Its kind of naive satire that looks silly on second thought. Recall was not bad because of the concept but implementation details, rollout communication and of course the microsoft part. Recall by an open entity with data ownership, security and transparency would have none of those issues and its just a new take on the universal desktop search that is enabled by ai being able to utilise pixels. I refuse to be shamed by e2e encryption freaks that i want to be able search anything I encountered and having universal data control and ownership vs locked in app silos.
All of that data sent to a third party server is going to be public on the Internet at some point. Security? Don't make me laugh. Countries that required government IDs to participate online have already made this mistake and those IDs have been leaked. Just because it's open source or run by $NOT_MICROSOFT won't make it any safer.
The problem with other people consenting to it is that it makes every one else less safe. People get compromised and scammers can use that compromised data to work against people who didn't share their data with the, "Benevolent Open Source Recall Service."
This is correct - it was all on-device, with security guarantees that were instantly proven incorrect. Microsoft withdrew Recall, then brought it back with a newer, more secure implementation that was also proven insecure.
It also claimed that it wasn't going to record sensitive information but it did, to the point where some apps, like Signal, used available Windows APIs to set DRM flags on their windows so that Windows wouldn't capture those regions at all.
What Microsoft could have offered is an easy-to-implement API for application developers to opt into (but users can opt out of), and a blanket recall-esque toggle that users can apply to applications without explicit support. Applications like Firefox or Chrome could hook into the API to provide page content to the API along with more metadata than a simple screenshot could provide, while at the same time not providing that data when sensitive fields/data is on the page (and possibly providing ways for the HTML to define a 'secure' area that shouldn't be indexed or captured, useful in lots of other circumstances).
But, as with everything AI, they don't want users to want it; they want users to use it regardless of whether or not they want it. This is the same reason they forced Copilot into everyone's Office 365 plans and then upped the price unless you tried to cancel; they have to justify the billions they're spending and forcing the numbers to go up is the only way to do that.
I have to wonder what edge AI would look like on a laptop. Little super mini Nvidia Jetson? How much added cost? How much more weight for the second and third batteries? And the fourth and fifth batteries to be able to unplug for more than a few minutes?
They're called NPUs and all recent CPUs from Intel, AMD, or Apple have them. They're actually reasonably power efficient. All flagship smartphones have them, as well as several models down the line as well.
IIRC linux drivers are pretty far behind, because no one who works on linux stuff is particularly interested in running personal info like screenshots or mic captures through a model and uploading the telemetry. While in general I get annoyed when my drivers suck, in this particular case I don't care.
Conceptually a feature similar to Recall doesn't have to involve sending any data to third parties. It should not need to be a service just a piece of software running locally, doing OCR and full text search indexing using local compute.
Incidentally I often tell my friends I run an app on my phone that captures my location 24/7 and they would initially sound horrified. But then I tell them all my location data is not sent to anywhere on the Internet, and ask them specifically what is horrifying about it. There is none.
> I often tell my friends I run an app on my phone that captures my location 24/7 [...] But then I tell them all my location data is not sent to anywhere on the Internet
Your phone is on the Internet.
It takes only one attack (for instance, someone sends you an image which exploits an RCE on the image decoder and then chains into a privilege escalation exploit), or a careless mistake (like marking the wrong folder to be synchronized), or even an automatic update of the app (which adds a helpful "sync across your devices through the cloud" feature or similar), to have all that saved location data copied elsewhere.
You can't leak what you don't have; if you never saved your location history, there's no risk of it being leaked after the fact.
>if you never saved your location history, there's no risk of it being leaked after the fact
Very Buddhist in principle. I still prefer having my GPX tracks though, because they're useful to me, as well as notes, journals, logs... Local security is a separate question, and it's light years apart from stuff like Recall.
Wasn't there a HN post a few weeks ago, describing how your phone's location can be tracked without anything installed and without leaving any trace on your phone? I think it was an exploit of CSS7 protocol used by networks?
The problem is that the data has to go somewhere. If you don't have the compute power locally, you have to send it to a server you control. At a point, this starts to break down because your attention to detail isn't sufficient to protect other operators. I think there are some happier mediums, but I wouldn't be as strident as saying there is no risk even if this is stored locally.
“I store all my location data and I see no problem because it's stored locally” is the new “I store all my passwords on a post-it and I see no problem about it”.
The more you store, the higher the risk, simple as that.
> All of that data sent to a third party server is going to be public on the Internet at some point.
Windows Recall is on-device only (for now). The captures stay on device in a local sqlite database, and all the processing is done on device on the NPU.
I don't get the deal with requiring govt Ids. Back home the government has an OpenId provider and you could link your governmental account if you wanted without leaking your Id/DL/Passport which has data that's considered more private than your Id number.
I refuse to be shamed by AI and surveillance freaks who can't be bothered to take notes of important things and instead demand their and by extension "my" daily computing habits are recorded "just in case."
I cannot even tell Windows that I manage updates myself, how can Recall not be an insane paternalism fail?
In my opinion the product owners of Windows lack the maturity do implement anything like Recall responsibly. Perhaps there is pressure in the background, but as the consumer that isn't my problem.
I could see something like Recall be helpful for a lot of users, but the politics of Windows would need to be changed considerably.
e2e encryption freaks should know about the limits of encryption for that matter.
Also I still don't have a Microsoft account. A private one at least.
To me it felt like just shoving more AI for the sake of it, pretending that there is a problem to solve while making no case for it, and boiling oceans along the way as an acceptable externality.
Taking screenshots of your whole desktop every other second and sending it to a third part, just in case their OCR and cheap search built on top of it might come up with something useful? I haven't found a single situation where I would rather take that above more conventional and established approaches (browser history search, bookmarking, file management hygiene, etc)
The problem of "where did I see that" is something I suspect most people have encountered before. How that's actually done, though, is the devil. The vision -- semantic search of human experience -- is cool. The implementation -- always recording cameras piping every minute of your life to TotallyTrustworthyPeople's servers -- not so.
General chatbots are great for things they have general data about. "What was that movie where..." type things. They don't help with individualized information, unless you feed the same type of information as Recall type solutions gather anyways. Perhaps you don't have much individualized information, or perhaps you just remember it all very aptly - it shouldn't be hard to imagine differently though.
My main usage problem with Recall type solutions is less with lack of something to promise and more with lack of ability to deliver. Especially for local-only solutions. The concept can be great as can be, but it needs to be damn near foolproof to beat out how much we already remember.
>I haven't found a single situation where I would rather take that above more conventional and established approaches (browser history search, bookmarking, file management hygiene, etc)
But all of those are terrible for the use case at hand. It's like searching for the book that contains a passage without being able to search passages, rather searching by title, author or subject.
Aren't screenshots just one implementation specific variant of the possible solutions? Recall immediately made me think about a universal API that all kinds of applications write history to. That data can then be searched, or you could possibly even have global undo/redo.
Screenshots are just "easier" to use, because you don't need to implement anything for individual apps. "Easier" only if you have data centers full of compute and the capital to very inefficiently throw a bunch of silicon and electricity at the problem.
ostensibly - and I'm in your camp, so this is just devilish advocacy - the idea is that you will be wondering, "who said X to me the other day?" or "what was that article I saw about Y?" and you'll be able to just ask one unified search interface instead of searching in 5 different messengers or poring through your browser history.
I don't know that I need that. Certainly not at the privacy cost involved.
>and boiling oceans along the way as an acceptable externality
Can we stop this? It's like saying it takes 2500 litres of water to make a hamburger. Distorting reality to make it seem worse than it is implicitly justifies it.
I still recall (duh) a post here from a guy who literally made a recall feature on his mac way before them. I would love to find that post...
It was screenshotting all the time, storing that locally, and then you could ask it any questions and roll back to that moment. Processing was also fully local.
I think you hit the nail on the head. Recall was problematic because of the lack of information provided when they announced it. How would it handle sensitive details like banking account pages. Can developers opt out for best security practices? How is the managed in an enterprise environment?
Once they delayed and got all their ducks in a row it's a much more solid feature. Not for everyone, but a good way to leverage your PC as a source of information that you can search without having to save everything.
The post reads a little childish to me. Very "Micro$hit are greedy and want to steal your data" level of criticism.
What irritates me most about all these unwanted "innovations" is that they always make them opt-out. "If it's opt-in, nobody's gonna use it - and it's such a flawless feature, we should be shoving it down everyone's throats"
Recall is absolutely horrible in concept irregardless of implementation. Would you accept a big brother security camera over your shoulder recording every minute of your life? No? That’s the equivalent of what Recall is.
