- cross-posted to:
- hackernews@lemmy.smeargle.fans
- cybersecurity@sh.itjust.works
- cross-posted to:
- hackernews@lemmy.smeargle.fans
- cybersecurity@sh.itjust.works
this rootless Python script rips Windows Recall’s screenshots and SQLite database of OCRed text and allows you to search them.
First, false equivalency.
Second, we’re not okay with cookies and session being in a place that could leak — it’s why we’re doing everything possible to stop that from happening (I mean GDPR alone is one effect of this).
Third, the fact that you can’t see a difference between cookies, which actually can be secured via proper encryption and signing, and a literally unencrypted database driven by OCRed screenshots (taken every couple of minutes) that requires an opt-out and is a very small slippery slope to that data making its way back to Microsoft’s own servers for their own greedy pursuits….then I’m not sure what to tell you.
Recall is wrong. And it’s indefensible. Period.
If you think it’s okay, then feel free to open everything up to Microsoft of who you are and what you do on your Copilot+ PC. I, for one, among many, will choose to secure my information as best as possible, including never using another Microsoft product again, if at all possible. And I’ve already done so for myself.
GDPR has little to do with this. People use site cookies to remember sessions and not have to login again, etc. I’d guess most browser users use and want to use this functionality. If you’re fully opting out to not even have persistent sessions, I’m guessing you’re in the far minority of users here.
I’m not aware of any non-trivial readily available built-in encryption for cookies. There are easy to find libraries that exist to just pull out cookies (stored locally including session tokens).
To clear up a bit more misinformation from your response: this is an offline feature. The data doesn’t go back to Microsoft. It works even if your computer is disconnected from the internet. If you consider their word to be a lie on this part, that’s you’re right to believe, but until proven, isn’t a fact.
Not at all true, GDPR is the exact reason why you see all of the sites these days letting users know that their site stores cookies and requesting acceptance of it. Hence why I said we, as a global society, are trying to do something about this, even if it’s something as simple as cookie use disclosure on sites – it’s a start.
Never once said I did.
You’re correct, data-at-rest encryption doesn’t exist for cookies, but data-in-flight does with SSL. Also, signing cookies and samesite origin is a thing being done these days, which makes them quite improbable, if implemented properly, to be hacked for any actual use in terms of leaking logins to said sites.
For the moment, that’s what they say, yes. And that’s the problem, especially since it’s turned on, by default. This – is not – something – Microsoft has earned trust for.
But you are free to believe them all you want – the rest of us who have seen what Microsoft has done these past 40 years use that as a guide to judge – and history is usually a very good judge.