Microsoft Has Your Encryption Key If You Use Windows 10 (theintercept.com) 314

An anonymous reader writes with this bit of news from the Intercept. If you log in to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to Microsoft's servers. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud... As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel them to hand over your recovery key, which they could do even if the first thing you do after setting up your computer is delete it. As Matthew Green, professor of cryptography at Johns Hopkins University puts it, 'Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.'"
  • by RichMan ( 8097 ) on Tuesday December 29, 2015 @09:16AM (#51201317)

    I would like to know the opinion of large public corporations' security officers on this feature of Windows.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      I know the opinion of a couple of high security smaller companies, only 20,000 to 60,000 employees... they both say, "holy shit no. Windows 10 is not even being considered for corporate deployment"

      speaking anon to not get in trouble with them.

      • by JeffSh ( 71237 ) <<jeffslashdot> <at> <m0m0.org>> on Tuesday December 29, 2015 @09:35AM (#51201425)

        That is a totally out-of-context comment from an anonymous poster.

        Large corporate entities will not deploy Windows 10 for years anyway due to incompatible or uncertified line-of-business software platforms. It has nothing to do with this particular feature.

        Moreover, this has to do with logging into your microsoft.com account, nothing to do with Windows 10 Pro joined to a domain.

        • Don't cherry pick (Score:5, Interesting)

          by s.petry ( 762400 ) on Tuesday December 29, 2015 @11:40AM (#51202141)

          While the main point of the article is about a Windows account, there is an underlying discussion on overall privacy using Microsoft Windows. This is just the latest article discussing privacy and security concerns. Sure, "some" businesses are always years behind in releasing a new OS. Others are not so far behind, and are very concerned about security, so are not approving Win10.

          For example, as soon as the OS was released we see how the OS will send your keystrokes to Microsoft. Not just what you type into Cortana, IE, or Edge but ALL keystrokes are recorded by the OS. You can disable sending the data to Microsoft, but we have yet to find a way of disabling the keylogger built into the kernel. (Recorded does not necessarily mean stored long term, but long enough to evaluate in memory.)

          Due to that lack of trust, I may have installed Win10 but never created a MS or Azure account. Anything I do on the device is treated as public knowledge because the OS is built to remove privacy from end users. I won't use online banking on the PC with Win10, and logging in to anything is assessed under the assumption that someone from MS and the Government will have full access to the account. When I'm working on sensitive stuff I use Linux.

          • by phantomfive ( 622387 ) on Tuesday December 29, 2015 @12:58PM (#51202711) Journal

            we have yet to find a way of disabling the keylogger built in to the Kernel. (recorded does not necessarily mean stored long term, but long enough to evaluate in memory.)

            Wait, what exactly does this mean? Even in Linux every keystroke goes through the kernel, it's kind of the purpose of the kernel to handle hardware stuff like that (of course Linux doesn't record it anywhere unless you want it to).

            • by AmiMoJo ( 196126 )

              It means most of this stuff is bullshit. For example, Windows 10 only uploads your encryption key if you sign on to a Microsoft account and the machine came encrypted from the factory, in which case the manufacturer had ample opportunity to steal your keys too. This is actually a huge win for privacy, because devices encrypted by default with no effort on the part of the user are clearly better than devices with no encryption.

              If you enable bitlocker manually you can optionally upload your key. For home user

        • large corporate entities will not deploy windows 10 for years anyway due to incompatible or uncertified line of business software platforms.

          Your post is good, and I understand why large corporations wait for software platforms to be certified, but my question is, are there known incompatibilities in Windows 10? OR is it still more of a theoretical thing?

        • moreover, this has to do with logging into your microsoft.com account, nothing to do with windows 10 pro joined to a domain.

          So this applies only to Microsoft employees, right? Or anyone with a hotmail, outlook.com or live.com account?

        • by Ubi_NL ( 313657 )

          That's what I thought as well. But I work for a Fortune 100 company and we are rolling out Win 10 at this moment (for new machines, though).

        • You called it a "feature". Just . . . damn.
      • by ArmoredDragon ( 3450605 ) on Tuesday December 29, 2015 @10:10AM (#51201631)

        Even if you do consider Windows 10 (or 8 for that matter) don't under ANY circumstances use a Microsoft account to log in. Recall not long ago during Microsoft's "Scroogled" campaign, they were promising account privacy and that they'd never look into your account at all. Well sometime during all of that, they broke into a blogger's hotmail account (read: he was their own customer) to identify his leak source for future MS products, right after saying that "oh, well now we really mean it this time."

        The problem with a Microsoft account is that your computer now answers to Microsoft's authentication servers, which means they ultimately hold the keys to unlocking your computer. In scenarios such as the above, or a government request, or social engineering, practically anybody could unlock your computer.

        As I've said elsewhere, there's no practical benefit to having one (you can still download apps and whatnot without using a Microsoft account to log in to your PC) so why needlessly expose yourself to the above risk?

      • Unfortunately that is the skill level of the majority of the security people, and 98% of those with a CISSP. The rest say "let's review the security policies and make sure those capabilities are turned off."
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Large public corporations are going to be logging in using Active Directory credentials, not their Microsoft accounts. The article summary (which may be wrong, because they usually are) states that this behavior only happens when logging in with a Microsoft account.

    • by Anonymous Coward on Tuesday December 29, 2015 @09:31AM (#51201407)

      CISO here, we haven't made the jump to 10 yet (85% of our workforce is on 7 with some 8.1 here and there). Things like this are kinda non-starters for us for any employee who even remotely has a chance at accessing PII or confidential information. It's not that I think Microsoft would act maliciously, but it would violate a ton of compliance documentation that we have, requiring re-audits of our policies and procedures. Hopefully this is one of those features Microsoft will allow you to turn off in the Enterprise SKU. We're honestly watching Windows 10 very closely; it has a lot of really nice improvements on the security front. But things like this, and the giant sweeping updates like the November update, make it very hard. Microsoft is trying to move closer to the Apple model, but the Apple model is a big departure for anyone who knows the pains of PCI, HIPAA, or SOC2 compliance.

      • Things like this do not affect the corp version at all. It's specific to people using MS not corp AD servers. We have had key escrow as an optional part of AD for a long time at least in relation to drive/file encryption.

      • Hopefully this is one of those features Microsoft will allow you to turn off in the Enterprise SKU.

        No, hopefully not. I'd rather see MS force their corporate customers to link their AD servers to MS's, and send all their encryption keys to MS's servers.

        • by epyT-R ( 613989 )

          Why?

    • Windows 10 Enterprise doesn't have spyware. Only the Home and Professional versions do, so the point is moot. Great way, too, to force companies to buy an expensive corporate blanket and not save with the Pro version.

    • Win10 is not even on the table. Far from it. And as long as there is support for Windows 8, it will not become an issue.

      Seriously, most companies I deal with still use Win7. And they will do so until the final moment of its support.

    • by Reginald Owens ( 3490963 ) on Tuesday December 29, 2015 @10:05AM (#51201603)
      I find this to be rather difficult to properly converse about. While I'm not a CISO per se, I consult many CISOs regularly and this is one of the topics that has come up recently and has opened up a lot of interesting discussions. To clear the air, Windows 10 Enterprise (and Windows 10 Professional) do not give you the ability to store BitLocker keys with Microsoft when joined to Active Directory, nor do they automatically upload the keys. When joined to Active Directory, you have 3 options for key backup: printing a copy, saving it to a file, saving it to a USB key. Behind the scenes (not visible to the end user), there is a 4th option in which you can require that the joined computer store a backup copy of the key on the computer object within Active Directory. This must be configured in AD and deployed as a GPO to the computers, otherwise this backup option will not take place. The option to back up to a MS account is not available, even if you add a MS account to the workstation. Now, to be transparent, none of the large (Fortune 500 or bigger) companies that I consult are using BitLocker (rather, they are using various third-party drive encryption systems). Now, that isn't to say that there aren't any, just not the ones that I consult. However, several of my medium enterprise clients are. All of the discussions have been centered around where to store recovery keys for the purpose of the business being able to decrypt a system if needed by an authorized administrator. This has caused a lot of issues because, for my clients that are using BitLocker, a few of them have considered moving to Azure AD (Active Directory run by Microsoft in the cloud). My concern about this has been that if you are using AD as a recovery for BitLocker and you move AD to the cloud, this effectively does exactly what a MS account does to the home computer... puts the encryption keys in the hands of Microsoft.

      Now, not all of my medium enterprise clients are considering this, but of the few that are, we haven't been able to get clear information from MS on who all would have access to Azure AD and what their policies are.
      • by ray-auch ( 454705 ) on Tuesday December 29, 2015 @10:34AM (#51201775)

        Good summary - unfortunately I don't have mod points today

        I would add that the likely reason we can't get clear info from MS about Azure AD is that Azure is international and located in multiple regions / jurisdictions and I think the court cases are still ongoing about whether or not the US can short-circuit international treaties and local laws elsewhere and force MS to hand over data located in other jurisdictions. So, MS basically don't know.

        It's safest to assume that govts are always likely to be able to get hold of keys whether stored on your own recovery server or with MS, and the likelihood rises with size of govt concerned...

        • It's safest to assume that govts are always likely to be able to get hold of keys whether stored on your own recovery server or with MS, and the likelihood rises with size of govt concerned...

          Indeed, MS is most likely obligated to turn those keys over.

          • by PCM2 ( 4486 )

            Indeed, MS is most likely obligated to turn those keys over.

            Not in all cases. One particular one that I'm aware of was where a US court ordered Microsoft to turn over one of its customers' data, but Microsoft responded that the data in question was not hosted in the US and therefore the court had no jurisdiction to seize it. I think Microsoft is still battling it out with the US government on that one.

    • by mysidia ( 191772 )

      As an IT technical admin of a non-public corporation; I will say that many of the cloud features of Windows 10 scare me greatly, and I would have many concerns to address moving forward.

      I do not believe it is necessarily justifiable that they block all deployment, but we may add special in-house requirements and restrictions on deployment, as we see necessary.

      For example: we may need to take steps to disable or interrupt features considered a risk.

      We expect our endpoints to not upload sensitive encry

    • by cjjjer ( 530715 )
      Considering that large companies will probably disable this feature using a GPO (being able to add and/or log in using a Microsoft account), it's probably not even an opinion worth asking for.
  • by Vintowin ( 1476905 ) on Tuesday December 29, 2015 @09:16AM (#51201323)
    How about you don't login with a Microsoft account? That'll show them!
    • Re: (Score:2, Troll)

      by Z00L00K ( 682162 )

      And you think that actually helps? The key may already be uploaded and linked to your computer ID. The Microsoft account is just a decoy that they use to mislead and make you feel comfortable with getting some extras since they can confirm your identity even though they have statistically already determined your identity.

      • Do you have any proof of this assertion?

        Furthermore, how is this any worse than Google's password manager behavior?
        • by Z00L00K ( 682162 )

          It's worse because it's the key to the operating system itself, which would allow a random attacker to gain control over your computer and access your data, possibly even if it's encrypted with BitLocker.

          • You're forgetting about the Google Update service for Windows and Mac, and the deep integration of Google services into most versions of Android.

            If anything, Google has had this very ability for years now and Microsoft is playing catch-up.
        • Furthermore, how is this any worse than Google's password manager behavior?

          One is something you have to explicitly opt-in to use whereas the other is done without your consent?

          • Using a Microsoft account on Windows 8 or 10 is not necessary either.

            But I'm willing to bet a lot more people keep themselves logged in to Chrome all the time than use a Microsoft account on Windows 10.
        • Not the poster, but it looks like Windows 10 still has the keylogger from the beta running [disclose.tv], which means ANYTHING you type, including with the virtual keyboard, is sent home to the mothership, along with samples of your voice and your webcam. Which of course means using a MSFT account means nothing, as once you type your key and/or passwords they have them and can then sell them or do as they see fit.

          Until someone shows a tool that can REALLY and truly remove the insane amount of spying, which as you can see

        • Furthermore, how is this any worse than Google's password manager behavior?

          Like a washed-up dictator hauled in front of The Hague to answer for their crimes popping off "but Hitler did it too"? Like that worse?

          Please for the love of god enough bandwagon fallacies.

      • And you think that actually helps? The key may already be uploaded and linked to your computer ID.

        Their keylogger has already given it to them

  • I don't have an encryption key! HA! Take that, Microsoft!

  • So one important thing to remember is that these keys don't give anyone a login or remote access to your box whatsoever. Instead, Windows 10 now turns on disk encryption by default. That's a good thing, but of only limited value since disk encryption really only helps if the disk is physically stolen from you.

    So what we have here is a copy of the key that allows recovery of an encrypted disk being stored in the cloud unless you delete it. Not the greatest thing ever but it doesn't panic me all that much whe

    • Windows 10 does not turn on disk encryption by default.
    • by Opportunist ( 166417 ) on Tuesday December 29, 2015 @10:04AM (#51201595)

      So one important thing to remember is that these keys don't give anyone a login or remote access to your box whatsoever. Instead, Windows 10 now turns on disk encryption by default. That's a good thing, but of only limited value since disk encryption really only helps if the disk is physically stolen from you.

      Like, say, in a police raid.

      So what we have here is a copy of the key that allows recovery of an encrypted disk being stored in the cloud unless you delete it.

      Like, say, to gain access to the data after the raid.

      Not the greatest thing ever but it doesn't panic me all that much when the same people who scream about not upgrading to Windows 10 because OMG NSA are also running old systems without any disk encryption whatsoever.

      To put it another way: The vast VAST majority of Linux systems in operation that don't use full disk encryption are actually LESS secure than this setup simply because there's no need to get your hands on a recovery key to decrypt anything. Yes, I'm well aware that Linux systems with full-disk encryption exist. So what, they did (and still do) on Windows too.

      With the difference that I can actually create encryption on Linux with a chance that nobody but me gains access to the key.

  • by sasparillascott ( 1267058 ) on Tuesday December 29, 2015 @09:56AM (#51201543)
    Good to remember, that Congress just passed new (clearing companies to share any data with the NSA directly without liability) surveillance legislation tucked into the 2015 budget bill:

    http://arstechnica.com/tech-po... [arstechnica.com]

    The way this (and the data uploading with Windows 10) dovetails with the budget spy bill just passed, you'd think it was hatched out in a back room in D.C. Obviously don't use Windows 10 if possible (you can still get 7 or 8.1 on most systems) and don't use Microsoft's built-in encryption option (which Microsoft kneecapped starting with Windows 8 by removing the Elephant diffuser, making it more vulnerable to brute force attacks); there are other options for Windows encryption.
  • Consider the alternative:

    1. Encrypt the disk and login with Microsoft account
    2. Forget the password, reset it from the web
    3. Poof! Your data is gone!

    Maintaining strong security is not a joke. You have to memorize multiple long passphrases for different domains of protected data and never access stuff on devices that have ever left your custody. Like a laptop that has been left at home for NSA keylogger installation convenience. Be prepared to lose data and toss hardware on regular basis. I don't blame Micros

  • by MarkH ( 8415 ) on Tuesday December 29, 2015 @10:53AM (#51201901)

    But you can set up a Windows 10 machine with all local accounts and all updates and traffic disabled.

    Good guide here http://www.rockpapershotgun.com/2015/07/30/windows-10-privacy-settings/

    Looking at wireshark it does seem to work

  • Can someone explain what all this actually means? Why should I care about this recovery key? I back up my own data so... if I had to do a recovery, I can certainly do that.

    Not really any scenario where I would think of going to Microsoft to recover anything. What am I missing?

    • by wbr1 ( 2538558 ) on Tuesday December 29, 2015 @11:37AM (#51202117)
      It means MS has a copy of the keys to your BitLocker-encrypted data. And by inference anyone with access to MS (hackers, government, disgruntled employees...) could log into your computer and use the keys to unlock what you thought was encrypted and safe.
    • by pr100 ( 653298 )

      You have a laptop running windows 10. The hdd is encrypted with bitlocker. MS have a copy of the recovery key.

      That means that, in theory, MS and anyone they're prepared to share the key with can decrypt the contents of your HDD.

      Presumably there was a reason that you encrypted your hdd in the first place, so there are at least some people that you don't want to be able to decrypt it (otherwise encrypting it was a waste of time).

      One difficulty is that you can't know for sure who really can get hold of that recove

  • by GuB-42 ( 2483988 ) on Tuesday December 29, 2015 @11:19AM (#51202037)

    If encryption is turned on by default for normal users, there must be a way for the provider to recover the data.
    People lose their passwords all the time, and don't want to lose all their data if that happens. For these people, disk encryption is just a way to prevent regular laptop thieves from accessing their data, not to protect them from the NSA and criminals who can hack Microsoft. They don't want end-to-end encryption.
    If you need high level security even against Microsoft, then don't use your MS account, or better yet, don't use Windows.

  • by globaljustin ( 574257 ) on Tuesday December 29, 2015 @12:07PM (#51202313) Journal

    Yours :P

  • by duke_cheetah2003 ( 862933 ) on Tuesday December 29, 2015 @12:12PM (#51202339) Homepage

    Should be noted, TrueCrypt 7.1a (last full version) works fine with Windows 10 if you're really concerned about someone thieving your data. I highly doubt the OS has your TrueCrypt keys if you use this solution, Microsoft account or not.

    • by cfalcon ( 779563 )

      Veracrypt as well. I'm not sure about Ciphershed, but probably. These are the forks of Truecrypt once the Truecrypt devs gave their warnings and went away.

      The keylogger's transmission can be disabled, and I'm not 100% sure if the fact that the data is in the kernel is inherently flawed. It's definitely highly suspicious, however.

  • I mean, this should be pretty old news by now, but the moral of the story is the same as the previous N stories where using a Microsoft account uploads your personal information to Microsoft's (and the government's) servers: don't use a Microsoft account. At least this is a relatively easy fix which avoids a lot of the badness of Windows 10. I view it like running an ad blocker: yeah, it's kinda bad for convenience sometimes, but it's a small price to pay to avoid malware I know about, and other malicious t

  • The conclusion in the article was that everybody who manages to hack the MS database or extorts an employee there would get access to my data. While I severely doubt that accessing the key is easily possible for an employee (I would not think so) without being noticed, there is another important point: whoever steals my key still needs physical access to my HD (and that is the only situation in which stealing the key makes a difference: physical access, but no possibility to manipulate the OS

    • I could not agree with you more.

      The encryption keys are only useful to decrypt your hard drive once your computer has been turned off.

      There are much easier ways for hackers to get your data which do not require decryption at all (because that has already been or is being done once the computer is booted).

      This is a perfectly reasonable trade off in usability without a huge hit to security.

      It is not a "TNO" (trust no one) solution. But if you need that, you probably should not be running anything but a Linux

  • Microsoft doesn't give anything away for free without a catch.

    In this instance, the catch is your encryption key.
  • by 140Mandak262Jamuna ( 970587 ) on Tuesday December 29, 2015 @02:03PM (#51203213) Journal
    Not only do you have to upload your recovery key to Microsoft, the response you get from their servers after you upload does not bode well.

    It says "all your base are belong to us".

  • by ITRambo ( 1467509 ) on Tuesday December 29, 2015 @02:33PM (#51203489)
    Does MS having a copy of a Windows 10 Pro BitLocker key for a PC in a small medical office violate HIPAA, or is the issue moot?
  • like Microsoft developers forums?

  • by cfalcon ( 779563 ) on Tuesday December 29, 2015 @04:58PM (#51204627)

    Bitlocker lets you have the option to save your "recovery key" to USB, or to print it. In both cases, you can destroy the key effectively (note that you'll have to take care to ensure that the USB device is physically destroyed or secured in a manner secure against attackers you are concerned about, and that your printer doesn't keep a recoverable copy somewhere).

    So BitLocker is (in theory) safe and secure. Personally, I wouldn't trust this: it's proprietary, it's Microsoft, and there's every motivation to either make the key recoverable or disclose it for uses Microsoft deems useful (for instance, a future tyrannical government might be able to threaten them in such a way as to produce the keys). But by their claims, it should be.

    The article distinguishes this from "device encryption", a gimped form of BitLocker present in the "Home" edition that they give for free (or cheap or whatever; once I did even the first amount of research into Windows 10 I decided to avoid it entirely). If you pay for Professional, you get access to "BitLocker", which has configuration options, including the print-out and USB options, which can result in NO recovery key, the generally desired state from a security perspective.

    The headline of the article truthfully states that Microsoft "probably" has your recovery key, and the slashdot headline leaves that out totally. Both leave out the important fact that you have to be using the "device encryption" version of Bitlocker in the shit-tier version of Windows 10.

    There are other posts talking about the keylogger, or kernel keylogging. I'm not sure the fact that the kernel keeps your keystrokes for a while is inherently vulnerable, but it is suspicious.

    In any event, the fact that you must be an expert user to get anything that MIGHT be security out of Windows 10 is absolutely disgusting. The Home version will be the most common by far, and the average user will not be aware of the default settings where keys are sent (along with a ton of other things) upstream, nor will he be aware of the fact that his supposed device encryption is recoverable by any hacker or bad actor in the future. The level of drama required to do anything in Windows 10 is massive. It's a real nightmare.

    Anyone notice how oddly hard it is to set up anything but straight AES in almost all places? There's a shocking lack of user-exposed options even in Linux (and Linux can be configured to extremely high levels of redundancy or security). Name a distro that lets you full-disk encrypt with AES-Twofish-Serpent from a GUI, for instance (again, you can absolutely configure this, but it seems hard to get anything but straight AES). I know AES is trusted, but I'd trust it more if there were more ways to opt out of it and use either another block cipher, or it WITH another block cipher.
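    Two posts in this thread (Reginald Owens on AD-backed recovery keys, cfalcon on the print/USB protectors) turn on the same practical question: which recovery protectors exist on a volume, where is policy telling them to go, and was the escrow actually done? The script below is an added example, not code from the thread, from the Intercept article or from Microsoft. It uses the built-in BitLocker PowerShell module (Get-BitLockerVolume, Backup-BitLockerKeyProtector) and reads the FVE policy key under HKLM; the three policy value names it reads are assumptions to be checked against your own GPO reference, and the AD backup step only succeeds on a domain-joined machine whose AD schema and ACLs permit it. Run from an elevated prompt.

```powershell
# Added example: audit where a BitLocker recovery key can end up.
# Not from the original page; assumptions are marked in comments.

function Get-BitLockerRecoveryPolicy {
    # The "Choose how BitLocker-protected operating system drives can be
    # recovered" GPO writes its settings under this key. The value names
    # below are an ASSUMPTION; confirm them against your policy reference.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names = 'OSActiveDirectoryBackup',        # back up recovery info to AD DS
             'OSRequireActiveDirectoryBackup', # refuse to enable until backup succeeds
             'OSHideRecoveryPage'              # hide the recovery options from users
    $result = [ordered]@{}
    foreach ($n in $names) {
        $v = Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
        $result[$n] = if ($null -ne $v) { $v.$n } else { 'not configured' }
    }
    [pscustomobject]$result
}

function Get-RecoveryProtectorReport {
    param([string]$MountPoint = $env:SystemDrive)
    # One row per key protector. Only RecoveryPassword protectors are the
    # 48-digit keys that get printed, saved to USB, or escrowed somewhere;
    # TPM / TpmPin protectors never leave the machine.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $vol.KeyProtector) {
        [pscustomobject]@{
            MountPoint         = $MountPoint
            ProtectionStatus   = $vol.ProtectionStatus
            ProtectorId        = $kp.KeyProtectorId
            ProtectorType      = $kp.KeyProtectorType
            IsRecoveryPassword = ($kp.KeyProtectorType -eq 'RecoveryPassword')
        }
    }
}

function Backup-RecoveryProtectorToAD {
    param([string]$MountPoint = $env:SystemDrive)
    # Escrow every RecoveryPassword protector to this computer's object in
    # on-premises AD DS, i.e. the "4th option" the GPO enables. This is the
    # on-premises counterpart of the Microsoft-account upload the thread is
    # about: the key still leaves the box, but to a directory you control.
    Get-RecoveryProtectorReport -MountPoint $MountPoint |
        Where-Object { $_.IsRecoveryPassword } |
        ForEach-Object {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.ProtectorId
        }
}

# Usage: show the policy first, then the protectors on the OS drive.
Get-BitLockerRecoveryPolicy
Get-RecoveryProtectorReport | Format-Table -AutoSize
```

    The report is the useful part for an audit: a volume whose only protectors are TPM-type has no recovery password anywhere, which is the "NO recovery key" state described above and also the state in which a forgotten PIN or a firmware change means the data is gone. A RecoveryPassword row is the thing whose copies you have to account for, whether that copy is on paper, on a USB stick, in AD DS, or in a Microsoft account. `manage-bde -protectors -get $env:SystemDrive` prints the same protector list from the command line if the PowerShell module is unavailable.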
