hermanzegerman 5 hours ago

They could just ask before uploading your encryption key to the cloud. Instead they force people to use a Microsoft Account to set up their Windows and store the key without explicit consent

cornholio 5 hours ago | parent | next [-]

That's a crypto architecture design choice, MS opted for the user-friendly key escrow option instead of the more secure strong local key - that requires a competent user setting a strong password and saving recovery codes, understanding the disastrous implication of a key loss etc.

Given the abilities of the median MS client, the better choice is not obvious at all, while "protecting from a nation-state adversary" was definitely not one of the goals.

wobfan 5 hours ago | parent | next [-]

While you're right, they also went out of their way to prevent competent users from using local accounts and/or not upload their BitLocker keys.

I could understand if the default is an online account + automatic key upload, but only if you add an opt-out option to it. It might not even be visible by default, like, idk, hide it somewhere so that you can be sure that the median MS user won't see it and won't think about it. But just fully refusing to allow your users to decide against uploading the encryption key to your servers is evil, straight up.

xp84 4 hours ago | parent | next [-]

I really doubt those motives are "evil." They're in the business of selling and supporting an OS. Most people couldn't safeguard a 10-byte password on their own, they're not going to have a solution for saving their encryption key that keeps it safer than it'd be with Microsoft, and that goes for both criminals (or people otherwise facing law enforcement scrutiny) and normal grandmas who just want to not have all their pictures and recipes lost.

Before recently, normal people who get arrested and have their computer seized were 100% guaranteed that the cops could read their hard drive and society didn't fall apart. Today, the chances the cops can figure out how to read a given hard drive are probably a bit less. If someone needs better security against the actual government (and I'm hoping that person is a super cool brave journalist and not a terrorist), they should be handling their own encryption at the application layer and keeping their keys safe on their own, and probably using Linux.

pocksuppet 2 hours ago | parent [-]

[dead]

bri3d 3 hours ago | parent | prev | next [-]

The OOBE (out of box experience) uploads the key by default (it tells you it’s doing it, but it’s a bit challenging to figure out how to avoid it) but any other setup method specifically asks where to back up your key, and you can choose not to. The way to avoid enrollment is to enable Bitlocker later than OOBE.

I really think that enabling BitLocker with an escrowed key during OOBE is the right choice, the protection to risk balance for a “normal” user is good. Power users who are worried about government compulsion can still set up their system to be more hardened.

JasonADrury 5 hours ago | parent | prev | next [-]

You can just ... not select the option to upload your keys to MS? During the setup you get to choose where to store your bitlocker recovery key.

jcovik 4 hours ago | parent [-]

The last time I installed Windows, BitLocker was enabled automatically and the key was uploaded without my consent.

Yes, you can opt out of it while manually activating BitLocker, but I find it infuriating that there's no such choice at the system installation process. It's stupid that after system installation a user is supposed to re-encrypt their system drive if they don't want this.

vel0city 2 hours ago | parent | prev | next [-]

It's a few clicks to choose to re-key and not have the key saved to your Microsoft account.
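The post-install route that bri3d, jcovik and vel0city are describing (enable BitLocker outside OOBE, or re-key afterwards so the recovery password escrowed during OOBE is retired) looks like this in PowerShell. This is an added example, not code from the thread or from Microsoft. It assumes an OS volume that is already encrypted with a TPM protector, an elevated shell, and a `$BackupPath` parameter (my name) pointing at removable media; the cmdlets are the ones from the built-in `BitLocker` module.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): inspect the BitLocker state of the OS volume,
# then rotate the recovery password so that any copy escrowed during OOBE no longer
# unlocks the disk. The new password is written to a local path you choose (e.g. a
# USB stick) instead of being uploaded. $BackupPath is an assumed parameter name.
param(
    [string]$MountPoint = $env:SystemDrive,
    [Parameter(Mandatory)][string]$BackupPath   # e.g. E:\bitlocker-recovery.txt on removable media
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0} VolumeStatus={1} ProtectionStatus={2} Method={3}" -f $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# Every recovery password protector has a GUID (KeyProtectorId). The ID listed next to
# a key in your Microsoft account is this same GUID, so you can tell whether the
# escrowed copy still corresponds to a live protector on the disk.
$oldRecovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
foreach ($kp in $vol.KeyProtector) {
    "  protector {0,-20} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
}

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "Volume is not encrypted; nothing to rotate. Enable-BitLocker -MountPoint $MountPoint -TpmProtector first, then add a recovery password."
    return
}

# 1. Add a fresh recovery password BEFORE removing anything, so the drive is never
#    left with only the TPM protector (a firmware update would then lock you out).
$new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
       Where-Object { $oldRecovery.KeyProtectorId -notcontains $_.KeyProtectorId }

# 2. Store it locally, and verify the file really contains it before continuing.
"Volume: $MountPoint`nKey protector ID: $($new.KeyProtectorId)`nRecovery password: $($new.RecoveryPassword)" |
    Set-Content -Path $BackupPath -Encoding ASCII
if (-not (Select-String -Path $BackupPath -Pattern $new.RecoveryPassword -SimpleMatch -Quiet)) {
    throw "Backup at $BackupPath does not contain the new recovery password; aborting before removing old protectors."
}

# 3. Remove the old recovery password protector(s). The escrowed copy then still shows
#    up on the account page, but it no longer unwraps the volume master key.
foreach ($kp in $oldRecovery) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    "  removed old recovery protector $($kp.KeyProtectorId)"
}

# 4. Final state, to compare against the recovery key list in the Microsoft account
#    (https://account.microsoft.com/devices/recoverykey). Only the new ID should be live.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

Two points a practitioner would want stated plainly. First, re-encrypting the drive is not required: BitLocker protectors (TPM, recovery password, startup key) each wrap the volume master key, so removing the OOBE-era recovery password protector is enough to make the copy Microsoft holds useless; the data key on disk never changes. Second, rotation is only as good as the policy on the machine: on an Entra ID-joined or Intune-managed device, policy can back the new recovery password up again, so after running this, check the account's recovery key list and confirm the new `KeyProtectorId` is not there. The stale OOBE entry will remain listed until you delete it manually, which is harmless but worth cleaning up.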

varispeed 4 hours ago | parent | prev [-]

Maybe three letter agencies prevented them from giving that option.

cylemons 4 hours ago | parent [-]

Surely that's not legal is it? Can the government force companies to include spyware?

dexterdog 3 hours ago | parent | next [-]

No, but they can tie it to the consideration of software and services contracts which has the same effect.

Jigsy 3 hours ago | parent | prev [-]

That's one of the ideas the British government had a few months back...

aprentic 4 hours ago | parent | prev | next [-]

Yes and they had to lie to sell that option.

If they honestly informed customers about the tradeoff between security and convenience they'd certainly have far fewer customers. Instead they lead people to believe that they can get that convenience for free.

The obvious better choice is transparency.

xp84 3 hours ago | parent [-]

> tradeoff between security and convenience they'd certainly have far fewer customers

What? Most people, thinking through the tradeoff, would 100% not choose to be in charge of safeguarding their own key, because they're more worried about losing everything on their PC, than they are about going to jail. Because most people aren't planning on doing crime. Yes, I know people can be wrongly accused and stuff, but overall most people aren't thinking of that as their main worry.

aprentic 2 hours ago | parent [-]

That's exactly what I mean.

If you tell people, "I'll take care of safeguarding your key for you," it sounds like you're just doing them a favor.

It would be more honest to say, "I can hold on to a copy of your key and automatically unlock your data when we think you need it opened," but that would make it too obvious that they might do so without your permission.

kelnos 2 hours ago | parent [-]

I think most people would be ok with your second formulation too.

dmurray 4 hours ago | parent | prev | next [-]

Protecting from a nation state adversary should probably be a goal for the kind of enterprise software MS sells.

Protecting from specifically the nation state that hosts and regulates Microsoft and its biggest clients, probably not.

tucnak 4 hours ago | parent | prev | next [-]

This is a consent issue, and visibility thereof, not "crypto architecture"

jeroenhd 2 hours ago | parent | prev [-]

They could still have asked. They do if you enable Bitlocker outside of the OOBE.

This story is just yet another confirmation of what used to be the "the americans have bugged most computers in the world" conspiracy theory.

I hope Microsoft wakes up to the changes in the way America is being viewed these days, because they stand to lose a lot of business if they don't.

shevy-java 4 hours ago | parent | prev | next [-]

It makes sense if you consider the possibility of a secret deal between the government and a giant corporation. The deal is that people's data is never secure.

It's a nightmare actually.

JasonADrury 5 hours ago | parent | prev | next [-]

The alternative is just not having FDE on by default, it really isn't "require utterly clueless non-technical users to go through complicated opt-in procedure for backups to avoid losing all their data when they forget their password".

And AFAICT, they do ask, even if the flow is clearly designed to get the user to back up their keys online.

jeroenhd 2 hours ago | parent | next [-]

Phones have had FDE enabled by default for years. Nobody needs backup keys for those.

Of course this feature comes at the cost of no longer being able to have low level control over your device, but this isn't a binary choice.

JasonADrury 26 minutes ago | parent [-]

>Phones have had FDE enabled by default for years. Nobody needs backup keys for those.

Yes, phones just try to back up all of your data online.

antiframe 4 hours ago | parent | prev | next [-]

No, encryption keys should never be uploaded to someone else's computer unencrypted. The OOBE should give users a choice between no FDE or FDE with a warning that they should not forget their password or FDE and Microsoft has their key and will be able to recover their disk and would be compelled to share the key with law enforcement. By giving the user the three options with consequences you empower the user to address their threat model how they see fit. There is no good default choice here. The trade offs are too varied.

JasonADrury 3 hours ago | parent [-]

Always on FDE with online backups is a perfectly reasonable default. The OOBE does offer the users the choice to not back up their key online, even if it's displayed less prominently.

>By giving the user the three options with consequences you empower the user to address their threat model how they see fit.

Making it too easy for uneducated users to make poor choices is terrible software design.

xp84 3 hours ago | parent | prev [-]

> The alternative is just not having FDE on by default

yes, it would be. So, the current way, 99% of people are benefitting from knowing their data is secure when very common thefts occur, and 1% of people have the same outcome as if their disk was unencrypted: When they're arrested and their computers seized, the cops have their crime secrets. What's wrong?

p_ing 5 hours ago | parent | prev [-]

Forcing implies there are zero ways to begin with a local only account (or other non-Microsoft Account). That's simply not true.

bdavbdav 5 hours ago | parent [-]

Disagree. If the path is shrouded behind key presses and commands which are unpublished by MS (and in some instances routes that have been closed), it may as well be.

p_ing 5 hours ago | parent [-]

> it may as well be.

That defies the definition of "forced". Forced means no option. You can disagree all you want -- but at a technical level, you're incorrect.

bad_haircut72 4 hours ago | parent | next [-]

I'm going to shoot you unless you say the magic word - and technically I'm not even forcing you into it, you could have said the magic word and got out of it!! What's the magic word? Not telling!

selfhoster11 5 hours ago | parent | prev [-]

Try doing this as a normie without technical guidance. Technically correct, this time, is not the benchmark.

rvnx 4 hours ago | parent [-]

Anyway Microsoft and any software developer can be compelled to practically do anything, you don't want to be blocked in some jurisdictions (even less the US) and the managers do not want to go to jail to protect a terrorist, especially if nobody is going to know that they helped.

Some even go so far as to push an update that exfiltrates data from a device (and some even do so on their own initiative).

And even if you are not legally compelled, money or influence can go a long way. For example, the fact that HTTPS communications were decipherable by the NSA for almost 20 years, or, whoops, no contract with DoD ("not safe enough"...)

Once the data is in the hands of the intelligence services, from a procedure perspective they can choose what to do next (e.g. to officialize this data collection through physical collection of the device, or do nothing and try to find a more juicy target).

It's not in the interest of anyone to prevent such collection agreements with governments. It's just Prism v2.

So it seems normal that Microsoft gives the keys, the same way that Cloudflare may give information about you and the others. They don't want to have their lives ruined for you.