[HN Gopher] PcTattletale leaks victims' screen recordings to ent...
___________________________________________________________________
PcTattletale leaks victims' screen recordings to entire Internet
Author : nneonneo
Score : 158 points
Date : 2024-05-27 02:00 UTC (21 hours ago)
(HTM) web link (www.ericdaigle.ca)
(TXT) w3m dump (www.ericdaigle.ca)
| junniper wrote:
| Yeesh.
|
| Is it still considered a "vulnerability" if the door is built
| without locks? Or even a handle.
| ronsor wrote:
| "What door?"
| junniper wrote:
| Doors with locks are often a metaphor for security.
|
| In this case the "door" is this company's API.
|
| Considering the context of the original post what did you
| think my comment meant?
| BobaFloutist wrote:
| Their joke was that the security is so poor, it could even
| be conceived as a doorway they never put a door in. They
| were playing off your comment and agreeing by exaggerating
| further.
| junniper wrote:
| You're right! Now I feel silly for missing the joke.
| rinze wrote:
| Is that the codename for Windows 11?
| ronsor wrote:
| Based on the functionality, I'd think it's the codename for
| "Copilot Plus" or whatever it's called now.
| supernes wrote:
| What a wild story. From one of the linked reports:
|
| > it took Fleming over 20 hours to take the defaced website
| offline, but the long time was not for lack of trying: his own
| spyware recorded him clumsily attempting to restore the site
| fairly early on but ultimately failing to do so. while
| pcTattletale itself has now been entirely down for a few hours,
| the sending of screenshots to the s3 bucket continued until
| Fleming's aws account was locked down by amazon shortly before
| publishing this article.
| e_daigle wrote:
| I'm the author of the blog post - the exploit is so simple it
| kind of speaks for itself, but if anyone has any questions feel
| free.
| buran77 wrote:
| The even more worrying thing for anyone considering _any_
| solutions which do such mass surveillance, regardless of motive
| (like Windows Rewind). They're all one or two steps removed from
| massive scale access to these recordings. All of the steps have
| happened repeatedly in the past. The only way to be safer is not
| keep that data in the first place.
|
| > the tiny shell lets anyone execute arbitrary php code by simply
| setting a cookie. what makes this file such an interesting find,
| though, is that the shell has been present since at least
| december 2011 (which is when the site got moved to its current
| server). it is impossible to tell whether this shell was placed
| there by pcTattletale (for whatever reason) or by a threat actor;
| either way, it reveals that pcTattletale has been backdoored for
| basically forever and may have had data exfiltrated from it for
| years by external actors
| dgellow wrote:
| Windows Recall is stored locally and encrypted from what I
| understood
| dorkwood wrote:
| Yes. I've heard it's unhackable. We are in good hands.
| WhackyIdeas wrote:
| For anyone downvoting this person, keep in mind they are
| quite obviously being sarcastic......
| buran77 wrote:
| Until a year or two later when MS rolls out the feature of
| "AI" on "your data". Or gives the option/default to store the
| recording on OneDrive. Or any number of options that MS can
| monetize somehow while selling it as a benefit for you. How
| many massively popular feature requests sit on the waiting
| list every day while this one comes out of the blue despite
| almost no user ever asking for it, and it's _for you_?
|
| Rewind is the house's foundation, the rest of the walls come
| later. How fast they come depends on what the CEO sees as the
| future of making money.
|
| Having these recordings is a liability more than it is a
| productivity boost. People today don't operate computers
| under the assumption they are recorded at all times even if
| they know the feature is there. So of course it's dangerous.
|
| One day, when you'll be thoroughly used to being surveilled
| at all times, having Rewind-like features will be as
| ubiquitous or as normal as walking around today with a GPS
| tracker, microphone and spy cam in your pocket, for someone
| else to use. Something equally unacceptable some decades ago.
| wkat4242 wrote:
| > Until a year or two later when MS rolls out the feature
| of "AI" on "your data"
|
| It's already touted as an AI feature.
|
| And yes, Microsoft is very adamant the images are stored
| locally; I wonder if all the processing is purely local too
| though.
| buran77 wrote:
| > Microsoft is very adamant the images are stored locally
|
| But this is _today_ (as in "at the literal moment the
| statement was made"). What about tomorrow?
|
| History is plastered with examples of things companies
| were adamant about and as it turned out they either
| didn't keep their word for long or even it was a lie as
| it was spoken.
|
| One day they'll decide it's for your own interest to
| share this data. Or a patch will accidentally sync it to
| the cloud. Or their model will be trained on your data.
| Or authorities start targeting this for obtaining way
| more data than otherwise needed. Or malware will use it
| as a treasure trove of info like never before. All of
| this keeps happening, I can't bring myself to believe
| this case in particular will break the mold.
| wkat4242 wrote:
| Yes I don't trust them either. At all.
|
| I didn't say that too explicitly, sorry.
| rgmerk wrote:
| Doesn't matter as a tool of domestic abuse, as the
| attacker almost certainly has local access to the device
| concerned.
|
| The howls of outrage when Microsoft announced this are
| such that they may well have gotten the message on this
| one. But somebody else lower-profile will have the same
| bright idea.
| wkat4242 wrote:
| True, an attacker can install a screen capture tool but
| they will not automatically have the access to data from
| months back of course.
| dgellow wrote:
| > despite almost no user ever asking for it
|
| Honestly I never asked for it but now that I've seen it I
| want to try on my personal machines, if data are local I
| have no issues with it at all. I'm personally not afraid of
| Microsoft, but I understand they haven't been good at
| building trust for the past decade+. It would be awesome as
| an open source project.
|
| However I can see how something like Recall is pretty
| problematic in a corporate context, when enabled by admins
| without end-user controls
| a0123 wrote:
| The tech demos _never_ work as demonstrated at the tech
| demo conference.
| WhackyIdeas wrote:
| The only good thing about Recall is that it has been the
| definitive decider of moving away from Microsoft
| permanently because for them to create such a 'feature'
| shows a complete lack of care about people's private data -
| they'll be leaving a huge jackpot prize for anyone who
| breaks into a system.
|
| Just the kind of thing this NSA Prism-participating company
| would think was a top notch idea.
|
| Not saying the real motive is surveillance... I'm sure a
| feature update or two away will also turn the data into a
| real money maker of advertising which instead of just being
| able to advertise to you, can kill two birds with one stone
| in being able to increase tenfold the ad revenue by
| watching who you're talking with in your emails, your PM's
| on Facebook (or wherever else) and then selling marketing
| data on you AND them.
|
| If I was a purely profit driven individual - I'd be doing
| exactly that. But I have too much of a heart.
|
| Even if they say that they'll be abandoning this idea as
| they have 'listened to user feedback' or some other bull,
| the complete damage has already been done here.
|
| Thank the lord there are an abundance of excellent OS
| alternatives.
| mistrial9 wrote:
| no - the employer makes their subjects do it. It has
| always been that way, now it is more obvious, again.
| sandworm101 wrote:
| >> One day, when you'll be thoroughly used to being
| surveilled at all times
|
| When that day comes, when you don't want someone recording
| your screen and rummaging around your hard drives, linux
| will be there.
|
| Every bad day for Windows is a good day for linux.
| squigz wrote:
| Until Microsoft wants to start using that data, or is
| compelled to hand it over.
| jocoda wrote:
| I'm all for tools like this if they allow me to review my
| activity, especially if that's across the multiple systems I
| use, to get a handle on how and where I spend my time.
|
| It's not a surprise that Microsoft and Apple are determined
| to get us to use their cloud products for our personal data -
| there's billions up for grabs.
| bayindirh wrote:
| Its keys or the token which gets the key from the TPM will
| probably be memory resident. I don't see encryption as a
| barrier to get relevant information.
|
| In the future, if I know Microsoft, this trove will be mined
| for "consumer oriented optimization and improvement of
| _Windows Experience_". This means at least a DLL or more
| probably an API will be present to tap into that data, which
| can be (ab)used by third parties.
|
| So, even if it's stored locally and be encrypted at rest, it
| doesn't mean it'll be completely unavailable to Microsoft or
| third parties.
|
| Oh, lastly, I'm sure that there'll be at least one forensics
| company which will build a tool to dump this data, making
| governments do a little happy dance.
| dgellow wrote:
| We will see. I still have some hopes, call me foolish or
| naive, that Microsoft will implement Recall in way that
| would be compliant with EU GDPR. The user is in control and
| can decide how data are being accessed. So far that's what
| I've seen, users can control applications, website that are
| saved, and for how long. They can also easily delete a
| timeframe of data.
|
| But if I'm honest I would never use that feature if I lived
| outside of the EU; I don't know another regulatory body big
| tech is taking seriously.
| a0123 wrote:
| That's fine then because no one has ever managed to get
| around a single security measure, especially not in the world
| of computing.
| TiredOfLife wrote:
| Also never ever make any notes or take any photos/video of
| anything. Talk only face to face in a cone of silence.
| buran77 wrote:
| The sarcasm made an already shaky point even worse.
|
| There's a huge difference in magnitude here (writing a note
| vs. screen grabbing _everything_ you ever do on the
| computer), and also a difference of awareness (intently
| recording one moment in time with a photo vs. almost
| unconsciously being recorded all the time even if you enabled
| it).
|
| These simplistic fallacies are the result of very superficial
| assessments. Either an apparently small mistake leads to a
| wildly wrong conclusion (being overheard once is the same as
| being overheard all the time, because overheard is
| overheard), or everything is justifiable in small increments
| so you just loop through them as many times as it takes to
| get to a wildly unacceptable result (if one photo is ok, then
| two photos are ok, and just iterate it until you get 30
| photos per second of constant video surveillance, you just
| said you're fine with one more photo).
|
| Bottom line being you won't get anything of value out of such
| a conversation. I know I don't.
| VS1999 wrote:
| This dismissive, snarky one-liner only works if people
| already overwhelmingly agree with you. Most people are tired
| of companies adding more and more surveillance "features" and
| grew up in a time that set a higher bar for how much privacy
| they're willing to give away. A user taking a note? Sure. The
| OS recording everything you do 24/7 to send through an AI?
| Maybe we need new legislation to address your behavior.
| Renaud wrote:
| Isn't MS Rewind/Recall supposed to be encrypted and offline,
| on-device only? I don't see how it could be anything else and
| pass any data-protection regulation (in the EU, at least).
|
| It's a hazard and its usefulness needs to be balanced with
| other needs, but on a work machine that belongs to me, it could
| be useful. Now, if my boss has unfettered access to this data,
| or any of it is online, then obviously it's a no no.
|
| Understanding the implications of tools like this is necessary.
| I'm not too optimistic that the general user will fully
| understand these implications though. That's one of the main
| dangers with these technologies: promises are made, people don't
| think twice and overshare, and the data is used against their
| interests.
|
| However, I want it to exist, MS or Open Source, preferably,
| but only if I get 100% control over it, and it is never
| accessible to anyone else.
|
| Having said that, I'm very much aware that most implementations
| of these tools will become a security and surveillance
| nightmare.
|
| The next few years are going to be interesting, and probably
| frightening.
| sandworm101 wrote:
| >> Isn't MS Rewind/Recall supposed to be encrypted and
| offline, on-device only?
|
| From what I have been reading, the raw data is meant to
| remain local (the screen recordings) but I am unclear about
| the indexed AI-generated metadata. For instance, if the AI
| identified that you used X software at Y time to complete Z
| task, are the XYZ tags kept local or archived elsewhere? That
| might not violate many privacy rules. Either way, they
| certainly _could_ be uploaded /shared very easily should
| Microsoft's policies change. I guess it is down to how much
| we all trust Microsoft long term.
|
| Personally, I will never accept someone recording my screens.
| In fact, running any such software on my work machine would
| violate a host of professional rules.
| jkaplowitz wrote:
| I can't imagine them not providing a way to turn Recall
| off, for reasons like the ones you describe.
| sandworm101 wrote:
| Oh I'm very sure there will be a box to untick, which we
| will all have to dutifully check after every tiny
| software update.
| loeg wrote:
| If the data can be accessed by the user, it can be accessed
| programmatically -- no? It's available locally for something
| malicious to exfiltrate.
| Dylan16807 wrote:
| So Rewind expands the "locally malicious software" scenario
| from "it accesses all my files and it can monitor me going
| forward" to "it accesses all my files and it can monitor me
| retroactively for a few months and also going forward"?
|
| That's a little bit worse but not much worse.
| mrangle wrote:
| >I don't see how it could be anything else and pass any
| data-protection regulation
|
| >Having said that, I'm very much aware that most
| implementation of these tools will become a security and
| surveillance nightmare.
|
| The contradiction of the quoted statements nullifies anyone's
| ability to make sense of the theme in the post.
| Renaud wrote:
| No real contradiction: MS implementation is probably in
| line with current data protection regulations. Everyone has
| eyes on them.
|
| Doesn't mean others will take as much care, or that new
| cool tools will not push the boundaries of what's ethical,
| safe or even legal.
|
| We've seen it with many industries, not least the ad
| industry: some actors stay within the dotted line, but
| there is tremendous financial incentive not to.
| urbandw311er wrote:
| So 17Tb of screenshot data from the last 7 years is doing the
| rounds in the wild? An AI will have a field day extracting
| whatever kinds of specific juicy details an attacker could ever
| want.
|
| "Give me a list of all the credit card numbers" "Give me any
| emails where somebody is asking a lawyer to block publication of
| something" Etc
| squigz wrote:
| I don't think the AI's day is going to be any different,
| really.
| araes wrote:
| Notably other issues (from the publisher):
|
| > pcTattletale is a discreet and powerful tool that records and
| shows you the online activities of your _employees and
| children_. (emphasis mine)
|
| Work computers with work secrets and children's computers with
| children's data. 17,000,000,000,000 bytes of such data. Maybe
| 5,000,000 screens if it was "normal" cell images. (Based on say
| a 3 MB screen, which might be large. If it's all XGA, or SXGA,
| or something, it may be way more screens.)
| rgmerk wrote:
| This kind of thing has happened repeatedly, but kinda misses the
| point.
|
| Stalkerware is designed and built as a tool of abuse. The people
| who create it are looking to profit off that abuse.
|
| More effort should be devoted to prosecuting these
| bottom-feeders.
| TiredOfLife wrote:
| US and other countries are moving to classify more and more
| things as "not a crime" like car theft or shoplifting. So don't
| hold your hope up.
| ziddoap wrote:
| Can you back this up somehow?
|
| I haven't heard of or seen anything indicating that the US,
| or any other country, is trying to make car theft or petty
| theft legal.
| halfcat wrote:
| They're probably referring to situations in California
| where people walk out with merchandise because the
| penalties are less than the merch they're getting.
|
| It's less of a "the way things are headed" in the US, and
| more of a side effect of the state-level political games
| each side is playing, where blue states score points by
| loosening penalties, and red states score points by
| tightening penalties.
|
| Neither population of state citizens is right or wrong, but
| rather they're all pawns. As someone put it, the
| politicians have organized the country into two LARPing
| teams to keep everyone distracted while they run out the
| back door with the money.
| mk67 wrote:
| From what I read it's not prosecuted in San Francisco e.g.
| anymore.
| badgersnake wrote:
| All the users' password hashes (in MD5, so basically their
| plaintext passwords) got leaked as well.
| mmsc wrote:
| what makes this file such an interesting find, though, is that
| the shell has been present since at least december 2011
|
| It's really easy to change the creation date of a file by
| changing the system clock for a millisecond, and create a file,
| before changing the clock back to normal. Some people like to do
| this to avoid their back doors being found by IR doing a "find"
| for any newly created files.
| zaxomi wrote:
| No need to change the system clock for a millisecond. The
| operating system has an API for changing all the timestamps of
| a file.
| vitus wrote:
| Indeed, that's what `touch -t 201101020304 /tmp/old-file` is
| for. (Although on ext4 it seems that you can't control the
| birth time; for that you would need to set your system
| clock.)
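The thread above notes that `touch -t` rewrites a file's access/modification times but cannot rewrite the ext4 birth time. The following check, added here as an example and not part of any comment in the thread, turns that into a forensics heuristic: a file whose modification time predates its birth time has had its timestamps backdated. It assumes GNU coreutils `stat` (`%W` prints the birth time, or 0 when the filesystem does not record one); the `timestomp_check` and `demo` function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project it discusses.
# Flags a file whose mtime is earlier than its birth time (crtime), which
# is what a `touch -t` backdate leaves behind on ext4.
# Exit codes: 0 = consistent, 1 = suspicious, 2 = birth time unavailable.
timestomp_check() {
  f="$1"
  birth=$(stat -c '%W' "$f" 2>/dev/null) || return 2   # GNU stat: birth time
  mtime=$(stat -c '%Y' "$f" 2>/dev/null) || return 2   # seconds since epoch
  # Older coreutils print '-' and some filesystems report 0 for unknown birth.
  case "$birth" in
    ''|'-'|0|*[!0-9]*)
      echo "unknown: $f (filesystem does not record birth time)"
      return 2 ;;
  esac
  if [ "$mtime" -lt "$birth" ]; then
    echo "suspicious: $f (mtime $mtime is before birth time $birth)"
    return 1
  fi
  echo "ok: $f"
  return 0
}

# Demo: create a fresh file, then backdate it exactly as the thread describes
# (constructed scratch file; 2011-01-02 03:04 is an arbitrary old timestamp).
demo() {
  d=$(mktemp -d)
  touch "$d/old-file"
  touch -t 201101020304 "$d/old-file"
  timestomp_check "$d/old-file"
  rc=$?
  rm -rf "$d"
  return $rc
}
```

Run `demo` on a birth-time-aware filesystem and it reports the backdated file as suspicious; on filesystems that do not expose crtime it says so instead of guessing.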
| gigatexal wrote:
| Just in time for Microsoft Rewind or whatever it's called.
| userbinator wrote:
| _Unfortunately there are 86400 timestamps per day, so enumerating
| this across all days and all devices would take forever._
|
| _Instead we'll use a heuristic: we'll start with the last
| screenshot and subtract one second at a time, downloading from
| each and seeing if we get a valid photo or the error XML that
| comes up if no screenshot was taken at that second. If we get the
| error XML 20 times in a row, we'll assume the recording is over
| and give up._
|
| Binary search?
| abtinf wrote:
| This, and the other stalkerware linked to in the article, is what
| everyone on iOS can look forward to thanks to the EU.
| EMIRELADERO wrote:
| Care to elaborate? I thought Chat Control laws and similar were
| deemed "unconstitutional" by the ECHR
| abtinf wrote:
| Sideloading.
| wackget wrote:
| You mean the ability to install your choice of software on a
| device that you own is dangerous????? Someone should tell the
| authors of literally every other operating system ever made
| about this astonishing discovery!
| abtinf wrote:
| They should. Every major platform has this issue
| _pervasively_, _except_ for iOS.
|
| People like you have decided that you own my phone, not me.
| You get to tell me and Apple how I have to use my phone, just
| because you don't like that _my choice of software_ is a
| locked down device.
| VS1999 wrote:
| You don't have to use your phone any way. Just don't
| download something if you don't want it, silly.
| justin_oaks wrote:
| > the pcTattletale client api returns raw aws credentials. it's
| intended to allow screenshots to be directly uploaded to the
| storage bucket, which is already terrible enough on its own, but
| it's worsened by the fact that these credentials are the same for
| all devices and provide full unscoped access to Fleming's aws
| infrastructure
|
| (From the Maia arson crimew blog post linked in the article)
|
| This is my favorite part of the story. This is one of the worst
| decisions you can make when developing an app that uses cloud
| resources.
|
| It's so pathetic that it makes me wish that we could revoke
| someone's license to write code.
| halfcat wrote:
| It appears that this is installed to the path below on Windows,
| if you want to check if it's running on your PC:
|
| C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler
|
| Using one of these executable names:
|
| mssched.exe
|
| jusched32.exe
| imchillyb wrote:
| My Grandfather: "Don't write anything down that you don't want
| others to see."
|
| Those words have been with me since I was 8 years old. The truth
| of them resounds throughout history, and well into the distant
| future.
|
| Ignore them at your peril.
___________________________________________________________________
(page generated 2024-05-27 23:01 UTC)