Security Researcher Calls Windows 11 AI 'Recall' Screenshotting Feature a Disaster [Updated]

[Abazigal]

It also gains access to passwords in Windows' password manager, payment methods in your browser, cookies, access to all your drives, etc.

Recall or not, you're cooked if a bad actor gains that much access to your machine.

Hacking into my account won't give the perpetrator access to a password-protected document; Recall would.

The more I think about it, the more this feels like the folks at Microsoft being tasked by management to come up with AI-infused software tools just so they have something to show to investors, never mind how inane or useless it may be. The end result is something like Recall, which while technically impressive, strikes me as a solution looking for a problem.

I am still struggling to see the point of this feature. Let's say I can't find a document or delete it by mistake. I can use recall to .... hopefully search for a screenshot of me working on it some time in the past, and then I still have to recreate the file from scratch?

Nobody in their right mind would be hitting "print screen" on their keyboard every 5 seconds while they work, so why would I want the OS doing it for me?

 

[ProbablyDylan]

Hacking into my account won't give the perpetrator access to a password-protected document; Recall would.

Finally, a good point! You're absolutely right. They mentioned it would not be able to capture DRM-protected content, but a password protected word file for example isn't traditional DRM.

I wonder if developers could exclude their program from being reordered via a flag or something.

 

[Crowbot]

Finally, a good point! You're absolutely right. They mentioned it would not be able to capture DRM-protected content, but a password protected word file for example isn't traditional DRM.

I wonder if developers could exclude their program from being reordered via a flag or something.

Flags can be flipped. It would be a prime attack vector. I just don't see how they could turn this into a good thing.

 

[maxoakland]

The user would need to deliberately grant admin rights to the malicious program. it is not on Microsoft to prevent users from running (and elevating!) potentially malicious software.

That’s not how admin rights work on Windows

 

[ProbablyDylan]

That’s not how admin rights work on Windows

I'm pretty sure it is. If a program wants to run as administrator, or a user wants to run the program as administrator, they get a UAC prompt to grant it permission.

 

[maxoakland]

I'm pretty sure it is. If a program wants to run as administrator, or a user wants to run the program as administrator, they get a UAC prompt to grant it permission.

I guess if that's what you mean by explicit, it's technically accurate but a UAC prompt is not quite what I would call "explicit" permission. Or at least it's not explicit enough. Most of the time people get a prompt like that and click OK without reading it

Having to enter your password is better but still not great

The way Apple does it for things like screen recording should be the lowest bar for access to that database of information since it can have such sensitive data and the user most likely doesn't realize that

 

[NT1440]

I guess if that's what you mean by explicit, it's technically accurate but a UAC prompt is not quite what I would call "explicit" permission. Or at least it's not explicit enough. Most of the time people get a prompt like that and click OK without reading it

Having to enter your password is better but still not great

The way Apple does it for things like screen recording should be the lowest bar for access to that database of information since it can have such sensitive data and the user most likely doesn't realize that

It's "explicit" in the way that MFA prompts that don't require paying any attention are. User's just get used to having to do this extra step and become blind to what its actually asking. Basically, it is "explicit" consent in mumbo jumbo land of compliance language.

I'm actually implementing a block on Recall right now, well before the W11 update for it is even out for our environment.

 

[purplerainpurplerain]

Recall getting recalled

Microsoft Will Switch Off Recall by Default After Security Backlash

After weeks of withering criticism and exposed security flaws, Microsoft has vastly scaled back its ambitions for Recall, its AI-enabled silent recording feature, and added new privacy features.

www.wired.com

 

[Delivered]

And Apple's proposal to scan pictures for CSAM data locally on iPhones? Apple hasn't always gotten it right, but at least they listened to reason in the end and retracted the proposal.

I had my issues with that same as the next person. In the end I'm happy they listened (at least according to their public approach who knows if privately they're doing it anyway). You're correct apple does make mistakes.

I will say even if they aren't 100% earnest at least they still talk about privacy like it's important New Microsoft and New Google in the AI era have given up all pre-tense and just trying to drive a final nail in the coffin of privacy by telling us the convenience is worth our data.

