Windows 11’s AI Recall feature is blasted by a security expert as ‘one of the most ridiculous security failings I’ve ever seen’

Microsoft has already been dragged over the coals regarding its Recall functionality inbound for Windows 11 by security researchers and privacy watchdogs alike – and it’ll need a flame-retardant suit for the latest fiery outpouring against the AI-powered feature.

This comes from security expert Kevin Beaumont, as highlighted by The Verge. The site notes that Beaumont worked for Microsoft briefly a few years ago.

To recap – in case you missed it somehow – Recall is an AI feature for Copilot+ PCs, which launches later this month and acts as a photographic timeline – essentially a history of everything you’ve done on your PC, recorded via screenshots that are taken regularly in the background of Windows 11.

Beaumont got Recall working on a normal (non-Copilot+) PC – which can be done, though it isn’t recommended performance-wise – and has been messing around with it for a week.

He’s come to the conclusion that Microsoft has made a giant mistake here, at least going by the feature as currently implemented – and it’s about to ship, of course. Indeed, Beaumont asserts that Microsoft is “probably going to set fire to the entire Copilot brand due to how poorly this has been implemented and rolled out,” no less.

So, what’s the big problem? Well, principally, it’s the lack of thought around security and how there’s a major discrepancy between Microsoft’s description of the way Recall is apparently kept watertight and what Beaumont has found.

As you can see in the above post on X (formerly Twitter), one of the security expert’s main beefs with Microsoft is that it informed media outlets that a hacker can’t possibly nab Copilot+ Recall data remotely. In other words, an attacker would need to access the device physically, in-person – and this isn’t true.

In a long blog post on this topic, Beaumont explains: “This is wrong. Data can be accessed remotely.” Note that Recall does work entirely locally, as Microsoft said – it’s just that it isn’t impossible to tap into the data remotely, as suggested (if you can access the PC, of course).

As Beaumont elaborates, the other big problem here is the Recall database itself, which contains all the data from those screenshots and the history of your PC usage – as all of this is stored in plain text (in an SQLite database).

This makes it very easy to snaffle all the Recall-related info of exactly how you’ve been using your Windows 11 PC – assuming an attacker can get access to the device (either remotely, or in-person).


Analysis: Recall the Recall feature, or regret it

There are lots of further concerns here, too. As Microsoft pointed out when it revealed Recall, there are no limits to what can be captured in the AI-powered history of the activity on your PC (save for some slight exceptions, like Microsoft Edge’s private browsing mode – but not Chrome Incognito, tellingly).

Sensitive financial info, for example, won’t be excluded, and Beaumont further points out that auto-deleting messages in messaging apps will be screenshotted, too, so they could be accessed via a stolen Recall database. Indeed, any message you delete from the likes of WhatsApp, Signal, or whatever could be read via a Recall compromise.

But wait a minute, you might be thinking – if your PC is remotely accessed by a hacker, aren’t you in deep trouble anyway? Well, yes, that’s true – it’s not like these Recall details can be accessed unless your PC is actively exploited (though part of Beaumont’s problem is Microsoft’s apparently errant statement that any kind of remote access to Recall data wasn’t possible at all, as mentioned above).

The real kicker here is that if someone does access your PC, Recall seemingly makes it very easy for that attacker to grab all these potentially hugely sensitive details about your usage history.

While info stealer Trojans already exist and scrape victims at a large scale on an ongoing basis, Recall could enable this kind of personal data hoovering to be done ridiculously quickly and easily.

This is the crux of the criticism, as Beaumont explains it: “Recall enables threat actors to automate scraping everything you’ve ever looked at within seconds. During testing this with an off the shelf infostealer, I used Microsoft Defender for Endpoint – which detected the off the shelf infostealer – but by the time the automated remediation kicked in (which took over ten minutes) my Recall data was already long gone.”

This is a major part of the reason why Beaumont calls Recall “one of the most ridiculous security failings I’ve ever seen.”

That is, if Microsoft doesn’t take action before it ships – there’s still time, in theory anyway, although the release of Copilot+ PCs is very close now. (However, Recall could still be temporarily kicked into touch while it’s further worked on – perhaps.)

If Recall does ship as it’s currently implemented, Beaumont advises turning it off: “Also to be super clear you can disable this in Settings when it ships, and I highly recommend you do unless they rework the feature and experience.”

Herein lies another thorny issue: the AI-powered functionality is on by default. Recall is highlighted during the Copilot+ PC setup experience, and you can switch it off, but the way this is implemented means you have to tick a box to enter settings post-setup, and then turn off Recall there – otherwise, it will simply be left on. And some Windows 11 users will likely fall into the trap of not understanding what the tick box option means during setup and just end up with Recall on by default.

