Microsoft Recall still storing credit card, social security numbers(tomshardware.com) |
Microsoft Recall still storing credit card, social security numbers(tomshardware.com) |
"Microsoft continues to have a terrible abusive relationship with its customers. It's what Microsoft wants, not what the customer wants."
Yup, that pretty much sums up why I left for Linux.
I got Ubuntu, Lubuntu, Manjaro, Endeavour, Mx Linux, Fedora, Red Hat, Debian, Gentoo galore. Desktop Linux has come a long way, and if you like true unix here let me tell you some more. I got GhostBSD (https://www.ghostbsd.org/) rocking MATE IDE, if you want lightweight Linux desktop I got LXDE, LXFC, Gnome, KDE, and a whole lot more.
If you want true freedom, ditch the spyware and head on over to desktop Linux where we'll welcome you with open arms.
The excuse of 'But this... and that...' let me stop you right there.
You don't need to configure anything. Download Kubuntu and have fun with customizing everything in the settings.
When it comes to Windows and Microsoft products the answer is 'No.'
Keep it that way. Freedom matters.
Or are you just trying them all out to let us know? Because you've named a few that are all the same family.
People who are unfamiliar with Linux will look at this list and just ignore it as too complicated. When in reality it's much simpler.
The same pretty much goes for any of its many derivatives. Redhat is no longer open. Arch and alpine based have hardware issues.
The choices you once had with Linux are far less today than they have been in the past. You almost need to know how to build a distro from scratch to get comparable features and privacy to yesteryear.
My Google Pixel continuously asks me if I want to enable photo backup.
Uber Eats continuously asks me to enable notifications.
I tell the software no, again and again, day after day, and it keeps prompting me.
Most software I use is like this, it seems to be inescapable.
Google Photos does this on non-Pixel android phones too. Many times when I open the gallery app I'm confronted with a dialog where the backup checkbox is enabled and there's a continue button. It's like Google is trying to trick me into enabling it. This is an incredibly user hostile design. One day I will do it by mistake.
I mentioned this to a friend once and he said his kid got ahold of his phone for a few minutes and did enable it, causing a massive upload that put his Google account over quota. Of course it's a huge hassle to go through and unsync the photos without deleting them from the device.
FOSS software does not have these misfeatures.
Telemetry by default is unacceptable as well, but not to that degree.
Then Wine and especially Steam and Proton started to get to work, and Windows started to turn anti-consumer to a degree. At that point, I was kinda on the fence. Actively switching seemed somewhat scary, but if I had to setup something new, it was kinda... meh either way.
Then my Windows-OS SSD died. So I had to reinstall my OS anyway. Then I made the choice to install Fedora and switch back to Windows when it grows annoying. That was... two or three or more years ago? And the thing is, games work. Apps work. Funny enough, old games work better with DosBox and Wine than on windows. I have like two old games I can't get to run, but that's mostly because I don't have the energy to figure out QEMU with Direct3D support, which VirtualBox dropped some time ago for security reasons.
And now I'm looking at stuff like this.
I managed Linux and BSD on servers all over the place. I worked pretty much exclusively using a Linux VM ... under Windows. Keeps most of the gremlins at bay. Hardware stuff's all handled by Windows, so it generally just works. Trying to play a game? Just run it in Windows and don't worry about it.
Every year or so I'd grab a live image and boot it and see what happened. But always ended up at "okay, too much hassle still".
Then a few things happened:
1. Valve invested heavily in Proton. They released the Steam Deck so suddenly developers _wanted_ their games to work in Proton.
2. One day I booted up a linux live image and stuff like my webcam just worked out of the box.
3. Microsoft released Windows 11.
Upgraded my computer at one point and I just went ahead and threw Debian on it and haven't really run Windows since. (Though I still have it installed. I still haven't found a good alternative to Adobe Lightroom.)
I too am really glad I got off of that ride when I did.
