Microsoft gave FBI a set of BitLocker encryption keys to unlock suspects’ laptops: reports
Microsoft provided the FBI with the recovery keys to unlock encrypted data on the hard drives of three laptops as part of a federal investigation, Forbes reported on Friday.
Many modern Windows computers rely on full-disk encryption, called BitLocker, which is enabled by default. This type of technology should prevent anyone except the device owner from accessing the data if the computer is locked and powered off.
But, by default, BitLocker recovery keys are uploaded to Microsoft’s cloud, allowing the tech giant — and by extension law enforcement — to access them and use them to decrypt drives encrypted with BitLocker, as with the case reported by Forbes.
The case involved several people suspected of fraud related to the Pandemic Unemployment Assistance program in Guam, a U.S. island in the Pacific. ...
https://tech.yahoo.com/cybersecurity/articles/microsoft-gave-fbi-set-bitlocker-155409531.html


Comments
Couldn't expect Microslop to operate with American feds
It's a non-story. BL keys are uploaded to your MS account by default like it says, for easy recovery. FBI subpoena/search warrant for the MS account data is all it is.
If anyone had expectations that this crushed, I highly recommend re-evaluating the basis for the expectations.
BitLocker should be considered insecure. Or actually, all of Windows should be considered insecure.
We welcome customers to save their BitLocker keys with us by uploading Deep Atlantic Storage.
The bits are sorted so nice that neither FBI nor KGB could glean any useful information for recovery.
It probably wouldn't have made a whole lot of difference anyway.
https://media.ccc.de/v/39c3-bitunlocker-leveraging-windows-recovery-to-extract-bitlocker-secrets
That's why shady characters prefer to use TrueCrypt, developed by a drug dealer, or its successor product.
BitLocker is enabled by default? Wuh?
I mostly use nlite or autounattend files, but I don't recall this on a vanilla install.
You don't need to be a shady character to not want the government to have access to your encryption keys.
And LUKS2 is better than TrueCrypt/VeraCrypt anyway, since it uses Argon2 instead of PBKDF2.
If they have the keys to the encryption, that's no longer encryption. In theory it's encryption, but practically it is not.
Microsoft is lying to its customers by hiding information which should be clearly stated and for which it should ask for explicit and clear consent.
Yeah, on recent Windows installs it defaults to on for the boot drive. At some point it became an option on non-Pro installs for only the boot drive and sometime recently (well, at least a year ago, maybe two) it's enabled by default.
The last 3 machines I've bought (a laptop about 18 months ago, and 2 mini PCs around 14 months ago) all had it enabled after going through the initial boot OOBE. The 2 mini PCs came with Pro licences, the laptop was a Home licence but also had bitlocker on by default.
This is a problem with all security products. If a developer can access a critical point (for example, keys), then, without a doubt, the government secret service can request access to it. There are no exceptions. The only way to prevent this is to create a product in which critical points are used only in the user environment, and the developer does not have access to them at all.
Is it possible to disable this default behavior and only keep keys local?
Absolute way would be blocking MSFT servers from your network.
Yes. No idea how though, as I only use Linux.
Even with a warrant? Yeah, it does.
I always disable buttlocker, I consider it bloatware.
LUKS2 on a BTRFS filesystem with Grub2 gives you full disk encryption (no need for a separate /boot partition)
For Windows users coming across this thread - Linux Mint makes full disk encryption easy
Not at all. Not only are there plenty of laws that should not be laws, but there are many, many situations where warrants are issued by corrupt judges, especially if you're a privacy activist who tends to get under the skin of feds.
Why btrfs specifically? It would work with any filesystem. I use something similar to that with ext4.
Sorry, my mistake (it's probably 10 years since I've run ext4 on a system root) - and when I did, a separate /boot was needed for LUKS / GRUB
If I ever reinstall Arch I'd be tempted to just use encrypted zfs instead of LUKS + encrypted zfs - for a bit more performance @ home. For a laptop I'd probably still use both.
You better lock your but, because when that bloat will ware you - it will be hard.
Grub2 already supports LUKS2 but only with PBKDF2 (not Argon2). There are ways to include custom support for full LUKS2 support in Grub via patches but I think very soon Grub2 will come with native support for Argon2 which means no more special stuff required and everything should "just work".
Bitlocker service runs even if it's not being used - Win 11 IOT LTSC phones home a lot even without MS recall / copilot
Ayooo!
Trackers of Microsoft and Google are everywhere.
I'm okay with that; I use Outlook mail for all my server-related things and don't even think about them spying on me. Even if they do, I don't care.
If you are interested, what I do is simple: I'm using the *********** protocol for a VPS connection, which does not change my original IP and DNS servers but gives access to the local network on the VPS. Inside the VPS everything works locally with Let's Encrypt certs on HTTPS; it all stays on the local network, since ************ has a special function to show a private login page for visitors.
It's private, safe and ultra fast. Basically I have my original IP and DNS servers and browse the web like a normal user, while I'm connected to a local network inside my VPS, where I have apps and websites working locally with trusted certs. Simple and private.
Be domain joined, or use the command line. The automatic escrow is technically a feature (your domain might enforce it) - and automatic upload is only of the recovery key, which you can remove (just another key slot). If you use the command line, you bypass the UI's requirement to save the recovery key somewhere (e.g. the cloud, a flash drive, etc.) - and you can also just not enable the recovery key protector at all.
This is a non-story - BitLocker is safe (it's been audited to the moon), the recovery keys are stored encrypted, just that Microsoft has the decryption keys (as opposed to being secured with a customer encryption key). And being a US company, they must comply with a court order.
Just don't send your encryption keys to be stored where you can recover them without a password, and you're fine.
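
The command-line route mentioned above, as an added example that is not part of the thread: a PowerShell audit of which key protectors each BitLocker volume carries, plus a rotation that replaces the recovery password so a previously escrowed copy no longer unlocks the volume. The function names Get-RecoveryProtectorReport and Reset-RecoveryPassword are hypothetical; the cmdlets they call are from the built-in BitLocker module.

```powershell
#Requires -RunAsAdministrator
# Added example: function names are hypothetical, cmdlets are from the BitLocker module.

function Get-RecoveryProtectorReport {
    # One row per key protector on every BitLocker volume.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                ProtectionStatus = $vol.ProtectionStatus
                ProtectorType    = $kp.KeyProtectorType
                ProtectorId      = $kp.KeyProtectorId
                # The numerical recovery password is the protector the thread
                # describes as being uploaded for recovery.
                IsRecoveryKey    = ($kp.KeyProtectorType -eq 'RecoveryPassword')
            }
        }
    }
}

function Reset-RecoveryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$MountPoint)

    # Remember the existing recovery-password slots before adding a new one.
    $old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Rotate recovery password')) {
        # Add the replacement first so the volume is never without a recovery path.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        foreach ($kp in $old) {
            # Once the old slot is deleted, the old password no longer unlocks this volume.
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
    # Show the protectors that remain on the volume.
    Get-RecoveryProtectorReport | Where-Object MountPoint -eq $MountPoint
}

Get-RecoveryProtectorReport | Format-Table -AutoSize
# Reset-RecoveryPassword -MountPoint 'C:' -WhatIf   # dry run; drop -WhatIf to apply
```

Write the new recovery password down offline before relying on it: without any recovery protector, a TPM or firmware change that triggers recovery leaves the volume unreadable. Whether a managed or signed-in device re-escrows the new protector depends on its policy, which this example does not check.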
I think the Argon2 patches are already in upstream GRUB2, aren't they? Maybe not in stable distro repositories, though.