securitybreach Posted May 13, 2015

This article is from last year but worth a read if you haven't read it before.

The FBI isn’t happy about the latest versions of iOS and Android using encryption by default. FBI director James Comey has been blasting both Apple and Google. Microsoft is never mentioned — but Windows 8.1 uses encryption by default, too. The FBI doesn’t seem worried about Windows 8.1’s default “device encryption” feature. Microsoft’s encryption works a bit differently — Microsoft holds the keys and could hand them over to the FBI.

Why the FBI is Blasting Apple and Google

FBI director James Comey has said Apple and Google are creating “a black hole for law enforcement.” Encryption “threatens to lead us all to a very dark place,” according to the FBI. The latest versions of Apple’s iOS and Google’s Android automatically encrypt a smartphone or tablet’s storage by default. Previously, this was just an option most users wouldn’t enable. Because of the way encryption works, only a person who knows the key can decrypt it and access the unencrypted files. If Apple or Google received a warrant — or some sort of secret “national security letter” — they wouldn’t be able to decrypt the files even if they wanted to. They don’t have the encryption key. (A national security letter is a secret order that may contain a “nondisclosure” requirement, preventing the person who received the national security letter from ever talking about it for the rest of their life under threat of criminal prosecution.)

[...]

Windows 8.1’s Device Encryption Gives Microsoft a Key

New Windows 8.1 devices ship with something called “device encryption” enabled by default. This is different from the BitLocker encryption feature, which is only available in more expensive Professional editions of Windows and not enabled by default. If you have a supported device, the device’s storage comes pre-encrypted — but it uses an empty encryption key.

When you sign in with a Microsoft account, the encryption is activated and a recovery key is uploaded to Microsoft’s servers. (If you sign in on a domain, the recovery key is uploaded to Active Directory Domain Services, so your business or school has it instead of Microsoft.) If you use a local account, there’s no way to enable the device encryption. In other words, device encryption can only be used if you upload a recovery key to Microsoft’s servers (or to your organization’s domain server). If a thief stole your device, they wouldn’t be able to gain access. However, if law enforcement were to send a warrant (or a secret national security letter) to Microsoft, Microsoft would be forced to give the government your recovery key.

[...]

Overall, device encryption is still a useful feature in Windows. Encrypting files but allowing the FBI to gain access is still an improvement over not encrypting those files. The encryption at least prevents thieves from gaining access. Let’s not mince words: Device encryption is good. It’s better than the complete lack of default encryption Windows used to offer, even with this concern. However, Microsoft’s means of allowing law enforcement to access encrypted files is something that’s flown under the radar. It’s particularly relevant when we see Apple and Google digging in and refusing to enable this covert access. Apple and Google can’t provide law enforcement with access to your encrypted data, but Microsoft can.

http://www.howtogeek...-scare-the-fbi/
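Since Windows 8.1 device encryption is built on BitLocker, you can check for yourself which key protectors exist on a machine and whether a recovery password (the protector that gets escrowed to the Microsoft account or to AD DS) is present. This is an added example, not code from the quoted article or from Microsoft; it assumes an elevated PowerShell prompt and the built-in BitLocker module, and the mount point 'C:' in the trailing commands is a placeholder.

```powershell
# Added example: audit BitLocker/device-encryption key protectors per volume.
# Assumes an elevated PowerShell session on Windows 8.1 or later with the
# built-in BitLocker module (Get-BitLockerVolume, Backup-BitLockerKeyProtector).
Import-Module BitLocker

function Get-EscrowReport {
    foreach ($vol in Get-BitLockerVolume) {
        # The 48-digit RecoveryPassword protector is what Windows uploads to the
        # Microsoft account (or to AD DS on a domain-joined machine) at sign-in.
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        [pscustomobject]@{
            MountPoint         = $vol.MountPoint
            # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            VolumeStatus       = $vol.VolumeStatus
            # 'Off' while FullyEncrypted means the volume is protected only by a
            # clear key: the pre-activation state the article calls an "empty key".
            ProtectionStatus   = $vol.ProtectionStatus
            EncryptionMethod   = $vol.EncryptionMethod
            Protectors         = ($vol.KeyProtector.KeyProtectorType -join ', ')
            RecoveryProtectors = $recovery.Count
            RecoveryIds        = ($recovery.KeyProtectorId -join ', ')
        }
    }
}

Get-EscrowReport | Format-Table -AutoSize

# On a domain-joined machine you can escrow the recovery protector to AD DS
# yourself (the domain case the article describes) rather than relying on
# Microsoft account backup. 'C:' is a placeholder mount point.
$id = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1 -ExpandProperty KeyProtectorId
if ($id) {
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $id
}
```

If the report shows no RecoveryPassword protector and ProtectionStatus is Off, the volume is in the clear-key state and nothing has been escrowed yet; once a Microsoft account sign-in activates protection, a RecoveryPassword protector appears.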
goretsky Posted May 19, 2015

Hello,

Here's a paper I wrote mentioning device encryption in Windows 8.1 from 2013: welivesecurity.com/2013/11/17/windows-8-1-security-improvements. Actually, that's a blog post about the paper. The link is towards the bottom.

In a nutshell, if you're not attached to an Active Directory-managed domain, the key is stored as part of your Microsoft Account data at Microsoft. I'm not sure what happens if you don't create a Microsoft Account during installation, though.

If you are concerned about this, and not in a managed domain, it might be a good idea to look into some other form of whole disk encryption.

Regards,

Aryeh Goretsky
securitybreach Posted May 19, 2015

Or run Linux....