On the Intercept, Micah Lee has a good article that talks about how Microsoft is collecting the hard-drive encryption keys of Windows 10 users, and how to disable that “feature.”
EDITED TO ADD (1/13): More useful information.
Alex madden • January 4, 2016 1:42 PM
I don’t see the big deal here.
Before : most people had unencrypted drives, once the drive is obtained anyone can read it.
Current state : anyone with Windows 10 signing on with a Microsoft account has their drive encrypted. Once the drive is obtained, to read it you must serve a warrant on Microsoft to obtain the decryption key.
I can’t see how this is a regressive move.
Alex
Jungle • January 4, 2016 1:50 PM
@Alex madden
You missed a period in-between where TrueCrypt offered greater security before it mysteriously disappeared.
Anura • January 4, 2016 1:55 PM
I suggest that you don’t create a Microsoft account in the first place. Not just because of key escrow, but because it’s an operating system, not a web service and there is nothing it could possibly add. That said, I still wouldn’t trust Windows encryption, even without a Microsoft account.
Steve • January 4, 2016 2:07 PM
TrueCrypt did mysteriously disappear, but VeraCrypt is based on the TrueCrypt 7.1a code. There are other projects based on TrueCrypt as well.
So there are other options, at least as secure as TrueCrypt was.
Ben • January 4, 2016 2:09 PM
As the article says, this is probably a sensible default and a legitimate feature (without the scare quotes) for the majority of home users. The problem is that there’s no way to opt out before the key is uploaded.
George • January 4, 2016 2:11 PM
I’m with @Alex and in part with @Anura.
To use the key, an attacker still needs physical access to your computer, and if you’re using an MS account, there’s a good chance a lot of your data’s not even on the computer but on OneDrive or Outlook.com.
What NONE of these “the sky is falling” articles capture is the consequence to users of NOT having the key in OneDrive. In OneDrive, secured (optionally) by 2FA, you can recover your encrypted data, quite easily. I’ve used this several times. WITHOUT that recovery capability, you need to back the key up to removable media and protect that volume. No thanks.
IIRCE, Bruce did a review of BitLocker a while back and it came off as cryptographically sufficient, IIRC.
Eric L • January 4, 2016 2:19 PM
The key is uploaded as part of the initial account setup process. Besides deleting it on the MS site, you can also change the recovery key.
From an administrator command prompt:
manage-bde -protectors -disable %systemdrive%
manage-bde -protectors -delete %systemdrive% -type RecoveryPassword
manage-bde -protectors -add %systemdrive% -RecoveryPassword
manage-bde -protectors -enable %systemdrive%
The first command suspends Bitlocker. The second deletes the recovery password. The third creates a new one. The final command turns Bitlocker back on.
With this method you’ll need to manually copy that recovery key somewhere safe as it doesn’t force you to do so like the GUI version does.
People like to get mad a Microsoft for some of the wrong reasons–when there are good reasons to get mad at them that get ignored. This feature improves security for the vast majority of people while protecting them from data loss. The average person’s “adversary” is a lost device. There are multiple ways for a person who does not want Microsoft to have their keys to work around the escrow, but they have to know to do it, just like they did before when they encrypted their drives manually.
-Eric
Brian • January 4, 2016 2:55 PM
@Steve
TrueCrypt did mysteriously disappear, but VeraCrypt is based on the TrueCrypt 7.1a code. There are other projects based on TrueCrypt as well.
So there are other options, at least as secure as TrueCrypt was.
Microshill for some reason moved their whole boot method from legacy to UEFI. That means system encryption code from Veracrypt has to be completely rewritten to satisfy Windows 10. Another issue is fastboot is enabled in Windows 10, so when you turn off the computer, it isn’t actually “off”.
Thomas • January 4, 2016 2:58 PM
@Alex
I can’t see how this is a regressive move.
A false sense of security is harmful. Getting people used to the idea of “key escrow” is harmful.
@Jungle
You missed a period in-between where TrueCrypt offered greater security before it mysteriously disappeared.
You’re missing alternatives currently available, for free even:
Linux with FDE + virtualisation = encrypted windows desktop.
Most of you were probably not born during or just after WWII. We who came from that era are literally sickened by any kind of government and company snooping. For many years we heard of the practice of Germans spying and turning in their neighbors for any alleged suspicious activity. German children were taught and encouraged to report any seemingly suspicious activity by their parents and relatives. The thought of an American doing this after the war was anathema! In the 60’s, Californians began this practice in reporting on one another. Microsoft BitLocker has been reported to be backdoored. I for one can’t imagine someone installing W10. How anyone would trust MS after turning over the OS code to the FBI before releasing it is beyond me. Well, as the saying goes: Those who do not learn the lessons on history are doomed to repeat them.
paranoid.schizophrenic • January 4, 2016 3:21 PM
@Thomas
“Linux with FDE + virtualisation = encrypted windows desktop.”
Too much work. Just open your “walls” up a bit and let the latest generation of ransomware encrypt your hard drive for you.
George Orwell • January 4, 2016 3:45 PM
It’s all part of a progressive erosion of rights in society, and a matching increase in intrusiveness and power in government.
Thomas • January 4, 2016 3:58 PM
@paranoid.schizophrenic
Too much work.
I usually skip the bits after “Linux with FDE” which makes it less work…
… ransomware …
isn’t that just key escrow without the local copy?
orcmid • January 4, 2016 5:23 PM
There is too much hyperbole here. In my home there are three systems running Windows 10 and only one has Bitlocker enabled. That one, a laptop, has a recovery key stored privately at my Microsoft Account because I specified permission to do so when I selected Bitlocker encryption.
