evacide,
@evacide@hachyderm.io

"...a would-be hacker would need to gain physical access to your device, unlock it and sign in before they could access saved screenshots."

I've got some news for Microsoft about how domestic abuse works.

https://www.bbc.com/news/articles/cpwwqp6nx14o

GossiTheDog,
@GossiTheDog@cyberplace.social

deleted_by_author

skry,
@skry@mastodon.social

@GossiTheDog @evacide This sounds like employer surveillance ware that can also be abused by any family admin. I can’t think of any reason I would want such a thing, as a user.

Also, if browser password managers are insecure, we should be shouting that from the rooftops.

xyhhx,
@xyhhx@nso.group

@skry they're not, and people do, but nobody cares. anyway to be clear: browsers' password managers are totally insecure.

good options include bitwarden or keepassxc/keepassdx (the former is easier, and a good option if you don't want to invest energy on your password manager; latter is more tedious but is strictly offline which may be preferable)

@GossiTheDog @evacide

TomSwirly,
@TomSwirly@toot.community

@xyhhx @skry @GossiTheDog @evacide

> browsers' password managers are totally insecure.

For the skeptical (which should be everyone! 😀 ), here are some not-so-technical citations as to why they are insecure:

https://www.zdnet.com/article/stop-using-your-browsers-built-in-password-manager/
https://www.kaspersky.com/blog/how-to-store-passwords-securely/48784/

ArneBab,
@ArneBab@rollenspiel.social

@TomSwirly The first link says „don’t use Chrome, for Firefox, set a primary password“, the second is from the creator of a password manager.

⇒ careful with that advice.

Maybe except for: don’t use Chrome.
@xyhhx @skry @GossiTheDog @evacide

ln0,
@ln0@mastodon.social

@evacide Microsoft always comes up with the best arguments to make people switch to MacOS or Linux.

delProfundo,
@delProfundo@aus.social

@evacide I’m surprised the ceo has any clothes on in that picture. He certainly has lost his damn mind.

nakeee,
@nakeee@mastodon.world

@evacide Can’t believe they haven’t seen https://xkcd.com/538/ yet…

n3wjack,
@n3wjack@mastodon.social

@evacide that feature has abuse written all over it. WTF.
They already had some sort of history feature in Win 10. Scared the crap out of me when I ran into it.
I guess it's one more thing to switch off on a Windows box.
It's starting to become a long list...

glitzersachen,

@evacide

Another point: "lawful interception".

glitzersachen,

@evacide And I wonder about corporate IT ...

happyborg,
@happyborg@fosstodon.org

@evacide
It's just such bullshit.

I've not bothered to read up on the announcements but so far haven't heard mention of any supposed benefits to this incredibly invasive feature and massive security and privacy risk.

It's as if they just can't be bothered pretending any more.

glitzersachen,

@happyborg @evacide

The benefits are to users who are so disorganized they cannot find their data or formerly visited web pages any more. "A photographic memory". Which in an audited, open OS could be called a feature.

So, the benefits are to 90% of windows users ... If you've got anything to hide from your employer or your spouse or the state, then you're thrown under the bus. The desire for privacy is anyway shady in the 21st century...

(This being the internet: Mark this as sarcasm).

Oggie,
@Oggie@woof.group

@evacide Oh they need to get physical access to the device and input passwords?

Or, and stay with me on this journey, microsoft is not a godlike being that never rolls out code with bugs. And any, ANY exploit here is going to be such a ridiculously awful fail state.

glitzersachen,

@Oggie @evacide

I wonder how spyware works these days. Does it need physical access and password, too? Or is there no spyware on Windows these days?

I wouldn't know, not running it, 🤷‍♂️ but asking for a friend.

kyonshi,
@kyonshi@dice.camp

@evacide I find it interesting that I have been reading about this on multiple pages, and there was literally no single comment (or article) that thought this "feature" was a good idea.

