Microsoft makes Recall feature off-by-default after security and privacy backlash

Windows Hello authentication, additional encryption being added to protect data.

https://arstechnica.com/gadgets/2024/06/microsoft-makes-recall-feature-off-by-default-after-security-and-privacy-backlash/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

periodic reminder: you cannot "pass" a security audit. anybody selling you a passable security audit is selling you a lie, and anybody selling you a product that has "passed' an audit is lying to you.

a security audit can uncover bugs, or not uncover bugs, and can (in the words of the recipient) demonstrate positive or negative qualities about the codebase. but it cannot be "passed" or otherwise *endorse* the product or program itself.

I would equate writing your own parsers for fiddly formats that lack formal single specification and may even require implementers to know the right undocumented or verbally passed down lore with doing your own gas plumbing.

If you’re a pretty competent plumber and can turn the gas on and off you could try it right? Somebody has to do it and they usually get it right. And you’ve fixed a leaky sink tailpipe once or twice in your day.

But should *you* as a non gas plumber? My vote is no, your house could explode or you could die of noxious gas inhalation if you get it wrong.

I would equate using FFI to shoehorn such parsers from, say C++ into your nice “safe” main codebase language to then using an inappropriate connector type to attach a new gas range to your DIY job.

Should you do it? My vote is no, please let someone who is trained to do it. *Could* you do it? Nobody laid down a personal challenge, mate.

The worst thing about #recall is not that it's a security and privacy disaster, it’s that the root cause of the security problems is also the reason it will be completely useless.

Imagine that you are scrolling through some news aggregator or social media page and you spot something that’s interesting. You forget and then a few days later ask recall to find it for you. Recall has access only to screenshots and so will tell you ‘yes, that thing you found interesting, it was at http://mastodon.social’ and you will say ‘you are a total waste of battery life and I hate you’. It does not have access to the structure of the page, so it cannot extract the link to the specific post, it just does optical character recognition on the address bar. Most of the sites where it’s hard to find things do infinite scrolling, so knowing that ‘this thing was somewhere in this infinite-scrolling page’ is unhelpful.

If it had been designed as a solid piece of engineering, rather than a ‘please find a use case for this AI thing’ project, it would work more like Spotlight on macOS, exposing hooks for apps to provide structured data. Edge would extract the permalink fields and index them along with post content. If it had been designed like this, apps would be able to choose what to provide and so Edge could automatically skip any content of sites that you log into unless you opt in, and also opt out anything in a private browsing window. Office apps would be able to exclude files marked as sensitive (e.g. anything with PII or medical or financial data). The privacy implications would be much less bad, the performance would be better, and it would actually be useful.

This is fairly representative of a lot of the AI hype. By using machine learning, you can build something that could be done a lot better without AI. That’s not to say that there’s no use for ML models in such a system. Providing a feature extraction model for indexing would be useful, so I can search for ‘that paper I read that had a picture of an orange cat on the first page’ and it would be able to record ‘orange cat’ in the metadata for that picture when it indexed the PDF. It’s not the right foundation, because an existing off-the-shelf PDF parser can extract the table of contents and text with 100% accuracy, whereas ML-driven OCR on screenshots will fail if I’ve scrolled some of it off the window.

libarchive 3.7.4 released with 2 security fixes

@taviso 's analysis of CVE-2024-26256 explains the concept of RarVM and how it may relate to the now fixed vulnerability:

https://seclists.org/oss-sec/2024/q2/270

This may have impact on a bunch of downstream software (khm..AVs) too.

Edit: See also the analysis of @thezdi here: https://www.zerodayinitiative.com/blog/2024/4/17/cve-2024-20697-windows-libarchive-remote-code-execution-vulnerability

The only feeling I have about starship is dread.

They want to use that to launch batches of HUNDREDS of Starlinks at once. And guess where all those Starlinks will end up? The pieces that don't make it to the ground will end up in our upper atmosphere, screwing up the stratosphere, the ozone layer, who knows what else because SpaceX isn't required to do any environmental assessments of this.

