top | item 46744413

(no title)

wobfan | 1 month ago

While you're right, they also went out of their way to prevent competent users from using local accounts and/or not upload their BitLocker keys.

I could understand if the default is an online account + automatic key upload, but only if you add an opt-out option to it. It might not even be visible by default, like, idk, hide it somewhere so that you can be sure that the median MS user won't see it and won't think about it. But just fully refusing to allow your users to decide against uploading the encryption key to your servers is evil, straight up.

discuss

xp84|1 month ago

I really doubt those motives are "evil." They're in the business of selling and supporting an OS. Most people couldn't safeguard a 10-byte password on their own, they're not going to have a solution for saving their encryption key that keeps it safer than it'd be with Microsoft, and that goes for both criminals (or people otherwise facing law enforcement scrutiny) and normal grandmas who just want to not have all their pictures and recipes lost.

Before recently, normal people who get arrested and have their computer seized were 100% guaranteed that the cops could read their hard drive and society didn't fall apart. Today, the chances the cops can figure out how to read a given hard drive is probably a bit less. If someone needs better security against the actual government (and I'm hoping that person is a super cool brave journalist and not a terrorist), they should be handling their own encryption at the application layer and keeping their keys safe on their own, and probably using Linux.

pocksuppet|1 month ago

[deleted]

hermanzegerman|1 month ago

Or use a MacBook, which somehow doesn't need to upload encryption keys Law Enforcement repeatedly failed to decrypt these here

bri3d|1 month ago

The OOBE (out of box experience) uploads the key by default (it tells you it’s doing it, but it’s a bit challenging to figure out how to avoid it) but any other setup method specifically asks where to back up your key, and you can choose not to. The way to avoid enrollment is to enable Bitlocker later than OOBE.

I really think that enabling BitLocker with an escrowed key during OOBE is the right choice, the protection to risk balance for a “normal” user is good. Power users who are worried about government compulsion can still set up their system to be more hardened.

JasonADrury|1 month ago

You can just ... not select the option to upload your keys to MS? During the setup you get to choose where to store your bitlocker recovery key.

jcovik|1 month ago

The last time I've installed windows, bitlocker was enabled automatically and the key was uploaded without my consent.

Yes, you can opt out of it while manually activating bitlocker, but I find it infuriating that there's no such choice at the system installation process. It's stupid that after system installation a user supposed to renecrypt their system drive if they don't want this.

vel0city|1 month ago

It's a few clicks to choose to re-key and not have the key saved to your Microsoft account.

varispeed|1 month ago

Maybe three letter agencies prevented them from giving that option.

cylemons|1 month ago

Surely that's not legal is it? Can the government force companies to include spyware?