Its a pure unhidden giveaway: ai is not about anything you want as a user, its about busting the last shreds of privacy and security for the vast majority of computer users
You're criticizing a joke. Worse, you seem to be aware that you're criticizing a joke, and still went through with it.
I also disagree with your premise: Recall by an open-source entity would have many of the same problems. The threat model for most people isn't that Microsoft might tailor ads to their interests. The threat model is that you're giving that ransomware gang, or an abusive spouse, a new tool with devastating capabilities.
Even for people legitimately worried about law enforcement / the government, the same applies. You're gifting your adversary a database of everything you've ever done that understands context and can literally be queried for "just show me the bad things". It's slightly better if it lives locally rather than in the cloud, but it can be used to nab you just the same.
Recall would be fine, I guess, on Linux, because we could be fairly certain it wouldn’t be slipped in under the radar. But… actually installing it seems like a pretty bad idea. Too big a target.
I know this is satire, but there is actually one and one you actually control. May be useful to remember who said what and where. It can be useful. Just not the way a megacorp implements it.
It's 10+ GB per 8 hours based on some testing I did. Could be useful for short term uses like tracing some technical troubleshooting or pulling screenshots for documentation.
It's an actual useful feature, it's just the tracking by microsoft that makes it meh.
I also track my activities with ActivityWatch (Open Source, https://activitywatch.net/) to remember missing time entries for billing clients. It's all local, so perfectly fine.
Ah nice. I was hoping this was real - just yesterday someone was asking about something and I knew I had written up a description of it but couldn't remember where - Mattermost? GitHub Gist? Random text file? Confluence? Turned out to be Stackoverflow, but it took me quite a while to find it.
Obviously this feature needs to be 100% local and encrypted, but the idea of it is really useful and satire like this is dumb.
For the first time since the 1980's I'm not going to be running a PC with a Microsoft OS on anywhere (I dual boot my main desktop since I use it for work and gaming) but the Windows 11 install is getting binned.
Tired of having to read release notes carefully and make sure I've done just the right things to stop it doing things I never asked it to do.
Good job MS, you lost a customer who's never likely to come back.
Been running windows/linux alongside each other since the late 90's and outside of gaming my computing life is linux (even my TV is connected to a fedora box) so not a hard switch.
I've directly moved at least 3 people out of Windows, and indirectly I'd guess at least a dozen. If all of us techies did the same, it'd be over pretty soon.
I've no one left to convert, my mums been running Linux since ~2016 when I got tired of her breaking windows (and in fairness it was her doing it most of the time) so I switched her to mint.
Her only requirement for her new computer is "it has to run that minty thing?" (it's actually running Fedora and has been for quite a while but that's the nice thing - she doesn't need to know or care) - it's still the same for her either way.
This is irrelevant to consumer adoption. The Chinese government uses their own Linux-based OS, which should be a common-sense national security policy, and it would certainly be a good idea for the rest of the world's governments to catch up and not rely on a US for-profit corporation. But even in China, 99% of regular people are using Windows.
The dominoes really aren't going anywhere. The average consumer has an extremely high tolerance for security and privacy violations, which is why the state of the market is the way it is, completely dominated by companies that are the antithesis of security and privacy. If a service offers utility to them, nothing else matters. And Windows offers a tremendous amount of utility to the average consumer relative to Linux. The things the general public cares about are not the same things anyone who uses this website cares about.
While I think you're mostly right, I disagree with the "tremendous utility [...] relative to Linux". My relatives are certainly no users of this website, and yet they get all the utility they need out of Linux. They don't care about the OS, they mostly just want to use a browser and a few other tasks that work perfectly fine with their Debian installs.
I'm curious what they think the future looks like, Linux is growing on the desktop/laptop (in part driven by Valve/Steam), Users care less and less about PC's outside of the office generally - the primary computing device of most people is a phone not a PC doubly so if you exclude work - gaming has been a huge part of why many people still have PC's in the home and see above.
Not sure what their actual moat is in preventing a slow bleed out from multiple factors over the long term.
I think they'll hold businesses that are already on Windows for everything - like it/love it/loathe it Active Directory/Exchange etc do work for businesses but there has always been a halo effect from the same OS been used in the office as at work, i.e. people knew how to use word when they got into work because they'd used word at school (Chromebooks are very strong there) or home etc.
Based on how aggressive Microsoft is becoming with ads/upsells and data collection I think they'd still call it a loss. Do home users even use Microsoft support?
I self built my desktop as I have for decades, I've always bought MS licenses retail (since I could afford them, not so much as a kid..).
So yeah, they got my money 3 and a bit years ago but that'll be the last money they get from me and obviously no future version of windows will.
I simply no longer trust they are acting in my best interests as a consumer and I was already using Windows 11 as a glorified console OS to open steam.
> ...outside of gaming my computing life is linux...
If you've games purchased through Steam, try running them on Linux with the officially-supported-and-written-for-Linux Steam client. Over the past decade+, a ton of work has been put into making games work fine under Wine and Valve's fork of Wine called Proton.
I've found that nearly every game in my embarrassingly-large Steam library works fine on Linux.
I was very skeptical of the claim that gaming on linux is good now, but fully switched over last weekend.
All of the games I play on a regular basis just worked out of the box with no fiddling at all (nVidia graphics card, X11, pop_OS - but I'm pretty sure any modern distribution would work just as well). Fresh OS install (nvidia drivers just worked), install the steam flatpack, click "download", click "play". That's it.
This includes "modern" games such as Borderlands 4 and e.g. Helldivers 2.
Running steam itself as a flatpak may cost you between 10-15% in overhead if what I've read is true. Installing from repo on fedora/debian/etc should work in most cases just fine.
> I've found that nearly every game in my embarrassingly-large Steam library works fine on Linux.
I have on occasion been scared off of buying a package from Humble Bundle when the games are available on Steam but not explicitly marked as linux. (Some of the games are marked with linux and some are not.) Are you saying I am being unnecessarily cautious?
For example, there is a "momcore" bundle at the moment where some games claim linux support and others do not, if you want to see what I'm talking about.
> Are you saying I am being unnecessarily cautious?
Yes.
If a game is marked with Linux, that means it has a native Linux port. However, Proton has gotten so good in recent years that some of the native Linux ports actually perform _worse_ than just downloading the Windows exe and running it with the compatibility layer.
The investment in Proton makes sense in retrospect, since SteamOS is based on Arch Linux, and most of these games you mention should run just fine on a Steam Deck.
Check protondb.com. Current protondb status for Lake, Calico, We should talk, Beasts of Maravilla Island: Platinum, Apico: Gold, Kana Quest, Bombfest, Where the Bees Make Honey: Uknown, Onsen Master: Uknown (but has native build), Beans: The Coffee Shop Simulator: Playable.
Plus, Epic and Gog work through the third-party launcher "Heroic Game Launcher", for Ubisoft, EA and Blizzard, you can just install their launcher using Steam compatibility, or Lutris, then run games from it.
The major hurdle is games plagued with Windows-only Kernel-level anti cheat software (mostly competitive multiplayer games): https://areweanticheatyet.com/
I recently went back to full time Linux and the gaming aspect is fine with my RTX-3090. I don't really play anything like COD or Battlefield with all the invasive anticheat though, so your mileage may vary
Nice, I'm running a 7900XTX/7950X3D so I may give it a try - I don't game anything like as much as I used to though anyway so if the odd game did cause issues it's no biggie.
I just nuked my home server Ubuntu and installed Windows. Canonical is still unable to make reliable TPM-unlocked full disk encryption, unacceptable for me as a data hoarder. https://bugs.launchpad.net/snapd/+bug/2045417
This is something that's bugged me about BitLocker for ages: What's the point of encrypting your disks if the computer automatically decrypts them anyway? The only situation I can see where this helps you is if someone steals your disk but not your computer, but that seems very unlikely to me. Maybe if someone just clones the disk, but again, it seems much more likely to me that if you're a high enough value target to do that, a bad actor would just grab your device.
> What's the point of encrypting your disks if the computer automatically decrypts them anyway?
The important detail you're missing is: the computer automatically decrypts your disks if you're booting into that operating system. Try booting into something else (like a Linux CD), and you'll see that the TPM does not release the encryption key (the way it works is that each step of the boot sequence records into the TPM what's going on, and the TPM will only release the key if the sequence matches what it expects).