The only Windows 10 devices for which device encryption is automatic upon activation with a Microsoft Account are ones that satisfy very specific hardware requirements more likely satisfied by mobile devices and perhaps some tablets.
Also, note that the recovery key is not the startup key that is used when the device starts up. The recovery key is used when the startup key has been lost or there is a problem with the configuration.
The recovery key is secured at a private OneDrive account and it is not visible by inspection of the OneDrive account storage. A particular web address must be used to obtain the recovery key, which will presented in text on a web page. The 48-digit numeric recovery-key value must be entered manually on the device and, depending on other protections, will still not provide open access to the device.
Whether Microsoft is able to surrender the recovery key on a lawful request is not clear. The requester would need to know how to ask for the correct recovery key, although it might be searchable by Microsoft given the GUID that is associated with the device encryption.
No Such Agency • January 4, 2016 5:31 PM
Windows 10 is only good for non-critical use. If you don’t need it, don’t use it.
I don’t think anyone beyond the TrueCrypt developers know why they suddenly abandoned it, but if there are nefarious reasons for it being abandoned in the manner that it was, why should any branches be trusted? Sure that code would also be tainted with whatever is in TrueCrypt?
Never Save Anything • January 4, 2016 6:42 PM
Really? You don’t believe the NSA or any other nation’s intelligence community has any greater insight to the TrueCrypt developer’s motives than the developers themselves? Seems unlikely to me. And once you presume some of them have that knowledge, you can easily presume the knowledge has spread at least somewhat. Knowledge is power.
Never Suggest Alternatives • January 4, 2016 6:46 PM
brain fart decon- “any greater insight to the TrueCrypt developer’s motives than the developers themselves?” should have of course read “any greater insight to the TrueCrypt developer’s motives than the general public?”
Dirk Praet • January 4, 2016 7:09 PM
@ Eric L
This feature improves security for the vast majority of people while protecting them from data loss. The average person’s “adversary” is a lost device.
I’m not too much of a Microsoft fan, but that’s actually how I see it too. From a security/privacy vantage, the diagnostic/telemetry data collection is a much bigger reason for concern than the encryption recovery key by default being uploaded to the user’s One Drive account. Unless Bitlocker encryption is done for them in some easy and transparant way, they’re never going to do it and even if they do, they’d probably just lose a recovery key stored on paper or USB.
@ Ben
As the article says, this is probably a sensible default and a legitimate feature (without the scare quotes) for the majority of home users.
I thought Bitlocker was not supported on Windows 10 Home Edition. And in a business environment, recovery keys would be stored in AD.
@ orcmid
Whether Microsoft is able to surrender the recovery key on a lawful request is not clear.
But of course they are. Let’s not be naive here.
@ Anyone interested
Bitlocker volumes can be read under Linux and OS X using Dislocker.
James • January 4, 2016 7:49 PM
This article may be more helpful to people than the one from the Intercept
@dirk, protip on dislink man. thank you very much.
65535 • January 4, 2016 8:06 PM
I am at the lower end of this thread so I will make my comments short.
@ No Such Agency
“Windows 10 is only good for non-critical use. If you don’t need it, don’t use it.” –No Such Agency
I agree.
There is too much server side bits and pieces being transmitted to Microsoft over the wire to leak or be MITM’d or diverted to various 3 letter agencies [NSA, CIA, FBI and so on].
Both Trusted Platform Module (TPM) and Unified Extensible Firmware Interface (UEFI) have wholes in them and leak to some extent. Bitlocker depends on TPM and that is sketchy. The Windows “Device Encryption” requires a “Microsoft Account” [Onedrive or Outlook] which defeats your OPSEC [Operational Security] by various means including recording your IP and most likely your MAC address [or other identification methods].
@ Thomas
“A false sense of security is harmful. Getting people used to the idea of “key escrow” is harmful.” -Thomas
I concur. That is the whole idea of shipping your data off to Microsoft and “trusting them” in a repetitive fashion is subliminal training technique – not to say monetary advantage for Microsoft [for those who have a paid Microsoft account – which tie your financial details to that account].
In the long run you will be trained to depend on corporate digital property to “secure” your encryption keys or data. As they say, “possession is 9 tenths of the law. Reading some of End User Agreements is stupefying and gives control of your data to a third party in many cases.
@ Anura
“I suggest that you don’t create a Microsoft account in the first place.”- Anura
Good suggestion.
But as the dependency of Server Side computing and storage increase not having a Onedrive or Outlook account [or others] will be come difficult. That doesn’t mean people should be complacent and take steps to keep from becoming dependant on large corporate storage providers.
@ Ben
“The problem is that there’s no way to opt out before the key is uploaded.” – Ben
Yes, that is true.
For “home” and most mobile users that is true.
As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it…Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel it to hand over your recovery key, which it could do even if the first thing you do after setting up your computer is delete it… As Green puts it, “Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.”- The intercept
The problem is does Microsoft keep a copy of your key? The answer is probably yes.
[Wikipedia]
“When users delete any files on OneDrive, the service will allow the user to undo the action and restore the deleted file from the recycle bin back to the original folder. Items in the recycle bin do not count against the user’s OneDrive storage limit. All items stored in the recycle bin are kept for a minimum of 3 days and a maximum of 90 days. If the content in a user’s recycle bin exceeds 10% of the user’s storage limit (e.g. 0.7 GB for a user with a total of 7 GB OneDrive storage), OneDrive will delete the oldest content from the recycle bin (provided that the files have been in the recycle bin for at least 3 days)” –Wikipedia
https://en.wikipedia.org/wiki/OneDrive#Recycle_bin
The 64 thousand dollar question remains – does Microsoft or others maintain a copy of said key?
