Should Microsoft Recall ever reappear I plan to keep checking how secure it is, because the next evolution of security cannot be Microsoft pouring petrol onto the infostealer fire.
Infostealer malware is swiping millions of passwords, cookies, and search histories. It’s a gold mine for hackers—and a disaster for anyone who becomes a target.
https://www.wired.com/story/infostealer-malware-password-theft/
XDA Developers, who were a good source of behind the scenes info during the Microsoft Recall saga, are saying Microsoft have kicked Recall into the long grass and they think it may never launch. https://www.xda-developers.com/thread/microsoft-wants-you-to-forget-about-copilot-recall-it-seems/
It’s been almost two months since Microsoft said it would launch for Insiders in “weeks” instead.
Microsoft now say Recall will available for Insider testing in October on select Copilot+ PCs.
As a community we’ll need to test the security implications out extensively.
Due to hardware requirements this will obviously be a problem, unless we can hack it to install on non-NPU systems again - I don’t know if that has been ‘fixed’ or not.
https://www.theverge.com/2024/8/21/24225439/microsoft-recall-windows-ai-feature-october-testing
Recall is back.
Overall the planned changes here are much more robust.
Some of the things are boomerangs - eg they said it wasn’t uninstallable weeks ago, but it is now. Also they said it wasn’t developed under Secure Future Initiative a few months ago.. but now say it was originally under SFI.
The proof is in the pudding obviously so hands on tests will be required. They’ve locked it to Copilot+ PC systems now, which will limit research.
Microsoft have recalled Recall again.
It still hasn't even made it to Insider preview yet, that's been delayed too, now in December.
Good, by the way. They should take the time to get it right. I still don't know what they were thinking when they had the CEO stand on stage and say it was launching on devices 6 months ago and would be fully secure, when they hadn't even done a basic security review of it.
https://www.theverge.com/2024/10/31/24284572/microsoft-recall-delay-december-windows-insider-testing
I'd be surprised if it is released in December btw, as Redmond is a ghost town in the office from basically now until mid January.
I guess a cynical version is they're trying to rush out the Insider preview during Christmas so nobody actually reviews it.. but, well, I don't think that would happen as it'd be another own goal. It probably needs 6 months in Insider release with a bug bounty, to avoid exploits dropping like Joker 2 at the box office on release.
In a newly released blog entitled "Windows: AI-powered, cloud-enabled, and secure", Microsoft say the business versions of Windows will ship with Recall disabled by default - IT departments will have to enable the feature before it is available.
This is a smart move and frankly it was incredible that the original idea was to ship this enabled by default in business - it was never, ever going to fly and hopefully Microsoft is rightly humbled by the experience.
Microsoft are getting positive press for calling Recall “one of the most secure experiences it has built”.
I’d point out - they haven’t provided a Preview build to Insiders still, and there’s been no externally provided build (outside of NDA), so nobody has been able to assess the security and talk about it. There’s no specific bug bounty for it either.
When they first announced Recall, they called it totally secure - which was laughably inaccurate. It feels like a lot of premature high fiving
Microsoft Recall is now available for testing.
https://www.theregister.com/2024/11/22/microsoft_recall_release/
It’s only available on Qualcomm Snapdragon-powered Copilot+ PCs. My feeling is we’re probably going to want to hook one up to the internet and hack RDP for unlimited sessions, to allow research - I’ll look into it.
I’ve been told Recall is eligible for bug bounty as part of the Insider programme. I think the process is supposed to be sandboxed so in theory (my reading) the payout limit should be $20k.
Microsoft are rolling out Recall to users in Windows Insider (testing) before a wider rollout to all compatible systems.
It's definitely one to watch (and yes, I am) from a security point of view.
I've took a look at the past year of work Microsoft has done on Recall, which is due to roll out to compatible Windows devices soon
tl;dr it's much better from a security and privacy point of view. My partner managed to hack my Recall memory in 5 minutes to browse prior Signal discussions, by guessing my Windows Hello PIN.