The point is that the disks will only be decrypted when booting into the expected OS, and that this OS will require you to login before giving anyone access to your files.
> The only situation I can see where this helps you is if someone steals your disk but not your computer, but that seems very unlikely to me.
It'll also help if someone steals the computer but does not have your login password; they can boot into Windows, the files will be decrypted while booted into Windows, but without logging into your account, they are not accessible. Of course, unless you're using memory encryption (which I don't think is normally available on normal non-server devices), someone with the right hardware knowledge and an expensive set of hardware tools could in theory manipulate the RAM to get access.
But somehow the malware infested/backdoored alternative has more appeal? Even more than the myriad of other distros, or DIY options for that matter? Doesn't click.
> myriad of other distros, or DIY options for that matter
Have you ever seen a working configuration? The only other distro that advertises it out of the box is Fedora. And maybe it is better in this respect than Ubuntu, but I already wasted a few days dealing with the fallout, so maybe I'll try it next year.
Manual - maybe. But is spending time learning yet another distro worth the Windows license?
re: malware/backdoored
I am not running self-wafered CPU, so backdoors at certain levels are outside of the threat model.
> After entering a valid key, Ubuntu Core will decrypt the device, proceed with the boot, and restore the TPM from the recovered key. The recovery keys will remain the same and do not need to be retrieved again.
I thought this was a serious take for a second (until I looked at microsoft_recall_linux.exe - lol).
Having said that, I would actually be keen for something similar that is both open-source and totally local so that I could use the output as AI fodder (for a local inference model of course).
It's a joke yes but it does work, in a really crude way. The exe is actually a short bash script, it takes a screenshot every 5 seconds, feeds it to tesseract (OCR) and dumps the result in ~/.recall.
When I was working in audits, I used to record everything happening on my screen with 3 fps and then rewatching it with 10x speed, just not to forget anything.
When Recall was announced, I was in minority who thought it was super cool technology.
As long as it's stored and processed locally, I don't really see the implications being that much worse than someone getting all your local IRC/IM/email logs. (Those or their equivalents are stored in the cloud nowadays but disregard that for now for the sake of argument.)
It has been over a decade that big tech has been playing this script:
* Introduce a feature that is abysmal for user privacy
* Promise it's okay because $reasons
* Make the feature opt-out
* Change the EULA so that $reasons are no longer applicable/valid
* Roll out an update that "accidentally" turns the feature back on for everyone
* Apologize, deny, divert, deflect
* Siphon off all that sweet sweet user data
Rinse and repeat. Get away with it every time. People still go "oh I don't see the problem, they said $reasons". This time "it's stored locally". Until it won't.
You are merely objecting to Microsoft being the developer behind Recall. Great I don't fault you for that. But now consider hypothetically what if the Linux Foundation developed and announced Recall?
If it was any other company than Microsoft, I might have agreed with you that it's fine as long as those things happen.
But if history is any indication of the future, as soon as the tool gets popular, Microsoft will try to claw back whatever data it can about it's users, or add Pro features only available to signed up Microsoft users who pay, or something similar.
I think many of us have been burned by these companies doing bait-and-switch so many times, that it's almost impossible to not see the writing on the wall here and even spend five minutes trying it out.
I much rather wait for the inevitable (serious) FOSS clone that will be safer to use instead.
> I much rather wait for the inevitable (serious) FOSS clone that will be safer to use instead.
Yep - though I've no interest in a tool like Recall (I don't really see the point, it doesn't do anything for me I'd want) I do understand that others may feel differently but even if I did want it, I'd wait for the FOSS version as well.
Anything stored locally can be exfiltrated by malware. Run OCR on the archives, check when someone opens their password manager, copy and exfiltrate the password.
Oh and partners, ex-partners and children can also abuse such data. Even if you clear your browsing history, forget about clearing the Recall cache and whoops, they can see your browsing habits post-facto.
Employers and law enforcement agencies are another bad actor that's to guard against. Even if laws such as GDPR or employee safety regulations prohibit companies from screenrecording, there's not much stopping them from using a feature Microsoft tries its hardest to prevent people from opting out of.
the privacy implications are really no worse than people who have a web browser cache/history, use a password manager, and have their entire email/message history available for offline perusal on their computer/device.
just like an attacker can go after the recall data, they can go after those well known sources of data as well, which are generally not encrypted.
Which is why, for example, the changes signal made to prevent recall from working when it was visible, were pure virtue signalling. By default signal on the PC keeps all messages sent available in a db that any attacker can easily download.
The entire criticism aimed at recall ignored all the other ways this data is stored on one's PC.
I think there is a difference between "I can audit the code, it's encrypted, I want to run this and want to use this" and "Microsoft installs it, it's not encrypted and wants to turn it on by default, potentially sharing data to them soon(tm)"
> When Recall was announced, I was in minority who thought it was super cool technology.
I think almost every serious computer professional want something like Recall, I don't think you were in the minority at all.
But the amount of people who want the least security-minded company of probably all time to manage that software, and for that program to ignore the last three decades of security/privacy methodologies, is probably something way less people want, and is why Recall is being shit on.
If a non-profit managed it, it had a security/privacy-first mindset/goals, and was run by non-Microsoft people, I think it could be a really useful tool.
Like several modern pieces of technology, it would in fact be "super cool" if only it ran locally and respected your privacy, and if it weren't in fact just a paper-thin excuse for massive and constant surveillance.
https://github.com/mediar-ai/screenpipe is promising, however it has some issues with my setup. I'm personally just dumping all the data with ffmpeg + x11grab, will figure out what I want to do with it later
> I would actually be keen for something similar that is both open-source and totally local
Did you actually look at it? Or just look at it? Because it is actually open-source and totally local.
# ... nonsense
while true; do
grim - | tee ~/.recall/$(date "+%Y-%m-%dT%H-%M-%S").png | tesseract stdin stdout 2>/dev/null >~/.recall/$(date "+%Y-%m-%dT%H-%M-%S").log
# ... other nonsense
done
I think all the nonsense/emojis are supposed to be funny, but that actually does the thing. Replace "tesseract" with whatever local AI you want; replace grim with some other screenshotting tool if you like.
I've done something like this for over a decade (although I have a diff that deletes duplicate frames) and I like to partition by date (do that "T" becomes a "/") because that makes other things easier, but my script isn't much more complicated than that.
That's the biggest problem I have with Recall. Not that the idea or functionality is bad, but that the probability that the company behind it will abuse it is so large that it's not worth the risk.
If the system worked fully locally, didn't come from Apple/Microsoft/Google/Facebook/etc., and had decent data isolation, I would probably turn it on.
Unfortunately I find that getting basic OCR to work reliably on Linux is a challenge in itself compared to Windows' APIs and quality of OCR results, so I doubt an honest, well-intentioned implementation will make it to Linux.
Mac only but if you want a local only version of this (which has been mentioned in other comments), Dayflow[1] looks decent. I think I'd actually love something like this but can't quite bring myself to run it.. even with local models
I would say do not run it (I only skimmed it), but if you 'wget' the script or grab it in your browser and just read it it's quite funny :) hats off to the developer.
This satire is amusing. Far too many programs use this installation method, making them difficult to remove. Seeing this is an immediate deterrent to installation.
Admittedly, a distro agnostic equivalent to the PKGBUILD or Nix Flakes would have been great. But it's hard to excuse them when so many better alternatives are available. Even apps that could easily be built into a single binary use these odd installation methods.
And while Flatpak gets a lot of criticism, I honestly think it's far better than these `script| bash` methods.
> Even apps that could easily be built into a single binary use these odd installation methods.
Yeah because the curl bash script can deal with automatically selecting the right binary (even on Mac) and adding it to your PATH.
> And while Flatpak gets a lot of criticism, I honestly think it's far better than these `script| bash` methods.
I agree but does Flatpak actually work for CLI tools (which is where I see most use of curl-bash). E.g. could I install Rust using Flatpak? My understanding was it's more suited for sandboxed GUI apps.
> I agree but does Flatpak actually work for CLI tools (which is where I see most use of curl-bash). E.g. could I install Rust using Flatpak? My understanding was it's more suited for sandboxed GUI apps.
Distrobox is basically flatpak for CLI apps. Not exactly, but it accomplishes a similar goal.
No. It is absolutely ridiculous to suggest that one must read some unknown script just for the simple task of adding a binary to the directory on PATH. Unless, of course, you're the type of person who just runs any script without verification.