@ orcmid
“Whether Microsoft is able to surrender the recovery key on a lawful request is not clear.” –orcmid
I would wager that a National Security Letter from the FBI or others would be clear enough to cause Microsoft to hand over your recovery key [probably after the FBI has your device – or an image of it – in their possession].
All of the rest of you arguments seem sound – but only to a degree.
I don’t recommend Windows 10 home because or mobile editions because of the requirement of an Onedrive or Outlook account to active said device [that blows your OPSEC]. Sure, windows 10 home edition [or Mobile edition] is fine for gaming and other non-critical uses. But, for critical uses I would not recommend it.
I’ll not comment further on other aspects such as TPM and UEFI hacks [and the possibility of “Carrier IQ” style of key logging].
Excuse the poor grammar and other errors. This was written quickly.
does anyone know offhand which usb device it was that claimed it was not vulnerable to firmware updates?
in-search-off a removable /boot partition
Scott Lewis • January 4, 2016 10:16 PM
I give up. The naysayers have lost it. It’s a fantastic feature. Well over 99% of home users have both minimal attractiveness to the government and minimal knowledge of what encryption is, why it’s good, and wouldn’t know how to answer a question on whether or not to turn it on, and what to do about a backup key and where to put it. They aren’t to be trusted to back things up on their own.
Honestly the rest of the Windows computers out there are in the hands of people who know how to disable it in lieu of a third party encryption product, or people who know how to disable the OneDrive feature or weren’t using a Live account in the first place, know how to change the key after the fact, or are Pro or Enterprise editions on a domain and using totally different account types and key storage.
I know better and just don’t care. It’s convienent. It’s safe. And the NSA can have my hard drive. Seriously. I’m all for reigning them back in but under no illusion that anything I do is going to be a problem if and when they see it.
And to the guy that thinks we should all switch to Linux, you’ve never dealt with my mother in law.
tyr • January 4, 2016 11:29 PM
It is impossible to strike the chains from a slave
who admires the glitter and shine of decoration
added to their life. Once it becomes modish to
wear chains even the gullible among the free will
wish to have them.
You can gloss over this by calls to the convenience
of a corporate control over your life with a load
of rubbish about how wonderful it is but he fact
you surrendered your own ownership and control is
still plainly evident.
I hear that Google decided to censor an election
by eliminating matters of public record. That is a
clear sign of what surrender to a corporate entity
means.
Microsoft thinks you are too dumb to be allowed to
control your own property. You need to ponder that
for awhile before you start agreeing with them.
SteveMB • January 5, 2016 12:04 AM
The problem isn’t the basic setup — Microsoft is simply designing for the average user, and the half of users less clueful than that, which means anticipating lost-password calls to tech support. The problem is not providing a clearly presented non-escrow option for those of us who don’t need the hand-holding.
Chris • January 5, 2016 1:59 AM
Much to do about nothing… Microsoft did this to prevent people from encrypting their computers, forgetting their pins, and then not having a way to recover their drives… Both Goolge and Apple store my passwords in their cloud as well but I don’t see any “sky is falling” stories about the dangers here…
They offer the option to delete the key, so use it if you are savvy enough to understand computers…
Btw, TrueCrypt didn’t offer full disk encryption for Windows 8.1 and higher…
No Such Agency • January 5, 2016 2:14 AM
@SteveMB: the question about the lack of an option to not use key escrow is one of intent.
Whilst I agree with the principle “don’t attribute to malice that which can be explained by incompetence”, Microsoft are not entirely stupid. Given everything we know so far about Windows 10, it looks less like incompetence, and more like a deliberate design decision.
Something else that is curious is the fact MS are perfectly happy to give away Windows 10. What better way to encourage up-take of a privacy-violating product than to make it free for maximum coverage?
Something that might be worth investigating is whether any remote control capability exists in the OS? Even if it looks like a “bug” in another component.
Just passin' thru • January 5, 2016 2:29 AM
@orcmid
(Maybe someone else posted this, but…)
When you say that a key can only be obtained by legal process, do you realize that the legal process can compel production of all keys in MS’s possesion?
In other words, can you say Lavabit?
Jacob • January 5, 2016 2:50 AM
@r
There is a USB stick with signed firmware by Kanguru called “FlashTrust” that is claimed to be resistant to unwanted updates.
Thanx • January 5, 2016 3:37 AM
Thanks @Jacob for the reference to flashtrust.
Who? • January 5, 2016 3:50 AM
Seriously, why wasting your valuable time trying to make Windows secure?
Do you want security? Do not use Windows, OS X or IOS (both Cisco’s and Apple’s).
Do you care about privacy? Do not use Windows, OS X, IOS or some linux distributions.
Don’t care about security or privacy? Why are you reading this forum then?
In any case, you care about data integrity, right? As noted by “paranoid.schizophrenic” on this thread, just let some sort of ransomware encrypt the disk for you… you will learn how stronger encryption is this way when compared to sharing the key with third parties.
For some serious OPSEC I would start by running OpenBSD with softraid FDE (disk encrypted using AES-256 in XTS mode) or some hardened Linux with FDE.
I do not think commercial products are a good starting point for security, not to say those products that automatically take copies of our keys `for our own protection.’
Mark • January 5, 2016 4:05 AM
I’m very surprised at a lot of comments here. Do you all seriously not see what is going on? With a combination of government and corporates, inch by inch, all over the world, we are slowly having our privacy and liberty taken away.
