this rootless Python script rips Windows Recall’s screenshots and SQLite database of OCRed text and allows you to search them.

  • a1studmuffin
    link
    fedilink
    English
    1105 months ago

    Wow, it’s pretty wild they didn’t even attempt to encrypt or protect this data, even if it is local to your machine. What a treasure trove for malware to sift through.

    • @BradleyUffner
      link
      English
      215 months ago

      It IS encrypted. Not well, but it’s encrypted.

      • @[email protected]
        link
        fedilink
        English
        125 months ago

        I thought that it was encrypted if your home directory was encrypted? The impression that I got was that it was just a SQLite database stored in the clear. The user must certainly be able to make queries of that database in order for it to work, so even if it’s hosted by a non-user service, malware running locally will still be able to exfiltrate the data.

        • @BradleyUffner
          link
          English
          65 months ago

          All true, which is what I meant by “not well” encrypted. It’s technically encrypted, but for all practical purposes it might as well not be.

      • a1studmuffin
        link
        fedilink
        English
        15 months ago

        Is it? I skimmed the GitHub source code and couldn’t see anything involving encryption, but it’s totally possible I missed something. Perhaps just accessing the database from python is enough to decrypt it.

    • @jaybone
      link
      English
      65 months ago

      Now ransomware hackers can sell all your shit to someone else if you refuse to pay.

  • @[email protected]
    link
    fedilink
    English
    945 months ago

    Please go through the FAQ section of the git project. It’s an eye-opener.

    Q. Does this enable mass data breaches of website?

    A. Yes. The next time you see a major data breach where customer data is clearly visible in the breach, you’re going to presume company who processes the data are at fault, right? But if people have used a Windows device with Recall to access the service/app/whatever, hackers can see everything and assemble data dumps without the company who runs the service even being aware. The data is already consistently structured in the Recall database for attackers. So prepare for AI powered super breaches. Currently credential marketplaces exist where you can buy stolen passwords — soon, you will be able to buy stolen customer data from insurance companies etc as the entire code to do this has been preinstalled and enabled on Windows by Microsoft.

    • @[email protected]
      link
      fedilink
      English
      135 months ago

      It’s worst than that (as bad as this is)…

      Today getting some data on a user is bad as smart hackers can put together the context … However any guessing the hacker has to do may alert the user before the hacked data can successfully be exploited

      Now, a hacker would know exactly where each password goes and worse, they’d could learn the entire workflow of internal systems to successfully imitate a trained user…

      This means the hacker could use the stolen bank data and legitimately issue credit cards to anyone they want (for example)

      It’s no longer “we’ll expose some data”, now it’s “we can use this data to infiltrate your systems and wreak havoc in whatever way we want”

    • @Pieisawesome
      link
      English
      45 months ago

      I doubt that. It’s preinstalled and enabled for personal users.

      Even if it is enabled by default on pro/enterprise, there will probably be a group policy to disable it.

      • @[email protected]
        link
        fedilink
        English
        7
        edit-2
        5 months ago

        It feels like this was intended for buisnesses to monitor for phrases on your screen like “coolmath games unblocked free”

        or to extract and upload a summary of what happened every second of every day to the server defined in the group policy.

        • @[email protected]
          link
          fedilink
          English
          25 months ago

          I doubt it. There are plenty of tools that already do this if that was what they wanted, they’d just model it after those. Storing it locally isn’t how such tools usually work, they get shipped off to a remote server for ingestion.

    • @[email protected]
      link
      fedilink
      English
      85
      edit-2
      5 months ago

      For the kids

      Sony BMG copy protection rootkit scandal

      Morons:

      Sony BMG initially denied that the rootkits were harmful. It then released an uninstaller for one of the programs that merely made the program’s files invisible while also installing additional software that could not be easily removed, collected an email address from the user and introduced further security vulnerabilities.

      • @barsquid
        link
        English
        165 months ago

        In a just society the Sony execs would have been jailed for CFAA violations.

    • Obinice
      link
      English
      05 months ago

      OBJ to you too, friend 🙇‍♀️

  • @[email protected]
    link
    fedilink
    English
    705 months ago

    Hilarious to me that it OCRs the text. The text is generated by the computer. It’s almost like when Lt. Cmdr. Data wants to get information from the computer database, so he tells the computer to display it and just keeps increasing the speed — there are way more efficient means of getting information from A to B than displaying it, imaging it, and running it though image processing!

    I totally get that this is what makes sense, and it’s independent of the method/library used for generating text, but still…the computer “knows” what it’s displaying (except for images of text), and yet it has to screenshot and read it back.