Furthermore, for files installed 'automatically' like that, it's nearly impossible to remember what was done and where. This means that to remove it, you have to find and read 'that specific version' of the script you ran, and then delete the files. It's not like the script is always in a place with a persistent history, like a git repository. Good luck with that.
Yeah uninstallation is a flaw, but what alternative are you suggesting?
And yes I am the type of person that uses heuristics to trust what software to run. You aren't magically safer if you audit the install script and not the actual binary.
The smaller the attack surface, the better. There is no need to expand it unnecessarily. By your logic, we shouldn't even use the binaries provided by the official package manager, because they also cannot be trusted.
We are talking about the dangers of the installation method. Not the program itself.
Yeah, honestly, package your thing up as either a .DEB or an .RPM. 'alien' [0] will handle converting from one to the other, and that will take care of like 90->98% of the Linux users out there.
The "OMFG there's no standard way to package things on Linux!" complaint kinda sucks.
Ingenious! Now imagine an M$ ad:
"Are you forced to work with Linux?
Do you miss the convenience of Microsoft spying on you and keeping track of everything?
Fear not! This amazing tool will bring back all those great Windows Recall features that you have been missing: WINDOWS 11"
I know this is satire, but a program that logs what you were doing and when is quite helpful. I have a script that fires every ten seconds and stores the current active window's metadata to a sqlite database. Other scripts log battery level, system load and free space. I use Zeitgeist to store my clipboard history and it's backed up regularly. Another script, run by Audacious (with the "song change" plugin), logs the music I'm playing.
Wonderfull satire.
Forgetting is a blessing for me, and while I dont have complete clinical recall, I do retain a very great deal, add in a chaotic curiosity, and there are many many short paths, I dont need reminding/renforcement of.
Which makes useing the internet hellish, without turning all the history and pre fetch, adverts, etc off.
Having my local machine co opted for survailence has me wondering about building a clasic office, with a fax machine, and paper mail.
Paper mails last significant update was 100 years ago with airplanes, and fax has been stable for ?50 years?
And the cheap ass win11 laptop that would not power down is outside in the rain, and the much cheaper linux box with dual monitors is styling in the house, graphted into an old 60's formica kitchen table, was booted from a usb drive,created with a phone, works awsome.
Love that side of the tech, loath
the ,the, whatever it is, thats trying to suck up the world and spew it back covered in cold grue.
It's not impossible that an AI was asked to sprinkle in a few typos for effect, but perhaps it really is just written by a person who really loves emojis.
These recall apps disappoint me. They screenshot all the time.
It's not enough data. They should be adding event driven window history reporting, accessibility tree scraping, and filesystem deltas too. I want a better exocortex!
Look up eidetic os - it runs a micro kernel and captures all the inputs to it, to be able to perfectly deterministicly replay everything. Like running all your programs under a time travel debugger.
Recall signaled the coming end of networked compute resource usefulness. The writings on the wall. All those fancy shmancy crypto systems developed over decades reduced to nothing. Apart from it having no practical usefulness to the end user and only apparent usefulness to oligarchs and state actors, its offensive the way these schemes are always sold as though they're good for us. Can you call it gaslighting? Mental abuse? I dont know.
I never understood the hate for Recall. The idea is definitely good. In fact I want this sort of feature to work across my devices. I guess people don't trust Microsoft to implement it in a secure way?
Because every time someone checks it, it turns out it's not implemented in a secure way. You really don't want an accidental transcript of your PII and payment details to just stay there, readable to anyone with access to your user. And that's even without being sceptical and expecting the information to be mined and sold soon.
I think people already just don't want their screen recorded "24/7" regardless of Microsoft, but then when you add Microsoft into the mix, and potentially sending stuff off-host for AI etc, it gets worse?
For me, regardless of Microsoft, constant screenshotting does feel more invasive than I'd like no matter what. It's already bad enough that websites do it on their own properties.
Its kind of naive satire that looks silly on second thought. Recall was not bad because of the concept but implementation details, rollout communication and of course the microsoft part. Recall by an open entity with data ownership, security and transparency would have none of those issues and its just a new take on the universal desktop search that is enabled by ai being able to utilise pixels. I refuse to be shamed by e2e encryption freaks that i want to be able search anything I encountered and having universal data control and ownership vs locked in app silos.
It's bad in concept as well.
All of that data sent to a third party server is going to be public on the Internet at some point. Security? Don't make me laugh. Countries that required government IDs to participate online have already made this mistake and those IDs have been leaked. Just because it's open source or run by $NOT_MICROSOFT won't make it any safer.
The problem with other people consenting to it is that it makes every one else less safe. People get compromised and scammers can use that compromised data to work against people who didn't share their data with the, "Benevolent Open Source Recall Service."
I'm pretty sure recall was specifically a selling point for laptops with ai chips which could do the processing locally and reasonably efficiently?
Though storing the data locally still could make getting compromised by a targeted attack more dangerous.
This is correct - it was all on-device, with security guarantees that were instantly proven incorrect. Microsoft withdrew Recall, then brought it back with a newer, more secure implementation that was also proven insecure.
It also claimed that it wasn't going to record sensitive information but it did, to the point where some apps, like Signal, used available Windows APIs to set DRM flags on their windows so that Windows wouldn't capture those regions at all.
What Microsoft could have offered is an easy-to-implement API for application developers to opt into (but users can opt out of), and a blanket recall-esque toggle that users can apply to applications without explicit support. Applications like Firefox or Chrome could hook into the API to provide page content to the API along with more metadata than a simple screenshot could provide, while at the same time not providing that data when sensitive fields/data is on the page (and possibly providing ways for the HTML to define a 'secure' area that shouldn't be indexed or captured, useful in lots of other circumstances).
But, as with everything AI, they don't want users to want it; they want users to use it regardless of whether or not they want it. This is the same reason they forced Copilot into everyone's Office 365 plans and then upped the price unless you tried to cancel; they have to justify the billions they're spending and forcing the numbers to go up is the only way to do that.
I have to wonder what edge AI would look like on a laptop. Little super mini Nvidia Jetson? How much added cost? How much more weight for the second and third batteries? And the fourth and fifth batteries to be able to unplug for more than a few minutes?
They're called NPUs and all recent CPUs from Intel, AMD, or Apple have them. They're actually reasonably power efficient. All flagship smartphones have them, as well as several models down the line as well.
IIRC linux drivers are pretty far behind, because no one who works on linux stuff is particularly interested in running personal info like screenshots or mic captures through a model and uploading the telemetry. While in general I get annoyed when my drivers suck, in this particular case I don't care.
It looks like a MacBook Pro and (maybe) a Snapdragon X2 device
Conceptually a feature similar to Recall doesn't have to involve sending any data to third parties. It should not need to be a service just a piece of software running locally, doing OCR and full text search indexing using local compute.
Incidentally I often tell my friends I run an app on my phone that captures my location 24/7 and they would initially sound horrified. But then I tell them all my location data is not sent to anywhere on the Internet, and ask them specifically what is horrifying about it. There is none.
> I often tell my friends I run an app on my phone that captures my location 24/7 [...] But then I tell them all my location data is not sent to anywhere on the Internet
Your phone is on the Internet.
It takes only one attack (for instance, someone sends you an image which exploits an RCE on the image decoder and then chains into a privilege escalation exploit), or a careless mistake (like marking the wrong folder to be synchronized), or even an automatic update of the app (which adds a helpful "sync across your devices through the cloud" feature or similar), to have all that saved location data copied elsewhere.
You can't leak what you don't have; if you never saved your location history, there's no risk of it being leaked after the fact.
>if you never saved your location history, there's no risk of it being leaked after the fact
Very Buddhist in principle. I still prefer having my GPX tracks though, because they're useful to me, as well as notes, journals, logs... Local security is a separate question, and it's light years apart from stuff like Recall.
Wasn't there a HN post a few weeks ago, describing how your phone's location can be tracked without anything installed and without leaving any trace on your phone? I think it was an exploit of CSS7 protocol used by networks?
> You can't leak what you don't have
Your mobile provider has your location history
The problem is that the data has to go somewhere. If you don't have the compute power locally, you have to send it to a server you control. At a point, this starts to break down because your attention to detail isn't sufficient to protect other operators. I think there are some happier mediums, but I wouldn't be as strident as saying there is no risk even if this is stored locally.
What location-tracking app do you use? How does it impact the battery life? That sounds useful.
“I store all my location data and I see no problem because it's stored locally” is the new “I store all my passwords on a post-it and I see no problem about it”.
The more you store, the higher the risk, simple as that.
