We're continuing investigation to the performance issues, you can follow and react here: https://lemmy.world/c/friendicaworld

evacide

1 day ago

evacide
1 day ago

Do not store your Bitlocker encryption keys on Microsoft's servers if your threat model includes governments or law enforcement. As this article points out, this is the result of a design choice Microsoft made. It didn't have to be this way.

forbes.com/sites/thomasbrewste…

microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data

^{www.forbes.com}

reshared this

in reply to evacide

evacide

in reply to evacide 1 day ago

Because of limited space, I am using "governments or law enforcement" as shorthand for anyone who can show up at Microsoft with a valid court order for your data. This is not a 1-to-1 mapping. I understand the difference and I don't feel like arguing about it.

reshared this

in reply to evacide

Kluthulhu' XOR 1=1--

in reply to evacide 1 day ago

To paraphrase Hank: "Government and government-accessories"

in reply to evacide

René Mayrhofer 🇺🇦

in reply to evacide 1 day ago

Or, because this is Microsoft we are talking about, anyone who shows up virtually with a golden authentication ticket they got through an official API surface because Azure security is a mess...

Having encryption keys stored in plaintext on any cloud service is just a completely irresponsible and bonkers design.

in reply to evacide

Marius (windsheep)

in reply to evacide 1 day ago

Judge Dredd can show up.

in reply to evacide

Sveinn í Felli

in reply to evacide 1 day ago

If you're limited by space, "governments or law enforcement" could be shorthanded into just "they", but then maybe it depends on each person's mental state what "they" would mean.
🤔

in reply to evacide

Net Gremlin 🚴🏻 🐧 🇩🇪 🇪🇺

in reply to evacide 1 day ago

A threat model must always include governments or law enforcement, especially in USA (Gestapo aka ICE). Maybe also in EU, because EU commission wants total surveillance.

This entry was edited (1 day ago)

in reply to evacide

Kris Hardy

in reply to evacide 1 day ago

I still wonder what happened at the end of TrueCrypt, especially since they recommended using Bitlocker when they shut the project down. I've always had the feeling that govt was involved.

in reply to Kris Hardy

Asta McCarthy

in reply to Kris Hardy 1 day ago

@nonlinear The project continued as VeraCrypt: veracrypt.io/en/Home.html

VeraCrypt - Free Open source disk encryption with strong security for the Paranoid

VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability.

^veracrypt.io

@Kris Hardy

in reply to evacide

Asta McCarthy

in reply to evacide 1 day ago

Upgrade to Linux and use LUKS.

in reply to Asta McCarthy

loStronzoRocco

in reply to Asta McCarthy 1 day ago

@AstaMcCarthy Fuck yeah. That’s been my setup since forever.

@Asta McCarthy

in reply to evacide

Todd Heberlein (social)

in reply to evacide 1 day ago

The Trump era has shown “government or law enforcement” should *always* be in your threat model.

The US is not alone in this. Lots of governments have been pushing boundaries.

in reply to evacide

Tommaso Gagliardoni

in reply to evacide 1 day ago

@shufflecake a bit of shameless self-promotion: it looks like we'll be able to launch a prototype for a fully hidden OS using #Shufflecake somewhere this year. And, no, we don't have an option for uploading encryption keys to "the Cloud" 😂 shufflecake.net/

Shufflecake

^{shufflecake.net}

#ShuffleCake @The Shufflecake Project

Dan reshared this.

in reply to evacide

Byrnensorg🇮🇪🇺🇦🇵🇸🇬🇱🇩🇰

in reply to evacide 1 day ago

Not that the law is after me.... yet. I scrubbed bitlocker from my system and deleted the keys from my account, so good luck with that MS.

in reply to evacide

Drahflow

in reply to evacide 1 day ago

My surprise knows no lower bounds.

in reply to evacide

H.Lunke & Socke

in reply to evacide 1 day ago

do not use M$ Software if your threat model includes governments or law enforcement

in reply to H.Lunke & Socke

Jamie :3 🏳️‍⚧️

in reply to H.Lunke & Socke 1 day ago

@HLunke Or anyone who might end up hacking M$.

@H.Lunke & Socke

in reply to evacide

Jamie :3 🏳️‍⚧️

in reply to evacide 1 day ago

“While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys” If you pay for Windows Pro which is 100$ more compared to Windows Home.

in reply to evacide

BoloMKXXVIII

in reply to evacide 1 day ago

Simply put, do not use any Microsoft products if real security is your goal. Anything stored outside of your own hardware is not secure. Use strong (and long) passwords and never use biometrics.

in reply to evacide

Hordearius

in reply to evacide 1 day ago

This is disingenuous click-bait (no surprise from Forbes). If the machine is your own, NOT managed by an employer or school, and you did not specifically choose the option to backup your recovery key by "Saving to your Microsoft Account", Microsoft doesn't have your key and can't assist law enforcement authorities in accessing the data.

in reply to evacide

Jona Joachim

in reply to evacide 1 day ago

Why encrypt in the first place if you give out your keys. This is the same level of stupid as SSE-S3 in #AWS

#aws

in reply to evacide

Ameise

in reply to evacide 1 day ago

Well, thats easy. Simply, go away from Microsoft and use Linux. I changed all my IT stuff to "Open Source" and I am happy with it since years. No privacy problems, no security problems, no hidden backdoors ...
#FOSS

#foss

in reply to evacide

GhostOnTheHalfShell

in reply to evacide 1 day ago

Can we just say don’t touch anything Microsoft and don’t use anything where Microsoft is involved in software infrastructure?

in reply to GhostOnTheHalfShell

`Da Elf

in reply to GhostOnTheHalfShell 1 day ago

@GhostOnTheHalfShell Whsat, I've been talking to myself for the last quarter century? (The answer is yes, it's always been yes. ... "Yes Elf, you're a grumpy old man shaking his fist ineffectually at Redmond (or in that shithole when I lived there) and none of us are listening to you ... even though there's overwhelming evidence you are correct, we just don't care. Now, what was my license key?"

