
We used to beat MS up for bad security
And now they're encrypting everything... sort of. Or maybe it's just the explanations and what's actually in their updates.
We know Microsoft can be pretty secretive about its spyware-as-a-service Windows 10, but Redmond has now taken its furtiveness to a whole new level. You may or may not know that its disk encryption tool Bitlocker has suddenly stopped working in the latest version of its operating system for a number of people. Bitlocker …
That response reminds me of the old joke of guys lost in a balloon in the fog . . .
* link leads to joke in plane, largely less credible but the gist is the same
Not true. The NEW consumer regulations allow for something LIKE a CLA. I'm not entirely familiar with the ins and outs..
Perhaps you should become familiar with those little details, then, because the change you're referring to is restricted to competition cases. If you Google it you'll find plenty of law firms' web pages summarising the scope of the change.
> "The NEW consumer regulations allow for something LIKE a CLA. I'm not entirely familiar with the ins and outs"
Quite correct. You're not entirely familiar with the ins & outs. It's only available in limited circumstances related to competition.
"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule"
The above is bollocks! Red Hat are much better at preventing, investigating and fixing security issues, as all of their customers will confirm! Microsoft should not make misleading recommendations like this; in fact I would go as far as to say it should be illegal from a consumer perspective.
It's as much a "platform" as Windows is, offering a desktop environment as well as lending itself to a variety of types of server environments to provide services from. Arguably they even have an "app store" via their repositories
Although you have a point that the term "platform" is vague as hell and isn't really good at explaining what it does
Howdy, Stoneshop,
There are those under no delusions working systems administrations in virtual platforms of operation realising Windows is muchmore olde business planphorm than leading edge executive base vessel and useful enough for conditions in those sorts of fields in virtual team terrains.
*Advanced IntelAIgent Research Craft
I might have guessed he could make sentence of it:
> Howdy, Stoneshop,
> There are those under no delusions working systems administrations in virtual platforms of operation realising Windows is muchmore olde business planphorm than leading edge executive base vessel and useful enough for conditions in those sorts of fields in virtual team terrains.
> *Advanced IntelAIgent Research Craft
What I think you do is count the number of primes then miss every other word reading it on a prime time, schedule until all the letters get use up, then you throw away the computer you first thought of and boil your head until no longer something or other shortage...
> "Red Hat are much better at preventing, investigating and fixing security issues as all of their customers will confirm"
Why then do they have vastly more security patches than Windows - even when you restrict RedHat to comparable feature sets - and are on average slower to deliver them (more days at risk) for a product that costs considerably more?
> "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday =
There is a Windows customer with a commitment that is the only platform and it has, or had to investigate security issues that were reported. I am not sure what proactively impacted devices are, but once a month on Tuesdays or as soon as possible. I forget something something. And anyway I use Linux so there...
An encrypted drive safeguards your data somewhat when your kit gets stolen, that is it. When Windows is running, all required data on your drive is automatically decrypted for each and every program that runs on your computer, including Microsoft's telemetry (or whatever they call their spyware this week) software.
They don't need master keys, you other numpty, the data is decrypted on your system before it gets sent over a secure (I would hope for you, guyz) connection to mothership.
Maybe you mean a Microsoft rep is sneaking into your house to slurp your data while you're at work ...
Ooops. Silly me. I am sure I understand now.
Encryption is like DNT where you are just sending Microsoft a 1 to say do not look at my data and therefore they can ignore your implied request in order to check if you might be interested in buying some more socks.
After all these days someone else might have encrypted your sock pictures, sock novels, sock videos, sock music and sock design software along with your .sck design files so it's not as if they really know whether or not you yourself chose to encrypt your sock data so it's best to play safe and have a good rummage about the place just to make sure.
Thanks for clearing that one up for me. As for Microsoft Reps sneaking about the house when I am out.. It's not them, it's the Pixies. They use the Goblins at work when I am at home and Gremlins to supply the down votes on El Reg.
> After all these days someone else might have encrypted your sock pictures, sock novels, sock videos, sock music and sock design software along with your .sck design files so it's not as if they really know whether or not you yourself chose to encrypt your sock data so it's best to play safe and have a good rummage about the place just to make sure.
Ha, you're nothing but a sock-puppet...
BTW, if anyone's thinking of buying me Xmas presents, I could do with some socks...
"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible."
...we think we're the only operating system manufacturer on the planet. At least, that's worth talking to. Competitors are jokers who don't take security reports or bugs seriously.
"We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
... For fuck's sake, get off Windows 7 and 8 already. We've tried to warn you. Honestly. We even did you the favour of pushing our product down your private wire at great expense... to you... and you still didn't have the common bloody sense to push the single button we helpfully popped up in the fucking task bar. Oh no. You even went to the extent of working out a secret registry key to turn off our helpfulness. Well, be warned, we're sending the boys round shortly.