We all know that these encryption keys can be requested by the American government. Soon the Brits will try to demand that encryption can be broken/bypassed by their own government. Again, I see in this thread illusions/delusions of “I don’t have anything to hide… take it all”.
For the people who have stated that this is “better than what we had before”: Wake up. Do you think that holding all of the encryption keys in one place is a good idea? OPM, anybody?
Companies/governments getting us used to key escrow is a huge problem. Microsoft could have easily — remember how “seriously” they take our privacy — given us an option not to use key escrow. But they didn’t. Apple provide this option in OS X.
Normally I am happy to see some likeminded people here on Bruce’s site. However, far too many of you are complicit in governments’/corporates’ surveillance.
Read Wm’s comment. He hit the nail on the head. We’re repeating the same mistakes that we’ve already made.
Curious • January 5, 2016 4:26 AM
I don’t know how disk encryption works, but could it be a problem of sorts, if the initial key used for the very first disk encryption, is re-used for other parts of the OS without the knowledge of the user?
BobbyT • January 5, 2016 4:55 AM
I get a bit confused by the article. It says:
1: …Pro and Enterprise both include device encryption, and they also include BitLocker
2: If you’re using a recent version of Windows, and your computer has the encryption chip, and if you have a Microsoft account, your disk will automatically get encrypted, and your recovery key will get sent to Microsoft.
3: If you choose to not use a Microsoft or a domain account at all and instead create a “local only” account, then you don’t get disk encryption
4: …if you buy a new Windows device, even if it supports BitLocker, you’ll be using device encryption when you first set it up, and you’ll automatically send your recovery key to Microsoft.
Ergo (according to @John Macdonald): The key is always sent to Microsoft when encryption is turned on.
But: If you have a PRO version, install using a local account (not MS) and then enable BitLocker, would you not prevent the keys from being sent to MS, or is BitLocker not available to you if you set Windows up with a local user?
I would never consider using a MS account to log on to my personal laptop, nor use their cloud services.
Winblows • January 5, 2016 5:08 AM
I’m sure everyone who doesn’t have any problems with Win10 has read the 45 pages of terms and conditions, right? And the privacy policy? Start reading and weeping:
https://www.microsoft.com/en-us/privacystatement/default.aspx
https://www.microsoft.com/en-gb/servicesagreement/default.aspx
If you don’t have the time, let me summarise it for you: you are simply screwed if you care about privacy or anonymity.
Most of your activity is logged, Cortana is a spy, encryption security is really non-existent, advertisers know who you are, Microshaft will use their data as they see fit anytime they like, you are tracked across the web via URLs like a bitch, they engage in keystroke-logging, they will disclose your private files or comms as they see fit, and you lose any semblance of control you thought you had over your O/S yada yada yada
Yeah – great platform, if you are an apologist for the Police-surveillance state.
Lets get real – ‘Qubes it up’ if you want proper security. Micah Lee has some good articles out there to get your started and the documentation is pretty straight forward for intermediate-advanced users of Linux.
Then, run Qubes with “Qubes TorVM” to provide torrified networking everywhere when needed. For proper anonymity, use the Whonix template-VM and voila, you have a proper linux system that doesn’t have a monolithic kernel with 10s of millions of lines of vulnerable code. The Xen hypervisor in Qubes only has several thousand lines of code and is not weak like all the type-II hypervisors e.g. Virtualbox and co.
Set as many VMs as you need in Qubes, based on your paranoia level. Open up dodgy email attachments and links in a throw-away VM when required. Set minimum trust to ‘risky’ activities like browsing.
The biggest problem in getting Qubes running will be finding compatible hardware.
Solution: use the live USB boot option (requires 32 Gb space), and see if Qubes will run on the hardware you intend to buy/use FIRST. Basically, it is critical to have (from documentation):
Minimum
Recommended
Summary:
Qubes gives Edward Snowden a stiff boner based on his feedback, so it’s probably worth investigating for the Schneier crowd, who are highly competent in silicon land and profess to care about security.
If your kid plays some fancy 3-d gaming, dual boot with Debian and run the many work-around options with meta-compatability layering, VMs in Linux etc to get his stuff working. Most games will work with tweaking.
Or better yet, introduce your snotty, anti-social brat to Steam. Alternatively, have Winblows on a throw-away drive when you want to soil your hardware with that glorified virus.
Czerno • January 5, 2016 7:28 AM
@Mark :
«Normally I am happy to see some likeminded people here on Bruce’s site. However, far too many of you are complicit in governments’/corporates’ surveillance.»
“Schneier on Security”‘s been taken over by the FBI/NSA, didn’t
ye know ?
OK, private joke – but – I recall I’d suggested Bruce might want
to install a warning “canari” of sorts watching this wen site,
for some reason nothing of the kind has happened – yet –
A CANARI FOR BRUCE SCHNEIER !
Let it be my 2015 new year’s wish, if you all like !
Czerno • January 5, 2016 7:30 AM
ooops… substitute /wen site/website/
ianf • January 5, 2016 7:38 AM
@ Who?
Non-obvious sarcasm travels poorly through these interconnected series of tubes of ours. Or did you mean this matter-of-factly?
Do you want security? Do not use… iOS (Apple’s or Cisco’s)
Do you care about privacy? Do not use Windows, OSX, iOS or some linux distributions.