They got lucky once, as WinRT ERA didn't took off as Microsoft expected.
Next time maybe not.
And a world were you provision apps only through the Windows Store is pure hell. Perhaps it was a strategic decision to not support "legacy" apps. If so, Windows RT was killed by just that.
That undesirable outcome doesn't surprise me at all. Even if someone coded up logic to look for surrounding clues that X is a secret, that other data ("X is a password") might only become available seconds or weeks later.
For the foreseeable future, these idiot-savant systems (especially with append-only autocomplete at their core) will continue to be smart enough to get into trouble but not smart enough to get out of it.
So I guess my question is: is a company as big as Microsoft that approaches this problem space doomed to fail from the start, because of the perception issues? Would this be any different if say Apple had developed a Recall alternative and they also found it impossible to censor credit card information in an arbitrary Notes window someone whipped up as an edge case, like in the article? Or could a stricter (outward) stance on privacy make it palatable again?
Suppose if everything were assured to be kept under enough layers of encryption and the data wasn't synced online at all, would storing a credit card number surreptitiously captured on my computer be seen as much better if it's Microsoft/Apple I have to trust to engineer their AI recall feature in a secure manner?
With Recall, it seems false positives for PII-type protection rules would be more acceptable than false negatives. But with the negative press already around the technology. I'm not sure it will ever gain acceptance.
And while we're at it, length of credit card numbers is not fixed, can go from 12 to 19 numbers (both Luhn and non-Luhn).
I always thought it's basically an industry standard and no network issues cards that don't have a correct checksum.
I wonder if people with such cards have inexplicable problems with certain payment systems?
Edit: just saw the sibling comment, was viewing an old copy of the page
Because PII detection is a probabilistic exercise. You will miss things.
Add to that the fact that missing a credit card number is way higher stakes than missing something like a zip code, you can understand why something like this is just not acceptable in a product like this, with the resources Microsoft has at their disposal.
Granted, we're a somewhat technical bunch here, so I have to ask: do regular people not know that Microsoft is so bad at security and self awareness that they literally can't do something like protect users from their own products? Do people still think, "Oh, well - 80% of the world can't be wrong"?
I bet they're going to make it exceedingly difficult to disable or uninstall, like Edge, once it becomes a mandatory part of Windows, aren't they?
Yes and “if they’re so big they must be doing something right”
And “if they did something wrong the govt would come down on them”
And “they already have all my data anyway so who cares?”
I’ve heard all of those and more.
Some people don't know, some are paid to not know. /s
The law makes it so.
Replace "problem" with "legal liability" and you're probably right. It's still very much your problem, though.
Please correct me if I'm wrong, but IIRC Recall is opt-in and keeps data on-device, and doesn't share it with any other systems or parties. And if one's device is compromised, they're screwed either way (keyloggers, password managers' data, etc), so while Recall data can be an interesting target, it's not like it's some game changer. I could be wrong, but I believe first iteration was user-accessible SQLite3 database (which was an issue), but Microsoft had tightened the permissions and isolated those files, so AFAIK it now requires additional authentication to access. I don't currently use Windows, so I can't really check, but that's what I've read.
If something is opt-in, local-only and partitioned away (inaccessible to regular-user processes to avoid easier abuse by malware and exploits) that sounds like a decent privacy-respecting option to me. There are plenty of crappy anti-user moves Microsoft had pulled with Windows, but Recall doesn't seem like one to me.
Unless, of course, they're forcing this on people (like how they aggressively do with Edge and OneDrive), or pull this data somewhere despite saying they don't do it, etc etc.
But generally for PII, passwords etc there is no way to know when something is or isn’t secret or sensitive so either you should accept that the recordings are protected enough or just not record.
Did this controversy arise from Microsoft first assuming that the ”recordings are safely stored” would be enough but then public reception was negative and now they are trying to ”fix” it?
