Hacker News new | ask | show | jobs
by tssva 740 days ago
"Beaumont says admin access to the system isn’t required to read another user’s Recall database. Another user with an admin account can easily grab any other user’s Recall database and all the Recall screenshots by clicking through a simple UAC prompt."

The person quoted in the article says admin access isn't required and to bolster this gives an example of someone with admin access being able to access the recall database. I'm confused.
1 comments
sunaookami 740 days ago
The research is... kinda bad. Beaumont critzies that Microsoft stores the data... locally in an SQLite database? Because it's "easy to steal with malware" (just like your browser history, etc). Blew up in the media though...
link
firebaze 740 days ago
What's the difference between stealing some random sqlite database and the history of OCRs of screenshots of anything ypu did on that PC?
link
tssva 740 days ago
What's the difference between stealing the history of OCRs of screenshots on anything you did versus the ability to steal my tax/financial documents, business trade secrets, private letters, photos and other information commonly stored on a computer which can be taken in the same manner whether it is on Windows, Linux or macOS?
link
lolc 740 days ago
This Recall feature keeps text of emails typed and never sent, of documents viewed and deleted.
link
tssva 740 days ago
And that makes the security associated with it any more important than my kept documents how?
link
wkat4242 739 days ago
It's the more exposed thought process that shines a strong light into your mind. It's not just what you do but the why.

It's no wonder collecting this info is a priority. It will be a goldmine for dataminers with the right correlation. Sure right now it's not collected centrally but I'm sure sooner or later there'll be a quick "just click off this tiny T&C update before you continue" crossing our paths.

Also, it means that this confidential info is now in more places than one. It's no longer sufficient to encrypt a file and lay it on a usb stick in the safe.

And it's also there in centralised place ripe for the taking. Not even any need to scan the system to find valuable information.

link
lolc 739 days ago
Text on screen can be more confidential than text on disk.
link
sunaookami 739 days ago
If someone has admin access to your PC (which they need to access the SQLite file) they could also just install malware that sends everything you do and type over the network.
link
pohuing 739 days ago
One difference is the speed apparently. You'd need the malware to be installed for a while. With recall you need to exfiltrate a couple kb of data that's already there on disk.

That said, yeah, if the user interacts dumping saved passwords is trivial as well.

link
hulitu 739 days ago
Someone like Microsoft ? /s
link