evacide
@evacide@hachyderm.io · 2 weeks ago

Do not store your Bitlocker encryption keys on Microsoft's servers if your threat model includes governments or law enforcement. As this article points out, this is the result of a design choice Microsoft made. It didn't have to be this way.

https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

Alexandre Oliva
@lxo@snac.lx.oliva.nom.br replied · 2 weeks ago

don't keep them on your microsoft-controlled, universally-backdoored computer either. microsoft, and thus the government, can get at them from your computer too. why wouldn't it?

Paolo Redaelli
@paoloredaelli@mastodon.uno replied · 2 weeks ago

@evacide
Proprietary Software can't be trusted. It's that simple

Oliver :europe:
@oliver@metalized.net replied · 2 weeks ago

@evacide Apart from that, storing the key in the specific provider's cloud isn't a good idea anyway - the same goes for iCloud as well. There are things that should be separated from each other because of reasons, this one is just another proof for the need to do so.

Yan
@ynotez@infosec.exchange replied · 2 weeks ago

@evacide interesting. Thanks for sharing. The article refers to it as a “privacy flaw”. I guess it depends on the definition of privacy, though to me, it seems like a security issue.

reindeerphoto
@reindeerphoto@mastodon.social replied · 2 weeks ago

@evacide
Using other words:
Do not use software from a fascist regime.

Cory
@LearnToLivePrivate@privacysafe.social replied · 2 weeks ago

@evacide Personally I consider the use of Microsoft for any threat model, outside of not having one and not caring, a bad option unless it's your only option, say for a service that no one else has that is up to high enough standards.

x41h
@x41h@infosec.exchange replied · 2 weeks ago

@evacide it absolutely floors me to see how many people are reposting this article. I mean it's good for awareness, but considering anyone involved with security who didn't know big tech hands over your data to IC or law enforcement before today has been living under a rock.

Paco Hope is thankful
@paco@infosec.exchange replied · 2 weeks ago

@evacide “#Microsoft says it will provide encryption keys for Windows PC data protected by BitLocker where it has access to them and it's received a valid warrant.”

The word “valid” sure is doing a lot of work there. This is the most corrupt DoJ and FBI in generations. One that ignores court rulings that it disagrees with. So what way is the warrant “valid”? Syntactically? Grammatically? Because if we get any deeper, like morally or ethically, the argument gets harder to make.

mikeTesteLinuxQlub
@mikeTesteLinuxQlub@qlub.social replied · 2 weeks ago

@evacide Simply deactivate Bitlocker. Bad by design and a gate wide open to lock YOU OUT.

Just use Veracrypt or something like that on a second drive or USB stick to protect the very sensitive data......and at least, deactivate Bitlocker, which forces Windows Recall or whatever its name is to deactivate too.

MyView
@MyView@aus.social replied · 2 weeks ago

@evacide

Well... they give US authorities everything else they ask for so...

fuzzyfuzzyfungus
@fuzzyfuzzyfungus@cyberplace.social replied · 2 weeks ago

@evacide The person at Forbes who described this as a 'flaw' seems like they are deliberately underselling it. At least with tech 'flaw' almost entirely implies 'error' rather than 'decision'. It's a little harsher than some of the euphemisms that vendors prefer for product defects, in order to try to normalize how many they ship; but it's absolutely exonerative of one's intentions; which is wholly undeserved.

Quinn9282 🖥️🌙✌️
@Quinn9282@mas.to replied · 2 weeks ago

@evacide Does MS automatically store BitLocker recovery keys on MS accounts for Pro/Enterprise editions of Windows when enabling BitLocker? I know they do this on Home editions of Windows if you have the "Device encryption" feature enabled, but at least for other editions it usually gives you the option to store the recovery key as a file when you enable BitLocker. Unless of course that's not an option that's provided if you deployed a Bitlocker management configuration to a number of devices?

dragonfrog
@dragonfrog@mastodon.sdf.org replied · 2 weeks ago

@evacide In principle that would also include anyone who knows your email address and can set up a phishing website, right?

Government agencies need whatever a valid warrant is in their jurisdiction, but a user just has to log in to their account and click through the "I forget my Bitlocker password" workflow.

So someone who's stolen my laptop bag with my business card in it, knows who to phish to get into an account likely to have my recovery key, right?

gunstick
@gunstick@mastodon.opencloud.lu replied · 2 weeks ago

@evacide WhatsApp does the same. There, too, the private key is stored on their servers.

PKPs Powerfromspace1
@Powerfromspace1@mstdn.social replied · 2 weeks ago

@evacide FFS $MSFT this applies to enterprises as well and foreign govt and social activists 😳

GhostOnTheHalfShell
@GhostOnTheHalfShell@masto.ai replied · 2 weeks ago

@evacide

Can we just say don’t touch anything Microsoft and don’t use anything where Microsoft is involved in software infrastructure?

Ameise
@Ameise@mastodon.social replied · 2 weeks ago

@evacide Well, that's easy. Simply go away from Microsoft and use Linux. I changed all my IT stuff to "Open Source" and I have been happy with it for years. No privacy problems, no security problems, no hidden backdoors ...
#FOSS

Jona Joachim
@jaj@mastodon.social replied · 2 weeks ago

@evacide Why encrypt in the first place if you give out your keys? This is the same level of stupid as SSE-S3 in #AWS

Hordearius
@Hordearius@theforkiverse.com replied · 2 weeks ago

@evacide This is disingenuous click-bait (no surprise from Forbes). If the machine is your own, NOT managed by an employer or school, and you did not specifically choose the option to backup your recovery key by "Saving to your Microsoft Account", Microsoft doesn't have your key and can't assist law enforcement authorities in accessing the data.

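An added example, not code from this thread or from Microsoft, for the question Quinn9282 raises and the condition Hordearius describes: it lists the key protectors on a BitLocker volume so the recovery-key IDs can be compared with whatever a Microsoft account lists, then adds a fresh recovery password, writes it to a local file for offline storage, and removes the old recovery-password protectors, so any copy of them that was ever synced or saved elsewhere no longer unlocks the drive. It assumes Windows 10/11 with the BitLocker PowerShell module, an elevated session and an already-encrypted volume; the output folder is a placeholder path.

```powershell
# Added example (not from the thread or from Microsoft). Assumes Windows 10/11, the BitLocker
# PowerShell module, an elevated session, and a volume that is already BitLocker-encrypted.
param(
    [string]$MountPoint = 'C:',
    [string]$OutDir = "$env:USERPROFILE\bitlocker-recovery"   # placeholder; move the file to offline media afterwards
)

# 1. Audit: list every key protector on the volume (TPM, RecoveryPassword, Password, ...).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Volume $($vol.MountPoint): $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
foreach ($kp in $vol.KeyProtector) {
    Write-Host ("  {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
}

# The ID of a RecoveryPassword protector is what the Microsoft account recovery-key page
# (account.microsoft.com/devices/recoverykey) shows. Any ID listed there is a key Microsoft holds.
$oldRecovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($oldRecovery.Count -eq 0) { Write-Host 'No recovery password protector present yet.' }

# 2. Rotate: add the new recovery password BEFORE removing the old ones, so the volume
#    is never left without a recovery protector.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newKp = $after.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldRecovery.KeyProtectorId
}

# 3. Store the new 48-digit recovery password offline only (print it, or move the file to removable media).
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$file = Join-Path $OutDir ("recovery-" + ($newKp.KeyProtectorId -replace '[{}]', '') + ".txt")
@(
    "Recovery Key ID:   $($newKp.KeyProtectorId)"
    "Recovery Password: $($newKp.RecoveryPassword)"
) | Set-Content -Path $file
Write-Host "New recovery password written to $file"

# 4. Remove the previous recovery password protectors; copies of them held anywhere else are now useless.
foreach ($kp in $oldRecovery) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    Write-Host "Removed old recovery password protector $($kp.KeyProtectorId)"
}
```

On a device managed by an employer or school, a backup policy may escrow the new recovery password again as soon as it is created, so re-run the audit step afterwards to see what the device actually holds.
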
BoloMKXXVIII
@BoloMKXXVIII@mastodon.social replied · 2 weeks ago

@evacide Simply put, do not use any Microsoft products if real security is your goal. Anything stored outside of your own hardware is not secure. Use strong (and long) passwords and never use biometrics.

Jamie :3 🏳️‍⚧️
@lavenderjamie@fedi.hug.institute replied · 2 weeks ago

@evacide “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys” If you pay for Windows Pro, which is $100 more compared to Windows Home.

H.Lunke & Socke
@HLunke@darmstadt.social replied · 2 weeks ago

@evacide do not use M$ Software if your threat model includes governments or law enforcement

Drahflow
@drahflow@infosec.exchange replied · 2 weeks ago

@evacide My surprise knows no lower bounds.

🇺🇦🇨🇮 Byrnensorg🇨🇮 🇺🇦
@byrnensorg@mastodon.ie replied · 2 weeks ago

@evacide Not that the law is after me.... yet. I scrubbed bitlocker from my system and deleted the keys from my account, so good luck with that MS.

Tommaso Gagliardoni
@tomgag@infosec.exchange replied · 2 weeks ago

@evacide @shufflecake a bit of shameless self-promotion: it looks like we'll be able to launch a prototype for a fully hidden OS using #Shufflecake somewhere this year. And, no, we don't have an option for uploading encryption keys to "the Cloud" 😂 https://shufflecake.net/

Todd Heberlein (social)
@toddheberlein@mastodon.social replied · 2 weeks ago

@evacide The Trump era has shown “government or law enforcement” should *always* be in your threat model.

The US is not alone in this. Lots of governments have been pushing boundaries.

Asta McCarthy
@AstaMcCarthy@mastodon.pirateparty.be replied · 2 weeks ago

@evacide Upgrade to Linux and use LUKS.

Kris Hardy
@nonlinear@mastodon.nz replied · 2 weeks ago

@evacide I still wonder what happened at the end of TrueCrypt, especially since they recommended using Bitlocker when they shut the project down. I've always had the feeling that govt was involved.

Net Gremlin 🚴🏻 🐧 🇩🇪
@net_gremlin@mastodon.ip6.li replied · 2 weeks ago

@evacide A threat model must always include governments or law enforcement, especially in the USA (Gestapo aka ICE). Maybe also in the EU, because the EU commission wants total surveillance.

evacide
@evacide@hachyderm.io replied · 2 weeks ago

Because of limited space, I am using "governments or law enforcement" as shorthand for anyone who can show up at Microsoft with a valid court order for your data. This is not a 1-to-1 mapping. I understand the difference and I don't feel like arguing about it.

Sveinn í Felli
@sv1@mastodon.social replied · 2 weeks ago

@evacide If you're limited by space, "governments or law enforcement" could be shorthanded into just "they", but then maybe it depends on each person's mental state what "they" would mean.
🤔

Marius (windsheep) :donor:
@windsheep@infosec.exchange replied · 2 weeks ago

@evacide Judge Dredd can show up.

René Mayrhofer :verified: 🇺🇦 🇹🇼
@rene_mobile@infosec.exchange replied · 2 weeks ago

@evacide
Or, because this is Microsoft we are talking about, anyone who shows up virtually with a golden authentication ticket they got through an official API surface because Azure security is a mess...

Having encryption keys stored in plaintext on any cloud service is just a completely irresponsible and bonkers design.

Kluthulhu' XOR 1=1--
@kluthulhu@infosec.exchange replied · 2 weeks ago

@evacide To paraphrase Hank: "Government and government-accessories"

Dаn̈ıel Раršlow 🥧
@pieist@ohai.social replied · 2 weeks ago

@evacide Somebody's going to find a way to "actually" you. You can't preempt all the possibilities. It's what they do. It's ALL THEY DO