"Our standard policy is to provide solutions via our current Update Tuesday schedule."
... We'll fix it on Tuesday. No, we won't tell you which one.
@captain veg:
I've read about this, but did not face it myself. I think probably because all my PCs are using Enterprise, which isn't eligible for the upgrade anyway.
But I find it very interesting, so I would greatly appreciate it if you could please elaborate. In particular:
* Are the updates being received through WSUS or SCCM?
* What edition of Windows?
* Is the local user a normal, limited user?
@captain veg
Ah! I see now. Thank you very much for taking the time to reply.
Well, you're right that the update should still not show up, based on the KB. So I would bring that to Microsoft's attention, if I were you.
As for your setup, well, it's not how I would do it. And it's probably not keeping with best practices. But I assume you have a good reason for doing it that way. After all, people don't deploy configurations that result in more work without a damned good reason!
What I would suggest is maybe a GPO to apply the required registry values to those machines you want to block GWX on. Seems simplest, and should work.
I've seen such many times: you ask them (any large organization) a precise question, and
1. they don't reply
2. upon 2nd, 3rd, etc. e-mail, they send a copy-and-paste reply, at best vaguely related to the topic, signed by some David, Peter or Mary, more often than not unsigned ("company policy", I bet)
3. if you still haven't got the clue (you clueless idiot) and send more emails asking, begging, demanding an answer, or merely frothing - you get the same copy and paste reply, until
4. you give up
5. SUCCESS!!! aka "we pride ourselves in providing active and meaningful feedback platform to our valued customers".
If it got through to a hell-desk - well, one worth its salt, they'd get a reasonable answer. Maybe even one regarded as a tad too honest by the hell-deskers' employers*. It's if the response comes from the marketeers that you're more likely to get that kind of dross.
*I resemble this remark.
This is an annoying issue for those who use FDE, yes.
But installing RTM, enabling BitLocker and then doing an in-place upgrade to 10586 works fine. No need for any gradual updating. I know, as I just did this a few days ago.
BTW: how does one turn on the equivalent functionality (FDE using HW encryption on SED) on Linux, please?
"So, if I understand you correctly, you believe that it is OK that MicroSoft dropped the ball on this one because no other OS offers the same features?"
Fascinating! How did you arrive at that conclusion, please?
If you are referring to my asking about Linux, then I am afraid you are very much off base: I use Linux, and I would just like to know if I can use the hardware encryption capability of SEDs with Linux, is all. Do not read too deeply into what is really a very shallow question: there's only the surface layer.
> BTW: how does one turn on the equivalent functionality (FDE using HW encryption on SED) on Linux, please?
If you are a numpty like me then you 'Ask Google',
https://www.google.co.uk/search?q=linux+encrypt+home+after+install&btnG=Search&gbv=1
and find something like this,
http://www.howtogeek.com/116032/how-to-encrypt-your-home-folder-after-installing-ubuntu/?PageSpeed=noscript
Which happens to be the first on-page link. I really wish the Linux community would do something about this sort of shit because, personally speaking, I'd rather have to dig down past 10 pages of results before finding something that might do the job in Windows without having to install 24 toolbars, a pile of adware and upgrading to a different browser and then being repeatedly asked to sign up for the proper version because the evaluation copy is about to run out.
Of course that is not 'FDE', just the appropriate Home Folder and Swap. It may still be possible to do FDE after install and I get the impression that it is certainly the case that the option is available during an initial install.
Not sure whether it is 'Hardware Encryption'. Otherwise sorry if it was not the answer you were looking for.
Thank you. I already use this on my Linux boxen.
But it's not FDE. And it's not using the SED's HW encryption.
The attraction of using HW encryption is that it has no performance impact, so it's very useful for system drive encryption -- or for any other drives that will see a lot of traffic.
> But it's not FDE. And it's not using the SED's HW encryption.
Muh-Huh. I kind of thought it was not the answer you were looking for....
https://www.google.co.uk/search?q=%22Linux%22+SED+HW+encryption&btnG=Search&hl=en-GB&biw=&bih=&gbv=1
YMMV or you will run out of gas, but a quick scan of those suggests SED HW encryption is drive/BIOS specific, such that if your drive does it and your BIOS/motherboard supports it then there will be a bit of extra pain involved before something happens.
---> Apparently it's free and you may need some later on if you try things out.
@WorBlux:
Thank you for the reply. Very interesting.
Looking at the documentation, I can see why the Linux zealots were reluctant to come forward, if this is the best Linux has to offer: it's not very user-friendly, is it?
But it's good to see that someone is working on this, at least. And it *is* an uncommon usage scenario, so it would be rather low priority for anyone -- be it Microsoft, or anyone else. Here's hoping it will reach a usable state, sometime soon.
