Slashdot Mirror
Microsoft Retracts Private Folder Option
An anonymous reader writes "Just recently, an update to Windows added the option to password-encrypt a personal folder. The intent was to allow users who share PCs to have a measure of privacy, but C|Net reports the company is now removing that functionality with a patch. IT managers hit the roof when the option was added, complaining of the possibility of lost passwords and inaccessible data." From the article: "'Oh great, have they even thought about the impact this could have on enterprises. I'm already trying to frantically find information on this product so that A) I can block to all our desktops and B) figure out how we then support it when users inevitably lose files. I can see the benefit in this product for home users, but it's a bit of a sloppy release by Microsoft,' Stuart Graham said in a posting on Windows Server-related site MSBlog."
If it actually worked as advertised, that'd be something I'd want to use. The correct answer for companies is to 1) forbid its use (just like you wouldn't let employees PGP-encrypt their work), and 2) find out how to disable it in Active Directory. Don't just dike out the functionality, though!
Dewey, what part of this looks like authorities should be involved?
I always find it amusing when you have IT people developing features for Windows that really don't understand IT in the real world. Then they release something and are shocked when IT managers are furious over it. One would think MS would have a real good understanding of the IT environment and what is and is not a good idea. Good stuff :)
http://religiousfreaks.com/Couldn't they have just put a warning message/dislaimer in?
This sort of kneejerk reaction, removing a useful feature, is excedingly irritating. It's not users aren't aware of the fact that if you password something, you'll then need to REMEMBER the password...
I'm really starting to wonder if windows administrators should be working at my local burger king instead of with computers. It seems an awful lot of MS policy is dictated by these neanderthols. Hey - nice encryption feature added, and admins freak because they don't know how to block it. Sounds like the administrator's fault - they can't keep their users from installing unauthorized software? Encrypted folders should be the LEAST of their worries.
It reminds me of the idiotic microsoft security fix cycle. Every user in the world has to wait for MS patch day because some whiney admins wanted to be able to schedule their vacation time. Hey jackasses - if you don't want to update on a given day, don't update on that day. Why should the rest of us be waiting for a fix to fit someone else's schedule?
I tried this out on my personal computer and the most annoying thing about it is that you have to store it on the desktop.
There are far better third party folder encrypters out there than MPF.
Windows Private Folders was released with the best of intent, but I can see 3-4 things that would have made it not so controversial.
First, document how it stores/encrypts files. Does it sit on a front-end of an archiver or is it a pass-through encryption similar to what CFS does? What encryption algorithms does it use? WPF needs a lot more documentation.
Second, release a group policy add-on that domain admins can use to restrict or block its use. MS should have released a domain policy add-on a couple weeks before the utility is available, so companies can push out a policy denying use of this utility on their network, or specifying a "master" password using a password or an EFS key for recovery reasons. This utility is good, but on computers owned by a business, this utility can create major liability and regulation issues.
Third, it needs to be written with security in mind. How is the password stored? Is the password hashed, or is the password stored by decrypting part of the file similar to what TrueCrypt does so a hash algorithm failure doesn't compromise security? What mode (ECB, CBC) is the encryption running in? Is the decrypted password stored in secure memory, or can it be swapped to disk?
Windows Private Folders isn't a bad utility, and I wish MS would release a version 2.0 of it that addresses concerns of business domains and some more documentation on how it works -- it is made for an easy to use place for home users to stick files in they don't want others to read. WPF just needed a little more planning behind its release.
It's a shame that Microsoft caved in to the whining of the IT control freaks. There are legitimate reasons to encrypt sensitive information, even in the corporate setting. If you think that the possession of the Administrator password means that you should have unfettered access to every scrap of data on the network, you need to see a psychiatrist about your delusions.
Mea navis aericumbens anguillis abundat
Sometimes its about obsessive-compulsive lockdown freaks, but unfortunately in a number of businesses, IT *has* to be control freaks so the business doesn't get fined out of existance and people put in prison. Banks, hospitals, and other industries have to be very careful not to run afoul of HIPAA, Sox or other laws, unless they want the SEC to start coming in with a motion of discovery in hand to start auditing, and hit the company with very high fines should even a single financial E-mail have been deleted instead of being archived for seven years. No company wants the SEC or some audit board to start going through every file, folder, or hard disk, so its pretty normal for an IT group to be heavy-handed.
I might be no expert in this area, but ... let's see...
... how?
1. Patch for data encryption feature.
2. User using data encryption.
3. Patch for removial of data encryption.
4. User accessing his encrypted data
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
But why are enterprise end users installing software? Dont blame Microsoft for your problems.
Why are you frantically trying to block something you dont know about - why dont you solve that problem by only allowing the software that has been approved? Why are there people that still dont understand that if a user can install appX, they can install virusX too? I mean really, you do understand this right?
This was a home user product. IT wasnt intended for businesses.
