Are your passwords secure? 🔑 Hive Systems just published a table showing the amount of time it would take to hack a password by brute force based on length and the use of letters, numbers, and special characters. 🔨 It astonishes me to see the difference between 8 characters (7 years) and 9 characters (479 years), when both use upper and lowercase letters, numbers, and special characters.

🔐 Here is my favorite way to create memorable passwords:

◆ Select a line of at least five words from a song.
◆ Use the first two letters of each word.
◆ Choose a number not associated with you (e.g., the street number of a friend).
◆ Add a special character.

“Just a small town girl” gives you the following nonsense: Juasmtogi. You could then add a number and special character into the word to give you something like this: Juasm4287Togi.

😀 I store my password list in a password-protected Word document. I never store passwords to banks and credit cards on my devices.

🏦 What is your favorite method for creating passwords? Do you use a password manager?

#Cybersecurity #Technology #Healthcare

--------------------------------------------------------------------
I am a freelance healthcare writer and editor. I write about cybersecurity and HIPAA compliance for medical practices.

Source: https://lnkd.in/g-k3-Kn8
Suzanne Stone’s Post
More Relevant Posts
-
Open Letter to Microsoft Requesting the Shutdown of the "Recall" Feature
https://lnkd.in/gJMZaBjx

Dear Microsoft Team,

While its potential benefits are clear, the significant security and privacy risks it introduces far outweigh them. Therefore, I urge you to shut down the Recall feature entirely.

Sensitive Information Exposure
Recall captures screen snapshots every five seconds, inevitably recording sensitive information like passwords and private communications. The risk of inadvertent exposure is too high, even with local storage.

Local Storage Security
Relying on PC security to protect these snapshots is insufficient. If an attacker gains access, they could exploit this data. The current measures do not provide adequate security for such sensitive information.

Temporary File Handling
Temporary files created when interacting with snapshot content pose another risk. If not managed securely, these files could be exploited. Ensuring prompt and secure deletion is crucial but challenging.

User Configuration and Exclusions
The manual exclusion of sensitive apps and websites is prone to human error, leading to unintended captures of private information. Pre-configured exclusions for common sensitive apps and websites could mitigate this risk but still present a security challenge.

Privacy during Capture
Snapshots taken when Recall is launched or the Now option is selected, even if not saved, pose significant privacy risks. These momentary captures can be accessed by unauthorized individuals, representing a significant security issue.

Voice Search Concerns
Voice search may inadvertently capture background conversations or sensitive information, introducing further privacy issues. Clear user notifications and stringent privacy controls are necessary to secure this functionality.

User Education and Trust
Even with comprehensive user education and best practice guidelines, the complexity and risks associated with Recall are too great. Users cannot be expected to manage these risks effectively, leading to potential erosion of trust in Microsoft's commitment to privacy and security.

Responsible AI and Privacy Commitment
While Microsoft has made commendable strides in responsible AI, the Recall feature undermines these efforts due to its substantial risks. The potential for significant privacy breaches and misuse of sensitive data conflicts with the principles of responsible AI and user trust that Microsoft has worked hard to build.

Conclusion
In light of these substantial security and privacy concerns, I strongly urge Microsoft to shut down the Recall feature in Windows 11. The risks to user data and privacy are too significant to justify its continued operation. Microsoft’s commitment to responsible AI and user trust must prioritize the safety and security of user data above all else.
-
"Because Recall is "default allow" (it relies on a list of things not to record) ... it's going to vacuum up huge volumes and heretofore unknown types of data, most of which are ephemeral today. The "we can't avoid saving passwords if they're not masked" warning Microsoft included is only the tip of that iceberg. There's an ocean of data that the security ecosystem assumes is "out of reach" because it's either never stored, or it's encrypted in transit. All of that goes out the window if the endpoint is just going to ... turn around and write it to disk. (And local encryption at rest won't help much here if the data is queryable in the user's own authentication context!) Put another way: no one has been writing their apps or libraries assuming that this data might be captured somewhere. Some suuuuper deep assumptions about that will only come to light once they've been painfully exploited - and may take a ton of time to remediate. Most {organizational, ecosystem, societal} threat models don't include "run infostealers on steroids on every endpoint that anyone in the user's authentication context can query". Ransomware of unprecedentedly juicy exfil (enabled by maliciously configuring it to strip out any "do not record" exceptions for a while) will have a field day. PCI / GDPR / etc implications are mind-boggling. And Recall's users and Microsoft are going to learn all this the hard way." https://lnkd.in/e3SVaxn9
Royce Williams (@tychotithonus@infosec.exchange)
https://infosec.exchange/
-
[1] "...we’re committed to making confidential computing and other complementary technologies accessible to everyone." As Google adopts Confidential Computing, Secretarium is already leading the way with Klave. Our cutting-edge platform securely processes encrypted data using trusted execution environments (TEEs), ensuring that even the most sensitive information remains unseen. We provide verifiable security and complete privacy, even while data is in use. Since day one, we’ve prioritised data privacy, and evolving regulations continue to reinforce its critical importance. From AI to finance to data collaboration, Secretarium isn’t just keeping pace, we're driving innovation and inspiring the future of secure computing. Confidential computing is where the world is heading, and Secretarium is making it a reality. 🚀 If you’re interested in learning how our platform, Klave, can secure your business operations through confidential computing, don’t hesitate to get in touch. [1] https://lnkd.in/gyFpDRaW. #Secretarium #Klave #ConfidentialComputing #DataPrivacy #DataProtection #CyberSecurity #Google #GoogleAds
Simpler data privacy for advertisers with confidential matching
blog.google
-
Every year since 2020 Hive Systems has studied passwords, and how long it would take to crack based upon various criteria. An interesting read, that kind of makes one think about password length, representations, password leaks or reuse across multiple sites. #security #passwords #hivesystems
Are Your Passwords in the Green?
hivesystems.com
-
Keep calm and stay secure with OneDrive! Your files deserve the best protection – and OneDrive is delivering just that. Here's how Microsoft is redefining file security: 🔑 Advanced 2FA: Your data stays safe, even if your password slips up. 📍 Access Monitoring: Track where and how your files are used. 🔔 Real-Time Alerts: Stay informed about any suspicious activity. Ready to experience next-level protection? 📖 Check out the latest updates: https://bit.ly/3XUFpQD 👉 Connect with us: Empathy Technologies 📧 Have questions? Email us at it@empathy-technologies.com #SecureTheFuture #FileProtectionDoneRight #OneDrive #Ai #Technology
-
This page was last edited on 29 April 2023, at 08:26.

