  1. #1
    Star Lounger
    Join Date
    Jul 2015

    Microsoft has your Windows 10 encryption key

    From Slashdot:

    Microsoft Has Your Encryption Key If You Use Windows 10

    http://tech.slashdot.org/story/15/12/29/0212222/microsoft-has-your-encryption-key-if-you-use-windows-10

    From the post:

    An anonymous reader writes with this bit of news from the Intercept. If you log in to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to Microsoft's servers. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud. ... As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel them to hand over your recovery key, which they could do even if the first thing you do after setting up your computer is delete it. As Matthew Green, professor of cryptography at Johns Hopkins University puts it, 'Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.'"

    Well, that's a fine how-do-you-do!

  2. #2
    5 Star Lounger
    Join Date
    Oct 2013
    Location
    Phoenix, AZ
    You beat me to it, but here is the article:
    Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key
    https://theintercept.com/2015/12/28/...ncryption-key/

    For most users I don't think this is a bad thing. I would never want an encryption I didn't control. But how often have we had an OP post that they forgot their Windows password and wanted to break it?

  3. #3
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    As happens from time to time, somebody has spotted a feature in Windows 10 that isn't actually new and has largely denounced it as a great privacy violation.

    If you have Windows 10 Home and want to encrypt your disk, but don't want the recovery key to be stored in OneDrive, that's OK; you can do it. Contrary to what The Intercept wrote, this doesn't require a paid upgrade to Windows 10 Pro or Enterprise; Windows 10 Home can do it, too.


    Microsoft may have your encryption key; here’s how to take it back

  4. #4
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    This is not new. I can verify that the encryption key for Surface Pro 3 with Windows 8.1 was stored in your Microsoft account.

    Joe

  5. #5
    WS Lounge VIP mrjimphelps
    Join Date
    Dec 2009
    Location
    USA
    If you need maximum security (most people don't, in my opinion), you could set up a local (non-Microsoft) account for your copy of Windows 10. And you could then set up your own encryption.

    I wonder, if you set up a local account and your own encryption, would this prevent Microsoft from gathering all of the "telemetry" information?

  6. #6
    5 Star Lounger RussB
    Join Date
    Dec 2009
    Location
    Grand Rapids, Michigan
    Just one more reason to move on up to Linux.
    Do you "Believe"? Do you vote? Please Read:
    LEARN something today so you can TEACH something tomorrow.
    DETAIL in your question promotes DETAIL in my answer.
    Dominus Vobiscum <))>(

  7. #7
    Star Lounger
    Join Date
    Jul 2015
    It appears the naysayers outnumber those who post information of interest to Windows users. Just because "they know" doesn't mean the rest of us aren't interested.

    Did the naysayers also go to Slashdot and TheIntercept and tell them about their "old news"? Probably not.

    But that's okay, the more you put it down, the more others want to know about it.

  8. #8
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Originally posted by oldITguy:
    > It appears the naysayers outnumber those who post information of interest to Windows users. Just because "they know" doesn't mean the rest of us aren't interested.
    >
    > Did the naysayers also go to Slashdot and TheIntercept and tell them about their "old news"? Probably not.
    >
    > But that's okay, the more you put it down, the more others want to know about it.

    You can believe what you want, no one stops you.

    In what concerns me, I have a tendency to be demanding when evaluating the credibility of any given source. Now let's consider this analysis from Paul Thurrott about the issue at hand:

    "Inexplicably making news this week is a report in The Intercept which dredges up years-old information about Microsoft storing encryption keys in the cloud and presents it as something new. “ONE OF THE EXCELLENT FEATURES of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen,” Mr. Lee reports, incorrectly. (Disk encryption is not on by default, and is only available in Windows Pro or higher.) "

    Hmmm... not being aware of what is available or not in the addressed Windows version, doesn't give a lot of credibility to your source, does it? I would think it makes the source look like a fool, more interested in making headlines, than addressing actual issues...


    “Less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key–which can be used to unlock your encrypted disk–to Microsoft’s servers.” Frankly, I’m kind of embarrassed for this guy, so I’ll just leave it at this: The very notion that a hacker would both break into your Microsoft account (potentially bypassing the two-factor authentication Microsoft offers) and gain physical access to your PC is about as ludicrous as anything I’ve read on the Internet this year. And, yes, I’ve heard of the Kardashians."

    I think Paul has a point here, although I disagree a bit with his last statement. Anyone who would gain physical access to your computer and gain access to your account, could probably gain access to your Microsoft account, as well. It's not that easy, and if you protect the account properly, highly unlikely, but I wouldn't classify it as ludicrous. It would require a few harebrained moves, but it would be possible.

    In any case, this is not only specific to Windows 10, as it was stated, but it can be avoided and even if not, successful exploits would require the confluence of multiple circumstances, not at all easy to achieve, especially if you are security conscious - as you probably are if you decided to use device encryption, which also requires specific hardware components.

    Now, you can pay all the attention you want to TheIntercept, but if you are really interested in getting a full view, you will consider other reputed sources on Windows. That may be Thurrott himself, but also Peter Bright, from ArsTechnica, who wrote about it in 2013, and wrote about it again, commenting on TheIntercept report.

    Now, you have enough information to make an informed decision, as others have. Please respect our own abilities to look up for correct, up to date, technically rigorous information, if you don't mind. It's really not about putting anything down, but showing it for what it really means.

    Personally I doubt most regular users buy hardware that supports TPM 2.0. Of those who do, how many are aware of what it allows? How many will use device encryption? How many advanced users will use it instead of resorting to BitLocker?

    That report was meant to disseminate FUD, nothing else, IMHO.
    Rui
    -------
    R4

  10. #9
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Originally posted by ruirib:
    > “ONE OF THE EXCELLENT FEATURES of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen,” Mr. Lee reports, incorrectly. (Disk encryption is not on by default, and is only available in Windows Pro or higher.) "

    I think Paul Thurrott is wrong on both these counts though, and therefore Mr. Lee reports this aspect correctly:

    Device encryption is enabled by default in all editions including Home, on newer computers with Secure Boot, Trusted Platform Module and Connected Standby. This has been the case for more than two years since Windows 8.1, as confirmed by both those Ars Technica articles. Comments on Paul Thurrott's article confirm that it applies to Surface 3 which comes with Home edition.

    In my opinion, the only thing the original Interceptor article got wrong was saying that the only way for Home users to avoid the situation, if necessary, is to upgrade to Pro. But that has now been corrected with an addition: "Update: After this article was published, Ars Technica wrote about a method for preventing the recovery key you sent to Microsoft from being able to unlock your disk that doesn’t require upgrading from Windows Home to Pro or Enterprise."

  11. #10
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Originally posted by BruceR:
    > I think Paul Thurrott is wrong on both these counts though, and therefore Mr. Lee reports this aspect correctly:
    >
    > Device encryption is enabled by default in all editions including Home, on newer computers with Secure Boot, Trusted Platform Module and Connected Standby. This has been the case for more than two years since Windows 8.1, as confirmed by both those Ars Technica articles. Comments on Paul Thurrott's article confirm that it applies to Surface 3 which comes with Home edition.
    >
    > In my opinion, the only thing the original Interceptor article got wrong was saying that the only way for Home users to avoid the situation, if necessary, is to upgrade to Pro. But that has now been corrected with an addition: "Update: After this article was published, Ars Technica wrote about a method for preventing the recovery key you sent to Microsoft from being able to unlock your disk that doesn’t require upgrading from Windows Home to Pro or Enterprise."

    Actually, the implication that this happens with Windows 10 (and is thus a new thing) is also wrong. His article is two years late.
    Rui
    -------
    R4

  12. #11
    Banned Member
    Join Date
    Dec 2015
    Hi, I have nothing to hide. If this keeps me safer from terrorists, I have no problem with it. If you're on the internet, you are never safe from the eyes of the world. I'm sure someone knows everything I do and I really don't care! Don't want your actions known, burn your PC and go back to paper! I laugh at the people who gripe about these things and then put their whole life on Facebook.

  13. #12
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Originally posted by ruirib:
    > Actually, the implication that this happens with Windows 10 (and is thus a new thing) is also wrong. His article is two years late.

    And the "fix" is more than five years old: How to regenerate the BitLocker Numerical Recovery Password

    It was more the anonymous SlashDot post which put the emphasis on Windows 10. The Intercept article did include, "Windows Home includes device encryption, which started to become available during Windows 8, ..." and, "If you’re using a recent version of Windows, ...".

    That original article still seems to be wrong though, where it says; "In order to generate a new disk encryption key, this time without giving a copy to Microsoft, you need decrypt your whole hard disk and then re-encrypt it, ...". The steps recommended by Ars Technica (the five-year-old fix above, minus step 4 if not on a domain) appear to be much quicker.
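
Added example (not part of the thread, and not the steps of the linked Microsoft or Ars Technica articles): one way to replace the recovery password discussed in the post above, showing why no decrypt and re-encrypt cycle is involved. It assumes an elevated PowerShell session, that the BitLocker cmdlets are available on the edition in use, and that the OS volume is `C:`.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: the OS volume is C: and the BitLocker module is present.
$MountPoint = 'C:'

$volume = Get-BitLockerVolume -MountPoint $MountPoint
if ($volume.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint; nothing to rotate."
}

# Recovery passwords that exist now, including any that were uploaded earlier.
$old = @($volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# Add the replacement first so the volume is never left without a recovery protector.
# Only a key protector changes; the data on disk is not decrypted or re-encrypted.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
    -WarningAction SilentlyContinue | Out-Null

# Remove the old protectors: copies of those passwords held elsewhere stop working.
foreach ($kp in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint `
        -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# Show the remaining recovery password so it can be recorded offline.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object KeyProtectorId, RecoveryPassword
```

The script makes no backup call of its own, so the new password has to be stored by the user; the old entry can then be deleted from the Microsoft account.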

  14. #13
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Originally posted by BruceR:
    > And the "fix" is more than five years old: How to regenerate the BitLocker Numerical Recovery Password
    >
    > It was more the anonymous SlashDot post which put the emphasis on Windows 10. The Intercept article did include, "Windows Home includes device encryption, which started to become available during Windows 8, ..." and, "If you’re using a recent version of Windows, ...".
    >
    > That original article still seems to be wrong though, where it says; "In order to generate a new disk encryption key, this time without giving a copy to Microsoft, you need decrypt your whole hard disk and then re-encrypt it, ...". The steps recommended by Ars Technica (the five-year-old fix above, minus step 4 if not on a domain) appear to be much quicker.

    I think it's FUD spreading, to be honest, even with some facts undoubtedly true. I would also like to know how many tablets and laptops support the required TPM 2.0. I think I have had two, but they were both business class Toshiba tablet PC devices!
    Rui
    -------
    R4

  15. #14
    Silver Lounger wavy
    Join Date
    Dec 2009
    Location
    ny
    Originally posted by BruceR:
    > I think Paul Thurrott is wrong on both these counts though, and therefore Mr. Lee reports this aspect correctly:
    >
    > Device encryption is enabled by default in all editions including Home, on newer computers with Secure Boot, Trusted Platform Module and Connected Standby. This has been the case for more than two years since Windows 8.1, as confirmed by both those Ars Technica articles.

    And that implies M/B soldered Ram >> Likely not too many desktops that would meet those requirements.
    David

    Just because you don't know where you are going doesn't mean any road will get you there.
