Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Has Your Encryption Key If You Use Windows 10 (theintercept.com)

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes with this bit of news from the Intercept. If you login to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to a Microsoft servers. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud.....As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel them to hand over your recovery key, which they could do even if the first thing you do after setting up your computer is delete it. As Matthew Green, professor of cryptography at Johns Hopkins University puts it, 'Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.'"

3 of 314 comments (clear)

  1. Re:Can a corporate security officer comment by Anonymous Coward · · Score: 1, Funny

    You're posting anonymously because you're a liar trying to make a point, without losing precious karma off his main account in the process.

    So it's this version of Windows that your non-existent companies finally decided they weren't going to "consider for corporate deployment," eh? What _are_ they deploying corporately, then, seeing as how we're speaking off the record and all? If they're not going with the industry standard, what are they going with? Surely such insider knowledge would be of immense use to everyone trying to secure their systems, not just a karma whore like you.

  2. Re:Hmmmm by Anonymous Coward · · Score: 5, Funny

    When is this capability going to be added to systemd?

  3. Re:Don't cherry pick by johnw · · Score: 3, Funny

    That's not a low ID.