this post was submitted on 01 Jun 2024
1017 points (97.9% liked)

Technology

60033 readers
2990 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

Q. Is this really as harmful as you think?

A. Go to your parents house, your grandparents house etc and look at their Windows PC, look at the installed software in the past year, and try to use the device. Run some antivirus scans. There’s no way this implementation doesn’t end in tears — there’s a reason there’s a trillion dollar security industry, and that most problems revolve around malware and endpoints.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 153 points 6 months ago (2 children)

They OCR the entire screen and store it in plaintext?! There is no way... I know it's Microsoft we're talking about, but are they really this stupid?

[–] [email protected] 102 points 6 months ago* (last edited 6 months ago) (6 children)

It's encrypted; the author is pointing out that it has to be decrypted to be used, and then the data can be obtained.

Security and privacy concerns aside, I saw someone commenting on the use case, asking who would ever want something like this.

One problem I hadn't appreciated for a long time was that some people apparently have real problems with dealing with the Windows UI in terms of file access. They don't know where their data is being saved. This, in my opinion, is in significant part a Microsoft UI problem induced by various virtual interfaces being slapped on top of the filesystem ("Desktop", "My Documents", application save directories, etc) to try to patch over the issue that the filesystem layout was kinda organically-designed in a kind of cryptic way back in the day.

But if you can remember a snippet of text in what you were working on, you can find that thing again even if you have no idea where you stored it. Like, it's content-keyed file access.

That's not very useful to a techie. They know how to navigate their system's filesystem, and even if they lose track of a particular thing, they know how to use the system's filesystem search tools to search for filenames or content. They can search for recently-modified files. They know how to generally get ahold of stuff.

But for the people who can't do that, reducing their interface to a single search box might make file access more approachable.

Now, let me reiterate that I think that a whole lot of this is Microsoft repeatedly patching over UI problems they created in the past rather than fixing them. And they've done this before over the decades with stuff other than document access. It's hard to navigate the filesystem to find an installed program a la the MS-DOS era, so they stick stuff in a Start Menu to make it more accessible. That gets too crowded, installers start slapping shortcuts on the desktop. That gets too crowded, installers start adding system tray icons. That gets too crowded, the Start Menu becomes searchable. Each interface just becomes progressively less-usable and the solution each time is to stick a new interface in on top of the old one, which in turn contributes to the complexity of the system as a whole.

But that doesn't mean that they aren't trying to address a real problem.

I think that they'd do better with something like having a rapidly-accessible log of recently-accessed files (like, maybe have the filesystem maintain a time-based doubly-linked list of those) and be able to rapidly search the content of documents based on mod time so that recent stuff gets hit quickly, then trying to make their existing search tools more accessible. That doesn't replicate data across the system and produce some of the problems here. It also permits for fully-searching content, rather than just the stuff that was on a screen when the Recall system grabbed a screenshot and OCRed it. Maybe they've done something like that in recent years; I'm many years out-of-date on Windows.

I'd also add that I think that personal computer systems in general would benefit from giving users better control over where their data is replicated to. It's kind of confusing...you've got swap (well, encrypted swap probably helps somewhat with this). Browser history. Any clipboard manager's retention. Credentials stores. Application-saved copies of in-progress files. Various caches. If you use some kind of cloud-based storage, you're pushing data out to other computers. Backups. Just a lot of state that can be replicated all over the place and is hard to go back and track down and remove. That's even before stuff like issues with doing secure deletion on existing filesystems (which we had a conversation about the other day, everything from log-structured filesystems to wear-leveling on SSDs inducing data replication). If you want something definitely gone, be able to manage your data's lifetime, something that I think that a lot of people -- even non-techies -- would like, you really have to have a lot of technical knowledge of the system's internals as things stand today. This Recall thing is egregious, replicates data all over, but it's far from the first feature that makes it harder for people to understand and control the lifetime of data on their computer.

I don't think that the software world has done a great job of letting people control that data lifetime. And I think that it's something that a user should reasonably be able to expect out of their computer.

