Microsoft Recall is a Privacy Disaster
2024-6-7 01:20:11 Author: securityboulevard.com(查看原文) 阅读量:7 收藏

Microsoft CEO Satya Nadella, with superimposed text: “Security”It remembers everything you do on your PC. Security experts are raging at Redmond to stop Recall’s  release.

Recall, Microsoft’s “magical” AI tool that watches what you do and tells you about it later, is attracting huge criticism from all corners. Here’s my roundup of the best reactions so far.

TL;DR: Recall is “a gold mine for hackers and domestic abusers,” and “like punching customers in the face.” Yet “Microsoft brushed aside concerns,” perhaps because “AI is the freshest sucker-bait in town.” Microsoft is “making the worst things for the worst reasons,” because they’re “certain that they know better.” In today’s SB  Blogwatch, we need to know more.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  Black Alert.

Recall Recall?

What’s the craic? Matt Burgess reports: Cybersecurity researchers say the system is simple to abuse

Spyware or stalkerware
When Microsoft CEO Satya Nadella revealed the new Windows AI tool that can answer questions about your web browsing and laptop use, he said one of the “magical” things about it was that the data doesn’t leave your laptop. [But] security researchers have demonstrated how preview versions of the tool store the screenshots in an unencrypted database. The researchers say the data could easily be hoovered up by an attacker.

Since Microsoft revealed Recall in mid-May, security researchers have repeatedly compared it to spyware or stalkerware that can track everything you do on your device. [It] is intended to allow people to “retrieve” things you’ve done on your machine—whether it’s web pages you’ve visited or messages you’ve been sent—using natural language search queries. [It’s] a potential gold mine for criminal hackers or domestic abusers.

When you put it like that, it sounds like a disaster. Kevin Beaumont digs inside the Copilot+ Recall disaster:

No way this implementation doesn’t end in tears
The overwhelmingly negative reaction has probably taken Microsoft leadership by surprise. For almost everybody else, it won’t have. [It] is basically like punching customers in the face.

In the database [is] everything a user has ever seen. … Every bit of text the user has seen, with some minor exceptions. … Every user interaction, e.g., minimizing a window. There is an API for user activity, and third party apps can plug in to enrich data and also view store data. It also stores all websites you visit.

Organisations should absolutely consider the risk of processing customer data like this — Microsoft won’t be held responsible as the data processor, as it is done at the edge on your devices — you are responsible. … Go to your parents house, your grandparents house, etc. and look at their Windows PC, look at the installed software in the past year. … Run some antivirus scans. There’s no way this implementation doesn’t end in tears.

Microsoft isn’t officially commenting on the criticism. But Microsoft Research chief scientist has no issue with Windows Recall, says Thomas Claburn:

Security or privacy implications
Jaime Teevan, chief scientist and technical fellow at Microsoft Research, brushed aside concerns: … “This AI revolution that we’re in right now is really changing the way we understand data. … And there’s an opportunity to start thinking about how [and] what it means to be able to capture and use that. But of course we are rethinking what data means and how we use it, how we value it, how it gets used.”

And that was that — as if continuously recording one’s computing activities in a series of screenshots and activity logs has no security or privacy implications if the data is local and protected by Microsoft Account credentials — and not much of a reassurance. … Meanwhile, security researchers and analysts continue to pile on, calling for Recall – due to be released later this month – to be forgotten.

Is Redmond listening? Steve Gibson rights the spin:

Microsoft is like Godzilla – it does whatever it wants to do – all anyone can do is stay out of its way. But what’s so odd about this moment where we find ourselves, is that they have just made all this noise about how security is now job number one, [with] Satya Nadella saying, “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.”

Except that they’re not. The entire security industry is jumping up and down, waving their arms and saying “don’t do it,” … yet Microsoft is certain that they know better. … I would wager that today, the smarter people within Microsoft are wishing … that instead of screwing around with endless unnecessary features, … they had been taking the security of their existing system seriously.

Last month’s Patch Tuesday saw Microsoft patching 61 newly recognized vulnerabilities: … 44% of those were remote code execution, 11% were information disclosure and 28% were elevation of privilege – none of which suggests that Windows would be a safe place to store the data that will be used to drive an entity that can be queried about nearly any aspect of you and your life. … The entire professional security community understands this, which is the reason it’s going bat**** over Recall.

But it’ll be great in the workplace, right? Wrong, thinks Eric Bailey:

Talking to even one person who works in cybersecurity, political advocacy, domestic abuse prevention, LGBTQIA support, etc. would reveal the full, naked horror this sort of technology enables. To build from that, I’d like to suggest another potential negative consequence: discrimination based on ability.

Think of physical disability, neurodiversity, cognitive considerations, and cultural factors. What happens if you don’t precisely use a computer in the exact way a system deems as the most efficient? Disabled people have a difficult enough time getting employment, and this could be another obstacle in the way towards that.

It is a rushed solution that force fits a technology into people’s daily lives without communicating the full ramifications of its risks. … The worst people are making the worst things in the worst way for the worst reasons.

Ouch. But how did we get here? Charlie Stross has a crack at it:

“AI” [is] the latest hype bubble now that cryptocurrencies are no longer the freshest sucker-bait in town. … Unfortunately, human beings assume that LLMs are sentient, … rather than being unthinking statistical models that cough up the highest probability answer-shaped object generated in response to any prompt—regardless of whether it’s a truthful answer.

Surprise! It turns out that the unencrypted database and the stored images may contain your user credentials. … Got a porn habit? Congratulations, anyone with access to your user account can see what you’ve been seeing. Use a password manager like 1Password? Sorry, your … passwords are probably visible.

This is an utter privacy ****-show. … Recall blows a hole under the waterline of Microsoft’s trustworthiness … and once an institution loses trust it’s really hard to regain it.

I bet you can’t wait. EdwardDiego sounds slightly sarcastic:

Working at a company in the healthcare space, this raises so many HIPAA compliance questions for our customers it’s hilarious. And by “hilarious,” I mean bad.

Screenshots of PHI? Sweet as, just chuck them in an SQLite DB, no worries there.

Meanwhile, cyberdemon actually discovers people who welcome our new generative overlords:

Meanwhile, the Secret Police of the People’s Republic of China, the FSB/GRU, Mossad and the NSA all agree that this is a really good idea.

And Finally:

The Nitpicking Nerd delights in a dizzying fungal supercut

Previously in And Finally


You have been reading SB  Blogwatch by Richi  Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Geraldine le Meur (cc:by; leveled and cropped)

Recent Articles By Author


文章来源: https://securityboulevard.com/2024/06/microsoft-recall-privacy-richixbw/
如有侵权请联系:admin#unsafe.sh