What's up with companies giving these kinds of non-answers? It rubs me the wrong way every single time. This is definitely not an answer to the author specifically telling MS that their defense measures aren't working.
Regularly capturing screenshots of their entire desktop, that 90% of users likely do not comprehend, and obviously associate with malware behavior. Screenshots. They're not even capturing the forms, or the specific input data. Taking entire desktop pictures of typing on Notepad.
Using a software that's difficult to tell whether it's installed. And then it keeps the credentials, makes it difficult to tell whether they've been stored, what info has been stored, whether they've been deleted correctly, and makes it difficult for the actual computer user to even access the stored images.
The screenshots appear to be files in a subfolder called AsymStore.
I couldn’t open those either and I tried to open them as PNGs, BMPs or JPGs.
Perhaps hackers will figure out how to open these files, but as far as I could tell, a typical user can’t open them outside of the Recall app.
This reads like a virus pattern.Several notable examples of malware, creepware, Remote Access Trojans (RAT) that do almost this exact activity: Agent Tesla [1], Dark Comet [2], Bifrost [3], and just the general category of Remote Access Trojans [4]. Corporate malware.
[1] https://en.wikipedia.org/wiki/Agent_Tesla
[2] https://en.wikipedia.org/wiki/DarkComet
[3] https://en.wikipedia.org/wiki/Bifrost_(Trojan_horse)
[4] https://en.wikipedia.org/wiki/Remote_desktop_software#RAT
Why do I have a feeling its the later given all of the other issues around this entire thing.
With a DLP policy, you can identify, monitor, and automatically protect sensitive items across:
Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive accounts
Office applications such as Word, Excel, and PowerPoint
Windows 10, Windows 11, and macOS (three latest released versions) endpoints
non-Microsoft cloud apps
on-premises file shares and on-premises SharePoint
Fabric and Power BI workspaces
Microsoft 365 Copilot (preview)
DLP detects sensitive items by using deep content analysis, not by just a simple text scan. Content is analyzed:
For primary data matches to keywords
By the evaluation of regular expressions
By internal function validation
By secondary data matches that are in proximity to the primary data match
DLP also uses machine learning algorithms and other methods to detect content that matches your DLP policies
https://learn.microsoft.com/en-us/purview/dlp-learn-about-dl...The whole point of Recall seems to be to allow you to…recall previous work you were doing.
It reminds me a lot of whole-device backups. If you have some secrets in plain view then the backup itself is going to need to be secured.
From the Microsoft website:
> To use Recall you need to opt in to saving snapshots, which are screenshots of your activity. Snapshots and the contextual information derived from them are saved and encrypted to your local hard drive. Recall does not share snapshots or associated data with Microsoft or third parties, nor is it shared between different Windows users on the same device. Windows will ask for your permission before saving snapshots. You are always in control, and you can delete snapshots, pause or turn them off at any time. Any future options for the user to share data will require fully informed explicit action by the user.
Snapshots present a new way of circumventing data protection implemented by other apps and websites (if it was visible on your screen, that data is now copied somewhere else).
Yes you can delete snapshots AFTER you've determined something sensitive has been inappropriately captured, but you are not warned or prompted to do so and at that point why even use the feature.
How anyone can have trust that rewind won't be misused is baffling to me, I wouldn't trust a Janitor at M$ to not sell their own family out for a 1% YoY profit increase, yet alone the engineers working there and their psychotic C-suite.
===
But these are incredibly solvable problems! If a series of digits on screen passes the Luhn algorithm (https://en.wikipedia.org/wiki/Luhn_algorithm), or matches AAA-BB-CCCC, prevent that screen/area from being captured! And Microsoft literally owns the code for https://docs.github.com/en/code-security/secret-scanning/int... for determining other high-entropy secrets.
We're not nearly at the level of https://xkcd.com/1425/ - and even that canonical example has been entirely solved by now.
The problem isn't that these things are fundamentally impossible. And the problem isn't even that Microsoft decided speed to market was more important than safeguarding their users' data - I get speed to market!
