53 votes

Microsoft postpones Windows Recall after major backlash

20 comments

  1. [13]
    Wes

    I feel like while the concern raised over Recall is valid, much of it has missed the mark. The real root of the problem is that Windows is not a secure OS. If software is allowed to run, it can access almost everything. There are a few areas that are loosely cordoned off (like system files), but for the most part once you have malware, your system has been completely pwned.

    This is why cryptolockers are so devastating to businesses. Techniques like append-only writing need to be utilized because otherwise they can wipe out your whole system. This is also why schools and organizations tend to run extremely stripped down computers like Chromebooks, and rely heavily on VPNs. They can't trust your PC, so they build a wall and offer extremely limited ways to interact through it.

    Recall is really not much worse than other backup systems like Shadow Copies or Apple's Time Machine. It's easily searchable due to its database, but it doesn't do anything conceptually different. If you get malware, your files and their history can be accessed just as usual. I don't find it surprising then that Microsoft didn't foresee the problem when designing Recall. The problem cuts deeper, and Recall only exposes it.

    For obvious reasons it isn't possible to rearchitect Windows at this stage. Tens of thousands of software tools are written with the assumption that they can do whatever they want once running, and introducing new walls will cause them to crash or fail in unexpected ways. Arguably Windows on ARM could have been the time to go back and redesign things, but that task is a massive undertaking, and would have made it even more difficult to create compatibility layers to support x86 applications on ARM. Most attempts at doing Windows "right" from the ground-up have failed within Microsoft.

    It's too bad, because I'd love to see a modern redesign of desktop operating systems (most of them have these problems). They weren't built to be multi-user, connected to the web, or with sandboxing in mind. Everything we do is just layering on top of these legacy decisions. A lot of lessons were learned when mobile OSes were designed, so they offer much better sandboxing, isolation, and security layers. But outside of niche projects like immutable filesystems, a complete desktop overhaul is probably not going to happen soon.

    It might actually be argued that one of the biggest boons to security has been the move to the web browser. Browsers are sandboxed, as well as they can be, and full sandbox escapes are rare. Even when a website is as evil as it can be, there's not a lot of damage it can actually do today. Now imagine if every website you visited required running an exe on your computer instead. Not great, right?

    So today we have this problem. Windows Recall is a genuinely useful feature - especially for people like me with ADHD that constantly lose track of things. Being able to query for information instead of needing to remember exactly where it was could be tremendously helpful. But if running a feature like this (or backups, or storing anything important at all on your PC), you need to understand the risks that malware or other intrusions can also gain access. Maybe they'll be able to improve the security with some form of real-time encryption, but it's likely all stopgap measures.

    Still, should the feature ever come to x86 PCs, I think I would at least try it. It's been nearly two decades since I've had a virus, and I already treat my PC with some level of suspicion. I'm also interested in AI applications, especially those that run locally. I think it's just a matter of deciding if the value proposition justifies any increase in attack surface for you. Just bear in mind that if your PC is pwned, it's probably going to be bad whether Recall is installed or not.

    43 votes
    1. [4]
      ButteredToast

      It's too bad, because I'd love to see a modern redesign of desktop operating systems (most of them have these problems). They weren't built to be multi-user, connected to the web, or with sandboxing in mind. Everything we do is just layering on top of these legacy decisions. A lot of lessons were learned when mobile OSes were designed, so they offer much better sandboxing, isolation, and security layers. But outside of niche projects like immutable filesystems, a complete desktop overhaul is probably not going to happen soon.

      Apple has brought some of these mobile OS learnings to macOS with things like gating third party apps’ access to the filesystem, camera, mic, etc behind a permission dialog (or where they feel increased friction is justified, requiring the user to manually add the app in question to an allowlist) as well as making the system immutable via SIP (system integrity protection). They’ve also been progressively kicking more things out of the kernel into userspace. Unfortunately, though resistance hasn’t been nearly as bad as it would be in the Windows world, there’s still a highly vocal subset of power users and devs bemoaning all of this (as frequently seen in HN comments).

      There are Linux distributions doing the immutable thing like Fedora Silverblue, but not a lot is being done on the permissions and sandboxing front on the system level. Instead, most efforts seem focused on per-package solutions, which strikes me as odd… it’s a bit like equipping every device that could potentially start a fire with a fire extinguisher instead of building a fire suppression system into the building that the devices will be placed in. I’m not an OS designer or security expert though so maybe there’s something I’m missing.

      11 votes
      1. [3]
        Akir

        I actually like this a lot for security reasons, but I wish there was a better way to deal with giving them permissions than the popups that happen when you want something to happen. There's also a lot of developers who do not do best practices. I have a Logitech mouse and the software to customize it is constantly updating. That's not a bad thing, but every time it happens I get an annoying notification that tells me that a new app has been granted accessibility permissions.

        On the other hand, the way Apple handles unsigned applications is downright user hostile. "I see the people who made this app didn't pay the Apple Tax. Why don't I just delete it for you?"

        10 votes
        1. [2]
          ButteredToast

          For the first issue, I think there’s something that Logitech is/isn’t doing that’s triggering prompts after each update. If I’m not mistaken, once an app has been granted permission, it should persist between updates so long as the signing certificate doesn’t change (which is why people noticed that Bartender had changed hands a week or so ago).

          For the second, it’s kinda tricky. If they made the warning a more typical lightweight OK-button dialog (e.g. just a notice that it’s not signed and could be dangerous), a lot of people would blaze through it without so much as a second thought. Some extra friction is good because it encourages users to think more closely about where the app came from and if the needs it meets are worth the risks.

          I think it could make sense for Apple to grant free memberships (and thus signing/notarization) to well-documented FOSS projects, though.

          5 votes
          1. balooga

            (which is why people noticed that Bartender had changed hands a week or so ago)

            Yikes. I’ve been a happy Bartender user for years and completely missed this. Thanks for the heads-up.

            4 votes
    2. Carrow

      My deeper concern was with telemetry. Even if they have you doing the processing locally, what's to keep it from summarizing its work and phoning it back home?

      I'm also holding off on using AI at home until it cooks a bit longer and perhaps the open source community can do a similar tool for Linux.

      And yeah I don't want to be micromanaged at work.

      9 votes
    3. [6]
      Rocket_Man

      A couple of points

      1. Recall isn't a backup system, it's a semantic history of your activities on a single PC.
      2. Microsoft did re-architect their entire app ecosystem with WinRT which introduced apps that had protected files, permissions requirements, and are fully sandboxed. People hated it for a couple of reasons, but the file security being one of them. People want apps to have full power to do whatever they want, so they can modify the OS, add mods, etc.
      3. Schools buy Chromebooks due to marketing, cost, and being locked down for other reasons than security.

      I'm also personally not convinced recall is going to be useful. I've very rarely needed to find content that I remember but can't locate.

      8 votes
      1. [5]
        Wes

        I do understand that Recall is not a backup system. One of the primary concerns being raised though is that if your PC is compromised, that it's not just current data but historical data that is put at risk. That's why I draw the comparison to local backups, as they present a similar concern but haven't received the same scrutiny. The differences between the two aren't really important though, since I was making the larger point that the issue isn't so much about the data being stored, but that it's so easily accessed by local software.

        Windows has received a number of security features over the years, such as address layout randomization, kernel driver protection, and permission requirements for some system directories (as you mentioned). These do undoubtedly help. But the problems I was talking about go deeper.

        For example, software can be (and sometimes has to be) installed at the system-level instead of the user level. This means that one user can affect what another user has installed. Though I've not tested it, I bet that software can be set to auto-run.

        Additionally, passwords are little more than suggestions. While it may be difficult to log in directly as a user without their password, it's trivial to read their files by spinning up the hard drive and mounting it manually. Yes both of these attacks require some kind of local access, but in the case of Recall we're assuming that the PC has already been pwned, so it's not such a reach.

        Just to mention, yes I do know about BitLocker. But it's not typically used on consumer devices, and it requires a second password which is a big turn off. I would much rather see its features integrated into an encrypted filesystem, or even full-disk encryption for single-user devices.

        I'm happy to concede that Microsoft has made some gains here. In particular the NTFS file system and Windows Vista's stricter rules on drivers were huge improvements to stability. Windows though is still a massive house of cards. In every release they add a new layer of paint, but those first million lines of code decisions will probably be there forever.

        3 votes
        1. [4]
          Weldawadyathink

          One quick note about bitlocker: it is used on consumer systems. I don’t know what year this changed, but it was many years ago. All windows device manufacturers (or at least all the names you have heard of) have bitlocker enabled by default on all new computers. The bitlocker recovery key is stored in your Microsoft account, which was one of the reasons for Microsoft trying to force those accounts for windows logins. So it isn’t the most secure mode bitlocker can be configured for, but it addresses the “casual theft” threat model.

          4 votes
          1. [3]
            Wes

            That's interesting, thanks for sharing. I haven't bought an OEM PC in a long time so I didn't know that policy had changed. I wonder then if they've made it a little more seamless, as in the past it's felt very disconnected from Windows as a whole.

            I'd definitely not want to upload a private key like that to an online account, but I suppose it's easier for them than having tens of thousands of people lose access to their files because they forgot their password.

            4 votes
            1. [2]
              Weldawadyathink

              It’s perfectly seamless now. There is no extra password at boot, or even for most recovery scenarios. I think if you use an external windows recovery image, it will prompt you to enter a user password or the bitlocker recovery key. I would be willing to bet you couldn’t even tell that bitlocker was enabled on a new system without opening the bitlocker section in settings. Microsoft really did a good job at that feature.

              I agree with you about the recovery key in the cloud, but it definitely depends on your security posture. I think it’s also somewhat easy to change the recovery key and not upload it, although it’s hidden and you have to click through a bunch of scary “I know what I am doing” dialogues. A typical user definitely shouldn’t be changing those settings.

              5 votes
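              The state described in this exchange (BitLocker on by default, a recovery password as one of the key protectors) can be audited from an elevated PowerShell prompt. This is an added example, not code from the thread; it assumes the BitLocker module that ships with Windows 10/11 and only lists protector types and IDs, never the recovery key itself.

              ```powershell
              # Added example: audit BitLocker on the OS volume and list its key protectors.
              # Assumes an elevated prompt and the built-in BitLocker module (Get-BitLockerVolume).
              $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

              # Summarize the protection state. ProtectionStatus 'On' with VolumeStatus
              # 'FullyEncrypted' is the "seamless, on by default" configuration discussed above.
              [pscustomobject]@{
                  MountPoint       = $vol.MountPoint
                  ProtectionStatus = $vol.ProtectionStatus    # On / Off
                  VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
                  EncryptionMethod = $vol.EncryptionMethod
                  Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')  # e.g. Tpm, RecoveryPassword
              }

              # A RecoveryPassword protector is the 48-digit key that OEM setups back up to the
              # Microsoft account. Only its ID is shown here; verify where that key is stored
              # (account, AD/Entra, printed copy) before relying on it or rotating it.
              $vol.KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                  Select-Object KeyProtectorId, KeyProtectorType
              ```

              If the volume shows no RecoveryPassword protector, a lost TPM or firmware change can leave the drive unrecoverable, so check this before changing any protector settings.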
              1. Wes
                (edited)

                I just went ahead and enabled BitLocker to test, and sure enough it appears seamless now. That's great to see! Honestly I'm really happy that Windows file systems won't be laid bare by default anymore.

                Thanks for letting me know!

                4 votes
    4. jredd23

      Risk management of Pros/Cons. Like most, my immediate reaction to it was bad, but all you have said is valid. My problem is this march that M$ has been of moving users to the "cloud".

      5 votes
  2. [3]
    DeaconBlue

    It makes no difference if they postpone it. The feature will come out and be widely accepted by businesses for two very important reasons:

    • It will allow micromanaging to be streamlined.
    • Businesses are, as a whole, hilariously bad at security and just take whatever the OEM says as good enough.

    28 votes
    1. sparksbet

      Postponing it matters more because they've at least claimed they're going to fix some of its major security flaws, including the fact that it's on by default. Whether businesses choose to use it or not, that's hugely important for preventing it from absolutely decimating the security of average not-so-computer-literate users.

      21 votes
    2. CannibalisticApple

      Businesses, sure. Government agencies, lawyers and other industries that deal with highly sensitive documents might move away from Windows entirely though. United States Congress doesn't even allow Copilot on Congress-owned devices due to security leak concerns.

      Recall is MUCH more risky in comparison. Even if Microsoft creates a more secure government version, not sure they'd want to take the risk of anything that regularly screenshots the screen. If a hacker ever gets into it... Yeah, that's terrifying. I've seen lawyers express similar concerns, and also the potential for Recall data being leveraged in court.

      13 votes
  3. [4]
    Dr_Amazing

    Maybe they could just fix the search bar instead. All my troubles finding things would be fixed if typing the exact name of a file showed you where it was. I'll never understand why Microsoft thinks I want to use it as a web browser.

    8 votes
    1. [2]
      TumblingTurquoise

      Windows 11 really grinds my gears, slowly. Our workplace recently upgraded all the workstations to it. I keep track of many work details in a spreadsheet on a network share. This file is open every day, all day long, and the search bar still cannot find it at all. If I open Excel itself, the file is never the first one in the list of recent documents, but other files I've not touched in months are.

      Another annoyance: I've made some registry edits to add some programs to the right click context menu; now it requires an extra click to do anything I was doing before.

      I don't use any of the new features (improvements? Are there even any?) of the OS. I just need the office apps, PowerShell, VS Code and SSH terminal. But there's still more pointless friction for most of my interactions with Windows.

      I honestly don't get why they keep changing stuff for the sake of changing it, without providing some sort of benefit to the end user.

      6 votes
      1. Perryapsis

        If I open Excel itself, the file is never the first one in the list of recent documents, but other files I've not touched in months are.

        This drives me nuts. If I even open a tab to view an online spreadsheet from sharepoint, it puts it in my recent list in Excel itself. These often bury the things I was actually working on.

        2 votes
    2. Minori

      Have you tried PowerToys Run? It's a really nice suite that Microsoft packages and supports. The default Windows search behavior is pretty strange, so I was super happy with how slick Run is. It's very similar to Command+Space on Mac.

      3 votes