Shit. Maybe a good time to post this essay I wrote yet again: https://theconversation.com/an-astronomers-lament-satellite-megaconstellations-are-ruining-space-exploration-215653

if you have a github integration that just started crashing, it's because the comment IDs have surpassed signed 32-bit range.

twitter citation

I just got reminded of this masterpiece:

https://en.wikipedia.org/wiki/Kazohinia

Can recommend to anyone who wants to see our societies from a different, enlightening perspective.

There's a new edition in #Hungarian (and also a couple of pirate ebooks online) too! English versions seem to be a rarity, but you should definitely grab a copy if there is a chance.

#bookstodon

📣 Announcing the availability of:

- PHP 8.3.8
- PHP 8.2.20
- PHP 8.1.29

‼️ These SECURITY releases fix:

- Argument Injection in PHP-CGI
- Bypass in filter_var FILTER_VALIDATE_URL
- proc_open workaround Windows with escaping arguments for bat/cmd files
- openssl_private_decrypt vulnerability to the Marvin attack

Please upgrade ASAP.

Changelog: https://www.php.net/ChangeLog-8.php
Source: https://www.php.net/downloads
Windows: https://windows.php.net/download/

Oooh a bypass of CVE-2012-1823?! 📈 (https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/)

https://fosstodon.org/@php/112570710411472992

Companies that bought a metric shit load of Nvidia processors want you to know how very badly you need a virtual assistant who spies on you and makes stuff up in order to justify it.

On a related note: It's significantly easier to find a pirate copy of Windows Security Internals than a EU distributor...

'It’s not a security vulnerability that users can access files that they have access to, even if the file is a little hard to find' by Raymond Chen seems relevant to the #Recall discussion:

https://devblogs.microsoft.com/oldnewthing/20200113-00/?p=103322

Indeed, you can even find @tiraniddo in the comments, who wrote about the topic recently:

https://www.tiraniddo.dev/2024/06/working-your-way-around-acl.html

I still don't see how *cross-user* access might be achieved *without admin* (as reported by @gossithedog ).

"...Suddenly every PC becomes a target for Discovery during legal proceedings. Lawyers can subpoena your Recall database and search it, no longer being limited to email but being able to search for terms that came up in Teams or Slack or Signal messages, and potentially verbally via Zoom or Skype if speech-to-text is included in Recall data..."

ah the clarity of @cstross

https://www.antipope.org/charlie/blog-static/2024/06/is-microsoft-trying-to-commit-.html

look i am not going to be a recall defender, nor am i a fan of the “uac is not a security boundary” bit, but this commentary seems… disingenuous. yes, your data is restricted to your user. yes, admins have full control over the machine meaning they can access your data. this shouldn’t be surprising. windows admin security boundaries are basically non-existent, i wish that wasn’t the case but that’s how it’s always been and will be for the foreseeable future

AhnLab researchers warn about phishing HTML files attached to emails that prompt users to directly paste (CTRL+V) and run commands. https://asec.ahnlab.com/en/66300/

Ooh cool @travisgoodspeed has written a book on Microcontroller Exploits. Will certainly be adding this to my collection!

https://nostarch.com/microcontroller-exploits

[RSS] Debugging the Windows kernel on VMware Part Two

https://cra0.net/blog/posts/debugging-the-windows-kernel-vmware-p2/

I'm posting this again to my main timeline, because it's really frustrating (emphasis mine):

"Beaumont says *admin access to the system isn’t required* to read another user’s Recall database. *Another user with an admin account* can easily grab any other user’s Recall database and all the Recall screenshots by clicking through a simple UAC prompt."

https://arstechnica.com/ai/2024/06/windows-recall-demands-an-extraordinary-level-of-trust-that-microsoft-hasnt-earned/2/

How is this not a contradiction? All demos I've seen clearly show that UAC elevation (from an admin account) is needed to access the DB.

I find the idea of #Recall as baffling as anyone, but as professionals we must clearly communicate the risks, so that *real* threats (e.g. abusive spouse with local admin access) are highlighted and MS can't dismiss them as FUD.