This is not the way a feature like this should operate – particularly given the privacy concerns highlighted here – and we’ve made our feelings on this quite clear before. Anything with wide-ranging abilities like Recall should be off by default, surely – or users should have a very clear choice presented to them during setup. Not some kind of weird ‘tick this box, jump through this hoop later’ kind of shenanigans.

TechRadar – All the latest technology news


I’ve had enough of password frustrations – here’s how I’m finally fixing them in 2024

Passwords are a pain, let’s be honest – a necessary evil to keep us secure. None of us wants to have to deal with these cumbersome little beasties, but they’re an inescapable part of online life. In the future, things will change – as a new passwordless reality comes to fruition and passkeys evolve. But for now, traditional typed passwords remain prevalent and in need of taming.

There are simple ways to deal with passwords, some of which are terrible. Like having ridiculously simple passwords that are easy to guess. Or ‘remembering’ them by writing them all down in a notepad, where a nosy person might find them and get access to your online accounts, if they’re a nefarious sort.

I don’t do anything like that, of course – perish the very thought – I use mnemonics to help make passwords complex enough, but still memorable, so they don’t have to be jotted down. However, even that’s not an ideal way of dealing with passwords, and so I have some (admittedly dull) new year’s resolutions to vastly improve my relationship with passwords and my overall online security.

Taking the plunge with a password manager

This is the main pillar of my reformed relationship with passwords – yes, getting someone else to do them. Or rather, getting something else to do them in the form of an application.

Password manager software automatically generates passwords for all online accounts without me having to lift a finger. These are incredibly secure passwords, too – lengthy strings of garbage that I wouldn’t have a snowball’s chance in hell of remembering.

Taking the plunge with a password manager is something that’s been on my computing to-do list for quite some time, and one of those things I simply haven’t got around to doing. Mainly because it seems easier to carry on as I’ve been doing for a long, long time now (I owned a PC before the worldwide web even existed). So, 2024 is the year it’s going to happen, and I’ll relinquish my old system for a more convenient and secure way of dealing with passwords.

Which password manager am I going to run with? After weighing up the pros and cons of the various options out there, I narrowed it down to either Dashlane or NordPass – but in the end, the latter won out. Why? NordPass scored with its wide-ranging support across multiple platforms, regular updates – and plentiful features – not to mention that it represents a great value proposition.

It’s also the top-ranked product in our roundup of the best password managers, so comes with the TechRadar Pro seal of approval (and a deal to make it even better value, it should be noted). For those after the top freebie option, by the way, check out the best free password managers.

3 tips for avoiding the worst password pitfalls

1. Never, ever, use stupidly simple passwords
‘Password’ is not a good password, much like a riot shield is a bit pointless if it’s made out of tissue paper. Choose a complex password with a decent mix of characters, and a mnemonic to remember it (or better still, use a password manager).
2. Don’t reuse passwords
Never reuse the same password for multiple online accounts. It may seem tempting to do so for easy recall, but if a hacker or other ne’er-do-well gets hold of that password, obviously they could then access more than one of your services.
3. Don’t keep the same password forever
You don’t have to change any given password much, but it’s worth doing so every now and then. Especially if a company you have an account with has a data breach, it’s a good pre-emptive move just to change your password, even before you’ve been told if you’re affected.

2FA achievement complete

Getting a password manager isn’t necessarily bulletproof, of course. What if that company or their systems are somehow breached in some manner? It’s very unlikely that this will happen with a reputable vendor, but it has happened in the past.

At any rate, a robust approach to security doesn’t rely on a single solution, and 2FA (two-factor authentication) is a seriously valuable addition as a second line of defense to back up passwords. This often takes the form of a code texted to your phone, or emailed, after your initial login to an account.

My problem in this department is that I don’t have 2FA enabled on all my online accounts yet. I do have it running on most important services, mind you, but I need to go through my array of various online accounts, check where it’s supported – in theory, on most big sites and services – and implement it, if 2FA isn’t already active.

Much like migrating over to a password manager, this is something I’ve been meaning to do for some time now – and it’s been nagging away at the back of my mind all that time as a task that really needs attending to. In most cases, it'll simply be a case of going into my account > settings > security (or a variation of that process), and turning on two-factor authentication. So, I shall get it done, and tick another niggle off my list of password blues for 2024.

Biometric bonus

While I’m fixing password security issues, my final resolution is to actually use biometrics wherever possible. Until fairly recently, I used a hardware token for logins to my online banking, but have since switched to use the fingerprint sensor on my phone (via the bank’s app). It’s a much more convenient and secure way of logging in, and wherever there’s an option to use a fingerprint login, I’ve resolved to switch to it.