> All of that data sent to a third party server is going to be public on the Internet at some point.
Windows Recall is on-device only (for now). The captures stay on device in a local sqlite database, and all the processing is done on device on the NPU.
Who knows how many ways there are to exfiltrate data. Without software (and hardware) freedom, you can never tell what's going on.
I don't get the deal with requiring govt Ids. Back home the government has an OpenId provider and you could link your governmental account if you wanted without leaking your Id/DL/Passport which has data that's considered more private than your Id number.
They say it's, "age verification," and protecting children online.
We could speculate that this is an excuse and the real intent is... something else.
Regardless, the hubris is immense. Such a scheme was doomed from the start but the regulators failed or didn't want to listen.
Not only leaks, but anything on the cloud is subject to be inspected by the government.
*the goverment and foreign espionage agencies
FTFY
> e2e encryption freaks
I refuse to be shamed by AI and surveillance freaks who can't be bothered to take notes of important things and instead demand their and by extension "my" daily computing habits are recorded "just in case."
I cannot even tell Windows that I manage updates myself, how can Recall not be an insane paternalism fail?
In my opinion the product owners of Windows lack the maturity do implement anything like Recall responsibly. Perhaps there is pressure in the background, but as the consumer that isn't my problem.
I could see something like Recall be helpful for a lot of users, but the politics of Windows would need to be changed considerably.
e2e encryption freaks should know about the limits of encryption for that matter.
Also I still don't have a Microsoft account. A private one at least.
To me it felt like just shoving more AI for the sake of it, pretending that there is a problem to solve while making no case for it, and boiling oceans along the way as an acceptable externality.
Recall is an attempt at a solution all of us have encountered so many times in life.
Taking screenshots of your whole desktop every other second and sending it to a third part, just in case their OCR and cheap search built on top of it might come up with something useful? I haven't found a single situation where I would rather take that above more conventional and established approaches (browser history search, bookmarking, file management hygiene, etc)
The problem of "where did I see that" is something I suspect most people have encountered before. How that's actually done, though, is the devil. The vision -- semantic search of human experience -- is cool. The implementation -- always recording cameras piping every minute of your life to TotallyTrustworthyPeople's servers -- not so.
this happens to me less than once a week, not worth any real effort to avoid
general ai chatbots can usually answer any question that would be solved by magically summoning the exact page i looked at 2 weeks ago anyway
General chatbots are great for things they have general data about. "What was that movie where..." type things. They don't help with individualized information, unless you feed the same type of information as Recall type solutions gather anyways. Perhaps you don't have much individualized information, or perhaps you just remember it all very aptly - it shouldn't be hard to imagine differently though.
My main usage problem with Recall type solutions is less with lack of something to promise and more with lack of ability to deliver. Especially for local-only solutions. The concept can be great as can be, but it needs to be damn near foolproof to beat out how much we already remember.
>I haven't found a single situation where I would rather take that above more conventional and established approaches (browser history search, bookmarking, file management hygiene, etc)
But all of those are terrible for the use case at hand. It's like searching for the book that contains a passage without being able to search passages, rather searching by title, author or subject.
Aren't screenshots just one implementation specific variant of the possible solutions? Recall immediately made me think about a universal API that all kinds of applications write history to. That data can then be searched, or you could possibly even have global undo/redo.
Screenshots are just "easier" to use, because you don't need to implement anything for individual apps. "Easier" only if you have data centers full of compute and the capital to very inefficiently throw a bunch of silicon and electricity at the problem.
> all
I’m not anti-AI, although I am anti a 3rd-party recording everything on my screen like some sort of voluntary Stasi.
I can’t however think of a single time when this kind of functionality would have been something I would reach for.
So, if you’re going to say “all”, please give me one example where I needed it.
Please include me (and *everyone I've spoken to, from ignorant users to experts) out of 'all of us have encountered ..."
If you use recall, could you explain how? And what solutions does it provide (for you)?
ostensibly - and I'm in your camp, so this is just devilish advocacy - the idea is that you will be wondering, "who said X to me the other day?" or "what was that article I saw about Y?" and you'll be able to just ask one unified search interface instead of searching in 5 different messengers or poring through your browser history.
I don't know that I need that. Certainly not at the privacy cost involved.
>and boiling oceans along the way as an acceptable externality
Can we stop this? It's like saying it takes 2500 litres of water to make a hamburger. Distorting reality to make it seem worse than it is implicitly justifies it.
I still recall (duh) a post here from a guy who literally made a recall feature on his mac way before them. I would love to find that post...
It was screenshotting all the time, storing that locally, and then you could ask it any questions and roll back to that moment. Processing was also fully local.
https://github.com/jasonjmcghee/rem ?
Here's the Show HN: https://news.ycombinator.com/item?id=38787892
https://www.rewind.ai/
I think you hit the nail on the head. Recall was problematic because of the lack of information provided when they announced it. How would it handle sensitive details like banking account pages. Can developers opt out for best security practices? How is the managed in an enterprise environment?
Once they delayed and got all their ducks in a row it's a much more solid feature. Not for everyone, but a good way to leverage your PC as a source of information that you can search without having to save everything.
The post reads a little childish to me. Very "Micro$hit are greedy and want to steal your data" level of criticism.
What irritates me most about all these unwanted "innovations" is that they always make them opt-out. "If it's opt-in, nobody's gonna use it - and it's such a flawless feature, we should be shoving it down everyone's throats"
Recall is absolutely horrible in concept irregardless of implementation. Would you accept a big brother security camera over your shoulder recording every minute of your life? No? That’s the equivalent of what Recall is.
Its a pure unhidden giveaway: ai is not about anything you want as a user, its about busting the last shreds of privacy and security for the vast majority of computer users
You're criticizing a joke. Worse, you seem to be aware that you're criticizing a joke, and still went through with it.
I also disagree with your premise: Recall by an open-source entity would have many of the same problems. The threat model for most people isn't that Microsoft might tailor ads to their interests. The threat model is that you're giving that ransomware gang, or an abusive spouse, a new tool with devastating capabilities.
Even for people legitimately worried about law enforcement / the government, the same applies. You're gifting your adversary a database of everything you've ever done that understands context and can literally be queried for "just show me the bad things". It's slightly better if it lives locally rather than in the cloud, but it can be used to nab you just the same.
[dead]
Recall would be fine, I guess, on Linux, because we could be fairly certain it wouldn’t be slipped in under the radar. But… actually installing it seems like a pretty bad idea. Too big a target.
I know this is satire, but there is actually one and one you actually control. May be useful to remember who said what and where. It can be useful. Just not the way a megacorp implements it.
Here it is [unaffiliated, untested by me, unvetted]: https://github.com/openrecall/openrecall
For all that it is satire, it is a lot more functional than you might realize at first glance.
https://github.com/rolflobker/recall-for-linux/blob/e16382f0...
Judging from the code, I’m pretty sure this is generated by AI
Why? Because of the emojis? Normally I'd agree, except in this case it seems like part of the joke.
Microsoft claims 30% of their code is now written by AI. So right on point.
[dead]
Lacks Wayland support unfortunately.
For just screen recording you can use https://git.dec05eba.com/gpu-screen-recorder
It's 10+ GB per 8 hours based on some testing I did. Could be useful for short term uses like tracing some technical troubleshooting or pulling screenshots for documentation.
What issue did you run into? It's using grim for capturing the screen.
I don't see any results on KDE Wayland; a (fairly old) open issue: https://github.com/openrecall/openrecall/issues/10
---
mss.exception.ScreenShotError: XGetImage() failed
Yeah, Wayland leaves this up to the compositors, and the compositors never bothered to implement it.
This alternative is still storing the screenshots and the OCRed content unencrypted, and the web UI is also unauthenticated.
There's some docs on storing the data in an encrypted volume or external drive, but 99% of people ain't doing that.
The only real improvement over MS's version is keeping the data local, which ain't much, really.
> The only real improvement over MS's version is keeping the data local, which ain't much, really.
That's already a lot.
It's an actual useful feature, it's just the tracking by microsoft that makes it meh.
I also track my activities with ActivityWatch (Open Source, https://activitywatch.net/) to remember missing time entries for billing clients. It's all local, so perfectly fine.
[dead]
Ah nice. I was hoping this was real - just yesterday someone was asking about something and I knew I had written up a description of it but couldn't remember where - Mattermost? GitHub Gist? Random text file? Confluence? Turned out to be Stackoverflow, but it took me quite a while to find it.
