Slashdot Mirror
Microsoft Retracts Private Folder Option
An anonymous reader writes "Just recently, an update to Windows added the option to password-encrypt a personal folder. The intent was to allow users who share PCs to have a measure of privacy, but C|Net reports the company is now removing that functionality with a patch. IT managers hit the roof when the option was added, complaining of the possibility of lost passwords and inaccessible data." From the article: "'Oh great, have they even thought about the impact this could have on enterprises. I'm already trying to frantically find information on this product so that A) I can block to all our desktops and B) figure out how we then support it when users inevitably lose files. I can see the benefit in this product for home users, but it's a bit of a sloppy release by Microsoft,' Stuart Graham said in a posting on Windows Server-related site MSBlog."
If it actually worked as advertised, that'd be something I'd want to use. The correct answer for companies is to 1) forbid its use (just like you wouldn't let employees PGP-encrypt their work), and 2) find out how to disable it in Active Directory. Don't just dike out the functionality, though!
Dewey, what part of this looks like authorities should be involved?
TrueCrypt is your friend. It's open source, it mounts as a drive and you can even have hidden volumes (so you can deny having stored porn when your gf tells you to show her). It's great.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Do not ever say "lol" on slashdot again, do you understand me? Never. This is my sanctuary from the rest of the internet. If you ruin it I will hunt you down. Same goes for not capitalizing, needlessly doubling question marks, and smileys, to a lesser extent. This is not AIM.
By the way, the folders are fucking ENCRYPTED. You can't decrypt data by saying "THIS IS YOUR ADMINISTRATOR, OPEN UP!"
ResidntGeek
Windows Private Folders was released with the best of intent, but I can see 3-4 things that would have made it not so controversial.
First, document how it stores/encrypts files. Does it sit on a front-end of an archiver or is it a pass-through encryption similar to what CFS does? What encryption algorithms does it use? WPF needs a lot more documentation.
Second, release a group policy add-on that domain admins can use to restrict or block its use. MS should have released a domain policy add-on a couple weeks before the utility is available, so companies can push out a policy denying use of this utility on their network, or specifying a "master" password using a password or an EFS key for recovery reasons. This utility is good, but on computers owned by a business, this utility can create major liability and regulation issues.
Third, it needs to be written with security in mind. How is the password stored? Is the password hashed, or is the password stored by decrypting part of the file similar to what TrueCrypt does so a hash algorithm failure doesn't compromise security? What mode (ECB, CBC) is the encryption running in? Is the decrypted password stored in secure memory, or can it be swapped to disk?
Windows Private Folders isn't a bad utility, and I wish MS would release a version 2.0 of it that addresses concerns of business domains and some more documentation on how it works -- it is made for an easy to use place for home users to stick files in they don't want others to read. WPF just needed a little more planning behind its release.
You must have pretty low standards if you think of Slashdot as a refuge from idiocy.
That's exactly what I have. I just graduated from a Catholic school, in Florida. You can guess how much faith I have in other people.
ResidntGeek
> You wouldn't complain to the shredder company because the shredder doesn't
> have an undo button.
I wouldn't, but my users probably would.