Microsoft Has Your Encryption Key If You Use Windows 10

An anonymous reader writes with this bit of news from the Intercept. If you login to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to a Microsoft servers. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud.....As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel them to hand over your recovery key, which they could do even if the first thing you do after setting up your computer is delete it. As Matthew Green, professor of cryptography at Johns Hopkins University puts it, 'Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.'"

Can a corporate security officer comment

[RichMan]

I would like to know the opinion of large public corporations security officer on this feature of windows.

Re:Can a corporate security officer comment

CISO here, we haven't made the jump to 10 yet (85% of our workforce is on 7 with some 8.1 here and there), things like this are kinda non starters for us for any employee who even remotely has a chance at accessing PII or confidential information. It's not that I think Microsoft would act maliciously, but it would violate a ton of compliance documentation that we have, requiring re-audits of our policies and procedures. Hopefully this is one of those features Microsoft will allow you to turn off in the Enterprise SKU. We're honestly watching Windows 10 very closely, it has a lot of really nice improvements on the security front. But things like this, and the giant sweeping updates like the November update, make it very hard. Microsoft is trying to move closer to the Apple model, but the Apple model is a big departure for anyone who knows the pains of PCI, HIPAA, or SOC2 compliance.

Re:Can a corporate security officer comment

[ray-auch]

Good summary - unfortunately I don't have mod points today

I would add that the likely reason we can't get clear info from MS about Azure AD is that Azure is international and located in multiple regions / jurisdictions and I think the court cases are still ongoing about whether or not the US can short-circuit international treaties and local laws elsewhere and force MS to hand over data located in other jurisdictions. So, MS basically don't know.

It's safest to assume that govts are always likely to be able to get hold of keys whether stored on your own recovery server or with MS, and the likelihood rises with size of govt concerned...

A bit of a pain in arse

[MarkH]

But you can setup a windows 10 machine with all local accounts and all updates, traffic disabled.

Good guide here http://www.rockpapershotgun.com/2015/07/30/windows-10-privacy-settings/

Looking at wireshark it does seem to work

End-to-end encryption and "normal" users

[GuB-42]

If encryption is turned on by default for normal users, there must be a way for the provider to recover the data.
People lose their passwords all the time, and don't want to lose all their data if that happens. For these people, disk encryption is just a way to prevent regular laptop thieves from accessing their data, not to protect them from the NSA and criminals who can hack Microsoft. They don't want end-to-end encryption.
If you need high level security even against Microsoft, then don't use your MS account, or better yet, don't use Windows.

Don't cherry pick

[s.petry]

While the main point of the article is about a Windows account there is an underlying discussion on overall privacy using Microsoft Windows. This is just the latest article discussing privacy and security concerns. Sure, "some" businesses are always years behind in releasing a new OS. Others are not so far behind, and are very concerned about security so not approving Win10.

For example, as soon as the OS was released we see how the OS will send your keystrokes to Microsoft. Not just what you type into Cortana, IE, or Edge but ALL keystrokes are recorded by the OS. You can disable sending the data to Microsoft, but we have yet to find a way of disabling the keylogger built in to the Kernel. (recorded does not necessarily mean stored long term, but long enough to evaluate in memory.)

Due to that lack of trust, I may have installed Win10 but never created a MS or Azure account. Anything I do on the device is treated as public knowledge because the OS is built to remove privacy from end users. I won't use online banking on the PC with Win10, and logging in to anything is assessed under the assumption that someone from MS and the Government will have full access to the account. When I'm working on sensitive stuff I use Linux.