Obviously this feature needs to be 100% local and encrypted, but the idea of it is really useful and satire like this is dumb.
For the first time since the 1980's I'm not going to be running a PC with a Microsoft OS on anywhere (I dual boot my main desktop since I use it for work and gaming) but the Windows 11 install is getting binned.
Tired of having to read release notes carefully and make sure I've done just the right things to stop it doing things I never asked it to do.
Good job MS, you lost a customer who's never likely to come back.
Been running windows/linux alongside each other since the late 90's and outside of gaming my computing life is linux (even my TV is connected to a fedora box) so not a hard switch.
The value MS gains from milking to non technical people for all they’re worth outweighs the loss of the occasional tech savvy user.
And sadly I think MS are still far from the tipping point and it will get worse and worse for some time to come.
The only thing the non-techies have is the law to protect them.
I've directly moved at least 3 people out of Windows, and indirectly I'd guess at least a dozen. If all of us techies did the same, it'd be over pretty soon.
I've no one left to convert, my mums been running Linux since ~2016 when I got tired of her breaking windows (and in fairness it was her doing it most of the time) so I switched her to mint.
Her only requirement for her new computer is "it has to run that minty thing?" (it's actually running Fedora and has been for quite a while but that's the nice thing - she doesn't need to know or care) - it's still the same for her either way.
Same. My inlaws be rockin' ebay refurb lenovos with fedora for 6 years now
My score so far: 5 people directly, some ~40 workstations at my employer.
I remember Google being more popular with tech savvy users than Yahoo or Alta-Vista. IMO this is the writing on the wall.
They're pissing off the non technical people now, though. We'll see how it all plays out in the next few years.
I disagree. Tech people shape governmental IT policies. You already see some governments in the EU moving away from Microsoft.
Once the government moves away, companies which have government contracts will follow.
I think the dominoes are starting to fall.
This is irrelevant to consumer adoption. The Chinese government uses their own Linux-based OS, which should be a common-sense national security policy, and it would certainly be a good idea for the rest of the world's governments to catch up and not rely on a US for-profit corporation. But even in China, 99% of regular people are using Windows.
The dominoes really aren't going anywhere. The average consumer has an extremely high tolerance for security and privacy violations, which is why the state of the market is the way it is, completely dominated by companies that are the antithesis of security and privacy. If a service offers utility to them, nothing else matters. And Windows offers a tremendous amount of utility to the average consumer relative to Linux. The things the general public cares about are not the same things anyone who uses this website cares about.
> The average consumer has an extremely high tolerance for security and privacy violations
Absolutely, or Facebook/Instagram/Whatsapp and similar "apps" wouldn't be nearly as successful.
While I think you're mostly right, I disagree with the "tremendous utility [...] relative to Linux". My relatives are certainly no users of this website, and yet they get all the utility they need out of Linux. They don't care about the OS, they mostly just want to use a browser and a few other tasks that work perfectly fine with their Debian installs.
They might be risking their quasi-monopoly/duopoly position. Probably not but before it was a 0% chance and now its nonzero.
I'm curious what they think the future looks like, Linux is growing on the desktop/laptop (in part driven by Valve/Steam), Users care less and less about PC's outside of the office generally - the primary computing device of most people is a phone not a PC doubly so if you exclude work - gaming has been a huge part of why many people still have PC's in the home and see above.
Not sure what their actual moat is in preventing a slow bleed out from multiple factors over the long term.
I think they'll hold businesses that are already on Windows for everything - like it/love it/loathe it Active Directory/Exchange etc do work for businesses but there has always been a halo effect from the same OS been used in the office as at work, i.e. people knew how to use word when they got into work because they'd used word at school (Chromebooks are very strong there) or home etc.
> but the Windows 11 install is getting binned
That makes you the best MS customer: you paid and you are not costing them anything in support.
Based on how aggressive Microsoft is becoming with ads/upsells and data collection I think they'd still call it a loss. Do home users even use Microsoft support?
For now. That all changes when the OP buys another computer.
There are plenty of vendors who will give you a OS less device and even a Linux device.
I self built my desktop as I have for decades, I've always bought MS licenses retail (since I could afford them, not so much as a kid..).
So yeah, they got my money 3 and a bit years ago but that'll be the last money they get from me and obviously no future version of windows will.
I simply no longer trust they are acting in my best interests as a consumer and I was already using Windows 11 as a glorified console OS to open steam.
> ...outside of gaming my computing life is linux...
If you've games purchased through Steam, try running them on Linux with the officially-supported-and-written-for-Linux Steam client. Over the past decade+, a ton of work has been put into making games work fine under Wine and Valve's fork of Wine called Proton.
I've found that nearly every game in my embarrassingly-large Steam library works fine on Linux.
I was very skeptical of the claim that gaming on linux is good now, but fully switched over last weekend.
All of the games I play on a regular basis just worked out of the box with no fiddling at all (nVidia graphics card, X11, pop_OS - but I'm pretty sure any modern distribution would work just as well). Fresh OS install (nvidia drivers just worked), install the steam flatpack, click "download", click "play". That's it.
This includes "modern" games such as Borderlands 4 and e.g. Helldivers 2.
The "nvidia driver" thing may go away, too. See Nvidias contributions to Nova.
Running steam itself as a flatpak may cost you between 10-15% in overhead if what I've read is true. Installing from repo on fedora/debian/etc should work in most cases just fine.
Oh really? Wow! I'll switch over tonight and give it a shot. Thanks!
> I've found that nearly every game in my embarrassingly-large Steam library works fine on Linux.
I have on occasion been scared off of buying a package from Humble Bundle when the games are available on Steam but not explicitly marked as linux. (Some of the games are marked with linux and some are not.) Are you saying I am being unnecessarily cautious?
For example, there is a "momcore" bundle at the moment where some games claim linux support and others do not, if you want to see what I'm talking about.
> Are you saying I am being unnecessarily cautious?
Yes.
If a game is marked with Linux, that means it has a native Linux port. However, Proton has gotten so good in recent years that some of the native Linux ports actually perform _worse_ than just downloading the Windows exe and running it with the compatibility layer.
The investment in Proton makes sense in retrospect, since SteamOS is based on Arch Linux, and most of these games you mention should run just fine on a Steam Deck.
Check protondb.com. Current protondb status for Lake, Calico, We should talk, Beasts of Maravilla Island: Platinum, Apico: Gold, Kana Quest, Bombfest, Where the Bees Make Honey: Uknown, Onsen Master: Uknown (but has native build), Beans: The Coffee Shop Simulator: Playable.
You can still use Proton with games not purchased on Steam: https://www.reddit.com/r/linux_gaming/comments/pvzn03/runnin...
You can often find reports from people running games on linux at protondb.com
Plus, Epic and Gog work through the third-party launcher "Heroic Game Launcher", for Ubisoft, EA and Blizzard, you can just install their launcher using Steam compatibility, or Lutris, then run games from it.
The major hurdle is games plagued with Windows-only Kernel-level anti cheat software (mostly competitive multiplayer games): https://areweanticheatyet.com/
I always wonder just how much gaming has propped up and continues to prop up windows.
I recently went back to full time Linux and the gaming aspect is fine with my RTX-3090. I don't really play anything like COD or Battlefield with all the invasive anticheat though, so your mileage may vary
Love bazzite on my 9070/9800x3d setup. Zero issues with a game yet. Played expedition 33 the day I built it a few months back!
Nice, I'm running a 7900XTX/7950X3D so I may give it a try - I don't game anything like as much as I used to though anyway so if the odd game did cause issues it's no biggie.
I just nuked my home server Ubuntu and installed Windows. Canonical is still unable to make reliable TPM-unlocked full disk encryption, unacceptable for me as a data hoarder. https://bugs.launchpad.net/snapd/+bug/2045417
This is something that's bugged me about BitLocker for ages: What's the point of encrypting your disks if the computer automatically decrypts them anyway? The only situation I can see where this helps you is if someone steals your disk but not your computer, but that seems very unlikely to me. Maybe if someone just clones the disk, but again, it seems much more likely to me that if you're a high enough value target to do that, a bad actor would just grab your device.
> What's the point of encrypting your disks if the computer automatically decrypts them anyway?
The important detail you're missing is: the computer automatically decrypts your disks if you're booting into that operating system. Try booting into something else (like a Linux CD), and you'll see that the TPM does not release the encryption key (the way it works is that each step of the boot sequence records into the TPM what's going on, and the TPM will only release the key if the sequence matches what it expects).
