this post was submitted on 07 Jun 2024
454 points (97.5% liked)

When Microsoft CEO Satya Nadella revealed the new Windows AI tool that can answer questions about your web browsing and laptop use, he said one of the “magical” things about it was that the data doesn’t leave your laptop; the Windows Recall system takes screenshots of your activity every five seconds and saves them on the device. But security experts say that data may not stay there for long.

Two weeks ahead of Recall’s launch on new Copilot+ PCs on June 18, security researchers have demonstrated how preview versions of the tool store the screenshots in an unencrypted database. The researchers say the data could easily be hoovered up by an attacker. And now, in a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity strategist and ethical hacker, has released a demo tool that can automatically extract and display everything Recall records on a laptop.

Dubbed TotalRecall—yes, after the 1990 sci-fi film—the tool can pull all the information that Recall saves into its main database on a Windows laptop. “The database is unencrypted. It’s all plain text,” Hagenah says. Since Microsoft revealed Recall in mid-May, security researchers have repeatedly compared it to spyware or stalkerware that can track everything you do on your device. “It’s a Trojan 2.0 really, built in,” Hagenah says, adding that he built TotalRecall—which he’s releasing on GitHub—in order to show what is possible and to encourage Microsoft to make changes before Recall fully launches.

[–] [email protected] 31 points 5 months ago (1 children)

It barely matters if the database is encrypted or not. If the user has access to it, they have the keys to it, and so would anybody else with access.

The real danger is that intruders will have access to your entire history from before they had access to your machine, and it's all in one place.

[–] [email protected] 8 points 5 months ago (1 children)

With easily searchable text, search for "bank" and get all accounts login. Yay, no need to wait for the hacked user to get on his banking site, he's been there before. Quick in and out without being noticed and you got all you need to empty his account. Thanks Microsoft, I knew you were so helpful to hackers while making my life shittier all the while.

[–] [email protected] 5 points 5 months ago (1 children)

Every banking site I've been on jumps through all sorts of hoops to make sure the browser doesn't save the password, usually with some 2FA thrown into the mix.

But I'd imagine that a lot of older people have a helpful passwords.txt file sat smack bang in the middle of their desktop, or just use the same one for everything. I mean, we're in an age where you need a username and password to update your graphics drivers for some godforsaken reason. It's not going to be hard to find that The One True Password with access to this.

[–] [email protected] 2 points 5 months ago

I've encountered IT departments with an unencrypted passwords.xlsx file that they store on the network. Not always super small companies too.

[–] [email protected] 1 points 5 months ago (1 children)
[–] [email protected] 12 points 5 months ago* (last edited 5 months ago)

Done https://cyberplace.social/@GossiTheDog/112555262732490331

And since it lives in user space without needing nt/system, it should be as stealable over remote as any other file

[–] [email protected] 27 points 5 months ago* (last edited 5 months ago) (1 children)

The best part of this 'hacking tool' is that it's 5 lines of Python and the rest is just fluff lol

[–] [email protected] 6 points 5 months ago

It's just looking in a sqlite file and listing the jpeg directory. The only extra step is running icacls to let the user read the files.

[–] [email protected] 35 points 5 months ago (2 children)

Hacker tool. What a weird name for a software that shows you readily accessible data to the user.

[–] [email protected] 1 points 5 months ago

That was my thought when I read the title too.

I'm hoping MS pushes this "feature"; between this and the vulnerability Tenable published a few days ago, maybe some people will actually consider moving away from MS.

[–] [email protected] 7 points 5 months ago (2 children)

Who is this 4chan guy anyway?

[–] [email protected] 3 points 5 months ago

Like you don't know it's the hacker in the white mask who created bitcoin.

[–] [email protected] 17 points 5 months ago (1 children)

don't worry they'll cancel the whole project the instant some idiot crooked corporate executive asshole gets his incriminating data stolen and used for blackmail

[–] [email protected] 22 points 5 months ago

I saw someone on mastodon say something like, "don't tell your IT department not to use recall to protect employee or customer data. Tell your legal department that all your recall data can be subpoenaed for discovery."

[–] [email protected] 13 points 5 months ago (4 children)

Why on earth aren't they encrypting the database? It could have addressed much of the criticism but they just decided to leave the whole thing completely unprotected.

