The Verge: https://www.theverge.com/2024/6/7/24173499/microsoft-windows-recall-response-security-concerns
Tech

Microsoft will switch off recall after security backlash

admin

What Have We Learned about Microsoft and How Do We Continue to Provide a Better Experience for Our Customers? A Response to Davuluri on Recall Security

“As we always do, we will continue to listen to and learn from our customers, including consumers, developers and enterprises, to evolve our experiences in ways that are meaningful to them,” says Davuluri “We will continue to build these new capabilities and experiences for our customers by prioritizing privacy, safety and security first. We are thankful for the feedback of customers who continue to communicate with us.

Microsoft made a number of dramatic changes to its recall feature on Friday which will include allowing it to be used as an opt-in feature in Copilot+ compatible versions of Windows where it had previously been turned on by default, and new security measures designed to better keep data and ciphers.

Davuluri references Microsoft’s SFI principles in today’s response, noting that the company is taking action to improve Recall security. But it appears to be largely down to security researchers flagging these issues rather than Microsoft’s own security principles because surely these issues should have been flagged internally far before this launch.

It has been called on employees to make security Microsoft’s top priority if that means being more focused on new features. In an internal memo, he says that if you are faced with a tradeoff between security and another priority, you have to do security. In certain cases, this will mean sacrificing other things, such as releasing new features or giving ongoing support for legacy systems, in favor of security.

Using Windows Hello to Enable Recall: A Comment on Aitel’s “Sacrificial Threats” to the PC and “Compromises with the Security of My Computer”

Microsoft will also require Windows Hello to enable Recall, so you’ll either authenticate with your face, fingerprint, or using a PIN. “In addition, proof of presence is also required to view your timeline and search in Recall,” says Davuluri, so someone won’t be able to start searching through your timeline without authenticating first.

The Recall database is extracts by TotalRecall so that you can easily view what text is in there and the screenshots that have been generated. NetExec appears to be getting its own Recall module soon that can access Recall folders and dump them so you can view the screenshots easily. There is currently no full protection on the recall database, so all these tools are possible.

“It makes your security very fragile,” as Dave Aitel, a former NSA hacker and founder of security firm Immunity, described it—more charitably than some others—to WIRED earlier this week. “Anyone who penetrates your computer for even a second can get your whole history. Which is not something people want to do.

In
Previous post The bomb that was used in the school strike was made in the U.S
Next post You might think that Microsoft’s recall feature is hackable

More Stories

Hezbollah’s top leader was killed

admin

Israel on Saturday said that it carried out an airstrike on the headquarters of Hezbollah, the Lebanese militant group, in Beirut, killing its leader Hassan Nasrallah and several others. The strikes were the first major attack on a Hezbollah stronghold since the 2006 war between Israel and Hezbollah. Israel had launched airstrikes in Lebanon earlier this week.

Voters in Nevada think the South should be prepared for a Hurricane

admin

Israel’s Ambassador to the UN Danny Danon said that the country is pushing for certain terms in any deal to end the conflict in the region. “If we can achieve the goals of the war through diplomacy, we prefer that,” Danon said outside the United Nations Security Council on Friday. The conflict erupted in August last year after Israel carried out an operation in Lebanon.