even if they cannot take advantage of it in the near term, I think there's huge value in people knowing there's a viable alternative. I think discouraging that reflex in people to 'help' is poorly considered, especially when they follow the 'well, you could move to Linux' with 'let me know how I can help you'. Even if that results in 'well, I can't move to Linux', it plants the seed so the afflicted has the knowledge to make different choice at some future opportunity.
Someone with better computer skills should code a program that either disables screen capture, or botches the recorded data (as far as I understand, it's stored locally at this point). I can only offer a name for such program: Windows Dementia.
I do not blame. But I know Linux since university in the mid 2000's. I started using it myself occasionally a few years ago on dual boot, someone helped me getting a better dual boot combination two months ago and now, I feel ready to go 100% Linux soon.
There are several distributions that are transparent and very Windows-users friendly.
I am also ready to advise to use Linux and help switching!
The structural unsafety is indeed terrible, and absolutely needs to be called out.
On the other hand, I think relatively few people even have awareness that there *might* be a choice that they can make. Maybe they ask, and the answer is still no. Maybe, just maybe, the awareness leads to being able to make a constructive choice.
Pointing out possible alternatives is still useful.
It's like when I voice my concerns (and that's a nice way of putting it) about the direction my state of residence is taking, and somebody says "well....move."
I'm like cool. Is there a job with the same rate of pay, city government benefits, and willing to hire a 57 year old with very arthritic knees magically waiting for me? WELL?!
@TheLastOfHisName Also, "the linux experience" is still far, far away from the convenience of using Windows or Apple products. It's like the difference between driving a Toyota, and driving some Mad Max style kludge. Yeah, the kludge looks cool, some kludges are way better than Toyotas (while some just aren't), if you know what you are doing you can kludge up some vehicle that's ideally fit for purpose. But for people that just need to get from point A to B and back, Toyota is reasonable.
For many people, being advised to use Linux is about as helpful as being advised to live in a yurt.
It's not that they can't see the advantages of living in a yurt. They may even find the yurt-dwelling lifestyle intriguing. But they can't see how they would ever be able to rearrange their life such that a yurt is an option.
So, please read upthread for context: this is about domestic violence situations, where the persons in question may not be able to change the OS of a computer.
This needs to be laser-engraved on a baseball bat and used to percussively educate that miserable fraction of Linux users that keep saying "jUsT uSe LiNuX" as if that was ever a universal solution to anything. I've been a mostly happy Linux user since around 1994 and I cannot tell you the number of times I've wanted to shove obtuse evangelistas into traffic over this. Christ, they're awful.
They make up all kinds of 'but awareness of options' excuses but it's ultimately variously flavored victim blaming and I'm not at all interested in arguing with their choice to enable abusive behaviors.
The "Just use Linux" brigade seem entirely uncomprehending of how the other 99% of the population approach and use technology. Which is to find out how to do what they need to do, as best they can. And that's all. I have a 'nux machine. I wouldn't impose it on myself for routine stuff or on my family ever.
"Use Linux" is a bit of a nerd reaction on complaints about MS. Switching to Linux usually poses lots of problems, and often you end up with having to install something like VMWare to run Windows programs, which cannot be a good solution from a pure technical point of view. I think politics should start looking into this, and there should be laws which end the ongoing changes in Windows, pestering people to buy new computers and pay again for their programs, not to mention the data loss.
Basically anything that makes it easier on newbies I see a lot of rage over.
It's more vocal minority than widespread issue, but a vocal minority can cause problems far beyond what their size would suggest.
As for Unity... I wouldn't have an issue with that but certainly doesn't need to be a priority, certainly not community wide. If someone wants to do something with it I don't really care though.
@anniethebruce Fair in some cases then, but not when it just degrades the experience as a whole, e.g. having to jump through a load of hoops to get a proper Firefox install on Ubuntu because Snap is so shit...
it would be impossible to, given that many people will still be using a single user on the family computer, share laptop passwords etc - and a victim suggesting they and their partner change this Will Not Go Well
Yeah, I don't have any that deal in corporate law to refer to, unfortunately.
But given the corp infosuck policy training I have to go through every year, I'm pretty certain my people would be screaming holy hell about discovery. Hell, I'm surprised they haven't disabled the Spotlight feature on my Mac, or whatever the Windows equivalent is.
In fairness, my situation's a lot more compliance and malware research flavored, and the DV implications have me -extremely- shook given some past context.
But that's what friends are for, to give different points of view.
lol, I mean, hell, I more or less vanished from -everywhere- for a couple years while I was reworking my head around this whole "wait I'm a -girl-?!" thing. Been slowly rebuilding things since and....the world changed a lot.
@bluknight I’m currently researching the impact of AI on employee monitoring tools. Even though this is not meant to do that, I can imagine it being used to do just that.
a mindset that I find to be helpful is to work out the 'shape' of the workflow that this enables first, and then look for the populations that can make use of this.
And since I'm infosec, that means I start with those causing harm.
I'm curious how easy this "feature" will be to turn off. Or filter/limit. Or in any way control. We haven't seen that yet. But there has to be some way to exclude or disable the feature. And if not out-of-the-box, I assume some PowerToys or other 3rd party utility will soon be available to do just that.
I’m not sure if that is really relevant in the DV scenario. Whether this feature is, or could be, reliably controlled via GPO ( for domains) or local security policy ( for standalone) doesn’t change the fact that in domestic abuse situations you have to assume the abuser has top level admin access.
So (as you said) putting this in as a core feature is just flat out dumb, no internal OS control feature helps in any way. That horse has bolted.
Fortunately it's only on "Copilot Plus PCs" instead of just enabled for everyone without their awareness. The tinfoil hat side of me expects that we'll eventually see "lawful access" requests for that information and restrictions on tampering with it or turning it off.
or just one of those weirdo micro managers that wants to see and control every bit of their underlings work lives instead of just making sure the job gets done.
@rabbit As I translated @pluralistic 's DRM talk given at Microsoft oh so long ago I still remember it well. It includes: When his defense asked "Which computer has Jon trespassed upon?" the answer was: "His own." craphound.com/msftdrm.txt Cory, you need to go to Microsoft and repeat the talk, they forgot it in these twenty years.
This does not address the situation, because not everyone has the agency to choose their own OS environment - especially those persons who are in abusive relationships.
If the infrastructure creates the unsafe situation, it's unsafe for everyone, regardless of whether or not another option exists.
Speaking as a person with specific memory issues, yes, the use-case for those is obvious. However, the implementation of it is -not safe- for users by default.
Speaking as someone who has been in situations in the past where this capability would have absolutely been used to cause me harm, I find nothing whatsoever about this to be even slightly funny.
Yes. It is another nail in the coffin (alongside browser history) for "If you do not control your machine environment, your privacy is fundamentally upper-bounded."
@mark browser history is mitigable by 'private mode' and is, in fact, why that mode was invented in the first place, and is in place as an expected, canonized part of the browser workflow.
domestic abuse. law enforcement abuse. government overreach abuse. greedy ad bastard abuse. account security disclosures. privacy leaks. the things wrong go on and on. workplace micromanagement.
everyone this is good for is not the end user's friend.
This is the formal end of privacy. If Hackers get the Language Model (and I suppose they also do Action models of the users). If the AI model of the user is captured by a Hacker. Then the Hacker owns Everything. Favours, the behaviour, probably bank accounts and he knows the friends and secret habits.
Microsoft is also the biggest stakeholder in GPT, and the yellow press like Axel Springer provides data. Microsoft is now the biggest threat to privacy and democracy.
Thank you. I thought of the "Black Mirror" thing independently but I didn't enjoy finding out it was also what Elon Musk thought about it when I went to look up the episode.
I think recall would be fine and even beneficial IF there was a way to get it to lie undetectably.... I hid discord and my queer friends from parents by making an app called pepper that launched different apps in a mode where going home closed the apps, it just used the keypad for the app launch and unlock codes. Being able to lie about history is even more powerful than not having history IMO
Unfortunately, this kind of situation has a severe bootstrapping problem - when the surveillance is structural like this, how do you -get- to the point where it's possible to configure it to your benefit?
No amount of mitigative measures makes up for this; it has to be addressed structurally.
By proving that it will have deleterious business effects and thus impact their profitability as an organization.
Describing how it violates compliance standards that their customer base -must- follow in order to stay in business - and thus, remain as customers, and thus continue to pay MS - is an effective way of addressing MS's incentive as an organization.
I'm watching the Microsoft Build keynote and one thing that's very noticeable is how in the (scripted) demos the users are anthropomorphising Copilot by being polite to it to the extent of praising it.
Yeah believe it or not that's an artifact of how openai llms work - given that they're trained on the social corpora, they select strategies according to what got praised in the original context; thus, giving them praise is the incantation to get them to use the 'good' stuff.
Yes. If you tell it that it's good at something, it will give results better than a neutral or critical affect.
If you want that capability - and, yes, I'm also someone who has frequent memory issues and who needs to keep exocortical state regarding things - then have it as a third-party add-on, that needs -specific consent- from the user to invoke.
As someone with working memory issues due to ADHD that make me forget what I'm doing while I'm doing it, I do kind of like the idea of a version of the recall concept whereby I could say "monitor this application, this one and this browser window" and do it for the next two hours, and I have to opt in. I can see it has uses. Maybe other platforms will do that.
Amusingly the keynote stream has just failed and won't restart. For all these things they've built. Microsoft still can't make a conference web site that works.
Like, I have genuinely seen some people's workflows that, when tuned to their specific uses, enable them to create what they're looking for quickly and efficiently - someone I know has a very well-tuned Rust-centric environment for which copilot provides the requisite boilerplate when they're writing that kind of thing about...I think they cited 80%ish of the time?
So in specific, restricted use-cases, where it's specifically being used to augment an expert's expertise and where the output is being scrutinized to ensure it's appropriate, yes, it's useful.
Which has led to a number of thoughts on my part that maybe the gpt-style "general purpose assistant" modes are an evolutionary mistake, and that a more effective model would be -worse- LLMs that are single-focused for specific workflows and tasks.
I'm interested to see, if AI tools do increase our ability to take on cognitive load (including that of neurotypicals), how and if the Jevons paradox applies and the amount of cognitive bombardment increases.
I'm not entirely sure I understand. Do you mean in terms of data protection (e.g. GDPR) or other regulation?
Even though OneDrive is nominally GDPR compliant (which seems like it should be a contradiction given Microsoft can read it) I put sensitive data in my own ownCloud which is E2EE.
My citation of GDPR violation is: your data appears on a GDPR-enforced entity's screen during entry. Let's say, you check into a hotel and they need your billing address; this is part of the requisite collections for the workload being processed - the hotel needs to know your billing address in order to manage billing you.
Windows screen-scrapes this billing address.
The hotel is -still on the hook- for windows scraping this info, and has to be able to attest, when you demand its deletion later, that they extracted every instance of this information - and further, that this information did not percolate to -someone else-, like, for instance, Microsoft, for whom that information is -not- requisite for the processing of the workload in question.
Never mind just cybercriminals. What happens when law enforcement gets a decontextualised history of everything I've done on my computer? Including, ironically, this comment.
Oh, their motivations for collection? yeah, that, and the whole delusion as regards "data is a valuable resource to be collected" contra "data is radioactive waste to be minimized".
It's mainly that I was trying to think "why do they want machines to collect this data" even if in theory it won't be uploaded anywhere (I obviously don't trust them on that, but I expect it to come out if/when they do). I wondered if for once it might actually be partly the old fashioned "sell new Windows boxes". But the value of having this data out there to certain actors, even if it isn't collated is huge.
at this point I have no data, and thus I'm not inclined to speculate further on the motivations absent specific discussion with people involved with this pile of horseshit.
Preferably the kind of discussion where I'm given the latitude to make my disquiet known palpably.
I'm thinking specifically of Recall which they claim will be on-device, unlike most of it where they admit to collecting it. I wonder if the rationale is a sort of data collection loss leading to convince us they're trustworthy with the other data. Simplest explanation, if they're not lying, is that it will just change a year or two after it's normalised.
You know Microsoft is just going to say something like, "We understand that Recall isn't appealing to all users. Here's how you can turn it off with administrator permissions," like that's going to protect anyone who doesn't have any personal autonomy.
@julie There's two primary audiences to address for this: corp users and home users, each of whom has different incentives and concerns.
For corp users, making the case that this product will harm profitability by making compliance certifications that are necessary to do business at all impossible is the effective argument; it speaks to business incentives.
For home users, making the case that MS is implementing something that will cause direct harm to them is the more useful stance.
I've been following this news throughout the day. Yes, M$ looking to implement this is going to be a disaster for all.
As to the home environment, I hope that no one who is at risk of abuse ever trusts their PC. Ever. Controlling parents or spouses will always figure a way to spy. If your device is not 100% under your control it should be considered suspect. This includes phones.
As to everyone else, your only right is to vote w/ your $$. And that's not easy.
my idiolect version tends to stick in people's head via the unexpected concept of a "security item" being contrasted with the 'system' as well as having the -em rhyme and similar stress cadence, as well as allowing me an opening to discuss systemic vs. iterative thinking patterns in evaluating security. It's been fun developing an aphorism that has those affordances.
@alex_02 yeah, as a former closeted queer kid it's fucking -devastating- the kind of power parents hold over kids in these scenarios, and the amount of harm they can do is immeasurable.
@crankylinuxuser This is the same BS argument by everyone else supporting asocial maniacs in exchange for convenience - against non-megacorp social media ("but I'd lose followers temporarily"), public transport ("but with the current time tables, it would take 10 mins longer"), EVs, heat pumps, renewables, etcpp.
People are not willing to take even minor inconveniences to make the world a better place, then cry when indeed the Leopard Company ate their face as predicted, and then demand that those of us who predicted this and invested some time and money and inconveniences to protect themself from that and got ridiculed for that to save them.
One dimension of the always-on "Recall" scraping feature makes me very certain it will a) happen b) be default and c) probably will become impossible to turn off (i.e. just work in the background)
And it's because of the advertising industry. With it, you can sell attention metrics and guarantee that the target has been subjected to an ad.
Most people don’t think too much of vending machines. They’re just those hulking machines that lurk around on train stations, airports and in the bowels of school and office buildings, …
Fi, infosec-aspected 🏳️⚧️
in reply to Fi, infosec-aspected 🏳️⚧️
Like, flat-out.
This 'feature' means that someone in an abusive relationship now has a canonized part of the OS monitoring their activities that can be then invoked and studied by the abuser.
Fi, infosec-aspected 🏳️⚧️
in reply to Fi, infosec-aspected 🏳️⚧️
Ain't no amount of -group policy- bullshit gonna fix this,
because Microsoft -doesn't allow- the granularity of administration required to defuse this for non-corporate users.
Fi, infosec-aspected 🏳️⚧️
in reply to Fi, infosec-aspected 🏳️⚧️
"Use Linux" is not an appropriate response.
People do not always have the agency to choose their operational environment and you cannot fix structural unsafety with individual choice.
This is not a jape nor a joke, and I am not willing to countenance this as an argument.
Do not perpetuate abusive situations by blaming a victim for the environment they are in.
Fi, infosec-aspected 🏳️⚧️
in reply to Fi, infosec-aspected 🏳️⚧️
How -do- you fix this?
You do not put the capability to automate screen-scraping into the OS as a canonized feature.
Yes, this does not stop screen scraping from being possible - it's been around for years.
Disallowing it from the canonical image -of- the OS, however, means that there is an increased barrier in the way of implementing this: an abuser will need to learn how to implement this, and will need to rely on third-party software not integrated into the OS as expected functionality.
This in turn means that abuse victims are able to rely on tools already in-use to remove third-party software from the computer in order to have more assurance of private operation.
Yes, no single measure is capable of ensuring safety.
This is why it's a security -system- and not a security -item-; systemic effects require an understanding of the entire context in order to evaluate the safety or unsafety of the system.
Dan
in reply to Fi, infosec-aspected 🏳️⚧️
that's the thing that really terrifies me. not that it will eventually become impossible to disable, but the fact that it being baked in to the OS means an attacker or abuser can just re-enable it. probably with a single PS command.
it's making a keylogger and half the functionality of a RAT with full history into a LOLbin. and it won't be flagged or disabled by any security tools.
the productivity measurement tools MS has already been marketing for years were bad enough, how long until recall becomes a part of the legal hold workflow? how long until your boss watches every single thing you do because let's be honest, plenty of shitty bosses are just petty cops deep down. what about the creepy sysadmin with a crush on someone, who then harvests their email password with recall? how much damage could someone do with those credentials?
the possibility for abuse is so intensely, wildly outsized with any actual utility that anyone can imagine, you would have to be completely out of touch with even basic human decency to think this is a good idea.
Fi, infosec-aspected 🏳️⚧️
in reply to Dan
@dko
Speaking in my aspect as an anti-malware researcher, using onboard components to enable malicious behavior is already a standard pattern in malware development - ransomware does this, for example, using built-in encryption capabilities.
If the capability exists as a canonized part of the system, it is available as a means of causing malicious behavior for anyone on the system, and detecting it -as- malicious becomes difficult if not impossible.
NosirrahSec 🏴☠️
in reply to Fi, infosec-aspected 🏳️⚧️
@dko I want to cry thinking of how to respond to a client, "You see, this was silently turned on months ago by a threat actor and we didn't detect that because it was via a method no one had seen yet."
ad nauseam because new ways to enable it and silently/bypass controls and detections will be CONSTANT
Perhaps we're all panicking a little too hard? I know I'm an optimist, but maybe I shouldn't be for this. It raises the hairs on my neck proverbially. I can just sense danger so-to-speak, I guess.
Fi, infosec-aspected 🏳️⚧️
in reply to NosirrahSec 🏴☠️
@NosirrahSec @dko
This is why I'm using the compliance argument for the biz-side folks. It's one which will be more effective - "this makes you noncompliant, which means you lose all your customers who require compliance" aligns with biz incentives.
Bee O'Problem
in reply to Fi, infosec-aspected 🏳️⚧️
@NosirrahSec @dko that's what I did RE Slack's AI thing and am doing to lobby against this.
Starting by pointing out recall is an OS feature that implicitly violates data retention policies at the absolute best.
Billy Smith
in reply to Fi, infosec-aspected 🏳️⚧️
@NosirrahSec @dko
Also, the insurance argument: "This won't be covered by your employer's insurance company, so anyone using it will be held personally liable."
This is being used in Florida right now. The reason that cash-only customers are preferred is that the banks can't get mortgage insurance for the coming flood-zones.
Site Reliability Enby🏳️⚧️🏁🔦📈🐺👗😷
in reply to NosirrahSec 🏴☠️
@NosirrahSec @dko Configure your EDR to detect if it's enabled?
Agreed you should need to have to do that though...
Madeline Nostromo 🏳️⚧️
in reply to Dan
@dko This.
> the productivity measurement tools MS has already been marketing for years were bad enough, how long until recall becomes a part of the legal hold workflow? how long until your boss watches every single thing you do because let's be honest, plenty of shitty bosses are just petty cops deep down. what about the creepy sysadmin with a crush on someone, who then harvests their email password with recall? how much damage could someone do with those credentials?
#recall #Microsoft
argv minus one
in reply to Madeline Nostromo 🏳️⚧️ • • •@MsNostromo
I was under the impression they were already doing that. Never do anything on a work computer that you don't want the rest of the company to know about! (Unless you are the entire IT department, in which case go crazy I guess.)
@dko @munin
Fi, infosec-aspected 🏳️⚧️
in reply to argv minus one • • •@argv_minus_one @MsNostromo @dko
The thread context as initiated was discussing domestic abuse
mkj
in reply to Dave Lane 🇳🇿 • • •@lightweight True. On the other hand, in far too many cases it's "you should switch to Linux and you're a loser for not doing that", regardless of the actual situation someone is in and whether switching operating systems is even a viable alternative.
"Let me know how I can help you switch to software that respects your privacy" completely changes the framing. Maybe the answer is along the lines of "I need a safe space and a computer $abuser has zero access to". You can work with that.
@munin
John Timaeus
in reply to mkj • • •@mkj
It's looking more and more like I'll be holding a monthly Linux migration-fest at the local pub.
I've gotten two requests for help doing it today.
They can buy me Sunday beer and I'll move data around and reinstall old lappies with new Alma.
@lightweight @munin
mkj
in reply to John Timaeus • • •@johntimaeus @lightweight I've seen AT LEAST two people right here on the Fediverse who have *specifically* cited Windows Recall as reason why they are actually going to migrate away from Windows and asking for help or input with that. That may not be entirely representative because people on the Fediverse are probably slightly more technically inclined than average, and of course I only observe a tiny fraction of Fediverse activity, but even so.
#Windows #MicrosoftRecall #WindowsRecall
Niavy :bearn: :verified:
in reply to Fi, infosec-aspected 🏳️⚧️ • • •I do not blame. But I know Linux since university in the mid 2000's. I started using it myself occasionally a few years ago on dual boot, someone helped me get a better dual boot combination two months ago and now, I feel ready to go 100% Linux soon.
There are several distributions that are transparent and very Windows-users friendly.
I am also ready to advise to use Linux and help switching!
Tim Lavoie
in reply to Fi, infosec-aspected 🏳️⚧️ • • •The structural unsafety is indeed terrible, and absolutely needs to be called out.
On the other hand, I think relatively few people even have awareness that there *might* be a choice that they can make. Maybe they ask, and the answer is still no. Maybe, just maybe, the awareness leads to being able to make a constructive choice.
Pointing out possible alternatives is still useful.
Fi, infosec-aspected 🏳️⚧️
in reply to Tim Lavoie • • •@tim_lavoie
No.
Knowledge that alternatives theoretically exist is not helpful when a victim does not have the agency to apply that change.
Systemic unsafety -cannot- be addressed by individual choice, because individual choice can be coerced or prevented.
Unsafe infrastructure is not fit for purpose.
Fi, infosec-aspected 🏳️⚧️
in reply to Dane • • •@TheLastOfHisName
I had several people pop up saying "use linux instead" and decided to textually indicate why that was not acceptable.
Dane
in reply to Fi, infosec-aspected 🏳️⚧️ • • •It's like when I voice my concerns (and that's a nice way of putting it) about the direction my state of residence is taking, and somebody says "well....move."
I'm like cool. Is there a job with the same rate of pay, city government benefits, and willing to hire a 57 year old with very arthritic knees magically waiting for me? WELL?!
Fi, infosec-aspected 🏳️⚧️
in reply to Dane • • •@TheLastOfHisName
Yeah. Been chewing on how to communicate "personal choice cannot fix structural unsafety" effectively.
Isaac Freeman
in reply to Fi, infosec-aspected 🏳️⚧️ • • •For many people, being advised to use Linux is about as helpful as being advised to live in a yurt.
It's not that they can't see the advantages of living in a yurt. They may even find the yurt-dwelling lifestyle intriguing. But they can't see how they would ever be able to rearrange their life such that a yurt is an option.
Fi, infosec-aspected 🏳️⚧️
in reply to Isaac Freeman • • •@isaacfreeman
So, please read upthread for context: this is about domestic violence situations, where the persons in question may not be able to change the OS of a computer.
Fi, infosec-aspected 🏳️⚧️
in reply to arclight • • •@arclight
They make up all kinds of 'but awareness of options' excuses but it's ultimately variously flavored victim blaming and I'm not at all interested in arguing with their choice to enable abusive behaviors.
Fi, infosec-aspected 🏳️⚧️
in reply to F4GRX Sébastien • • •@f4grx @gsuberland
Yup. It is.
petros
in reply to Fi, infosec-aspected 🏳️⚧️ • • •Alright.
Use Linux if you can.
I understand that not everybody can use it but it is certainly the best advice.
It is saying: Stop the water where it's leaking.
It is easier than cleaning up the mess after you're flooded.
Peter Motte
in reply to Fi, infosec-aspected 🏳️⚧️ • • •I think politics should start looking into this, and there should be laws which end the ongoing changes in Windows, pestering people to buy new computers and pay again for their programs, not to mention the data loss.
Annie
in reply to Fi, infosec-aspected 🏳️⚧️ • • •the energy spent on advertising Linux in these situations should be spent improving it and the market in general to make it a more practical choice.
Then you run into the asshole greybeards who bemoan Windows dominance but absolutely rage at anything that would actually close the gap.
Site Reliability Enby🏳️⚧️🏁🔦📈🐺👗😷
in reply to Annie • • •@anniethebruce What are these things that would close a gap, exactly?
If you say Unity I am going to scream.
Annie
in reply to Site Reliability Enby🏳️⚧️🏁🔦📈🐺👗😷 • • •Basically anything that makes it easier on newbies I see a lot of rage over.
It's more vocal minority than widespread issue, but a vocal minority can cause problems far beyond what their size would suggest.
As for Unity... I wouldn't have an issue with that but certainly doesn't need to be a priority, certainly not community wide. If someone wants to do something with it I don't really care though.
NO NAME
in reply to Fi, infosec-aspected 🏳️⚧️ • • •For those who must use Windows 11 - here is how to disable Recall:
- Open a command prompt as Administrator (Local Admin should do)
- Type: Dism /Online /Disable-Feature /FeatureName:Recall
Disclaimer
Do understand and Please Read - This may hinder some features of the new file explorer. Because Microsoft never learns.
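To go with the DISM command in the post above and the concern raised in the thread that the feature can be turned back on unnoticed, here is an added example (not part of the original post) that parses the output of `Dism /Online /Get-FeatureInfo /FeatureName:Recall` and fails closed on any state other than disabled. The sample outputs and the verdict names are constructed for illustration, and English-language DISM output is assumed.

```python
"""Audit the Recall optional-feature state from DISM output (added example)."""
import re
import subprocess

FEATURE = "Recall"  # feature name as given in the DISM command in the post

# States in which the feature is installed but not active.
OFF_STATES = {"disabled", "disabled with payload removed"}

# Constructed samples of DISM output, embedded so the parser runs offline.
SAMPLE_PENDING = """\
Deployment Image Servicing and Management tool
Version: 10.0.0.0

Image Version: 10.0.0.0

Feature Information:

Feature Name : Recall
Display Name : Recall
Restart Required : Possible
State : Enable Pending

The operation completed successfully.
"""

SAMPLE_UNKNOWN = """\
Deployment Image Servicing and Management tool
Version: 10.0.0.0

Error: 0x800f080c

Feature name Recall is unknown.
"""

_FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")


def parse_feature_info(text):
    """Collect the 'Key : Value' lines of a DISM report into a dict."""
    fields = {}
    for line in text.splitlines():
        match = _FIELD.match(line)
        if match:
            # Keep the first occurrence so later text cannot override it.
            fields.setdefault(match.group(1), match.group(2))
    return fields


def audit(text):
    """Return (verdict, state) for one DISM report.

    verdict is 'off', 'absent', 'error' or 'alert'. Anything that is not
    positively known to be disabled is an alert, including the pending
    states (the change only applies after a reboot) and unrecognised
    state strings.
    """
    state = parse_feature_info(text).get("State")
    if state is None:
        # No State line: the build has no such feature, or DISM failed
        # (for example because the prompt was not elevated).
        return ("absent" if "is unknown" in text else "error", None)
    if state.lower() in OFF_STATES:
        return ("off", state)
    return ("alert", state)


def query_dism():
    """Run DISM on the local machine; needs an elevated prompt on Windows."""
    proc = subprocess.run(
        ["dism", "/Online", "/Get-FeatureInfo", f"/FeatureName:{FEATURE}"],
        capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    verdict, state = audit(query_dism())
    print(f"{FEATURE}: verdict={verdict} state={state}")
    # Non-zero exit lets a scheduler or EDR custom check raise on it.
    raise SystemExit(0 if verdict in ("off", "absent") else 1)
```

Run on a schedule rather than once, since the point made in the thread is that the state can change after it was last checked.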
Fi, infosec-aspected 🏳️⚧️
in reply to Petra • • •@PetraOleum
Exactly. No amount of individual "choice" matters when the structural situation is comprehensively unsafe.
Fi, infosec-aspected 🏳️⚧️
in reply to infosec zathras • • •@bluknight
I'm genuinely curious to hear from corp lawyers, tbh. I have an -idea- about what they'd say, but I would genuinely value that point of view for this.
infosec zathras
in reply to Fi, infosec-aspected 🏳️⚧️ • • •Yeah, I don't have any that deal in corporate law to refer to, unfortunately.
But given the corp infosuck policy training I have to go through every year, I'm pretty certain my people would be screaming holy hell about discovery. Hell, I'm surprised they haven't disabled the Spotlight feature on my Mac, or whatever the Windows equivalent is.
Fi, infosec-aspected 🏳️⚧️
in reply to infosec zathras • • •@bluknight
Oh hells, I hadn't even gotten to considering the 'discovery' threat surface to this. Yowza, that's gonna be spicy as fuck.
infosec zathras
in reply to Fi, infosec-aspected 🏳️⚧️ • • •Ya think, DiNozzo? 🤣
Discovery was the third thing that came to mind, after "advertising" and "AI training for *redacted* purposes".
Fi, infosec-aspected 🏳️⚧️
in reply to infosec zathras • • •@bluknight
In fairness, my situation's a lot more compliance and malware research flavored, and the DV implications have me -extremely- shook given some past context.
But that's what friends are for, to give different points of view.
infosec zathras
in reply to Fi, infosec-aspected 🏳️⚧️ • • •Like you not thinking discovery, I hadn't thought of DV implications. Sweet Tester.
Maybe I should take every computing device newer than my 40-year-old pocket calculator out into the driveway and set it on fire now.
Just to be on the safe side.
Fi, infosec-aspected 🏳️⚧️
in reply to infosec zathras • • •@bluknight
Problem is, can't really participate in society -without- modern information processing devices - try getting your tax info from the IRS, for example.
infosec zathras
in reply to Fi, infosec-aspected 🏳️⚧️ • • •Dude, we both hang in the same circles of people.
Remind me again how participating in society any more is a good idea? 🤣
Fi, infosec-aspected 🏳️⚧️
in reply to infosec zathras • • •@bluknight
To be fair, I did opt out of the normative social structure a while back with the whole 'trans' thing.
Hanging out with the queer folks is a lot more chill.
infosec zathras
in reply to Fi, infosec-aspected 🏳️⚧️ • • •Not the point I was making, but you're not necessarily wrong.
Unfortunately, I'm not certain I fit in either circle well, or at all any more.
Fi, infosec-aspected 🏳️⚧️
in reply to infosec zathras • • •@bluknight
lol, I mean, hell, I more or less vanished from -everywhere- for a couple years while I was reworking my head around this whole "wait I'm a -girl-?!" thing. Been slowly rebuilding things since and....the world changed a lot.
infosec zathras
in reply to Fi, infosec-aspected 🏳️⚧️ • • •The world didn't change as much as your perception of it did.
My perception has changed a lot, too. Maybe for different reasons.
Fi, infosec-aspected 🏳️⚧️
in reply to infosec zathras • • •@bluknight
O what a brave new world that has such people in't!
Fi, infosec-aspected 🏳️⚧️
in reply to infosec zathras • • •@bluknight
the usual retort is " 'tis new to thee "
Fi, infosec-aspected 🏳️⚧️
in reply to infosec zathras • • •@bluknight
And I'm somehow still a Shakespeare weeb lol
Fi, infosec-aspected 🏳️⚧️
in reply to 0px auto • • •@melis @bluknight
a mindset that I find to be helpful is to work out the 'shape' of the workflow that this enables first, and then look for the populations that can make use of this.
And since I'm infosec, that means I start with those causing harm.
pmbAustin
in reply to Fi, infosec-aspected 🏳️⚧️ • • •@bluknight
I'm curious how easy this "feature" will be to turn off. Or filter/limit. Or in any way control. We haven't seen that yet. But there has to be some way to exclude or disable the feature. And if not out-of-the-box, I assume some PowerToys or other 3rd party utility will soon be available to do just that.
Fi, infosec-aspected 🏳️⚧️
in reply to pmbAustin • • •@pmbAustin @bluknight
Does not matter.
If the code is on the box, the box is systemically unsafe.
infosec.exchange/@munin/112480…
Fi, infosec-aspected 🏳️⚧️
2024-05-21 18:53:56
Joe Mansfield
in reply to Fi, infosec-aspected 🏳️⚧️ • • •I’m not sure if that is really relevant in the DV scenario. Whether this feature is, or could be, reliably controlled via GPO ( for domains) or local security policy ( for standalone) doesn’t change the fact that in domestic abuse situations you have to assume the abuser has top level admin access.
So (as you said) putting this in as a core feature is just flat out dumb, no internal OS control feature helps in any way. That horse has bolted.
Fi, infosec-aspected 🏳️⚧️
in reply to Joe Mansfield • • •@helvick
In the set of DV situations where the abuser has only intermittent access to the system, it could potentially be a mitigation.
But yes. That it's present at all is, itself, the problem, which I brought up two posts downthread from there.
Fi, infosec-aspected 🏳️⚧️
in reply to rabbit • • •@rabbit
I have no doubt that "eventually" is "sometime last week".
Fi, infosec-aspected 🏳️⚧️
in reply to Patch Arcana • • •@patcharcana @rabbit
I personally am wondering if the director in charge of this project is a domestic abuser.
Bee O'Problem
in reply to Fi, infosec-aspected 🏳️⚧️ • • •or just one of those weirdo micro managers that wants to see and control every bit of their underlings work lives instead of just making sure the job gets done.
[It's the same picture.jpg]
chx
in reply to rabbit • • •own." craphound.com/msftdrm.txt Cory, you need to go to Microsoft and repeat the talk, they forgot it in these twenty years.
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@crankylinuxuser
This does not address the situation, because not everyone has the agency to choose their own OS environment - especially those persons who are in abusive relationships.
If the infrastructure creates the unsafe situation, it's unsafe for everyone, regardless of whether or not another option exists.
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@VulpineAmethyst
Speaking as a person with specific memory issues, yes, the use-case for those is obvious. However, the implementation of it is -not safe- for users by default.
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@crankylinuxuser
Safety isn't something I can joke about.
Speaking as someone who has been in situations in the past where this capability would have absolutely been used to cause me harm, I find nothing whatsoever about this to be even slightly funny.
Fi, infosec-aspected 🏳️⚧️
in reply to Asta [AMP] • • •@aud
I expect that will be -very literal- as this rolls out.
Mark T. Tomczak
in reply to Fi, infosec-aspected 🏳️⚧️ • • •Oh shit, did Microsoft launch this new thing without a "private mode?"
That was very stupid of them.
Fi, infosec-aspected 🏳️⚧️
in reply to Mark T. Tomczak • • •@mark
It's ever so much worse than that.
ioc.exchange/@jgreig/112480136…
Jon Greig
2024-05-21 16:57:59
Paul_IPv6
in reply to Fi, infosec-aspected 🏳️⚧️ • • •yup.
domestic abuse. law enforcement abuse. government overreach abuse. greedy ad bastard abuse. account security disclosures. privacy leaks. the things wrong go on and on. workplace micromanagement.
everyone this is good for is not the end user's friend.
JackPearse
in reply to Fi, infosec-aspected 🏳️⚧️ • • •This is the formal end of privacy. If Hackers get the Language Model (and I suppose they also do Action models of the users). If the AI model of the user is captured by a Hacker. Then the Hacker owns Everything. Favours, the behaviour, probably bank accounts and he knows the friends and secret habits.
Microsoft is also the biggest stakeholder at GPT and the yellow press like Axel Springer provides data. Microsoft now is the biggest threat to privacy and democracy.
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@alastair
Sonata Arctica did it in 1999 with "Blank File"
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@alastair
Oh aye, mostly noting that the tropes in question are well-trod in the realm of cyberpunk fiction.
Fi, infosec-aspected 🏳️⚧️
in reply to Nova🐧✨ • • •@technobaboo
Unfortunately, this kind of situation has a severe bootstrapping problem - when the surveillance is structural like this, how do you -get- to the point where it's possible to configure it to your benefit?
No amount of mitigative measures makes up for this; it has to be addressed structurally.
Fi, infosec-aspected 🏳️⚧️
in reply to Nova🐧✨ • • •@technobaboo
By proving that it will have deleterious business effects and thus impact their profitability as an organization.
Describing how it violates compliance standards that their customer base -must- follow in order to stay in business - and thus, remain as customers, and thus continue to pay MS - is an effective way of addressing MS's incentive as an organization.
Fi, infosec-aspected 🏳️⚧️
in reply to alastair87 • • •@alastair
Yeah believe it or not that's an artifact of how openai llms work - given that they're trained on the social corpori, they select strategies according to what got praised in the original context; thus, giving them praise is the incantation to get them to use the 'good' stuff.
Yes. If you tell it that it's good at something, it will give results better than a neutral or critical affect.
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@alastair
It's not appropriate to build into the OS.
If you want that capability - and, yes, I'm also someone who has frequent memory issues and who needs to keep exocortical state regarding things - then have it as a third-party add-on, that needs -specific consent- from the user to invoke.
Fi, infosec-aspected 🏳️⚧️
in reply to alastair87 • • •@alastair
how many years ago did they buy skype again
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@alastair
It Depends.
Like, I have genuinely seen some people's workflows that, when tuned to their specific uses, enable them to create what they're looking for quickly and efficiently - someone I know has a very well-tuned Rust-centric environment for which copilot provides the requisite boilerplate when they're writing that kind of thing about...I think they cited 80%ish of the time?
So in specific, restricted use-cases, where it's specifically being used to augment an expert's expertise and where the output is being scrutinized to ensure it's appropriate, yes, it's useful.
Which has led to a number of thoughts on my part that maybe the gpt-style "general purpose assistant" modes are an evolutionary mistake, and that a more effective model would be -worse- LLMs that are single-focused for specific workflows and tasks.
Fi, infosec-aspected 🏳️⚧️
in reply to alastair87 • • •@alastair
Then as a customer, I want to know why they are creating a situation where it is impossible to maintain compliance with my customers.
alastair87
in reply to Fi, infosec-aspected 🏳️⚧️ • • •I'm not entirely sure I understand. Do you mean in terms of data protection (e.g. GDPR) or other regulation?
Even though OneDrive is nominally GDPR compliant (which seems like it should be a contradiction given Microsoft can read it) I put sensitive data in my own ownCloud which is E2EE.
Fi, infosec-aspected 🏳️⚧️
in reply to alastair87 • • •@alastair
Here's a walkthrough infosec.exchange/@munin/112481…
Fi, infosec-aspected 🏳️⚧️
2024-05-21 21:31:34
Fi, infosec-aspected 🏳️⚧️
in reply to alastair87 • • •@alastair
Speaking as a person who is de-facto criminalized in multiple states, yes, that is a clear and present danger for me.
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@alastair
Palantir advertises its partnership with microsoft on their website.
None of this is hypothetical.
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@alastair
Oh, their motivations for collection? yeah, that, and the whole delusion as regards "data is a valuable resource to be collected" contra "data is radioactive waste to be minimized".
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@alastair
at this point I have no data, and thus I'm not inclined to speculate further on the motivations absent specific discussion with people involved with this pile of horseshit.
Preferably the kind of discussion where I'm given the latitude to make my disquiet known palpably.
Fi, infosec-aspected 🏳️⚧️
in reply to Juliet Merida, Dum Tran Elf 🏳️⚧️ • • •@julie Yes, I do, and that's why I wrote the followup here infosec.exchange/@munin/112480…
as well as taking the position that this is a violation of GDPR infosec.exchange/@munin/112481… amongst other compliance regimes.
Fi, infosec-aspected 🏳️⚧️
in reply to Fi, infosec-aspected 🏳️⚧️ • • •@julie There's two primary audiences to address for this: corp users and home users, each of whom has different incentives and concerns.
For corp users, making the case that this product will harm profitability by making compliance certifications that are necessary to do business at all impossible is the effective argument; it speaks to business incentives.
For home users, making the case that MS is implementing something that will cause direct harm to them is the more useful stance.
D. B. Stuck
in reply to Fi, infosec-aspected 🏳️⚧️ • • •@julie
I've been following this news throughout the day. Yes, M$ looking to implement this is going to be a disaster for all.
As to the home environment, I hope that no one who is at risk of abuse ever trusts their PC. Ever. Controlling parents or spouses will always figure a way to spy. If your device is not 100% under your control it should be considered suspect. This includes phones.
As to everyone else, your only right is to vote w/ your $$. And that's not easy.
Fi, infosec-aspected 🏳️⚧️
Unknown parent • • •@qqmrichter
my idiolect version tends to stick in people's head via the unexpected concept of a "security item" being contrasted with the 'system' as well as having the -em rhyme and similar stress cadence, as well as allowing me an opening to discuss systemic vs. iterative thinking patterns in evaluating security. It's been fun developing an aphorism that has those affordances.
Fi, infosec-aspected 🏳️⚧️
in reply to Ryan Castellucci • • •Retrace your steps with Recall - Microsoft Support
support.microsoft.com
Ysegrim
in reply to Fi, infosec-aspected 🏳️⚧️ • • •@crankylinuxuser This is the same BS argument by everyone else supporting asocial maniacs in exchange for convenience - against non-megacorp social media ("but I'd lose followers temporarily"), public transport ("but with the current time tables, it would take 10 mins longer"), EVs, heat pumps, renewables, etcpp.
People are not willing to take even minor inconveniences to make the world a better place, then cry when indeed the Leopard Company ate their face as predicted, and then demand that those of us who predicted this and invested some time and money and inconveniences to protect themself from that and got ridiculed for that to save them.
Helge Wurst
in reply to Fi, infosec-aspected 🏳️⚧️ • • •One dimension of the always-on "Recall" scraping feature makes me very certain it will
a) happen
b) be default and
c) probably will become impossible to turn off (i.e. just work in the background)
And it's because of the advertising industry. With it, you can sell attention metrics and guarantee that the target has been subjected to an ad.
Many arrows point that way.
hackaday.com/2024/02/27/big-ca…
Big Candy Is Watching You: Facial Recognition In Vending Machines Upsets University
Hackaday