Microsoft Will Switch Off Recall by Default After Security Backlash (www.wired.com)
25 points by georgehill | 2024-06-07 16:47:28 | 561 comments
Then they'll enable it by default once people forget

Doubting they'll even disable it at all.

It’s one thing to be critical of the feature.

But this is a pretty cut and dry announcement. There isn’t any ambiguity they could stand behind if they are lying.

I would fully expect it will be disabled by default (for now)


This is Microsoft we are talking about. "embrace, extend, and exterminate".

Why would anyone trust anything Microsoft says is beyond me.

Their own internal security is like Swiss cheese, hardly reassuring.


They'll just say it is a bug when it is turned on.

People will opt-in to it during setup the same way people opt-in to logging in via a Microsoft account instead of a local account.

Local accounts are almost impossible to set up for the normal user in win11

It is pretty easy now if you use Rufus to create your installation usb.

It will prompt you (and select by default) to disable the need for an online account. I installed the Pro version and then just said I was setting it up for work or school, chose domain and then I set it up just fine as a local account.

I don't know for sure how much of this is Rufus or the Pro version. But I just installed Windows 11 within the last hour.


> normal user

> use Rufus to create your installation usb

Pick one. "Normal" users don't use specialized software to create installation media. They boot the laptop with the OS already installed and go on from there.


I mostly agree, but installing Windows is not as daunting of a task as it used to be.

It is also not uncommon for 'normal' gamers to use a custom built PC which would require installing Windows.

Maybe normal is the wrong word, but it would be a pretty quick and easy to understand guide to do this.


Normal gamers aren’t representative of normal users on a whole. Gamers are just a tiny fraction of the overall user base. Normal users buy cheap-ass laptops with their manufacturers’ opinionated Windows installation, including boatloads of bloatware. And they don’t ever change any of the defaults.

> if you use Rufus to create your installation usb.

You've already scared away all the normal users


Normal user, agreed. You can find tutorials online, though, for those of us who still remember that the PC was something the user used to own.

That's the hidden joke. In early Win10 it used to be a simple dark-pattern screen with a prominent button "use a Microsoft account" and a text link in the corner "use a local account". Then they made it increasingly ridiculous with subsequent updates until the current point where you need a tutorial on how to even make the option visible.

"game pass is only available with Recall enabled!"

"microsoft office features y and j require Recall! please click here to enable it"

etc etc


Will have to wait and see if the extra security measures actually improve anything or not.

However regarding it being opt out… what would prevent a virus from just enabling it on a bunch of machines silently. Sure it would be caught but the damage done and most won’t be bothered to go in and disable it after.

Or Microsoft just decides they need to really market the hell out of AI and it gets turned on by default anyways.


It will be re-enabled accidentally by an update anyways.

Please stop with the unmercenary assumptions.

There's no such thing as accidental enablement of stuff like this, as if it's a switch a single employee at Microsoft can push with their elbow and it ends up in production without anyone else noticing.

Either they decide to intentionally enable it or not.


I'm not sure the use of 'accidentally' was sincere. But I like this choice of words in your post in your first version:

> unmercenary assumptions


Yet despite all that I've witnessed accidents still make it in production...

I think OP forgot the quotes around "accidentally". You're right it won't be a true accident; it will be intentional and just called an "accident".

> Either they decide to intentionally enable it or not. There are no accidents when stuff like this needs to go through a committee of people for approval before it makes it into production.

Absolutely. And all of them decided to screw largely defenseless non-technical consumers to make short-term profits. That's not a fantasy, that's our reality.


Yeah, but like I said, that's by intention, not by accident. How does your comment disprove my point?

Or by intent - it seems I was reading about an early proof of concept attack that turned Recall on and hid a systray indicator that it was on.

"accidentally"

What would prevent a virus from directly stealing the data it wants without going through this feature?

Just like in biology a virus can be simpler if it can co-opt existing machinery.

I agree, the ability to take screenshots is unsafe and should be removed. A virus is just a PRT SCRN away from stealing everything! (/s)

You realize sneaking in code to arbitrarily exfiltrate user data is much simpler if a trusted source (in this case Recall) is doing the collecting

Without Recall, an attacker needs to get a program to stay resident in memory to log keystrokes, screen contents, etc. for an extended period of time without getting detected. With Recall, they can get the same end effect by exfiltrating the Recall database file whenever it's convenient (i.e. an infected version of a text editor could send it while pretending to check for updates). This significantly lowers the barrier to entry for getting a victim's data, while also making it much easier to avoid detection.

> Without Recall, an attacker needs to get a program to stay resident in memory to log keystrokes, screen contents, etc

Or it could just steal your cookies which are out there in the open.


Cookies are of relatively low value compared to a database of everything the user has typed and seen.

What value is that? My auth cookies are far more valuable than anything I typed out in the open today.

Your auth cookie expires.

The username/password you type in next time it expires is far more valuable.

And it might not even be necessary to obtain cookies or credentials if I can just see whatever you could see when you’re logged into various sites.


This is all moot anyway because Microsoft has already said they are now going to encrypt everything behind Windows Hello making it as secure as my password manager.

Microsoft has made misleading statements regarding encryption [0] and it doesn’t help much. Encryption at rest doesn’t much matter if the user being logged in is enough for the data to be decrypted. This is the context malware runs in.

https://doublepulsar.com/recall-stealing-everything-youve-ev...


That's old information. This is how Microsoft is intending to change Recall based on these criticisms:

Microsoft will also require Windows Hello to enable Recall, so you’ll either authenticate with your face, fingerprint, or using a PIN. “In addition, proof of presence is also required to view your timeline and search in Recall,” says Davuluri, so someone won’t be able to start searching through your timeline without authenticating first.

This authentication will also apply to the data protection around the snapshots that Recall creates. “We are adding additional layers of data protection including ‘just in time’ decryption protected by Windows Hello Enhanced Sign-in Security (ESS) so Recall snapshots will only be decrypted and accessible when the user authenticates,” explains Davuluri. “In addition, we encrypted the search index database.”

https://www.theverge.com/2024/6/7/24173499/microsoft-windows...


"Old" is a bit of a stretch here ;)

But I'm glad to hear they've committed to making changes. Given the misrepresentations they made regarding the initial rollout plan (the target of most criticism, mine included), Microsoft has to prove themselves here and I'll wait until qualified security folks get their hands on this before coming to any conclusions.

What we know is that the initial version was a non-starter, and this new info validates the concerns we've all been expressing.

I truly hope Microsoft does an acceptable job of addressing this. It remains baffling and worrisome that it took a public outcry for them to implement what sounds like a baseline level of acceptable protection.


Well it's not "old" since the article is about Microsoft's blog post where they discuss all these changes!

https://blogs.windows.com/windowsexperience/2024/06/07/updat...

> It remains baffling and worrisome that it took a public outcry for them to implement what sounds like a baseline level of acceptable protection.

It's possible this was the intention all along but as an early-beta feature this was just the MVP. The reason it was rolled out to early testers at all was to get feedback.


> It's possible this was the intention all along ... to get feedback

If they're relying on public feedback to realize how completely unacceptable the initial rollout was, that again points to deep problems at Microsoft and is why I'm saying this is baffling.


Microsoft is a big organization with different teams. It wouldn't surprise me if this front-end AI team didn't consider the larger security implications -- having it stored in your profile probably seemed sufficient. It's the same security all your documents have, your browser cache, etc.

They clearly did not consider the larger security implications. That is both the point and the problem.

This points to structural issues at Microsoft.


Maybe security oversight happens later in the process. No need to bother with that if the feature doesn't even work.

If so, that's a problem. It might explain why this happened, but that doesn't mean it's an acceptable practice, especially after recently claiming that security is a primary focus for all project teams.

Security requirements often completely change the architecture of a product. Things can be built without security that are significantly more challenging to accomplish when strict data security requirements are in place. Architectures that assume no security often completely break down when security is tacked on top.

If this is a matter of a product not yet getting "security added", that again raises major concerns about how Microsoft is building products.


It doesn't sound like they're going to have significant problems adding more security to this product. For as advanced as it sounds, it's not that complicated of a technology. It's just plugging together a bunch of existing technologies. I could probably MVP this app in a week myself given what is available.

I think that exploratory development is, in general, a good thing. Bogging down all development with middle-management procedures might certainly have caught this early. But that doesn't necessarily make that a better way to build products.

The scary thing about Recall isn't actually Recall itself. It's that AI makes this kind of product possible and really easy. I'm sure we're going to see implementations of this idea everywhere and not just on PCs. Imagine AIs watching security cameras.


Why would someone trust microsoft on security?

HN is a weird place. 95% of the world runs on Microsoft technology to some degree. (95% also runs on Linux to some degree as well)

Yeah, and places I work with MS stuff keep getting hacked (big important stuff) and leaking stuff, and places with Linux, or anything else, as far as I can tell, don't. Or at least not in the same number or quantity.

I have never seen a crypto locker ransomware on a server except for Windows servers. I haven't seen another OS with ads. So many terrible things happen only in the Windows/MS ecosystem that it really makes me wonder how it sticks around, but I have ideas about that and they will just make you think I am weird.


What if Microsoft is the party I do not trust?

Virus turns on Recall, user might not notice much. A real Microsoft service is running. It can then just wait and activate later. If the user notices Recall on, they'll just blame Microsoft. You can then just turn it on again. You can already see that many users suspect that it'll go back to being on by default sometime in the future too. It's not uncommon to see system updates change settings.

The virus doing the same things as Recall will be much noisier and much more suspicious. Making it much more likely to be removed.

Not to mention that once recall has been running a virus only needs to extract the data. It records far more than what a password manager does and is far easier to search through. It just makes a very large attack surface.

Basically, why would anyone develop keyloggers anymore? Microsoft did it for you. And it'll never be tripped by antivirus software because it's an official and legitimately signed program. You don't see a problem with this?


> what would prevent a virus from just enabling it

If that occurs, the malware won't have access to months or years of data to sift through.


Yet.

Malware that scrapes it and malware that turns it on don't need to be the same.


> Or Microsoft just decides they need to really market the hell out of AI and it gets turned on by default anyways.

This is what will happen. And when you turn it off again, it'll be turned back on by the next update. Enjoy.


They can't even do their own infra securely, or did you forget an advanced persistent threat entity was in their system and minting certs to access all of Azure recently?

On LinkedIn someone in my network pointed out that, apart from the security and privacy disaster, the name Recall was a bad choice because of negative events like product recall.

They should take note and recall Recall.

this is one of the first things mentioned in the article

"Total Recall", aka "We Can Remember It For You Wholesale"

"Total Recall" in quotes makes me think you're trying to get your ass back to Mars and that you're trying to remember something because you had your memories wiped. It makes me think of nothing about a friendly service being offered forcefully upon you from your friendly and malevolent OS provider.

It's a story about false memories, and how that can change your identity.

The Philip K. Dick short story was a direct inspiration for the Paul Verhoeven movie starring Arnold Schwarzenegger, as it happens.

Get your ass back to libre software!

We Can Remember It For You Enterprise Edition

It would actually be a fantastic name if this were a real concern. Imagine, a well-known feature to mask any searches of a product recall. The only problem with this theory is that computer QA is so incredibly shit that the concept of a recall more or less doesn’t exist in the first place.

They should have named it “I Know What You Did Last Summer”. ;)

Hopefully any debloat tools will remove it quickly. Can't wait until Microsoft force pushes this spyware to the masses.

Looking forward to the update that accidentally re-enables it.

This. I won't be surprised at all if it's silently enabled in a future update that has nothing to do with it.

I still don't understand how this got this far. Enabling this in any corporate setting would be a compliance nightmare.

Corporate is never on the bleeding edge of Windows feature updates. They bring security updates first, but feature updates are at least one generation behind, maybe more, waiting for Microsoft to fix bugs and doing their own regression testing, plus they get to choose which features employees receive or are enabled by default via group policy. In other words, Recall was never making it into any corporation anyway.

maybe 50% of US business users have an admin of any kind who oversees their IT ops

everyone else just gets a laptop, unboxes it, turns it on, uses it, does whatever they want to it

see: any retail location in a strip mall, any mom/pop business, etc etc


This is generally true, but Windows is the standard for far more SMBs than larger enterprise customers, and in that context it’s not nearly so straightforward. I have a client, a health insurance benefits broker for other local businesses. They do very well for themselves, but it’s just 2-3 full-time people, so there’s never been much cause for a full-on domain with GPO policies to maintain a strict, stable state across their equipment. Traditionally, off-the-shelf systems with SMB-targeted software had been more than sufficient.

When Microsoft decided to push a feature upgrade last year that automatically enabled OneDrive backups for their home directories, it technically violated HIPAA by moving electronic patient health information contained within their scanned files folder onto OneDrive servers without any prior consent or authorization. They literally called me when they were unable to find their files, Microsoft had (laughably, if it weren’t so serious) placed a text file on the desktop titled “Where Did My Files Go.txt”, and then directed them to the OneDrive folders where it had moved their desktops, documents, and pictures without their knowledge or approval.

I have since moved them to Microsoft 365 accounts where I can apply GPO, but my clients were understandably unhappy about having a new annual subscription that didn’t add any tangible benefit, rather they’re now on the hook for a couple hundred bucks a year for what’s essentially a shake down. Pay for the new service that adds nothing meaningful to their experience, or else face the consequences of Microsoft ruining your business on a whim.


Yeah, MS will continue to do these kinds of abuse; it's in their DNA by now

I would have agreed with you until recently. And now, everyone is throwing email, chat, code, everything into cloud based AI tools at a highly regulated company. This happened 6 months after they just locked everything down for actual employees because of an IP leak. Very strange times…

With Chat Control[1] coming up in EU, it would be awfully convenient to have the technological capability readily available to deliver a solution.

Once you have the Recall capabilities, it doesn't take much to start collecting and searching the data.

[1]: https://www.patrick-breyer.de/en/posts/chat-control/


I bet there are a trillion companies and governments who want to know what all of their employees are doing every second of the workday. compliance won't stop them from trying.

Corporate clients get whatever they want. I am certain that their Windows 10 support won't be pulled in Oct 2025 as MS has threatened for everyone else. And when they migrate to Win11, it will almost certainly be a separate OS image free of the garbage bloatware and ads that the consumer devices are plagued with.

Am I just imagining their saying that Windows 10 would be the last Windows? I had thought they would be moving to an Apple-esque model where OS updates would just become iterative and avoid the old EOL/upgrade cycle. It’s how I justified all of their tangential money-grabs on other fronts.

You aren't the only one, from my understanding it was a misspoken thing by one higher up. It spread, so much so people I knew working at Microsoft spouted it as fact.

Not really a problem for enterprises.

For any company that has compliance requirements to keep devices supported with security updates, it's the same as Win 7 to Win 10; you either update everyone to Win 11 or you pay for the security updates for Win 10 (IIRC you have 3 years to update before you can't pay anymore). Many will likely already be on Win 11 as the upgrade path is easier/quicker than Win 7 to 10.

Also they will not have the gunk installed anyway as they will almost certainly have Windows Enterprise which has more policies that can be set, and then they will also be ordering devices from an OEM or distributor that doesn't have the junk included.

Heck, if they aren't doing Autopilot from the OEM or distributor, they will almost certainly be applying their own Windows image.


The corporate settings that care already do this to the employee screens ...

Compliance doesn't say "company can't watch employee" -- in many cases it mandates surveillance.

This just lets the employee leverage that too.


Depends on the compliance. If this monitoring sucks up any personal data there are erasure and data subject access requirements, for instance.

Security compliance generally does not require a third-party company, unaffiliated with the corporation, to be sent a copy of everything shown on a user's screen.

I think on the product side it’s pretty straight forward. They saw RewindAI talking up a bunch of traction and people seemingly interested. Someone assumed customers wanted this because of that data, and it’s a pretty easy thing to build, so they went ahead. I am surprised it got past security reviews but I can understand how it came to be from the product side.

They’ll probably think twice before jumping into the fray again with the Microsoft branded Informant Wire (I mean AI wearable) ;)


I don't understand how Outlook isn't a compliance nightmare. Especially since it's moved to the cloud. The amount of very sensitive data Microsoft must have on just about every single business/industry thanks to outlook and excel is insane.

At one place I worked when the company replaced my old machine with a new windows 10 system it was configured to send every single keystroke back to Microsoft. There was zero concern over privacy or compliance, just an assumption that MS would never abuse that data for any reason. I did not have their faith and disabled that "feature" then changed a massive number of other policies to try and keep as much data out of Microsoft's hands as I could.


What configuration setting does that?


Using Windows OS xp



Doesn't Microsoft have a long history (and present) where they just enable privacy invasive "features" after a windows update even though the user has disabled or removed the "feature"?

Yeah. You tell everyone you learned your lesson and then just go back and do it anyway a year later.

Bethesda are basically trying again to make paid mods stick with their Fallout 4 update.

Softwar never changes.


Twitter used to do this all the time; they'd make the notification email options more granular and opt you in to the three new options that used to make up the one option you already unchecked.

Yes.

Windows is soo low quality. It feels cheap. It feels like you are at a car dealership.

Fedora, feels like you are at some futuristic office that has buttons that do multiple steps. I was literally angry last year that it took me so long to learn about up-to-date linux. Canonical's marketing of debian-family linux gave Desktop Linux a bad name.


Yeah, which is why I'm over on Linux now.

What exactly is a good usecase for Copilot Pro (I'm assuming Recall will be powered by that in some form)? I'm on the free trial and I'm not finding it to be any more useful than the free version, and pretty similar to ChatGPT.

It can't really do anything.

Can someone smarter than I chime in on this?


It'll be the other way around I expect. Recall will provide more context to CoPilot.

It's not really about looking back at your own activity in case you forgot. But the AI will use it to learn about your habits, wants and hates, interests, people you deal with, usual schedule etc.

An assistant is after all much more effective if it knows you through and through. The one problem is: I don't want Microsoft to be that assistant and know all that about me. Even if "it's all local". They still control what gets done with that info and can change it at any time.


Lawyers, law enforcement, and three letter agencies everywhere are going to be extremely disappointed by this development.

and abusive partners/stalkers.


But Satya got the stock price so high!

My 401k is doing great!

The reality is that most people who aren't tech people don't care about the changes Microsoft has done, and shareholders especially don't care. Clearly what Satya is doing is working.



how would the recall data get expanded if it is not plugged in all the time? hopefully you can see while it's not designed that way


I've been a Windows user since 3.1, but this was the straw for me. They have always provided an OS that just worked for my home needs, even with the creeping privacy invasions in the last update.

I've been dual booting for a while and last weekend I went full Linux at home. My day job revolves around being truly good at solving Windows issues, and I will happily continue doing that, but at home I'm still just looking for something that "just works". I hope I'm part of a trend, and that 2024 is the year of the....


Any recs? I've just gotten a Kubuntu image. I am thinking if I dual boot that and SteamOS I should have everything I want covered.

No reason to use SteamOS, it's just immutable Arch with an A/B partition scheme. Modern SteamOS is designed specifically for the Steam Deck and they only ship it as a recovery image for the Deck.

You can install Steam on whatever distribution you want, I use the Flatpak, and just enable Proton in the compatibility settings.


And if someone’s after that console-like functionality, ChimeraOS is the right choice in this area. It behaves like SteamOS, but is more compatible with PC hardware.

Ok awesome suggestions.

I got set on SteamOS as I was contemplating buying an SBC with similar hardware and giving it a custom case.

But this looks better!


I'm pretty excited for the Cosmic DE later this year. Here is a demo given by the CEO and the design lead. The audio isn't the best, but good enough. This is probably the most excited I've been to try out a new operating system since OS X Tiger. It is being developed by the Pop OS team, but they are making it so anyone can use it, Fedora plans on having a spin, I believe it's out there for Arch, and I'm sure others will have it as an option. Though I wouldn't use it as a daily driver until it's actually released.

https://www.youtube.com/watch?v=JHLfsWhDvz0


Yes, it's a really tough thing to manage this whole Recall thing philosophically and it makes me concerned about this OS. Even if MS is backtracking somewhat, they have shown their cards now and how they prioritize positioning themselves as an AI company above even rudimentary privacy. It's hard to just regain trust as if nothing happened.

I'm considering Linux with a Windows VM for Visual Studio. I've had my Linux detours in the past and it honestly works pretty well for me. I personally enjoy Fedora with Gnome which I think strikes a good balance between stability, security, and freshness. But if being stable and worryfree is of top importance (like where you are "unpaid tech support", haha), why not just go Debian. :)


If Linux isn't "just working" for you over time, give macOS a look. My dad was a lifelong Windows user and sung the praises of Microsoft's monopoly over the industry. As much as he was disappointed and upset with Borland Software dying off, he thought the benefit of a single document format everyone used was a huge benefit for the industry early on when Word started to take over, and by extension all of the standardization through a single player rather than through actual standards. He always said it worked great and didn't see why he'd ever want to change, or why anyone would want anything different.

He ended up switching to Apple around 15 years ago after a series of bad experiences. He was very nervous about it, and really hedged his bets early on. It took him some time to get used to how the OS worked, to find new apps to replace some that he had used since the Windows 3.1 days, and sort out his workflows. He eventually gave up his Windows VM when he realized the only thing he ever used it for was to run Windows Update.

I grew up on Windows, with the views from my dad instilled in me. In college I tried Linux and ultimately moved to the Mac about 21 years ago. I still used Linux on and off for the past 22 years (and currently have a music server running it). I do find Linux to still be much more finicky than macOS. No system is perfect, but macOS is more of a "just works" operating system than Linux (imo), likely due to the focus on polishing that last 10% of the user experience, that never seems to get the attention it needs in Linux. While I am excited to see what Cosmic has to offer later this year on Pop OS, I'm always ending up having to deal with some level of nonsense, even my most recent install of Mint just last week had a few annoying things where things didn't work, and they should have worked.


This seems to be a feature that execs wanted, and people find creepy, and no one has the gumption to push back on the exec request.

How can you have the number of employees they do and not have a single non-sycophant employee?

The layer of management reporting to leadership are yes-men.

Company-wide internal push to shoehorn AI into every product and service. All recognition and rewards are given to the sycophants, no matter how ludicrous their proposals. Even Principal and Senior developers are dragged into meetings with senior leadership to provide suggestions on how AI can be used in their microcosm. Whether it should be used is completely out of the question.

It’s a complete circus right now. Plenty of us just ignoring it and opting-out but it might reflect on our bonuses.


Yeah, it is weird.

About a year ago my mom had said "you worked at these powerful international companies, I'd expect you to have confidence in the people working in their ranks to protect the things that you deem valuable", my response was "unfortunately that's exactly the reason why I have no hope that anyone will stand up".


Because you get fired when bringing dissenting opinions

Other than it potentially being abrupt and not on your terms, it's probably for the best

Non-sycophant employees are shut down and ignored once the whole corporate culture has bought in to the hype du jour. If you are the sole dissenter, it can even make you look like a “bad” employee for not recognizing the “opportunity” that the new hyped thing will supposedly bring.

AKA type to leave

In this job market? Employee leverage is at a low ebb right now.

Yeah, cause MS has gotten this way "right now".

Why don't tech unions (if there are any) strike against these types of features, then?

Are you aware of any software developer unions? I’ve never encountered any in my 9 year career so far

As someone who has tried to push back against what execs ask for many times, if they want it bad enough, it doesn't matter. They will push forward no matter what the objections are. And if the person objecting won't give in, they'll find someone else to do it.

I only have a windows partition for games. I would occasionally use it for other stuff because it's sometimes inconvenient to switch back and forth. After recall, I'm only using it for gaming and nothing else.

I'm surprised by how good proton is at running windows games on steamdeck. Because of this and nonsense like recall and the adverts in windows I'm considering just getting rid of windows all together, I'll just run mint Linux probably.

I run Ubuntu on nearly all of my machines, but I build it up manually from the Ubuntu Server installation to reduce bloat. If anyone was going to have problems with Proton on an Ubuntu machine, it's me. Yet, every game I've tried works fine. Everything from Among Us to Metro Exodus runs great.

Some games require a little fiddling, sure, but I've never had an issue that couldn't be resolved using some copy-pasting from ProtonDB. As you may have surmised from the way I set up my machines, I may have a higher tolerance for fiddling than most folks. YMMV.


I am curious about your Ubuntu setup. Any particular technical reason? Any especially thorny bits? Do you see improved performance or fewer background processes? I am well past the point of enduring this kind of OS pain, and will use the path well trodden by others.

I have always assumed that distros layer on so many extensions, customizations, etc that Gnome or KDE would be alien if naively installed.


> Any particular technical reason?

Fully de-GNOME'ing desktop Ubuntu is Sisyphean. It's easier to build up Ubuntu Server from a plain terminal.

> Any especially thorny bits?

Nvidia drivers. Just check that all apt packages with the word "nvidia" in them have the same version number. Otherwise Xorg and/or torch will go boom.

> Gnome or KDE

I'm using neither! I have no login manager. I type my username and password into a login shell, run "startx" and that starts i3.

And yes, it is somewhat alien. GTK and Qt based applications will have no theme, so they all default to that black-on-gray circa Windows 95 look.

> Do you see improved performance or fewer background processes?

Yes and yes. With i3wm loaded, my desktop idles at about 100MB of RAM used. My desktop compares favorably to similarly-specced entries on openbenchmarking, especially in IPC-related tests.


Wild. Well, glad it works for you, but way too many headaches for when things go awry.

I note that my Ubuntu derived system idles at multiple gigs of RAM



Oh man this is totally going to affect:

>My workplace

It won't affect me personally, because I don't use crappy operating systems on my personal time. Microsoft products are just an efficiency loss, I still bill the same.

I literally get everything done faster on Fedora, no Linux prayer needed anymore. It's just better.


It's interesting to compare this to the Chrome/Safari/Edge browsing history, which is stored in an unencrypted SQLite database, and tracks what you do for the last 90 days. It's just a bit less visual, Incognito/Private modes work, and some users clear it more often.

But a whole lot of the surveillance attacks people imagine about Recall apply just the same to the browser. I think it's the "little brother" casual attacks that are so well enabled by Recall - it makes it faster, easier, and way more visual.


Browsing history doesn't contain what's displayed on the page, or what you input into the input boxes, or POST requests. It's sorta like telephone metadata.

On the other hand, I am always freaked out by Chrome extensions that "can read and change your data on all websites". Can't they have more granular permissions? You gotta have a lot of trust for those extensions LMAO. They can read your bank passwords, probably!! And if they are ever sold...


Exactly - knowing the content of each webpage is pretty easy if you're "big brother" surveilling millions of people, even more so if you have a Chrome extension to help.

It's "little brother" that benefits a lot here: bosses, spouses, parents, etc., who otherwise wouldn't click on 1000 links in your history.


To be fair for me the extensions that get that are uBO, Privacy Badger, and Tampermonkey.

I trust gorhill and the EFF to not fuck me over on my data, and Tampermonkey kinda needs those sorts of permissions to work. My password manager has read access to every website but I'm already trusting it with all of my passwords so...


Seems like a very juicy target.

These extensions should not store any data without a master password that you input every time.

What if someone stole the signing key, and submitted an update to Chrome store, even for a little? Oh wait that is only for Chrome Apps. For extensions, they can literally update themselves anytime. Someone would just have to steal the certificate.

If an extension that reads all data uses a CDN (like CloudFlare) that CDN can execute a MITM attack against it and download new code, that would be catastrophic even if it was caught 1 day later.


>Oh wait that is only for Chrome Apps. For extensions, they can literally update themselves anytime. Someone would just have to steal the certificate.

Mozilla reviews signed extension updates. Something tells me uBO is one of the most scrutinized given how very many users it has.

>If an extension that reads all data uses a CDN (like CloudFlare) that CDN can execute a MITM attack against it and download new code, that would be catastrophic even if it was caught 1 day later.

My threat model doesn't include state actors targeting me specifically. Not sure much of anything works against that threat model besides maybe iOS in Lockdown Mode as your only device.


Extensions can simply download and update their own code, e.g. by loading new stuff from localStorage.

I have seen Metamask update itself randomly, and it has access to read every website


Crypto wallets in web browser extensions seem like an absolutely terrible idea compared to any of my examples.

I have an extension like that called uBlock. If that ever gets compromised or sold, I will have much bigger problems ...

Yes, they can change it, that's what Manifest V2 deprecation is about. It will break a lot of ad blockers, because they rely on being able to read anything and change anything on all websites. Many people feel that Google is doing it to make more people watch more ads, not to improve security.

Yeah, I think this entire debate is uninformed hysteria and manufactured outrage. "If an attacker has administrator access, they can see everything you have done on your computer!". OK? That has literally always been the case? "Attacker is root" is game over and always has been. The original writeup from DoublePulsar tried to justify that Recall is somehow different from other such scenarios, but I found it totally unconvincing.

I think it's the right move to have it off by default, but I'm just not convinced by the outrage here.


Recall FEELS like being watched. Your browser history does not.

To be clear, I am not in favor of Recall or dismissing its intrusiveness. However, the correct comparison is not just "browser history". Google is also tracking your search history, passwords (built-in password manager), location history (Google Maps), ad clicks, and more. All-in, it's a LOT of data.

I'm with you -- I avoid Google products for the reasons you listed and am staunchly anti-surveillance capitalism. I just meant to say that even for a person with my very plugged-in perspective on these topics, Google's violations of my privacy still don't feel quite as invasive as Recall feels, even if on paper it's just as egregious and dangerous.

Browser history doesn't show my passwords, everything I typed out and did on the machine.

In comparison browser history is nothing.


You’re missing the point. An attacker can only see the passwords in your Recall database if they have root, but if they have root there are (and always have been) a thousand other ways they can get your passwords. There is no new attack vector being introduced by Recall.

If an attacker got root with Recall they might not need to wait for the user to type their password and risk detection. The information they want to know might already be in the Recall database.

One difference is that you can get root access after the fact and get however much prior data Recall recorded vs only going forward.

It is possible to access the Recall database without admin access.

https://x.com/GossiTheDog/status/1798832390070276500


RTA, Microsoft announced changes to the security model to prevent that.

I did read the article. The person I'm replying to claims the entire debate was "uninformed hysteria", which means they thought the previous security model already required admin.

Another big, big difference: anybody, not just some black-hat pro with a long kill chain of zero-days, has a fantastic source of data to exfiltrate.

Perhaps you didn't note before, or are one yourself, but this includes e.g. abusive spouses. Sure, maybe the abusive spouse could hire a black hat, but this is very different to a drunk low-life wife-beater casually snooping through "recall".

It might not be a "new" attack vector, but it's absolutely a complete degradation of any computer security.


You can get cookies/tokens from Chrome databases, so it's equivalent to passwords in a lot of cases

Except that before today you didn’t even need admin for access to the database, any process that is allowed to read things could access the Recall database.

In a typical bigcorp environment, laptops are loaded with silently installed spyware. Certainly equivalent to taking a screenshot every second or an always-on keylogger.

The horse is out of the barn for many people during work hours. But in the OS and on by default is a different story!


Someone with root access can't see anything that has been deleted, or the contents of secure web pages I've visited, like my banks, doctor, or email. Very different.

If there's AI involved, everyone's panic level skyrockets.

No one retweets "Attacker gaining root access reveals all user information", but instead "Attacker gaining root access reveals all user information collected by AI program" will go viral for sure.


Does Recall run entirely locally? I don't think your browser history gets sent out

I expect it does, if you're using Chrome outside of Incognito Mode. IIRC, there is an opt-out about "web history" on the Google account - which then disables some other things so that it annoys enough people into keeping it on.

It does, that's why it needs an NPU to run.

It does, but who's to say the insights it gains won't ever be sent back and used/sold?

The vulnerability is that the first thing any malware that happens to run on the PC will do is upload the Recall database, giving the attacker your entire usage history since installation (and of any other user account on the same PC). This can then be analyzed for worthwhile targets for scams and blackmailing.

My browser history does. It's synchronized with every Edge instance that I have running. I can open up the tabs from my mobile browser on my desktop and I can see the browser history from everything on everything.

No, it isn't the same. You may know I went to my health care provider's website, maybe even to make an appointment depending on the URL, but with Recall, everything that is on the page will be stored, not just the URL. It's totally different. So the message I sent my healthcare provider that is discussing some of my most sensitive medical issues will be available to read and a record is kept of it... not just the URL. Do you not see the difference?

Yes, but one product cycle and there's metadata (like a background texture) that tells the OCR to skip this page. Or ask your local LLM if the user is talking about medical conditions? If you like the feature at all you can make these things work.

"If you like the feature at all you can make these things work."

It's not on the individual users to take steps to preserve their basic human dignity. It's on Microsoft to not take that dignity away by default, as was their plan before this fiasco predictably blew up in their faces just like the Xbox One always-online Kinect requirement before it.


Another product cycle and it’s up on Azure. So thanks but no thanks.

Don't worry it's ok if you don't want to use Recall, someone will just get that information by hacking your provider anyways.

Your browser history doesn't contain screen recordings of what you do on websites

There is a very different scope at the OS level.

Most of us know that the public Internet is based on surveillance capitalism, no matter if we hate it or are just complacent or ignorant.

OS wide is far more problematic and of low value to the user.


Your browsing history is unlikely to contain personal information, secrets, porn images etc. And if you use Chrome, they get your full browsing history by default.

I get your point, but Microsoft's Recall can capture anything onscreen - emails, personal info, porn, passwords and the like. And it feels, bizarrely for 2024, that little thought has gone into privacy or security.


It's analogous to phone call metadata vs. the contents of the phone calls.

Yes, it's a good way to put it. Though it's worse in some respects, since AI will add "context" to the "contents" too.

Perhaps. A key difference though - history files can include the individual pages I requested from the same host. Right now I have like 50 entries for the various posts I read just from HackerNews, all as separate line items etc etc.

In the case of the phone, one simply sees the recipient of the call, duration etc, regardless of how much information was exchanged. The phone I'm calling is arguably analogous to the server I request a page from, in the metadata context.

I'd argue browser history is significantly richer in some regards due to this.


It won't save your passwords in clear text though.

No but it can reveal all of your accounts if you have more than one.

The language spoken by participants during a phone call is also easily classified as “metadata” and could be defended as non-identifiable info with a straight face. So are the number of speakers on the call, the topics of conversation, the intensity of emotions displayed, voice stress levels, and the presence of certain keywords, if you squint a little. The lack of a literal call transcript does not matter much in terms of privacy.

I don’t know anything about this system, but the fact that screen shots are not ultimately stored on the user’s PC doesn’t mean anything if the content has already been classified and indexed. It will be fished.


> that little thought has gone into privacy or security.

I think the thought is proportional to the amount of thought a non-tech customer will put into it. Nobody seems to care about or understand privacy these days. Everyone knows they're being tracked everywhere they go physically and on the web. People use their real names, address, etc for every junk service they sign up for, without seeing any reason not to. If you tell people that their TV is tracking and taking screenshots of what they watch [1], they say "yeah, Netflix knows too".

It's literally, "how it's always been" for any non tech person under 30.

[1] https://themarkup.org/privacy/2023/12/12/your-smart-tv-knows...


> I think the thought is proportional to the amount of thought a non-tech customer will put into it.

Part of me wonders if this is the consequence of how accessible tech has become, and the prevalence of increasingly non-technical product managers. I'm a former PM, so I'm not here to denigrate the PM role, but the fact that a product like Recall got shipped says a lot about the makeup of the product org that shipped it.

While I get that younger people tend to see privacy differently, I'd argue this isn't really a privacy issue, it's a security conversation, albeit with obvious privacy implications. Leaking what apps I use or what sites I visit is mostly a privacy issue. Leaking what I type into the boxes on those sites is a security issue. If the end result of leaking this info is the attacker can pwn all of my bank accounts, we're solidly into security territory.

The fact that this got shipped means that multiple levels of leadership either didn't think about the consequences or didn't care about the consequences. I hope it's the former, because that means they can learn from the backlash and hopefully recalibrate.

Microsoft is in a position of power that IMO requires a significant duty of care and responsibility to their customers, and lapses like this need to be judged through that lens, i.e. it is their entire business to make sure features like this are safe.


> The fact that this got shipped means that multiple levels of leadership either didn't think about the consequences or didn't care about the consequences. I hope it's the former, because that means they can learn from the backlash and hopefully recalibrate.

There was probably from lower decks, where they are closer to reality. However, people are scared for their jobs in this economy and likely didn’t take it farther.


I think it’s a good point - these are still privacy issues, and being fatigued with the impossibility of defending privacy is indication of a power imbalance, not an acceptable default for humanity.

It's not surprising once you consider that all the big tech firms hire MBAs for their PM roles. The ideal PM profile for these companies is someone with consulting experience who just finished an MBA.

As an engineer with an MBA and in an executive level technology role, an MBA is part of what I would consider a good background. That said, OP was talking about non-technical PMs. That is the issue. You can teach a tech person to understand business, vision, strategy, finance, etc. You cannot teach very well the business person who has all that the intricacies of technology.

That's not really a fact though is it?

> ... an MBA is part of what I would consider a good background.

Emphasis on "part." I'm totally guessing on this, but I think OP may have been talking about PMs where the MBA is their only notable feature rather than those where the MBA is just one part of a well balanced whole.

> You can teach a tech person to understand business, vision, strategy, finance, etc. You cannot teach very well the business person who has all that the intricacies of technology.

I'm inclined to agree with this. The thing about business degrees is that they are so minimal effort that actually understanding business isn't a prerequisite to being awarded one. I would know, I have 2 of them.

There's no guarantee a "business person" actually learned business, much less that they are capable of learning tech. Don't get me wrong, I'm not by any means implying that all business people are inept or that they are collectively unable to learn tech; it's often unrealistic, but not impossible.

Going to school for tech, such as an MS in engineering, CS, etc., typically requires enough effort that one will end up learning their respective field (I have met exceptions to this and interacting with them is infuriating), whereas going to school for an MBA is one of the easiest ways I know of to get government financing for a decade of partying.


> an MBA is one of the easiest ways I know of to get government financing for a decade of partying.

Well this wasn't in the brochure. Best look into it!


> but the fact that a product like Recall got shipped says a lot about the makeup of the product org that shipped it.

Microsoft is just tripping over themselves right now bringing AI to market because they don't want to miss the boat. Their copilot for office 365 stuff is hardly working, it's real beta quality. No normal company would have released it to market in this state. But they're just terrified that Google will eat their lunch.

I don't think security and privacy concerns are much on the radar there anymore. They just want to establish their name in this new market at all costs. And I think in their eyes it makes sense, they've always succeeded because they had the biggest installed base, not because they were the best. It makes sense they see value in being first mover at all costs.

It's just a bit frustrating as a customer. As usual with something they launch it's more promise than substance. I have to say that usually they do have the follow-through to really make it a success. But it does take time.


> Everyone knows they're being tracked everywhere they go physically and on the web

That sounds good to some people. But if I mentioned it to most people in my family they would probably be rather weirded out by it. They probably also would have no idea of the scope of the size of it and how it is being used against them.


Do you listen to music only with earbuds? Do you cover your face when going outside? Do you transform your voice for each person you’re talking to? Are you buying only with cash that you handled with gloves?

Privacy is not a binary concept. There are actions and information that some people are ok being public, and there are some they prefer to remain private.

What is not OK is spying and exploitation. I should know what data you’re collecting and preferably specify which I’m ok with. I also should know what it is intended for, and preferably for most of it to be anonymized.

Most people expect reasonable privacy policies from companies and they believe that there’s some regulation in place.


> Most people expect reasonable privacy policies from companies and they believe that there’s some regulation in place.

Absolutely, but if you ask/inform these people they will say "Well, guess I have nothing to hide." because they can't comprehend going without all their devices/services.


Most people think that "anonymized" data can protect them https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymo...

It's how it's always been, always.

Many here may be too young to remember when many consumer products came with a "product registration" card. This was basically a postcard that asked for all sorts of information, such as your name, address, phone number, birthdate, sex, SSN, marital status, annual income, interests, other products owned, whether you own or rent your home, etc.

People willingly filled these out and sent them in. All the info went into databases that were merged with other sources and traded around various marketing agencies on 9-track tape reels. Advertisers could get mailing lists segmented by age, sex, income level, geographical region or specific zip codes, etc. for their campaigns.

It's all much more pervasive and invisible now, but it's basically what has always been done.


> It's how it's always been, always.

I don't know, I don't think sending in product registration cards could/would often result in your bank account being drained...

> It's all much more pervasive and invisible now, but it's basically what has always been done.

So you admit it is far worse today than it was before? But the second half of your sentence seeks to disingenuously pretend that it has "always" been bad.

I can be sick with a cold or I can have stage-four brain cancer. People have "always" been sick, but one is serious (terminal cancer), one is not (a non-persistent cold).


> It's all much more pervasive and invisible now, but it's basically what has always been done.

"Basically" is doing a lot of work here; the level and degree of how much data is vacuumed, processed, and used for targeting nowadays is orders of magnitude different from these primitive ways.

A tent and a house are basically the same: a shelter.


Right, the pervasiveness today is much higher. But marketers/advertisers have always hoovered up and exploited as much information as was technically possible. That attitude isn't new.

Another thing that is absolutely new is the vast number of people using this data for things other than ads/marketing. The data on registration cards was never used to decide if you get a job or not, or how much you pay for a hotel room vs the next person, or how long you wait on hold when you call a customer service line, or how much your insurance rates go up, or whether or not you're a suspect in a criminal investigation, or if you get custody of your child in a divorce proceeding. The amount of things our data ends up being used for is on a scale that simply was not possible when people started filling out product registration forms.

For better or worse, those use cases are at least somewhat legitimate. Marketing is purely malicious.

I can't recall a time where I or anyone I knew filled those out and sent them in. I realize this is anecdotal, but it's a lot easier to not mail in a form than to try to find the opt-out option in some computer OS.

> And it feels, bizarrely for 2024, that little thought has gone into privacy or security.

No, no. They thought about the privacy and security aspect. They decided that it's better for their bottom line if Windows users don't have privacy from the mother ship. Really, they already decided that way back when Windows Vista first came out and periodically asked Microsoft HQ if you should continue being allowed to use your computer.


I mean, you can't even install Windows 10 without it telling you several times that unless you opt out (again and again), it's going to send just about anything you do to Microsoft…

I can see malware secretly enabling Recall and hopping on it as a really good keylogger which they don’t need to code themselves.

That was XP, and that was the beginning of my separation from Microsoft stuff in earnest. The Windows XP background and UI is a source of nostalgia for millennials just like Windows 3.x, old-school Mac, or Amiga would be for people my age... but I feel no nostalgia at all for it because I let that generation of Windows, and most subsequent ones, simply pass me by, fortune having smiled upon me and enabled me to work in Linux almost exclusively since around that time.

I think they actually did consider that - that's why they emphasized it was all on device. They thought about it, they just didn't think about how little we would trust that promise.

I'm perplexed that anybody thinks Microsoft were being dumb. They know exactly what they are doing and putting the pieces in place to violate users' security is the point.

They're just boiling the frog slowly. It'll be turned on by default soon enough and then they'll start looking for excuses to upload it.

This can be used to make them a shedload of money one day.


I agree, these decisions in 2024 are thoroughly vetted. I think the only thing these companies don't know is when the news cycle will pick up on something they're doing and they get blowback, and they'll have to pretend this was some little oversight.

Honestly, it has the smell of an NSA pressure campaign which would also rake in the money like nobody's business.. an easy choice for Microsoft. They are as guilty as sin for turning everything they create into a surveillance product.

I was just remembering today what they did to the security/encryption as soon as they bought Skype… they removed it. And who would that benefit - the spies.

No-one cared about that. No-one ever cares. Except for this rare occasion - tides are turning and people are starting to care a tad more.


Totally. They just thought nobody would give a fuck. Except, people did. And now Adobe is getting it too.

Adobe figures that if MS can get away with it why can't they? Companies will just keep chipping away at our privacy every chance that they get because our data is extraordinarily valuable and we can't stay hypervigilant and outraged forever. Eventually, they'll get what they want, and then they'll push a little more.

Yes, it feels like the world is about to implode.

I don’t have any friends that care about their own security and privacy. Wanna be my friend? Lol


"noncon:" an abbreviation for "nonconsensual;" describes Microsoft's behaviour towards users.

Even if they kept that promise and they never uploaded the data off our devices, someone else (a hacker, a cop, a stalker, a lawyer, a thief, an abuser) will. Their promise is that everything you ever do on your device will be stored anywhere and can be used against you at any time. It turns out that not many people actually want that.

on the contrary, i think a LOT of thought went into privacy and security. specifically, how to ignore and bypass it.

> Your browsing history is unlikely to contain [...] porn images

Of all the places on your computer that might contain porn images, that would be one of the very top candidates.


Nope - links to porn sites (but who browses porn without Incognito Mode! :), but it's not going to contain actual images.

As far as metadata versus data, the URL of a static image automatically discloses the image itself. The only way to claim that the history doesn't actually contain the image is if you assume that the site has gone defunct.

Unless, of course, you're willing to argue that a porn image stored on the local hard drive isn't contained in any folders on the same PC that soft-link it. You might have an interesting time trying to justify why it is contained in folders that hard-link it.


Am I confused about what browser history is or what? Unless you open a static image in a new tab to look at it or you download it (as opposed to simply looking at it on the page it's on), then how on earth would its URL show up in browser history, which by definition tracks user-visited webpages (i.e. top-level links) and not every single URL the browser makes a request to?

Sure, info about non-top-level links is extractable from e.g. request caches, but that's a different thing from the browser history SQLite DB.


It sounds like you're mostly just confused about how web pages work.

Here is the URL of an image as it appears in your browser history: https://cheezburger.com/10357071872/if-i-fits-i-sits

See if you can figure out what image I was looking at.


That's not the URL of a static image, that's the URL of a web page that happens to have a static image as the only content of worth in it and puts the description of said image in the URL.

Calling it the URL of an image seems to me like quite a bit of confusion about how web pages work.


That all depends. Is "1835 73rd Ave NE" Bill Gates' address, or would it be more natural to call it the address of his house?

I always joked around that Firefox made the incognito shortcut CTRL-Shift-P for Porn mode

(I really wish they followed the “standard” keyboard shortcut)


What is the standard one?

Well obviously the one Chrome decided to use ... /s

It’s also in Safari and I’m guessing Edge as well. It’s not a big deal, I just get surprised by Firefox the first time I try to open a private window

No, the browsing history isn't likely to (data URLs I guess make it technically possible, but...); your browser cache might.

No thought at all. Just by default auto exclude private browser windows and password managers. No thought at all.

It's a turn of phrase; it doesn't mean literally no thought at all!

On a more relevant note, how can it know when a private browser window is open in anything other than Edge? Same question with the password manager - is there going to be some new API that apps have to "opt in" to, to enable Windows to recognise them?


What about the browser cache? And isn't there some capability in many browsers to store form field contents when navigating back/forward too?

At this point browser cache is known to everyone, and many people do clear it regularly. Browsers save passwords and form data but as far as I know they don't upload that data to Google. Still, Chrome is very popular and it sends Google people's browsing history and all their DNS traffic.

Yeah, but in theory Recall doesn't upload anything either, which is why it's analogous. And in fact Chrome does upload passwords, and they're not even E2E encrypted in the default configuration.

They're quite obviously very different, as browser history doesn't tend to include things like financial details or information subject to an NDA.

The browser history may not, the cache and other local storage may well.

The take-away is simple though: Modern desktop operating systems need a security model where individual applications are sand-boxed and protected from each other.

Legacy systems have security models that protect users from each other, but this isn't the personal computing world we live in anymore.


Only if major browsers are disregarding HTTP cache headers, which is a pretty major allegation. Do you have any evidence to support that?

You're assuming that all sensitive information is served with sensible cache policies. There's a lot more websites than browsers.
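The cache-policy point above, as an added example that is not part of the thread: a small Python audit of which responses a browser may write to its disk cache under the RFC 9111 storage rules. The URLs and header sets are constructed samples.

```python
"""Does a response end up in the browser's disk cache? (added example)

Context from the thread: the browser cache can hold sensitive page content
unless the server sends a cache policy that forbids storage. This classifies
a GET response's caching headers following the storage rules of RFC 9111 so
a site owner can audit which pages carrying private data would still be
written to disk. All responses below are constructed samples, not real sites.
"""
from typing import Dict, List, Tuple

# Status codes RFC 9111 allows a cache to store without explicit freshness info.
HEURISTIC_STATUSES = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse 'no-store, max-age=0' into {'no-store': '', 'max-age': '0'}."""
    out: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, _, arg = token.partition("=")
            out[name.strip().lower()] = arg.strip().strip('"')
    return out


def storage_verdict(headers: Dict[str, str], status: int = 200) -> Tuple[bool, str]:
    """Return (stored_on_disk, reason) for a GET response with these headers.

    A browser (a private cache) may store the response unless Cache-Control
    carries no-store. no-cache, private and max-age=0 do NOT prevent storage:
    they only force revalidation before reuse, so the bytes still sit in the
    cache directory on disk.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, "Cache-Control: no-store forbids storing the response"
    if "no-cache" in cc:
        return True, "no-cache only forces revalidation; the response is still stored"
    if "private" in cc:
        return True, "private keeps shared caches out, but the browser still stores it"
    if "max-age" in cc or "s-maxage" in cc or "public" in cc or "expires" in h:
        return True, "explicit freshness lifetime makes the response cacheable"
    if status in HEURISTIC_STATUSES:
        return True, "no explicit policy: status is heuristically cacheable, so it may be stored"
    return False, f"status {status} with no explicit freshness is not stored"


def audit(responses: List[Tuple[str, int, Dict[str, str]]]) -> List[Tuple[str, str]]:
    """Return (url, reason) for every response a browser may write to disk."""
    findings = []
    for url, status, headers in responses:
        stored, reason = storage_verdict(headers, status)
        if stored:
            findings.append((url, reason))
    return findings


# Constructed sample responses for pages that carry private data.
SAMPLE_RESPONSES = [
    ("https://bank.example/statements", 200,
     {"Cache-Control": "no-cache", "Content-Type": "text/html"}),
    ("https://bank.example/transfer", 200,
     {"Cache-Control": "no-store", "Content-Type": "text/html"}),
    ("https://clinic.example/messages/42", 200,
     {"Content-Type": "text/html", "Last-Modified": "Wed, 05 Jun 2024 10:00:00 GMT"}),
    ("https://mail.example/inbox", 200,
     {"Cache-Control": "private, max-age=0, must-revalidate"}),
    ("https://bank.example/api/balance", 200,
     {"Cache-Control": "no-store, no-cache, must-revalidate"}),
]

if __name__ == "__main__":
    for url, reason in audit(SAMPLE_RESPONSES):
        print(f"WOULD BE STORED: {url}\n    {reason}")
```

Only the two responses marked `no-store` stay out of the cache; the `no-cache` and `private, max-age=0` pages, which many sites assume are safe, are still written to disk.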

This doesn't make Recall any better.

The ickier parts are on the unintended capture side, like enabling "show password" on a site doesn't affect browser history but Recall may capture it in the clear.

Or from history you may see that you accessed a site, but not what you did on it (what comments you typed for example).


This is a horrible comparison. Browsing history doesn't show the contents of the page. It doesn't show you what you were doing on that page. It doesn't reveal anything other than you went there and maybe how long.

Well, on old school sites where there are static pages each pointed to by a unique URL, yes it does show the contents of the page :)

Publicly available content, yes. But not the content entered by the user themselves (security question answers, for example), and not contents behind a login, which is usually the case for sensitive information. Screenshots capture them all.

It's like the difference between sniffing HTTPS and HTTP traffic.

One difference is that Web browser history has been there 30 years, since before most people at the time had even touched a Web browser.

At the time, it wasn't very thinkable that someone would have the audacity to take and abuse that information.

It dates from when Internet people overall were more savvy about privacy than users overall today are, but it was also when the Internet was closer to a trustworthy environment, and before Wall Street sociopath types took over the tech and the culture.

Lots of kinds of abuse that today are routine and almost universal, for even startup tech companies, (e.g., embedding third-party trackers into Web sites, and getting even worse from there), I think would've gotten them ostracized, and outraged demands for criminal charges.

During the dotcom gold rush, there was such a flood of totally new posturing people, and so much money being thrown wildly at everything, that any remaining outrage was lost in the noise.

And now virtually no one knows any different.

But if you're trying to push some new abuse today, I think ordinary people are starting to have some awareness of what vicious sociopathic buttholes tech companies have become, and so acceptance might not be a slam-dunk.


1. Browsing history doesn't show what the user is doing on the page. There is a big difference between logging "user visited his e-banking app", and logging his actual credentials as they are entered.

2. Browsing history watches one app. Screenshots watch everything across the entire OS.


Not just credentials - account balances, account numbers, etc. There's a big difference between your browser history recording that you opened your bank or healthcare provider's web site and Recall recording everything that appeared on the screen while you did.

People might use Incognito mode to browse porn, but I imagine it's a lot less common when looking at other sensitive sites.


Talk on zoom to the wife while bathing the kid, stored on recall. VC the girlfriend, stored on recall.

Does your browser history store pictures of your family?


Continuing with the comparison, Recall applies to everything, not just one application. To avoid it, one has to avoid Windows.

Whereas to avoid browsing history, one only has to avoid the popular, graphical, advertising corporation browser. As I am not interested in graphics, I do this every day, with ease, because there are countless clients besides "Chrome/Safari/Edge" that work with the www for consuming information.


At least on macOS, I can't navigate to the directory holding Safari's data with other apps (without special full-disk read permissions).

There's also always private browsing, which exists specifically because people are aware of the implications of a browsing history and a persistent cookie jar.

That awareness will be much harder to build for an always-on screen recorder.


> It's interesting to compare this to the Chrome/Safari/Edge browsing history, which is stored in an unencrypted SQLite database ...

Recall seems to be storing its info locally in an unencrypted SQLite database as well.

At least, that's according to the instructions here on how to access and view the contents:

https://www.heise.de/en/news/First-experiences-with-Recall-9...

From the submitted article, it seems like Microsoft will change/secure the access (and maybe storage) in some way, though there's no details on the specifics.


I hate that most browsers do not let you set them to keep history for longer than 90 days.

I want to be able to find things I've seen before. Recall would've been great if using it didn't require me to update to a version of Windows that contains "Copilot".


[flagged]

All I can say is LOL. Off by default for Windows 11 24H2, on by default in Windows 11 25H2, impossible to disable in Windows 11 26H2 (except in enterprise versions of course). Microsoft's history with respecting the user's wishes speaks for itself.

Not to mention all the dark pattern lying nag dialogs that will trick you into turning it on, or just wear you down.

I saw a yellow dot alert next to the restart/shutdown button on my Windows machine the other day. Those historically indicate a request to restart to apply critical updates. But no, it was a message recommending I sign into a Microsoft account.

That was the last straw for me when it comes to Windows BS---designs that only serve Microsoft, and disrespect all the other times I've said no to their crap. I switched everything over to Linux the next day.


Given their eagerness, I'd guess:

> on by default in Windows 11 25H1, impossible to disable in Windows 11 25H2


Their GA branch is now the annual channel, not the semiannual, so the next release would be "on by default in 25H2, impossible to disable in 26H2, not available in 27H2".

I'm a little more optimistic. Cortana was mandatory at first. Not easy for the average user to disable. Then Cortana was optional. Easy to turn off and uninstall. Then Cortana was just gone. Floated off to the big orbital in the sky.

If Recall continues to inspire grumbling and receives very little praise, I could see it unceremoniously removed in a Windows 12 26H2 Feature Update.


It is puzzling to me that so many people seem to think this concept has no value. To me the concept is obviously good and something I have wanted for a long time.

Of course the security of the implementation is important and I agree with some of the criticism there. And it should be optional and easy to disable permanently, and I know Microsoft has a bad track record with that e.g. with OneDrive, or Microsoft account login in Windows. But I see a lot of people arguing that the feature is worthless, or that it doesn't make sense at the OS level, or that Microsoft specifically should not be allowed to add it to Windows, and I have to strongly disagree.


The concept itself has value, but the ethical and legal concerns are severe, not to mention the issue of Recall also capturing sensitive stuff like passwords.

Microsoft, Google, Apple - everyone is scared shitless of some AI startup kicking their nutsacks, and is launching products that should have gone through extensive ethics discussions beforehand in a matter of weeks.


passwords are the last of it, think about women inquiring about abortions in states where they aren't legal. Or people trying to get away from an abusive partner, on and on it goes.

Agree on the "abusive partner" scenario, but regarding abortions, local police already can abuse dragnet orders on Google Maps [1] - even though they promised to auto-delete anything regarding abortion clinics, there are more than enough other ways for police to target pregnant people.

[1] https://www.npr.org/2022/07/11/1110391316/google-data-aborti...


the concept is valuable but so ripe for abuse that even it existing at all is a threat to everyone's privacy.

I have been a Windows user basically my whole life. 3 years ago I got an iPad Pro (2018, 12.9") for drawing and I hate the operating system. 7 months ago I got a Steam Deck and it's fine for games but doing anything in the OS is confusing and annoying.

Microsoft announced recall and suddenly I'm using a spare computer to test linux distros, and I suck at everything to do with linux and I'm doing it anyways.

It's too dangerous, too much of an invasion of privacy, and too easily enabled completely outside of my control.


Hmm. I think I can respond here.

No one is really saying this feature has no value. For a user, there is value to being able to get to a previous point in time. That feature, however, is clearly not very well designed and implemented if it took days for it to be cracked on the internet for everyone to see. If I could trust that it STAYS local, maybe I would be less paranoid. But this is MS we are talking about.

Personally, I am glad this thing was created. It may finally make people hesitate over the evolution of PCs.


Indeed since this is MS you can guarantee this is just a first step to them expanding their ability to monitor your habits for further monetization.

> clearly not very well designed and implemented if it took days for it to be cracked on the internet for everyone to see

I really don't understand this line of thinking. What was cracked? That the database is readable, unencrypted? How could it be encrypted and usable at the same time?

> If I could trust that it STAYS local

This I agree with. While it's local now, not trusting MS is a valid belief, given their past behavior. If they feel sending some of the info to the cloud could get them $$$, then they will do it. Although I feel regulators might be pretty quick on this one...


<< I really don't understand this line of thinking. What was cracked? That the database is readable, unencrypted? How could it be encrypted and usable at the same time?

I am admittedly mildly confused by this response. Do online portals typically use unencrypted passwords? Do they let data flow unencrypted? Are those portals somehow unusable?

Could you elaborate a little bit? It is possible I am misunderstanding your point.


I have only been somewhat paying attention, but there were lots of stories about someone "cracking" the implementation of Recall and getting access to the locally-stored database. The criticism is that it is easily accessible, but it's hard for me to imagine it any other way and have it still be useful. It's still encrypted at rest, but must be unencrypted for data to be written to it.

There is plenty to criticize about Microsoft, but that one seems manufactured.

As far as I know, the database is local, and Recall does not use the cloud at all. That also means that you can't view the history from one computer on another. But I agree that trust that it will stay that way is not particularly wise.


<< "cracking" the implementation of Recall

I think you have a point there. Would you accept reverse engineering[1] as a more accurate term instead of cracking?

<< I have only been somewhat paying attention

We are in the same boat. I saw the thing pop in my feeds in the past weeks. I skimmed it, thought it was a bad idea, but since I don't have a PC that would be affected, mostly ignored it. I think I only pay more attention today, because it is the weekend and somehow my testing is not ready for me..

[1]https://en.wikipedia.org/wiki/Reverse_engineering [2]https://www.wired.com/story/microsoft-windows-recall-privile...


Ah I see. I guess that came across as criticizing your terminology, but it was more aimed at the general hype around those reverse-engineering articles, which seemed a bit over the top to me :)

Either way, I'm holding off on buying one of these PCs until some real-world info comes out (no one really has this capability yet, so it's all largely speculative).


I have also only been skimming the info but the issues seem to be:

1) Recall takes snapshots of the user’s activity and then Copilot analyses them and keeps the info in a plain text database.

2) The database is accessible to other accounts in the same computer.

3) The database is kept very small in order to save storage space. The trouble is that it is so small that it takes no time at all to upload it. One researcher infected his machine with a known piece of malware. By the time the AV software recognized it the database had already been sent.

4) Once the database is in hand it is trivial to see whatever the person was working on and what information was involved. Apparently you can literally see some things.

So yeah, collecting large amounts of sensitive data makes for a very juicy target.


> No one is really saying this feature has no value

Oh yeah?

> I have a really hard time understanding the use case for something like this. Stuff that I want to remember I just write down https://news.ycombinator.com/item?id=40612277

> the only people that really want this feature are the ones trying to push it down everyones collective throat. Why is MS pushing something so hard when nobody asked for it? https://news.ycombinator.com/item?id=40611263

> It really doesn't [sound like a cool feature]. Not a single person I've spoken to likes the idea of this, at all https://news.ycombinator.com/item?id=40445335

> i have never wanted to go back in history [...] what’s the use case https://news.ycombinator.com/item?id=40544521

etc.


> It is puzzling to me that so many people seem to think this concept has no value. To me the concept is obviously good and something I have wanted for a long time.

The issue is not that the concept has no value. The issue is that the risks and drawbacks are so severe, that they override any value the concept would have.

It's like asbestos, or leaded fuel; these have several useful properties, but their drawbacks are bad enough that they have been banned in many places.


OK, that's your opinion, but you can't deny there are a lot of people arguing that the concept is bad. Even on this very page.

> I have a really hard time understanding the use case for something like this. Stuff that I want to remember I just write down https://news.ycombinator.com/item?id=40612277

> the only people that really want this feature are the ones trying to push it down everyones collective throat. Why is MS pushing something so hard when nobody asked for it? https://news.ycombinator.com/item?id=40611263

> It really doesn't [sound like a cool feature]. Not a single person I've spoken to likes the idea of this, at all https://news.ycombinator.com/item?id=40445335

> i have never wanted to go back in history [...] what’s the use case https://news.ycombinator.com/item?id=40544521


I switched to Macs in 2006 and haven’t felt like Windows’ grass is greener once since then. Until today.

Maybe it shouldn’t be on by default, but this looks amazing.


make it a separate program that people can install if they want to. if it's really that great then people will download it

And how are they going to convince people to be surveilled voluntarily?

This isn't new technology. Apple has had "Rewind" for some time, which is basically the same thing, and it's widely used.

The major difference is that it's third-party software, not bundled with the OS, and you would have to intentionally go out and buy it and install it.

Microsoft has just taken it for granted that everyone would want this and then forced it on everyone.


We will never see Microsoft ship a major product like this and not have it bundled into a Windows update (rather than a specific install).

After their success with installing Teams, Microsoft has seen that the regulators will not proactively stop this kind of thing anymore


Do we know anything about Linux support for Snapdragon X? Personally, I don't trust Qualcomm with Linux support. Their WiFi adapters don't work properly with Linux. Their mobile SoCs that supposedly have mainline support only have the CPU part working, but GPU, modem, Bluetooth, etc. won't.

Also, wasn't their history of closed source drivers and their short support timeline the reason Android devices only ever got 2 years of updates only a few years back?


Here's what Qualcomm is saying: https://www.qualcomm.com/developer/blog/2024/05/upstreaming-...

They claim they're all in on making Linux work seamlessly on the Snapdragon X. I'll leave it up to you on whether or not to believe them.


Funny enough, that's the article I read before commenting. They've made bold claims in the past and failed to deliver.

In all the MS Recall drama, I've yet to hear or read one single person utter something to the effect of "Wow - great!!! - I've been waiting for something like this for years! This will solve at least one of the major issues I face regularly!". In fact, it seems to me the only people that really want this feature are the ones trying to push it down everyone's collective throat. Why is MS pushing something so hard when nobody asked for it?

Rewind.ai is the Mac version of this and many of the same talking points apply. However, it’s a third party tool, and as such isn’t enabled by default.

I think most, if not all, of the overwhelmingly negative feedback is tied to this being enabled by default, and shipped by default


I use the search inside Windows all the time. To me, this seems like a 2% improved version of that. Probably useful, mostly mundane, something I would use but not get excited about.

I assume they would push it for the same reason they would push any other mildly-useful feature improvement.


I've heard Microsoft wants to do away with on-device Windows entirely for consumer devices, and go with a "dumb client" form factor that is always connected to a remote Windows server.

I'm not sure who at the org is pushing for this as it would essentially hand the PC games market to SteamOS. I suppose they saw how well it's worked for enterprise customers that essentially already use a Windows VM through Citrix or some other provider, and think this would solve the virus/malware problem once and for all.


> as it would essentially hand the PC games market to SteamOS

... or they will just stop developing windows games and do only xbox/playstation games ...


> I'm not sure who at the org is pushing for this as it would essentially hand the PC games market to SteamOS.

PC games can already be played on a remote server, using services like Stadia, so it would not necessarily hand the PC games market to local Linux-based devices running SteamOS (like the Steam Deck).


Stadia? That got shut down years ago.

It's because there's a huge cloud first push internally. Leadership is trying to find any way they can find to leverage Azure and recurring revenue.

Rent-seeking is not new human behavior, it’s just been enough generations that the lesson must be collectively learned again.

When this was announced I actually saw a post by someone who used a similar tool for time tracking in OS X and they claimed it was really helpful.

To be frank, I would not mind having this feature on linux provided it was entirely local, and encrypted.


Local, encrypted, and kept in a secure enclave where such things are available. That TPM needs to do us some good once in a while.
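A question raised earlier in this thread ("How could it be encrypted and usable at the same time?", answered with "must be unencrypted for data to be written to it") and the comment just above point at the same design: a local index whose records are sealed under a data key that is released only after the user authenticates. The Go program below is an added illustration of that envelope-encryption pattern; it is not Recall's code or anything Microsoft has published. The 32-byte `kek` is a constructed placeholder for the key a real system would obtain from an authentication step such as Windows Hello or a TPM-sealed blob, and the snapshot text is constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// sealedRecord is the only form a snapshot takes at rest: AES-GCM nonce, ciphertext and tag.
type sealedRecord struct{ nonce, ciphertext []byte }

// Store is a constructed stand-in for an on-disk activity index. Its data key is persisted only
// wrapped under a key-encryption key (kek) the store never holds; a real design would release the
// kek from an authentication step (Windows Hello, a TPM-sealed blob), which is assumed here.
type Store struct {
	wrappedKey sealedRecord
	records    []sealedRecord
	aead       cipher.AEAD // nil while locked
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce (crypto/rand.Read does not fail in practice).
func seal(aead cipher.AEAD, plaintext []byte) sealedRecord {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return sealedRecord{nonce, aead.Seal(nil, nonce, plaintext, nil)}
}

// NewStore draws a random 256-bit data key, wraps it under kek and keeps no plaintext copy.
func NewStore(kek []byte) (*Store, error) {
	kekAEAD, err := newAEAD(kek)
	if err != nil {
		return nil, err
	}
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	return &Store{wrappedKey: seal(kekAEAD, dataKey)}, nil
}

// Unlock unwraps the data key; a wrong kek fails the GCM tag check and leaves the store locked.
func (s *Store) Unlock(kek []byte) error {
	kekAEAD, err := newAEAD(kek)
	if err != nil {
		return err
	}
	dataKey, err := kekAEAD.Open(nil, s.wrappedKey.nonce, s.wrappedKey.ciphertext, nil)
	if err != nil {
		return fmt.Errorf("unlock failed: %w", err)
	}
	s.aead, err = newAEAD(dataKey)
	return err
}

// Lock drops the data key, e.g. when the authenticated session ends.
func (s *Store) Lock() { s.aead = nil }

// Add seals one snapshot's extracted text; writing, like reading, works only while unlocked.
func (s *Store) Add(text string) error {
	if s.aead == nil {
		return fmt.Errorf("store is locked")
	}
	s.records = append(s.records, seal(s.aead, []byte(text)))
	return nil
}

// Search decrypts records in memory and returns those containing term (case-insensitive).
func (s *Store) Search(term string) ([]string, error) {
	if s.aead == nil {
		return nil, fmt.Errorf("store is locked")
	}
	var hits []string
	for _, r := range s.records {
		pt, err := s.aead.Open(nil, r.nonce, r.ciphertext, nil)
		if err != nil {
			return nil, err
		}
		if strings.Contains(strings.ToLower(string(pt)), strings.ToLower(term)) {
			hits = append(hits, string(pt))
		}
	}
	return hits, nil
}

func main() {
	kek := []byte("constructed-32-byte-kek-for-demo") // placeholder, not a real credential
	s, _ := NewStore(kek)
	s.Unlock(kek)
	s.Add("bank statement: balance 1,234.56 account ****1122") // constructed OCR text
	hits, _ := s.Search("balance")
	fmt.Println("hits while unlocked:", hits)
}
```

Writing and searching both go through the unwrapped data key, which lives only in memory for the authenticated session, so "usable" and "encrypted at rest" are not in tension: a second local account, or a copied file, gets nothing but nonce, ciphertext and tag, and a wrong kek fails the GCM authentication check instead of yielding partial data. What the pattern does not settle is the trust question the rest of the thread is about: the code decides who holds the key, not what the vendor does with the data once it is unlocked.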

As long as stockholders think it'll be good, that's what matters. Perceived value is easier to create than real value.

[delayed]

On the contrary, executives at the office have been coming to me about various such tools for months now. It really picked up last fall.

Microsoft was last to the party.


Honestly this whole thing reeks of some sort of data grab dressed up as an "innovative" new feature. They probably wanted a bunch of new training material for their AI projects, and this is what they came up with.

> when nobody asked for it

It's easy to say if you aren't one to benefit from this, but that doesn't mean no one will or that no one asked for it.


I can be that guy. I use Rewind for Mac, which is almost identical to Recall in functionality. I love it, and I've used it frequently to find things that otherwise would have been lost forever.

Most recently I used it to refresh my memory on a particularly convoluted way to authenticate with a third-party oauth system (it involved using an online oauth debugger and curl commands). I had gone through the process once successfully weeks ago, but by the time I had to do it again I'd forgotten every detail. Rather than have to go through the process of figuring it out again, I went back to my successful attempt, watched it, and basically retraced my steps. Rewind probably saved me an hour or two.

My take on Recall is that, like with almost everything, it's a trade-off of security for convenience. I find it valuable enough that I'm willing to make the trade-off, but others might not.


Just go to Windows Central, and you will get a couple of editors shouting exactly that.

Security nightmare aside, it seems like it would be handy all the time. Surely everyone has had trouble finding a website or document or email again, days or weeks later?

Documents and emails are probably easier to find via old-school text searching, though.

What if you don't know where it was though? What if you saw a bit of text, but don't remember if it was in outlook, confluence (if so, which), mattermost (if so, which server), or teams (maybe a screen share?). Those are all systems I use at work, and while I've never been quite that lost about where to start, it's also not wildly exaggerated.

Most or indeed all of that doesn't need screen-scraping though.

It could be handy if the data was stored locally and was managed by the users.

It is.

> In all the MS Recall drama, I've yet to hear or read one single person utter something to the effect of "Wow - great!!! - I've been waiting for something like this for years! This will solve at least one of the major issues I face regularly!".

There were definitely some comments in a previous HN post about it that attempted to defend it and to paint everyone else as overreacting. Several of them even said that they thought it would be useful for something they might hypothetically like to remember or search for... I don't really remember, because the whole thing is crazy to me and I think it's crazy for any tech-savvy person to be running Windows in 2024.

> Why is MS pushing something so hard when nobody asked for it?

I assume this is a rhetorical question, but just in case it isn't: this is not a feature/product for Windows USERS. This is a feature to help train/test MS's AI stuff- YOU are the product, not the customer.


Well let me set that straight: I’ve been waiting for something like this for years. But given what looks to be a rushed rollout from a vendor hyper-focused on monetization over privacy… well, I’m still waiting.

Have the new Copilot devices even launched? Because I don't think that, aside from journos, anybody else has even tried to play with Recall yet.

If I knew that the data could be absolutely kept safe and private to me, I’d love a feature like this. Keeping track of my work over time would be so much easier.

The natural next step is to have a local model trained on everything I’ve ever done, and for all of my computing tasks to be contextual to that history.

I could see this transforming how we use computers.

But I wouldn’t go anywhere near Recall.

I suspect Microsoft is pushing this so hard because they want to do what I just described, and they want to start collecting the data necessary to enable it ASAP.

I can easily see a future capability that people might love that they wouldn’t have even known to ask for. But the way they’re rolling out Recall is certainly not a good foundation.


[delayed]

For tech savvy people, it's a bewildering feature. Why would you want some weird unpredictable AI thing when you've already got filesystem search, browser bookmarks, the neatly categorized PDF collection, and my Zettelkästen/2GB Org.mode doc/Joplin notes?

But for non-technical people, of course, computers are already unpredictable. They routinely (appear to) misplace files and overwrite them with previous versions, and if the URL falls out of autocomplete the site might as well not exist. For people who google to find the Facebook login page, this would simply be how computers should work. You tell it to give you the thing and it gives you the thing. How that happens is immaterial.


I’m plenty savvy and I’d like that AI thing. I’d just like it to be more discerning about what it records, and managed in a way that’s not a pinkie-swear promise to protect my privacy. MS has a track record both long and recent that shows they’re not the appropriate stewards of this data. I don’t even see MS as mustache-twirling villains in general, just incompetent at an organizational level to stand up to whatever scheme any individual mustache-twirling marketing middle manager comes up with.

I can, and am, using a locally running LLM with RAG on my personal wiki already.

The difference between that and Recall: I decide what goes into the wiki.


I know it’s generally unhelpful to discuss voting on this site, but I must point out the irony that this particular comment chain started with “I haven’t heard anybody saying they want this” and then the one comment saying “I want this” was rejected so hard it was threatening to disappear if I didn’t save it.

Why are you conflating being tech savvy with being organized? Only a subset of people in tech that I know have the type of organization you describe. I personally rely on local search for everything.

This applies to most AI features that have been released recently. It feels like almost every business that wants to think of itself as a tech company has been desperate to throw out as many new features as possible that they can slap an AI label onto.

Most of those features are garbage and make the product worse, either because they don't address an actual problem or because they are implemented poorly. But of course improving the product is at best a secondary concern, chasing the hype is far more important, both for the company itself and the individuals building this stuff.


> Why is MS pushing something so hard when nobody asked for it?

Because they bet big on AI, and hardware suppliers bet big on AI-enabled hardware, and so they're trying to find use cases for it.


I've heard some people say this, but those people either don't understand what's going on, or they have to start off by saying, "security issues aside," which is basically saying that they'd like it in a magical world where they could have the feature without anything the system is doing to enable the feature.

All the replies ignoring the elephant in the room: three letter pressure. To me such large moves could indicate an event is in the near/medium future.

An event?

Imagine you could use Recall to train a model to do all the interactions that knowledge workers do on their computers using the exact same software, do you think there would be value in that?

I can also imagine that Recall could grow and cook my food for me, but it can’t do that either, so I don’t really understand your point.

point is that microsoft may have a secondary objective further down the road that recall can be a stepping stone towards

To be fair, people recording their full terminal and browsing history forever is a topic that has come up regularly in HN submissions. It’s certainly something people find a worthwhile idea.

I do want it but I want it to be optional and preferably something built from source. That being said, it won’t be that hard for someone to build their own Recall with an onboard sandboxed LLM. That way users will benefit from the power and know exactly how it works so that they have no questions about the security behind it. It’s a more powerful and useful search.

It's interesting that for years Safari stored page screenshots in its history to allow a "coverflow" view and there wasn't broad concern.

I think the main difference there (apart from the feature being deprecated over a decade ago) is that Coverflow stored a single thumbnail, from which you couldn't derive much information - it's metadata alongside your browsing history, but not much more than that.

Meanwhile Recall takes a stream of high-quality images, from which a full reconstruction of your entire computer-use activity over the last 90 days can be reconstructed in high fidelity and searched through.

From a security point of view, the threat models are a world apart.


Good progress, but to take it just over the trust threshold for me, I'd like it to be a component that you can add/remove (like Hyper-V or IIS); removing literally uninstalls the associated services, applications, DLL registrations, scheduled tasks, etc.

> requiring that users prove their identity via its Microsoft Hello authentication function any time they either enable Recall or access its data,

So now I need MS permission to read my own data stored on my own machine? Insane.


Hello is biometric authentication and it’s entirely local. You need permission from Windows and that’s its job.

‘course, I recently had to unregister my fingerprints from my gf’s laptop because it kept signing her in as me, but that’s a different problem…


It's sad that Microsoft (or any big company) wouldn't take a step back from such privacy intrusive or anti-user behavior unless there's a public backlash.

Can't we just have a peaceful life without wasting time on constantly following and analyzing every single move from these companies?


Have you not seen Windows 11 lately?

I have, and I am still happy to be on Linux as my daily driver for over 20 years now.


I almost want to start using Windows as a daily driver just so I can leave again.

Honestly I haven't. Thankfully my company still allows MacOS and for my personal PC I have Arch Linux at home. However luckily I follow enough HN, so I don't need to test it myself.

[dead]

Microsoft will go ahead with Recall, and will temporarily make it opt-in. Eventually, when the weather is good, they’ll default it to opt-out. If new backlash ensues they’ll PR that it was a bug and turn it off, only to bundle it later with something that can’t be turned off.

At this point MS is a toxic company that you’re better off, as a user, to steer away from.


I think they'll abandon it after a few years like they did with Cortana, when the reality of no one wanting to use it sets in.

> Can't we just have a peaceful life without wasting time on constantly following and analyzing every single move from these companies?

Not if you're using Microsoft products, no.

People continue to get irritated when "we" do this, but here I go: you should be running Linux exclusively on your personal computers. You should also stop buying "smart" shit.


I've been running Linux (Ubuntu) for the last 2 years, for the 3rd time in my life.

All I can say is:

Linux does just about everything more efficiently than Windows, but Windows does just about everything better than Linux. What makes Linux so great is also what keeps it perpetually at ~5% adoption.

I'm probably going to go back to Windows again soon. I'm just not interested in needing to learn a bespoke computer language to get the most out of my PC.


Okay. And? I still think it's not in your best interest to do that, but I'm just some guy on the internet and you can do whatever you want. I also recommend that you don't smoke cigarettes, but I'm not going to lose sleep if you tell me you're going to do that, too.

I'm not like so many who seem to have to rationalize their choice of Linux or other free software by pretending it's actually technically better than the proprietary for-profit stuff. It's not about that.

Linux could get 10% of the battery life of Windows, have zero games, no Netflix/whatever support, and be slow as hell--I'd still choose it over proprietary options out of principle.

I want to own my computer. I don't want my computer to spy on me. Microsoft is literally adversarial to its users (Apple and Google are, too, but Apple at least has slightly different incentives that might make them less bad). Why would I invite that negativity into my life? Life is hard enough without trying to fight against a trillion dollar company for my privacy when I don't have to. It's that simple for me: I'm not inviting a Trojan horse in. But, people act like I'm some tinfoil hat nutjob. I think everyone else is crazy for sacrificing their privacy for "but Windows has a game I like".

Apologies for the preaching, but I don't know how to explain my point of view without it sounding like that!


>Can't we just have a peaceful life without wasting time on constantly following and analyzing every single move from these companies?

No, we can't. Peaceful, content, satisfied, private, conscious makes less rent than disturbed, displeased, unsatisfied, surveilled. So while some people desire the first set, some others desire the second, and so, the cat-and-mouse game continues.


Recall got recalled (ba dum tss).

It could still just be switched on and used to spy on an unknowing spouse, for example... it's just so creepy. Who asked for this feature?? No one did.

In theory you could have always just installed a screen recorder to record your spouse even before this.

The AI training team asked for this feature

(I’m being a bit provocative and assume today it stores locally only, but a future TOS change will secretly and “anonymously” upload your data ‘for training purposes’ — that’s what everyone else is doing these days)


The same thought did cross my mind... would not surprise me.

Microsoft keeps attempting to violate HIPAA on my clients’ behalf. Before this, they turned on OneDrive backups via updates, and began moving sensitive documents onto their servers without prior authorization or consent. I documented the incident, because I honestly wasn’t sure whether or not a lawsuit would result from it. I notified Microsoft, but never got a response.

If your clients are storing sensitive PII on their desktop or my documents folders, they're already likely way the fuck out of compliance. Nice FUD though.

I hope it can be uninstalled altogether. Actually I wish it was a Microsoft Store app. I mean, I don't want that codepath dormant in my OS for malware to enable via a Windows Registry value or whatever. No, not a screenlogger please.

Would love to know if any product research was done on this at all, or if it was a mandate from someone high up in Microsoft. I cannot imagine they'd go very long talking to potential users without hearing the exact same fears they seem to be surprised about today.

“Your main quarterly KPI is AI integration. Do what you have to, go nuts.”

There’s no vision, only the collective ambitions of small men.


Recall certainly validates China's government decision to try to get rid of Windows on government computers (https://www.marketwatch.com/story/china-reportedly-seeks-to-...). Of course recall wouldn't have been enabled on those, but the company providing the OS has made it clear they're willing to make such a sloppy attempt to AI all the things

This is nothing.

An abusive spouse will easily switch it to on. It's very likely Windows will downright push you to do so anyways.

How does Microsoft intend to mitigate that harm?

Because AirTags worked out just fine:

> AirTags have been a tool for stalkers and domestic abusers since Apple launched them in 2021. Police records show that this is a problem, and the legal system has failed women who were targeted by stalkers using AirTags. There have been several instances where AirTag stalking has turned violent, and in at least two cases, resulted in the tracker murdering their target.

https://www.404media.co/email/ce4cec4d-51c3-4101-b2b4-2c9a64...

How many women will be beaten and murdered because of Recall? Why is it that Microsoft reacts to software security concerns but not to the concerns of women?


This is sheer moral panic. Of course tools can be misused by bad people, but that doesn't make it the tool's fault ("how many women will be beaten and murdered because of Recall"). It is the fault of the person misusing the tool to do bad things.

Thank god. I've been selling front door locks that don't actually work, and I'm glad that when people are robbed, it will be the criminal's fault, not mine. Instead of me selling locks that work, what needs to be done first is that all potential criminals should be made not to be criminals.

Yes, much as airtag was sheer moral panic.

Techbros never admit their myopic view.


Knowing you could turn on Recall to spy in this way implies an individual with the technical know-how to grab a freeware keylogger anyways.

Similarly with airtags, you have been able to buy cheaper cellular based GPS trackers for years prior to airtags existing.

In the airtag case, those GPS tags also do not alert the individual that there is a beacon following their person, and as such most likely go unnoticed and under reported.


> Knowing you could turn on recall to spy in this way implies an individual with the technical know how to grab a freeware keylogger anyways.

Strange that you were able to discover this. Has anyone asked you for your research? Does knowing how to grab a freeware keylogger imply that you know how to code up a keylogger for yourself, or did your study not go that far?


There is a massive difference between switching on your new laptop and having a flaming big "look how cool recall is, do you want to switch it on? No? Are you sure" versus finding recall.ai or openrecall.

It is much the same with airtag.


You are trying to appeal to morally corrupt people.

Instead you should hurt their business. Ditch Windows, switch to open source solutions, do not buy their products and services. This is the only language they understand.


Even if it shows being turned off you can't be sure it really is. And yeah they have a tendency to secretly turn malicious features on with little updates. One would really be naive to believe them after their past bad behaviour. It is just another step in slowly boiling the frog to death. Maybe it will be off by default only for as long as people get used to it and normalise it and then, next step turn it on again, more quietly of course.

I am done with Windows, I really love .net, SQL Server, WSL, but I have been burnt on so many of their tools, features etc, Windows 11 was the last straw (task bar unmovable? Are you kidding me? ), and Recall will be the never look back for my personal computing.

Are you switching to Mac?

Already bought a MBP 16" M3 Max a couple months ago

I did - I had a Macbook air on and off on the side, but Windows was home base for 30 years. I ditched Windows for good when 11 came around, it has become untenable.

You don't need Windows for .NET, there are teams which actively use Rider and VS Code while using Mac or Linux laptops.

> “If you’re faced with the trade-off between security and another priority, your answer is clear: Do security,” Nadella's memo read

Just insane that this wasn’t already the rule.


The first big mis-step of the Nadella era.

Will be interesting to hear what he has to say when he's inevitably asked to comment in his next public appearance.


From the lack of security we could assume Nadella himself created Recall over the weekend with the help of Copilot.

This is something nearly on par with the xbox launch debacle

Mind bogglingly tone-deaf and out of touch with what users want


I remember the giant astroturf campaign when he first took over and Microsoft started "heart"-ing open source and Linux. Everyone/bot on the internet said that Microsoft had really changed and that anyone who was still skeptical of them was being irrational and out of touch.

That's all.


Windows 11 and its hardware requirements arguably is a big misstep already.

I think Recall is really cool and it's a shame that it's disabled.

... then you can turn it on for yourself. Unless you think it's a shame it's disabled for other people? Why would you be concerned about that I wonder?

Why...?

Only to be enabled by default by the IT department of your mistrusting employer. Microsoft better remove Recall altogether if they want to avoid costly lawsuits.

where they can then verify, minute-by-minute, that their remote employees are grinding away for every minute they are paid for. I'm convinced MS has two profit models here: 1) NSA/CIA/FBI/ETC 2) employer monitoring of remote workers.

3) schools, and 4) parents.

Employer IT departments already have access to and can install any number of tracking and screen-watching products to monitor their employees on work-issued computers. It's perfectly legal, though in my view pretty scummy behavior.

What pisses me off is that they are just going to keep pulling shit like this, and it's up to everyone to push back ferociously every damn time. It's up there with "not now" instead of "get rekt and never ask me again" choices in terms of user-antagonism.

I'm aware that other OSes exist, but I happen to hate Windows least on the whole :/


> I'm aware that other OSes exist, but I happen to hate Windows least on the whole :/

Have you given Linux a try? Unless you have an Nvidia card or an Adobe workflow; it is usually good. The Nvidia issue may go away in a year.


What do you mean about NVIDIA? I find their drivers have become pretty good. Especially so if you're using them with containers.

Nvidia drivers are fine, it’s Wayland on older drivers that’s still an unmitigated clusterfuck. Wayland sounds nice but in practice it sends me back to the days of XFree86.

> What do you mean about NVIDIA? I find their drivers have become pretty good. Especially so if you're using them with containers.

Have they? What GPU? Are you using the new open source kernel driver? Wayland or X?


Yeah, a few times. Got burned very early on installing Slackware from about 10 billion stiffie disks, and have kept up reasonable effort to be a responsible nerd and keep trying it, but every time there's some roadblock; when I was younger gaming was one example, being an MSVC dev has been a constant throughout, and yeah the ordeal with drivers is also more or less a constant.

I'm an OpenCL guy, not even using CUDA, and have had a decent enough experience with AMD's drivers, but that wasn't enough. I still think MSVC, again with all its flaws, is the best C++ IDE (I've similarly tried them all, repeatedly over decades).


> Yeah, a few times. Got burned very early on installing Slackware from about 10 billion stiffie disks

Please do not use Slackware. With respect to Slackware, almost no one uses it because it is very old school. If I remember correctly you have to use a 3rd party tool to even download updates or packages. It took years for the maintainer to actually have a release. Please use a modern developer distro that has a regular release cycle and modern tools. Fedora or Ubuntu. If you need to use Nvidia, go with Ubuntu.

Also when did you use it? Linux distros haven't used floppy disks in so long.

> I'm an OpenCL guy, not even using CUDA, and have had a decent enough experience with AMD's drivers

That is not my field, but Fedora added the ROCm packages in 40. You can install those and give it a try.

> I still think MSVC, again with all its flaws, is the best C++ IDE (I've similarly tried them all, repeatedly over decades).

I still remember during my time in college (where they required us to use Visual C++) a friend and I were playing with the latest C++ features. We had this very difficult runtime bug. I later found notes in the news that Microsoft's implementation of C++ at the time was incomplete. Tried it in GCC - worked out of the box.


I'm glad that it's shining a light on the reality of Windows 11 as a subscription and data collecting vehicle.

If you still hate Windows least, that's almost certainly because it's what you know best. I work with Windows, Linux, and OSX on a daily basis and Windows is easily the most user-hostile of the three.

Edit: All you know -> What you know best


I've used them all, Mac OS most begrudgingly as needed for cross platform building and testing/support, Linux is alright (and obviously more powerful than Windows) but... just because I have programmer-level troubleshooting skills and computer knowledge, doesn't mean I want to / have the energy use the full force of that all the time for every random thing that could be solved with a simple dialog box and/or sane default.

It's true that I'm most familiar with Windows (given free choice, why would someone use an OS they dislike more?); I personally think Mac OS is more user-hostile (it's a whole lifestyle and worldview they really want to sell you!) but it's comparable.

What I actually want isn't Linux or Mac OS, but a Windows-like OS that isn't so goddamn user hostile and doing stupid shit like always-listening Cortana or this Recall feature or whatever they feel trumps what the user actually wants. If there were a "Windows but actually a user-first product and not a data collection vehicle" I bet it would utterly crush in the marketplace (inasmuch as there is a viable market for OSes).


Apple really likes to limit hardware interoperability because hardware is where they make their $, but there's a lot more overlap in software compatibility between OSX and Linux than Windows and anything else. Just having the familiar terminal environment alone is worth a lot to me.

>I'm aware that other OSes exist, but I happen to hate Windows least on the whole :/

Would you like to share what you like about windows that you don't have on other operating systems, or what puts you off about other OSes? Not trying to be passive aggressive, just curious


Sure; originally it was about having the best graphics and OpenCL drivers for my development needs, and that I've been an MSVC user since version 5. My hate for Windows pales in comparison to things like CMake / the overarching philosophy that every bit of software needs its own configuration language and cmdline arg convention, things like that.

Around the time of Windows 7 for example, to me there was just no contest whatsoever in terms of ease of use, no shaming / cargo culting (Apple can piss right off telling me that my scroll direction is "unnatural" and pushing me to use Apple-everything, users putting stickers on their cars etc), ... Windows is just the default for people coming from a gamedev and graphics background from the 90s, for better or worse. I'm painfully aware of its shortcomings, and I don't want to champion Windows, it's just what made me hate my life least on average :)


Hmm the real question is:

Will you be warned when sending information to someone who has Recall on?

Kinda defeats the purpose of all those confidential communication apps when everything is automatically screenshotted.


What’s funny to me in all of this is I’m pretty sure regular windows search is still really bad and I haven’t heard them mention the feature “search for a file on your pc you know exists”.

They should've left it disabled, and then "accidentally" enabled it, or nagged people into enabling it. I think it would've boiled the frog slower and been more successful.

Alternative cynical take: they needed to have a compelling story for press/launching the laptops they've been working with software/hardware partners on for years. They got to announce "Copilot+ PCs with Total^H^H^H^H^H Recall"! And now they get to walk it back enough controversy will die down and they can still do the first bit I mentioned. Hm.


Maybe a bit off-topic, but I sure wish they'd do this for OneDrive! I installed Windows for personal use for the first time recently (although I use it exclusively at work) and it drove me ABSOLUTELY BONKERS that my home drive was mapping to C:\Users\atribecalledqst\OneDrive.

What I hated the most was that the File Explorer just calls the folders in there e.g. "Documents" and "Pictures" without showing the full path. So it was hard to figure out just where in the file system you were looking -- a major annoyance if you do any work in the command-line!

Even after switching OneDrive off and doing as much as I can to try and get rid of the OneDrive folder structure, I haven't been completely successful. You can make some -- but not all -- home folders (like Downloads, Documents, etc.) point directly to their place in the local user folder, but others, particularly Pictures, don't seem to be movable. Additionally, some programs still seem to want to use the OneDrive folder by default, like I think Office programs still do their best to use them.

In the grand scheme of things it's a small annoyance but god it annoys the shit out of me! I didn't ask for cloud backup and it drives me nuts they tried to force it on me!


Yes, my company just went through a merger and for quite a while we had two OneDrives showing up and it was difficult to tell where the default folders were in addition to being a huge mess any time a file dialog opened. I've actually reverted to creating folders in C:\ to store files so I know where they are.

Yes, Onedrive started out as a pretty useful tool but has turned into a deceptive trojan that tries to force whatever growth metric MSFT managers are currently chasing through a combination of dark patterns (like hiding true file paths from view) and also simply refusing to operate in obviously useful ways which many users want and expect (like not having a built-in way to back up only specific sub-folders on different drives (forcing paying users to trick it by using junctions)).

There used to be no option to uninstall it - now there is.

You will still get it reinstalled during a major OS update, but at least it can easily be removed. Before it was a chore to clean up.

I would speculate there is even some way to prevent it from reinstalling during those major updates. That seems like the kind of capability they would build in because a huge Windows customer complained (i.e. realistically, the major check against dark patterns in Windows).


Not quite what you are describing, but you can prevent any specific executable from ever running by configuring a "debugger" for it in Image File Execution options (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options). You add a key with the executable name and then add a "debugger" value, then point that debugger at C:\Windows\system32\systray.exe. Every time the named executable tries to launch, Windows will try to "debug" it with systray, which immediately exits so the program never actually runs. After uninstalling OneDrive this can be set to prevent OneDriveSetup.exe from ever running for example.

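An added example, not code from the thread: a PowerShell function that enumerates the Image File Execution Options key named in the comment above and lists every executable that has a "Debugger" value set. The function name and its output fields are my own; the registry path is the one quoted in the comment. Anything listed here that you did not set yourself (a block like the OneDriveSetup.exe one described above, or something else entirely) deserves a look, since the same value redirects program launches whoever wrote it.

```powershell
# Added example (not from the thread): audit Image File Execution Options
# entries that carry a "Debugger" value. Such a value makes Windows launch the
# named "debugger" instead of the executable itself, which is exactly how the
# trick described above blocks OneDriveSetup.exe.
function Get-IfeoDebuggerEntries {
    [CmdletBinding()]
    param(
        # Registry path as given in the comment above (PowerShell HKLM: drive syntax).
        [string]$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )

    if (-not (Test-Path -LiteralPath $IfeoPath)) {
        Write-Warning "IFEO key not found: $IfeoPath"
        return
    }

    # Each subkey is named after an executable (e.g. OneDriveSetup.exe).
    Get-ChildItem -LiteralPath $IfeoPath | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        if ($null -ne $props.Debugger) {
            [pscustomobject]@{
                Executable = $_.PSChildName
                Debugger   = $props.Debugger
                # True when the "debugger" is the systray.exe stand-in from the thread,
                # i.e. the entry exists only to stop the program from running.
                IsSystrayBlock = ($props.Debugger -match '(?i)\\systray\.exe$')
            }
        }
    }
}

# Usage: requires a local administrator shell to read HKLM reliably.
Get-IfeoDebuggerEntries | Sort-Object Executable | Format-Table -AutoSize
```

Run it before and after setting a block to confirm the entry landed where you expect, and keep the output somewhere: if a later update removes the entry, as the reply below worries Microsoft might, the diff will show it.
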
You can also define software restriction policies to do similar things.

It is what SRPs are for (but yes, I would not put it past them to disable anything targeting OneDrive).


> I would speculate there is even some way to prevent it from reinstalling during those major updates.

The one positive about Windows is their need to cater to their enterprise IT fleet management base. So, as long as you have a Pro version of Windows, there is usually a way to lock down most things like this via Computer Policy settings. It's just not easy to discover nor time-efficient if you're managing a personal "fleet" of three PCs.



I just got a new PC and went through the same thing! Incredibly frustrating that in something like Godot I have to manually traverse through folders to get to where I want to actually save a file (like.. Documents)

Dear OS writers:

Internet access is not always guaranteed or reliable. Please do not assume that the cloud is a viable solution for every user.

I ran into this on my phone a while back. I knew I would be out of service for some time but had some PDFs I needed to reference. So I downloaded them to "files". Quelle surprise when I later go to look up a value and there's a little cloud with a down arrow button next to the PDF in the files app, which of course fails because I'm nowhere near any internet access. Even more fun: turning off the cloud integration in files just causes the files to disappear, even if you are currently connected. It's allergic to local storage.


This is the number one thing that annoys me about so many apps, especially apps with clear use-cases for offline use like listening to music, reading, and learning apps. I don't understand how so many app writers have never gone for a run through a canyon or flown on an airplane. I specifically pay money to SoundCloud for instance just for the "feature" to cache the music locally and somehow it regularly gets stuck, clearly from lack of internet. It's probably some metric collection or some other spyware to make sure all the bean counters get their money at the huge expense to usability. Pimsleur's language learning app, and many book reading apps all suffer and all I want to do is not be bored to tears on flights that don't have internet.

They just want live data on your activities and update without sync and stuff however expensive that is even for them, easier to be lazy too

Also every <35 years old person is a js/web dev, so that’s what they do on cloud


> I don't understand how so many app writers have never gone for a run through a canyon or flown on an airplane.

In the UK, every time I got on a train, I'd experience that. And it was worse than not having internet; you had internet, but with extreme packet loss and instability, meaning that every app out there would simply stall, even if it already had the data to do whatever it is I wanted it to do, because it was waiting on some background request to complete. And because I had internet, the request didn't just fail, but it also wouldn't complete in any reasonable amount of time.

Very frustrating.


Audible recently started doing this, to the point where I had to revoke its permissions to use cellular data just to get it to work right.

> learning apps.

So fun to spring for the paid duolingo only to realize you can only download the next lesson up, not like the entire course.

The lessons are like 5m long wtf am I supposed to do with that? I just want to spend my idle time on the plane or camping disconnected from distractions so I can learn, but app developers have made that effectively impossible

And this is why I don't pay for, or even use duolingo even though I'm actively learning a language


If this is the place to complain about broken patterns in Microsoft software, I wonder if anyone can fix this:

1. Create new office document (Word/PowerPoint/etc) and hit save.

2. No, the default location in OneDrive isn’t right so you click the down arrow to see more.

3. No, none of the other recent locations in the (short) list are right either, so you click “More locations”

4. Now you have to click Browse to see an actual Save As dialog that finally lets you navigate through folders. Even then the actual folders are right down at the bottom of the left hand “tree” pane, below a bunch of virtual folders, below OneDrive (aside: if you navigate “up” from here you get to “Desktop”, but it’s not the same “Desktop” that appears lower down in the list; that one is inside your OneDrive), below Music, Videos (you get no hint as to where these actually are), finally near the bottom there is This PC and Network which you can navigate sanely through. Oh, and right at the bottom there is “Microsoft PowerPoint”, as a save location. You can click on it and try to save a document in there, wherever “Microsoft PowerPoint” is. Just kidding, you are stopped by a dialog box telling you this isn’t a valid location.

JFC. No wonder people prefer the “everything is an app icon” approach. Windows is diabolical for managing files.


1,000% agree.

Saving files in Office has turned into a nightmare.

I don't understand what Microsoft is thinking with this behavior.

I'm fine with that being the default flow. But it can't even be turned off.

I imagine this design is better for non power users.

They no longer forget where they saved their files.

But for power users, this is terrible.


Yeah, my machine connects over WiFi on an external USB 3 adapter because I'm too lazy to finish my Ethernet project. The adapter requires drivers, which are handily included on the device itself as a mass storage device. But there's seemingly no way to get those drivers installed in the captive environment, I even tried using the "launch cmd" key shortcut and manually running the executable, but Windows wouldn't have it. And there's no option to install drivers so you can proceed with Microsoft Account sign in...

Literally my only option was to use the local account bypass. How long before they fully remove that, though, remains to be seen.


Seriously, it drives me absolutely out of my mind. I tell everybody who listens, "Remember your users aren't software engineers who are always connected over fast reliable pipes, and program accordingly" but it's a hard problem. No PM ever wants to hear that you're spending time optimizing for no/low internet scenarios.

I've gotten burned by that "isn't really downloaded" thing a few times before too, to the point where I don't trust apps to download anymore. I just adb push files from my laptop to my phone before I go. Can't always do that though, but I try to.


you just have to use dopus as a file explorer replacement and just use dropbox (with cryptomator of course...) to yield (in most respects) best in class file management and sync

Always set Windows up with a local account to avoid this nonsense. Used to be relatively straightforward in Windows 10, but MS made it a lot harder to dodge in 11.

Hang around kids and even though they can be pretty good at using a computer, they have no clue how the thing actually works. They don't know what a file is anymore. Everything is a shiny little icon in a shiny little magic folder.

Not trying to make this sound like a value judgment, more an observation. But it makes you wonder, what do we lose by excessive abstraction.


Yeah my 82 year old mother knows more about files than my kids do.

This isn't excessive abstraction - this is just different abstraction. Files and folders are a human invention, and there's no law of nature forcing us to continue using them. It's like complaining about people forgetting how to use MS-DOS commands, when Windows (until PowerShell) was built on GUIs through and through and MS-DOS commands were only still there for compatibility. You don't have to learn MS-DOS command to copy files, you learn to use Explorer to copy files (which to a small extent is like using the MS-DOS command).

Or like complaining people forgot how to use teletypes. We didn't have to keep using teletypes, and we didn't keep using them. Our Linux terminals are still modeled after teletypes, but not in a way that has anything to do with using a real teletype. You don't learn teletypes, you learn terminals (which to a medium extent are like teletypes).

It isn't like when people don't learn to add numbers or how Quicksort works or assembly code. Those are still fundamental truths that help people understand things. It's more like not learning to write Roman numerals, or not learning ALGOL 60. Nothing is really lost except the ability to read old things. You don't learn Roman numerals, you learn western Arabic numerals, and they're better, not worse. You don't learn ALGOL 60, you learn C11, and some people would argue whether it's better, but it's not worse.


storing things "in apps" still makes a file on a filesystem, but it's less reliable and the user doesn't know where it is

Storing things "in files" still writes a CHS-addressed sector on a disk, but it's less reliable and the user doesn't know where it is.

Files are currently used to implement apps, but that can be seen as a transitional measure, like an OS that supports both files and raw disk access. A fully app-based OS without files, though not existing currently, would be possible.

Another idea the industry discarded was to make the disk a big SQL database, again without files.


Nah. The files and folders still exist on all of these systems. So hiding them away is actually more abstraction, not “different” abstraction.

UX prognosticators have been preaching for decades that anything that computer users find confusing should simply be hidden. Not made more clear, or easier to use, but just papered over so users can no longer identify a specific thing to complain about. It’s just like the weirdos who try to get rid of the address bar on web browsers every few years, but the filesystem haters have been a lot more successful, and computers are more confusing as a result. You don’t solve confusion by hiding it behind a thin layer of paint. All the same problems still exist, but there’s no longer a way for experts to even try to help. There are so many better ways to simplify computing than pretending it’s magic.


> It’s just like the weirdos who try to get rid of the address bar on web browsers every few years, but the filesystem haters have been a lot more successful, and computers are more confusing as a result.

They figure that the less users know about how their device/software works the more dependent they are on developers who can then act as gatekeepers of what the user can and can't do even when the system is capable of much more. They don't want users doing things differently, or disabling things, or seeing what's going on under the hood. Keeping users ignorant, controlled, and dependent gives them a very secure feeling.


Feels like a conspiracy to force power users to experience software the way noob users experience computers in general.

No, those shiny app icons are still using folders and files, that part is just being hidden from users to where they have less understanding of how things actually work.

Phones aren't secretly using Roman numerals or tiny embedded abacuses though. If they were for whatever reason, there would be plenty of value in learning those systems.


The proper way of doing it is to use the API calls that have existed for decades to get the paths of well-known folders. It is because they are known to move and in fact having a roaming profile on a server location dates to the mid 90s with WinNT.

If you're hard coding paths you're doing it wrong.

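An added example, not code from the thread, of what the comment above means by using the well-known folder APIs: a PowerShell function (my own name and output fields) that resolves the user's standard folders through `[System.Environment]::GetFolderPath` rather than assuming `$env:USERPROFILE\Documents`, and reports which of them currently resolve to a path under a OneDrive folder, which is the redirection the earlier comments in this thread are complaining about.

```powershell
# Added example (not from the thread): look up well-known folders via the API
# and compare the result with the path a hard-coding program would have guessed.
function Get-KnownFolderReport {
    [CmdletBinding()]
    param(
        # Folders to check; Downloads is not in this enum, see the note below.
        [System.Environment+SpecialFolder[]]$Folders = @(
            [System.Environment+SpecialFolder]::MyDocuments,
            [System.Environment+SpecialFolder]::MyPictures,
            [System.Environment+SpecialFolder]::Desktop,
            [System.Environment+SpecialFolder]::MyMusic,
            [System.Environment+SpecialFolder]::MyVideos
        )
    )

    foreach ($f in $Folders) {
        # GetFolderPath honours folder redirection (roaming profiles, OneDrive's
        # "known folder move"), so this is the location programs should use.
        $actual = [System.Environment]::GetFolderPath($f)

        # What a program that hard-codes the path would assume: the enum name with
        # its "My" prefix dropped, directly under the profile directory.
        $naive = Join-Path $env:USERPROFILE ($f.ToString() -replace '^My', '')

        [pscustomobject]@{
            Folder            = $f
            ActualPath        = $actual
            InOneDrive        = [bool]($actual -match '\\OneDrive')
            NaiveGuessMatches = ($actual -eq $naive)
        }
    }
}

Get-KnownFolderReport | Format-Table -AutoSize
```

A row with NaiveGuessMatches = False is a folder where hard-coded paths would silently read or write the wrong directory. The Downloads folder has no entry in the .NET SpecialFolder enum; resolving it needs the native SHGetKnownFolderPath call (or a P/Invoke wrapper), which is why it is left out of the default list.
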

> The proper way of doing it is to use the API calls that have existed for decades

A user doesn't want to do this though.

I tried casually using a windows 11 machine for something the other day (I think I was fixing game folders for my girlfriend), using just explorer, and it was pretty obscenely bad how overly confusing it had gotten. I say this, and I fairly routinely debug old build systems with complex nesting file structures, I know my way around a file system.

This wasn't a case of "oh you're just a power user", this was a case of the system had broken, and the simple advice of "backing up your files" and "copy your files over here" wasn't working.

Telling everyone they need to use API calls is just ridiculous, the filesystem is just broken for the average user.


It is infuriating when I open the file explorer and it takes many seconds to populate the side bar. This wasn't the case with Windows 10. Everything in OneDrive really makes things take a long time. OneDrive is great, but I want a OneDrive folder where things are sync'd, not transparently transforming the file system into OneDrive.

I recently tried to fully rid myself of OneDrive and it took me over 48 hours to accomplish. The only working method I found involved fully enabling OneDrive, signing in, and waiting for a full sync. Only then was I able to tell it to stop syncing and finally remap Documents, Downloads, Pictures, etc.

The fact that I needed to log in, wait 24 hours for my account to unlock due to inactivity (!!!), and enable sync in order to disable it was enough for me to finally decide that Windows 10 will be my last Microsoft product. It may be a small annoyance, but to me it was the straw that broke the camel's back.


And I can almost guarantee you it will magically all turn itself back on/reinstall itself eventually after the OS force updates/reboots itself in the not too distant future.

It's already re-created the OneDrive folder, but it hasn't moved any of my libraries back yet. Knock on wood.

That is truly insidious, but FWIW, you don't need to abandon Windows entirely because of this. There are ways of creating a custom Windows installation disk that removes OneDrive, along with other bloatware, spyware, and pretty much anything else you don't like. Look into tools such as Tiny11 Builder, MSMG Toolkit, NTLite, etc. This is a decent guide[1] for setting all of this up.

The process is quite tedious and takes a few hours, but in the end you end up with a personalized version of Windows, without any of the garbage. You still need to be vigilant of Windows Update undoing some of this, but you can also disable it altogether and manually cherry pick the updates you want to install.

It's insane that Microsoft is building such a user hostile OS that forces users to resort to this, but if you absolutely must use it, the experience after doing the above is not so bad. I've been running a custom install of Windows 11 for about a year now without any issues.

[1]: https://www.tomshardware.com/how-to/create-custom-windows-11...



Maybe this tool is a bit more comprehensive. After configuring a stripped down image, Windows can be installed in what is almost like a headless mode in literally 5 minutes with no user intervention:

https://www.ntlite.com/


Yes, NTLite is good, but AFAIR, it doesn't allow deep customization of some things. The guide I linked to mentions it as the last step.

Thanks, I'll take a look into this! I'm still probably going to move to a linux distro for my desktop, but I'm always down to try breaking things on another system.

They are the house of dark patterns.

After a certain point anyone paying attention can see it's not accidental. Oops sorry! No. Their goal is your technological enslavement. Mis-features like that don't accidentally just always end up being evil and oops sorry when there is a real backlash. They wanted to see if they could get away with it, like they do.

I abandoned MS products in 1998 for good. Win98se pushed me over the edge.


Win98SE was actually good though! Well, it was way way better than Win98. Win2k and 7 (the last Windows OS I ever had for personal use) were good too. The writing was on the wall back in the 98 days for sure though. MS decided that your computer was theirs.

If you think this is bad, there was a period last year that my documents folder would suddenly rename itself to "Documents" but in a different language. This would religiously change every few days. Other people have reported it as well.

I have disposed of my last PC now and have nothing to do with the infernal things, or onedrive, or any of that crap ever again!


I unfortunately had to use Windows last year, and the whole mix up between local folders and OneDrive folders meant that the only way to not go insane was to avoid using those folders altogether, create a C:\MyStuff folder and store everything there.

I like this video of Jonathan Blow ranting about the file explorer: https://www.youtube.com/watch?v=le6dvr95Z2Q


Interesting, our experiences are different here. I suspect it's because I installed Windows 11 (23H2) using a local account using the OOBE bypass (not because I particularly hate the Microsoft account thing, but because this machine uses an external WiFi adapter and requires drivers in order to work, so I could not have done it even if I wanted to). The drivers are actually included on the device, but there's not a clear way to accomplish a driver installation while in the captive OOBE, even given the ability to launch a command line.

I did later connect my Microsoft account. In my installation the OneDrive folder is empty and the entries in Explorer map to the normal places (C:\Users\X\Pictures etc). If I open one of the default folders, it does show a "Start backup" entry in the address bar that is referring to OneDrive, though. If I open the OneDrive folder, it asks me to sign in (entering password) and set it up, which is funny, because the Windows user is signed in using a Microsoft account already, so it seems like they haven't connected those dots properly yet. In theory this might be their way of implementing a security check for uploading all your files, but if so it's an awkward way to do it.

> Additionally, some programs still seem to want to use the OneDrive folder by default, like I think Office programs still do their best to use them.

If I remember correctly, there is an API that programs can use to locate common folder locations for users (such as Documents, Pictures, etc). My guess is that your account still points to C:\Users\X\OneDrive\Pictures instead of C:\Users\X\Pictures. If you could adjust those directly (maybe in the registry?), I would imagine that it will work correctly in these programs, especially since I doubt those programs would break on my setup, where there are no OneDrive subfolders (though I don't use Office so I can't check). And in case you wonder if there really are no subfolders in OneDrive since I can't open it in Explorer without signing into it, it shows nothing when viewed via PowerShell.


This is especially obnoxious for Desktop and Remote Desktop Connection.

The former because my desktop is... where I want things just a certain way for THIS computer, not across the cloud. And because it's a PITA to undo and set it the correct way.

The latter because of course I use Remote Desktop on multiple computers, but it keeps saving a "default" file in the same place across computers, and throwing errors left and right because they conflict. So stupid.


Or better yet, make the OneDrive integration a public, documented API so we can plug in our own cloud storage and get all the same benefits (syncing settings, files, game saves, etc. but with the added benefit of choice). I'd love to get native integration with ownCloud / NextCloud and even other online competitors.

And for that matter, make Apple do the same for iCloud; I'd love to keep all my iPhone stuff in my own self hosted "cloud" and get 1st party integration.


You have to reinstall Windows and set up a local account instead of a Microsoft account. Everyone should install Windows with a local account.

For Windows 11: https://www.tomshardware.com/how-to/install-windows-11-witho...



It’s unlikely that they would completely block offline installations.

OneDrive is awful. It keeps crashing and forgetting where it was. I have 3 copies now. I have to waste time to sort it out. And it messes up the dates. It is disgusting that our workplace enforces this.

The gateway to a monthly consumer subscription. Therefore important to Microsoft.

Apple also uses dark patterns to try and get a monthly income from customers. Apple has upsells and nag nag nag advertisements for iCloud.

The irony with Microsoft is that I would consider paying a monthly fee for a modern version of Windows 2000 without extra features. No adverts, no telemetry, no OneDrive, no cloud signin, no store, no games installed as part of the OS, no MS junkware, no bullshit. Aside: why is there no "Windows for developers"? Even Ballmer knew "developers developers developers" was worthwhile, but Microsoft has deleted that from its DNA, even though Apple's competition is a mixed bag.


Add to these complaints that many folders are actually logical overlapping folders that pull from multiple places. I haven’t been able to bring myself to use Windows for years now, and I was a Windows sysadmin for over a decade! It’s basically impossible for someone like me who needs to feel in control of their computing environment to ever feel comfortable with.

I think this will be definitely a "for now" moment until they let us all become a little bit more used to the idea.

I have a really hard time understanding the use case for something like this. Stuff that I want to remember I just write down or reference something like my browser history or recently opened files. It's very low tech for sure but it works, is waaay more energy efficient, way easier to understand and audit, and doesn't have the same security concerns. I get that using "AI" has a Wow Factor that existing systems lack but I cannot understand the thinking of folks that are OK with the trade-off. It's just not even close for me.

I agree, I think the current state of the AI is absolutely incredible technology, but I just don't see a 'product' yet.

If chat and co-pilots are all we get out of this wave of investment, then I'm not sure if it's been worth it.


I see a lot of cool little use cases (eg, LLMs are genuinely fantastic for creative brainstorming), but I'm absolutely not seeing the multi-trillion dollar AI industry that all the big companies are clearly banking on.

Have a look at Rewind.ai for some idea about the use cases maybe. Some people are already paying for the feature, so it clearly has some value.

https://www.rewind.ai/

Personally, data privacy/protection and compliance aside, I’d find it fairly useful on my work computer.


I definitely get the use case. It's naive to ignore that there is utility.

But just because something has utility doesn't mean it comes at high costs. I mean it's a super powerful keylogger that is searchable without technical knowledge. Not to mention that it'll probably fail to LLM type of attacks, which even many non technical people are able to figure out.

But then again, I don't understand why people so passionately store all their chat logs (not just important/memorable messages) and take millions of photos. We kinda spy on ourselves


Yeah it can be very useful. The only way I'd trust it is if it was a box that MITM the HDMI/DP cable and has clearly no connectivity to the outside world. It can do OCR locally, store things locally, I don't even want it queryable from a computer. Maybe a standalone terminal.

Even then I wouldn't. Just the same way I wouldn't trust a keylogger on my system no matter what. This is more invasive than a keylogger.

And per my other comment [0], I think it just creates a big attack surface and makes extracting data and passwords from machines much easier. And as suggested by another user, I suspect this will be used to enforce Chat Control for those in Europe.

[0] https://news.ycombinator.com/item?id=40612851


I think the product itself can be useful, but Microsoft is the second last organization that I would ever trust to implement it correctly, only after governments.

Giving your screen recordings to Microsoft is like giving a loaded gun to a toddler.


We used to use a similar tool in QA. Often when you accidentally reproduce something - especially something rare - you don't even realize it happened until it happened and then you can't remember what you did to produce it. Being able to look back even just a few minutes can save you hours of attempting to figure out what the magic was.

Now that I'm a developer, I often get into the flow and find myself knee deep in some work, but I forget to write notes about what I was doing. Coming back the next day, I often can't remember what issue I ran in to or how I fixed it. Having a quick way to review what I did the previous day is very helpful.

I can see a lot of potential uses for this technology, but I'm quite wary of any service that involves sending all of that data to some third party. Regardless of how much they might swear they won't use it for anything else, every company eventually sells your data for extra profit - it's just too tempting.


Classic 2-step move, introduce what you want to ship but add a red herring, remove red herring on the outrage, ship it.

Microsoft isn't filled with morons, and they knew this would be the reaction. They always planned this "retreat," and this retreat is actually an advance: if you completely missed the media tempest in a teapot, the story would be that Windows is going to embed AI into every copy that will be able to track everything that is done on the machine and make inferences from it.

Now, the story is: Microsoft has been forced to retreat, through public pressure, from tracking everything that its users do by default.

Complete success on Microsoft's part. And the public that angrily reads headlines and angrily tweeted twice vigorously pats themselves on the back for their "victory."


How about they remove ALL AI features, including Copilot? This is clearly illegal bundling that deserves swift anti-trust action. Microsoft is worse than ever, and far more bold with abuse of their market position than they ever were in the 90s.

Off by default, means On by Default When They Change Their Mind [tomorrow, next week, next month, etc]. Antitrust yesterday already.

Security backlash?

Should be security concerns


Fairly certain it won't be switched off by default in most corporate environments. Recall is one of the more impressive foot-bazookas to come out of MS since WebDAV in Windows 2000!

... or make a OneDrive-connected folder have an icon that shows, clearly, that it's been taken over by OneDrive.

I'd give a setup option to provide a non-OneDrive Documents folder, that feature would be turned on automatically if OneDrive senses that there is a database residing in the Documents folder (ACT!, I'm looking at you!)


I don't understand how recall even got launched. No one should have spent money developing it.

Yes, the idea is cool. But even if you trust Microsoft it's obviously a privacy and security nightmare. How many people would install a keylogger on their own system? And then make that keylogger trivial to search through? It just makes Windows computers extremely valuable targets for hackers and I'll ban them on my networks even if Recall isn't enabled.


> I don't understand how recall even got launched. No one should have spent money developing it.

I disagree. I would feel quite comfortable using functionality like Recall on my personal computer, on which I of course run Linux, if it was opt-in. It's a great idea.

The problem is that it's an idea that's just not compatible with how Microsoft is running the Windows platform, the relationship the company has with its customers, and that it was originally announced as impossible to disable.

Recall as default-on for managed corporate devices is preposterous, for example.


> The problem is that it's an idea that's just not compatible with how Microsoft

You disagreed but ignored my entire point. No, I don't trust Microsoft, but my point was about even if we did

> I of course run Linux

I use Arch btw


What the default was going to be regardless, except by now everyone heard of the product to the value of probably millions if not billions worth of ads

The feature is dead and will only be a drag on Windows, Microsoft, and their public perception.

Throw in the towel, it has been besmirched to the point of no return.


wait wait wait- Are they going to do a recall on Recall? What a crappy name for anything sold in the history of all the things

I feel like an open source version of this would be really cool.

There's a lot of people who have a lot of data they won't want to put into this and run other people's closed source code, and you don't really know what it's doing.

Is there an open source Linux friendly equivalent?


What I think MS should do if they really believed this is a thing people want is make it an actual sold product. Not free. Not a sub.

Just like when we used to have boxed software back in the day. Of course it would be on Windows Store or whatever hogwash they use to push software.

Remember when you had to actually take market risk to publish something and not just "give it for free"? I get times are past that, but if the market is good enough for Cybertruck, surely it's good enough for Recall.

In fact, if I were the CEO I would do this just to allay FTC concerns about big-boi MS and their market power. Like how they made Office for the Mac when Jobs came back and to keep Mac afloat (or like how Google pays Firefox money).

Let the market decide, that's what these capitalists claim to love, right (yes, I know we see through their bluff from both left/right sides of the aisle - that's me calling it there).


Yes, call them out -- all of these "amazing AI innovations" are bollocks.

If they're that essential for our existence, then go ahead and sell it to consumers.

As the Rabbit (and Humane) before it demonstrated, none of these things are (a) essential, or (b) polished and ready for daily use.


When Recall is enabled, it should have an overlay stating that it is active so that all users are aware. Something at least as obvious as the old windows activation overlay.

Otherwise, every creepy roommate, bad partner, bad friend, etc... will take advantage of this to do bad things.


How is this different from having screen recording on?

If you mean Win-G, then clicking screen record, it shows an overlay. I don't think that you can hide that overlay.

There's a giant banner saying that screen recording is on, while there's nothing for Recall? I'm not sure I'm following your question.

There are many screen recorders that do not show a "giant banner", and even if there weren't, it's ~200 LoC to implement an efficient screen recorder for Windows that's hidden.

You can install any app to do anything on Windows. The issue here is that this is built-in, so it will be everywhere, all the time.

If you had screen recording on by default you’d run out of disk space pretty quick.

MS just did what every other micromanagement company did and took screenshots every second or so.


According to that simile, Microsoft has become our boss, but for whatever reason, we have to pay Microsoft instead of Microsoft paying us.

They can already do that. Look at ActivTrak

Yes, but that's a third party app which requires install.

Recall will be pre-installed on Windows 11. The ubiquity is what scares me, and should make MS take a second thought about liability, as far as treating their users right.


FF should create a DRM that uses the bullshit webdrm standards and apply it to the entire sandboxed experience. Lock MS the fuck out. Oh you want passwords? Sorry bucko. It's DRM'd. What's good for Hollywood execs is good for End Users. (but we don't get the phat stacks of cash).

The whole of Microsoft should be switched off


Why have it all then?

Truth is they will have it off at first, then an update will only do the Windows folder and slowly creep from there. Another update will "accidentally" turn it on, then more options will be available and more will be defaulted on.

There will not be a single option but multiple toggles at some point.


> Why have it all then?

Devil's advocate: if this type of thing was somehow done correctly, it could be amazing.

I would love to be able to automate the portion of my desktop OS actions which I repeat daily. Check multiple email accounts across various providers, find the new episodes of shows I like, etc.


What's funny about this and other "recalls" (pun intended) of "products" from so-called "tech" companies as a result of "feedback", or "backlash" as Wired calls it, is that the companies never asked for such input and AFAIK no one is contacting the companies to give it. AFAICT it is obtained through surveillance. To people born after the internet this might seem normal, but to me it is quite odd. The companies claim to be operating in service of "users" but there is generally no direct contact between these "users" and the company. With some isolated exceptions that have increased over time, there is no customer service. And in most cases the "customer" has not paid the company for the so-called "product". Generally, no one is asking a refund on their purchase of Windows because generally no one pays Microsoft for it. Instead people just complain into the ether.

No need to pay for being the target of surveillance. The "products" are free.


In this context, “feedback” means reputation compromising news cycles.

It's so weird to me that a company like Microsoft would care that much about "reputation". Everyone basically hates them already. Many of the most successful companies in the US are widely (if not universally) hated by the people who pay them. Nobody loves comcast, or exxonmobil, or centurylink, or EA, or equifax, or facebook. People feel trapped and unable to avoid paying some companies or using their products no matter how much they hate them. How many people have paid Microsoft for their OS at all? How much money would they really use if they ignored the bad press? How many grandmas would start downloading linux?

I'm glad Microsoft is making changes, but I wonder how much is out of fear for their reputation and how much is just to try and comfort people and get the news to stop talking about it so that everyone doesn't just disable it as soon as it rolls out.


So much of the youth use nothing but mobile OSs and Microsoft lost that - they’re not even a player! Macs have been selling more each year. Valve/Proton is bringing gaming to Linux. Microsoft is losing the non-corp consumers. The features are aimed at non-corp consumers.

Don't worry, even when you pay very high prices for products and service you're still being spied on. A company will always make more money by charging you as much as possible and then also collecting every scrap of data they can get their hands on. Every smart TV is spying on users and many are pushing ads. How many people do you think demanded their money back? Every game console sold still spies on you. Every car. Every cell phone. When there are no products that don't spy on us what will people do? Return them all and live in empty houses?

If there was an HN commenter with a username taken from a DOS batch file who complains about game console surveillance, then would it be safe to conclude this might be a non-enterprise Windows user?

A reply about tangible products that people can choose to purchase or choose not to purchase is not a response to the comment I am making. These are examples of conscious choices, coupled with payment.

With few exceptions, non-enterprise Windows users are not consciously choosing to purchase a Windows license. They are choosing to purchase a computer. The decision to purchase a Windows license was made by the OEM. If we ask these computer purchasers what they bought, they are likely to describe a tangible product, e.g., "I bought a computer", not a license to use an operating system.

If something is wrong with the computer, then the purchaser can generally contact the seller/manufacturer for redress. But when the problem is with Windows, consumers generally do not contact Microsoft. Instead they complain into the ether.

Good luck enforcing warranties or products liability laws against Microsoft with respect to a free copy of non-enterprise Windows that was pre-installed on a computer. Windows can be broken six ways to Sunday, it can be a defective "product", and Microsoft can take its time fixing the problems, or even just leave them as is.


Here's something I just don't get. Microsoft just got their ass handed to them by the US Government because of (lapses in) security. Extremely more than coincidentally, Satya Nadella told the entire Microsoft org that if anyone had to choose between features and security, to choose security. I'm hearing from Microsoft people that all product roadmaps are deferred for a few months while security features are addressed. Their whole corporate spiel is "Microsoft runs on trust" (see the famous standards of business training on YouTube).

And then someone goes and invents Recall. This is not the work of a lone engineer and a principal PM fishing for Impact or whatever they call success at Microsoft. This had to have gone through multiple levels of review. Microsoft PMs, CVPs, their corpo legal people, marketing approval. And yet no one stopped to say, "wait, this could blow up in our faces"?


What's so hard to get? Security and trust are lip service. Corporations lie to make a buck. How is it not obvious?

Actions speak louder than words.


The user data is just too juicy a potential profit center to pass up on. So many models to create!

We should assume that everyone is on their worst behavior going forward.


I should have said fine-tunings, not models.

Untrue. Employees are asked to focus on sec. The org tells you that the company runs on trust. This is not lip service - it's not that internally they state otherwise, and it's certainly naive to think so.

What happens is that, meanwhile, business is happening. People are making (small) decisions that add up to big things, and leadership tends to trust those below to make the right calls and implement technology correctly. Which, time and time again, doesn't happen.

Yes, maybe it needs to be more of a priority, but it also isn't a conscious decision.


I'll take a shot (not at MS, so I have no inside info).

GenAI is hotter than anything else right now. As Satya publicly stated, "we made them dance" -- which shows how high-priority it is to maximize "AI innovation" at MS.

If you disagree, think about how badly "Tay" blew up in MS's face and yet they still went ahead and bundled OpenAI LLM tech into all of Office365, just so they could have bragging rights about beating Google to it.

At this point, it's a race (to where? who knows) and no Big Tech Corp wants to be seen as "not at the forefront".

That's my $0.02, anyway :)


You are absolutely right. This AI race has been sort of funny to watch among the big tech incumbents.

Google kept on launching faked demos and hurriedly released an openly race biased image generator all in a bid to catch up with OpenAI.

Meanwhile Apple has been sort of lethargic. Recently announced a deal with OpenAI to add GPT to their devices. They seem happy to continue playing catch up in this regard.

I think Meta is probably the only big tech giant that has kind of got their execution right straight from the jump. Can't point out any slip ups from their "AI announcements".


Note that Meta aren't trying to sell AI services to most people (with the exception of advertisers, for whom it kinda makes sense).

Much easier to avoid messing up, given this.


Llama 3 is available and in your face when you open WhatsApp these days. They're very much trying to get everyone to tell them / the AI their secrets.

You forgot Amazon eating paste in the corner.

> They seem happy to continue playing catch up in this regard.

Catch up with what? Does anyone else have an AI product actually worth having?

Is it somehow bad that Apple hasn't also released an AI that doesn't do what it's supposed to do half of the time?


Apple plays “catch up” by quietly hunkering down for a few years and then suddenly leapfrogging everyone else.

Except they totally flopped with virtual reality.

Mixed Reality... the Vision Pro is not suitable for 80% of the VR use cases, i.e. gaming/porn.

> Meanwhile Apple has been sort of lethargic.

If by lethargic you mean OCR of every single image on my computer so I can copy and paste text from anything, all running locally on the NPU on my M1 chip, then lethargic is A-OK.

That's what Apple does: they ship useful features. We'll see tomorrow if they fall in the trap and run in this race to nowhere.


I tried to use AI on (intentionally?) badly formatted bank statements for a family member. Tried Apple, Google, various startups. Nothing could do it. The easy stuff is easy (raw OCR) but the hard stuff (layout recognition and reformatting) is not yet doable.

>OCR of every single image on my computer so I can copy and paste text from anything, all running locally on the NPU on my M1 chip

This functionality is baked into Windows since 10. But for some reason you need a third party program to expose it.

https://learn.microsoft.com/en-us/uwp/api/windows.media.ocr?...

https://github.com/TheJoeFin/Text-Grab


Check out Microsoft PowerToys' TextExtractor.

Apple, as it exists now, is not much of an innovator. They don't need to be. They can release improved versions of the products everyone already has. Best not to mess with that by introducing half-assed tech that breaks the user experience. Wait till it's matured a bit, then release a smooth and polished Apple version.

I think this is for the better. I’ve been using LLMs pretty regularly lately for some side projects, and they’re interesting but they’re not particularly nice products. I’m not aware of anyone who has a legitimately polished offering. There’s definitely a lot to the tech, but the signal to noise on essentially every model I’ve tried is far below normal standards for feature reliability and quality.

> hurriedly released an openly race biased image generator all in a bid to catch up with OpenAI.

If you think the bias was due to timing constraints and not intentional then you are extremely naive.


> Heres something I just don't get.

> And then someone goes and invents Recall

Maybe you should read about the history of Microsoft, especially about its security.

But people forget easily.


Wasn't recall out in preview before the whole security snafus happened?

No. Microsoft very frequently puts out new features into the normal releases of Windows 11 at the same time as insider testers get rollouts.

The reason they did this is because if they succeeded in sneaking this out, MS would have been 'drinking the milkshake' of Google, Adobe, Facebook and everyone else trying to do the same thing at an app level. It would be the holy grail of training data: they could replace or simulate the entire user at an inter-app level for A/B testing anything they want, or worse. The idea of having full user behavior history of the majority of the world's computer users is just too tempting not to try for them, and I'm sure they'll try again despite any backlash.


Did no one think of recall posting your key wallet passwords in plain text…

I’m honestly not surprised they came up with this considering MS’ track record on security since the internet exists.

One more reason to resist their extend embrace extinguish strategy and not use their tools (vs code etc), this won’t end well and Microsoft will always be Microsoft.


A few things that Recall can do:

- Make sure Recall is per user and not something that can be installed system wide for all users.

- When a user enables Recall, it should ask to set up a "Recall password", generate a public/private key pair, and use the password to encrypt the private key.

- Use the above public key to encrypt all the data it stores.

- When the user wants to search Recall history, ask for the password, decrypt the private key, and use the decrypted private key to decrypt the data and show it to the user.

- Show some sort of indicator on taskbar that Recall is running, not a tray icon (which can be hidden), but a proper big red circle kind of thing.

To me this seems like another case of MS top executives telling every team that they have to do something with AI. Typical approach used by many executives and managers - "Here is a new tech, figure out a product to build with it".


Too late. I've used Windows for over 30 years. Was never a "fan", it just got the work done without getting in the way. Good tool.

But now I'm moving all my computers, including work computers, to Linux. Will miss out on some hardware/software I use for music production (biggest loss will be TotalMix FX for my RME audio interface), but MSFT leadership has shown they don't get it.

Also, Fusion360 for Linux when?


...until they can find a way for it to be introduced without resistance.

Let's not pretend several decades of unscrupulous behavior is going to change now. Unless regulatory structures get implemented to brutally, exactingly, unflinchingly and relentlessly punish firms, they won't stop trying.

Punitively maul them into submission.

