This rootless Python script rips Windows Recall’s screenshots and SQLite database of OCRed text and allows you to search them.

110 points

Wow, it’s pretty wild they didn’t even attempt to encrypt or protect this data, even if it is local to your machine. What a treasure trove for malware to sift through.

21 points

It IS encrypted. Not well, but it’s encrypted.

12 points

I thought that it was encrypted if your home directory was encrypted? The impression that I got was that it was just a SQLite database stored in the clear. The user must certainly be able to make queries of that database in order for it to work, so even if it’s hosted by a non-user service, malware running locally will still be able to exfiltrate the data.

6 points

All true, which is what I meant by “not well” encrypted. It’s technically encrypted, but for all practical purposes it might as well not be.

1 point

Is it? I skimmed the GitHub source code and couldn’t see anything involving encryption, but it’s totally possible I missed something. Perhaps just accessing the database from Python is enough to decrypt it.

6 points

Now ransomware hackers can sell all your shit to someone else if you refuse to pay.

1 point

Threats to out your porn habits just got more real.

94 points

Please go through the FAQ section of the git project. It’s an eye-opener.

Q. Does this enable mass data breaches of websites?

A. Yes. The next time you see a major data breach where customer data is clearly visible in the breach, you’re going to presume the company that processes the data is at fault, right? But if people have used a Windows device with Recall to access the service/app/whatever, hackers can see everything and assemble data dumps without the company who runs the service even being aware. The data is already consistently structured in the Recall database for attackers. So prepare for AI powered super breaches. Currently credential marketplaces exist where you can buy stolen passwords — soon, you will be able to buy stolen customer data from insurance companies etc., as the entire code to do this has been preinstalled and enabled on Windows by Microsoft.

13 points

It’s worse than that (as bad as this is)…

Today, getting some data on a user is bad, as smart hackers can put together the context… However, any guessing the hacker has to do may alert the user before the hacked data can successfully be exploited.

Now, a hacker would know exactly where each password goes and, worse, they could learn the entire workflow of internal systems to successfully imitate a trained user…

This means the hacker could use the stolen bank data and legitimately issue credit cards to anyone they want (for example).

It’s no longer “we’ll expose some data”; now it’s “we can use this data to infiltrate your systems and wreak havoc in whatever way we want”.

4 points

I doubt that. It’s preinstalled and enabled for personal users.

Even if it is enabled by default on pro/enterprise, there will probably be a group policy to disable it.

7 points

It feels like this was intended for businesses to monitor for phrases on your screen like “coolmath games unblocked free”

or to extract and upload a summary of what happened every second of every day to the server defined in the group policy.

7 points
Deleted by creator
2 points

I doubt it. There are plenty of tools that already do this; if that was what they wanted, they’d just model it after those. Storing it locally isn’t how such tools usually work; the data gets shipped off to a remote server for ingestion.

83 points

85 points

For the kids

Sony BMG copy protection rootkit scandal

Morons:

Sony BMG initially denied that the rootkits were harmful. It then released an uninstaller for one of the programs that merely made the program’s files invisible while also installing additional software that could not be easily removed, collected an email address from the user and introduced further security vulnerabilities.

25 points

That’s wild. I’m surprised I never heard of this. Straight up malware.

16 points

In a just society the Sony execs would have been jailed for CFAA violations.

5 points

Very specific, but makes sense.

0 points

OBJ to you too, friend 🙇‍♀️

72 points

59 points

70 points

Hilarious to me that it OCRs the text. The text is generated by the computer. It’s almost like when Lt. Cmdr. Data wants to get information from the computer database, so he tells the computer to display it and just keeps increasing the speed — there are way more efficient means of getting information from A to B than displaying it, imaging it, and running it through image processing!

I totally get that this is what makes sense, and it’s independent of the method/library used for generating text, but still… the computer “knows” what it’s displaying (except for images of text), and yet it has to screenshot and read it back.

28 points

The same thing happens on Android for some reason.

Like 5-8 years ago the Google Assistant app was able to select and copy text from any app when invoked; I think it was called “Now on Tap”. Then, because they’re Google and they’re contractually obligated to remove features after some time, they removed this from the Google app and integrated it in the Pixel app switcher (and who cares if 99% of Android users aren’t using a Pixel, they say). The new implementation sucks, as it does OCR instead of just accessing the raw text…

It only works fine with US English and not with other languages. But maybe it’s OK, as it seems that Google’s development style is US-centric.

13 points

Now on Tap also used OCR. Both Google Lens and Now on Tap get the same bullshit results on any languages that are not Latin. Literally, Ж gets read as >|< by both, exactly the same.

9 points

They changed it; in the beginning it was using the text and not OCR.

For example, this app could be set as assistant and get the raw text: https://play.google.com/store/apps/details?id=com.weberdo.apps.copy

But only the app set on the system as assistant can do it.

I was very disappointed when they changed it around 2018, as it produced garbage in my language when it had been working so well…

25 points

Hey, yeah… why aren’t they just tapping the font rendering DLL?

Are they tapping the font rendering DLL??

2 points

My guess is that they looked at their screen reader API, saw that it wasn’t 100% of the text on screen and said, fuck it! We’re using OCR!

24 points

Having worked on a product that actually did this, it’s not as easy as it seems. There are many ways of drawing text on the screen.

GDI is the most common, which is part of the Windows API. But some applications do their own rendering (including browsers).

Another difficulty: even if you could tap into every draw call, you would also need a way to determine what is visible on the screen and what is covered by something else.

20 points

That’s the thing, it doesn’t really know what it’s displaying. I can send a bunch of textboxes, but if they’re hidden, or drawn off-screen, or underneath another element, then they’re not actually displayed.

9 points

Text from OCR is one kind of match. Recall also runs visual comparisons with the image tokens stored.

3 points

To be fair, Data was designed to be like a human, and was made in the image of his creator. He has a number of design decisions that are essentially down to his creator wanting to create something like a human, including the one you describe.

Data was never intended to work like a PC; it’s very normal that he can’t just wirelessly interface with stuff.


Technology

!technology@lemmy.world