    • @Wispy2891
      link
      English
      285 months ago

      It happens the same on android for some reason

      Like 5-8 years ago the google assistant app was able to select and copy text from any app when invoked, I think it was called “now on tap”. Then because they’re google and they’re contractually obligated to remove features after some time, they removed this from the google app and integrated it in the pixel app switcher (and who cares if 99% of android users aren’t using a pixel, they say). The new implementation sucks, as it does ocr instead of just accessing the raw text…

      It only works fine with us English and not with other languages. But maybe it’s ok as it seems that google’s development style is us-centric

      • @nawa
        link
        English
        135 months ago

        Now on Tap also used OCR. Both Google Lens and Now on Tap get the same bullshit results on any languages that are not Latin. Literally, Ж gets read as >|< by both exactly the same.

        • @Wispy2891
          link
          English
          95 months ago

          They changed it, in the beginning it was using the text and not ocr

          For example this app could be set as assistant and get the raw text https://play.google.com/store/apps/details?id=com.weberdo.apps.copy

          But only the app set on system as assistant can do it

          I was very disappointed when they changed it around 2018 as it produced garbage in my language when it was working so good…

    • @[email protected]
      link
      fedilink
      English
      25
      edit-2
      5 months ago

      Hey, yeah… why aren’t they just tapping the font rendering DLL?

      are they tapping the front rendering dll??

      • @[email protected]
        link
        fedilink
        English
        25 months ago

        My guess is that they looked at their screen reader API, saw that it wasnt 100% of the text on screen and said fuck it! Were using OCR!

    • @[email protected]
      link
      fedilink
      English
      245 months ago

      Having worked on a product that actually did this, it’s not as easy as it seems. There are many ways of drawing text on the screen.

      GDI is the most common, which is part of the windows API. But some applications do their own rendering (including browsers).

      Another difficulty, even if you could tap into every draw call, you would also need a way to determine what is visible on the screen and what is covered by something else.

    • @[email protected]
      link
      fedilink
      English
      205 months ago

      That’s the thing, it doesn’t really know what it’s displaying. I can send a bunch of textboxes, but if they’re hidden, or drawn off-screen, or underneath another element, then they’re not actually displayed.

    • Eager Eagle
      link
      English
      95 months ago

      Text from OCR is one kind of match. Recall also runs visual comparisons with the image tokens stored.

    • @TheGrandNagus
      link
      English
      35 months ago

      To be fair, Data was designed to be like a human, and was made in the image of his creator. He has a number of design decisions that are essentially down to his creator wanting to create something like a human. Including that which you describe.

      Data was never intended to work like a PC, it’s very normal that he can’t just wirelessly interface with stuff.

  • Neshura
    link
    fedilink
    English
    665 months ago

    Wait so the malware won’t even need a rootkit first? Damn this is worse than I thought…

    • @[email protected]OP
      link
      fedilink
      English
      265 months ago

      the screenshots and text are just sitting in the appdata folder, which requires no special permission to access

      • @[email protected]
        link
        fedilink
        English
        115 months ago

        Nice 😂 having extra pw manager n stuff in secret encrypted file only temporary handle decrypted PWs in RAM etc. But then, if you accidentally click on the eye, boom screenShot PW saved as pic of clear Text, nice. Also all personal eBanking stuff etc. And of Course, if you stream Netflix, tons of copyright protected material, lol.

        • @Spotlight7573
          link
          English
          125 months ago

          And of Course, if you stream Netflix, tons of copyright protected material, lol.

          Nope, DRM protected content like Netflix is one of the few things it doesn’t capture, it’s even mentioned in Recall’s privacy section. I’ll admit that that’s likely due to technical reasons with how the video stream is decrypted and decoded on the GPU and is never actually accessible to the user, not necessarily because they wouldn’t want to save that as well.

    • @Spotlight7573
      link
      English
      125 months ago

      Malware won’t even need to wait for the user to access something sensitive, they can just go back through the user’s Recall history and get the data for immediate exfiltration. No chance for anti-malware software to update and catch it before it does anything truly bad, it will just always be too late if given even a minute.

  • @Wispy2891
    link
    English
    645 months ago

    Imagine how easy is the life of law enforcement now.

    Before if they seized a laptop encrypted with bit locker they could not do anything.

    Now they just need to ask Microsoft the encryption password, which is automatically and silently saved in the Microsoft account (now mandatory) and they can have all the history of what the subject of the investigation did in the past years

    • umami_wasabi
      link
      fedilink
      English
      345 months ago

      What? Bitlocker key tied to MS account and mandatory? What’s the point of encryption if the key isn’t secret any more?

      • @Spotlight7573
        link
        English
        30
        edit-2
        5 months ago

        To protect against casual theft of a device causing the data to be in the thief’s hands in addition to the actual device.

        The average person unfortunately is not likely to properly backup their encryption keys so if they forget their password (or don’t use one and rely on the default of just TPM), they’ll complain about losing their data. Having the key backed up gives them a way to get their data back in non-theft situations.