The problem, allegedly, is that Microsoft said these things were fixed without actually fixing them [EDIT: see above], and didn't think that their users' data was important enough to assign a red team or even an empowered SDET to do even the simple tests this journalist did before making that announcement.
Building it into the OS, potentially default on, is the same sort of technology. It's not the same sort of consent.
Recall, by virtue of being a core OS feature - and the one enabled by default at that - got a lot more coverage.
Windows 11 is practically a cloud OS when paired with office365 and OneDrive, users may be forgiven for expecting their history will be exfiltrated from their machine, employers will have access to their screen recordings etc.
If you end up with a large history of causing problems for banks they will drop you as a customer and it becomes your problem.
It is opt-in, which makes it equivalent of user explicitly setting up a camera to record their work, for a well-intended ability to review those recordings if they need to recall something.
If we'll start saying that end-users are somehow incapable of comprehending what screen recording means, then we're basically giving up our agency and arguing we need a nanny. I sincerely hope we don't. Like, literally, it's a screen recording, anyone with a working brain (no matter whenever they're technically literate or not) should be able to tell what consequences - positive and negative it would have.
I found a screenshot - the opt-in prompt literally says "Allow Windows to save snapshots of your screen?" If that's not clear or comprehensible, I don't know what is. People who are caught by this must simply ignore and not read what it says on the screen.
"You're using Microsoft Edge, would you like to record your (specific) usage of passwords, personal data, and form entries?" (that can be found encrypted (here) if you're interested)
Not some large scale screenshot operation. The issue is with taking "snapshots of your screen" with no real knowledge of what is even going to be worked on or recorded afterward. How horrible are the identity theft issues? (BS non-threats requiring logins: social blab / news website account with no money attached, Normal dangerous stuff: credit card use (cancel/contest), Somewhat rare: bank accounts (long bank fight), Rare and dangerous: scanned federal IDs (endless nightmares with the feds)) It even makes the task a greater difficulty because there's so little specificity about what's being recorded or what form the recorded information is going to take. And the results are notably spotty like the article mentions.Also, 95% users. [1] "Across 33 rich countries, only 5% of the population has high computer-related abilities, and only a third of people can complete medium-complexity tasks" Even if we put this in the "only Poor and Terrible skill users would fail" that's still ~50% of the population.
How many click through stuff with "Yet another BS alert to get rid of. Go away, I want to actually use my computer." The WWW has long ago deadened most to annoying spam popup authorizations.
[1] The Distribution of Users’ Computer Skills: Worse Than You Think: https://www.nngroup.com/articles/computer-skill-levels/
Dig into tracker-miner-fs, d-bus activation re-parenting, as well as the snap callbacks that can trigger arbitrary local code execution. Usually found in a directory under /usr/libexec in addition to its regular install location, not touching on the spiderweb of cross-connections.
If you try to remove or pull out parts of those distro integrations in Ubuntu, you will find that it keeps launching, despite making a clear choice for not wanting those features. There is a spiderweb of cross connections where if you shut down various parts, it fixes and regenerates its capabilities... like malware.
They clearly aren't giving people the choice to do what they want on their own hardware.
tracker-miner-fs collects metadata, and Recall is just an accessible interface to metadata that is already collected. The underlying metadata is for the most part similar.
You will find this also in the package repository where they have named packages, that those packages have been corrupted in a way that makes the corrupt packages indistinct from their legitimate counterparts (to the package manager), the manager launches fixup scripts without notification, and which are embedded to force and regenerate your use of snap.
Debian is certainly not immune since tracker-miner-fs is embedded in Gnome.
As for hardware, that is also incorrect. There are very few manufacturers that meet full compatibility requirements, they may allow you to boot into a shell (only as a result of the linux kernel devs), but compatibility for standard desktop or server use is not guaranteed.