Instead of pitching a fit about new Microsoft software, why don't "I.T. Managers" do their jobs and manage the damn I.T.? Really. There are complex problems in I.T. for large businesses, but this is absolutely not one of them. Microsoft has given them the ability to manage software isntallations for years now. It's very simple, really. Users who cannot be trusted to install software like "Private Folder" without exposing the enterprise to increased risk of data loss should not have permission to install software. Full stop.
Is it really easier to shout at Microsoft than restrict users? Because shouting at Microsoft won't prevent users from using the dozens of equivalent apps available for download from other companies unless you also restrict users appropriately.
.sig: file not found
Not that I agree with incopetent IT managers who can't figure out how to lock certain options in a system dictating software policy for Microsoft but while individuals may have a right to privacy and to keep things to themselves, they certainly don't have a right to store it on MY system. The problem is, too many people assume that because they use something it is now theirs to do with as they please and that's not the case. The computer belongs to the company, if they let you do non work related things on that computer that's their perogative but you have no right to use that computer for any purpose other than those the company allows you to do. Now by the same token I believe that if a company is going to require that I use my personal equipment for a job, that I have the same rights and control over that equipment as they have over theirs which means if I want to store that information triple encrypted that's my perogative because it's my machine. But unless it's a personal machine, you have no rights to do anything on it.
T Money
World Domination with a plastic spoon since 1984
Unless all decryption keys are registered on the domain controller.
I agree, but at the same time, turing this feature off is equally as logical as removing the delete key from the system.
You already have a level of trust with your users. Why doesn't that trust extend to a new techology with the same level of associated potential concequences (data loss)?
The only possible answers to that question are that you don't really trust your users at all (in which case you're a moron for giving them any access before giving them training), or that you don't understand the new technology. Which is it?
MS seems to have forgotten who their real customer is.
Dell, the RIAA and the DVD Forum.
KFG
I always find it amusing when you have IT people developing features for Windows that really don't understand IT in the real world. Then they release something and are shocked when IT managers are furious over it. One would think MS would have a real good understanding of the IT environment and what is and is not a good idea.
Many IT administrators are barely-in-the-closet fascists. They enjoy making sure that their user bases have no privacy, cannot use their organizations phones or computers for anything that isn't "strictly business", are constantly under surveillance at the workplace, etc. These admins are usually on power trips -- they are usually hated by the users of the systems they (supposedly) support and those users often take pleasure in working against them in subtle (or at least anonymous) ways. These "Users versus IT Gestapo" situations are often entertaining to observe, as long as one isn't part of the problem.
At the other extreme are the system and network administrators who allow (even encourage) users to do (or install) whatever they damn well please on their workstations (unless the action is obviously malicious or illegal). These admins must be masochistic -- the more computer illiterate the user base, the more likely it will figure out ways to create problems which require a week's worth of IT's time to correct, on a daily or even hourly basis. These nearly anarchistic computing environments are a lot of fun while they last -- which is rarely for longer than it takes for an oh-so-clever user to crash a server, delete someone else's files, sell organizational secrets, buy a drop-in pr0n site package and run it on the facilities at the workplace, make (what she thinks are) anonymous death threats, etc.
Somewhere in the middle are the administrators who can usually leave their work at the office at the end of the day but who don't mind if users want to access and maybe save personal email messages or other files from work (where the spiffy color laser printer sometimes gets used to print pictures of a worker's newborn baby or a photo that an employee wants to hand in his cube), and realize that most sane people don't truly compartmentalize their work and personal lives; that overlap is normal and natural, usually inevitable, and often beneficial -- that most folks want/expect some personal privacy in the workplace and to be cut a little slack when using office resources for personal reasons.
As someone who has tried to fall into that third, loosely defined group of IT administrators/managers when I've held such positions, I find it to be worth the effort to do the balancing/juggling act. Then again, I'm a practical libertarian and not a compulsively anal authoritarian by nature.
"You're young, you're drunk, you're in bed, you have knives; shit happens." -- Angelina Jolie
so you can deny having stored porn when your gf tells you to show her
/. about gfs and wives, and enough is enough.
You know, I see this a lot on
I don't know if you people have no gfs or wives, or if you live in the US, or what. If you can't tell your gf/wife what porn you like you have a bigger problem than how to encrypt it. How the fuck do you think you can have a satisfying relationship if you can't reveal intimate desires?
Get out into the real world or, respectively, move to a place where the christian idiots didn't brainwash everyone, where females are into porn and all kinds of other fun things.
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
Nice quote from Stuart Graham there, complaining about all the extra work he now (alledgedly) has.
I replied to him on that site. If he's not running a decent group policy to stop non-admin users from installing any old crap on their machines, he deserves all the extra work he gets. If he's any kind of enterprise sysadmin, he wouldn't even bat an eyelid at this piece of software.
Microsoft forgot that other companies treat there users like dumb shits and don't want to face up to the facts.
People, stop being fucking elite about the computers. I have worked with people who are scared to do anything with the computers becasuse of IT's attitude.
Here is a clur, tell the people if they use it and loose the password the data is gone. Most people will get that. If they don't and they loose valuable data too bad. They'll catch on, or they will be shown the door.
The Kruger Dunning explains most post on
If you have an Empornium account, this this is it.