I gave up years ago. Wanna shoot yourself with MS products? Go Ahead! No skin off my teeth.

@GhostOnTheHalfShell

GhostOnTheHalfShell reshared this.

in reply to `Da Elf

GhostOnTheHalfShell

in reply to `Da Elf 1 day ago

@elfin
There are a great number of people who resemble that statement (old bitter cassandras)

@`Da Elf

in reply to GhostOnTheHalfShell

`Da Elf

in reply to GhostOnTheHalfShell 1 day ago

@GhostOnTheHalfShell Nobody listens to them either.

Just a bunch of old grumps.

But now I can add "I told you so" to my grumpy old man shtick.

@GhostOnTheHalfShell

in reply to `Da Elf

GhostOnTheHalfShell

in reply to `Da Elf 1 day ago

@elfin
One more for the bucket list

@`Da Elf

in reply to evacide

PKs Powerfromspace1

in reply to evacide 1 day ago

FFS $MSFT this applies to enterprises as well and foreign govt and social activists 😳

in reply to evacide

gunstick

in reply to evacide 1 day ago

whatsapp tut das gleiche. Da ist auch der private Schlüssel auf deren Servern hinterlegt.

in reply to evacide

dragonfrog

in reply to evacide 1 day ago

In principle that would also include anyone who knows my email address and can set up a phishing website, right?

Government agencies need whatever a valid warrant is in their jurisdiction, but a user just has to log in to their account and click through the "I forget my Bitlocker password" workflow.

So someone who knows me, or stole my laptop bag with my business cards in it, knows who to phish to get into an account likely to have my recovery key, right?

This entry was edited (1 day ago)

in reply to evacide

Quinn9282 🖥️🌙✌️

in reply to evacide 1 day ago

Does MS automatically store BitLocker recovery keys on MS accounts for Pro/Enterprise editions of Windows when enabling BitLocker? I know they do this on Home editions of Windows if you have the "Device encryption" feature enabled, but at least for other editions it usually gives you the option to store the recovery key as a file when you enable BitLocker. Unless of course that's not an option that's provided if you deployed a Bitlocker management configuration to a number of devices?

in reply to Quinn9282 🖥️🌙✌️

Jeff Turner ⛵

in reply to Quinn9282 🖥️🌙✌️ 1 day ago

@Quinn9282 if enabling it manually you can store it as a file. Print it out. If using pro version and active directory you can choose to store it in your own ad on premise or in the microsoft azure, entra (whatever its called today) account.

@Quinn9282 🖥️🌙✌️

in reply to evacide

fuzzyfuzzyfungus

in reply to evacide 1 day ago

The person at Forbes who described this as a 'flaw' seems like they are deliberately underselling it. At least with tech 'flaw' almost entirely implies 'error' rather than 'decision'. It's a little harsher than some of the euphemisms that vendors prefer for product defects, in order to try to normalize how many they ship; but it's absolutely exonerative of one's intentions; which is wholly undeserved.

in reply to evacide

MyView

in reply to evacide 1 day ago

Well .. they give US authorities everything else they ask for so ...

in reply to evacide

mikeTesteLinuxQlub

in reply to evacide 1 day ago

Simply deactivate Bitlocker. Bad by design and a gate wide open to lock YOU OUT.

Just use Veracrypt or something like that on a second drive ou usb stick to protect the very sensible data......and at least, deactivate Bitlocker, that force windows recall or whatever is name to deactivate too.

Tanquist reshared this.

in reply to evacide

Paco (2026: New) Hope

in reply to evacide 1 day ago

“#Microsoft says it will provide encryption keys for Windows PC data protected by BitLocker where it has access to them and it's received a valid warrant.”

The word “valid” sure is doing a lot of work there. This is the most corrupt DoJ and FBI in generations. One that ignores court rulings that it disagrees with. So what way is the warrant “valid”? Syntactically? Grammatically? Because if we get any deeper, like morally or ethically, the argument gets harder to make.

#microsoft

in reply to evacide

x41h

in reply to evacide 1 day ago

it absolutely floors me to see how many people are reposting this article. I mean it's good for awareness but considering anyone involved with security didn't know big tech hands over your data to IC or law enforcement before today has been living under a rock.

in reply to evacide

Oliver

in reply to evacide 21 hours ago (Received 20 hours ago)

Apart from that, storing the key in the specific provider‘s cloud isn‘t a good idea anyway - the same counts for iCloud as well. There are things that should be separated from each other because of reasons, this one is just another proof for the need to do so.

in reply to evacide

Natalie Esmerelda

in reply to evacide 1 day ago (Received 20 hours ago)

Personally I consider the use of microsoft for any threat model out side of not having one and not caring a bad option unless its your only option say for a service that noone else has that is to high enough standards.

in reply to evacide

Yan

in reply to evacide 22 hours ago (Received 19 hours ago)

interesting. Thanks for sharing. The article refers to it as a “privacy flaw”. I guess it depends on the definition of privacy, though to me, it seems like a security issue.

in reply to evacide

reindeerphoto

in reply to evacide 1 day ago (Received 18 hours ago)

Using other words:
Do not use software from a fascist regime.

in reply to evacide

Paolo Redaelli

in reply to evacide 13 hours ago

Proprietary Software can't be trusted. It's that simple

in reply to evacide

DFX4509B (Joshua Mason)

in reply to evacide 2 hours ago

At this point get rid of Windows if you're not running anything that's DRM-locked to that OS.

⇧

evacide 1 day ago • •

evacide
1 day ago