As much as I've worried about apple's control over so many of my daily devices (I'm one that wants side loading and ability to install other OSs on all my devices so I feel in control of them), at this current point it feels to me that Microsoft and google have come across as just as much villains as amazon and Facebook (maybe one tier below) but apple seems the least evil of all these tech companies.

it helps that I still feel like apple cares about the quality of devices they put out there.

 

[Macalway]

I'm going to use it. You get these conspiracy, big brother arguments, no surprise there LOL. I can't be certain, but I wouldn't think this puts me at any more risk than I already am at.

Will risk (not made up risk, but actual) increase? At present, it most likely won't decrease, but AI+recall itself may actually be useful to prevent malware. It's just weighing the pros and cons, the usual.

(Am I alone here? Help!....)

 

[Crowbot]

I'm going to use it. You get these conspiracy, big brother arguments, no surprise there LOL. I can't be certain, but I wouldn't think this puts me at any more risk than I already am at.

Will risk (not made up risk, but actual) increase? At present, it most likely won't decrease, but AI+recall itself may actually be useful to prevent malware. It's just weighing the pros and cons, the usual.

(Am I alone here? Help!....)

To me, it seems like something that will work...until it goes bad. Holes in the system will be found.

 

[Queen6]

Microsoft & Trust, is not something that resonates. They burnt that bridge way back. I run W10 & W11 but well & truly locked down for good reason. I'd have more trust in a drunken monkey on acid then MSFT, self-serving lying bastards who couldn't walk a straight line if their life depended on it...

Whoever came up with the idea of Recall clearly has no clue of the companies history...LOL. Microsoft is just a necessary evil today. I use their OS for gaming that's it. Real work is done on macOS or Linux nor on their Office package binned that rubbish over a decade ago...

Recall is just spyware plain & simple and a disaster waiting to happen. I Don't trust Apple explicitly, but is a step up on Microsoft...

Q-6

 

[Crowbot]

Microsoft & Trust, is not something that resonates. They burnt that bridge way back. I run W10 & W11 but well & truly locked down for good reason. I'd have more trust in a drunken monkey on acid then MSFT, self-serving lying bastards who couldn't walk a straight line if their life depended on it...

Whoever came up with the idea of Recall clearly has no clue of the companies history...LOL. Microsoft is just a necessary evil today. I use their OS for gaming that's it. Real work is done on macOS or Linux nor on their Office package binned that rubbish over a decade ago...

Recall is just spyware plain & simple and a disaster waiting to happen. I Don't trust Apple explicitly, but is a step up on Microsoft...

Q-6

Gee. Don't hold back. 😆

 

[ifxf]

Apple does the same thing. They introduced a feature that allowed their apps to bypass firewalls and VPN, eventually they removed it. All companies want access to your dat even Apple.

 

[ghanwani]

Sad what big tech is always trying to get away with. They are perpetually pushing the boundaries. It's like their Chief Ethics Officers are all on vacation or something.

 

[Crowbot]

Apple does the same thing. They introduced a feature that allowed their apps to bypass firewalls and VPN, eventually they removed it. All companies want access to your dat even Apple.

But as far as I know, Apple isn't selling our data. They may get a little grabby but it generally stays within the family.

 

[VulchR]

Sad what big tech is always trying to get away with. They are perpetually pushing the boundaries. It's like their Chief Ethics Officers are all on vacation or something.

Thais is what happens when engineers and CEO's, both with huge financial conflicts of interests, are left to police themselves with regard to new technology.

 

[ghanwani]

But as far as I know, Apple isn't selling our data. They may get a little grabby but it generally stays within the family.

For how long? There was a time when they didn't do ads, but now they do. Eventually, there's only so many areas for growth, especially when they have been unsuccessful launching any new significant hardware product.

 

[Crowbot]

For how long? There was a time when they didn't do ads, but now they do. Eventually, there's only so many areas for growth, especially when they have been unsuccessful launching any new significant hardware product.

Apple making the jump to selling data would be a very big deal.