If the latter, do you seriously claim that an (specifically ) iOS device might be in serious danger of having some ransomware encrypt the RAM (-disk), wait until iCloud backs it up, then demand the ransom knowing full well that there is no (easy, i.e. one not involving Apple’s help) course of recovery?
paranoid.schizophrenic • January 5, 2016 7:39 AM
@Thomas
isn’t that just key escrow without the local copy?
Yes, but far more secure. After all, it is so secure that even you can’t access the data. This seems only reasonable since most people should not be trusted with their own information, let alone someone else’s.
Dirk Praet • January 5, 2016 8:23 AM
@ 65535
Bitlocker depends on TPM and that is sketchy.
No it doesn’t. You can disable TPM as shown here for Windows 8.
Anonymous11 • January 5, 2016 8:38 AM
It is beyond me why anyone who is even remotely security concerned would use Windows. Even before Windows 10 it was clear from the NSA leaks that pretty much no US made proprietary software should be trusted. If you want to your data to be secure, use safer software, don’t try to manually patch every security hole intentionally left in crappy proprietary software because you will never find them all.
Jason • January 5, 2016 10:41 AM
If i’m not mistaken Apple also stores your key in your account. The only difference is that it asks you to opt in.
Anon • January 5, 2016 11:00 AM
Does anyone SERIOUSLY believe that the NSA does NOT make a copy of the encryption key the second it arrives at Microsoft servers? I mean this is the agency that went to the trouble of hacking Gemalto for their SIM keys.
Hence deleting the key from the Microsoft database subsequently will be totally useless in terms of privacy against big brother.
Unless people do what @Eric L, suggests, then bitlocker will be just pretend window-dressing security.
Anura • January 5, 2016 11:13 AM
@Anon
It’s possible that the NSA isn’t making a copy; it could just as easily be the FBI doing it; it is just metadata, after all.
Jim • January 5, 2016 11:39 AM
Disk Encryption rarely would protect anyone. Who really turns off their computer anymore? It’s main purpose is to provide compliance to the enterprise and avoid the costs associated with data loss. Offering Disk Encryption to the masses without key escrow just isn’t possible – successful encryption is a model where users do not manage keys.
While I do wish that the “surveillance state” did not exist the sad truth is that it does, it’s well funded and manned by many capable folks that if interested simply move the attack vector.
no place to hide • January 5, 2016 12:11 PM
@Wm
For many years we heard of the practice of Germans spying and turning in their neighbors for any alleged suspicious activity. German children were taught and encouraged to report any seemingly suspicious activity by their parents and relatives.
true, true…the Germans were not just getting rid of people because of “race” (e.g. Jews and gypsies) or behavior (e.g. homosexuals and some types of criminals).
They were also interested of getting rid of people whom they otherwise accepted but who had “undesirable” ideas in their heads. So they also wanted to know about those who sympathized with certain kinds of politics (commies or socialists) or religions (like the JWs).
But at this rate it will not be necessary for NSA do any domestic surveillance (considering that they love verbal technicalities). All surveillance can eventually be outsourced to Microsoft.
Came to think about the Lavabit case. What encryption keys was the government asking for his email service – was it the keys to the disks where the email server stores the emails?
Or that case where Glenn Greenwald’s partner David Miranda was detained at the London airport and they took his laptop. If he had used Windows 10 disk encryption, the UK government would likely had easy access to his data.
Who? • January 5, 2016 12:21 PM
@ ianf,
On the one hand iOS is far from being a secure operating system. Security has been one of the weaknesses of Apple since Job’s era. They just ported the old NeXT’s mach kernel with existing bugs and didn’t really improved its quality over years. Apple just does not care about security (in both kernel and userland), they only care about aesthetics. On the other hand letting a private corporation store our data in their servers (call them Apple iCloud, Microsoft OneDrive, Google Drive, Ubuntu One, whatever…) is not a very good base to build either privacy or security.
For an example about how bad UEFI vulnerabilities found on Apple’s firmware look see this tweet:
https://twitter.com/Rootsector/status/681580497135366144
Or to this talk from Matthew Garrett:
http://mjg59.dreamwidth.org/39339.html
https://media.ccc.de/v/32c3-7343-beyond_anti_evil_maid#video
Isn’t it worrying?
Who? • January 5, 2016 12:35 PM
@ Curious,
I don’t know how disk encryption works, but could it be a problem of sorts, if the initial key used for the very first disk encryption, is re-used for other parts of the OS without the knowledge of the user?
I cannot speak on a general case, but at least OpenBSD does not reuse the key for other parts of the OS (human beings may reuse it, however!).
The way OpenBSD’s softraid-based FDE works is simple: the softraid’s CRYPTO discipline encrypts data with AES XTS 256. The AES XTS key is masked using a passphrase chosen by the user. This passphrase is what we usually call “the key”, but it isn’t the key used to encrypt the disk just a passphrase used to mask the real key.
Alternatively the AES XTS key may reside out of the encrypted disk, on what is known as a “key disk” (e.g., a small USB flash drive). Good luck breaking this set up!
Who? • January 5, 2016 12:57 PM
@ ianf,
By my reckoning, the iOS, being a native part of a closely controlled hardware-software-iCloud chain, looks more secure than any other current widely-used OS on the market. But maybe I’m dreaming… so here’s your chance to awaken me from my slumber.
Sorry, it is just your dream.
The only advantage of a closely controlled hardware-software-iCloud chain is that Apple does not need to worry about supporting five new graphics cards each month (usually small variants of mainstream hardware, different enough as to require their own drivers instead of using a generic one), or getting the full documentation from the hardware manufacturers to implement the drivers without worrying about the secretive specs of each device.