The manufacturers that dominate the market are those who use proprietary firmware blobs through an embedded intermediate firmware based controller. The ideapad lines of Lenovo, and their many off-name rebrandings attest to the hardware compatibility issues even after significant re-engineering effort done to make it compatible still leaves features lacking.
When your thermal subsystem cannot expose temperature, power management, or has severe hysteresis gaps, lack of proper enumeration and lack of control of fans/advanced features, its hard to believe it doesn't cause trouble.
That's like saying a flaming pile of brick in your lap doesn't cause trouble. Research fails in the absence of source of truth information.
Manufacturers regularly omit, misadvertise/misinform, or don't provide documentation at all (i.e. WD with SMR), or correct technical specs to evaluate it prior to a buy, test, return strategy (which isn't research) and a risky approach.
I think you should take more than a cursory look around at the current market. Its pretty bad, expensive (for the circuitry involved) and with few choices.
This customer, at least, is firmly entrenched into "if I wanted you to remember it I'd tell you so", which actually describes many everyday activities like saving a document with a filename, clicking "save" in my password-manager, making a browser bookmark, etc.
In contrast, any assistant that is "constantly looking over my shoulder" (human or AI) to implicitly remember things needs to be trustworthy to (a) have my best-interests at heart, and (b) to understand what it's seeing and what my intent is. I don't think the current bleeding-edge is ready to provide both of those.
P.S.: An interesting exception might be automatically-kept data like bash history or browser-history, however I feel those are very different from "anything I type anywhere", since each is a narrow and regimented kind of data/purpose. Both also have "forgetting" rules as a required feature.
> but you are not warned or prompted
And perhaps not even capable of noticing the problem, such as where a semi-transparent border-decor of a window overlaps the secret password text just enough that you can't see it but an aggressive OCR proess can pick it out.
More generally, I fear a world where someone uses a botnet to make a funny picture go viral, and the picture contains subtle pixels to make each victim's Artificial Stupidity Assistant exfiltrate all their passwords back to the attacker.
For example, do you know what terms like "3-2-1 backup" and "swap file" mean?
If you answered yes to either, I don't think you are the primary customer. You are the type of person who will turn this off and move on with their day.
I think this argument you are making is essentially the same that a person would make for preferring a manual transmission car instead of automatic. But we all know that 90% of people just want the car to go when the right pedal is pressed down, they don't really care about their ability to tell the car exactly what to do.
Personally I think the average person would be very excited to have a feature that can recall things they were working on or looking at that they forgot to save. I don't know how many times I've had to tell the non-tech inclined "sorry you didn't save it, it's gone."
As far as capturing sensitive information, I'm not really sure it's all that much worse than anything else the non-technical people do. I think at all these attack vectors are no worse than someone convincing you to install conventional malware. Both require you to elevate permissions and dismiss strong warnings.
It's easy to make this argument when you believe you have the truth on your side but what happens when you're on the other side of someone else's obvious truth— secure boot can't be disabled, you can only install apps from the app store, programmatic ad blocking is too dangerous, replacement parts have to be genuine, you're forbidden from performing maintenance on your electric car, we can't let you have unrestricted AI access, we couldn't possibly let you see the source code of your cellular chip, we scan all your private photo uploads for csam, all for your safety of course.
> secure boot can't be disabled - arguing for the ability of fine scale control on "secure boot"
> only install apps from the app store - arguing for "install apps with known behaviors" and "specifically identified hardware access"
> programmatic ad blocking is too dangerous - arguing for fine scale filters that the user has awareness of and the ability to choose specific types of content to remove
> replacement parts have to be genuine - arguing for "parts with tested and verified behaviors" documented by a reliable testing agency with layers of verifiable history and previous known functional parts supported by users with well documented case study examples
> forbidden from performing maintenance on your electric car - arguing for "you as the user can do literally anything you want to your own car (within the known legal limits of your state or nationality)" rather than having the auto company install a bunch of secondary BS you have no idea what its actually doing
> we can't let you have unrestricted AI access - arguing "each user can download whatever variation of each 'AI' each user desires tailored toward their own specific use cases"
> let you see the source code of your cellular chip - arguing for the "right to maintain, disassemble, and repair your own hardware" if you've bought the hardware
> we scan all your private photo uploads for csam - arguing for "no one anywhere is allowed to have external access to your hardware without an extremely well documented rationale."They're all real life examples of some person or group arguing for denying users control of or access to their own systems under the pretense that denials are for the user's safety or best interest. And that interest is so self-evident that the decision should be made for them because we know better than they do.
