by planb 743 days ago
I understand that this feature is highly controversial and I myself have mixed feelings about it. But I don’t understand what is being “pwned” here: isn’t providing a photographic memory of everything you do on your PC exactly what this is supposed to do? Yes, you can access the data through other means than the official UI - this is the case for every software that runs on my PC.

> isn’t providing a photographic memory of everything you do on your PC exactly what this is supposed to do?

Yes, but look at the Q&A at the bottom: apparently Microsoft told the BBC that hackers would have to have physical access to the device in order to access the data. This repo proves that's nonsense because all an attacker would have to do is install this code on your computer, which is something we already know they could do.

> Yes, you can access the data through other means than the official UI - this is the case for every software that runs on my PC.

I don't have software on my PC that indiscriminately takes screenshots of what I'm working on every few seconds, OCRs it, and indexes it in a convenient searchable database. A hacker can get a ton of information off my computer as it is, but a lot of what Recall will be saving has been hitherto ephemeral.

So MS lied in an interview. Or the press person was not very knowledgeable. But how would that even work, that data can only be accessed locally? How does a computer decide if the intent to access a file is coming from the user in front of the PC or from someone who installed malware that sends keystrokes or mouse clicks on behalf of the user?
https://doublepulsar.com/recall-stealing-everything-youve-ev...

Apple maintains some databases on macOS that are not sudo-accessible.

Yes, this is what Raymond Chen calls being on the other side of the airtight hatchway. Once you're admin, you can do anything. You can install keyloggers, install remote access tools, etc.

The only thing that Recall enables is that it creates this data. And since the data exists, it can be stolen. Data that doesn't exist cannot be stolen.

Previously, malware/stalkerware can monitor anything after they’re installed. They don’t get much if they’re purged quickly.

Now, immediate treasure trove upon installation. No matter how quickly you catch it.

There’s a fairly substantial difference here.

As you point out though, the data does exist. It just tends to be more ephemeral. There's some question as to whether the ephemeral aspect of it is more feature or bug.
See the README under "Q: But the BBC said data cannot be accessed remotely by hackers."
I am not sure if that justifies this.

If hackers pwn your desktop computer and you do not notice it, they get all the data you have access to yourself. Nothing new here.

If MS claims the data is not accessible [by malware] remotely and can only be accessed if the attacker has physical access, a POC that just fopens the file and prints it is a fair exploit POC. No matter how trivial that looks to you.
Where's the disproof of that? Am I missing something?

"this is wrong" is not a sufficient counterargument.

The repo is along the lines of "2+2=4". GP said there is nothing interesting in that, to which I pointed to the QnA entry which shows that MS did tell a journalist that "2+2=22", so to speak. What else is there to disprove?

The significance of the repo is not to show 2+2=4 but that 2+2 != 22

The BBC quote says "a would-be hacker". I interpreted that as a general claim about Windows security, not saying that this particular feature is invisible to malware. They have to break the security of your particular device, the data is nowhere else.

> I interpreted that as a general claim about Windows security

Sure, because you understand that the other interpretation is nonsensical. All the publications that are popping up showing that the Recall DB is locally accessible are aimed at all the other Windows users.

Now, I would fully agree if you question what's the benefit of posting this on GH and not on FB, for example, and what's in there to surprise the HN crowd.

> Now, I would fully agree if you question what's the benefit of posting this on GH and not on FB, for example, and what's in there to surprise the HN crowd.

The author posted Wired's article about the tool on LinkedIn. Does Facebook host code and render Markdown? Does the author have a Facebook account? Would you bet your Facebook account they wouldn't consider it distributing a hacking tool and lock the account?

Must it be surprising? Some in the HN crowd would want to explore their own databases I think. Some will have family and friends ask them about Recall security.

> All the publications that are popping up showing that the Recall DB is locally accessible are aimed at all the other Windows users.

See, that's the thing. Proving it's locally accessible...

Microsoft never even implied it wasn't locally accessible.

You interpreted a statement about saved screenshots in an article about Recall as a general claim about Windows security even the general public would know was false?
I guess I worded that badly. Let me try again:

I interpreted that line as analogous to normal Windows security.

As a general rule, a would-be hacker can't get to any of your on-device data, Recall included, without a local user giving them access.

So the intent of the statement is to say it's immune to anything else being hacked, like servers. Not to say they finally invented a completely hack-proof system... and only used it for this single program.

Nothing in this FAQ is in any way surprising. If someone (“hackers”) gains remote access to your PC, they can also install a key logger and take screenshots. They just don’t have access to the historic data.
"this is wrong. Data can be accessed remotely" is not a super illuminating FAQ item. How can it be accessed remotely?
With any available information stealing malware: https://doublepulsar.com/recall-stealing-everything-youve-ev...
Okay, so the only "pwning" of Recall is that if your computer is already hacked, the hackers can get the Recall data along with all the other data on your computer...
Yes. With the difference that now they have the DB which they can interrogate with a prompt like "list all credit card numbers entered in the past 3 months". The post touches on your question/remark.
The data is supposed to be stored secure and encrypted.

It's not, so it's a selfpwn by MS