The point is that the disks will only be decrypted when booting into the expected OS, and that this OS will require you to login before giving anyone access to your files.
> The only situation I can see where this helps you is if someone steals your disk but not your computer, but that seems very unlikely to me.
It'll also help if someone steals the computer but does not have your login password; they can boot into Windows, the files will be decrypted while booted into Windows, but without logging into your account, they are not accessible. Of course, unless you're using memory encryption (which I don't think is normally available on normal non-server devices), someone with the right hardware knowledge and an expensive set of hardware tools could in theory manipulate the RAM to get access.
Bitlocker has options to require a pin/password/network attestation at boot. Most people don't use it, but it exists.
Also, a lot of data theft is from after a disk is disposed of and reused. Bitlocker prevents that from happening.
It does decrypt them. But then what? How are you the thief going to extract them or data from RAM of a working machine?
If it’s decrypted, you don’t need to steal it from RAM.
You just do normal file operations and copy the files
you need to login to do that. The point of bitlocker is that it prevents filesystem access from a different OS install.
But somehow the malware infested/backdoored alternative has more appeal? Even more than the myriad of other distros, or DIY options for that matter? Doesn't click.
> myriad of other distros, or DIY options for that matter
Have you ever seen a working configuration? The only other distro that advertises it out of the box is Fedora. And maybe it is better in this respect than Ubuntu, but I already wasted a few days dealing with the fallout, so maybe I'll try it next year.
Manual - maybe. But is spending time learning yet another distro worth the Windows license?
re: malware/backdoored
I am not running self-wafered CPU, so backdoors at certain levels are outside of the threat model.
If anything, Ubuntu was "malware" in the sense that it didn't work as advertised. https://documentation.ubuntu.com/core/how-to-guides/manage-u...
> After entering a valid key, Ubuntu Core will decrypt the device, proceed with the boot, and restore the TPM from the recovered key. The recovery keys will remain the same and do not need to be retrieved again.
The restore TPM bit just didn't happen.
Ubuntu is historically unstable and unreliable, in my experience. I would never suggest it for home or work use.
Don't use Ubuntu?
That's exactly what I thought and acted.
I thought this was a serious take for a second (until I looked at microsoft_recall_linux.exe - lol).
Having said that, I would actually be keen for something similar that is both open-source and totally local so that I could use the output as AI fodder (for a local inference model of course).
It's a joke yes but it does work, in a really crude way. The exe is actually a short bash script, it takes a screenshot every 5 seconds, feeds it to tesseract (OCR) and dumps the result in ~/.recall.
When I was working in audits, I used to record everything happening on my screen with 3 fps and then rewatching it with 10x speed, just not to forget anything.
When Recall was announced, I was in minority who thought it was super cool technology.
> I was in minority who thought it was super cool technology.
The technology can be cool while still be a horrific idea because of the implementation and privacy implications.
As long as it's stored and processed locally, I don't really see the implications being that much worse than someone getting all your local IRC/IM/email logs. (Those or their equivalents are stored in the cloud nowadays but disregard that for now for the sake of argument.)
It has been over a decade that big tech has been playing this script:
* Introduce a feature that is abysmal for user privacy
* Promise it's okay because $reasons
* Make the feature opt-out
* Change the EULA so that $reasons are no longer applicable/valid
* Roll out an update that "accidentally" turns the feature back on for everyone
* Apologize, deny, divert, deflect
* Siphon off all that sweet sweet user data
Rinse and repeat. Get away with it every time. People still go "oh I don't see the problem, they said $reasons". This time "it's stored locally". Until it won't.
You are merely objecting to Microsoft being the developer behind Recall. Great I don't fault you for that. But now consider hypothetically what if the Linux Foundation developed and announced Recall?
> As long as it's stored and processed locally
If it was any other company than Microsoft, I might have agreed with you that it's fine as long as those things happen.
But if history is any indication of the future, as soon as the tool gets popular, Microsoft will try to claw back whatever data it can about it's users, or add Pro features only available to signed up Microsoft users who pay, or something similar.
I think many of us have been burned by these companies doing bait-and-switch so many times, that it's almost impossible to not see the writing on the wall here and even spend five minutes trying it out.
I much rather wait for the inevitable (serious) FOSS clone that will be safer to use instead.
> I much rather wait for the inevitable (serious) FOSS clone that will be safer to use instead.
Yep - though I've no interest in a tool like Recall (I don't really see the point, it doesn't do anything for me I'd want) I do understand that others may feel differently but even if I did want it, I'd wait for the FOSS version as well.
The equivalent of screenscraping passwords, API keys, etc.
> As long as it's stored and processed locally
Anything stored locally can be exfiltrated by malware. Run OCR on the archives, check when someone opens their password manager, copy and exfiltrate the password.
Oh and partners, ex-partners and children can also abuse such data. Even if you clear your browsing history, forget about clearing the Recall cache and whoops, they can see your browsing habits post-facto.
Employers and law enforcement agencies are another bad actor that's to guard against. Even if laws such as GDPR or employee safety regulations prohibit companies from screenrecording, there's not much stopping them from using a feature Microsoft tries its hardest to prevent people from opting out of.
the privacy implications are really no worse than people who have a web browser cache/history, use a password manager, and have their entire email/message history available for offline perusal on their computer/device.
just like an attacker can go after the recall data, they can go after those well known sources of data as well, which are generally not encrypted.
Which is why, for example, the changes signal made to prevent recall from working when it was visible, were pure virtue signalling. By default signal on the PC keeps all messages sent available in a db that any attacker can easily download.
The entire criticism aimed at recall ignored all the other ways this data is stored on one's PC.
I think there is a difference between "I can audit the code, it's encrypted, I want to run this and want to use this" and "Microsoft installs it, it's not encrypted and wants to turn it on by default, potentially sharing data to them soon(tm)"
> When Recall was announced, I was in minority who thought it was super cool technology.
I think almost every serious computer professional want something like Recall, I don't think you were in the minority at all.
But the amount of people who want the least security-minded company of probably all time to manage that software, and for that program to ignore the last three decades of security/privacy methodologies, is probably something way less people want, and is why Recall is being shit on.
If a non-profit managed it, it had a security/privacy-first mindset/goals, and was run by non-Microsoft people, I think it could be a really useful tool.
There's nothing wrong with the concept, but if it's not local with you in total control of the data then it's also just a no go.
The technology is cool. It's microsoft that's not. Tools like this already existed on Mac.
Like several modern pieces of technology, it would in fact be "super cool" if only it ran locally and respected your privacy, and if it weren't in fact just a paper-thin excuse for massive and constant surveillance.
It kinda IS a working solution tho. recall-for-linux.exe is just a bash script that does this in a loop. :)
grim - | tee ~/.recall/$(date "+%Y-%m-%dT%H-%M-%S").png | tesseract stdin stdout 2>/dev/null >~/.recall/$(date "+%Y-%m-%dT%H-%M-%S").log
https://github.com/mediar-ai/screenpipe is promising, however it has some issues with my setup. I'm personally just dumping all the data with ffmpeg + x11grab, will figure out what I want to do with it later
Windows & macos only though. "linux support coming soon" has been on that website forever.
That's for the fancy GUI. Basic "capture and dump to disk" is supported on Linux with the cli version
> I would actually be keen for something similar that is both open-source and totally local
Did you actually look at it? Or just look at it? Because it is actually open-source and totally local.
I think all the nonsense/emojis are supposed to be funny, but that actually does the thing. Replace "tesseract" with whatever local AI you want; replace grim with some other screenshotting tool if you like.I've done something like this for over a decade (although I have a diff that deletes duplicate frames) and I like to partition by date (do that "T" becomes a "/") because that makes other things easier, but my script isn't much more complicated than that.
Same.
I have a terrible memory so a totally local ai that knows everything I do would actually be useful.
That's the biggest problem I have with Recall. Not that the idea or functionality is bad, but that the probability that the company behind it will abuse it is so large that it's not worth the risk.
If the system worked fully locally, didn't come from Apple/Microsoft/Google/Facebook/etc., and had decent data isolation, I would probably turn it on.
Unfortunately I find that getting basic OCR to work reliably on Linux is a challenge in itself compared to Windows' APIs and quality of OCR results, so I doubt an honest, well-intentioned implementation will make it to Linux.
There is/was https://github.com/selfspy/selfspy (not updated in 10 years).
That's what people crave.
