Slashdot Mirror


User: slacklinejoe

slacklinejoe's activity in the archive.

Stories: 0
Comments: 58

Comments · 58

  1. No, that's not how HYOK works. Even a national security letter could at best turn over a blob of encrypted storage. It's kind of cumbersome to set up, but for most orgs even with significant security concerns BYOK is a reasonable balance.

  2. To be fair, it warns you like 3-4 times... on Microsoft Yanks Docs.com Search After Complaints of Exposed Sensitive Files (zdnet.com) · · Score: 1

    As a user of Docs.com, I'm not sure how users would realize that the site isn't public by default... It warns you in big banners that it's a public docs site for publishing product manuals or other public consumption items that aren't websites but you want to provide links to or where folks can search for it. You can limit it down for personal, but if you wanted that, you'd use one of the many other services on the exact same menu like OneDrive or SharePoint.

  3. There are already mature tools to do this.... on Ask Slashdot: How Would You Implement Site-Wide File Encryption? · · Score: 1

    The fact you mention disk passwords leads me to believe that you are familiar with consumer grade encryption, but probably not enterprise grade encryption management. Microsoft offers some good tools for this, so do many of the other security vendors. Most of these tools have complex, rolling recovery keys for whole disk encryption and assigned users are still able to log in with their normal AD, but you can go the route of additional factors or ways of protecting the identities. If you have need of an additional layer, item level file encryption goes a very long way toward securing email and documents that might be sensitive. That said, you have to equally protect the user accounts that can decrypt the system with tools like Privileged Access Management, additional login factors and threat detection tools. I'd suggest hiring an expert for this endeavor, it's pretty specialized and if you get it wrong, you only make it harder to manage, not more secure. Consulting organizations do this all the time, and depending on what you need, it doesn't have to be insanely expensive.

  4. An area where Microsoft is doing it right on Encrypted Email Is Still a Pain in 2017 (incoherency.co.uk) · · Score: 0

    With Azure Rights Management and Azure Information Protection integration into Outlook, Exchange and mobile support, Microsoft is way ahead in terms of ease of use for encrypted emails. In most cases, internal company emails are secured and users don't even know it aside from the little banner at the top. For external sharing it has a fairly easy to use system to share docs or emails and it does federate with external IDs. Company to company emails work without any sort of extra accounts or hassle. Company to end user does have a couple requirements, but it works pretty well. Fully federated experiences are coming to Gmail users too so you won't even have to have a Microsoft ID of any sort if you don't want it. Yes, it works in email clients like Touchdown, and there is an attachment process that works in Apple Mail and such.

  5. Just use Storage Spaces + Crashplan on Ask Slashdot: What's The Best Way To Backup Large Amounts Of Personal Data? (foxdeploy.com) · · Score: 1

    Sure, Storage Spaces is just fancy JBOD, but it works really well, is supported and isn't tied to hardware for migrating down the line. That said, you need to back that stuff up if it's of any importance. CrashPlan is highly recommended for good reason. There are others, but you are best off with something that can handle versioning to a local disk as well as getting that stuff sync'ed offsite.

  6. Ugh, NO - that file is the edition changer on 'UpgradeSubscription.exe' File In Preview Build Hints At Windows 10 Subscriptions (zdnet.com) · · Score: 2

    Win 10 lets us do Workplace Join which can let us upgrade and activate an edition upgrade from Windows Home or Windows Pro to Windows Enterprise. This lets folks use their home computer but still use things like BitLocker and DirectAccess which aren't part of Home. The way it works is we provide an edition change package, look up the Windows 10 Provisioning Package. Rather than relying on your home computer talking to the on-prem KMS, it uses essentially an old school MAC key for temporarily activating an upgrade. Once the PC is removed from the company's workplace join, it removes that edition. The goal is to let employees use any device they care to in order to get their work done and allow the company to reclaim that edition upgrade once they leave that role. Why MS insists on calling it a subscription, I'm not sure, but it probably has more to do with the fact that to have the Enterprise version, you have to have an EA agreement and a Software Assurance. Basically no, it's not what you think and the Microsoft response is reasonably accurate; it's just the word subscription that should be replaced with the word "Activation." [Note, I'm a consultant who does Intune/Configuration Manager so I'm actively deploying these packages that do this with clients today.]

  7. Re:Plausible deniability on Child Porn Suspect Jailed Indefinitely For Refusing To Decrypt Hard Drives (arstechnica.com) · · Score: 2

    Just buy/download one of the cryptolocker malware shells. All of your data is fully encrypted and prompts you for a payment or warns that you didn't respond within the 72 hour window. That would replace your standard crypto GUI, but introduce a reasonable plausible deniability. Not necessarily encouraging this, but it fits the scenario.