You're making the exact same case for the scare screens Android uses.
I just love linux.
That world is still coming, see ongoing changes to Windows sandboxing model, now in Win32.
And that is the thing, Valve depending on Windows APIs translation, will only work until Microsoft feels like it.
Instead they could actually foster a GNU/Linux ecosystem, but not even studios targeting POSIX OSes care to port their stuff into GNU/Linux.
Google itself has one such alternative gallery app called Gallery:
https://play.google.com/store/apps/details?id=com.google.and...
Only other hurdle to open source nirvana is OsmAnd is not as slick and smooth as Google Maps. I spent a few days acclimating to it and once downloading the gigabytes of address-data-to-GPS-coords I could start enjoying offline navigation, but when it comes to finding local restaurants' and whether they're open its hard to beat the Goog.
The iOS app as well
For now, until Microsoft decides to silently enable it an update like they already do with all of the telemetry and similar features in Windows 10 and 11. Barring a legally binding promise that they will never reenable it without consent they are not trustworthy enough to believe on this
>And if one's device is compromised, they're screwed either way
With Recall the level of screwed we're talking can be significantly higher, because the kinds of information that can be captured are things that wouldn't necessarily be captured by other methods (and Recall will have been capturing data from before the computer was compromised too).
>but Microsoft had tightened the permissions and isolated those files, so AFAIK it now requires additional authentication to access
Which, as you yourself already mentioned, would be trivial to access because you can already put a keylogger or similar on the device to get what you need to access the Recall files.
Sure. And that's quite possible and something to be aware of. But can we agree that in its current state, it's as privacy respecting as it could be?
> the level of screwed we're talking can be significantly higher, because the kinds of information that can be captured are things that wouldn't necessarily be captured by other methods
The only difference it makes is immediately after the machine is compromised. Then - yes - after you get elevated privileges, you immediately have more information for malware to sweep. However, I've read that typical malware quietly lives on machines for a while - for months or even years. It can do its own screen recordings just fine, so it's all the same in the long run.
Let's not forget that Recall is not some malware forced on unaware people, but a legit opt-in feature with a reasonable use case - remembering things when our memory fails us. One can analyze this risk and make an informed decision if benefits overweigh the risks or not.
I have no love for Microsoft or any other big corporations, but I feel like defending this particular feature, because I do have some love for transhumanist ideals, where machines enhance and improve our capabilities - and it's one of those things I would like to have for myself. As long as Microsoft doesn't move away from opt-in and clear language, I'm on their side because they did it right (by my book) this particular time. But - of course you are correct - a caution is warranted (and that's why I don't use Windows, huh).
I read this and I think: are you the only person on Earth to never have used a Microsoft product?
OneDrive ? /s
(trust us, it is secure)
I have used Microsoft products. I have a Windows VM, and an old Windows laptop somewhere. I have no love for Microsoft, and is perfectly aware they can do user-hostile things. Yet, when analyzing something, I'm trying my best to avoid biases and remain neutral and detach from my feelings (or propaganda/ragebait/memes/whatever you call it) when I'm thinking of something. And this particular time, for this particular feature, so far, I believe they did alright.
Did you read Microsoft's privacy policy ? "Your privacy is _very important_ _for us_" ( emphasis mine) /s