> @WorBlux:
> Thank you for the reply. Very interesting.
> Looking at the documentation, I can see why the Linux zealots were reluctant to come forward, if this is the best Linux has to offer: it's not very user-friendly, is it?
I might be inclined to turn into a 'Linux Zealot'. Then again, just before I do... given you have demonstrated your wealth of 'boxen' knowledge, perhaps you can sort things out for the rest of us.
Looking forward to trickling your sweet cum down the back of my throat. I like Real Cherry Flavour without the stones and if you skin your interface just right everyone will be putting their heads up to drink from your fountain.
Ah! Good question, actually.
An SED will optionally use a HW engine to encrypt all data written to it. But, what does that *really* mean? I mean, if the drive is completely encrypted, how do you boot from it? And where do you store the key? How, for that matter, do you pass the key to the decryption engine? Obviously you cannot store it on the drive itself! Etc., etc.
Microsoft's eDrive takes care of all this rather neatly and seamlessly, once its requirements are met. The only annoying thing, really, is the need to do a clean install of Windows to use it.
I am wondering if there's an equivalently painless process -- or a better one! -- for Linux, and I am hoping someone here will be able to help.
I expect implementations vary with distros. I haven't bothered with encryption on most of my machines. The Thinkpad I bought for travelling runs Qubes. Encryption via Fedora. "Fedora's default implementation of LUKS is AES 128 with a SHA256 hashing."
For what it's worth. I'm not bright enough to know anything about it, I just use it and move along.
is a disease, is it not? Why do you airheads continue to make Gates & Co. billionaires?
Those who love MS so much should follow on by taking whatever vaccines the Gates Foundation is forcing on poor inhabitants of India and Africa.
W10 is a disaster, but - MS have openly revealed how they have been operating secretly since the inception. They are contemptible, conniving scum who do anything they can to "capture" clients.
And they do that with the full cooperation (not requiring bribery) of hardware manufacturers, who load their crap into their products. They surreptitiously load software on older version Windows boxes forcing folk onto W10. At least with Apple, you know where the back door is.
A major complaint of those coming from Windows to Linux over the years has been "I can't play my games on Linux".
You "gamers" shouldn't complain about W10. Windows has always been crap. It is little different from the first version.
I had this long-winded explanation about FDE, and how Linux and Windows aren't really that different in the implementation. Scrubbed it.
FDE at the disk requires that the disk and the BIOS both understand the idea, and the unlock key is either *hardware* (TPM) based or the BIOS knows how to ask the user for the key (sometimes both).
BitLocker, however, doesn't encrypt the boot block, the bootloader partition of Windows. I follow the same standard on my Linux and LUKS installs. Neither the boot block nor the /boot partition is encrypted. After that, however, we have LUKS. On one laptop I have LUKS for all working partitions including the VMs I run on the laptop, and *they* have LUKS on their disks too.
The 'self encrypting drives' I've run into that do this silently *usually* are modified hardware TPM based encryption and simply don't have valid data when you stuff them in another system. These are worse than useless in an enterprise.
I can speak about Windows somewhat usefully, as I have been using eDrive for a while, now:
* Can be done without TPM. You just need to supply the key on a UFD. Which seems stupid, if you ask me: store the key on the boot partition encrypted with a user-supplied password, FFS! Just as Linux does it (I think).
* BitLocker is still BitLocker. IE, recovery agents in AD, etc., if you want them. So very applicable in an enterprise environment. If AD is compromised, well, that's a resume-generating event, one way or another, isn't it...? So it's nothing one needs to worry about, IMO. ;-)
Here's some more info, if you'd care to read about it. I promise it's all fascinating stuff, for the slightly-paranoid:
* What SEDs are: http://arstechnica.com/civis/viewtopic.php?f=11&t=1243475
* How it's done on Windows: https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/
* Someone tinkering with stuff on Gentoo: https://forums.gentoo.org/viewtopic-t-1001902.html
It's so encrypted that it can't be decrypted by anything - even the owner.
A likely problem is that the Beast hasn't worked out a back door API deal with the self encrypting drive makers yet, and so can't uphold their commitments to various TLAs to keep that back door open. People might start encrypting stuff on their PCs that Microsoft can't grant access to recover.
Nice theory.
Except:
* BitLocker still works. And still does FDE, just not leveraging the HW of SEDs.
* Even that works, if you upgrade from Windows 10 RTM after already enabling hardware encryption. Just make sure you never turn it off, because you wouldn't be able to turn it back on!
Anyway, it seems like a minor bug, in the larger scheme of things. Hopefully will be fixed soon because it's bloody annoying. But probably not very high on the list of priorities right now. I mean, how many people are impacted, would you imagine...? I'd guess it's not a high percentage of users!