  8. Scary implications for Cryptolocker victims on Child Porn Suspect Jailed Indefinitely For Refusing To Decrypt Hard Drives (arstechnica.com) · · Score: 3, Insightful

    It goes without saying that this would be a truly scary precedent if applied widely. Victims of cryptolocker for instance would have encrypted hard drives and literally have no way of providing the key or passphrase necessary to comply with a court order. Smart bad guys could just as easily borrow malware engines to do this to disguise their behavior, so it would not be easily apparent. My personal opinion is that passwords are firmly 5th amendment protected, I just wish it came up under a more defendable case. The investigators should have done more surveillance or traditional investigations (with warrant) before pulling the trigger on the arrest and could have easily removed the ambiguity from the situation.

  9. Re:Wait, let me get this straight.... on Microsoft Extends Its Windows Hello Login Security Features To Apps and the Web (techcrunch.com) · · Score: 1

    Yeah no. It doesn't work that way.

  10. Re:Be nice with some device support on Microsoft Extends Its Windows Hello Login Security Features To Apps and the Web (techcrunch.com) · · Score: 1

    There are two of the Intel ones on the market as add-ons, but not many are integrated. You have to find the ones with the Intel RealSense feature. If you want, check out the Creative labs F200. There is the Intel developer kit (R200) but I've not found it in stock.

  11. Re:Isn't this a dumb idea? on Microsoft Extends Its Windows Hello Login Security Features To Apps and the Web (techcrunch.com) · · Score: 1

    Hello is more flexible than the above suggests and this is really just an extension of their Single Sign On options. Microsoft really wants to push the PIN + something as better than a password (that users will just put on a post-it note and leave in their office). For low security locations, sure maybe just an IR scan of your face including vein locations, heart rate and such = 1 factor (Hello only works with very specific and weird cameras), but most are going to implement it with biometric (face or fingerprint) + a PIN. Which arguably is better than a password that users have on a post-it note stuck to their monitor. Once you are initially logged in, the trust factor can reasonably be established as we already have a trusted token for your login and we can re-prompt for one factor just to make sure it's still the user at the keyboard, so we just reuse that token everywhere. This ties into stuff like their SSO for Office 365, SaaS apps and has a password manager to store other non-recognized apps. Basically what UPEK was doing in the early 2000's with their fingerprint software, but hopefully more secure.

  12. Re:Nobody fucking wants this on Microsoft Teams With Automakers To Put Windows, Office In Cars (microsoft.com) · · Score: 1

    That last part - letting your phone cast - basically is Windows 10 Continuum. The head unit still needs a way of receiving that signal and doing processing like using the touch screen in the dash, so it isn't just an HDMI jack. It's more like Remote Desktop with some tweaks. That said, do I want a Windows 10 phone - no not really. Do I want something like it for Android to my UConnect's 9" screen, yes. Even in the summary this said when the car is parked or auto drive. As an owner of a car with adaptive cruise + lane aware, it's actually a pretty reasonable proposition. My interaction on the daily commute in heavy traffic is lane changes and turns or taking over in cases of bad weather. I don't abuse it and keep my hands on the wheel (it yells at me if I don't) but I have very little I have to do while in the traffic crawl on the highway and my car isn't one of the fancy ones like the Tesla that can do much more. Right now it's just chilling to audiobooks, but we aren't that far from large periods of being completely interaction free.

  13. Re:UK Parliament uses NSA friendly cloud on FBI: Just Don't Call Them Backdoors (networkworld.com) · · Score: 1

    The whole Ireland stuff is still stuck in appeals. The Gov asked for the data, Microsoft took it to the courts - to my knowledge nothing was handed over yet. That's what led to them expanding their content storage in Germany as they had more legal support for taking it there. The NSA demands stuff all the time - doesn't mean it's always handed over. Besides, if you are worried about security O365 and Azure support Bring Your Own Key encryption. That's relatively standard stuff nowadays with Azure Government tenants - granted, I've only done this for US customers, cannot speak for the UK. Regarding move to Germany, that's all scuttlebutt - but it's scuttlebutt from my local Microsoft Data Center folks over beers.

  14. Re:Like Microsoft Skype and Hotmail? on FBI: Just Don't Call Them Backdoors (networkworld.com) · · Score: 2

    Not sure about the above, but to be fair, keep in mind that MS is creating new data (and expanding existing) centers in Germany - with the emphasis to get away from NSA snooping. They used the fact that the NSA pissed off Germany with basically act of war level spying to get German support to move the O365 & Azure DCs there in a safe haven. There's talk behind the scenes to start offering customers an intentional geo-deoptimization to shove sensitive data outside of NSA reach - without charging for it. The MS data center SSPs I work with regularly are actually kind of excited about it as they trust the Germans more than the American Gov - what a weird world... Not saying this will work, we might be just trading one privacy insensitive government for another, but that's the chatter that I'm hearing.