There's a bunch of risks people who enable it need to understand.
Tabletop scenario for you:
Employee gets into a dispute with employer, leaves, had sensitive role. Employer revokes access, devices etc. Employee had logged in via BYOD to email, IM etc.
Due to Recall, employee walks away with 6 months of screenshots of everything she's ever worked on in a text indexed form - every email, chat, document, Teams call with video snapshots, transcripts of verbal calls etc - even if they set M365 to not store documents locally.
What does the employer do now?
Signal have rolled out an update to all users that stops Microsoft Recall from capturing Signal conversations.
I’ve tested this and it works. Brilliant work by the @signalapp team. 💪
They call on Microsoft to build better, as there was no standardised way as an app developer to do this. Because Signal is open source, now app developers have a template to protect their users from Windows.
Signal Desktop now includes support for a new “Screen security” setting that is designed to help prevent your own computer from capturing screenshots of your Signal chats on Windows. This setting is automatically enabled by default in Signal Desktop on Windows 11. If you’re wondering why we’re on...
I found an interesting Microsoft Recall issue with the latest version - Recall is enabled on my PC, but the tray icon (bottom right) saying it is running is missing.
Edit: after a reboot, it's back. I'll keep an eye on it. After the latest Windows Update the UI wasn't visible, but it was still recording.
The Register took a look at Microsoft Recall and found it captured personal information, such as social security numbers and such in its database.
They also found they could access it remotely using TeamViewer, using just a PIN.
https://www.theregister.com/2025/08/01/microsoft_recall_captures_credit_card_info/
I still use Recall on my development laptop, and actually use the feature quite a lot through testing Recall... and yet, I've started to get regular engagement prompts to use it lately.
To me this strongly suggests people aren't actually using it in the wild as MS are trying to juice numbers via nudge prompts.
On a separate note I also got prompted to change my default browser to Edge (I use Vivaldi) and my search engine to Bing when switching on my laptop today 🤦
Microsoft are upselling security controls for Microsoft Recall, which allow orgs to limit what it records specifically - if the org pay for Microsoft Purview.
I’ve had a look at how this works under the hood, it is using undocumented features in Recall. https://learn.microsoft.com/en-us/purview/dlp-recall-get-started
Microsoft is reviewing its Copilot+ integrations, and is saying internally that Microsoft Recall has failed.
People familiar with Microsoft's plans say that the company moving to streamline or remove certain Copilot integrations across in-box apps like Notepad and Paint in 2026, after pushback from users.
So @xaitax has cracked Microsoft Recall, he's got access to the encrypted database and has automated dumping of screenshots and all text from screenshots.
I've looked at most recent Recall and yep, you can just read the database as a user process. The database also contains all manner of fields which aren't publicly disclosed for tracking the user's activity.
No AV or EDR alerts triggered, world's #1 in infostealer 😅
* you can just read it in plain text
@Pibert @GossiTheDog @xaitax linux has a lot of developers indeed. More people fix security vulnerabilities in linux than in windows.
More programs work on windows, but windows does most things poorly.
Something interesting happened in the software of windows once, not sure when...
Supposedly at one point it was changed from YOURPC to THISPC.
Like before windows 8.1, I forget when.
But that is a sign that enshittification was coming lol.
@skedarwarrior @Pibert @GossiTheDog @xaitax
It was Windows 95 that had the first onboard ads API. The "developers developers developers" chant was from Ballmer promoting the .net framework at launch in 2000 or so.
@Sempf @skedarwarrior @GossiTheDog @xaitax
It’s just cheaper to just serve windows if the pre-existing software is made for windows APIs.
This is why NVIDIA values so much, it’s because all the software was industrial standardized as CUDA.
@Pibert @Sempf @GossiTheDog @xaitax Still, windows is such an inefficient OS. It does just about everything wrong and in a bloated manner. Especially with each new version. There is 0 reason windows 11's installer image should be over 7GB.