Another point on this subject: while initially I wasn’t convinced about the tech, I now love the Windows Hello login on my Surface Pro tablet – it has got better over time, and works pretty much flawlessly now, even in different lighting conditions. 

I’d advise strongly in favor of using facial recognition, fingerprints, or other biometrics wherever you can turn them on, which is usually a case of exploring an app's settings for security options that can enable hardware like fingerprint sensors. None of this is exactly fun, but you'll go into 2024 feeling all the more secure and smug for it.


I review VR headsets for a living, and I’ve never seen a better Oculus Quest 2 deal

Amazon is offering a fantastic Oculus Quest 2 deal that not only scores you the impressive VR headset for $51 off, but you’ll also get a $50 gift card. It’s one of the best Black Friday deals I’ve seen.

Right now Meta’s Quest 2 (128GB) model is down to $249 at Amazon – instead of its MSRP of £299. But if you act fast, the holiday bundle will score you the discount and a free $50 Amazon voucher; effectively, this will save you $100 on the popular VR headset, which we gave four-and-a-half stars in our Oculus Quest 2 review.

I say you should act fast, because an identical deal was available in the UK for a few days – but it has now sold out. If history repeats itself in the US you don’t have long left to nab yourself one of the best Oculus Quest 2 Black Friday deals this year. 

I've been writing about VR for years and I haven't seen a better deal; so there's no point waiting for something better to come around this Black Friday if you're after a VR headset.

Get the best ever Oculus Quest 2 deal here:

Meta Quest 2 + Amazon Gift Card: was $349.99 now $249.00 at Amazon
Right now you can save $51 on the Meta Quest 2 (128GB) and get a free $50 Amazon gift card as well as part of this holiday bundle. I’ve never seen a better Meta Quest 2 deal, and I expect this may sell out before Black Friday, so act fast.

The only VR headset deal I think you should consider instead of this Oculus Quest 2 offer is the Meta Quest 3 deal that's available everywhere. With that, you get the Meta Quest 3 for $499 and a free copy of Asgard's Wrath 2. Alongside Amazon, you can find the same deal at Walmart, Best Buy, and Target, among others.

While this isn't the best deal (the headset is full price) I think the Meta Quest 3 is a massive step up over the Quest 2; that's why I awarded it five stars in our Meta Quest 3 review. Yes, it's pricier, but it's worth the extra cost if you can afford it.

If you are on a tight budget then Meta's Oculus Quest 2 is still fine, and the above deal is a fantastic offer to take advantage of. But if you can afford to splash out on a Meta Quest 3 then I'd strongly suggest doing so.

For more on this topic, check out my guide to whether you should buy an Oculus Quest 2 or Meta Quest 3 this Black Friday.


Meta AI is coming to your social media apps – and I’ve already forgotten about ChatGPT

Meta is going all out on artificial intelligence, first developing its own version of ChatGPT as well as implementing Instagram’s AI ‘personas’ to appeal to a younger audience. Now, the company has announced a new AI image generation and editing feature during Meta’s Connect event, which will be coming to Instagram soon. 

If you’re familiar with OpenAI’s ChatGPT or Google’s Bard, Meta AI will feel very familiar to you. The general-purpose assistant can help with all sorts of planning and organizational tasks, and will now offer the ability to generate images via the prompt ‘/imagine’.

You’ll also be able to show Meta AI on Instagram a photo you wish to post and ask it to apply a watercolour effect, make the image black and white and so on. Think of the Meta assistant as a more ‘social’ version of ChatGPT, baked right into your social media apps.

Alongside the assistant, the initial roster of 28 AI characters is beginning to roll out across the company’s messaging app. Most of these characters are based on celebrities like Kendall Jenner, Mr. Beast, Paris Hilton and my personal favourite, Snoop Dogg! You can chat with these ‘personas’ directly and finally ask Paris what lipgloss she uses. As you chat with the characters their profile image will animate based on the topic of conversation, which is pretty cool considering chatting with most AI chatbots is kind of… boring, at least from a visual standpoint.

ChatGPT may have started it, but Meta could finish it

It’s clear that Meta is taking AI integration very seriously, and I love to see it! By integrating its virtual assistant and AI tools into the apps billions of people use every day it’s guaranteed an existing user base, and in my opinion, shows that the company has taken the time to really understand why users would approach their product. 

Instead of just unleashing an assistant that will give you recipes and do your homework, it looks like Meta AI is tailored to suit everyday purposes and feels like a really clever way to implement the tool in people’s lives. The assistant is right there in the app if and when you need it, so you don’t have to leave the app to engage with the assistant.

