ONE OF THE EXCELLENT FEATURES of new Windows devices is that disk encryption is built in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well known is that, if you are like most users and log in to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key (which can be used to unlock your encrypted disk) to Microsoft’s servers, probably without your knowledge and without an option to opt out.
During the “crypto wars” of the ’90s, the National Security Agency developed an encryption backdoor technology — endorsed and promoted by the Clinton administration — called the Clipper chip, which it hoped telecom companies would use to sell backdoored crypto phones. Essentially, every phone with a Clipper chip would come with an encryption key, but the government would also get a copy of that key — this is known as key escrow — with the promise to only use it in response to a valid warrant. But due to public outcry and the availability of encryption tools like PGP, which the government didn’t control, the Clipper chip program ceased to be relevant by 1996. (Today, most phone calls still aren’t encrypted. You can use the free, open source, backdoorless Signal app to make encrypted calls.)
The fact that new Windows devices require users to back up their recovery key on Microsoft’s servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts (you can skip to the bottom of this article to learn how), something that people never had the option to do with the Clipper chip system. But they can only delete it after they’ve already uploaded it to the cloud.
“The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well,” says Matthew Green, professor of cryptography at Johns Hopkins University. “There are certainly cases where it’s helpful to have a backup of your key or password. In those cases you might opt in to have a company store that information. But handing your keys to a company like Microsoft fundamentally changes the security properties of a disk encryption system.”
As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel it to hand over your recovery key, which it could do even if the first thing you do after setting up your computer is delete it.
As Green puts it, “Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.”
Of course, keeping a backup of your recovery key in your Microsoft account is genuinely useful for probably the majority of Windows users, which is why Microsoft designed the encryption scheme, known as “device encryption,” this way. If something goes wrong with your encrypted Windows computer (a firmware update or hardware change that alters what the TPM measures at boot, a dead motherboard that forces you to read the drive from another machine, or a TPM that simply stops working), you’re going to need this recovery key to gain access to any of your files. Microsoft would rather give its customers weaker disk encryption than risk their data.
“When a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically backup the user recovery key,” a Microsoft spokesperson told me. “The recovery key requires physical access to the user device and is not useful without it.”
After you finish setting up your Windows computer, you can log in to your Microsoft account and delete the recovery key. Is this secure enough? “If Microsoft doesn’t keep backups, maybe,” says Green. “But it’s hard to guarantee that. And for people who aren’t aware of the risk, opt-out seems risky.”
This policy is in stark contrast to Microsoft’s major competitor, Apple. New Macs also ship with built-in and default disk encryption: a technology known as FileVault. Like Microsoft, Apple lets you store a backup of your recovery key in your iCloud account. But in Apple’s case, it’s an option. When you set up a Mac for the first time, you can uncheck a box if you don’t want to send your key to Apple’s servers.
This policy is also in contrast to Microsoft’s premium disk encryption product called BitLocker, which isn’t the same thing as what Microsoft refers to as device encryption. When you turn on BitLocker you’re forced to make a backup of your recovery key, but you get three options: save it in your Microsoft account, save it to a USB stick, or print it.
To fully understand the different disk encryption features that Windows offers, you need to know some Microsoft jargon. Windows comes in different editions: Home (the cheapest), Pro, and Enterprise (more expensive). Windows Home includes device encryption, which started to become available during Windows 8, and requires your computer to have a Trusted Platform Module (TPM), a tamper-resistant chip that stores encryption keys, plus firmware that meets Microsoft’s device encryption requirements, something most new consumer PCs have. Pro and Enterprise both include device encryption, and they also include BitLocker, which started to become available during Windows Vista, but only for the premium editions. Under the hood, device encryption and BitLocker are the same thing: the same driver, the same on-disk format, the same key protectors. The difference is there’s only one way to use device encryption, but BitLocker is configurable.
If you’re using a recent version of Windows, and your computer has the encryption chip, and if you have a Microsoft account, your disk will automatically get encrypted, and your recovery key will get sent to Microsoft. If you log in to Windows using your company’s or university’s Windows domain, then your recovery key will get sent to a server controlled by your company or university instead of Microsoft (Active Directory, in that case), but still, you can’t prevent device encryption from sending your recovery key. If you choose to not use a Microsoft or a domain account at all and instead create a “local only” account, then you don’t get disk encryption: the drive may be written in encrypted form, but with a “clear” key stored on the disk itself, which protects nothing.
BitLocker, on the other hand, gives you more control. When you turn on BitLocker you get the choice to store your recovery key locally, among other options. But if you buy a new Windows device, even if it supports BitLocker, you’ll be using device encryption when you first set it up, and you’ll automatically send your recovery key to Microsoft.
In short, there is no way to prevent a new Windows device from uploading your recovery key the first time you log in to your Microsoft account, even if you have a Pro or Enterprise edition of Windows. And this is worse than just Microsoft choosing an insecure default option. Windows Home users don’t get the choice to not upload their recovery key at all. And while Windows Pro and Enterprise users do get the choice (because they can use BitLocker), they can’t exercise that choice until after they’ve already uploaded their recovery key to Microsoft’s servers.
Go to the recovery key page for your Microsoft account and log in; this will be the same username and password that you use to log in to your Windows device. Once you’re in, it will show you a list of recovery keys backed up to your account, each labeled with the key ID that the BitLocker recovery screen also displays.
If any of your Windows devices are listed, this means that Microsoft, or anyone who manages to access data in your Microsoft account, is technically able to unlock your encrypted disk, without your consent, as long as they have physical access to your computer or a full copy of its disk. You can go ahead and delete your recovery key on this page, but you may want to back it up locally first, for example by writing it down on a piece of paper that you keep somewhere safe.
If you don’t see any recovery keys, then you either don’t have an encrypted disk, or Microsoft doesn’t have a copy of your recovery key. This might be the case if you’re using BitLocker and didn’t upload your recovery key when you first turned it on.
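As an added check (example code, not from the original article or from Microsoft), the PowerShell function below reads the local BitLocker metadata so you can match the recovery password ID of your own drive against the key IDs listed on the Microsoft account page, and it flags the two states a practitioner cares about: a volume with no recovery password at all, and a volume that is encrypted but unprotected by a clear key. It assumes the built-in BitLocker module (Windows 10 Pro or Enterprise) and an elevated prompt; the function name and the warning texts are this example’s own.

```powershell
# Added example: inspect BitLocker key protectors on the local machine (elevated PowerShell).
# Assumes the built-in BitLocker module; on editions without it, `manage-bde -status` gives
# similar information in text form.
function Get-BitLockerProtectorReport {
    param([string]$MountPoint = $env:SystemDrive)   # normally 'C:'

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $warnings    = @()
    $recoveryIds = @()
    $types       = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })

    foreach ($kp in $vol.KeyProtector) {
        if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
            # KeyProtectorId is a GUID in braces. The Microsoft account page and the
            # BitLocker recovery screen show this ID, so it can be matched against the list.
            $recoveryIds += $kp.KeyProtectorId.Trim('{', '}')
        }
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $warnings += 'Volume is not encrypted.'
    }
    elseif ($vol.ProtectionStatus -eq 'Off') {
        # Encrypted, but a clear key on the disk unlocks it: protection was never turned on
        # (no account to back the recovery key up to) or BitLocker is currently suspended.
        $warnings += 'Volume is encrypted but unprotected (clear key present).'
    }
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types | Where-Object { $_ -like 'Tpm*' })) {
        $warnings += 'No TPM protector: every boot needs a password, startup key or recovery key.'
    }
    if ($recoveryIds.Count -eq 0 -and $vol.VolumeStatus -ne 'FullyDecrypted') {
        $warnings += 'No recovery password protector: a TPM failure means the data is gone.'
    }

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = "$($vol.VolumeStatus)"
        EncryptionPercent   = $vol.EncryptionPercentage
        EncryptionMethod    = "$($vol.EncryptionMethod)"
        ProtectionStatus    = "$($vol.ProtectionStatus)"
        Protectors          = $types
        RecoveryPasswordIds = $recoveryIds
        Warnings            = $warnings
    }
}

Get-BitLockerProtectorReport | Format-List
```

If the ID under RecoveryPasswordIds appears on the account page, the key Microsoft holds is the one that unlocks this drive; if the page lists an ID that no longer appears locally, that entry belongs to an earlier encryption of the drive and can be deleted without losing anything.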
When you delete your recovery key from your account on this website, Microsoft promises that it gets deleted immediately, and that copies stored on its backup drives get deleted shortly thereafter as well. “The recovery key password is deleted right away from the customer’s online profile. As the drives that are used for failover and backup are sync’d up with the latest data the keys are removed,” a Microsoft spokesperson assured me.
If you have sensitive data that’s stored on your laptop, in some cases it might be safer to completely stop using your old encryption key and generate a new one that you never send to Microsoft. This way you can be entirely sure that the copy that used to be on Microsoft’s server hasn’t already been compromised.
Update: After this article was published, Ars Technica wrote about a method for preventing the recovery key you sent to Microsoft from being able to unlock your disk that doesn’t require upgrading from Windows Home to Pro or Enterprise. However if you already have a Pro or Enterprise edition, following the rest of the steps in this article might be simpler.
In order to generate a new disk encryption key, this time without giving a copy to Microsoft, you need to decrypt your whole hard disk and then re-encrypt it, but this time in such a way that you’ll actually get asked how you want to back up your recovery key.
This is only possible if you have Windows Pro or Enterprise (on Windows 7, the Ultimate or Enterprise editions). Unfortunately, the only thing you can do if you have the Home edition is upgrade to a more expensive edition or use non-Microsoft disk encryption software, such as BestCrypt, which you have to pay for. You may also be able to get open source encryption software like VeraCrypt working, but sadly the open source options for full disk encryption in Windows don’t currently work well with modern PC hardware (as touched on here).
Go to Start, type “bitlocker,” and click “Manage BitLocker” to open BitLocker Drive Encryption settings.
From here, click “Turn off BitLocker.” It will warn you that your disk will get decrypted and that it may take some time. Go ahead and continue. You can use your computer while it’s decrypting.
After your disk is finished decrypting, you need to turn BitLocker back on. Back in the BitLocker Drive Encryption settings, click “Turn on BitLocker.”
It will check to see if your computer supports BitLocker, and then it will ask you how you want to backup your recovery key. It sure would be nice if it asked you this when you first set up your computer.
If you choose to save it to a file, it will make you save it onto a disk that you’re not currently encrypting, such as a USB stick. Or you can choose to print it and keep a hard copy. You must choose one of them to continue, but make sure you don’t choose “Save to your Microsoft account.”
On the next page it will ask you if you want to encrypt used disk space only (faster) or encrypt your entire disk including empty space (slower). Used-space-only leaves whatever is still sitting in free space from before (deleted files, old swap contents) in the clear, so if you want to be on the safe side, choose the latter. Then on the next page it will ask you if you wish to run the BitLocker system check, which you should probably do.
Finally, it will make you reboot your computer.
When you boot back up your hard disk will be encrypting in the background. At this point you can check your Microsoft account again to see if Windows uploaded your recovery key – it shouldn’t have.
Now just wait for your disk to finish encrypting. Congratulations: Your disk is encrypted and Microsoft no longer has the ability to unlock it.
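The whole procedure above, as an added PowerShell example that is not from the original article or from Microsoft. It assumes Windows 10 Pro or Enterprise with a TPM, an elevated PowerShell session, the built-in BitLocker module, and a USB stick mounted at E: (the $UsbRoot value is an assumption; change it to match your drive). The cmdlet sequence mirrors the GUI steps: turn BitLocker off, wait for decryption, turn it back on with a recovery password that you save yourself plus a TPM protector, full-disk rather than used-space-only, and the system check on reboot. Run it one step at a time rather than as a single script, and open the saved key file to confirm it is readable before you reboot.

```powershell
# Added example, not from the original article. Windows 10 Pro/Enterprise, TPM present,
# elevated PowerShell. $UsbRoot is an assumption: point it at a drive that is NOT the one
# being encrypted. Each step is long-running; run the next one when the previous finished.
$MountPoint = $env:SystemDrive     # normally 'C:'
$UsbRoot    = 'E:\'

function Wait-BitLockerVolumeStatus {
    param([string]$MountPoint, [string]$Target, [int]$PollSeconds = 30)
    do {
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('{0}: {1} ({2}% encrypted)' -f $MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
        if ("$($v.VolumeStatus)" -ne $Target) { Start-Sleep -Seconds $PollSeconds }
    } while ("$($v.VolumeStatus)" -ne $Target)
}

function Save-RecoveryPasswordToFile {
    param([string]$MountPoint, [string]$Folder)
    # The GUI refuses to save the key on the volume being encrypted; do the same here.
    if ((Split-Path -Qualifier $Folder) -eq $MountPoint) {
        throw "Refusing to save the recovery key on $MountPoint itself."
    }
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    if (-not $rp) { throw 'No recovery password protector found.' }
    $id   = $rp.KeyProtectorId.Trim('{', '}')
    $file = Join-Path $Folder "BitLocker Recovery Key $id.txt"
    @("Identifier: $id", "Recovery Key: $($rp.RecoveryPassword)") | Set-Content -Path $file -Encoding ASCII
    return $file
}

# Step 1: turn BitLocker off. Decryption discards the old FVEK, so the recovery password
#         Microsoft holds (and any key package backed up with it) no longer unlocks anything.
Disable-BitLocker -MountPoint $MountPoint | Out-Null
Wait-BitLockerVolumeStatus -MountPoint $MountPoint -Target 'FullyDecrypted'

# Step 2: turn it back on with a fresh FVEK. Omitting -UsedSpaceOnly encrypts the whole
#         volume, free space included. Omitting -SkipHardwareTest makes BitLocker run the
#         system check on the next boot and start encrypting only after it passes.
#         XtsAes256 needs Windows 10 1511 or later; use Aes256 on older builds.
#         (Assumption: recovery password first, then TPM protector; verify with step 3.)
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

# Step 3: make sure both protectors exist before trusting the reboot to the TPM.
$types = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
if (-not ($types -contains 'Tpm' -and $types -contains 'RecoveryPassword')) {
    throw "Expected Tpm and RecoveryPassword protectors, found: $($types -join ', ')"
}

# Step 4: keep the recovery password off the cloud: USB stick (or print the file).
$saved = Save-RecoveryPasswordToFile -MountPoint $MountPoint -Folder $UsbRoot
Write-Host "Recovery key saved to $saved; confirm the file opens, then reboot."

# Step 5: reboot for the system check; encryption then runs in the background.
# Restart-Computer
# After the reboot:  Wait-BitLockerVolumeStatus -MountPoint $MountPoint -Target 'FullyEncrypted'
```

Nothing in this flow calls the GUI’s “Save to your Microsoft account” option (or the BackupToAAD-BitLockerKeyProtector cmdlet that uploads to Azure AD), so no copy of the new recovery password leaves the machine; the recovery key page in your Microsoft account should still show nothing for this device afterwards.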
“Congratulations: Your disk is encrypted and Microsoft no longer has the ability to unlock it.”
What a crock of Bull…
Microsoft and its partners make money by providing law enforcement with ways to bypass encryption with forensics recovery utilising the Linux platform and has done for years. BitLocker keys are stored in the Windows registry from where they are easily recoverable to any analyst and your encryption scheme is already broken by default.
Not like any government department utilises encryption to any great extent anyway, because they just don’t get it. Can’t help but wonder if Obama was crying his eyes out on Friday because of Gun lobby laws or because he got the richly deserved smack down from cryptography providers about the fact that the entire US tech sphere is using and utilising “BROKEN” encryption standards and it’s only a matter of time before everybody else starts attacking those crypto-systems. They holler about terrorists etc., yet picture this, if you remove them from the online world, how do you continue to monitor their hateful message?
So you log into your PC with a cloud account, store your files in the cloud, and are now complaining that MS backs up your local encryption key? For 99.9% of users this is a Good Thing because when their HD/SSD eventually has a failure of some sort and the encryption key gets borked, they will have access to it to get to local content.
If you don’t want it, you can use a local account. Jesus, these non-stories are so annoying.
Hi Micah,
Thanks for the article. I had done something similar to this with my Windows 8 tablet when I still had it.
I recently purchased a new Asus Zenbook UX305 which comes by default with Windows 10 Home and TPM. BitLocker is nowhere to be found on the system. Every reference to it through system search is gone, whether using a Microsoft account or local account. There are still PowerShell cmdlets, but trying to use them says that BitLocker is not included in this edition of Windows. There doesn’t appear to be any way to turn it on with this laptop.
Regardless, I never bought it to run Windows because they always seem to cripple the consumer versions of Windows. It’s still dual booted, so I’d prefer to have Windows encrypted for the odd time that I do use it. LUKS + LVM seem to do the job quite nicely and I know that the encryption key isn’t stored in the TPM.
Andrew
Apparently none of you read the EULA that came with Windows 10.
If you did, there would be much more to talk about than storing private keys on the Internet.
Allow me to share, for those who don’t know yet:
“Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to:
1. Comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;
2. Protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone;
3. Operate & maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
4. Protect the rights or property of Microsoft, including enforcing the terms governing the use of the services.
However, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.”
Windows 10. Why do you need privacy? Trust us!
Micah lee*
Michal lee: Thank you for sharing the information . Well done!
Encryption under Windows or not, Microsoft has ported its “telemetry” (spyware, actually) to every version of Windows down to 2007. What this means in practical terms is that your keystrokes, mouse movements, and software interactions (all of them, Katie) are logged anyway and sent “anonymously” (hah) to Microsoft’s servers to analyse “how you operate software” so they can “better support you.”
And you can’t block it at the hosts list level because Microsoft just bakes it into essential .dlls that disable functional parts of its OS if you delete them (and Microsoft will just send them to you again anyway in an update, which if you have a consumer-level version of its OS is automatic by MS’s mandate).
This makes encryption under Windows a cruel joke.
If you want privacy, at all, you do /not/ use closed-source software. There is no way around this except by eschewing technology altogether.
After using and abusing computers since the 8 bit era, in light of recent events, that last sentence gets more and more attractive to me as time goes on, at least on a personal level.
ML, pls write the damn book!
It’s nonsense what you’re talking about. Device and encryption key are totally associated. You cannot decrypt the disk if you don’t have the device. So, which is the problem?
If you see a potential hacking business, I can say why the hackers focused on cryptolocker rather than exploring BitLocker, etc. The user is totally informed about encrypting methods. If he doesn’t trust it, so, he shouldn’t use email systems, Dropbox, OneDrive, etc.
Really I think that is a way to look for publicity and anyway it’s a way to make misinformation.
Happy 2016 to you all.
May you enjoy the new Windows 10 device that you got for Xmas!
Folks can you not see the writing on the wall, Windows is about to become on demand in the near future, you will have to log into MS to log in. Windows 10 is a big step in that direction.
When that day comes, linux
The problem with articles like this–the point of trusting microsoft is so you don’t have to think about any of this stuff.
You close your eyes and let it happen.
As soon as you have to perform and understand 160 steps to (supposedly) turn off telemetry, tracking, key recovery, etc., then you might as well be using linux and improving the community instead of lining the pockets of MS shareholders.
If you are forced to play the latest games or need a specific piece of software for work, then just buy a separate computer. They really aren’t that expensive.
If you have to do ten hours of work to prepare for your maid to come clean your house for six hours, then you might as well learn how to clean your own house.
Or you can use open source Linux and give Microsoft the finger
For those that feel the need to change their recovery password, the following is an easier, faster, and more direct method that works on any Windows 10 edition, including home…
https://2sevenblog.wordpress.com/2015/12/30/how-to-change-the-windows-bitlocker-recovery-key-for-an-encrypted-drive/
This would actually only generate a new recovery key. BUT it does not generate a new FVEK.
– The recovery password is a KEK (key encryption key) that can be used to decrypt the FVEK.
– The FVEK (full volume encryption key) is the key that is used to encrypt the data.
– A key package backup contains the FVEK and is protected with the recovery password.
https://msdn.microsoft.com/en-us/library/bb931360(VS.85).aspx
Once a recovery password has been replaced the old recovery password can not be used anymore to access the data.
But even if you generated a new recovery key and the old one is no longer valid, a previously backed up key package together with the old recovery key would still contain the FVEK.
So if you’re fearing that MS has a backup of the key you need to decrypt and re-encrypt the entire drive to generate a new FVEK.
BUT not encrypting a device because a backup key could possibly be stored at MS isn’t really a good idea. It’s way more likely that you lose your computer and someone accesses your data than that MS or any government organisation would try to access your machine…
And if they would like to: why should they try to access your device when it was powered off and is in the most secure state it can be.
Last but not least MS has announced on the official company blog that additional steps will be taken to ensure customer data is kept private and secure, which will be added on top of the work already carried out by Microsoft to prevent unauthorized access to accounts. Redmond will now notify you if it’s believed your account has been targeted or compromised by a party acting on behalf of governments.
http://www.windowscentral.com/microsoft-will-now-alert-you-should-your-account-be-targeted-governments
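The key layering described in the comment above (recovery password as KEK, FVEK encrypting the data, key package holding the FVEK) is easiest to see in code. The PowerShell below is an added example, not the commenter’s, the article’s or Microsoft’s; it is a toy model, not BitLocker’s real on-disk format or key derivation (PBKDF2 and AES-CBC stand in for the real primitives), and the recovery passwords and “volume” contents are constructed. It shows why rotating the recovery password changes nothing if an old key package has escaped, and why a fresh FVEK, which only a full decrypt and re-encrypt produces, is what actually cuts the old copy off.

```powershell
# Added example: toy model of BitLocker's key hierarchy (not the real format or KDF).
function New-RandomBytes([int]$Count) {
    $bytes = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ,$bytes
}

function Get-Kek([string]$RecoveryPassword, [byte[]]$Salt) {
    # Stretch the 48-digit recovery password into a 256-bit key-encryption key.
    # PBKDF2 is a stand-in for whatever BitLocker really does here.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($RecoveryPassword, $Salt, 100000)
    return ,$kdf.GetBytes(32)
}

function Protect-Bytes([byte[]]$Key, [byte[]]$Plaintext) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    return ,[byte[]]($aes.IV + $ct)          # IV || ciphertext
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    try   { return ,[byte[]]$aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16) }
    catch { return ,[byte[]]@() }            # wrong key: the padding check almost always fails
}

function Test-SameBytes([byte[]]$A, [byte[]]$B) {
    return [System.Linq.Enumerable]::SequenceEqual([byte[]]$A, [byte[]]$B)
}

function Invoke-KeyPackageDemo {
    $salt = New-RandomBytes 16
    $fvek = New-RandomBytes 32                # full volume encryption key: encrypts the data
    $data = [Text.Encoding]::UTF8.GetBytes('constructed sample: contents of the encrypted volume')
    $disk = Protect-Bytes $fvek $data

    # Constructed recovery password in BitLocker's 8x6-digit shape; the KEK derived from it
    # wraps the FVEK. The wrapped FVEK is the "key package"; suppose a backup holds both.
    $oldPassword = '111111-222222-333333-444444-555555-666666-777777-888888'
    $oldPackage  = Protect-Bytes (Get-Kek $oldPassword $salt) $fvek

    # "Rotate" the recovery password: the volume now carries a new package, same FVEK.
    $newPassword = '999999-888888-777777-666666-555555-444444-333333-222222'
    $newPackage  = Protect-Bytes (Get-Kek $newPassword $salt) $fvek

    $fvekFromBackup = Unprotect-Bytes (Get-Kek $oldPassword $salt) $oldPackage

    # The only fix: decrypt and re-encrypt under a fresh FVEK (the article's procedure).
    $fvek2 = New-RandomBytes 32
    $disk2 = Protect-Bytes $fvek2 $data

    [pscustomobject]@{
        OldPasswordOpensOldPackage   = Test-SameBytes $fvekFromBackup $fvek                              # True
        OldPasswordOpensNewPackage   = Test-SameBytes (Unprotect-Bytes (Get-Kek $oldPassword $salt) $newPackage) $fvek   # False
        BackupFvekDecryptsVolume     = Test-SameBytes (Unprotect-Bytes $fvekFromBackup $disk) $data      # True
        BackupFvekDecryptsReencrypted = Test-SameBytes (Unprotect-Bytes $fvekFromBackup $disk2) $data    # False
    }
}

Invoke-KeyPackageDemo | Format-List
```

The second line of the output is what the linked rotation method buys you: the old password no longer opens the current volume metadata. The third line is what it does not buy you: anyone holding the old password together with an old key package still has the FVEK, and the FVEK decrypts every sector written under it. Only the fourth line, the re-encrypted volume, is out of reach of the escrowed copy.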
Right, so where is the Link to this ‘Official Microsoft Information’ ?
Um, fyi, I know you’re mostly discussing Windows 10 but I recently purchased a used ThinkPad that’s still newer and faster than what I’ve been using. It had a Windows 7 Pro version included – and it doesn’t have BitLocker. When I do a search in Help on BitLocker it tells me: “The ability to encrypt drives using BitLocker Drive Encryption is only available in Windows 7 Ultimate and Enterprise editions.” You didn’t mention Ultimate – so I thought I’d pass along the message I’m seeing.
I don’t understand. Does a PC have to be connected to the internet in order to install Windows 10? If the answer is “No”, then most of the points in the article are moot. If the answer is “Yes”, then I guess I will just pass.
FYI, when I install Fedora on my machines every six months or so, the install can be done completely off-line. Subsequent software updates from online sources are at my own discretion. Even if the installed software has lots of “phone home” functionality, it still needs to be connected in order to compromise my machine.
What is it that I don’t understand?
No, it doesn’t have to be connected to install and you don’t have to use an MS account even if it is.
You basically have three options…
1) Log into Windows with a traditional local account instead of a MS account (i.e. email address). You will lose functionality such as OneDrive cloud storage, synched settings between devices, synced browser favorites, etc.
2) Log in with a MS account, then manually configure (or reconfigure) BitLocker encryption (or third party encryption). It will ask you how you would like to save a backup of the recovery keys and they don’t have to be stored in your MS account/cloud.
3) Log in with a MS account, allow the device to auto-encrypt itself (if the device has the hardware to support it) and let the recovery key backup be stored in your MS cloud account (which is also the default for Apple devices) and don’t worry about it.
MS doesn’t need your recovery key (your data is already being managed by Windows which has to decrypt the disk to run anyway). Disk encryption is designed to protect against theft or government seizure of a device. The vast majority of people are concerned about theft. MS having a copy of your recovery key is only an issue in the event that a government seizes your device and issues a search warrant to MS to obtain the keys.
“MS having a copy of your recovery key is only an issue in the event that a government seizes your device & issues a search warrant to MS to obtain the keys”…
That’s a pretty big concern, given Windows 10’s EULA, don’t you think?
“Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to:
1. Comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;
2. Protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone;
3. Operate & maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
4. Protect the rights or property of Microsoft, including enforcing the terms governing the use of the services.
However, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.”
I won’t even have to mention the key logger in Windows 10, or the privacy risks by unstoppable background processes that monitor everything being used, nor the kill switch they have to kill any apps they think aren’t “legit”.
If you set up Windows 10 on a PC that isn’t connected to the internet, you don’t get disk encryption. Device encryption is only available if you log in to your Windows account.
So quite honestly, though you cited this fact in the article, you could honestly have done a MUCH better job informing a person of this fact. Because the EASIEST way of not having disk based encryption is by setting up a local account for logging in to the computer. You also didn’t point out that you can have an MS account and simply not use it to log into the computer, but have it so you can use services such as OneDrive, Apps, and Office key access without it being on the computer and this somehow controversial disk encryption. This would make it nearly identical to an Apple setup.
Another thing is the sort of lack of journalism in talking about why it’s actually set up this way. Not every single person is going to carry their encryption key with them. I deal on a regular basis with clients that don’t remember their PASSWORDS on a usual basis, so if your device is stolen, or was tampered with, what is the easiest way they are going to lock and unlock the drive, guaranteed? How about the Microsoft account itself? One password and account with which to synchronize your settings, login, and info across all devices; if you’re going to offer a feature of that convenience, wouldn’t you want security? You also mentioned buying a Surface Pro, which has existed since Windows 8, which had BitLocker and the EXACT same set up, yet this is cited as a Windows 10 issue.
Most people who have sense would use a non Microsoft method of encryption would they not.
Windows 10 collects so much private info, apps, app use, performance and some impenetrable stuff I can’t determine.
My firewall is constantly logging blocked access to MS services.
Mind you my firewall now logs blocked internet access attempts from almost every application I have installed on Windows 10 too.
Computer users are a commodity now.
Free Anti virus products data mine your PC for personal info and upload it too.
Trust MS, they have been handing data to the NSA for decades.
No other explanation for how vulnerable windows has been yet threadbare linux with a mere fraction of dev bucks.. is far more secure, hardly an accident.. sheesh
I use Win10 Enterprise + bitlocker with group policy defined crypto & behaviour. My mb doesn’t have TPM built in, and uses non-standard TPM addon, so I use yubi key instead.
There has been 3 or 4 times since Win10 launch that windows did a major update, rebooted, and was able to decrypt boot disk and launch Windows without asking for my key. That’s a bit shady. I don’t know how or why Windows does that, but what’s the point if Windows can somehow magically decrypt my disk when it feels like it?
My desktop doesn’t have a TPM module so I have to enter a password into the BitLocker bootloader. During reboots, including upgrades, I have to enter that key before Windows can proceed to load. I’m not sure your YubiKey has anything to do with BitLocker. Are you sure your YubiKey is not tied to two factor Windows authentication? Because that is a whole different thing.
It’s possible that when Windows reboots during a major update it doesn’t reboot entirely. One of the first steps of the boot process is to mount the BitLocker-encrypted C drive, and then after it’s mounted it loads the kernel into memory and finishes booting the operating system. Maybe after a major update it unloads the kernel and then reloads the updated kernel, but never does a complete power cycle, so never unmounts the encrypted C drive.
This is just a guess of course, but it could explain it. It would be very difficult for Microsoft to do it any other way — assuming they did have a key to unlock your disk, they’d have to store the key somewhere (probably in a small unencrypted part of your disk) so the Windows bootloader could retrieve it after the reboot, in order to automatically unlock C drive next time. Which seems like a terrible idea.
So, wouldn’t the real problem be if someone just stole your laptop or tablet? What is MS or a hacker really going to do with the keys without the device?
This is a great feature that I have used multiple times, but your advice of printing the keys is such crap as 99.9% of users will forget where they kept the print out or they will do something that changes the keys, reinstall and forgot to print them again.
More tin-hat BS and scare tactics for clicks. Just another reason why ad-blockers are a great feature.
I really could care less about encryption. If someone wants to look at pictures of my cats or BBQ recipes, they are welcome.
This is ridiculous.
Please post your IP and export your C:\ drive using an FTP server. I want to look at your cats and BBQ recipes.
Micah, I appreciate the idea behind an article like this but must ask a question. Did you research this thoroughly? I have upgraded a massive number of machines to Windows 10. I have ONLY seen this occur in instances where BitLocker was ON and the drive/s encrypted at the time of upgrade. Assuming the drive is encrypted, the logical process to upgrade would require a decrypt prior and then afterwards resetting the encryption as it was prior; how many end users do you honestly think even understand that? The key HAS to be loaded off somewhere for the process. I do not consider an “unnamed company spokesperson” as a valid confirmation of anything. Perhaps you should have spoken with someone who actively participated in the beta and read the documentation that explains this? In reality, what does it really matter if a significant number of users download and install freeware online for anti-virus, and those helpful apps that hijack the browser intercepting everything anyway? Cyber-Security is not something you find in “articles”; it is a mindset that requires far more specific knowledge of how a computer really works, combined with how end users work. Microsoft, like all others, are faced with making it easy for the majority. That majority is not your typical reader. Linux, Mac, PC, irrelevant. End Users are the issue. The Tech is just a box of wires and switches designed by End Users. The problem isn’t that Microsoft can access your files, it is that ANYONE ANYWHERE ANYTIME can, if the End User has a computer connected to the Internet or for that matter turned on. The systems in place today were designed without the level of security paranoia needed to support us today and moving forward. Everything is a workaround until everything is fixed. Until then, nothing is secure for the Tech end or the End User end.
So the real question is, if the End User is going to install a toolbar or use a site with Flash that has the capacity to compromise everything anyway, and everything passing through the networks everywhere is at risk of interception and collection, what is the real significance of the encryption key for a drive in comparison? Unless there is something so secret that it is an issue, perhaps the issue is those secrets do not belong on a computer connected online unless the operator of that computer is fully aware of EVERY security issue for whichever vulnerable O/S they choose to believe in? Start with Zero trust and work your way up from there. Perhaps the important article isn’t slamming Apple, Linux or Microsoft but instead slamming the fact that all of those focused on placing the responsibility for making things simple, at the loss of true security, are dumbing down for the lowest common denominator in the End User pool? Gone are the days of the Unix Admin. We didn’t like their God complexes and having to bow down to the security requirements they forced upon us. As a consolation prize, we lost security and now have an unlimited number of totally under qualified experts who do not understand that security starts with them and who are too lazy to do the research needed to be secure. Gone is the day when every line of code on a machine was written on the machine and free stuff was not willy nilly installed from some jack leg developer’s site who has the intention of jacking your stuff and showing you ads. The key to my encrypted drive is not nearly as important as the ISP that lets hackers continue to operate internal to their network, the cable modem, router, IDS, SIEM, WiFi that is vulnerable. If the End User really wants the data secure, it is simple. Remember it and tell no one. An encrypted drive is no more secure than writing everything down in pig latin and sticking it in a locked cabinet.
All those interested in obtaining the information need is a chop saw or a prybar. Blame Tesla, Edison, and all the others who failed to see that someday this tech they invented can be vulnerable. For anyone who is offended by this comment, I have written some code and loaded it up. Hold down the ALT key and press F5 to send me an instant complaint message. It keeps the message secure but only works on a PC. Thanks, have a great day, and remember, if it cannot be done in the real world, it cannot be done in the tech world. There are no secrets. Until you identify the End User, they cannot be secured. Want a secure O/S that no one can get into? There is a switch in your breaker panel for that. It is usually the one at the top of the panel marked MAIN BREAKER. Vulnerable = ON.
Device encryption is only automatically turned on when you’re setting up a new PC. It isn’t turned on when you upgrade from an older version of Windows to a newer one. It also is only turned on automatically if your hardware supports it (which all new Windows 10 devices should). But if you have a Windows 7-era PC, or an older Windows 8-era PC, then the hardware doesn’t support it and it won’t affect you until you get a brand new PC.
And as to the rest of your comment, I do agree that making sure you’re the only one with access to your disk encryption key isn’t as high priority to protect your data as making sure you don’t install malware, and making sure you encrypt data in transit on the internet. But it’s still important for many users, and also it’s the topic of this article.
The problem here is that you go out of your way to imply that this is a huge step down for Windows users’ security. However, you just said yourself that the built-in encryption features didn’t exist at all for Home editions of Windows prior to Windows 10.
So how is encryption with a recovery key stored in the user’s MS account worse than no encryption at all? This article makes it sound like this is a changed/downgraded level of encryption when it is actually encryption for non-tech-savvy users that previously had their data stored unencrypted.
It is a security failure because the point of encryption is to protect data from untrusted parties, and in this case you do not have a choice as to whether you trust Microsoft or not. Taking trust away by deleting the keys from Microsoft is not the same as never giving it in the first place, because you’re trusting that an untrusted party is doing what they say they’re doing.
From a purely idealist perspective I agree with you. However, in this specific case we are talking about trying to provide the average computer illiterate user with protection from the most likely threats. In this case that is device theft. It’s not a simple problem to solve and so the solutions may not be ideal.
How do you safely provide encryption protection from the most likely threats to the typical user that doesn’t even read the options presented to them on a computer screen? How many users would lose all of their data, family photos, etc. because MS tried to provide them with completely hardened encryption that they didn’t understand? How many users actually need that level of protection and why can’t those people that do use the manual tools that have always been available to power users?
Disk encryption where Microsoft holds a copy of your key is better (in most situations) than no disk encryption at all, because many attackers might not have access to your MS account, or aren’t in a situation to send legal requests to MS.
But having a forced key escrow system is a dangerous precedent for encryption schemes. It should be opt-in, not forced.
Two things…
1) At this point I’m not sure you even understand the different types of encryption and what types of threats they protect against. This type of encryption (whole disk encryption) is active when the data is at rest (system is shut down). It is designed to protect against theft of the physical device. It does not (nor can any disk based encryption) protect against online hackers that exploit a system while the file system is in use and therefore, decrypted. I mention that because of this quote in your article…
“A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it.”
For the stolen recovery keys to be of any value, the attacker would also need to have physical access to your device. That brings me to the second point.
2) This new “automatic” encryption functionality is aimed at users that would *otherwise not encrypt their device at all* and probably don’t even know what encryption is or how it works. There is a very high risk that some of these users will lose their data because they don’t understand what encryption is and the importance of those keys. If MS offered this functionality to the typical non-tech-savvy user with an option to not store a *recovery key* (not the same as the encryption key BTW), a lot of users would end up losing their data. In short, this is just a baseline level of encryption (the previous baseline was no encryption) to protect the computer illiterate from device theft scenarios.
For those that understand encryption well enough to enable something above the baseline, the same manual tools and third party tools are still available. The manual encryption features for “power users” and businesses have not changed in Windows 10 and do not store recovery keys in the cloud without the user’s explicit permission.
You got off to a great start. Full disk encryption is for data at rest. It doesn’t make a user more secure on the Internet. Most users may as well wear an amulet around their neck as “protection.”
MS also holds a copy of your login credentials if you link your MS account to your User profile when setting up a new computer.
I was playing with Windows Credential Manager and deleted a “mysterious” credential. Next time I logged into my computer, my password was not recognized. I had to go to MS online and reset my password.
Just saying, if I can delete a cred on the client side that locks me out of my computer, believe that the cred could be deleted on the server side as well.
It’s crazy to think that MS (or attackers/etc) have the power to “remotely deauthenticate” me as a user of my own computer!
Here’s the blog post about my experience: http://ericthomas.net/is-it-just-me-or/
The technology you are describing has been used in the enterprise for decades now. In domain environments, there is both a remote and a locally cached version of your credentials. Normally, if you deleted your local credentials you would be locked out of your PC for good. Fortunately for you, you could get back in by re-authenticating with the remote credentials.
I hear ya. It’s just that this is NOT an enterprise domain I’m speaking of! This is a personal computer. In no way, shape, or form would I want to be associated with an external domain on my personal computer.
Kind of takes the “personal” out of it, ya know :)?
You chose to log in with a cloud account (local accounts are still an option) and you are surprised that Windows keeps a local copy of your credentials (which you thought should be deleted for some reason)? How do you expect Windows to authenticate you if you are away from an internet connection if it doesn’t have a local cache of the credentials?
Honestly, I don’t follow your logic at all. Everybody seems perfectly happy to have a mandatory cloud login for their phones, which have access to your email, text messages, phone conversations, microphone, camera, and GPS at all times. However, if MS provides an OPTION to use a cloud account to enable syncing with other devices, it is a conspiracy for sure and couldn’t possibly have any legitimate use.
The biggest logic fail of all though is the idea that MS wants you to log in with an MS account or get a copy of your encryption keys so they can steal your data. Windows is already managing the hardware and file system. If MS wanted your data they could have been taking it for decades now. They don’t need you to sign in with a cloud account or have your recovery password to get to the data that Windows and your installed programs already have access to.
I’m confused Micah – I don’t see how Microsoft having my encryption key makes me less safe. Since I’m using a Microsoft OS, can’t they data mine my activities regardless of disk encryption? Doesn’t every program work within the api framework of windows 10?
To be clear I’m concerned about my privacy against microsoft snooping, not against third parties.
Thank you for this article, I hope you see this post :)
Letting Microsoft keep a copy of your encryption key is perfectly safe and a good idea for most users. But some users have bigger threat models.
If you’re worried about getting detained and getting your computer seized by a government — maybe you’re a journalist or a lawyer, or you have trade secrets on your computer and are worried about economic espionage — then it’s much safer to be the only one who can unlock your hard disk. The US government, and possibly other governments, can compel Microsoft to give them copies of your recovery key. And a random attacker who steals your computer might be able to break into your Microsoft account to get a copy of your recovery key (probably only if you use a bad password), and use that to decrypt your hard disk.
The average computer user now has a false sense of security thinking no one but him has access to the data stored on the machine when in reality MS has a copy of the key. I can agree that for most people this is a better approach than to risk losing the data. The problem (and that’s a very big one) is that MS is not giving us, the owners of the data, a choice to whether we want the key uploaded to their servers.
Microsoft is quite good at hiding bad privacy defaults when installing the OS, defaults that send home all kinds of personal data about the user. They could easily have added a toggle there allowing savvy users to disable the encryption key upload. Regular users that go with default settings wouldn’t even see it. The only reason I see for such an option not to be given is because MS *wants* to have a copy of the key.
(I found this article to be quite informative, thank you. )
The average computer user still doesn’t even know that their drive has been encrypted on their behalf and they weren’t encrypting their stuff at all before this. And again, a recovery key is only useful if you have physical access to the device. It has zero value to MS unless they show up at your house and take your computer.
If MS *wanted* the key, they could simply upload it to their servers and not display it to you. The fact that they display it to you and allow you to delete it (or not upload it at all if you are using the manual options) is a pretty good indicator that they don’t want it for anything other than to help users recover their own data. And for those that are into conspiracy theories, if a really paranoid user doesn’t trust MS to store their recovery key, then why are they relying on the automatic encryption options, why are they using MS encryption technology at all, and why are they using MS products in the first place?
It’s already been established they will give it to a government with a warrant.
As would any company. It’s called the law. Your landlord, banks, employer, phone company, ISP, etc. will all cooperate with law enforcement if a search warrant is issued. So will Apple, Google, and Amazon.
Again, this applies to the automated encryption only. It is for users that otherwise would not use encryption at all. It is designed to protect them from device theft. It does not apply to those that are manually configuring their encryption. If you have reason to fear search and seizure by a Government that MS operates under, then you should probably be taking the time to configure encryption manually.
And yet Microsoft’s implementation is subpar to Apple’s. I think that is the point the author was making.
I don’t understand what you’re trying to say between half baked truths, very misinformed opinions and bullshit rant against Unix.
Bottom line is this: Windows sends your encryption key to Microsoft. Apple does not.
I don’t think that’s an appropriate comparison. OSX FileVault operates exactly like Bitlocker (the equivalent) in that you can optionally upload your key to Apple.
This article describes the option when users don’t specifically enable encryption. In this instance Windows protects a user’s data much more than OSX does (which does nothing). So a lost Mac PC with OSX would leave a user vulnerable to data being stolen whereas with a Windows 10 PC, the user is protected. Yes, a backup key is uploaded in this instance to the user’s OneDrive space so they have the ability to get data back should they move the drive to another PC. But in the instance where a user wants to enable Bitlocker encryption, they are fully in control of the keys.
@RW, that’s not true.
All new Macs come with FileVault turned on by default, so if you lose it your data isn’t vulnerable to being stolen (assuming you have a good password). And when you create your account the first time you get the option to upload your recovery key to iCloud.
All new Windows 10 computers come with device encryption turned on too, so if you lose it your data isn’t vulnerable to being stolen either. But you’re forced to upload your recovery key to your Microsoft account. You never get presented an option.
I’m not convinced Apple’s approach is better for most users. Look, I understand that the ideal scenario is that only the user knows the key and that they save it in a safe place. However, we are talking about the same people that readily install malware on their own computer because a website Ad said they needed to. I’m willing to bet that people are going to lose their data because they unchecked that box on their Mac without understanding what it does.
On Windows 10 it would probably be even worse. The tech blogosphere has been doing a great job of spreading misinformation and exaggerating issues related to Windows 10 privacy. A decent percentage of people believe that Windows 10 includes a key logger and that it sends all your files back to MS (as if MS wants to clog their servers with everyone’s local files and keystrokes). I’m willing to bet a higher percentage of Windows 10 users would opt out of the recovery key cloud option without doing anything to save the recovery keys locally (or saving it to the USB flash drive that is kept with the device and stolen as a set). So instead of having a small percentage of risk of having their device and data stolen, they now have a very high risk of losing all their data at some point down the road because they can’t decrypt it.
Apple’s approach works for people of every threat model — both the majority who benefit from key escrow, and the small minority who need to opt-out. Microsoft’s approach works for the majority who benefit from key escrow, but is really bad for the minority of users with big security concerns related to device theft and seizure.
I didn’t know it was the default now. Looking at the current UI, there is an option checked by default: so by default 99% of users will end up with Apple having their key too.
I think you’re missing the point of this out of the box security though, which is that it is there to provide users with a safe PC that if lost, doesn’t leave all their data in someone else’s hands. This is not security designed to prevent the government from accessing your data. Any user who wanted that would not be signing in with an iCloud/MSA login and not using OS embedded encryption!! It is designed for ease of use and basic device security. Given the change from a few years ago, we should be thankful that both Apple and Microsoft are doing a good job on this front by adding these features. This article title is designed to play off the fears of a bunch of Windows XP users who fear governments and corporations, but these features are for those general users who just want their stolen laptop to not give away their SSN and bank details etc. For that purpose, these encryption features are great just as they are today and users will benefit from them without even thinking.
As a security expert I would recommend an alternative encryption software, rather than Windows-based. Personally I prefer biometric solutions by IdentaMaster or mybiodentity – easy to use, great protection, fast to implement.
Bitlocker cannot be trusted. Even if the attacker has no access to the decryption key, they can still manipulate the encrypted disk image in such a way that code of their choice will be executed the next time you access it.
See this:
https://cryptoservices.github.io/fde/2014/12/08/code-execution-in-spite-of-bitlocker.html
I enjoyed the post, but you (and post on The Intercept in general) should consider shortening these things!
1000 word limit!
Thanks! I try to make them as short as possible while still saying what I want to say, but it’s difficult to write about complicated technical topics while avoiding jargon without being verbose. Good feedback nonetheless.
Why does he need to “consider shortening these things”? Your ADD won’t allow you to spend 6.5 minutes reading an article?
Go visit buzzfeed and gawker – those seem to be more up your alley.
This article understates the nastiness of Windows 10. It contains a universal back door, which means that Microsoft can remotely install any change it wishes. This means it could remotely install code to decrypt parts of your disk and send the data to Microsoft. Whatever encryption software you use, even if it is free/libre, you’re hosed.
We know this, because Microsoft admits it. Microsoft also admits that it can remotely access any file on Windows 10. See http://gnu.org/proprietary/malware-microsoft.html.
Malicious functionality is par for the course, nowadays, with software that is not free/libre. Apple is not much different from Microsoft: http://gnu.org/proprietary/malware-apple.html. When software is under the control of a company, that company is constantly tempted to mistreat its own users. See http://gnu.org/philosophy/free-software-even-more-important.html.
The solution is obvious: don’t use any nonfree software. Defenestrate your computer by installing GNU/Linux in place of Windows.
More fear mongering. MS has processes in place for updates, error reporting, etc. There is no evidence that they have malicious “backdoors” and it’s not in their best interest to have such things. Their biggest market is corporate customers and governments after all.
Linux is a good OS for certain things (I work with it daily for my job), but let’s not pretend it is a good choice for most users. It is problematic for a number of reasons that have been discussed to death. Most user-friendly Linux distros also have the same call-home update processes that people are pointing at as evidence of “backdoors” in Windows. It’s also worth mentioning that some of the most painful and problematic security holes in the recent past have been in open source software such as OpenSSL/heartbleed.
This is pretty naive thinking. By the time there is irrefutable evidence, it will be too late. Better safe than sorry. You yield an inch and you risk losing a mile. It starts with the sheeple brushing off the concerns as fear mongering and conspiracy theories but ends with these same people crying about how they “did not know” when all is said and done.
For every one OpenSSL/heartbleed issue, there are a hundred security holes with proprietary code.
While the Windows source code is not available to you and me, it is pretty well known that the code is available for review to governments, and large companies can purchase a license to review the source code as well. If there were secret backdoors built into Windows, I doubt that the US government, other governments, and large enterprises would be deploying it so heavily. I mean they have had decades now to find these supposed backdoors and migrate off of Windows, and yet nearly all of them have continued to deploy Windows on desktops. Between Windows Server and Linux, the “big iron” Unix brands are nearly gone these days.
Or, maybe you just work for MS or some other parties who benefit from all this, like someone else here said.
For the sake of clarification & based on some Google searches: the Windows Device Encryption feature is only available on PCs which have hardware that supports something called InstantGo – see https://blogs.windows.com/windowsexperience/2014/06/19/instantgo-a-better-way-to-sleep/ for details. In a nutshell: if your PC or tablet hardware does not support InstantGo, installing Windows 10 will not automatically turn on device encryption, and thus no keys are ever sent to MS.
This article is very misleading. Nothing has changed for Pro and Enterprise versions of Windows 10. If the user manually enables the built in BitLocker encryption they are given an option of where to save the recovery key and a USB drive is one of the options. For Enterprise editions the keys go to the enterprise server instead of MS. Nothing new here.
The only change is that the Home edition of Windows 10 now has a built in encryption option. Previously it didn’t have encryption functionality built in at all. If the new encryption feature in Windows 10 *Home* is used, it will store a recovery key with the user’s MS account. However, the previous alternative was no encryption at all and this automated encryption feature is geared towards people that don’t otherwise implement any encryption manually (either via BitLocker in a higher version of Windows or via third party software).
So in summary, the only people affected by this “issue” are people that would otherwise have no encryption at all. Considering that the biggest threat to most people’s data is through theft of the physical device or improper disposal, this new feature really has no downsides. Of course that isn’t going to stop “journalists” from twisting things into a fear-mongering “article” with click-bait headlines.
The way you are defending this bad security practice makes me think you’re from Microsoft or a party that will benefit from it. So what is it like working for NSA or GCHQ?
I work in enterprise IT for a private company. I’m not saying it’s a perfect solution, but I don’t see the world in only black and white either. See my previous reply to you above for details.
Not true. This affects all Pro and Enterprise users who buy new computers, too.
I own a Surface Pro 3 that came with Windows 10 Pro. The first time I turned it on, I logged into my Microsoft account. My disk was automatically encrypted, and my recovery key was automatically uploaded to my Microsoft account. I wasn’t given a choice. Figuring out how to go about having a BitLocker-encrypted disk without giving Microsoft a copy of my key was the impetus for writing this article.
Enterprise computers are installed from images with the options preset by an admin/GPO and users don’t log into them using MS accounts. They use Active Directory domain accounts which are maintained on the company’s AD servers. Therefore, there isn’t an MS account to save the recovery keys to.
Pro editions have the manual BitLocker tools and you can simply change the key if you don’t want it stored with your MS account (it can actually be done without decrypting the drive from the command prompt). So again, this only occurs when someone is relying strictly on the automatic encryption rather than configuring the encryption themselves.
I don’t have an issue with pointing out that this happens when the automatic encryption is used, but you should remove the incorrect statements about corporate customers, online hackers, and explain the situation and why MS handles it the way it does more clearly. Otherwise, it just serves to misinform people and probably drives a lot of the more clueless people away from using bitlocker encryption in favor of no encryption “cuz M$ is steal’n thar datas.”
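An added example, not code from the article or from any commenter, for the point made above about changing the key from the command prompt without decrypting the drive: it shows which recovery-password protectors a volume currently has (each one is what a Microsoft-account backup stores), adds a fresh one, writes it to a location you choose, and only then removes the old protectors so any escrowed copy no longer unlocks anything. The `C:` mount point and the `E:\bitlocker-recovery-key.txt` output path are assumptions; it needs an elevated PowerShell prompt and the BitLocker module.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or any commenter). Inspect the BitLocker /
# device-encryption state of a volume and, with -Rotate, replace its recovery
# password protector(s) with a new one saved only where you choose.
param(
    [string]$MountPoint = 'C:',
    # Assumed destination; use a location that is not synced to the cloud
    # (for example a removable drive kept separate from the PC).
    [string]$OutFile = 'E:\bitlocker-recovery-key.txt',
    [switch]$Rotate
)

Import-Module BitLocker -ErrorAction Stop

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# VolumeStatus says whether the data is actually encrypted;
# ProtectionStatus says whether the key protectors are currently enforced.
'{0}  VolumeStatus={1}  ProtectionStatus={2}  Method={3}' -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    "No encryption on $MountPoint; nothing to rotate."
    return
}

# Numerical-password (recovery key) protectors, identified by protector GUID.
$old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
"Recovery password protectors on ${MountPoint}: $($old.Count)"
$old | ForEach-Object { "  id=$($_.KeyProtectorId)" }

if (-not $Rotate) {
    'Re-run with -Rotate to replace these protectors with a new, locally saved one.'
    return
}

# 1. Add the new recovery password first, so the volume always keeps at least
#    one recovery protector alongside its TPM (or other) protector.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$new = $after.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Where-Object { $old.KeyProtectorId -notcontains $_.KeyProtectorId }

# 2. Persist the new key offline before touching the old protectors.
@(
    "BitLocker recovery key for $MountPoint on $env:COMPUTERNAME ($(Get-Date -Format s))"
    "Protector ID:      $($new.KeyProtectorId)"
    "Recovery password: $($new.RecoveryPassword)"
) | Set-Content -Path $OutFile -Encoding ASCII
"New recovery password written to $OutFile"

# 3. Remove the old protectors; previously backed-up copies are now useless.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    "Removed old protector $($p.KeyProtectorId)"
}
```

After rotating, check the recovery-key page of your Microsoft account (as the article describes) and confirm that no entry matches the new protector ID.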
I posted some questions about how my company could guarantee client confidentiality if we were going to use Windows 10. I got a call from the boss the next day telling me not to discuss such things. A few weeks later, I was laid off. Last year, microsoft locked me out of my hotmail account after 20 years because I would not provide them with a phone number. Microsoft is part of a global control effort, that is not pro American.
You are spot on sir. MS is part of the globalist gang.
I seriously doubt your story about your interaction with your boss. If your layoff had anything to do with your Windows 10 questions, you must have been asking them in a very inappropriate way or time. Like in the middle of a business deal with clients and/or by basing your questions on some ignorant conspiracy theory.
Also, MS does not lock people out of their email accounts for not providing a phone number. I have had a Hotmail account for decades and I have never given it a phone number. Most likely, you had two-factor authentication enabled and it was trying to verify your second authentication factor. A friend of mine once had the same problem because he enabled two-factor authentication with his girlfriend’s email as the second factor. It was fine until they broke up and he got a new unrecognized computer.
Great article Micah, thank you. Very interesting this was happening and nobody knew it.
When you view automatic unadvertised key escrow, the additional user data uploading Microsoft introduced with Windows 10 (and backported to 8.x and 7 via updates – which can be uninstalled BTW…great article opportunity there Micah) and how it dovetails with the newly passed legislation tucked in the 2015 budget bill that okays companies to share any user information directly with the NSA without liability – you’d think it was all planned out in a smokey D.C. backroom.
http://arstechnica.com/tech-policy/2015/12/congress-approves-surveillance-legislation-tucked-into-budget-package/
If your data is so sensitive that you feel you need to encrypt it with a level of security that this article describes, you would be a complete idiot to use software like Windows 10 to store it. There are plenty of options to store data securely and Windows 10 never claimed to be that software. It’s for home users.
I agree and it’s good to see that there are others that do not trust MS at all, as I certainly do not trust them…
The level of security that this article describes is disk encryption where you’re the only one with the key, sort of like iPhone disk encryption, or LUKS in Linux. I think anyone who works for a company that has trade secrets stored on their computer (especially if they work for a non-US company) would fall into that category.
Bitlocker was made by MS together with NSA, one can only assume it is broken anyway, backup key or not. Ask MS, and they will be legally obliged to lie to you, so. No trust.
You are spot on. I would not trust Micro-shite any further than I could throw them.
Anyone who has done more than one install of Windows 10 would know that this is all only true if you choose to sign-in with your Microsoft ID. If you use a local user, your key isn’t uploaded automatically. And “most users” DO NOT in fact login with a Microsoft Account.
Click bait article is click bait.
As the article states:
Let’s be clear here: no one knows what goes on under the hood of Windows because it’s far too bloated for anyone to understand, and the only way to block Microsoft from calling home is by the use of a hardware firewall in the wifi-router.
Trouble is Microsoft owns about 50 million IPs within hundreds of IP ranges, so it’s too much trouble to add them all to the outbound firewall rule set.
Another option is to run your own version of Websense or your own DNS server that can block (send to 127.0.0.1) Whois ASNs like 8075 that are owned by Microsoft.
If you are running Windows 8 and onwards then you are really running a remote terminal for Microsoft, and even the system administrators are being locked out bit by bit, more and more.
I never use a Microsoft account and only ever use a local account when creating a new Windows user, but even as a Windows security expert I cannot say for sure that every word I type is not being uploaded to central servers by one of the programs running inside SvrHost, ConHost, TaskHost, because they are little black boxes; no one knows what goes on inside them, but we know we cannot trust Microsoft, that’s for sure.
Thanks for confirming what I already suspected….
When generating the new key and storing it to a file, I would make sure the computer was not connected to the internet, air-gapped or with a suitable firewall.
Just in case….
And how will this prevent the key from being stored locally and uploaded to MS’ servers the next time you enable a network connection?
The article leaves me back with a few questions:
First, I didn’t know about all of this – neither the automatic encryption, nor the upload of the key. I never noticed this on any of my computers. They were originally installed with Windows 8 (Pro)/Windows 8.1 (Home) and both upgraded to Windows 10. I do NOT use a local account on any of those computers. None of them seems to be encrypted with MS Drive Encryption though – although I did not know of this and therefore did not turn it off intentionally. So when does the automatic encryption actually take place?
Also, the following parts of the article seem a bit contradictory to me:
“In short, there is no way to prevent a new Windows device from uploading your recovery key the first time you log in to to your Microsoft account, even if you have a Pro or Enterprise edition of Windows.”
“If you don’t see any recovery keys, then you either don’t have an encrypted disk, or Microsoft doesn’t have a copy of your recovery key. This might be the case if you’re using BitLocker and didn’t upload your recovery key when you first turned it on.”
How, if there is no way to prevent it?
Sounds like (from the article) it’s only new machines that come preloaded with 10 that are encrypted (not via BitLocker).
The confusing part is that Microsoft has 2 different versions of drive encryption and new computers all come with the one where you don’t get the choice about encryption key escrow turned on before you open the box. You can unencrypt all versions afterwards.
Then buy something else to encrypt it that doesn’t upload your key to Microsoft. Also, on Pro and Enterprise you can unencrypt your drive, then use the built-in BitLocker to encrypt it again (and you’ll be given the choice of where to put the escrow key) – keep in mind Microsoft weakened BitLocker starting with Windows 8 by removing part of the BitLocker system called the Elephant diffuser – making the encryption vulnerable to brute force hacking (something the NSA could do).
It’s easy to check on your local machine to see if it’s encrypted though: boot the machine off another disk that can view NTFS file system files (USB, DVD, backup utility disk etc.) and see if you can view files on your Windows 8.x / 10 disk without entering a password… if you can, it’s almost certainly an unencrypted installation and you’re good.
Device encryption (which is the automatic encryption) is only available on hardware that supports it — basically you need a TPM and to meet some other requirements. So it’s totally possible that your computer just doesn’t support it, so it wasn’t turned on by default. Also, device encryption is only on by default on brand new PCs. If you started with a version of Windows before there was device encryption (Windows 8 when it was new, I believe, or Windows 7), upgrading doesn’t turn on device encryption automatically for you either.
If you have a Pro or Enterprise edition of Windows that doesn’t already use device encryption, and you manually turn on BitLocker, at that point you can choose to back up your key in your Microsoft account or save it locally. So if you have an encrypted disk but Microsoft doesn’t have your key, then you probably enabled BitLocker in the past and chose to back up the recovery key locally.
It’s terribly confusing, with a lot of permutations to deal with. But basically, this article definitely applies to all new Windows 10 computers, because they all support device encryption.
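As an added example (not code from the article, from Micah, or from Microsoft), here is a PowerShell script that does the local checks this thread keeps circling back to: whether the hardware meets the device-encryption prerequisite, whether each volume is actually encrypted and protected, which key protectors exist, and, only if you opt in, how to replace the recovery password so that any copy already escrowed elsewhere stops being useful. It assumes Windows 8.1/10 with the BitLocker PowerShell module (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Remove-BitLockerKeyProtector`, `Get-Tpm`) and an elevated prompt.

```powershell
<#
  Added example, not code from the article or from Microsoft.
  Reports whether local volumes are BitLocker/device-encrypted, lists their
  key protectors, and optionally replaces the recovery password with a fresh
  one that is only shown on screen (store it offline yourself).
  Assumes Windows 8.1/10 with the BitLocker module, run from an elevated prompt.
#>
[CmdletBinding()]
param(
    # Opt-in: swap the existing recovery password protector(s) for a new one.
    [switch]$RotateRecoveryPassword
)

# 1. Device-encryption prerequisite: a TPM that is present and ready.
try {
    $tpm = Get-Tpm
    Write-Host ("TPM present: {0}, ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)
} catch {
    Write-Warning "Could not query the TPM: $_"
}

# 2. Volume-by-volume status and key protectors.
foreach ($vol in Get-BitLockerVolume) {
    Write-Host ("{0} status={1} protection={2} method={3}" -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod)

    foreach ($kp in $vol.KeyProtector) {
        # RecoveryPassword is the 48-digit key the article is about; Tpm is the
        # protector that unlocks the OS volume transparently at boot.
        Write-Host ("    protector {0}  id={1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "    -> not encrypted; there is no key to escrow for this volume"
        continue
    }
    if ($vol.ProtectionStatus -eq 'Off') {
        Write-Warning "    encrypted, but protection is suspended (clear key on disk)"
    }

    # 3. Optional rotation: a recovery password that was already copied
    #    elsewhere stays valid until its protector is removed. Add the new
    #    protector first so the volume is never left without one, then remove
    #    the old one(s). Delete the stale copy from the account afterwards,
    #    as the article describes.
    $old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($RotateRecoveryPassword -and $old.Count -gt 0) {
        $updated = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $newKp = $updated.KeyProtector | Where-Object {
            $_.KeyProtectorType -eq 'RecoveryPassword' -and
            $_.KeyProtectorId -notin $old.KeyProtectorId
        }
        foreach ($o in $old) {
            Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $o.KeyProtectorId | Out-Null
        }
        Write-Host ("    new recovery password for {0}: {1}" -f $vol.MountPoint, $newKp.RecoveryPassword)
    }
}

# What this script cannot tell you: whether a copy of the recovery password
# already sits in your Microsoft account. That has to be checked in the
# account itself, which is what the article's closing section covers.
```

Run it without the switch first to see the current state; pass `-RotateRecoveryPassword` only once you are ready to write the new 48-digit key down somewhere offline.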
It just can not be that all this effort, all these resources are directed towards Terrorism.
They are not looking for terrorism, they are looking for you.
http://www.metrolyrics.com/knock-on-any-door-lyrics-jackson-browne.html
Knock on any door
Look through any window
Baby knock on any door
Knock on any door
Is there any place you want to go
Baby who you lookin’ for
Yeah, yeah, baby now you know
It’s a cold world like they told you so
[snip]
A clueless keyless society.
https://en.wikipedia.org/wiki/Scroll_and_Key
The Scroll and Key Society is a secret society, founded in 1842 at Yale University, in New Haven, Connecticut. It is the second oldest[1][2] Yale secret society and has many distinguished members. Each year, the society admits fifteen rising seniors to participate in its activities and carry on its traditions.
[snip]
At the close of Thursday and Sunday sessions, members are known to sing the “Troubadour” song on the front steps of the Society’s hall, a remnant of the tradition of public singing at Yale.[11][12] The song (written in the 1820s by Thomas Haynes Bayly), was recorded by Tennessee Ernie Ford on his 1956 album, “This Lusty Land”, as “Gaily the Troubador”.
In keeping with the practice of adopting secret letters or symbols such as Skull and Bones’ “322,” Manuscript’s “344,” and the Pundits’ “T.B.I.Y.T.B,” Scroll and Key is known to use the letters “C.S.P.,C.C.J.”.[13]
Members of the society sign letters to each other “YiT”, as opposed to Skull and Bones’ “yours in 322″.[13]
Outside of its tap-related activities, the society has been known to hold two major annual events called “Z Session”[13] [snip]
“This policy is in stark contract to Microsoft’s major competitor, Apple.”
please fix
How do you (or anyone else) know what Apple is doing? They seem to want to lock users into their ecosystem with no chance of escape, so I would not trust them for one second any more than their competitors.
Unless you are an Apple employee developing their operating system, you are NOT in a position to comment on their policies, except as stated in their TOS. But that may be no more reliable than Google’s TOS or Microsoft’s TOS.
Let’s face it…We don’t know what’s going on behind the scenes. It’s way too complicated for analysis by average users, and (as far as I know) there is no central organization that has taken on the task of examining and passing judgment on every piece of operating system software released, including Linux.
Commenter proofread was referring to the misspelled word “contrast,” and the first line in his comment is Micah’s sentence – just missing quote marks or a block indent.
When you buy a new Mac and create your account the first time you power it on, there’s a checkbox to “Let your iCloud account unlock your startup drive”. If you uncheck it during this process, it doesn’t send your FileVault key to Apple. If you keep it checked, it does. But when you buy a new PC and create your Windows account for the first time, it just automatically sends your device encryption key to Microsoft without giving you the choice.
It’s true that Windows and Mac OS X are both proprietary, which makes it more challenging to inspect that these OSes are doing what they claim, but by no means impossible. If you make a claim that when you choose to not upload your FileVault key to iCloud it does anyway, it’s good to provide some evidence.
Typo fixed.
Thanks for the great article, Micah Lee, and thanks for describing technical issues to a non-technical audience.
My only objection to this article: you could be speaking beyond your knowledge when you say that one can use Microsoft’s proprietary BitLocker software to generate a new encryption key “without giving a copy to Microsoft”. I don’t know what you know but the fact that BitLocker is proprietary tells me that we have no idea what a networked Microsoft system does with the user-generated key one chooses to save or print. I imagine it’s very easy for a proprietor to upload the new key to some trusted (by the proprietor) location online without informing the user this upload happened even if one does not indicate they want the key uploaded.
Also, do we know that any proprietary software encryption program uses only one key and gives that key only to the user?
Finally, would it be possible for a proprietary encryption system to generate a key using some algorithm that would allow the proprietor to generate that same key later if desired (thus putting the proprietor in a position to decrypt the data even if the target system was kept offline)? A free software encryption system would be fully inspectable, we’d know what its source code did and could improve it if we found it didn’t do what we wanted it to do.
I’m sure this is not news to you, but those who care about privacy shouldn’t be using non-free systems like Microsoft Windows anyhow. Free software systems running on hardware we can inspect and alter are the closest we can come to fully understanding the entire system right now (see https://www.fsf.org/ryf for some such systems). More work is needed to free more hardware for the computer components we can’t currently run in freedom (such as code on CPUs, code on storage devices, and more). By free software I mean software the user has the freedom to run, study, share, and alter at any time for any reason. These freedoms are simply required for privacy preservation. There’s no guarantee of privacy with a totally free system but one needs a free system to begin to have computer privacy.
I understand this article (like your other articles) aims to speak to the majority of computer users in the world which means talking about Microsoft Windows for a non-technical audience. Thanks again for doing that writing, it’s greatly needed and appreciated.
Micah,
Please continue to put out more articles related to digital security on TI. You do an amazing job describing the technologies to the average layman, while also producing valuable insight on the topics. I wish you’d write more, but maybe it’s because you’re doing so much research and info. gathering to produce another quality piece…
I wholeheartedly agree with X. Please write more articles like this Micah. We thirst for quality information!
Thank you!
I’m unclear on the applicability of this issue. What exactly is a Windows device—a tablet? Or any device with W10?
Are these always linked to a Microsoft account?
And what the hell is a Microsoft account?
And why would anyone give those people money?
No more questions.
Any Windows 10 device that has the required encryption hardware. That could be a desktop, laptop, tablet, hybrid, and maybe a phone.
No, you have the option to use a MS account or a local account. Corporate users would have AD/domain accounts, which are controlled by the company IT admins.
An MS account is the same concept as a Google, Apple, or Amazon account. It lets you sync settings between devices and store specified files in the cloud.
The Windows 10 upgrade is free and MS is no better or worse than Apple, Google, or others on this stuff. Actually, Google is significantly worse than the rest of the industry with their privacy policies.
As far back as Windows Vista, MS incorporated into its upgraded Crypto API the National Security Agency’s modules, known as ‘Suite B.’
http://m.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
Of other OSs, in 2009 a website (URL long removed from my house) suggested that the NSA had given rootkit code to Apple. All attempts to retrieve the article online have long failed.
And that is all just the trivial part…
I really appreciate this article which is informative, instructive and very useful. I do care about my privacy and have no reason to trust Microsoft or others. My best compliments to the author, I have bookmarked this article! Thanks and all the best in 2016.
Simply put, just about everything you do electronically is probably recorded somewhere, somehow. Understanding that is the first step to protect yourself.
Even if Mr Softy can no longer unlock your encryption the internet provider still knows where you are going and the cell provider still knows who you call.
The best advice I can give is stop and think about what you are doing electronically before you do it. Measure the risks before taking action.
Another thing you can do is get an extra hard drive to use for your personal records and one for your pleasure activities. Mix up operating systems and have multiple boot options so no one OS is used constantly.
This is just my advice, for what it’s worth.
When the climate change dystopia arrives (and it won’t be long) and your kids are going hungry and society starts breaking down and you finally tear yourself away from your toys to go to the streets and YOUR military and YOUR police start shooting you down in the streets, they won’t be asking you for your “key”; that will be the least of your problems. Why do you think they are instituting the security police state; 30,000 camel jockeys an ocean away or a few lone terrorist wolves outnumbered 100 to one by white nut cases? Terrorism is a useful distraction from the real problems here and to come. In the meantime, watch out for the texting driver or third hand cigarette smoke, sugar, fat, inactivity and, and… The bread and circuses will only last so long; the velvet glove will be taken off to reveal the mailed fist when society starts to break down. Hope I’m gone by then.
Really what you mean to say is usa_naziland has coerced mickeysoft into stealing any & all data stored or used through the use of their O/S. Because if ever there was a real terrorist instead of the manufactured ones by the cia-scum or fbi-scumbags… they’d laud it up how much MORE money they need to propel themselves into orbiting the Earth with giant binoculars to spy on every single sentient being dead or alive.
Seriously FU usa_naziland & FU uk_naziland right in the asshole.
Thanks for that.
I find many of the comments quite remarkable. Seems that many are happy to be surveilled by commercial companies but are unhappy with only some subset of the watchers.
News dudes, nobody can be trusted. If you want security (let’s say confidentiality, availability and integrity) then here are two options to think about:
1) Don’t use computers, especially consumer-only devices
2) Use computers that you can control and do your own encryption (consider distrusting do-it-for-you programs with GUIs) of things that really count
There are a few things that you should be able to control yourself (DNS, encryption suites…)
Sheesh it’s not hard.
linux is your best friend
Since Microsoft knows your account credentials (if the user uses an MS account to log in), they can log in to the PC in any case, with or without the encryption key.
To log in to your account on a computer with full disk encryption, you need to know three things:
1-decryption key for the HD
2-username
3-password for username
If an attacker knows only the login credentials (#2 & 3) as you suggest MS does, that information would still be of no use without the HD decryption key (presuming that full disk encryption means the OS’ system files are also encrypted) because it would be impossible for the computer to even boot up past the prompt for the decryption key.
If MS can log in to an “encrypted” system without knowing #1, it means the system isn’t actually encrypted (or it is encrypted in a totally ineffective manner). This article describes a different scenario than yours though, one where the encryption scheme isn’t easily cracked, but is made insecure by providing MS with a copy of #1, thus giving it all three key pieces of information.
BitLocker uses hardware key storage in the form of a TPM. This is common practice for exactly the reason you described. It is a well tested industry standard.
Why on Earth would people pay $99 to get an encryption method that starts by sending away the key to the spy-industrial complex? Why would anyone believe that, having been forced to send away the key without a proper warning, a claim that it is deleted is meaningful? Surely it’ll be deleted the way Wikipedia deletes an article (which is, yeah, if you’re Joe Schmo and don’t rate, you can’t read it, but there’s always some administrator with access and if you beg really nice he’ll even share access).
We may not be able to stop the Powers That Be from de facto banning encryption, but we sure as hell can avoid paying for it or otherwise believing in it.
I always espoused the ‘BUY AMERICAN’ mantra. Never thought I would say this, but NOT ANYMORE!
It seemed that the only things that America produced in any numbers were Microsoft software and airliners from Boeing. Now it’s malware from Microsoft and faulty encryption from Microsoft. Time to stop buying American software and e-products. Maybe after the backlash from the loss of sales of U.S. networking equipment, MS PC’s, software, and security software (caused by the U.S. companies partnering with the NSA) has finally settled in -will it (in a kind of back door way) MAKE AMERICA GREAT AGAIN! Fuck you Donald Trump!
Thanks Micah. You just ruined my happy New Year. But the painful reality is now I will HAVE to buy a much more expensive Apple PC or worse yet -build my own PC and actually become educated with Linux!
I guess now is the time to transfer all my data to a new external hard drive. And the last thing I will put on this PC is a sledgehammer with great prejudice!
Well, good luck believing that you are safe after buying a Mac. I would sooner trust a monkey not to eat a banana given to it than I would trust Apple with anything. Even MS is more trustworthy.
The only thing you are really safe with is a Linux distribution you build yourself from the ground up from source code starting from the kernel.
This post is exactly what I’m talking about. Your article is misinforming people and making them dumber. You could have provided valuable info for power users and made the situation clear, but instead you spread FUD, implied some kind of malicious intent, and claimed that corporate customers are affected (probably just ignorance on your part) in order to make your article seem more interesting.
I would like to have the hard drive on my Windows 10 laptop encrypted, if only to protect the data in case the machine is lost or stolen. However, I have the Home Edition of Windows, and Bitlocker is not available. Upgrading to Windows Pro is $99 – a lot to pay for something that will probably never be needed.
“Unlike all other modern operating systems — Mac OS X, Chrome OS, iOS, and Android — Windows 10 still doesn’t offer integrated encryption tools to everyone.”
Yes, it does actually. This article (which has since been slightly amended) contains misinformation about the encryption features built into Windows 10 home edition (which also existed in Windows 8.x home edition, BTW).
Funny, all this rush for decrypting when neither Paris nor San Bernardino had any encrypting going on… it’s like this whole rush to look for everything other than what is so obvious… kinda reminds me of Bush going to war with Iraq when we all knew it was just about finishing the job GBush #1 didn’t quite manage (because we created this guy in the first place??)
I see you are under the assumption that our government wants to stop these attacks rather than use them as propaganda to distract us from what is really going on.
http://Www.dunwalke.com
Thanks very much!
Meanwhile, if ever there was a definitive illustration of how the Surveillance State is in cooperation with corporate scumbags, even at the level of children’s toys… this stinking piece of shit is it…
http://www.amazon.com/PLAYMOBIL-Secret-Police-Station-Playset/dp/B00A30YWCY
If there was any doubt in your mind that Murika has become a full blown fascist state, this should remove it.
Look what the Guardian dragged in.
http://www.theguardian.com/world/2015/dec/28/israel-armed-forces-shocked-dismissal-missile-defence-chief-yair-ramati
More to follow, to be sure. Was it a Microsoft laptop?
Contrast with what happened to David Petraeus, or Hillary Clinton for that matter. Whatever their faults may be, the Israelis are serious about security.
It was published today that the sensitive material was on his phone (no laptop) and he showed it to unauthorized people.
No hacking here…
No hacking, it seems; simply that his sin was to confide secrets to a laptop. Seems the IDF doesn’t trust whatever OS it was.
What’s sad about most users is they fear the “encryption slowdown” and they don’t want to encrypt their laptops out of fear that it will “slow their computer down”. Well, PGP and Apple encryption use hardware acceleration in the Core i5 and i7 chips, so the performance difference before and after encryption is indistinguishable. Luckily with iPhones, Apple has made encryption completely transparent, and users don’t even know their phone is encrypted. If you have a four digit passcode on your iPhone, then it is already encrypted.
With the Equation Group in the firmware of all our hard drives, would any of these secure OSs and Virtual Machine sessions really matter? Please answer if you know.
Depends what capability the firmware malware has. At the very least you couldn’t trust the baked in (hardware level) hard drive encryption or secure erase functions. In this scenario a software solution at a higher application level writing encrypted bits to the drive could still work e.g. TrueCrypt. However if the malware is more advanced and can infect the host OS it could in theory do anything including allowing access for a remote access trojan or sending encryption keys back to the Equation Group. In that case you need open source hardware and firmware then some way to ensure it completely overwrites the old malware firmware.
“With the Equation Group in the firmware of all our hard drives, would any of these secure OSs and Virtual Machine sessions really matter?”
No.
Most users don’t even know and wouldn’t even care about encryption. Those who do have long migrated away from Windows.
But first let us know how successful TI is in tracking all those who visit and comment on this site.
I think the best choice is to use a non-microsoft product. Without having a firewall appliance in place to make sure, you really do not know if MS is still keeping your keys offsite even if you have elected to save it locally. If your data truly must be controlled only by you, don’t trust MS.
If you have reason to believe that you are a target of the government, or another attacker that is capable of compromising your MS account *and* gaining physical access to your machine, then you shouldn’t use Windows. Or Facebook, or Google, or Apple, or most versions of Linux. If you do not have that level of paranoia, then the compromise MS made improves practical security for most users and mitigates data loss in a reasonable manner.
We are all targets, haven’t you been keeping up?
Obama signs $1.1 trillion spending package, approves CISA surveillance legislation
Published time: 19 Dec, 2015 01:52
[Excerpt]
The new law authorizes companies to share information about cyber threats with “any federal entity.” Any company participating in the data sharing would be immune from consumer lawsuits…
(cont.)
https://www.rt.com/usa/326481-obama-signs-budget-cisa-bill/
pink floyd – us and them
Studio Wild Sunflower 242,318 views
http://m.youtube.com/#/watch?v=I3OdanjBYoM
The Dark Side of the Moon | Pink Floyd – wikipedia
https://en.m.wikipedia.org/wiki/The_Dark_Side_of_the_Moon
Micah – let’s tell it how it is.
If people are sick of being microshafted, microscammed and microfucked by Winblows – the best reach-around friends the NSA ever had – then they should flick that bloated malware pronto.
Secondly, they should shift to GNU/Linux (Linux Mint if a newbie) or preferably Qubes OS (intermediate users and above), running Tor proxy network VMs in combination with Whonix, and a shit-load of separate VMs for various processes as outlined in the documentation.
Nothing proprietary or from American soil can be trusted, ever. They blew their chance, big time.
Bill “Snowden is a traitor” Gates needs to have his corporation’s head kicked in by a mass exodus of users. They are nothing but Stasi sympathizers, masquerading as a legitimate O/S.
Um, Micah pretty much said that just a few months ago, and I reread it only yesterday. While he’s probably not allowed to write “use or buy this” and “don’t use or buy that”, truly interested readers clearly find such information reading between his lines.
https://theintercept.com/2015/09/16/getting-hacked-doesnt-bad/
While you may be correct, not everyone has the capabilities to run Qubes OS. I have used Linux (Debian) for 10 years now and I am still wary of trying it out.
Furthermore there are a lot of people who want to use Windows (for games, e.g.) and/or are too ‘scared’ to try/use Linux. While you and I may think that’s short-sighted/dumb/etc, reality shows us that lots of people (still) use Windows.
And this article can help them improve the situation a bit.
Linux is not a panacea and Tor has vulnerabilities. Just this month, it was found that Grub2 was compromised – you could bypass authentication at boot by pressing backspace 28 times. It has since been fixed. There was also GHOST and several other major vulns – one of which was over a decade old – uncovered in the last couple years. More attacks are being focused on Linux systems all the time. Linux is the backbone of the internet, enterprise, IoT, many routers, phones, and the like. As such, it has grown as a target for espionage, data theft – identity, credit, banking – ddos attacks, etc. Why hack just personal computers when you can have it all en masse? That said, sure, Linux is more secure than MS, but remember that it is hackable and don’t grow complacent just because you run some flavor of Linux.
“Of course, keeping a backup of your recovery key in your Microsoft account is genuinely useful for probably the majority of Windows users, which is why Microsoft designed the encryption scheme, known as “device encryption,” this way. If something goes wrong and your encrypted Windows computer breaks, you’re going to need this recovery key to gain access to any of your files. Microsoft would rather give their customers crippled disk encryption than risk their data.
“When a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically backup the user recovery key,” a Microsoft spokesperson told me. “The recovery key requires physical access to the user device and is not useful without it.”
IOW, this fear-mongering article is full of shit, so, nevermind…
The truth hurts sometimes, doesn’t it?