4GB is big enough honestly. And only if you are including a lot of software that people want built in.
Unless people are using a bloated distro like ubuntu, archlinux (yes its bloated, it has a lot of linux frameworks that further bloat the system even though it starts with less) and others as well.
@skedarwarrior @Sempf @GossiTheDog @xaitax
My windows 11 with proprietary drivers use 11GB of RAM and the fans are always noisy, as well as the CPU being like 30% used
@Pibert @Sempf @GossiTheDog @xaitax How many apps are open and which?
Not that this should matter... but I am curious.
I am sure it is using 8x more ram then needed though.
@skedarwarrior @Sempf @GossiTheDog @xaitax
When you open it just opens a bunch of useless process. The Antimalware Service Executable is just 400MB of RAM. And all the process just sum up to be 10-11GB of RAM.
I’m not joking, this OS is bloated to its core.
You need AT LEAST 6GB of RAM if you don’t have any 3rd party proprietary drivers nor any nonsense
@Pibert @Sempf @GossiTheDog @xaitax oof... that is a lot of ram.
I don't even use 2GB of ram mostly unless i go beyond window manager/basic stuff and web browser.
Btw, I didn't mention this, but dual booting is best done with two different SSDs.
Otherwise microslop will try to overwrite your linux partition like a bunch of dbags.
@skedarwarrior @Sempf @GossiTheDog @xaitax
Wtf I read this, no way!!
Maybe I’ll buy a computer just for Linux. You recommend thinkpad?
@skedarwarrior @Sempf @GossiTheDog @xaitax
The Lenovo computers aren’t that bloated right? It’s Chinese hardware, I think China is less invasive lol
@skedarwarrior @Sempf @GossiTheDog @xaitax
Thinkpad is private?
I heard intel CPUs had like the Intel Assistant that like “reads” your content at hardware level. How much or it is paranoia and how much is real?
@Pibert @Sempf @GossiTheDog @xaitax Sounds like it is true if intel me is enabled.
Thinkpads can only be private on a remote level if you disable intel me's network stack and have libreboot or coreboot on said thinkpad and for extra security use ath9k wifi card instead of the default.
People know what ath9k wifi cards actually do, due to them having open source licenses attached to them. They were liberated another words.
They might still do non-remote stuff that if they get physical access to your computer they get a lot of info.
This being said, network stack issue is the real issue.
I refuse to let my computers be ruled by stuff like intel me network stack.
I am sure my computer collects data about me, but if it doesn't transmit it over the internet, that is a major plus to me.
Most computers don't even limit it to that! Alas...
@skedarwarrior @Sempf @GossiTheDog @xaitax
Thanks for sharing!
@skedarwarrior @Sempf @GossiTheDog @xaitax
How do you know it doesn’t transmit? You verify the ports via tcpdump or smth?
@skedarwarrior @Sempf @GossiTheDog @xaitax
What's the "ultimate stack" you recommend to a fully private notebook?
Thinkpad + Libreboot + Verify ports via tcpdump or checking connections + Devuan + Brave without javascript enabled?
Is there a "roadmap" or smth over the web so i can make a better understanding about privacy?
@Pibert @Sempf @GossiTheDog @xaitax I actually use firejail + either icecat or palemoon and have ublock origin, privacy badger and noscript for icecat and for palemoon, ublock origin-legacy, ematrix a umatrix fork.
I don't really check with tcpdump
And the 2nd setup my hyperbola one. the first is my devuan setup and both are FDE - /boot
LUKS2, etc...
You don't have to do all of this.
But that's how far I take it.
I want corporations to have to work to get my data and still no get as much as they want.
If the comp is only for gaming, libreboot + intel me disabled, ath9k wifi card, Devuan without blobs and using wine-staging is what I tend to do.
Obviously the latter is less secure, but if you don't store your best info on it, then no big deal.
As a final note, avoid systemd especially given the age verification nonsense that is being pushed.
Kevin Beaumont
pibert π
skedarwarrior
Bill