Microsoft Has Your Encryption Key If You Use Windows 10 (theintercept.com)
An anonymous reader writes with this bit of news from the Intercept. If you log in to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to a Microsoft server. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud. ... As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel them to hand over your recovery key, which they could do even if the first thing you do after setting up your computer is delete it. As Matthew Green, professor of cryptography at Johns Hopkins University puts it, 'Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.'"
I would like to know the opinion of a large public corporation's security officer on this feature of Windows.
How about you don't log in with a Microsoft account? That'll show them!
So one important thing to remember is that these keys don't give anyone a login or remote access to your box whatsoever. Instead, Windows 10 now turns on disk encryption by default. That's a good thing, but of only limited value since disk encryption really only helps if the disk is physically stolen from you.
So what we have here is a copy of the key that allows recovery of an encrypted disk being stored in the cloud unless you delete it. Not the greatest thing ever but it doesn't panic me all that much when the same people who scream about not upgrading to Windows 10 because OMG NSA are also running old systems without any disk encryption whatsoever.
To put it another way: The vast VAST majority of Linux systems in operation that don't use full disk encryption are actually LESS secure than this setup simply because there's no need to get your hands on a recovery key to decrypt anything. Yes, I'm well aware that Linux systems with full-disk encryption exist. So what, they did (and still do) on Windows too.
AntiFA: An abbreviation for Anti First Amendment.
Good to remember, that Congress just passed new (clearing companies to share any data with the NSA directly without liability) surveillance legislation tucked into the 2015 budget bill:
http://arstechnica.com/tech-po...
The way this (and the data uploading with Windows 10) dovetails with the budget spy bill just passed you'd think it was hatched out in a back room - in D.C. Obviously don't use Windows 10 if possible (you can still get 7 or 8.1 on most systems) and don't use Microsoft's built-in encryption option (which Microsoft kneecapped starting with Windows Version 8 by removing the elephant diffuser, making it more vulnerable to brute force attacks); there are other options for Windows encryption.
But you can set up a Windows 10 machine with all local accounts and all updates, traffic disabled.
Good guide here http://www.rockpapershotgun.com/2015/07/30/windows-10-privacy-settings/
Looking at Wireshark it does seem to work.
"I am not a number. I am a free man."
Well, I was a free man until I logged in with my Microsoft account on my Windows 10 PC.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Here are a few ways NSA is intercepting it.
1. All data over the internet is being saved, so they nab the key as it's being uploaded, plus any other data communicated with Microsoft transparently as you use the net. If they want to gain legal authority to use the snoop'd data, they go for a warrant and get it 'lawfully' from Microsoft, parallel constructing how their case was built. Even if Microsoft encrypts the signal communications between their server and the end-user, the data is nabbed, and most definitely all of the encryption codes for end-user and Microsoft server software is de-decryptable by NSA because NSA has all of Microsoft's encryption certificates and has broken most encryption.
2. Alt method is Microsoft just gives them all the encryption certificates secretly even without a warrant.
This has been explained before. Check out the Whistleblowers Websites on the issue.
williambinney.com thomasdrake.xyz russelltice.com drrobertduncan.com
If encryption is turned on by default for normal users, there must be a way for the provider to recover the data.
People lose their passwords all the time, and don't want to lose all their data if that happens. For these people, disk encryption is just a way to prevent regular laptop thieves from accessing their data, not to protect them from the NSA and criminals who can hack Microsoft. They don't want end-to-end encryption.
If you need high level security even against Microsoft, then don't use your MS account, or better yet, don't use Windows.
It means MS has a copy of the keys to your BitLocker encrypted data. And by inference anyone with access to MS, hackers, government, disgruntled employees... any could log into your computer and use the keys to unlock what you thought was encrypted and safe.
Silence is a state of mime.
While the main point of the article is about a Windows account there is an underlying discussion on overall privacy using Microsoft Windows. This is just the latest article discussing privacy and security concerns. Sure, "some" businesses are always years behind in releasing a new OS. Others are not so far behind, and are very concerned about security so not approving Win10.
For example, as soon as the OS was released we see how the OS will send your keystrokes to Microsoft. Not just what you type into Cortana, IE, or Edge but ALL keystrokes are recorded by the OS. You can disable sending the data to Microsoft, but we have yet to find a way of disabling the keylogger built in to the Kernel. (recorded does not necessarily mean stored long term, but long enough to evaluate in memory.)
Due to that lack of trust, I may have installed Win10 but never created a MS or Azure account. Anything I do on the device is treated as public knowledge because the OS is built to remove privacy from end users. I won't use online banking on the PC with Win10, and logging in to anything is assessed under the assumption that someone from MS and the Government will have full access to the account. When I'm working on sensitive stuff I use Linux.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Yours :P
Thank you Dave Raggett
Should be noted, TrueCrypt 7.1a (last full version) works fine with Windows 10 if you're really concerned about someone thieving your data. I highly doubt the OS has your TrueCrypt keys if you use this solution, Microsoft account or not.
It says "all your base are belong to us".
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
This.
If Microsoft was forcing full-disk encryption on Windows 10 Home users (and I'm not convinced that they are), then it's still better than the alternative of having no encryption, right? Someone might argue that it's a "false sense of security" since you really don't know where the recovery keys could have gone, but I seriously doubt that most of these users would even know that they had encryption on anyway, so it can't be a false sense of security if you never knew you had the security in the first place.
And I'm not convinced this is even that widespread. I've installed Win 10 Pro on several machines with the TPM chip enabled from a previous install, and none of them automatically encrypted. In each case, I had to manually turn on Bitlocker. I can't speak for Home installs, but having this "poor man's Bitlocker" seems an upgrade over the "no encryption at all" (or third-party) in 8.1 Home and before. And seriously, how many Home users have actually configured their TPM in the first place?
Speaking as the "family tech support" guy, I'm happy that Microsoft went this route (again, if they did). It ensures that recovery is possible in case of the need to switch the drive to a new machine, without making me have to explain to each of my family members what to do during each install. And really, my advice for these users would be to let Microsoft manage it anyway. I wouldn't trust that they would print out a recovery key and put it in their safe (don't forget labeling it properly to make sure they knew which computer/drive it went with), purchase some storage media (e.g. flash drive) to keep in the safe, or safely store it in some other way. For these HOME users, having the recovery key in their MS account is "good enough", especially when they probably wouldn't have encryption otherwise.
Side note: The fact that there are around 100 replies after the nonsensical question "Can a corporate security officer comment?" goes to show why Slashdot should put back in the "most recent posts first" sort order and have it as the default. This just isn't an issue for corporate use, since they are going to manage Bitlocker recovery keys themselves in AD. And yet then you get a dozen nonsensical replies that, "This is why no company would consider Windows 10."
Why center the discussion around the person who put all of 10 seconds of thought into their "First post" when the better thought out posts will be further down?
Does MS having a copy of a Windows 10 Pro BitLocker key for a PC in a small medical office violate HIPAA or is the issue moot?
Bitlocker lets you have the option to save your "recovery key" to USB, or to print it. In both cases, you can destroy the key effectively (note that you'll have to take care to ensure that the USB device is physically destroyed or secured in a manner secure against attackers you are concerned about, and that your printer doesn't keep a recoverable copy somewhere).
So Bitlocker is (in theory) safe and secure. Personally, I wouldn't trust this- it's proprietary, it's Microsoft, and there's every motivation to either make the key recoverable or disclose it for uses Microsoft deems useful (for instance, a future tyrannical government might be able to threaten them in such a way as to produce the keys). But by their claims, it should be.
The article distinguishes this from "device encryption", a gimped form of Bitlocker present in the "Home" edition that they give for free (or cheap or whatever- once I did even the first amount of research into Windows 10 I decided to avoid it entirely). If you pay for Professional, you get access to "Bitlocker", which has configuration options, including the print-out and USB options, which can result in NO recovery key- the generally desired state from a security perspective.
The headline of the article truthfully states that Microsoft "probably" has your recovery key, and the Slashdot headline leaves that out totally. Both leave out the important fact that you have to be using the "device encryption" version of Bitlocker in the shit-tier version of Windows 10.
There are other posts talking about the keylogger, or kernel keylogging. I'm not sure the fact that the kernel keeps your keystrokes for a while is inherently vulnerable, but it is suspicious.
In any event, the fact that you must be an expert user to get anything that MIGHT be security out of Windows 10 is absolutely disgusting. The Home version will be the most common by far, and the average user will not be aware of the default settings where keys are sent (along with a ton of other things) upstream, nor will he be aware of the fact that his supposed device encryption is recoverable by any hacker or bad actor in the future. The level of drama required to do anything in Windows 10 is massive. It's a real nightmare.
Anyone notice how oddly hard it is to set up anything but straight AES in almost all places? There's a shocking lack of user exposed options even in Linux (and Linux can be configured to extremely high levels of redundancy or security). Name a distro that lets you full disk encrypt with AES-Twofish-Serpent from a GUI, for instance (again, you can absolutely configure this, but it seems hard to get anything but straight AES). I know AES is trusted, but I'd trust it more if there were more ways to opt out of it and use either another block cipher, or it WITH another block cipher.
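For the recovery-key options discussed in the comments above, the following read-only PowerShell audit is an added example, not part of any comment or of the linked article. It lists each volume's BitLocker key protectors and flags volumes that carry a numerical recovery password, the item that can be printed, saved or uploaded; the function name and the wording of the findings are assumptions, and it must run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of BitLocker key protectors per volume.
# Uses only the built-in BitLocker module (Get-BitLockerVolume); changes nothing.

function Get-RecoveryProtectorReport {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Optional drive letters such as 'C:'; default is every volume.
        [string[]]$MountPoint
    )

    $volumes = if ($MountPoint) {
        Get-BitLockerVolume -MountPoint $MountPoint
    } else {
        Get-BitLockerVolume
    }

    foreach ($vol in $volumes) {
        # Drop nulls so an unencrypted volume yields an empty array.
        $protectors = @($vol.KeyProtector | Where-Object { $_ })
        $recovery   = @($protectors |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        # Finding text is this example's own wording, not BitLocker output.
        $finding = if ($protectors.Count -eq 0) {
            'No key protectors: volume is not protected'
        } elseif ($recovery.Count -gt 0) {
            'Recovery password exists: confirm where each listed ID is stored'
        } else {
            'No recovery password protector on this volume'
        }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            EncryptionMethod    = $vol.EncryptionMethod
            ProtectorTypes      = ($protectors.KeyProtectorType -join ', ')
            RecoveryPasswordIds = ($recovery.KeyProtectorId -join ', ')
            Finding             = $finding
        }
    }
}

# Report on every volume; only protector IDs are shown, never the passwords.
Get-RecoveryProtectorReport | Format-List
```

The report cannot tell whether a recovery password was uploaded anywhere; it only shows that one exists and gives the protector ID to match against wherever copies are kept.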