[LookAtThatBacon]

This stood out to me:

"Dubbed TotalRecall—yes, after the 1990 sci-fi film—the tool can pull all the information that Recall saves into its main database on a Windows laptop. “The database is unencrypted. It’s all plain text,” Hagenah says."

[donkulous]

Is Microsoft intentionally making this exploitable? I knew it was only a matter of time before Recall would be compromised, but this shows they aren't even trying to secure it.

[Terr_]

The opposite extreme is also worrisome: Imagine if they tried to make it totally opaque and impossible to read even by the user generating the data--that'd be a different kind of Messed Up.

P.S.: I'm sympathetic to the concept that "whole-disk encryption will protect this from most thieves", but I hope there's at least a little more defense-in-depth against other programs running as the user, snooping on that data without user-permission.

I mean, a malicious third-party screen-capture/keylogger program might be detectable by heuristics, but not-so-much if it can just indirectly draw from the stream of data being generated by pre-approved default program from the OS manufacturer...

[rtev]

It’s supposedly only accessible to LocalSystem. If they were to encrypt it, it could just be decrypted anyway. Still, it’s a huge liability and a major blunder by Microsoft.

[tsujamin]

Wonder if they could enclave it similar to Cred Guard

[ziml77]

They recently added encryption separate from Bitlocker that applies per-user and only unlocks when you log in. It's possible they're using that.

[486sx33]

Seems like BitLocker is highly compromised… too bad it was a good concept

[conradev]

At least Rewind encrypts their database