Slashdot Mirror


Microsoft Has Your Encryption Key If You Use Windows 10 (theintercept.com)

An anonymous reader writes with this bit of news from the Intercept. If you log in to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to Microsoft's servers. From the article: "The fact that new Windows devices require users to back up their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud. ... As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel them to hand over your recovery key, which they could do even if the first thing you do after setting up your computer is delete it. As Matthew Green, professor of cryptography at Johns Hopkins University puts it, 'Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.'"


  1. Can a corporate security officer comment by RichMan · · Score: 5, Interesting

    I would like to know the opinion of a large public corporation's security officer on this feature of Windows.

    1. Re:Can a corporate security officer comment by Anonymous Coward · · Score: 5, Interesting

      CISO here. We haven't made the jump to 10 yet (85% of our workforce is on 7 with some 8.1 here and there); things like this are kinda non-starters for us for any employee who even remotely has a chance at accessing PII or confidential information. It's not that I think Microsoft would act maliciously, but it would violate a ton of compliance documentation that we have, requiring re-audits of our policies and procedures. Hopefully this is one of those features Microsoft will allow you to turn off in the Enterprise SKU. We're honestly watching Windows 10 very closely; it has a lot of really nice improvements on the security front. But things like this, and the giant sweeping updates like the November update, make it very hard. Microsoft is trying to move closer to the Apple model, but the Apple model is a big departure for anyone who knows the pains of PCI, HIPAA, or SOC2 compliance.

    2. Re:Can a corporate security officer comment by JeffSh · · Score: 5, Insightful

      That is a totally out-of-context comment from an anonymous poster.

      Large corporate entities will not deploy Windows 10 for years anyway due to incompatible or uncertified line-of-business software platforms. It has nothing to do with this particular feature.

      Moreover, this has to do with logging into your microsoft.com account, nothing to do with Windows 10 Pro joined to a domain.

    3. Re:Can a corporate security officer comment by Anonymous+Brave+Guy · · Score: 5, Insightful

      It's certainly possible that you're right, but equally if the GP poster really does have insider knowledge and really does want to speak without betraying a confidence then surely they really would post anonymously.

      In any case, I can tell you the answer to your follow-up questions for at least some small to medium-sized companies I work with: Windows 10's biggest competition is probably Windows 7, which is what the majority of these organisations are already running as their standard desktop.

      The difficulty Microsoft has with these customers is that Windows 10 doesn't have a lot of big selling points. I watched and listened to some of the early promotional material, and the loudest message I heard was "it's not Windows 8". Obviously to business customers who standardised on Windows 7 anyway, that's not exactly a good reason to undertake an inevitably expensive and disruptive migration to a new OS.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.

    4. Re:Can a corporate security officer comment by reggie6311 · · Score: 5, Informative

      I find this to be rather difficult to properly converse about. While I'm not a CISO per se, I consult many CISOs regularly and this is one of the topics that has come up recently and has opened up a lot of interesting discussions.

      To clear the air, Windows 10 Enterprise (and Windows 10 Professional) do not give you the ability to store BitLocker keys with Microsoft when joined to Active Directory, nor do they automatically upload the keys. When joined to Active Directory, you have 3 options for key backup: printing a copy, saving it to a file, or saving it to a USB key. Behind the scenes (not visible to the end user), there is a 4th option in which you can require that the joined computer store a backup copy of the key on the computer object within Active Directory. This must be configured in AD and deployed as a GPO to the computers, otherwise this backup option will not take place. The option to back up to a MS account is not available, even if you add a MS account to the workstation.

      Now, to be transparent, none of the large (Fortune 500 or bigger) companies that I consult are using BitLocker (rather, they are using various third-party drive encryption systems). Now, that isn't to say that there aren't any, just not the ones that I consult. However, several of my medium enterprise clients are. All of the discussions have been centered around where to store recovery keys for the purpose of the business being able to decrypt a system if needed by an authorized administrator.

      This has caused a lot of issues because, for my clients that are using BitLocker, a few of them have considered moving to Azure AD (Active Directory run by Microsoft in the cloud). My concerns about this have been that if you are using AD as a recovery for BitLocker and you move AD to the cloud, this effectively does exactly what a MS account does to the home computer... puts the encryption keys in the hands of Microsoft.

      Now, not all of my medium enterprise clients are considering this, but of the few that are, we haven't been able to get clear information from MS on who all would have access to Azure AD and what their policies are.
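
The recovery options described in the comment above can be inspected on a given machine. The following PowerShell is an added example, not part of the original thread and not Microsoft's code: the function name `Get-RecoveryEscrowReport` is hypothetical, and it assumes an elevated session, the BitLocker module, and the operating-system-drive recovery policy values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`. It reports local state only.

```powershell
# Added example (not from the thread): report the BitLocker recovery
# protectors on a volume and whether Group Policy asks for AD backup.
# Run from an elevated PowerShell session.

# Assumption: policy values for OS-drive recovery are stored under this key.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RecoveryEscrowReport {   # hypothetical helper name
    param([string]$MountPoint = $env:SystemDrive)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint

    # Recovery passwords are the 48-digit keys that end up printed,
    # saved to a file or USB key, or backed up to a directory.
    $recovery = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # The key is absent when no BitLocker GPO has been applied;
    # missing values then read as $null and report as $false.
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MountPoint          = $volume.MountPoint
        ProtectionStatus    = $volume.ProtectionStatus
        ProtectorTypes      = $volume.KeyProtector.KeyProtectorType -join ', '
        RecoveryPasswordIds = $recovery.KeyProtectorId
        DomainJoined        = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
        AdBackupEnabled     = [bool]$policy.OSActiveDirectoryBackup
        AdBackupRequired    = [bool]$policy.OSRequireActiveDirectoryBackup
    }
}

Get-RecoveryEscrowReport | Format-List
```

A domain-joined machine with `AdBackupEnabled` false matches the case the comment describes, where the backup to the computer object does not take place because no GPO was deployed.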

    5. Re:Can a corporate security officer comment by ArmoredDragon · · Score: 5, Informative

      Even if you do consider Windows 10 (or 8 for that matter), don't under ANY circumstances use a Microsoft account to log in. Recall not long ago during Microsoft's "Scroogled" campaign, they were promising account privacy and that they'd never look into your account at all. Well, sometime during all of that, they broke into a blogger's Hotmail account (read: he was their own customer) to identify his leak source for future MS products, right after saying that "oh, well now we really mean it this time."

      The problem with a Microsoft account is that your computer now answers to Microsoft's authentication servers, which means they ultimately hold the keys to unlocking your computer. In scenarios such as the above, or a government request, or social engineering, practically anybody could unlock your computer.

      As I've said elsewhere, there's no practical benefit to having one (you can still download apps and whatnot without using a Microsoft account to log in to your PC) so why needlessly expose yourself to the above risk?

  2. Re:Hmmmm by Anonymous Coward · · Score: 5, Funny

    When is this capability going to be added to systemd?

  3. Don't cherry pick by s.petry · · Score: 5, Interesting

    While the main point of the article is about a Windows account, there is an underlying discussion on overall privacy using Microsoft Windows. This is just the latest article discussing privacy and security concerns. Sure, "some" businesses are always years behind in releasing a new OS. Others are not so far behind, and are very concerned about security, so are not approving Win10.

    For example, as soon as the OS was released we saw how the OS will send your keystrokes to Microsoft. Not just what you type into Cortana, IE, or Edge, but ALL keystrokes are recorded by the OS. You can disable sending the data to Microsoft, but we have yet to find a way of disabling the keylogger built into the kernel. (Recorded does not necessarily mean stored long term, but long enough to evaluate in memory.)

    Due to that lack of trust, I may have installed Win10 but never created a MS or Azure account. Anything I do on the device is treated as public knowledge because the OS is built to remove privacy from end users. I won't use online banking on the PC with Win10, and logging in to anything is assessed under the assumption that someone from MS and the Government will have full access to the account. When I'm working on sensitive stuff I use Linux.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.