[–] [email protected] 5 points 5 months ago

It requires full disk encryption doesn't it? If someone already has access to your account then they can access this data the same way you can. The new issue here is that this silos a load of private data in one easy to grab location. Users would have to set up the filters perfectly to prevent recall capturing anything more sensitive than what's already accessible to their account. This is in a world where many users are probably storing their passwords in a Word document on the desktop.

[–] [email protected] 3 points 5 months ago

It could be that anything you encrypt has to have its encryption key in some place inaccessible to these same hacker tools. If your computer uses Bitlocker, for instance, you need to enter a 6-digit code each time you turn it on.

Best guess, they had such a high expectation of "convenience" for this feature that they couldn't justify any kind of security key. Which is still a dumb explanation, obviously.

[–] [email protected] 9 points 5 months ago (2 children)

They encrypt the damn start menu and they cannot encrypt this?

[–] [email protected] 3 points 5 months ago
[–] [email protected] 3 points 5 months ago (1 children)
[–] [email protected] 2 points 5 months ago (1 children)

Yep. Trying to maintain a consistent start menu for computer labs with Windows 11 is annoying.

The layout is stored in an encrypted file that cannot be edited directly. You have to manually set up the start menu on one profile then copy the file to all the others. This works fine for initial deployments, but is a massive pain if you need to add any other apps later.

The old PowerShell cmdlet for importing layouts does not work in Win11. The old group policy settings don't work either. The actual DLL calls used by the end user to manually configure the start menu are deliberately coded to prevent being called from a script.

It is freaky how much work Microsoft has done to prevent scripting changes to the start menu.

The only officially supported method for an IT department to manage the start menu is Intune, but Microsoft's device licensing for Intune is a mess our folks have yet to figure out.

[–] [email protected] 1 points 5 months ago

Ah, so user can't interfere with ads, hm?

[–] [email protected] 6 points 5 months ago (2 children)

Likely because there was too much CPU overhead decrypting and having the LLM query the Recall image database all dynamically

[–] [email protected] 2 points 5 months ago

In the grand scheme of things, the LLM is the bottleneck, not the decryption.

[–] [email protected] 1 points 5 months ago

I dunno, they could've kept some of it in-memory, it's just a bunch of plaintext.

[–] [email protected] 4 points 5 months ago (1 children)

So the next step is: M$ encrypts their local database.

Later they want to upload it to their servers to further exploit your data. But then it is encrypted (and of course only M$ has the key), therefore the upload will be very hard to detect.

Hmpf.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago)

So... how does the user actually ®ecall™ anything? Do they have to ask M$ Co-pilot™ AI to get it from The Azu®e™ Cloud? Because I'm pretty sure a hacker could do that just as easily.

[–] [email protected] -2 points 5 months ago (2 children)

What exactly can recall see? Is it just what’s on screen?

Because, if I’m like most people when I type my password, I keep my passwords hashed on the screen as I type it.

[–] [email protected] 7 points 5 months ago (2 children)

Do you do any online banking? Do you ever log into any sort of health provider website? These are just two examples of a nearly infinite list of highly private information you would not want other people seeing.

[–] [email protected] -1 points 5 months ago

Good points. I can see a few workarounds for this.

Stop using such services on a computer and go back to the old way of banking, going there physically.

Most normal people won't use Linux, where could they go? Besides Windows? ChromeOS? Probably not, Google may copy and paste the concept of Recall there. macOS is too expensive, and Linux is complex to install. Where do normies go?

[–] [email protected] 4 points 5 months ago

Has your company been involved in some legally dubious activities and you typed up an email concerned about your legally dubious activities before you realize sending an email could be creating a paper trail so you delete the email to talk to someone in person?

[–] [email protected] 9 points 5 months ago

i don't need your password if i can read your email from the screenshot it took of it

[–] [email protected] 7 points 5 months ago (1 children)

Skype used to store all history unencrypted for years after MS bought it, this seems to be a tradition of not caring enough

[–] [email protected] 4 points 5 months ago

not caring ~~enough~~

[–] [email protected] 43 points 5 months ago

Now where did I leave my PowerGlove…