Meta’s huge scale of potential users gives it a good chance of being the AI assistant people will use for the first time and could be the AI assistant people will end up using on a day-to-day basis. No extra app to download or account to make, and no swiping away from your conversation to get to what you need. I think Meta made a smart choice taking its time and has now come out the gate swinging – and I really do think ChatGPT creators OpenAI should be a little bit worried. 


ChatGPT Chrome extensions are mainly junk – but I’ve found 4 worth installing

With the popularity of ChatGPT, the number of Chrome extensions out there is ever-expanding. Some are helpful, though a lot of them… aren’t that great. However, we’ve found a few of the best extensions out there to minimise the search and maximise the ChatGPT experience on Chrome.

You can’t be part of daily internet culture, or at the least be a person with access to the internet, and escape the ChatGPT discourse – whether you want to or not. That, and South Park just covered it, so you know, it’s a pretty big deal right now.

For anyone needing a quick refresher, ChatGPT is the language-based chatbot created by OpenAI that allows you to generate text-based answers to questions about the universe, prompts for poems or brainstorm ideas (and much more). You can use ChatGPT for many things, with the only fundamental limitations being your imagination (and the fact that the responses are text-based, of course). 

Whether you’re using ChatGPT for free or paying for the Plus membership, interacting with the bot is definitely an experience, to say the least. The conversational tone is almost disarming when you’re trying to probe whether or not it’s planning to take over the world or asking it for love life advice.

However, the user interface of ChatGPT is pretty basic compared to its capabilities. While we await further updates and feature expansions, third-party browser extensions are your friend if you want easier, quicker access to ChatGPT and add features to make the most of the AI bot. 

ChatGPT for Google

The Chrome extension ChatGPT for Google is a must-have if you’re looking to integrate AI more into your daily life and make the most out of that vast fountain of knowledge. The extension will show results from the chatbot alongside standard Google search results, so you can get a quick brief of whatever you’re googling while you scan results for the right page.

Some queries will work better than others with this: you won’t get the latest weather or sports reports, but you can get pretty in-depth answers to questions about human biology, basic cleaning hacks and history facts. Most of your queries will likely be accompanied by a ChatGPT response, but do be prepared for the bot to draw a blank sometimes. 

A little box in the corner is integrated alongside the usual search results, and you’ll be able to launch a conversation with ChatGPT right off the page if you want to chat about it or learn more.

Use Voice Commands – Promptheus

Fan of Alexa or Siri? Want to take the conversation into the real world (on your end anyway) and get responses quickly without having to type it all out? Promptheus is for you! This Chrome extension lets you talk directly to ChatGPT using the spacebar on your keyboard so you can skip typing and get answers to all your burning questions by using your voice.

Once you install the extension, open up Chrome, head to ChatGPT and hold the spacebar to start talking. We used it a few times when writing this article, and it does speed up the workflow, since you’re just swapping tabs, asking your question, reading the answer and moving on. 

ChatGPT Export and Share

Currently, if you want to get content out of ChatGPT into other places you have to rely on the old faithful cut and paste, but with ChatGPT Export and Share (which works with Chrome, Edge and Firefox) you can streamline the export process in ChatGPT.

It may take a minute to set it up in the browser, but once you’re all done you’ll get new export buttons near the prompt box to make things a whole lot easier when you’re ready to save your content. 

You’ll have options to save your conversations as images or PDFs, and you can create shareable links too if you have something special you want to share quickly.

Merlin

With Merlin you can have ChatGPT at the tips of your fingers and pull it up with no problems. The extension lets you summarize large blocks of text or reply to an email at any time, essentially giving you a little AI assistant at your beck and call!

Once you’ve got the extension installed, select a block of text and then hit Ctrl + M on Windows or Cmd + M on macOS, and then tell Merlin what you want ChatGPT to do. Summarize, reply, write etc. If you’ve got a tricky email you need to respond to, just select the text in the email thread, bring up Merlin and have ChatGPT write a diplomatic response for you.  

Since there’s a simple keyboard shortcut to activate the extension, it’s really easy to incorporate Merlin into your daily grind very quickly, though do keep in mind that you’re limited to about 31 requests per day. 

We’ve only listed a few extensions in this article so far, but we hope to add more extensions as they crop up and as people come to grips with ChatGPT. We’re only just seeing how ChatGPT fits into our lives as it becomes more mainstream, so there’s no doubt that as the technology cements itself into the day-to-day and more people find interesting ways to utilise ChatGPT we’ll be seeing a lot more useful extensions.