[–] [email protected] 46 points 6 months ago (18 children)

There was an article going around a while ago that was arguing most users these days, including the youth we often stereotype as "digital natives" who "get computers", don't understand file systems. They might not even know they exist as a concept.

Which makes sense if you've only ever really used modern UIs. You don't have to know anything about files and folders. I bet a lot of people don't even know they exist in any meaningful way.

Most users are shockingly ignorant, and a lot of them are not really paying enough attention or interested enough to learn much.

load more comments (18 replies)
[–] [email protected] 24 points 6 months ago* (last edited 6 months ago) (1 children)

Yeah this is why Apple has been slowly peeling away traditional file / folder features from front and center. The user doesn’t care where or how they get their files, they just want them at any given time. Spotlight being the most successful at obfuscating where anything is yet allowing access to everything. Microsoft has started to pick up on that and attempt to solve the same problems.

[–] [email protected] 26 points 6 months ago (3 children)

The bizarre thing is, they have solved it. PowerToys Run is the Spotlight omnibar of everything and they bizarrely haven’t chosen to bake it into Windows proper. I can’t use Windows without it now. Search files and folders everywhere faster than the start menu search, search running processes, execute commands, do maths, calculate hashes, open web pages. It’s fantastic.

load more comments (3 replies)
[–] [email protected] 19 points 6 months ago* (last edited 6 months ago) (1 children)

Do you really need screen snapshot to do fine grained search though? It sounds like you’re describing Spotlight in some way https://en.m.wikipedia.org/wiki/Spotlight_(Apple)

load more comments (1 replies)
load more comments (3 replies)
load more comments (1 replies)
[–] [email protected] 132 points 6 months ago* (last edited 6 months ago) (3 children)

Are Microsoft a big, evil company?

A. No, that’s insanely reductive. They’re super smart people, and sometimes super smart people make mistakes. What matters is what they do with knowledge of mistakes.

I have no doubt there are smart employees, but they don't call the shots. Case in point.

The dude set up a strawman argument, then didn't even bother to burn it down properly.

[–] [email protected] 42 points 6 months ago (12 children)

Being super smart and super evil are NOT mutually exclusive. Intelligence =|= morality.

load more comments (12 replies)
load more comments (2 replies)
[–] [email protected] 109 points 6 months ago* (last edited 6 months ago) (5 children)

Unpopular Opinion: This is why Microsoft were such assholes about making sure Windows 11 required a modern TPM and this is also why they are forcefully rolling out Bitlocker encryption turned on by default on all Windows 11 PCs.

Is Recall still a fucking stupid idea? Yes, resoundingly so. But they've half-ass considered the risks, it seems. The forceful rollout of Bitlocker is dumb and short-sighted in its own right, and it wouldn't make a person completely secure from outside attacks rooted in a Recall exposure.

[–] [email protected] 69 points 6 months ago (4 children)

Hardware controls are meaningless if an attacker gets you to click on a dodgy link in a phishing email or you fall for a social engineering scam when "Microsoft" calls you because your computer has a virus.

load more comments (4 replies)
[–] [email protected] 60 points 6 months ago

Umm, no. Just...yeah, no.

The main problem with this theory is that Microsoft is absolutely abysmal at user end security, and they always have been. Frankly, they do not understand the issue.

But, more to the point, the whole TPM/secure boot stuff is a compromise; originally (I think this was about the time of Vista), they partnered with OEMs to have them include a DRM chip that made it literally impossible to install any non-windows OS on your laptop. They've managed to still get an implementation of TPM that makes switching your OS too confusing/difficult for the average user.

Anyway, bottom line is they only care about money, and they neither care or even understand the security needs of the end user.

