security researchers need to keep a close eye on what Microsoft are doing with the feature.

Microsoft tried developing this feature in secret in a way which tried to avoid scrutiny. Thank you to everyone who stood up.

If anybody is wondering, Microsoft moved the announcement up as I scooped them 🤣

Thank you to everyone who helped out with this one, there was no way something that constantly OCR’d the screen being implemented so poorly was acceptable but Microsoft really, really dug their heels in.

Photographic memory of everything you’ve ever done on a computer has to be entirely optional, with risks explained and be done right.. or not at all. Accountability matters.

Microsoft, be better.

If anybody wonders if Recall classifies what porn you watch, yes. Aside from OCRing text it also classifies images in videos.

9 minute 50 second mark in this, screen is blurred for obvious reasons.

https://youtu.be/2GTI00pFcLc?si=EiBEaJ7Lh66fqRff

Here’s the clip translated around adult content with Microsoft Recall.

They filter search terms in English like nude - but don’t filter it in other languages.

Everything you view - including in videos - is classified and stored in the database regardless.

This is pretty good - detecting Microsoft Recall misuse for data exfil. https://youtu.be/SV9-dn-5uEY?si=jVz9sC4A2wKxeiBt

I tested this against the latest release of Recall and both TotalRecall and these detections still work.

Obviously Recall may well alter before it hits Insider preview channel, nobody needs to rush out detections yet.

Btw all through this saga, Microsoft Defender never triggered Recall specific alerts for me. Sophos did.

Windows 11 24H2 preview release has been rereleased (but only for Copilot+ devices). It doesn’t include Recall any more.

https://www.pcworld.com/article/2370043/windows-11s-latest-update-is-kind-of-insane-in-a-bad-way.html

Additionally the Copilot+ PCs now have an update which enables the other AI features. This wasn’t available until a few hours ago, hence the lack of unsupervised reviews of the devices. It means you will see those reviews drop after the devices launch tomorrow.

There’s a website which gives some insight into how the UI and marketing push for Copilot+ Recall came together. The actual video appears to have gone MIA.

https://www.iamp.at/work/introducing-recall

.@JohnHammond’s video on Recall is great, and a lot of fun - should also stop history being rewritten on this one later.

https://youtu.be/JujkOmvbgGw

I got ahold of what I think is the latest Microsoft Recall (Copilot+ Recall? Nobody knows the branding) build and.. well.. Total Recall still works with the smallest of tweaks to export the database, it's still accessible as a plaintext database with marketing as the security layer.

Another observation, the Recall backlog must be very large as it's just becoming a truck load of features being dumped on.

One thing MS needs to fix in Recall, before the Insider canary build hits again, is the MSRC bug bounty.

As far as I can see, if you find a critical or high in Recall it qualifies for *drumroll* $1k bounty, unless I'm misinformed.

That probably needs clarifying as nobody is going to sell photographic memory access to Windows devices to MS for that value - it's way more valuable elsewhere.

Should Microsoft Recall ever reappear I plan to keep checking how secure it is, because the next evolution of security cannot be Microsoft pouring petrol onto the infostealer fire.

Infostealer malware is swiping millions of passwords, cookies, and search histories. It’s a gold mine for hackers—and a disaster for anyone who becomes a target.

https://www.wired.com/story/infostealer-malware-password-theft/

XDA Developers, who were a good source of behind the scenes info during the Microsoft Recall saga, are saying Microsoft have kicked Recall into the long grass and they think it may never launch. https://www.xda-developers.com/thread/microsoft-wants-you-to-forget-about-copilot-recall-it-seems/

It’s been almost two months since Microsoft said it would launch for Insiders in “weeks” instead.

Microsoft now say Recall will available for Insider testing in October on select Copilot+ PCs.

As a community we’ll need to test the security implications out extensively.

Due to hardware requirements this will obviously be a problem, unless we can hack it to install on non-NPU systems again - I don’t know if that has been ‘fixed’ or not.

https://www.theverge.com/2024/8/21/24225439/microsoft-recall-windows-ai-feature-october-testing

Recall is back.

Overall the planned changes here are much more robust.