What sort of plank managed to get this through internal approval at MS?

mattdm,
@mattdm@hachyderm.io

@evacide

Uh, "For example, users can opt out of capturing certain websites" = "please make an intentional document attesting to the complete list of websites you are most embarrassed by visiting. what could go wrong?"

ashteranic,
@ashteranic@hachyderm.io

@evacide Yeah, it's really kind of frustrating when the retort from someone like Raymond Chen is that "But the attacker is already through the air-tight hatch by then." That doesn't mean you should make their job easy, what the heck?

enoch_exe_inc,
@enoch_exe_inc@mastodon.social

@evacide Also, parenting. Respect for young people’s privacy has always been extremely low. This will annihilate it completely.

anderson_jon,
@anderson_jon@hachyderm.io

@evacide Between Apple's AirTags being very good stalker tools and Microsoft releasing Recall, are they trying to one-up each other for who can enable domestic abuse the most?

wrosecrans,
@wrosecrans@mstdn.social

@evacide

... as opposed to all the would-be hackers who have never thought to try to unlock a device and sign into it, or access data without proper credentials.

It's like Microsoft is just sort of taunting hackers to try and get it broken as quickly as possible for some reason. Is this feature being implemented because somebody lost a bet, or the NSA has kompromat on Nadella, or what?

evacide,
@evacide@hachyderm.io

@wrosecrans This feature is being implemented because there were zero survivors of domestic abuse involved in the high-level decision-making.

wrosecrans,
@wrosecrans@mstdn.social

@evacide I absolutely believe you there. But I still struggle to understand why it got implemented. There are a zillion other obvious reasons it's a bad feature that one would notice even if they weren't sensitive to that specific issue.

This is gonna have screenshots of HIPAA protected data. Trade secrets. API keys. Passwords. HR department PII. GDPR protected stuff. On and on and on.

MisuseCase,
@MisuseCase@twit.social

@wrosecrans @evacide Nobody consulted a policy and compliance specialist about this. It’s shocking that Microsoft didn’t get input from at least one. This would violate a lot of data protection policies for many enterprise customers.

wrosecrans,
@wrosecrans@mstdn.social

@MisuseCase If I had to guess, the feature is not compliant with Microsoft's own legal department's retention policy, and Microsoft's lawyers are about to scream about the fact that if MS gets sued, the blast radius for document discovery just exploded if they don't disable it internally.

azonenberg,
@azonenberg@ioc.exchange

@wrosecrans @MisuseCase I would be extremely surprised if this doesn't ship with a GPO to disable it.

(Also, MS not enabling group policy on consumer focused windows editions probably ranks alongside the Win8 start menu destruction as one of the worst design decisions they've ever made)

wrosecrans,
@wrosecrans@mstdn.social

@azonenberg Sure, but the biggest risk is to people and orgs that aren't executing infosec perfectly. Ooops we had a bad password policy multiplied by ooops we left Recall's GPO default.

In a hypothetical perfect IT environment where all GPOs and such are perfectly managed, Recall probably poses little risk to start with. It's only dangerous in the real world.

azonenberg,
@azonenberg@ioc.exchange

@wrosecrans Yeah agreed. It's just one of 500 catastrophically horrible anti features that people will need to turn off to regain some semblance of a secure baseline.

mybarkingdogs,
@mybarkingdogs@freeradical.zone

@wrosecrans @evacide Also, what I really don't get is the actual use case.

Why the hell risk everyone's security and privacy AND require far more space and processing power (this is going to be a complete nightmare for gamers who run highest settings, even with the privacy issues aside - it will make these machines literally unusable for running high-demand anything)?

I just don't get it. Like WHY

mybarkingdogs,
@mybarkingdogs@freeradical.zone

@wrosecrans @evacide (also, since gaming, graphic design, animation, film editing, and other high demand graphical applications are reasons people use Windows machines - e.g. because their favorite game or the program/app they need to use won't work/work well on Linux ... this is going to shoot them in the foot even outside of privacy issues, by making slow, buggy machines unsuited for those uses)

ArneBab,
@ArneBab@rollenspiel.social

@mybarkingdogs industrial espionage might be pretty high on the list of use cases.

@wrosecrans @evacide

WhyNotZoidberg,
@WhyNotZoidberg@topspicy.social

@evacide @wrosecrans I have a strong reason to suspect that nobody thought about it because tech bros.