@ Bruce,
Someday you should start a thread on your blog about why hardware manufacturers protect the documentation of the devices they sell so secretively. Is not an advantage for all of them openly publishing documentation outlining how their hardware calls work so good driver hackers write the software to efficiently managing that hardware for free on different operating systems?
The way hardware manufacturers reduce their own market by hidding something so innocuous as the system calls used to enable their devices is something that has bugged me for years!
Who? • January 5, 2016 1:04 PM
Obviously I am talking about the technical documentation that may be used to write drivers that enable hardware devices. I am not referring to documentation about how the hardware itself works. I understand the value of these business secrets as a mean to achieve competitive advantage, but the system calls that should use a driver should in no way be so secretively protected or available only after signing NDAs.
65535 • January 5, 2016 4:42 PM
@ Dirk Praet
“You can disable TPM as shown here for Windows 8.”
Now for Windows 10 …it is possible to some extent – with a painfully complex setup depending on your hardware and Windows 10 version [Home, Mobile, Mobile pro, Education, Pro, Enterprise, Enterprise LTSB and N NK and so on] to do so. Your mileage may fluctuate.
[Microsoft]
Minimum specifications to run Windows 10:
“BitLocker To Go requires a USB flash drive (Windows 10 Pro only).”
“BitLocker requires either Trusted Platform Module (TPM) 1.2, TPM 2.0 or a USB flash drive (Windows 10 Pro and Windows 10 Enterprise only).”
http://www.microsoft.com/en-us/windows/windows-10-specifications
[Windows blog on how to get bitlocker working on Pro and Enterprise versions without TPM and a correct bios or UEFT bios]
“Thank you for being a part of Windows 10 Technical Preview testing.
“You can use Bit locker in Windows 10 without TPM. I would suggest you to try the following steps.
“How to Configure Computer to Enable BitLocker without Compatible TPM:
“Administrators must follow the steps below to configure their Windows 8 computers to allow enabling Bit Locker Drive Encryption without compatible TPM:
“a. Log on to Windows 10 computer with the account that has administrative privileges.
“b. Assuming that the computer has been configured to display classic start menu, click Start and at the bottom of the menu in search box type GPEDIT.MSC command and press enter key.
“c. On the opened Local Group Policy Editor snap-in from the left pane expand Computer Configuration > Administrative Templates > Windows Components > Bit Locker Drive Encryption and from the expanded list click to select Operating System Devices.
“d. From the right pane double-click “Require additional authentication” at startup.
“e. On the opened box click to select Enabled radio button and ensure that under Options section Allow Bit Locker without a compatible TPM checkbox is checked.
“f. Once done, click Ok button to allow the changes to take effect and close Local Group Policy Editor snap-in.
“If anything in my post is unclear or you have further questions on Windows, do not hesitate to let us know. It is our pleasure to be of assistance.” –Vijay B
https://answers.microsoft.com/en-us/profile/0b75c145-a920-42e3-82d1-c53883802f90
And, if one is on a domain you can up load the keys to the Domain instead of a Microsoft Account [In theory, assuming the Domain Controller doesn’t send the keys off to the mother ship].
But, this is of little help to the Home user or average non-tech savvy Microsoft user!
Dirk Praet • January 5, 2016 7:40 PM
@ 65535
But, this is of little help to the Home user or average non-tech savvy Microsoft user!
Who probably hasn’t the foggiest idea what Bitlocker, TPM or telemetry services are anyway. Anyone falling into that class for all practical purposes has already been unwittingly assimilated into the Fenestric Matrix™ or MicroBorg™ Collective.
Sasparilla • January 5, 2016 9:06 PM
Nice article… Believe the key only gets uploaded if you use a Microsoft login on initial setup, which is quite difficult to get around in Windows 10 (this applies mostly to new machines). That said the issue is that the user is not notified & given a choice about this on initial setup (yes or no to encryption & yes or no to key uploading…apologists like to pretend PC’s are the same as smart phones, but most users expect much more control over a PC device).
Hat tip to Anon, remember Microsft was offering pre-encryption access to all its customers e-mail & Skype communications…they never said they stopped. Add in the new surveillance law tucked into the 2015 budget law that protects companies from sharing any data with the NSA & Microsofts increased data monitoring of Windows 10 back ported to 7 & 8 via patches & it looks like it was all planned out in a smokey back room in DC. I would assume that all encryption keys are immediately shared with the NSA for storage (& future reference) on any Win 10 or bit locker installs the moment they are uploaded to Microsoft…there is a reason we don’t have any stories of the NSA/CIA trying to compromise Microsft’s compilers or OS…because they are willing partners.
Do you want your OS from a willing partner of the NSA? (Saying that to myself as much as to anyone else…still running Windows…but the change is coming for me…don’t think I’ll ever make it to v10)
Clive Robinson • January 5, 2016 11:34 PM
@ Sasparilla,
With regards Micro$haft Win10, you will find –if you look back– I’ve already called it FBI director “Comey’s front door”, just for the “ET” keystroke logging.
65535 • January 6, 2016 2:20 AM
@ Windblows and Dirk
Good posts.