[–] [email protected] 20 points 6 months ago (1 children)

Because Windows not only encrypts the system disk (C:) but also all connected hard drives

And they're gonna just enable it without asking if i want all my hard drives encrypted first?

load more comments (1 replies)
[–] [email protected] 20 points 6 months ago* (last edited 6 months ago)

Nah dude. TPMs have always been about implementing DRMs. These companies hate that they can't control our PCs, they want to be sure we can only run their approved apps. Like it works in iOS and (to a lesser degree for now) in Android. And even there they are pushing hard for even more restrictive DRM.

For example, some years ago I worked with a SaaS that implemented and sold some security products. One of our customers was a big retailer (for specialized products, not going into more details to avoid doxxing) that was having a problem with scalpers buying all their inventory as soon as they released it. So they were trying to put a show for regulators about stopping scalpers because their customers were complaining. We suggested that the only real solution was to have some real life verification of purchases. But in the end they went with the awful attestation APIs offered by Apple and Google to "fix" this. And in case you are not familiar, these APIs are just TPM based DRMs. So now, if you have a rooted/jailbroken phone you can't even buy with this retailer anymore.

Note that this company wasn't trying to fuck customers directly, they were just lazy and incentivised to not really fix the problem (a sale is a sale, even if to a scalper). But even then the end result is that their customers got their digital freedom rights restricted. It's just a terrible technology IMO, the incentives from companies are all terrible. And that's before we start considering the real intentions of awful companies like Microsoft, Apple and Google. IMO they are actually pushing for techno feudalism, but that's my conspiracy theory hahaha.

So no, I doubt they were thinking about security with this recall bullshit. As other people have explained in their comments it doesn't really protect much in practice. Plus this whole AI push has just been a stupid scramble from these companies to grab a big piece of the stupid AI pie from other companies hahaha, there is no long term plan here, don't lie to yourself and us.

load more comments (1 replies)
[–] [email protected] 80 points 6 months ago (2 children)

I get the security issues, sure, those are valid, but the privacy ones are even worse. Imagine a teenager trying to search information on being gay, or possible intrusive thoughts on their family computer, only for their super maga right wing parent to find it in the screenshots.

Or someone being abused at home and searching for support facilities, deleting history and being outed by recall.

Wait, how about credit card fraud as a result of EVERYONE who has access to this computer can read your cc data?

Or, my husband was looking at jewelry online yesterday and he hasn't told me, he must be cheating, right? Oh sorry, I forgot, our anniversary is next week... Hahahaha, don't be upset babe.

Best one ever though, imagine your search history, your porn watch history accessible to anyone with access to your computer? The fucking horrific existence of having an employer process this data at scale using fancy staff monitoring program 7, and run stats on the fact that you had a toilet break while working from home, and they want to know if it was a number 1, or a number 2 so they can work a mean time to shit metric into your KPA/scorecard.

Guys, whatever benefit you think this is. It's not worth it.

load more comments (2 replies)
[–] [email protected] 58 points 6 months ago (9 children)

Couldn’t you use a separator to make it one line of code? That way it’d be even more dangerous

load more comments (9 replies)
[–] [email protected] 53 points 6 months ago (7 children)

As much as I lean to hate this despite it not even affecting me as a Linux user...

I’m going to structure this as a Q&A with myself now, based on comments online

What is that? "I'm going to pretend to ask questions that I'll then answer myself the way I think it'll outrage that most people do I'll get a lot of clicks on this shitty article"? What crappy excuse for content creation is this? I hate it.

[–] [email protected] 50 points 6 months ago (2 children)

I follow Kevin on Mastodon. He’s the real deal and is absolutely not interested in the clicks or outrage. He’s trying to make it accessible.

[–] [email protected] 22 points 6 months ago

Agreed. The way i took it was "i am going to write 'questions' based on the concerns people are commenting online and give the answers to those things people are interested/worried about"

[–] [email protected] 19 points 6 months ago

Yeah, I gotta say that I read the article and it seemed pretty reasonable in terms of content. The fake-Q-and-A thing wasn't quite my cup of tea either, but eh, I don't think it was all that problematic.

