Microsoft obeys court orders to provide Windows BitLocker recovery keys
38 points by krinkle
I don't find this ... particularly surprising, to be honest?
Somewhat related, this talk from the 39c3 shows completely local methods of decrypting a BitLocker disk through bits in the recovery partition: https://media.ccc.de/v/39c3-bitunlocker-leveraging-windows-recovery-to-extract-bitlocker-secrets These are supposedly all fixed now but I think it's wild that these methods ever worked.
I, too, am not surprised. And I am surprised this is a news story.
I've never viewed Bitlocker as a way to protect my private stuff, more something that keeps company data out of the hands of people stealing laptops.
> I've never viewed Bitlocker as a way to protect my private stuff, more something that keeps company data out of the hands of people stealing laptops.
For most people it would prevent thieves from getting your private pictures or information when they steal the laptop. Backing up the key into the cloud to help customers that forget their pin/password is the sensible choice for ~99% of users.
Rest of the ~1% of users should probably have gotten a more informed choice about this though?
A year or so ago, the fact that a US company could decrypt all of your encrypted data was a concern for a few people. Now, it's a concern for most of the world (including those in the USA).
It was always a concern, it just took a few decades and a couple of authoritarian activities until people started waking up.
I don't think most of the world are in a position to fear the US in a way where Microsoft would be compelled to hand over bitlocker encryption keys?
It would also imply they have your machine, which is not the case for anyone outside the US.
I would be surprised if Microsoft did not honor a request (via warrant) from law enforcement agencies outside the USA.
Sure, I'm not going to dispute that. But most people do not need to fear the police and a warrant. The millions, or so, users of Microsoft Windows in Norway do need a balance of usable security.
If you are actively protesting the ICE in the US however, you probably need to reconsider your disk encryption setup on Windows.
> I don't find this ... particularly surprising, to be honest?
I find it borderline incompetence for service providers to be storing recovery keys in plain text. Only a user with their password should be able to ever access recovery keys.
I agree! I'm just not surprised that it's not the case here. :)
I mean, as @Foxboron said in the sibling thread, one could probably make an argument that it's useful (in a "serves most users" sense) to be able to recover this key even if you forget your password etc. when you basically try to roll this out as a default for everyone. But personally, I'd pick something else for my data.
It's time to encrypt a bunch of suspiciously named but disgusting perfectly legal videos, with watermarked messages to throw off the file sizes and heuristics, so a live person has to view every one all the way through.