Here is my reply post. It is fairly long so it is in the Friday open thread.
https://www.schneier.com/blog/archives/2016/01/friday_squid_bl_508.html#c6714511
Fascist Nation • January 6, 2016 6:37 AM
Well, this is a better debate here than occurred on Windows Secrets forum about this article which fell between “old news,” “nothing much here” and “outrageous!”
http://windowssecrets.com/forums/showthread.php/173684-Microsoft-has-your-Windows-10-encryption-key
Dr. Frank N Stein • January 6, 2016 10:53 AM
Why is Microsoft monitoring how long you use Windows 10?
http://betanews.com/2016/01/04/why-is-microsoft-monitoring-how-long-you-use-windows-10/
This might seem like a slightly strange statistic for Microsoft to keep track of, but the company knows how long, collectively, Windows 10 has been running on computers around the world. To have reached this figure (11 billion hours in December, apparently) Microsoft must have been logging individuals’ usage times. Intrigued, we contacted Microsoft to find out what on earth is going on.
Microsoft’s response was mostly “no comments”.
JG4 • January 6, 2016 4:33 PM
Happy New Year
as always, appreciate the educational discussion
@Czerno
you can be sure that the spook rat bastards check in here to stay on top of recent developments
@Wm
Steve Wozniak decided to move to Australia precisely because he was taught that bad governments spy on their people, torture, assassinate and start wars.
Apple Co-Founder Steve Wozniak Discusses The Constitution, NSA Spying and Torture
http://libertyblitzkrieg.com/2013/06/18/apple-co-founder-steve-wozniak-discusses-the-constitution-nsa-spying-and-torture/
Michael Krieger | Posted Tuesday Jun 18, 2013 at 2:03 pm
When I was brought up we were taught that Communist Russia were the ones that were going to kill us, bomb our country and all this. That Communist Russia was so bad because they followed their people, they snooped on them, they arrested them, put them in secret prisons…they disappeared them. These sorts of things were part of Russia. We’re getting more and more like that.
– Steve Wozniak in the video below
Steve Wozniak is not only co-founder of Apple Computer, he is an extremely thoughtful person and patriot. In the video below, Steve was approached in an airport and he took the time to provide us with some thoughts about all of the disturbing authoritarian trends happening in these United States today. He covered a lot of key points in just a few minutes. Enjoy!
Woz habla sobre iOS 7 y el programa de vigilancia PRISM
https://www.youtube.com/watch?feature=player_embedded&v=xOWDwKLJAfo
ianf • January 6, 2016 5:30 PM
@ Who? – I need to get to the bottom of this, and this: You telling me that I’m dreaming without listing the applicable iOS threat vectors can after all be just a later, conjured up bit of the same dream ;-))
First things first: I ask you to elaborate on by you claimed specifically iOS vulnerabilities for rogue-actor/ ransomware attacks, and you respond with a bunch of general “Apple=bad security” platitudes, followed by a tweet listing patching chronology of desktop OSX, plus a talk and a video decrying lack of UEFI Secure Boot and TPM on Apple laptops. So where are the alleged holes in the iOS? Apparently they ARE the black holes, never to be seen.
I am aware of that both my cable-provider’s modem’s, and the wired Apple AirPort router’s firmware could be reflashed—but how would I know that/ what could I do about it? While your original “bundling” bad-OS-bad-bad-bad mentions the iOS, both your responses to me claim only that […] “iOS is far from being a secure operating system”, but supply no elucidation. All you talk of is the OSX—as were this the same thing, security- and otherwise. So how is that different from spreading iOS FUD and/or pathologizing theoretical threat vectors?
65535 • January 6, 2016 10:53 PM
@ Sasparilla
“Believe the key only gets uploaded if you use a Microsoft login on initial setup, which is quite difficult to get around in Windows 10…”
You are right.
Say, a Windows 10 machine is gifted to a spouse or child. That machine will most likely need a OneDrive account or Outlook account. The encryption key will be sent off to the mother ship in 98% of cases. All of the rest of your post is reasonable.
@ Dr. Frank N Stein
“Why is Microsoft monitoring how long you use Windows 10?”
Good question.
My guess is that the Microsoft EULA allows for your name address, Geo-location, IP, MAC, 1 pixel tracker, finger print, keystroke mapping, voice print, facial recognition, and content to be feed into the Microsoft Data Monster to be slice, diced, and correlated to the degree that Microsoft knows exactly how long you are using their software. Microsoft has you under a microscope so to speak.
@ Windblows
Both of your links were eye opening.
If a person a fails to “opt-out” of one or more data mining traps it appears the other Microsoft data mining traps will probably cascade and draw a very clear picture of said person and personal details. Microsoft’s level of data mining makes me want to vomit [but probably Google/Alphabet and Apple are equal nauseating].
@ Dirk Praet
“[Microsoft Users] Who probably hasn’t the foggiest idea what Bitlocker, TPM or telemetry services are anyway.”
That’s not the point.
At some level of user acceptance of intense surveillance by non-tech savvy users, the pool of these users will swell to an ocean and will cause Tech Savvy users to be data mined and correlated.
If you send a text, SMS, email, voice message, photo or video conferencing the Tech Savvy user will eventually be data mined by Microsoft’s Data Monster. Sooner or later you will send an electronic communication to your mother, grandmother, son/daughter, friend, or business contact who has allowed full data mining capabilities to run on there machine which will capture your Meta-data.
Your metadata will then be feed to Data Mining Monster and you will be tagged or correlated to any/all social networks or possible financial purchase from a large corporate data property [say Amazon or Apple]. You’re banking details and probably your credit report and will blow your OpSec. This will probably give away your name, location, and a variety of details unique to you and your devices.
That said, I don’t believe people should be complacent. The tech savvy people should fight back. They should help educated the non-tech savvy people and help them to avoid the Data mining monster.
Excuse the grammar errors and other errors. I banged this out.