Help:Login notifications

Don't worry!
Hello there! Are you here because you received a notification about a login attempt to your account? Don't worry! Your account is still secure. The notifications were generated by LoginNotify, a feature introduced in 2017. Please note that this feature relies on cookies to keep track of the devices you have used to log in. Deleting the cookies or using your browser's "incognito/private browsing" feature will cause the device to be regarded as new and, therefore, trigger the above notification as a "false positive" warning.

What should I do?
If you made this login attempt, no action needs to be taken at this time, though you should always have a strong and unique password for your account. If you don't think this is the case, you should change your password as soon as possible. According to one study of leaked account passwords, nearly 17% of 10 million internet user accounts have “123456” as their password.[1] Don't be one of them!

"As a rule of thumb, a password that is reasonably long, with a mixture of upper and lowercase letters and numbers, and not mostly made up of dictionary words or names or personal information (date of birth, cat's name, etc.) is likely to be reasonably strong for everyday use. Passwords that consist of just lowercase letters can also be reasonably strong, but they must be significantly longer". (Source: User account security on English Wikipedia).

References
[1] Iyer, Kavita. ‘123456’ is the most common password of 2016, reveals study
-
🚨 Breaking News: on June 13th Microsoft has announced that the release of Recall (the AI based security issue they introduced in Windows) will be delayed. Thankfully, the Redmond tech company had a moment of sanity and thought carefully about what they were about to unleash. Hopefully, the delay will be long enough for a full redesign of Recall's architecture and, possibly, to avoid storing very sensitive information. It's a user's choice to allow an AI to have access to sensitive information, and it's a choice that should be made in the moment, leaving no stored sensitive information behind (locally or on a remote server). This is what developers should always keep in mind when designing AI-based tools. It doesn't matter what type of extra requirements a company may have received from external entities, for example (yeah, just an example!) 😂 Imagine a network in a government office having that level of private and even classified information potentially being stored (even opting out may not necessarily prevent malware or malicious users from activating Recall anyway). No wonder Microsoft President Brad Smith had to testify to the US House and mistakenly said that Recall was secure by design (link to the full interview in the comments below). Again, nothing against Microsoft, but dangerous software practices should be pointed out to ensure they are avoided for the safety of everyone, users and Microsoft themselves. Imagine a class action against Microsoft after many users ended up with their personal data stolen because CVE-2024-30078 (that allowed a malicious actor to install malware on Windows through WiFi because of a bug in a driver) was still not patched? (Yup, Microsoft claims they patched this one last Tuesday!). Imagine going to your favorite cafe and getting your whole life stolen... What a wonderful combo CVE-2024-30078 and Recall would have been! 😂 Jokes and sarcasm aside, thank you, Microsoft, for being reasonable. 🙏
-
This is an interesting perspective from Microsoft. Installing software at the kernel level has advantages in that if a malicious actor were to do so and the security software was not, the security software would likely not effectively stop the threat. However, the downside is that CrowdStrike can push a bad update and disrupt 8.5 million machines. While I appreciate some of the tech changes the EU has forced, I also feel they overstep in the tech area at times (like cookies, please stop making us click on the accept cookies buttons! We get it!). We can debate if blocking Kernel access is more secure and/or the right way to do things, but it seems odd to me that 2 major OS companies have different regulations. They are both global companies with huge market share. I digress, I thought this was an interesting commentary regardless. What are your thoughts? https://lnkd.in/gUKk3jhq
Microsoft says EU to blame for the world's worst IT outage
euronews.com
-
Guinness World Record for Largest File Transfer? 🤔 Ever tried sending a massive 4K video or a hefty scientific dataset? Files are only getting bigger, and we need high-speed, reliable transfer solutions more than ever. But here's the catch—most current technologies just can't keep up. We need robust, secure systems to handle these huge data transfers efficiently. The market gap is glaring, and it's time for some serious innovation in managed file transfer solutions. 👉 Read more: https://gag.gl/uMWAr1 Like what you see? Follow Kason Yu for daily insights on technology and cybersecurity. Click the 🔔 to get a notification so you don't miss my new posts. #cybersecurity #filetransfer #internet
Guinness World Record for Largest File Transfer?
kiteworks.com
Snr Project Manager | Chemical Engineer | PfMP® | PMP® | PMI-PBA® | Microsoft Certified Azure Data Scientist & Power BI Data Analyst | SAFe® 6 Agilist | Lean Six Sigma Black Belt | Ethical AI Advocate | Aspiring LLB
7mo
Suzanne Stone, this is really interesting. I'll have to rethink a few of my passwords, incredible what a difference it makes. Love your way of creating passwords too.