Mac only but if you want a local only version of this (which has been mentioned in other comments), Dayflow[1] looks decent. I think I'd actually love something like this but can't quite bring myself to run it.. even with local models
[1] https://github.com/JerryZLiu/Dayflow
Nice, I did not know about that. I've built something similar (https://github.com/Srakai/aw-llm-worker) on top of ActivityWatch (https://github.com/ActivityWatch/activitywatch)
Some great satire and comedy here. I enjoyed the curl "installation", the .exe filename...and then I read the License. Pure gold.
I love how the exe-file is just a shell script, printing random messages.
It doesn't actually spy on you though, it just says that it does
From the installation instructions;
I would say do not run it (I only skimmed it), but if you 'wget' the script or grab it in your browser and just read it it's quite funny :) hats off to the developer.You can read the script in the repo: https://github.com/rolflobker/recall-for-linux/blob/main/rec...
(Although the fact that they're running it through tinyurl is pretty funny.)
`curl -fsSL https://tinyurl.com/2u5ckjyn | bash`
This satire is amusing. Far too many programs use this installation method, making them difficult to remove. Seeing this is an immediate deterrent to installation.
Don't blame the program authors; blame the Linux community for completely failing to agree on a better alternative.
Admittedly, a distro agnostic equivalent to the PKGBUILD or Nix Flakes would have been great. But it's hard to excuse them when so many better alternatives are available. Even apps that could easily be built into a single binary use these odd installation methods.
And while Flatpak gets a lot of criticism, I honestly think it's far better than these `script| bash` methods.
> Even apps that could easily be built into a single binary use these odd installation methods.
Yeah because the curl bash script can deal with automatically selecting the right binary (even on Mac) and adding it to your PATH.
> And while Flatpak gets a lot of criticism, I honestly think it's far better than these `script| bash` methods.
I agree but does Flatpak actually work for CLI tools (which is where I see most use of curl-bash). E.g. could I install Rust using Flatpak? My understanding was it's more suited for sandboxed GUI apps.
> I agree but does Flatpak actually work for CLI tools (which is where I see most use of curl-bash). E.g. could I install Rust using Flatpak? My understanding was it's more suited for sandboxed GUI apps.
Distrobox is basically flatpak for CLI apps. Not exactly, but it accomplishes a similar goal.
Doesn't it use Docker? Fine for trying stuff out on different distros but there's no way I want Docker as a normal installation process.
Docker is what you use if you've failed to do it the right way.
No. It is absolutely ridiculous to suggest that one must read some unknown script just for the simple task of adding a binary to the directory on PATH. Unless, of course, you're the type of person who just runs any script without verification.
Furthermore, for files installed 'automatically' like that, it's nearly impossible to remember what was done and where. This means that to remove it, you have to find and read 'that specific version' of the script you ran, and then delete the files. It's not like the script is always in a place with a persistent history, like a git repository. Good luck with that.
Yeah uninstallation is a flaw, but what alternative are you suggesting?
And yes I am the type of person that uses heuristics to trust what software to run. You aren't magically safer if you audit the install script and not the actual binary.
The smaller the attack surface, the better. There is no need to expand it unnecessarily. By your logic, we shouldn't even use the binaries provided by the official package manager, because they also cannot be trusted.
We are talking about the dangers of the installation method. Not the program itself.
Yeah, honestly, package your thing up as either a .DEB or an .RPM. 'alien' [0] will handle converting from one to the other, and that will take care of like 90->98% of the Linux users out there.
The "OMFG there's no standard way to package things on Linux!" complaint kinda sucks.
[0] <https://wiki.debian.org/Alien>
fpm (Effing package manager) goes far beyond what alien does, too, in case you need even more flexibility.
https://fpm.readthedocs.io/en/latest/getting-started.html
Actually, I don't use Debian or Ubuntu either, and I don't think it's a good idea to only support those methods.
you can use <a href="https://brew.sh/">homebrew</a> or flatpak
Ingenious! Now imagine an M$ ad: "Are you forced to work with Linux? Do you miss the convenience of Microsoft spying on you and keeping track of everything?
Fear not! This amazing tool will bring back all those great Windows Recall features that you have been missing: WINDOWS 11"
I was expecting OneDrive subscription message to go up from time time time.
And here I was thinking someone had resurrected NeXT's issue tracking system.
I was thinking about switching back to Windows but finally getting missing functionalities like Recall may change my mind...
I didn't know it was April 1st yet X-D
I love that they took the time to make their shitpost (kinda) work
Not the hero we need, but the one we deserve.
i already have a big enough scrollback buffer.
Microsoft Linux, best distro.
They don't look like they need money, but they look prime for a series A. This idea has legs.
I know this is satire, but a program that logs what you were doing and when is quite helpful. I have a script that fires every ten seconds and stores the current active window's metadata to a sqlite database. Other scripts log battery level, system load and free space. I use Zeitgeist to store my clipboard history and it's backed up regularly. Another script, run by Audacious (with the "song change" plugin), logs the music I'm playing.
Recall is not a reverse RDP capture.
A must have for every linux user that reads carefully
ugh with the emojis. dead ai giveaway.
Wonderfull satire. Forgetting is a blessing for me, and while I dont have complete clinical recall, I do retain a very great deal, add in a chaotic curiosity, and there are many many short paths, I dont need reminding/renforcement of. Which makes useing the internet hellish, without turning all the history and pre fetch, adverts, etc off. Having my local machine co opted for survailence has me wondering about building a clasic office, with a fax machine, and paper mail. Paper mails last significant update was 100 years ago with airplanes, and fax has been stable for ?50 years? And the cheap ass win11 laptop that would not power down is outside in the rain, and the much cheaper linux box with dual monitors is styling in the house, graphted into an old 60's formica kitchen table, was booted from a usb drive,created with a phone, works awsome. Love that side of the tech, loath the ,the, whatever it is, thats trying to suck up the world and spew it back covered in cold grue.
Not to be confused with Recoll (for Linux, et al) https://www.recoll.org/
needs more AI! also y no rust?
simply thank you, I was missing all those features
not enough clanker
With all the emojis in the source code, one can instantly recognize it as AI slop. :)
I thought that at first too until I read the first bullet point
" Stores all you sensitive data "
That's a grammar error I don't expect an LLM to make?
There are a couple more in the README too.
It's not impossible that an AI was asked to sprinkle in a few typos for effect, but perhaps it really is just written by a person who really loves emojis.
Maybe they wanted to intentionally make it look like AI as an added pun
I've seen major React ecosystem packages with emoji readmes nearly 10 years back. Your super serious bank app may have emoji in their bundle.
These recall apps disappoint me. They screenshot all the time.
It's not enough data. They should be adding event driven window history reporting, accessibility tree scraping, and filesystem deltas too. I want a better exocortex!
Look up eidetic os - it runs a micro kernel and captures all the inputs to it, to be able to perfectly deterministicly replay everything. Like running all your programs under a time travel debugger.
It’s a cool idea I think!
Stop it. I can only get so nerdsniped this week.
Now everyone can switch to Linux
Recall signaled the coming end of networked compute resource usefulness. The writings on the wall. All those fancy shmancy crypto systems developed over decades reduced to nothing. Apart from it having no practical usefulness to the end user and only apparent usefulness to oligarchs and state actors, its offensive the way these schemes are always sold as though they're good for us. Can you call it gaslighting? Mental abuse? I dont know.
LOL, can’t believe a Linux app turned out to be an .exe file.
The shebang line doesn’t care about your filename.
This looks great! Does it support MFA & JWT tokens? We can't install anything on our fleet without MFA & JWT /s.
Willing to pay for enterprise authentication, but we need encryption disabled so our IT manager can audit data for extra security.
I never understood the hate for Recall. The idea is definitely good. In fact I want this sort of feature to work across my devices. I guess people don't trust Microsoft to implement it in a secure way?
Because every time someone checks it, it turns out it's not implemented in a secure way. You really don't want an accidental transcript of your PII and payment details to just stay there, readable to anyone with access to your user. And that's even without being sceptical and expecting the information to be mined and sold soon.
I think people already just don't want their screen recorded "24/7" regardless of Microsoft, but then when you add Microsoft into the mix, and potentially sending stuff off-host for AI etc, it gets worse?
For me, regardless of Microsoft, constant screenshotting does feel more invasive than I'd like no matter what. It's already bad enough that websites do it on their own properties.
Very likely a performance hog. And then very likely an attack vector for data exfiltration.
This is an app I will not be installing.
Exactly, it will be installed for you!
Someone else will take care of that minor detail for you!