(comments)

Original link: https://news.ycombinator.com/item?id=40540703

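In this post, a former Microsoft employee shares their experience using various operating systems, including Windows, ChromeOS and Linux. They initially tried ChromeOS for some non-gaming purposes, but found themselves returning to Windows because of gaming requirements and specific software needs. However, they grew increasingly uneasy about privacy issues and Microsoft's business practices, which led them to switch to Linux, specifically on a Framework laptop. After a successful transition, they express satisfaction with the performance, stability and freedom of Microsoft products. They also criticize Microsoft's focus on enterprise customers and its questionable privacy practices.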


Original text


What a lot of people are missing in all this is that Microsoft is coming from one, dialing it up to eleven to then dial it back to 9.

By pushing this onto people in a hard way they open the door to come up with a mitigating solution that later is far beyond what we had before recall but not as bad as what they pushed onto people in the first place. So they will reach their goal, as it was never 11, it was always 9.



back in the day there was a healthy blend of win95, 98, ME, XP, and vista in the wild. it was common for devs to check for older versions with something like `if str(os.version)[0] == "9"`. according to legend enough (internal?) software kept breaking that the solution became "don't put a 9 in the version number".

iirc they officially stated it was because of how much people disliked win8.



I used to work on Windows at Microsoft, prior to Windows 10. I've always kept some Windows machines around because I felt that Windows was actually not that bad of an operating system, having personally reviewed a good amount of its source code and seen what the engineering culture was back at the time I was there.

I gave ChromeOS a try for some machines I might otherwise have run Windows on, but I kept the Windows machines around for gaming and for the occasional oddball proprietary software package that some family member just had to have. About the time Google dropped its unofficial motto "Don't Be Evil" I started moving away from ChromeOS and back to trusty old Debian.

I've recently purchased a Framework 16 with an AMD Radeon RX 7700S GPU and installed Arch Linux and Steam on it. All the games I care about playing at the moment, including Elden Ring and Baldur's Gate 3, run phenomenally well on it. It's 100% stable driving a 2560x1600 display at 60+fps with high graphics settings. I can plug in a PS5 controller and it "just works."

With that I now feel truly free of anything Microsoft, in the sense that I don't feel like I'm making any compromises at all with how I want to use my computers by using Linux rather than Windows. I'm going to be installing Arch or Debian Linux on my remaining Windows boxen over the summer.

So this is my final adieu, my old friend Microsoft. How far our paths have diverged since we first parted ways. Hit me up again when you've extricated your OS from your cloud and stopped showing ads and integrating privacy-hostile features. I won't be holding my breath though.



> I used to work on Windows at Microsoft, prior to Windows 10. I've always kept some Windows machines around because I felt that Windows was actually not that bad of an operating system, having personally reviewed a good amount of its source code and seen what the engineering culture was back at the time I was there.

I'm curious how the culture was though. I always get the vibe that Microsoft has never been "end user oriented" if that makes sense. They always seemed to be making a product for other businesses. To this day, Windows, Office, and especially stuff like MS Teams feel like they were designed from the ground up for a heavily managed business environment with heavy surveillance and tight controls.

Stuff like Telemetry and requiring MS accounts for logging into Windows 10+ seem more of a nod to employers. It's really amazing how much MS has been able to convince users to give controls of their own devices to MS/employers/others. Stuff like using Outlook on a personal phone giving the employer the ability to wipe the employee's phone.

Like I don't think they have ever, in their years, seen end users of their products as "customers". I think they see businesses, sometimes independent developers, and advertising firms as their real customers.



> I'm curious how the culture was though. I always get the vibe that Microsoft has never been "end user oriented" if that makes sense. They always seemed to be making a product for other businesses.

I started on Windows XP and left on Windows 10 (skipping Vista and Win 8.0, and part of 8.1). Windows was always a tool to get things done. Buy a software license and you can be pretty sure you can run things indefinitely on it. Everything (almost?) was accessible by clicking, so ultimately discoverable. No need to learn arcane commands, just follow and imitate. And you mostly have to do the training once. Linux was an expert tool and macOS (I used it since Mojave) always felt like it's for people who compute, but mostly as a secondary activity (shiny and pleasant, but always lacking the remaining bit).

I've never thought of myself of being a Microsoft customer, just like you don't think of being a Dell customer or HP customer when using their monitors or printers. You need to get something done and Windows was the bedrock for that. Especially if you were hiring people to do it.

But now it's like seeing your workbench animating and contorting itself in new shapes every time you come close. Insulting your intelligence all the while.



For a moment my perception of Microsoft was that it has become a cool company (github acquisition, Linux Sub-system). I was impressed by how Satya Nadella turned the company around (at least in terms of image).

Between Recall and the mandatory account login to install Windows 10 I am progressively reverting to how I felt about them.



> For a moment my perception of Microsoft was that it has become a cool company

I think that they've been trying very hard to give out that image without really changing who they are.

It's not the first time that they try hard to look like they've changed, and it won't be the last.



Yes. Marketing. In the end, they are working for decision makers who can spend money.

Typical IT guy (not head) cannot spend money without 3 approvals from different departments.



I think 'parts of' microsoft really did become cool.

In developers world, pushing open source, or in gaming - xbox game pass is just best value that there is.

But for every cool department, there also exists one that still behaves as a predatory corpo. And it seems to me like their main target are 'normie' users.



Microsoft is ultimately a for-profit publicly-owned company, and are motivated to increase shareholder value. Being perceived as cool by the open-source community might play into that in some ways, but ultimately there isn't any revenue there.



I said on HN just a few days ago:

“The only good thing about Recall is that it has been the definitive decider of moving away from Microsoft permanently because for them to create such a ‘feature’ shows a complete lack of care about people’s private data - they’ll be leaving a huge jackpot prize for anyone who breaks into a system.”

And only 4 days later, it is shown.



lol they never really sold me on it. WSL1 with its nano processes is neat, but Teams is a disgusting mess and MS has been rather consistent with treating their users like cattle.



> Everything a user has ever seen, ordered by application. Every bit of text the user has seen, with some minor exceptions (e.g. Microsoft Edge InPrivate mode is excluded, but Google Chrome isn’t).

Microsoft was the company that used to add bespoke code to Windows to maintain compatibility with old third party software, patch explorer.exe to stop third party customizations from crashing it, etc. While the whole Recall thing is a pretty bad idea for most users, the lack of care extended to the third party browser with overwhelming market share among their users is just sad. Are they counting on people switching to Edge because “PSA: you’ll be recorded if you watch pr0n in Chrome!”?



It was surely just schedule pressure. There's no system-visible API for "incognito mode" (nor should there be, obviously, as it would defeat the purpose) so they just skipped it.

I dunno, and I say this as someone who works for a competitor and has no love for MS... a lot of the responses here seem really uncharitable. This isn't bad faith, it's just a rushed product with some poor planning. If Apple had rolled this same feature out with glitz and a giant slideshow about privacy and explained how everything was encrypted and never left the device, we'd all be crowing about how great it is even if it too was screenshotting incognito windows.



I thought about it for a minute, and sure, given a chrome.exe HWND, I can't think of a way to tell if it's Incognito.[1] But companies work with important vendors on major features all the time. If they think it's important enough to exclude private windows in Edge, they surely could have worked with Google to figure out something.

> nor should there be, obviously, as it would defeat the purpose

No it doesn't. Incognito mode is about leaving no trace on disk, that's all. Recall is the one defeating that purpose right now, if TFA is accurate.

[1] Not saying it's impossible. Only that I can't think of a straightforward solution in a pinch with my limited Windows experience and hacking skills.



In Firefox, check for "Private Browsing" in the titlebar. In Tor Browser… default to "it's private". In stock Chromium, look for the string "Incognito" near the Chrome hamburger icon (e.g. via IAccessible2).

It's not hard to support this functionality in the major browsers: it'd take me all of 15 minutes.



> apps allowing users to denote their windows as DRM content to avoid Recall

That would prevent user-initiated screen captures as well. Not a good idea for browsers at least.



> a lot of the responses here seem really uncharitable. This isn't bad faith, it's just a rushed product with some poor planning.

But it’s not the product people are criticizing, at all. Similar tools have existed for a long time and have not raised eyebrows except when it’s been forced by an employer or a school. It’s that it’s the OS putting an always on and enabled-by-default spyware on devices that are frequently shared by family members, when their average users who barely know what a web browser is and will just accept recommended defaults. Speaking of which, the whole spiel about Edge/IE is precisely their aggressive defaults. It’s the same here.

If you’re a startup building custom tools you can talk about rushed products and assume good intent. This software is built by a software company with some of the world’s best software engineers all the way up to the top. I mean, people trust them with everything from business secrets to payment details to mission critical services. This is clearly not a “rushed product oopsie”, it’s blatant disregard for privacy, and to a lesser extent, security.

I’m avoiding windows like the plague, but since seeing my mom get bombarded with “recommended Microsoft defaults” over the last decade or so, I’m convinced MS is deliberately exploiting uninformed users as much as they can get away with, while leaving hidden options for power users to disable the ads and the crapware so they don’t leave. This total recall debacle is probably a similar attempt at using their unknowing user base to train their new AI models, or similar. If it was a genuinely useful product it would not be enabled by default.



> It’s that it’s the OS putting an always on and enabled-by-default spyware on devices that are frequently shared

And I have to repeat: if Apple Computer had pushed the same product, but with a slide talking about how it was all locally encrypted and unextractable and tied to both the device and the user account, HN would be celebrating the attention to privacy even though macs too are "frequently shared". And the reasoning would be how strong the security engineering was around the process, because we love that stuff and we love macs.

MS doesn't get the same benefit of the doubt, and it leaks into the technical content of the argument, and that's wrong. And FWIW I'm mostly just handwaving the technical details. I mean, do we know for a fact that MS is *not* encrypting this with a TPM-managed key tied to the user account? I bet they are, honestly.



> if Apple Computer had pushed the same product, […], HN would be celebrating the attention to privacy

I don’t believe so, at least not if it’s enabled-by-default.

> MS doesn't get the same benefit of the doubt

Apple doesn’t rely on benefit of the doubt because they are very clear about how the privacy of new products work (say Touch and Face ID), and Microsoft is not. I mean just look at this very thread, it’s super unclear how it works and interacts with other windows feature (some of which are premium) like fde/bitlocker and whether there’s telemetry/training. That obviously contributes to the “harsh” response. As it should.



> bitlocker

Windows is actually pushing for bitlocker by default now. I believe new Windows 11 installs either are already or will soon start defaulting to enabling bitlocker across the board.

> telemetry/training

It's really just timer triggered screenshots + OCR + an SLM (small language model) running on device on a TPU/NPU, GPU, or other ONNX compatible device.

I'm generally super uncharitable about Microsoft since a lot of their stuff is a nasty black box with unclear security assumptions however with Recall, it seems like people are really jumping to conclusions without really even looking into what all it is.

This is a largely "unsophisticated" product made by bolting a bunch of more or less preassembled components and the bulk of which is open source.

- Screenshot + OCR is almost certainly Microsoft Powertoys Text Extractor (https://github.com/microsoft/PowerToys)

- The DB is sqlite but the system is probably just kernel-memory which is a local .NET application: https://github.com/microsoft/kernel-memory

- The SLM is Phi-3 which is open and designed primarily to run locally https://azure.microsoft.com/en-us/blog/introducing-phi-3-red...

- The actual underlying tech stack is DirectML (https://github.com/microsoft/DirectML) and ONNX (https://github.com/microsoft/onnxruntime).

----

So the data is intended to be encrypted at rest along with the rest of the OS, it's all run locally (which isn't a handwavy thing, the tech is all very much capable of running locally) and if you don't have hardware capable of running it, it shouldn't be enabled in the first place.

My confusion with all of this is why Recall didn't start out as a PowerToys feature. It sounds like the exact type of internal "look at this cool little toy I built" thing that generally makes it into PowerToys but I'm assuming some exec ran with the opportunity and said "this is awesome, let's ship it with the OS and make it a highliner feature for our AI push" which is how we got here.



> I mean just look at this very thread, it’s super unclear how it works and interacts with other windows feature

I agree with you, but that’s not great evidence for your point. Bring up any random Apple feature and people will be quick to warn you about their misunderstandings of it. “Face ID means Apple has all our pictures now!” “Apple Keychain shares all your passwords with them!” Etc.



Absolutely not would I give Apple a free pass either. They can say all the nice things they want about protecting my privacy, but I do not trust any commercial entity will act in my best interest. Especially when they all have government requirements to hand over my data when a cop asks nicely.

We are speed running into a neuromancer dystopia where tech companies control every facet of our lives. Why would I be ok with them making it easier to monitor my every keystroke?



I didn't say we should be grateful about that.

I'm saying that thankfully they are not using the threat of your guarded personal data being exposed because you want this feature but don't want to use Edge.



That's what they say in marketing materials, but TFA claims to have dumped their database and was speaking from experience dissecting that. Hard to say which should be trusted.



TFA is using a preview release of Windows modified to run on hardware that isn’t officially supported, I would lean towards trusting the marketing material on what will be supported at release.



Thankful for not pushing Edge if you decide you want this feature. This feature is something the community has been independently creating for years.

Personally I don't think people should actually allow this type of feature. It's too much of a risk. But my point stands on its own, that at least they aren't creating an even more perverse incentive to use Edge, which they absolutely could have done, and seems the MO of the Microsoft today who would sacrifice all else to be able to say there's 1 or 2 more Edge or Bing users.



While they seem to be adding an API for it, if you wanted you could just add a "block screenshots" API.

This is already basically in place with DRM since the windows screenshot utility won't screencap most DRMed content on win apps like netflix or even on firefox nowadays.

What MS is adding on top of this is an API to check which tabs/web pages are visible and selectively black out web pages that are added to a given user level blacklist.



If you want to be really consumer focused, the OS could keep the browser (and other apps) honest about some of its privacy guarantees by not affording it any persistent storage between sessions.



So I just add a new custom toolbar to the bottom of the screen titled "Incognito" so that the text is always there, and suddenly nothing's being recorded anymore? :P

On one level that's convenient, but on the other hand I'm not sure it's a very robust design.



What if it’s fullscreen? What if the title bar of the window is off the screen?

A better solution would be to just pause the screen capture whenever incognito is open anywhere



Watching users flock to Apple's walled garden, to the point where it's a social issue to not have an iPhone, has left Microsoft (and many others) wondering why the fuck they have been so accommodating to user choices for all this time.



I've been married for ages (so I can't speak to this first-hand), but my single friends in their late-20s to mid-30s say that NOT having an iPhone gets them rejected fairly often.



Seems to me like an effortless way for them to automatically filter out terrible, shallow partners from their lives before investing anything into a relationship. What a time-saver!



I think you are missing the first half the modern male reproductive lifecycle. What you are saying increasingly applies to 30's onward (when males are looking for long term family relationships) but for the 20 somethings many are looking for these shallow, vacuous women because they often can be convinced into meaningless sex. It's a pretty sad state but it appears to be this way now.



You and I are in violent agreement on this, but... the younger generation seems more interested in 'smashing' these days than 'partner-seeking'. Can't say I was MUCH different, but I certainly wouldn't change the daily-driver tech I use just to peacock for a hot date.



Perhaps that’s more prevalent in the US and wealthier districts? I haven’t seen any of that in the UK (everyone here seems to use WhatsApp, Instagram, and Snapchat which I similarly dislike)



I’m in that age range and I’m married. A few years ago when I was still a single man, I experienced this firsthand at least a few times. My primary device wasn’t an iPhone and I had women tell me they “don’t like texting with green bubbles”…it was pretty bizarre, to say the least. In hindsight, I’m glad those women filtered themselves out, but it’s definitely really rough out there for our society’s young men.



It can definitely be an issue on the dating apps to be a male looking for gf material if you’re using android. I think it’s because of the shallow tech knowledge of other people as to why android is as good as apple, but the heart wants what the heart wants. For those saying such people are “shallow”, it’s just as shallow to assume the same, as one data point does not tell the whole story in my experience.



Possible steelier arguments:

- "iPhones are generally more expensive, Android phones are generally cheaper", so having an iPhone signals financial "goodness". Same argument can be applied to lots of other products.

- "iPhones are generally better, so if you have Android you're compromising for some reason", e.g. lack of money to buy one, "weird" political/social/other beliefs, etc.

- Messaging systems are like accents; some people might prefer dating someone who speaks their language in a more similar accent, and others might prefer dating people who use the messaging system they prefer.

Also, a lot depends on your definition of "shallow".



I would argue that not having an iPhone is behaving as a filter for likely incompatible pairings if not possessing a particular brand of phone is an issue to any prospective partner.



I've been a serial dater since 2001. Moved to Android after an iPhone 3S mishap. So at least a decade on android.

I have heard at least 10 women JOKE about my android. I'd say at least 2 gfs in those years eventually made some snide remark.

Will you get dumped for having an android? No. Is it a small -1 mark for most women? I would say so.

And no these aren't totally brainless women. It's been doctors, MBA grads, women in tech, a writer.. I honestly think more regular women are more sane about it actually and wouldn't care as much as 'fancier' women.



Most people just don’t care that much about tech (they have other shit going on) and will use whatever is put in front of them.

I think the tech community is responsible for keeping companies like MS in check and pushing back against literal spyware being normalised in operating systems.



It's a thinly veiled ploy to get training data to train their generative AIs in user activity with the hopes of teaching AI the workflows of people, so it can replace them.



When Steve Jobs said Microsoft had "no taste" to Bill Gates during an interview, I think one aspect of that is that Jobs had high EQ as well as high IQ. Jobs understood how people felt about products. Microsoft doesn't. When I worked at Microsoft I don't remember any conversations about how people would feel about a feature. That was awhile ago, but it looks like nothing has changed.



I think it's beyond the point when M$ makes "IQ choices" that are invasive. It's not a feeling, it's borderline rights violation, if not explicitly waived by EULA.



> I think one aspect of that is that Jobs had high EQ as well as high IQ.

Doubt. Jobs was a deadbeat dad for many years, refused to acknowledge his daughter or even admit that he named a computer after her, treated employees and cofounders like crap, etc. I think Jobs had a very low EQ, perhaps even a sociopath. He was just lucky, shrewd, and ruthless. Accounts of his last days indicate that even he regretted his behavior.



I was speaking to what Steve Jobs had that made him successful, not to his messy behavior and personal life. A lot of great artists were borderline or full on terrible people. We still appreciate their art.



Even professionally he doesn't seem "high EQ" to me. Often taking undeserved credit and shoving coworkers under buses when it was unnecessary, just for his own greed and ego. He may have even been emotionally manipulative.

> A lot of great artists were borderline or full on terrible people. We still appreciate their art.

Speak for yourself. Whenever I learn that an artist is a monster, I think I appreciate their work much less. Thankfully much of Apple's success is due to the work of hundreds and thousands of others, not solely this "great man" who's worshipped among the faithful.



Steve Jobs led teams to innovate in several industries, such as computing, music distribution, film making, mobile computing etc... I don't worship him or Elon Musk but I recognize their talents. To do less would be to deprive myself of learning from their good qualities. I would like to emulate those. Of course I would trust myself to implement them in a better way that doesn't hurt other people.



What do you think made a wealthy person be a 'deadbeat dad' and not want to acknowledge the child?

Wondering if you can imagine a scenario you'd be ok with.

I for one know of a guy that was told by his gf she was on birth control. Turns out she purposely wasn't so that she could have a baby with him. This isn't someone's guess. This was told to my sister by her best friend.



The privacy concerns here are real and massive, and I suspect this will get worse before it gets better.

However. This is the holy grail of computer usage. A good version of this could be the killer app for modern AI. Because of that, people are going to keep trying to make this feature happen. There’s already a popular implementation on macOS. I’m excited for the end-state, but apprehensive about getting there.



> However. This is the holy grail of computer usage

i’ve seen this often and i’m trying to understand the issue. i have never wanted to go back in history or have a comprehensive history of all my actions. the only exception is the terminal and for that ctrl+r/history is more than enough. i learn, apply and move on.

what’s the use case for this recall thing?



I often have 100 tabs open so that I can find things I was looking at again. I regularly browse my browser history to try to find things I saw previously. I often remember seeing something in a chat session somewhere, but can't remember which person/channel/room it was...

Being able to search everything I've seen on my screen would address all of these. I think it would fundamentally change how we interface with computers, if we could do it reliably. Silos between applications can start to break down when you have sufficient intelligence about what's on the screen too, and that's a huge opportunity.



interesting. thanks for the reply. i also used to have lots of tabs open till i realised i need to organise better. since then i keep a few tabs open at max and regularly close all my tabs. i also tend to open a tab, read what i need to and then close it. no more clutter this way.



As someone with ADHD, being able to have an assistant with perfect memory that I can ask extremely vague questions to about things I'm pretty sure I did some time between last week and 5 years ago sounds amazing. I'm skeptical Recall will actually be able to do that. I doubt its usefulness outweighs the legal and social concerns. But I can absolutely see the use.



> what’s the use case for this recall thing?

Surveillance, very obviously.

It'd be reasonable to see this as a waymark on a roadmap.

Which is why it makes little sense to users. Why it is counterintuitive in that it will drive people away instead of draw them to the product. And why it is being rammed out into the market regardless.

What's the waymark after this?



You don't see how having perfect / idempotent memory of every single thing you've seen on your computer would be useful? Half my day on my computer revolves around trying to dig up info I've seen previously that I didn't save/categorize properly. Not even having to bother with the categorization bit in the first place would be an amazing productivity improvement.



I wonder what kinda data they will get cause most people who code and do heavy stuff I think are on mac/Linux so I wonder how good the data they gather be you know? Mostly moms and dads using their computers wrong this is what I imagine my head is the data they gather, like maybe 50-60% of it lol and heavy users with good data are nowhere to be found



"moms and dads using their computers wrong"

What the hell is the "wrong" way to use a computer? Emails, social media and doing your banking?

And why attack "moms and dads"? Speaking as a grandfather, I find it insulting, having used and programmed computers since the 1970s.



> What the hell is the "wrong" way to use a computer?

Searching for your bank's website rather than bookmarking it, and entering your credentials into the phishing site that's the top result.

Installing Anydesk or something for the "nice gentleman who called me from Microsoft to tell me my warranty had expired and he needed gift cards to pay for it."

Those are the two most obvious ones I can think of. There's a multi-billion dollar "industry" separating especially older people from their money using computers.

Frankly if you've even been around computers for 50+ years and haven't encountered the many and varied ridiculous ways people can use them "wrong," I have to wonder whether you've ever had to deal with regular people using them in the real world at all.



> Searching for your bank's website rather than bookmarking it, and entering your credentials into the phishing site that's the top result.

This isn’t wrong so much as a damning indictment of the tech industry’s inability to fix core issues despite having more money than god herself



Eh, I'm a pretty advanced user by any means, and I still search for my bank's website a non-trivial amount of time. I have a bookmark, but it's honestly just as fast to do it that way



It is not wrong because it is slower. It is wrong because it is a security problem. A typo in your search or a phisher who managed to SEO their results above the genuine one, and you end up on a malicious site identical except for a hard to spot detail in the URL. You enter your username and password, and probably even helpfully do the 2FA dance for them to let them drain your account.



Almost every millionaire and billionaire you've ever heard about is a parent.

Don't take so much joy out of the fact that you're currently the only member of your thousands of years old generic lineage that hasn't procreated.



I'm somewhat with the parent on this. Getting this right will probably take a long time but can eventually bring us something like J.A.R.V.I.S, whereby an AI agent can reason about all activities you've performed on the computer in the past and give you advice or perform full tasks for you based on that. We can argue whether we want to give the AI that level of trust, but I'm very interested in the potential.



One of the most popular features ever used on every computer is the Undo button.

One of the most common questions every computer user has at any given moment is some variant of "What/Where was it?".

I agree it's a holy grail, but it's also a road paved with good intentions.



Doesn’t Windows already have a data store that’s encrypted with a key that doesn’t exist in RAM unless you’re logged on? And some kind of isolation of sensitive processes in a VM?

Malware can probably read most of the user’s data in RAM, but if OS components keep getting more isolated from each other, maybe that can be secure enough.



Why is a padlock with the key stuck right into it secure? The encrypted data and the decryption key is on the same physical device.

Sure, memory isolation techniques may serve as a deterrent with extreme care. But if Microsoft increases the attack surface by sloppily integrating that feature everywhere in Windows, the yet-to-be-implemented-if-at-all encryption is going to be ineffective. And that’s going to happen more likely than not.



That's exactly the kind of thing I was referring to when I wrote "memory isolation techniques." Even if you gate access with an API, you can still retrieve data from it and that's the problem.

Also, it should be clear by now that government agencies are going to demand access to this data once this becomes widespread. VMs aren't going to protect against further assault on our civil liberties.



How does that work? Can authorities compel Microsoft to surreptitiously have only my computer randomly unencrypt and submit stuff? If so, couldn't the authorities just tell MS to activate a tool like recall anyway?



The same reason banks get occasionally robbed, despite all security cameras, delayed openings, biometrics, armed security, and everything else put in place.

When there is a will, there is eventually a way, for anyone with enough resources.



No. The holy grail of computing would be taking an instant snapshot as you do with emulators/vm's from anywhere, allowing you to rollback anytime, restoring the CPU and memory settings in the spot. With incremental snapshots, 'branches' and so on, switching back and forth seamlessly as you would do with save states under an emulator.

And with 'no time', with a delay of less than 5-10 seconds on creating/restoring a snapshot.

On search, as they stated, Recoll did it fine over 20 years.



I strongly feel that the "this is the holy grail of computer feature" take is tech-industry mindbubble. This line in the article hits very hard:

> A lot of Windows users just want their PCs so they can play games, watch porn, and live their lives as human beings who make mistakes

The vast, VAST majority of Windows users don't care about a feature like this. You might say "if we'd ask people what they'd wanted they'd have said a faster horse", but we've seen this play out time and time again since ~2014 where the tech industry believes some thing is going to be Next Big Huge, it doesn't stick, and Microsoft Office continues to make fifty billion dollars a year because, it turns out, we kinda solved PCs in the 90s and 78% of what We The Tech Industry has invented since then has a market 5% the size the hype would lead you to believe. Metaverse, VR, AR, Crypto, Decentralized Finance, AI, Voice assistants, tablets (what's a computer?), quantum computing, IoT (all consumers love our toasters connected to the internet, this is undeniable and people pay extra for this /s).

Sometimes people just want a faster horse; which in this case means "filesystem search that actually works". The techbro response to that is "well, you can have both" but there's fucking actually zero evidence of this, period, neither Microsoft nor Apple have demonstrated the capability to get the basics of their operating systems right anymore, We Their Customers should have zero faith in their ability to even get this right, as articles like this demonstrate.

> I used Microsoft Defender for Endpoint — which detected the off the shelf infostealer — but by the time the automated remediation kicked in (which took over ten minutes) my Recall data was already long gone.

This isn't a Microsoft problem; well, obviously it is, but it's really an industry problem. Sorry for waxing abstractly here, but we've literally actually forgotten how to build software [1]. The smart & dedicated people have either left the industry or have been marginalized by MBAs, and the kids are rewriting the Windows Start menu in JavaScript [2].

[1] https://www.youtube.com/watch?v=ZSRHeXYDLko

[2] https://x.com/Zeko369/status/1791141890106290670



There was a movie about this exact thing. Antitrust (2001) was about a Microsoft-like company monitoring everyone’s computer and stealing code.

23 years later and here we are.



When I watched this film, I immediately thought during the finale of this film that the story of this film is so "wrong" because the public will barely care about the misdeeds of NURV (or rather: those who do care basically already "know").

From today's perspective, considering for example the Snowden and Wikileaks revelations that caused exactly these barely-nil reactions in the public, I know that I was right regarding this feeling.



I wouldn't say they caused barely-nil reactions. Maybe to the general public and to a random bystander if asked, but they still had implications for the public's overall trust in the government. And for users in the affected spaces (tech, security, etc.) the reaction was stronger and longer lasting.



> but they still had implications for the public's overall trust in the government.

In my observation it really was as I described:

- those who already deeply distrusted the government continued to do so

- the others (the huge majority) simply barely cared or even attempted to justify the crimes

Concerning your point about tech and security sectors: those who form the inner core of the people working in these sectors basically already knew what was happening since at least the 90s.



Nobody votes for net neutrality or internet rights or privacy focused groups. I agree that there were almost no reactions. June 6th people will vote for European elections, let's see how many seats the pirate party gets.



It depends on what you see as an appropriate reaction to wikileaks and Snowden. It was a structural problem, and no governing parties ever tried to stop it so voting it out for instance wasn't a solution.

Perhaps Trump's support could be a far reaction to it, with no clear direction but just a strong wish to screw it all. We see the same in other countries where people go to the extremes as discomfort rises with no actionable way.



In 2001, image sensors and the electronics to drive them were far larger than they are today, an endoscope-style fibre optic isn't necessarily ridiculous if you only had a tiny hole to sneak through a thick obstruction.

Even today, a non-CIA-grade camera head is probably 2-3mm across and the optics on a fibre optic can be far narrower.

You can only have a pinhole spy cam if you have a void directly behind the pinhole.



Well, I assume they can do better than a £10 USB endoscope from AliExpress!

But even if you have some ultratiny thing hot out of a classified lab, fibre optics also keep the active electronics further away and harder to detect.



I think, roughly, having good access to information is a super power (good being a mix of mostly: quick, simple, easy, accurate, free). My personal information is most valuable to me, so having access to that is specially powerful.

The only way to make that happen is to store that information somewhere. The best way to do anything, that I just want the benefits of, is automatically.

And now we are here. It feels monstrous but, to me, the above still stands. How to connect the dots to get to a place that feels good, I do not know. I would not be shocked if it turned out to be mostly about adjusting ourselves to it over time.

But I am almost 100% positive we will all* want this super power, in some much better and much more complete form, in our future lives. And not being able to have it will feel absolutely silly, from there on out forever.



The tradeoff is security and privacy. Important things. If you click the eye icon next to a password, or paste a secret to an env var you are now exploitable. If you have something you want to keep private or shred this is another place to delete (or forget to do so). So there are plenty of anti-benefits to this superpower.



I understand. Nobody* will care.

People already have traded privacy and a comprehensive personality profile for silly streams of video, photos and text on social media for the past 20 years. Imagine what happens, when you get something immensely useful out of it.

Today, nobody will work with you, if you are unable to manage E-Mail. In the future, nobody will work with you, if you can't properly use the time information dimension that this technology enables. You will simply look demented by comparison.



If that is the case then like anything else let’s make it, well… good. And that includes making it safe, secure and privacy focused.

A good delineation is your work PC will be spied on (assume anyone in the org can see what you are doing, even before this tech).

Opting out of it on personal devices is fine. You won't look like an idiot or be refused work I am sure.



It’s only a superpower if you have full control over the data and no one else has access. If someone else has control and access, it’s THEIR superpower over you.



> How to connect the dots to get to a place that feels good, I do not know

With an eraser, entirely not interested.

I'm willing to make the bet on this FOMO that while people risk this, I'll still be just as employable by living like it's 1999

I provide the value, not what I did before



2017: People are forced to swallow spy devices in order to continue to interact with their work/life communities

2024: People are forced to swallow keyloggers in order to continue to use their desktop PCs.

Most don't know what they're agreeing to, because most people don't have the time to be experts in tech despite it affecting every factor of their lives, much in the same way that tech people don't have the time to be farming and agriculture experts in their free time despite it affecting every factor of their lives.



>Most don't know what they're agreeing to, because most people don't have the time to be experts in tech

I used to think this maybe 20 years ago, but I think it's about time we shift gears to the realization that the reality is people don't care about tech privacy and security.

We have to remember: The internet as most people know it (the World Wide Web) is 33 years old, personal computing is even older. The 30- and 40-year-olds literally grew up with all this. The 10- and 20-year-olds are living all this from the moment they were born. Even legislation like GDPR came into force. The result is still nobody cares.

Lack of awareness isn't a problem anymore. Everyone knows, nobody cares.



That's a vast oversimplification. Try flipping it to anything outside your personal scope of skills and knowledge to see how wrong this position is.

Example: tap water quality (assuming you live where tap water is safe to drink). Do you know how it works? What steps are being taken? Could you fix that yourself for your house if things break down? And yet, you probably care.

Another example: car safety features. Could you add a crumple zone to an 80s car? A cage construction? Yet you probably care that any car you're in has those properly engineered and no part of your body will be crumpled in case of a collision.



> Lack of awareness isn't a problem anymore. Everyone knows, nobody cares.

I strongly doubt that based on what I've seen. People install random apps on their phone just because they wanted to crop a picture and frame it or trim a video and compress it, because they ultimately think that nothing will happen to them. Like you don't expect your fridge to blow just because you open the door.

Another issue is that people are trustful. They trust their government to have laws for that. And even if a few accidents happen, they shrug because for them, the system generally works. And they don't care, just like you don't care a business having security cameras while you're shopping. Because you trust they will be sensible with the recording.

Tech privacy and security is nebulous for people and we have hordes of companies marketing that it does not really matter and the government not doing anything. And most people don't feel the impact. Getting them to understand is hard. Because they think that when they click delete, it's gone. Or if they've not posted, only they have the only copy.



I question the usage of the word "willingly". People aren't really aware of the consequences of their actions.

The people of Troy didn't "willingly" bring in a huge wooden horse full of enemy soldiers. They "unknowingly" brought in a horse full of enemy soldiers.



>Q. Are Microsoft a big, evil company?

>A. No, that’s insanely reductive. They’re super smart people, and sometimes super smart people make mistakes. What matters is what they do with knowledge of mistakes.

Never attribute to malice that which can be adequately explained by neglect, ignorance or incompetence.

But

>Q. Did Microsoft mislead the BBC about the security of Copilot

>A. Yes.

>Q. Have Microsoft misled customers about the security of Copilot?

>A. Yes. For example, they describe it as an optional experience — but it is enabled by default and people can optionally disable it. That’s wordsmithing.

Maybe at some point we should reconsider.



> The overwhelmingly negative reaction has probably taken Microsoft leadership by surprise. For almost everybody else, it won’t have.

I sometimes (always) wonder which planet Microsoft leadership live on - it's certainly not the real world that you and I live on.



That was very well written and reasonable, neither minimizing the risks nor succumbing to hysteria.

The idea behind Recall, universal, machine-assisted search, is a good one but it's embarrassingly clear that in terms of implementation, this ain't it, chief. Microsoft should do what Google has done with Sky -- withdraw the product, take the hit, and hope that something can be salvaged from this debacle, both in terms of an improved product, and better company-wide testing and rollout practices.



I think the idea is a good one, I just have zero trust in Microsoft to have my interests in mind so it becomes a question of when, not if, it becomes abused, if not by them then some bad actor.



> In practice, that audience’s needs are a very small (tiny, in fact) portion of Windows userbase — and frankly talking about screenshotting the things people in the real world, not executive world, is basically like punching customers in the face. The echo chamber effect inside Microsoft is real here, and oh boy… just oh boy. It’s a rare misfire, I think.

> I think it’s an interesting entirely, really optional feature with a niche initial user base that would require incredibly careful communication, cybersecurity, engineering and implementation. Copilot+ Recall doesn’t have these. The work hasn’t been done properly to package it together, clearly.

Definitely needed some copy editing however.



This is poorly written and completely nonsensical.

Also a clickbait: nobody is stealing anything.

If you get malware or you have other admins on your computer, they can already record anything you do at their will.

The data is NOT uploaded to M$.

The whole fuss is stupid and I am impressed 90% comments here seem to think otherwise.



If you get malware, these malware will only begin to record things once they are installed. They do not automatically get years of computer use history. Until Recall.

It seems like you live in the same kind of detached echo chambers as the people at Microsoft who approved this feature. No wonder you find this nonsensical. I bet the product managers responsible for this also find this article nonsensical.



Right, the malware will only be able to get all the documents you wrote during the years of using the computer, all the emails you ever got or sent, all your chat conversations, your bank account details, photos and videos you made, complete browsing history, access to your work account(s).

Of course it is critical that it does not also know what porn you watched in incognito, or what you had in snapchat messages.

Wait, scratch the snapchat. I don't think they have desktop client.



Recall needs to ship as a completely separate application. In fact Microsoft should also charge a nominal fee for it so no one accidentally installs it.

Still this is the worst spyware ever made. Have a telehealth appointment, lawyer conference, loan application, now Recall will store all that like it or not.

This made me decide to go with a non Snapdragon Laptop since I want nothing to do with this. Gonna dual boot with Fedora (sorry Debian, but it looks like Stable is a bit behind what I need hardware support wise).

Microsoft is making a serious argument for going full Linux + maybe a PS5 for competitive gaming ( since anti cheat is Windows only by design).



Oddly enough I game on windows, and have been considering your last sentence, though I'm mostly waiting out Arm Linux for battery life considerations.



I also use Windows for music.

I really really don't want to switch to OSX here since a 4TB drive is literally a 1200$ upgrade for Macs. Compared to 200$ when you can upgrade it yourself.

Music production isn't great on Linux.



> sorry Debian, but it looks like Stable is a bit behind what I need hardware support wise

bookworm-backports has kernel 6.6, which is the very latest LTS series. Is this not new enough?



Probably not the best option for people unfamiliar with the Debian ecosystem. Debian testing is mostly fine (I've run it on my desktop for more than ten years), but apt WILL occasionally choose the wrong solution in the midst of mass package migrations and it requires vigilance from the user not to accept package upgrades/removals that could render parts of the system unusable.

There's about a year left in the Trixie development cycle so some mass migrations might still happen. If you choose to run testing anyway, make sure that all entries in sources.list refer explicitly to trixie and not testing -- because once trixie is released, testing will automatically point to the next Debian release and you'll get all the joys of the package transitions and mass migrations for trixie+1.

As they say, the greatest thing about Debian testing is that when it breaks you get to keep all the pieces.



Eventually they can just re-enable it as part of an "important update". They can even stop you from being able to disable it entirely. If you're using Windows, it's not really your computer. At least you aren't the administrator of that device. Microsoft can access any file, install any software, change any setting, or remove any access at any time for any reason with no notice or indication to you that it happened. They can even shutdown your computer. Any device which works like that is not one that's under your control.

Every internet connected windows computer is insecure by design and cannot be trusted to protect your privacy or security.



> Microsoft can access any file, install any software, change any setting, or remove any access at any time for any reason with no notice or indication to you that it happened. They can even just shutdown your device. Any device which works like that is not one under your control.

Having this power is inherent in making the OS. Whoever is the vendor of your particular Linux distribution has the same powers, it is just that you trust them not to use them (or, in a very small theoretical minority of cases, you’ve audited the code and binaries yourself).

So yes, you shouldn’t use an OS from a vendor you don’t trust, I agree completely.

I don’t understand why people are acting like this is earth shattering news though, this has always been the case since people started using software they didn’t write themselves.



> Having this power is inherent in making the OS.

No, it really isn't. For decades I owned computers with operating systems which didn't have that capability. Once installed and configured, the OS was consistent and (reasonably) stable. Someone would literally have to break into my house or office to modify my settings or install software against my wishes.

Even after I started connecting my devices to the internet the OS itself had no ability to do these things and couldn't gain that ability unless I explicitly chose to install updates that enabled that behavior. That's entirely different from the situation today where MS forces updates and restarts, installs unwanted software on our computers, and has files and folders that we (even using administrator accounts) don't have access to.

Linux too is very different. Linux is transparent about what it does, adds, or changes. You have the power to choose which updates to apply or not. You have the power to modify any part of your OS so that it does what you want. I can't speak to all distros out there, but I've never seen a linux system force a restart in the middle of the day, or reinstall applications users removed without notice. Can't say the same for Windows. Unlike Windows, linux typically respects its users and their wishes.

You really don't have to write your own software in order to have software that respects you and leaves you in control of your own devices. It's kind of crazy that you'd think there could be no other way.



> I can't speak to all distros out there, but I've never seen a linux system force a restart in the middle of the day.

My point is that there isn’t a technical reason that prevents Linux distros, or any other OS, from restarting your computer whenever it feels like it.

By definition the OS has control of the hardware and software and thus whoever writes the OS inherits that control.

I completely agree that there are good reasons to not trust Microsoft and people who don’t should not be using Windows.

I just dislike the framing of this issue as a recent development rather than an inherent problem of running software you didn’t write.



> My point is that there isn’t a technical reason that prevents Linux distros, or any other OS, from restarting your computer whenever it feels like it.

Go install MS-DOS 6.22 on a computer. You can leave that system up and wait your whole life and you'll never see it suddenly restart your computer without asking. The technical reason why it can't is because there is no code in that OS designed to check for and accept an order from someone at Microsoft to restart your machine without asking. It doesn't exist. You could choose to find or write and then install new software that gives that OS the capability to do it, but that capability just isn't there otherwise.

There's no rule that an OS has to include code to violate the rights and will of the people who install it on their devices. That's a choice that MS made. Far too many people have accepted that behavior from them so they keep pushing and pushing with new and increasingly user-hostile code and behavior but none of that is inevitable or unavoidable. That is what's a very recent development. For a very very long time no operating system would have dared to violate their users that way. None of them did.

Yes, at a certain level you have to be able to place some level of trust in your OS. Especially one with internet access. MS has shown themselves to be entirely untrustworthy, but they could still change all of that. They could strip out every line of code that allows them to remotely access your system without your explicit permission. They could be 100% transparent about what their updates will do to your computer if they are installed and they could give you the ability to not install any update you didn't like and revert to any previous state. They could give you full access to every file and directory and process and give you the ability to control every aspect of their OS. They could vow to never modify a setting after you've changed it. They just choose not to do those things, because they don't care about you or your privacy or your wishes, or your rights. As long as people continue to use windows, Microsoft stands to make a lot of money by ignoring those things.



Right. There is no technical reason why the OS vendor couldn’t attack you in the past, but software industry norms have changed over the years. What has changed is trust.

Today, you have to consider commercial OS vendors (and third party application developers) to be remote attackers in your threat model. More and more, they write their software to serve themselves rather than their users, and to make computers do what they want them to do, not what the users want them to do. This was not the case decades ago, even if the technical ability was there all along.



> More and more, they write their software to serve themselves rather than their users

Well said! I really miss when our products served us but I can't think of a recent purchase of anything internet capable that wasn't designed to work for someone else (and against me no less). I don't see "never own an internet capable product again" as a viable option here, and I'm not sure what else we can do to protest this besides push for government intervention. In the meantime, I try to firewall off whatever I can.



> My point is that there isn’t a technical reason that prevents Linux distros, or any other OS, from restarting your computer whenever it feels like it.

Wrong, the point of the operating system is to manage local state, hardware, etc.

The point of viruses, malware, and spyware is to exfiltrate data and control from a set of systems. This is getting to the point where Windows itself is a worse virus than just downloading the random shady program from the internet, with all anti-virus turned off...

And the technical distinction? You can turn off everything in linux, you can make it so the computer cannot update itself. The Operating System is unable to change itself in this configuration, the only way around this is for you to choose to update it.

This cannot be done with Windows, not without resorting to technical tricks that look a lot like what malware and viruses have to do. This is a pretty important technical distinction:

Operating Systems don't have built-in backdoors that you cannot turn off by design.

Malware and botnets, have built-in backdoors that you cannot turn off by design.



> Wrong, the point of the operating system is to manage local state, hardware, etc.

Yes, and to manage local state and hardware it needs to be able to control the hardware and other software.

You can build an OS that doesn’t take advantage of those capabilities but you can’t build an OS that doesn’t have them. Hence why the key is trusting your OS vendor.

> And the technical distinction? You can turn off everything in linux, you can make it so the computer cannot update itself. The Operating System is unable to change itself in this configuration, the only way around this is for you to choose to update it.

Sure you can do all that but what you can’t do is make it so your Linux based OS can’t control your hardware and software. At the end of the day, the key is still trust, either in your vendor or in your own audit.

You have presented a great many reasons why Linux is more trustworthy than Windows to many people but you cannot get around the problem of having to trust someone.



> but you cannot get around the problem of having to trust someone.

You still don't get it...

At the end of the day, I don't have to trust anyone with an OS that I fully control, with hardware that I fully control, because I can verify every bit of hardware, every bit of software, even stop the kernel from doing things if I want to (yes it's possible, technically).

Sure, I can place some temporary trust in some components, but it doesn't matter really, because I can always swap/disable/remove/audit/reaudit any component. You can choose to trust, as much or as little as you want. I don't have to use the kernel at all if I don't want to, I could swap in another one and still be good to go (more or less).

This is different from the case here, where by default, not of my choosing, actively and persistently nearly every aspect of a Windows computer is obfuscated, un-auditable, actively and without consent doing things that are not operating system things but spyware, bloatware, crapware, or just straight up malware. You can wave your hands around as much as you like waffling about "trusting someone" but there is a big big difference between someone acting reasonably, and choosing to allow them into your home, and "trusting" someone with a knife to your back not to shiv you.

One is reasonable, a choice, and low risk, the other is clearly none of those things. You don't have to "trust" low risk situations, they are just low risk, no trust involved.



There's still a big difference between "a surreptitious hack is technically possible with future development and getting you to accept a bad patch" versus "the company is actively using sketchy powers and trying to make them constant and socially normalized."

In one case, someone discovering sketchy secret backdoor code causes a huge flap and damage to the company's brand and stock price etc.

In the other, some corporate drone bafflegabs about it enabling superior customer satisfaction synergies, while pointing to a tiny clause in an enormous contract of adhesion to claim everybody knowingly agreed to it.



I don't think msft will give you the code for windows to review it if you ask nicely, unlike linux where it's already available.

if you're paranoid about the distribution of your pre-built distro you can compile everything by hand and some do that for fun.

so putting them on the same pedestal is weird mind gymnastics.



Yes, if you compile your own binaries, audit the source code, and for good measure audit your compiler and the system you are using to compile it, then there is a meaningful difference*.

Since 99% of users don’t actually do any of that, then in practice there isn’t actually a difference.

* I am aware that there are shades of grey between the scenario I describe and proprietary software - I am just being hyperbolic for rhetorical reasons.



> Since 99% of users don’t actually do any of that, then in practice there isn’t actually a difference.

I understand the hyperbole, but in practice we have strong evidence that MS is willing to intentionally use their OS against you, while we don't for your typical linux OS. That really means a lot.

When linux distros disrespect their users even a little (see for example https://www.pcworld.com/article/436097/ubuntus-unity-8-deskt...) users really don't put up with it and they can switch to another distro with very very little effort/change and even have the ability to modify the source and fork the OS. That helps to keep people a little more honest.

The backdoored compiler problem is a bit harder. We can write our own, but it's turtles all the way down. Increasingly we also have to put a lot of trust in our hardware. There are only a small number of companies making CPUs and wireless chips. I imagine they're under enormous pressure from governments to compromise the privacy and security of the people using that hardware and we have less trust in our own devices the more we have "trusted computing" forced on us.



Trust is earned.

Your partner always has the capability to screw you over, cheat on you, embezzle from the shared account, whatever.

Linux is like a nerdy guy who stays at home, plays with Warhammer figures and cooks you dinner.

Windows is an OnlyFans model who goes on vacations for weeks at a time and ignores your calls.



Yeah this is my problem with windows. I’ll delete or disable things that were added to my machine only to have windows update restart my computer and those things show up again. I’m using a legit copy of Windows 11 Pro and it’s absurd that I’ve had to delete or disable random shit like social media apps multiple times.



I know how you feel. I was a fan of DOS, Win98SE, Windows 2000 Pro, and Windows 7 Pro (until 7's updates started including Win10's invasive telemetry). The good news is that alternatives are better than ever and the few windows applications I still use can run using wine (or worst case a VM).



Meanwhile, features like "secure" boot will stop you from patching this spyware out when it inevitably becomes impossible to disable completely via ordinary means, and even if you manage to find an exploit to "jailbreak" through, remote attestation will ostracise your machine from all the services that will eventually use the "telemetry" gathered to grant or deny you access based on how "human" you are.



To anyone who thinks this sounds far fetched, check back in a couple of years. I can only think of one alternative future, in which things are not headed in this generally Orwellian direction, and the alternative may be even worse (complete or nearly-complete social collapse)



In a system where everyone breaks the law (because there are so many) and everyone is spied on (so you can prove anyone did some sort of “crime”) you can now coerce anyone you like if you get to make the decision of who to charge (like governments do) which is useful for silencing dissent or opposition.



I'm trying to square the claims in this article with what Microsoft says.

Article: "This database file has a record of everything you’ve ever viewed on your PC in plain text"

Microsoft: "Snapshots are encrypted by Device Encryption or BitLocker, which are enabled by default on Windows 11."

https://support.microsoft.com/en-us/windows/privacy-and-cont...

The article is a little bit hand-wavy about how exactly the database comes to be decrypted and remotely exfiltrated. The headline says it takes "two lines of code" but unless I'm missing it, I don't see those lines discussed in the article.



The database is not encrypted while the system is running. Microsoft's claim that it's encrypted is due to the machine being encrypted at rest with BitLocker.

The databases are plain-text sqlite files within the current user's %appdata% folder.

So, literally anything that can grab those files and put them somewhere else can qualify as exfiltration. Any backup product worth its salt would be covering these databases.



BitLocker encrypts the hard drive contents at rest, but while the system is booted, the drive is transparently decrypted. So what Microsoft says is technically true, but doesn't necessarily present any kind of barrier to the database being exfiltrated by malware. It only protects against somebody stealing your hard drive.



Well, BitLocker (i.e. device encryption) is only protecting you from offline attacks, i.e. when someone pulls your hard drive to examine it. Code running on the machine itself wouldn't be affected by it.



From the article:
  Q. Have you exfiltrated your own Recall database?
  A. Yes. I have automated exfiltration, and made a website where you can upload a database and instantly search it.

  I am deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something. I actually have a whole bunch of things to show and think the wider cyber community will have so much fun with this when generally available.. but I also think that’s really sad, as real world harm will ensue.


1. It is encrypted at rest; once you log in, it's decrypted with the rest of the stuff running on your drive. All this stops is someone with physical access and that's it.

2. The article says that they are not releasing PoC (my words not theirs) because this feature isn't out, and they want to give M$ a chance to fix it:

> I am deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something.



The real harm in Recall and I so much wish there was an authority who stepped in and slapped Microsoft into next week because of it: abusive relationships. Now your abuser can see everything you've done on your computer so if you try to get out your situation will worsen and also because of this you might not dare to seek help on said computer.



Those third party apps are not enabled by default, won't modify their functionality without your permission, and two of the three are open source.

And for me it's not so much that I trust Microsoft less than any other company. It's that using their services requires so much trust, yet they give so little trust in return.



I am not sure about this, but this new feature requires a dedicated AI chip (or maybe even a decent enough GPU), so,… here’s to hoping the guys behind shutup10 can integrate a patch to disable this.



I had to make it through 3/4 of the article before realizing that "Copilot+" is not, in fact, Copilot, or an enhanced version of it, but a line of computers. The marketing department also has some work to do.



Sort of but AI PCs are going to be more expensive than normal PCs so most users won't and will continue to not have a PC that does this. Pushing it out to existing machines would be a very different tier of problem.



If it works like any other electronics product I've bought in the last ten years, the "AI" version will soon be cheaper thanks to subsidies from advertisers, while the "normal PC" will be twice as expensive and the domain of tinkerers and cranks.



I wonder if MS will then just make it an online processing version, so it just ships all your data "for free!!!!" to MS servers and then processed remotely for you!

I also wonder how "knowledge transfer" will happen when you get a new machine in the future? What about backups, do they sit in the cloud already? These all sound like ways that this "local" AI PC will share data with the MS cloud in one form or another. With Apple doing similar things already on iPhones (I know there are differences, but it's still analyzing your data etc), I wonder if Linux might actually become a more mainstream OS in the future.

Could also be that people stop using computers as much and just use tablets with docking stations + keyboard & monitors (again, there is work to be done, but it's a possibility from a HW level). That would leave us with MacOS & Windows for business desktops (with some Chromebook & Linux sprinkled in there). Education would probably be more Tablet & Chromebook style compute, and gaming is already moving to the cloud (I guess the positive here is that we might finally be able to get rid of AntiCheat software :) ).



> I wonder if MS will then just make it an online processing version, so it just ships all your data "for free!!!!" to MS servers and then processed remotely for you!

> I also wonder how "knowledge transfer" will happen when you get a new machine in the future? What about backups, do they sit in the cloud already?

Honestly, I guess this will become very expensive for Microsoft, and they won't find a good business case what to do with the collected data. So Microsoft is wasting a huge load of money, and additionally their AI spyware causes a huge reputation damage for Microsoft: a lose-lose situation. :-(



> they won't find a good business case what to do with the collected data.

ads.

they've been clear about windows becoming more ads oriented.

guess they are testing the water to try and get a competitive edge over google in a few years with this new data trove.



> how this is supposed to make money

No idea about this specific feature, but billions are being spent to train models in the cloud (including Azure), with the expectation that some models will be used for on-device inference. It remains to be seen whether those investments will return dividends. In the meantime, cloud and GPU vendors are making money on model training.



The part where you are pointing out a dev kit and about how well it runs Linux is really just admitting you don't understand the conversation we are having here.

Most users buy a cheap HP from Costco for $300. Businesses will buy the same standard line OptiPlex they bought last year. Very, very few people will magically end up with Windows Recall who didn't intend to.



> how well it runs Linux

i.e. PC hardware for AI inference will not be limited to Windows.

> Most users buy a cheap HP from Costco for $300. Businesses will buy the same standard line OptiPlex they bought last year.

Both Intel and AMD announced upcoming chips with NPUs. Mediatek and Nvidia will likely join the Arm AI PC competition in 2025. Apple's 2024 OS updates are focused on AI features, both on-device and cloud partnership with OpenAI. Intel's Computex tagline a few weeks ago was literally "AI Everywhere".

In a few years, silicon for on-device AI inference will likely be pervasive in retail PCs, including Costco, HP and Dell Optiplex. It has been shipping in Apple Silicon Macbooks and iPads since 2020, mostly unused by software until now.



Considering how stupid/unsophisticated an avg computer user is, the world's scammers' income is going to skyrocket in the next few years as more people get new computers with built-in Recall.



Beyond the technology community I doubt that the loss of personal privacy is being discussed at large. Ad trackers had already made internet privacy a myth for the vast majority of the world; we now are seeing this permeate onto personal devices and subsequently to our environment with these always on, silently tracking devices - in the name of convenience.

Perfect recall, no need for memory, available at your fingertips - with T&C that completely disregards your need for personal privacy.

The challenge though is that the "better" alternatives, where a mix of privacy and convenience is there, are not always convenient. We have and continue to be marketed convenience at the cost of privacy.

What we need is consumer data privacy to really become a societal and government concern and for devices which infringe on this to really go through the same scrutiny as say a drug going through FDA approval.