  15. One argument for switching to DC voltage on $600k Fine Over Data Center Death (datacenterdynamics.com) · · Score: 1

    Management doesn't understand the difference between telling them it's technically possible to do live maintenance and that it's a challenge like the rest of our technical feats. I feel for the guy and his survivors. I've seen the same pressures play out on my data centers, but thankfully we were able to arrange that type of work as semi-regular full DR test and the place I was working at simply didn't have the same uptime demands when push came to shove. From a safety angle, I can't help but think that moving over to DC voltage for datacenters might be a better option. Some of the big boys are already doing it as we're currently taking AC power, running it through or alongside DC power backups, then up to AC for power supplies, then DC for the servers. There's an economy to it, but DC is just safer to work with. That said, there's always going to be an AC/DC bus that's dangerous to work on and live electrical work on it will always take appropriate design ($$) and proper training.

  16. Re:Is there still a hosts file? on Windows 10 Still Phones Home With Data In Spite of Privacy Settings · · Score: 1

    Microsoft uses a content delivery network for Windows updates. Since URLs don't go in a hosts file, you'd have to put IPs; problem is those CDN IPs are used for lots of things and change a lot. An intelligent outbound proxy is a better solution as that will parse URLs and wildcards.

  17. Re:How to block MS? on Windows 10 Still Phones Home With Data In Spite of Privacy Settings · · Score: 1

    For proxy filtering, I don't have a full list for the app store, but here's a list from Intune which includes all of the update pieces: https://technet.microsoft.com/... - that would at least be a start. Also, Microsoft does have some additional steps on isolating Windows Store apps once they are on a PC, but I'm not sure I fully understood the direction they are going. It looks like they are recommending the removal of networking permissions to anything except your user account, but I'd have to test it out to fully digest it: https://technet.microsoft.com/...

  18. Re:Probably just not optimized yet on Windows 10 Still Phones Home With Data In Spite of Privacy Settings · · Score: 1

    Who knows, maybe it was indeed a corporate directive. Let's let enterprise behave normal, but home and pro have to call back with at least basic telemetry. That said, with enough feedback, I bet they'd reverse direction and respect that telemetry blocking setting.

  19. Re:How to block MS? on Windows 10 Still Phones Home With Data In Spite of Privacy Settings · · Score: 2

    Outbound proxy, or even just a good outbound firewall/content filter would do the job.

  20. Re:So how many lawsuits have been filed so far? on Windows 10 Still Phones Home With Data In Spite of Privacy Settings · · Score: 1

    So, you installed an OS that proudly says it has features that cloud sync. Accepted the EULA saying you knew it's there and agree to install. They didn't have to give any options to turn off telemetry collection and had no legal disclaimers that it worked and would adjust your EULA, but provided an option to do so, that works, but only partially. Yeah... Not sure a bug in an option designed to make the OS better is going to qualify as saying it's illegal.

  21. Re: Probably just not optimized yet on Windows 10 Still Phones Home With Data In Spite of Privacy Settings · · Score: 1

    Spy-traffic? You mean the standardized telemetry data they used to assess how people use their OS to make it better? Where else would you suggest putting a random ID that lets you figure out which feedback comes from which users? Apple and Google do the same things as well - not saying I like it necessarily, but this isn't new. They aren't covert that this feature exists, or why, and it's in the EULA (not that people read it). The fact that when you toggle it off that some of the subsystems keep talking is what's broken. But that said, it's still good to fix it, so let them know to fix it, that's what the little feedback button is for. Complaining on /. doesn't get it fixed. Giving them feedback that something isn't working right via their Windows 10 feedback icon does.

  22. Re:Probably just not optimized yet on Windows 10 Still Phones Home With Data In Spite of Privacy Settings · · Score: 1

    But surprising?

  23. Re:Probably just not optimized yet on Windows 10 Still Phones Home With Data In Spite of Privacy Settings · · Score: 1

    You're right, it's not fair to say Win7 is insecure and 10 isn't, but the companies I work for are so wickedly behind on patches for 7, they know they have massive holes all over the place, especially around .net and so forth. Most of those will only deploy 1-2 updates per month or don't enforce reboots at all so they have significant vulnerability issues. So to them 10 is perceived as more secure because it's "up to date". I do ConfigMgr consulting, so it's all about bulk OS and update deployment. My clients perceive it that way, so it rubs off. Fully up to date, who knows...

  24. Re:Probably just not optimized yet on Windows 10 Still Phones Home With Data In Spite of Privacy Settings · · Score: 1

    I do ConfigMgr work as a consultant, so bulk OS upgrades is a core part of my job. I've got projects booked for upgrades for quite a while. Most of them are PoC though, the big guys aren't going completely bonkers, but they want to get off Windows 7, but don't want 8 so they are left seeing if 10 will be acceptable. Net new stuff though, it's actually getting some traction, did a health care divestiture the other day, Windows 10 across 100% of their network so they can get rid of on-prem domain controllers (Azure AD join instead). Pretty big financial incentive since they had hundreds of little bitty locations of users and could ditch all their servers.

  25. Re:Probably just not optimized yet on Windows 10 Still Phones Home With Data In Spite of Privacy Settings · · Score: 1

    I figured you could use EMET to lock down the MS telemetry and store services? I haven't tried, but I've used it elsewhere to similar effect. So you're suggesting just handling it at the firewall level than disabling additional calls? Something Else?