65535 • January 6, 2016 11:30 PM
It happens. Here is a quick example of Granny “up-grading” to Windows 10:
[Arstechnica on Dell tech scam]
“…I literally just got back from my grandmother’s house who was scared she had been hacked with a similar story. She was upgrading from windows 7 to 10 and supposedly clicked on the help button (because she’s generally technologically illiterate), and was duped into calling a ‘dell’ help line. She gave them remote access to her computer…” -Mdewitt
Noname • January 9, 2016 10:47 PM
I never upgrade my PC to Win10; seriuosly, if they care about their privacy, they shouldn’t use Win10 in the first place.
Why they can’t move to Linux?
… anyway,
1. Don’t trust MS.
2. You can’t disable such feature because MS wants all your data like Google does.
3. Use other software to encrypt OS; for example, VeraCrypt.
PeteRepeat • January 10, 2016 10:07 PM
“…to the user’s One Drive account”
There’s a reason they call it “Microsoft Account” –
It’s because you don’t own it, they do !
Sick of You All • March 27, 2016 12:25 AM
Gotta love the hardcore paranoiacs. (I will refer to them as HPs in the remainder of my post.) Those of us using Win10 are only a smidge above terrorists on their scale of human estimation. As it is, apparently we’re slaves, and happy to be!
Oh yes, because these HPs are fully withdrawn from corporatism! They all live like the Unabomber, don’tchaknow! Yes, they somehow post on a web site even though they have forsaken technology.
And surely they are complete Luddites, right? Either that, or they’ve created their own OS from the bottom-up, and also handcrafted every bit of software running on it. Right? Or, they use nothing but 100% open source software, and they have personally reviewed every line of code, and they are competent to do that. Right?
Because if they haven’t done that, they are hypocrites.
Figureitout • March 27, 2016 12:46 AM
Sick of You All RE: hp’s
–No we aren’t withdrawn from corporatism, very dependent on it. We post w/ infected pc’s and routers like everyone else. We may not be focused on just the OS, but say the software jumping to and loading the OS; the hardcores among us the hardware design. We use closed source code sometimes (hence we can’t share what we work on sometimes b/c we need to eat). We have not personally reviewed every line of code, that is completely impossible. And we are not competent for the fantasy land what you describe.
So no we aren’t hypocrites, mostly idealists. So take your false mischaracterisations and shove ’em you know where.
Clive Robinson • March 27, 2016 3:48 AM
@ Sick…,
And surely they are complete Luddites, right? Either that, or they’ve created their own OS from the bottom-up, and also handcrafted every bit of software running on it. Right?
Like most older “embedded system” designers I’ve done it all from scratch, including building my own tool chains at times.
As it happens I did work on the first MicroSoft products for both Apple and IBM hardware, in the latter case building a fair bit software using the “debug” program.
More recently I’ve designd and built embedded security systems such as data diodes / slucies / pumps for serial comms using as older least capacity microcontroler parts as I can.
You appear to be under the mistaken view that OSs and the Apps for them require vast quantities of code to be of use? I can assure you they do not.
One of the reasons why malware originated in vast quantities from places like Russia was that they had to build nearly everything from scratch using computers and software tools that were several generations behind those in the much more affluent west. This taught them a lot that the “code cutters” in the west did not get to learn or in quite a few cases did not bother to even think about. Which might be one reason we have so much bug riddled code being attacked…
As for using FOSS many embedded systems design engineers use it, many of whom use the BSD licenced code, which by the way is the same code Microsoft used in it’s OSs for many years. Have a look under the hood of Apple’s OSs and see where they originated from, you might learn something about the way the software world worked at one point in time. After all a little learning usually does “no harm” unless it changes your POV away from the race to the bottom “free market” “hamster wheel of pain” many code cutters have got caught in to put food on the table and a roof over their heads.
Beito • March 27, 2016 10:20 AM
@Sick of you all
Do you have to be a chef in order to find out that shitty meals taste, well, shitty?
Amber Khan • June 5, 2016 7:59 AM
I’ve installed windows 8.1 on my laptop after buying license from ODosta Store, I want to activate it to get free upgrade from windows 7 professional to windows 10 home.
I’m now confused, How to activate and upgrade to windows 10.
Please mention within details.
Mathias Hollstein • July 19, 2016 5:50 PM
That does not seem to be the only problem with telemetry, but maybe they are related in some way.
As reported by German publisher Mr. Schiefer, Microsoft ported back some functionality of its new Windows 10 operating system into its predecessors. Unfortunately neither does that software act in the users best interest, nor are Microsoft customers being informed about the consequences in advance.
Several CERT units worldwide therefore recommend users of Microsoft Windows to run CI (counterintelligence), by removing four updates critical to privacy protection manually. Those are named kb3022345, kb3068708, kb3075249 and kb3080149. The on-board Windows facilities should be employed to correctly locate and purge the software packages from given installations.
The updates mentioned contain software with regards to Microsoft’s customer experience program and Windows’ system telemetry implementation. After installation Microsoft is enabled to completely explore the computer system and therefore gather deep insights into private user data, also including documents and e-mails.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
John Macdonald • January 4, 2016 1:35 PM
Reading the article, you will find that you cannot disable the feature. The key is always sent to Microsoft when encryption is turned on. What you can do is to go to you Microsoft account page and ask them to delete their copy of the key. You still have to hope that no copy has been made in the meantime, and that they actually do delete all of their copies of the key. So, you can close the barn door that they insist be initially left open – hoping that the horse is still in the barn when you lock the door. Unfortunately, this horse is invisible – it’s hard to see whether someone has copied your key during the interval, either in transit or from Microsoft’s servers.