steven36, Posted December 30, 2015

A leopard does not change its spots. The Microsoft that sells Windows 10 devices today is the same Microsoft that failed to adequately explain the existence of the NSAKEY in its code, discovered by Andrew Fernandes in 1999. The only thing that has changed in the intervening years is that politicians and politicians’ servants have become cleverer at, well, politicking. Microsoft’s encryption for devices is just a new example. An article in The Intercept this week explained that,

Quote: if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key – which can be used to unlock your encrypted disk – to Microsoft’s servers, probably without your knowledge and without an option to opt-out.

Microsoft’s encryption

In security terms, your device encryption is worthless because you do not have control of the key. Given current US law that means that the US government (and probably a lot of other governments) will have access to your encrypted files by confiscating your computer (easily done) and demanding (and inevitably getting) the decryption key from Microsoft. You may think that MS is one of the good guys for giving you encryption, but in fact it is not because it did not. It is an example of the increased subtlety of those watching us, similar to Microsoft and other tech giants opening up European data centers. If European data never leaves Europe we automatically believe it is safe from US government. This is wrong. Back in March 2015 Alexander Hanff commented (EU Data Centers are not safe from US Surveillance):

Quote: But where I have a problem is the fact that this trend serves one purpose and that purpose is to mislead European consumers, politicians and corporations – it is sleight of hand.
By making these announcements that they are moving EU data into EU Data Centers, these global tech giants are attempting to mitigate some of the damage the Snowden revelations have done to the US cloud industry – but it is absolutely false.

Surveillance remains absolute and remains absolutely dangerous. The Founding Fathers understood. They created a Constitution designed to limit the power of government simply because government, any government, cannot be trusted. Government is not and never has been about protecting the people – it is about controlling the people. Now, today, we are simply allowing government to take total control over us. It already, through a combination of legal and illegal practices, has full access to everything we write, view or discuss on the internet – unless we encrypt it. Free speech and freedom of thought is a fallacy. As Lord Justice Laws wrote in 2012 (cf. The Good Constitution of Lord Justice Laws):

Quote: freedom of expression; and this is a right which is inherent in the autonomy of the individual, the very basis of the morality of law. Along with Article 9, freedom of thought and religion, it is integral to one of the law’s core principles – the presumption of liberty… And I think it is under threat.

Encryption is our only remaining safeguard for freedom of expression, our last defense against totalitarian government. This is why, for the last 30 years, governments have been seeking to ban or subvert the people’s encryption. Microsoft’s so-called encryption is an example of subversion. In pretending to protect us from losing our data by retaining a recovery key for us, Microsoft is simply disguising the fact that we don’t really have encryption. It is doing what it has always done – pretending to be on its customers’ side while actually doing the bidding of government. A leopard does not change its spots – it just pretends to.
vibranium, Posted December 30, 2015

You can use Microsoft's encryption. You just gotta know how to tame the beast.
steven36, Posted December 30, 2015

4 minutes ago, vibranium said:
You can use Microsoft's encryption. You just gotta know how to tame the beast.

You can use folder lock too but it don't mean it's worth having. If you buy Pro versions of Windows just for encryption you may as well save your money and use open source encryption.
Batu69, Posted December 30, 2015

Quote: While you cannot prevent Windows from transferring keys to the cloud, you can check using your Microsoft Account to find out if keys are saved in the cloud, and delete them if that is the case.

1. Load https://onedrive.live.com/recoverykey in your browser of choice.
2. Log in to your Microsoft Account to access the service.

Microsoft lists all recovery keys stored under that account on the page. If you get "You don't have any BitLocker recovery keys in your Microsoft account" it means that no keys are stored. This is the case for instance if the computer has no encryption chip, or if a local account is used to sign in on the PC. Otherwise, you may delete the recovery key on the site. It is suggested to back up the key before you do so.

To be on the safe side Microsoft noted that the encryption key and backups are deleted when users deleted them on the Recovery Key page. While that is reassuring, it is suggested to create a new encryption key locally instead and save it locally as well to make sure no one can decrypt data on the drive using the old encryption key. While local access is needed for that, it is better to be safe than sorry later on.

1. Tap on the Windows-key, type bitlocker and select the Manage BitLocker result to open the BitLocker Drive Encryption settings.
2. Select "Turn off BitLocker" next to the operating system drive. This will decrypt the drive which may take a while depending on its size and performance.
3. Once done, select "Turn on BitLocker".
4. Windows will prompt you to back up the recovery key. You can select to save it to a file, or to print the recovery key. Don't select Microsoft Account as it will end up in the cloud again if you do.
5. Select to encrypt the entire disk including empty space on the next page.
6. Select yes when asked to run the BitLocker system check afterwards.
7. Reboot your PC.

BitLocker will start to encrypt the drive in the background afterwards.
It is suggested to check the Microsoft Account again when the process completes to make sure the new recovery key is not listed there.

http://www.ghacks.net/2015/12/30/find-out-if-microsoft-saved-encryption-recovery-keys-in-the-cloud/
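The re-encryption steps from the quoted procedure, scripted with the BitLocker PowerShell cmdlets as an added example (not part of the thread or the linked article). It assumes a TPM-equipped PC, an elevated PowerShell session, and a hypothetical removable drive E: for the key file.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the quoted GUI procedure.
$mount   = $env:SystemDrive             # operating system drive, e.g. C:
$keyFile = 'E:\bitlocker-recovery.txt'  # assumption: removable drive E:, kept off the encrypted disk

# Refuse to store the recovery password on the volume it unlocks.
if ($keyFile.StartsWith($mount, [StringComparison]::OrdinalIgnoreCase)) {
    throw "Choose a key file location outside $mount"
}

# Show which protectors exist now (the recovery password is the part that gets uploaded).
$vol = Get-BitLockerVolume -MountPoint $mount
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# "Turn off BitLocker": decrypt the volume so the re-encryption below uses fresh keys.
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Disable-BitLocker -MountPoint $mount | Out-Null
    do {
        Start-Sleep -Seconds 60
        $vol = Get-BitLockerVolume -MountPoint $mount
        Write-Host "Decrypting: $($vol.EncryptionPercentage)% still encrypted"
    } until ($vol.VolumeStatus -eq 'FullyDecrypted')
}

# Create a new recovery password locally and save it to the file, not to the Microsoft account.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
$recovery | Select-Object KeyProtectorId, RecoveryPassword |
    Format-List | Out-File -FilePath $keyFile -Encoding ascii

# "Turn on BitLocker": no -UsedSpaceOnly, so the entire disk including empty space is
# encrypted; no -SkipHardwareTest, so the system check runs on the next reboot.
# XtsAes256 needs Windows 10 version 1511 or later.
Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -TpmProtector | Out-Null

Write-Host "Recovery password saved to $keyFile. Reboot to run the system check."
```

After the reboot, `Get-BitLockerVolume` reports encryption progress, and the recovery key page mentioned in the quote can be checked again.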
steven36, Posted December 30, 2015

2 minutes ago, Batu69 said:
http://www.ghacks.net/2015/12/30/find-out-if-microsoft-saved-encryption-recovery-keys-in-the-cloud/

Why are you going to pay $100 extra for a Pro version of Windows and have to use workarounds when you can use a free alternative? It would cost me over 100 dollars to upgrade to a Pro version for something that's a big joke HAHAHA.

Quote:
VeraCrypt (Windows/Mac/Linux)
AxCrypt (Windows)
GNU Privacy Guard (Windows/Mac/Linux)
SnakeMasteR, Posted December 30, 2015

37 minutes ago, vibranium said:
You can use Microsoft's encryption. You just gotta know how to tame the beast.

You can run naked thru lively streets, pretending nobody has seen ya.
steven36, Posted December 30, 2015

1 hour ago, n0_risk! said:
You can run naked thru lively streets, pretending nobody has seen ya.

If people had any actual proof that it wasn't a back door for the NSA except for the fact they use it themselves and defend it purely out of reason because they use it, because people don't want to accept reality. I would respect them for defending it if they had real proof. But why do people defend something that there's proof of backdoors since 1999? That's 2 years before I came online even. Now they're going to fix it with a workaround after it's been backdoored for over 16 years? Give me a break. If that's not a false sense of security I don't know what is...

The head of the FBI said this already about open source encryption:

Quote: Soghoian noted, however, that more and more encryption platforms are being made available on the Internet for free by individuals or groups of open-source developers in the United States and Europe, which will make it difficult to regulate them.

Why would you settle for something that has a closed off code that's made in Washington state USA that's very easy to regulate because of laws to protect M$ from being sued? I don't know about you but I want the very best. The whole debate was really Microsoft and others don't care about your privacy, they just want to put it in the media that they do so you have a false sense of security. While the whole time they were in bed with the Government behind your back sneaking in laws to protect them from being sued when the Government asks for your private encrypted information.
steven36, Posted December 30, 2015

More Breaking News:

Microsoft keeps its users' encryption keys stored on servers.

Windows computers have a default disk encryption feature to protect customers' data if their computer is lost or stolen, but Microsoft keeps a copy of these recovery keys on its servers, a move that information security professionals say defeats the purpose of encryption technologies.

This approach “undermines every tenant of encrypted data and privacy,” said Scott Petry, CEO of Authentic8. “They're probably thinking of protecting data against the casual hacker, as opposed to sophisticated, motivated nation-state hackers,” he said.

It is possible for users to delete the recovery key from their Microsoft accounts, although it is not the default setting. Whether the setting is an intentional default to cooperate with government requests for user information or a security oversight, the default setting makes user data more vulnerable to attackers looking to steal a user's recovery key from Microsoft servers. “It's a very casual approach to information security,” said Petry.

The setting also raises a question brought up by the discovery that the NSA may have been involved in creating a backdoor in Juniper's VPN connection: what are the risks of government backdoors? Earlier this month, former National Security Agency (NSA) Gen. Michael Hayden, said it is “a weak security position” for governments to ask tech companies to build backdoors into their products.

“It's true that we need strong crypto to safeguard everything from indiscrete photos to online shopping transactions,” wrote Electronic Frontier Foundation's activism director Rainey Reitman, in a blog post earlier this month. “But let's not forget that for many people, strong crypto is a matter of life or death.”
straycat19, Posted December 30, 2015

5 hours ago, vibranium said:
You can use Microsoft's encryption. You just gotta know how to tame the beast.

Do you really believe that crap you wrote? I can access any drive encrypted with Microsoft encryption just as if there was no encryption whatsoever on it. Any certified forensic investigator can do it regardless of the brand of encryption because the companies provide access, the only exception being Apple. But then there are laws in place that require a person to give up their access keys or go to jail anyway until they do. This law even applies to login credentials.
vibranium, Posted December 30, 2015

6 hours ago, straycat19 said:
Do you really believe that crap you wrote? I can access any drive encrypted with Microsoft encryption just as if there was no encryption whatsoever on it. Any certified forensic investigator can do it regardless of the brand of encryption because the companies provide access, the only exception being Apple. But then there are laws in place that require a person to give up their access keys or go to jail anyway until they do. This law even applies to login credentials.

Really? Come over and decrypt a BitLocker volume XTS-AES256 where there is no key backed up. While you're at it, grab a cup of tea and decrypt that hardware encrypted TCG Opal 2.0 SSD.
steven36, Posted December 31, 2015

41 minutes ago, vibranium said:
Really? Come over and decrypt a bitlocker volume XTS-AES256 where there is no key backed up. While you're at it, grab a cup of tea and decrypt that hardware encrypted TCG Opal 2.0 SSD.

If Microsoft has given NSA the master recovery keys it's really easy, it's just like if some hacker was to hack into M$ and get these recovery keys; there's a tool for Linux where you can boot up a live DVD and unlock Windows BitLocker, it's called dislocker. In fact there are many distros of Linux dedicated to forensics with all kinds of tools.
vibranium, Posted December 31, 2015

It can be broken, but it is non-trivial. It is much more complicated for the hardware encryption. Possible? Certainly. Easy? No.

7 hours ago, straycat19 said:
I can access any drive encrypted with Microsoft encryption just as if there was no encryption whatsoever on it. Any certified forensic investigator can do it regardless of the brand of encryption because the companies provide access, the only exception being Apple.

I'm calling BS on this one. I'm not saying MS encryption is great. I'm saying it is usable, and not as broken as it is claimed.
steven36, Posted December 31, 2015

9 minutes ago, vibranium said:
It can be broken, but it is non-trivial. It is much more complicated for the hardware encryption. Possible? Certainly. Easy? No. I'm calling BS on this one.

I agree it's not as easy as he says... you have a key to unlock and not everyone would have access to this even if Microsoft did give the keys out to state hackers. The only way any would have such keys is if it was given to them or M$ was compromised. The way Windows is geared up to work on the cloud nowadays it could happen. It happened to many other software in 2015 like password apps and Juniper.
This topic is now archived and is closed to further replies.