Researchers Crack Microsoft Feature, Say Encryption Backdoors Similarly Crackable

An anonymous reader writes: Researchers who uncovered a security key that protects Windows devices as they boot up say their discovery is proof that encryption backdoors do not work. The pair of researchers, credited by their hacker nicknames MY123 and Slipstream, found the cryptographic key protecting a feature called Secure Boot. They believe the discovery highlights a problem with requests law enforcement officials have made for technology companies to provide police with some form of access to otherwise virtually unbreakable encryption that might be used by criminals. "Microsoft implemented a 'secure golden key' system. And the golden keys got released from [Microsoft's] own stupidity," wrote the researchers in their report, in a section addressed by name to the FBI.

proof that encryption backdoors do not work

proof that [anything developed by Microsoft does] not work.

FTFY.

Dear God

[TechyImmigrant]

That web site is annoying. 8 bit game music and the text jitters.

Re:Dear God

That's a long way to say "What's NoScript?"

Microsoft; Secure? Bwahahaha!

[UnknownSoldier]

Their security has a been a joke for *decades*.

Re:Microsoft; Secure? Bwahahaha!

[clubby]

That implies that it was once respected. I think it's more accurate to say that their security has *always* been a joke.

That "Microsoft Feature" is Secure Boot

Microsoft made a signed policy file which can be used with a Microsoft signed UEFI boot loader to turn off Secure Boot, and accidentally (?) published that policy with the Windows 10 anniversary update. Using this policy, Secure Boot can even be disabled on systems that won't allow the owner to disable it. And of course, this can be used to turn off Secure Boot remotely, so basically Microsoft eradicated any benefit that Secure Boot might have had. Now it's just annoying.

Re:That "Microsoft Feature" is Secure Boot

[AmiMoJo]

An update has appeared that claims to fix this issue (KB3172729). Presumably they have revoked that key and replaced it with a new one.

This isn't really an issue with backdoors though, it's just an issue with public key crypto in general. You have to protect the private key, and not accidentally leak it. And to be fair to Microsoft, they aren't the only ones. Apple leaked the private key for their firmware updates, allowing you to create an undetectable rootkit that lived in, say, the battery firmware and which could not be removed by a full HDD wipe. And Github regularly scans for people accidentally posting their private keys when they commit code.

Re:That "Microsoft Feature" is Secure Boot

[AmiMoJo]

http://arstechnica.com/apple/2...

Just Google it next time.

Re:"Crack Microsoft Feature"

[geek]

When will the folks in Redmond put down the pipes?

You laugh but it's a bit ironic. This wasn't a crack, it was a leak. MS actually gave everyone the fucking keys. This is great for me though, I spent 4 hours yesterday telling everyone at work that Microsoft is just as fucked on security today as they were 20 years ago. Then this happens and I'm totally vindicated.

challenge accepted!

Show me an unhackable machine and I'll show you my bare arse.

Sounds like an easily exploitable security hole to me...

"Government only" keys do not exist

[Opportunist]

Dear politicians: There will never be a backdoor key that only your law enforcement will have. Such things tend to be very, very valuable. Being able to decrypt any and all trade secrets is valuable. At a level where nation states start to be interested, not just some petty criminals, or even large criminal entities. Governments are interested. And they tend to have very, very deep pockets. Pockets deep enough that pretty much anyone becomes open for bribes. And if bribes don't work, well, there are other ways to be convincing.

Any key you have will also be held by Iran, Russia and probably even North Korea within reasonable time. That backdoor game is an odd one: The only winning move is not to play it.