Some of the things are boomerangs - eg they said it wasn’t uninstallable weeks ago, but it is now. Also they said it wasn’t developed under Secure Future Initiative a few months ago.. but now say it was originally under SFI.

The proof is in the pudding obviously so hands on tests will be required. They’ve locked it to Copilot+ PC systems now, which will limit research.

https://www.theverge.com/2024/9/27/24255721/microsoft-windows-recall-ai-security-improvements-overhaul-uninstall

Microsoft have recalled Recall again.

It still hasn't even made it to Insider preview yet, that's been delayed too, now in December.

Good, by the way. They should take the time to get it right. I still don't know what they were thinking when they had the CEO stand on stage and say it was launching on devices 6 months ago and would be fully secure, when they hadn't even done a basic security review of it.

https://www.theverge.com/2024/10/31/24284572/microsoft-recall-delay-december-windows-insider-testing

I'd be surprised if it is released in December btw, as Redmond is a ghost town in the office from basically now until mid January.

I guess a cynical version is they're trying to rush out the Insider preview during Christmas so nobody actually reviews it.. but, well, I don't think that would happen as it'd be another own goal. It probably needs 6 months in Insider release with a bug bounty, to avoid exploits dropping like Joker 2 at the box office on release.

In a newly released blog entitled "Windows: AI-powered, cloud-enabled, and secure", Microsoft say the business versions of Windows will ship with Recall disabled by default - IT departments will have to enable the feature before it is available.

This is a smart move and frankly it was incredible that the original idea was to ship this enabled by default in business - it was never, ever going to fly and hopefully Microsoft is rightly humbled by the experience.

https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-ai-powered-cloud-enabled-and-secure/4299069

Microsoft are getting positive press for calling Recall “one of the most secure experiences it has built”.

I’d point out - they haven’t provided a Preview build to Insiders still, and there’s been no externally provided build (outside of NDA), so nobody has been able to assess the security and talk about it. There’s no specific bug bounty for it either.

When they first announced Recall, they called it totally secure - which was laughably inaccurate. It feels like a lot of premature high fiving

Microsoft Recall is now available for testing.

https://www.theregister.com/2024/11/22/microsoft_recall_release/

It’s only available on Qualcomm Snapdragon-powered Copilot+ PCs. My feeling is we’re probably going to want to hook one up to the internet and hack RDP for unlimited sessions, to allow research - I’ll look into it.

I’ve been told Recall is eligible for bug bounty as part of the Insider programme. I think the process is supposed to be sandboxed so in theory (my reading) the payout limit should be $20k.

Microsoft are rolling out Recall to users in Windows Insider (testing) before a wider rollout to all compatible systems.

It's definitely one to watch (and yes, I am) from a security point of view.

https://www.bbc.co.uk/news/articles/cj3xjrj7v78o

I've took a look at the past year of work Microsoft has done on Recall, which is due to roll out to compatible Windows devices soon

tl;dr it's much better from a security and privacy point of view. My partner managed to hack my Recall memory in 5 minutes to browse prior Signal discussions, by guessing my Windows Hello PIN.

There's a bunch of risks people who enable it need to understand.

https://doublepulsar.com/microsoft-recall-on-copilot-pc-testing-the-security-and-privacy-implications-ddb296093b6c

Tabletop scenario for you:

Employee gets into a dispute with employer, leaves, had sensitive role. Employer revokes access, devices etc. Employee had logged in via BYOD to email, IM etc.

Due to Recall, employee walks away with 6 months of screenshots of everything she's ever worked on in a text indexed form - every email, chat, document, Teams call with video snapshots, transcripts of verbal calls etc - even if they set M365 to not store documents locally.

What does the employer do now?

@sawaba @GossiTheDog Sure, but not everyone does that as a regular habit, so it's usually not a big problem. But now, anyone with a Windows machine will be doing that without even knowing it.

I'm not sure what the security around it looks like, but this could be a massive way to leak a ton of data that wouldn't normally be local on a machine. Especially for stuff that's typically accessed via "secure” gateways. Sales folks will have screenshots of client lists, engineers could potentially have screenshots of passwords and configurations.

This feels like a really, really bad idea to me..