Microsoft told media outlets a hacker cannot exfiltrate Copilot+ Recall activity remotely.
Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated.
HT detective

It's just an SQLite database, feature ships in a few weeks - I've already modded it into an Infostealer hosted on Microsoft's Github (a few lines of code)
Microsoft are going to deliberately set cybersecurity back a decade & endanger customers by empowering low level criminals.

Thread'o'rama at the link: @GossiTheDog/112531054138802168" target="_blank" rel="noopener" onclick="event.stopPropagation()">cyberplace.social
I've tested this with messaging apps like WhatsApp, Signal and Teams.
Somebody message you with disappearing messages? They're recorded anyway. Write a disappearing message? It's recorded. Delete a message? It's recorded.

This memo was sent this month.
My feeling is unless Microsoft's senior leadership actually *does something* about reviewing Recall, the US Government and others should consider they haven't taken the CSRB report seriously at all.
x.com

Watch as Microsoft staff gain access to the Recall database files at the 24 second mark here, you'll be shocked by their elite hacking skills.

I should write an FAQ up on this whole thing as it is one of the most ridiculous security failings I've ever seen, people inside MS don't seem to understand the implications of any of this and they've even enabled it on their own systems (while dealing with customer data).
Q. This needs SYSTEM rights to access the database though, right?
A. No. You don't need Admin either btw, there's an easy bypass.
Q. But if it did need admin, nobody runs admin, right?
A. According to Microsoft's own website created for the Recall announcement, "Most people run as full admins". Including MS staff.

Also to be super clear you can disable this in Settings when it ships, and I highly recommend you do unless they rework the feature and experience (they're working to add it to AMD and Intel, too - and doesn't actually need an NPU, I don't have one).
For enterprises and governments, I strongly recommend you disable it via Group Policy ("If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall.")
#disableaidataanalysis" target="_blank" rel="noopener" onclick="event.stopPropagation()">learn.microsoft.com

I wrote an FAQ about this here, to loop it into the thread. doublepulsar.com

Here’s Recall happily saving DuckDuckGo private browsing, Signal secret chats: @wdormann/112554330862658219" target="_blank" rel="noopener" onclick="event.stopPropagation()">infosec.exchange
Firefox Private Browsing: @wdormann/112554381079289041" target="_blank" rel="noopener" onclick="event.stopPropagation()">infosec.exchange
The privacy documentation for Recall says Firefox Private Browsing is excluded from Recall - but it actually records it.

How long until the Honest Trailers version of this?

The ‘encrypted’ Recall database that you can’t access remotely or steal as another user 🤥

We’re in the ‘LinkedIn has Recall memes’ phase now.