[–] [email protected] 19 points 6 months ago

Eh, they could have written it differently, each time hypothesizing that someone might wonder XYZ, but I appreciate the brevity of this format. And I do not think that the questions or answers are unreasonable.

load more comments (5 replies)
[–] [email protected] 39 points 6 months ago (7 children)

Nah…. Just… just nah. This will never fly in enterprise environments

[–] [email protected] 39 points 6 months ago (1 children)

Not just enterprise. Some organizations handle extremely sensitive information of victims of crimes, survivors of wars, potential political targets, just to name a few. A feature taking a screenshot and registering all of that data is a nonstarter. MS will have to prove that the feature doesn't run with certain gov clients, the privacy risk is way too high.

[–] [email protected] 20 points 6 months ago* (last edited 6 months ago)

On the other end of the spectrum, the vast majority of home users have no idea how to disable this or that it's even activated. There will be folders of Recall shit filling up everywhere, waiting for someone who knows it's there to access it.

If any of them access their work data on the Microsoft 365 web apps, it's now sitting in that folder, and they will not know.

This is honestly the biggest evidence yet of a need for some sort of regulation that certain privacy related things should not be allowed to be activated by default. They should always be opt-in, period.

[–] [email protected] 33 points 6 months ago* (last edited 6 months ago) (1 children)

Enterprise will love it because it will allow them timestamped access to everything their employees are doing during the day.

They will have it set up to alert on a various things...

"So, Bob, you were playing Minesweeper from 9:45 to 9:53, was that a scheduled break for you?"

"Jane, your screen showed no substantive changes from 1:03 to 4:15, you weren't in a meeting, what were you doing?"

[–] [email protected] 21 points 6 months ago (1 children)

The surveillance would be a double edged sword. If they were to be hacked, all sensitive information that was going through their PCs could be compromised.

[–] [email protected] 37 points 6 months ago (1 children)

They will convince themselves it can't be compromised. Never under-estimate the stupidity of middle management.

load more comments (1 replies)
load more comments (5 replies)
[–] [email protected] 35 points 6 months ago

Even supposing I didn't care about the security implications of this, why on earth would I want this functionality? I can barely keep up with all my activities in the present moment, let alone the past. It's like a morbid and pathological unification of nostalgia and hoarding.

[–] [email protected] 34 points 6 months ago (4 children)

THIS IS NOT CURRENTLY RUNNING ON MY WINDOWS COMPUTER, right?

This obvious first question hasn’t been clarified (maybe by one comment in this thread, but not in the article)

[–] [email protected] 43 points 6 months ago* (last edited 6 months ago) (5 children)

From The Verge’s obsequious article:

Recall won’t work with every Windows 11 computer. You’ll have to buy one of several fresh new “Copilot Plus PCs” powered by Qualcomm’s new Snapdragon X Elite chips, which have the neural processing unit (NPU) required for Recall to work.

load more comments (5 replies)
load more comments (3 replies)
[–] [email protected] 28 points 6 months ago* (last edited 6 months ago) (8 children)

I cant believe they are including this in enterprise edition too.

They usually keep their dirty spyware out of the enterprise editions to avoid losing corporate clients who dont want their secrets easily pluckable.

load more comments (8 replies)
[–] [email protected] 27 points 6 months ago

The full article is well worth reading. It's good to find a lucid, logical deconstruction of why, precisely, this will be a complete disaster.

[–] [email protected] 18 points 6 months ago* (last edited 6 months ago)

We should have let the government actually break up microsofts monopoly long ago. Now they will abuse it to force millions of Americans to use their spyware.

[–] [email protected] 18 points 6 months ago (6 children)

I'm really hoping valve does a public steamdeck OS release. I'd like to replace windows on my PC with Linux and have windows as a backup, but the Linux distro I'm the most familiar with is the steam deck's distro, and that's not available outside of steam decks yet.

[–] [email protected] 26 points 6 months ago

SteamOS is arch based and uses KDE Plasma as the default DE, so you could probably run Endeavour OS and be pretty darn close

load more comments (5 replies)
load more comments
view more: next ›