        • @[email protected]
          link
          fedilink
          English
          145 months ago

          I like how people on lemmy seem to only think of the high stakes state sponsored theft. And not the theft that’s thousands of times more common.

        • umami_wasabi
          link
          fedilink
          English
          25 months ago

          Ok, I can saw value in that but why mandatory? While most doesn’t backup their keys, I do and I don’t need MS help.

          • @FierySpectre
            link
            English
            55 months ago

            On top of the reason the top level comment gave (easy for law enforcement) it also allows for better data collection (linking your activity to your account, no matter where, how or when it is recorded)

      • @Brkdncr
        link
        English
        75 months ago

        It’s secret to most, not all.

  • @[email protected]
    link
    fedilink
    English
    51
    edit-2
    5 months ago

    In a hilarious and infuriating side note, MS is obviously doing their absolute best to blame-shift here.

    It’s code. It’s a project someone made to graphically illustrate and demonstrate, in the wild, why the entire concept of MS Recall is an absolutely awful, foundationally-flawed idea. It is not a “hacker tool”. The MS c-suite and board members are just pissed that stock go down as a result of their stupidity, and they’re looking for people to blame who aren’t themselves.

    • @CrayonRosary
      link
      English
      6
      edit-2
      5 months ago

      MS is obviously doing their absolute best to blame-shift here

      There is not a single word in that article that says anything about blame shifting. That title was written by wired.com

    • @misterkiem
      link
      English
      25 months ago

      Where is the blame shifting? The article says they made no comment and the only MS quotes are just random pr feature blurbs

      • @[email protected]
        link
        fedilink
        English
        15 months ago

        Dude the headline:

        this hacker tool

        It’s absolutely not a “hacker tool”. It’s a proof of concept. It’s just code. The author and/or editor is leaning on ingrained negative kneejerk reactions from less knowledgeable members of the general public towards the term “hacker”.

        • @misterkiem
          link
          English
          25 months ago

          So that’s not Microsoft, that’s Wired doing that. Also it IS a hacker tool. It’s a tool to automate the scraping of data and sending it somewhere.

          He’s a white hat hacker, releasing the tool to raise awareness. If he was a black hat hacker he’d be holding onto it and praying Microsoft goes through with release so he could use it to compromise systems.

          I don’t see any blame shifting at all

  • @[email protected]
    link
    fedilink
    English
    465 months ago

    How could the db be all plaintext unencrypted?!? I mean this is amateur hour at display here

      • @[email protected]
        link
        fedilink
        English
        16
        edit-2
        5 months ago

        Decrypt it server side like all other encrypted data

        If we believe it doesn’t leave the machine then the ai can have a decryption layer

          • @[email protected]
            link
            fedilink
            English
            75 months ago

            If only Microsoft required a second prossesor like some sort of module just for encrypting and decrypting things without using additional CPU cycles… What if we also stored the encryption keys on that module so we could trust that platform

            • @CheeseNoodle
              link
              English
              2
              edit-2
              5 months ago

              Honestly I’m pissed that even if I switch OS I’m probably going to be paying more for CPUs from now on to account for microsofts blatant abuse of a monopoly.

              • @[email protected]
                link
                fedilink
                English
                1
                edit-2
                5 months ago

                How old of a system are you running because TPM have been included on CPUs since at least 2009. Microsoft requiring something already built into modern CPU isn’t the reason why CPUs cost more now.

  • NutWrench
    link
    English
    335 months ago

    So . . . MS wants to force Recall on us… Assures us that it’s “secure.” And it can’t be bothered to even lightly encrypt the data? This is just plain incompetent.

    Also, MS want to bundle CoPilot with Office 365, a subscription service. You will be paying for the privilege of spying on yourself.

  • @kayos
    link
    English
    265 months ago

    Imagine if they zero day this.

    • NιƙƙιDιɱҽʂ
      link
      English
      24
      edit-2
      5 months ago

      Lol “if”. This thing is going to be a massive target.

    • @Spotlight7573
      link
      English
      145 months ago

      Someone has already demonstrated using an off-the-shelf infostealer to steal the Recall database from a test computer. It won’t take any special skills or technology for this to be a problem.

  • @cm0002
    link
    English
    165 months ago

    I was gonna make a joke on how there’s no root on windows, but then I remembered sudo for windows is now a thing so…

  • bruhduh
    link
    English
    155 months ago

    Windows be like

  • @iAvicenna
    link
    English
    95 months ago

    good luck to people typing their passwords in visible mode

    • @[email protected]
      link
      fedilink
      English
      45 months ago

      Windows, pretending it can’t read what you’re typing in because you didn’t click “show password”: