by mikehearn 754 days ago
I'm trying to square the claims in this article with what Microsoft says.

Article: "This database file has a record of everything you’ve ever viewed on your PC in plain text"

Microsoft: "Snapshots are encrypted by Device Encryption or BitLocker, which are enabled by default on Windows 11."

https://support.microsoft.com/en-us/windows/privacy-and-cont...

The article is a little bit hand-wavy about how exactly the database comes to be decrypted and remotely exfiltrated. The headline says it takes "two lines of code" but unless I'm missing it, I don't see those lines discussed in the article.

5 comments

The database is not encrypted while the system is running. Microsoft's claim that it's encrypted is due to the machine being encrypted at rest with BitLocker.

The databases are plain-text sqlite files within the current user's %appdata% folder.

So, literally anything that can grab those files and put them somewhere else can qualify as exfiltration. Any backup product worth its salt would be covering these databases.

BitLocker encrypts the hard drive contents at rest, but while the system is booted, the drive is transparently decrypted. So what Microsoft says is technically true, but doesn't necessarily present any kind of barrier to the database being exfiltrated by malware. It only protects against somebody stealing your hard drive.

Well, BitLocker (i.e. device encryption) is only protecting you from offline attacks, i.e. when someone pulls your hard drive to examine it. Code running on the machine itself wouldn't be affected by it.

From the article:

  Q. Have you exfiltrated your own Recall database?
  A. Yes. I have automated exfiltration, and made a website where you can upload a database and instantly search it.

  I am deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something. I actually have a whole bunch of things to show and think the wider cyber community will have so much fun with this when generally available.. but I also think that’s really sad, as real world harm will ensue.

1. It is encrypted at rest; once you log in, it's decrypted with the rest of the stuff running on your drive. All this stops is someone with physical access and that's it.

2. The article says that they are not releasing PoC (my words not theirs) because this feature isn't out, and they want to give M$ a chance to fix it:

> I am deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something.