Anyone at NSA or GCHQ will tell you that the only encryption worth its salt is the one that only they can break. Who, pray tell, do you think provided the new encryption algorithms? So much cheaper for Microsoft to just use an existing system than develop their own. Got to keep an eye on that bottom line, don't ya know.
Knowing MS, however, we might expect the NSA encryption to end up in Europe and the GCHQ version to end up in North America. Which, of course, will require an update to the ORtRTAE (One Ring to Rule Them All Encryption).
Of course, the immediate fix is to copy your data from the encrypted drive to an unencrypted drive or MS encrypted drive so "they", whoever that might be, can have access to it.
Fix? This IS The Fix
> Anyone at NSA or GCHQ will tell you that the only encryption worth its salt is the one that only they can break. …. thx1138v2
That belief is the ongoing problem causing all manner of escalating woes and deepening difficulties, thx1138v2, for the only encryption worth its salt is the one which cannot be broken, surely. Everything and anything else not supplying that, and purporting to be encryption, is vapourware and a conspiracy and fraud being perpetrated by colluding parties on the innocent and gullible, guilty and aware alike.
And yes, that emboldened headline question is correctly written.
I keep all of my work and personal data on a TrueCrypt volume on a separate HDD to the OS (W7). As far as I can see this covers my obligations under the data protection acts in the UK and I can display due diligence if there is any data relating to my clients that is leaked online or whatever.
I know it has been shelved and that the tinfoil hat wearers are all concerned about it but for my purposes it does the job. Also means that none of my data is stored on any servers outside the UK and I am not held ransom by the usual mega corporations when they decide to change or bugger up their systems.
Any UK government agency that wants to see what I have got on my disk only needs to ask, any agency outside the UK can go fuck itself, I am not in their jurisdiction.
Edit: Also forgot to add (before I get castigated by a lot of people who presume to know my affairs better than me ) that all of this data is backed up on separate external drives, same encryption, at least 1 jumbo jet width apart. Anything bigger than that which lands on my house will make any back up redundant anyway !
Seems good to me. And TrueCrypt has been very thoroughly audited.
On the other hand, if your main concern is displaying due diligence in a court of law if you ever have to, you might want to consider if you want to go through the extra effort of defending your decision to continue using a software package after its unknown developers very publicly pulled it, saying that it is not secure...
I mean, you and I know it's secure; but will the judge...?
> On the other hand, if your main concern is displaying due diligence in a court of law if you ever have to, you might want to consider if you want to go through the extra effort of defending your decision to continue using a software package after its unknown developers very publicly pulled it, saying that it is not secure...
> I mean, you and I know it's secure; but will the judge...?
Veracrypt fixes the issues with Truecrypt and can also read and write to Truecrypt encrypted partitions as well !
"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule"
Slurp is doing the usual suspect buzzword bingo. How many layers of encryption are there in the quote? Now if only the NSA would earn its keep.
Given this and all the other horrors I read about Windows 10, why is anyone using it at all?
It breaks privacy, it breaks encryption, it breaks a lot of software and drivers, it breaks the UI, it breaks trust, it breaks your ownership of your own PC, and for people on capped data plans, it breaks your data cap too just in case you thought it couldn't get worse.
Nothing in it seems to work properly - for some reason Microsoft appear to have fiddled with everything from the hardware abstraction layers upwards, and fiddled badly. I haven't yet read anything positive, except that it has a sort-of start menu which is kind of better than the tiles in Windows 8.
'Cause when you try to install Vista or earlier on a Windows 10 certified machine..... it won't work.
Mandatory EFI*
EFI; initially I thought it was all about killing off Linux. The scalps that it actually claims today are XP and Win2K. A successful result for MS.
*Egregious Ferret Insertion
The recovery password can be recovered from a BitLocker enabled computer provided it can be logged into e.g. by running: manage-bde.exe -protectors -get C: -Type recoverypassword
Just more ineptitude from the guys at MS who've never really understood the whole principle of Encryption in the first place, it's not supposed to be recoverable.
Windows has a long history of snafus and borking cryptography; they even completely screwed up Kerberos implementations in Windows 7, leading the maintainers of it to be left shaking their heads saying "Windows jus' doesn't get it!", which is true when you reflect it's supposed to be for protection of government departments and their own data, but then these government departments "holla" on about needing better security whilst they then try to erode it - claiming it helps bad guys. It must be marvellous to work in an environment of complete idiots who just do not understand why it's important and where its use isn't even that highly mandated in the first place.
Goodness me, just imagine if they'd used TrueCrypt to store all their secret documents, then they might not have got shared all over the Web! Sucks, eh? Meanwhile in other news, they have access to so much data, they're drowning in it and the bad guys are talking over coffee and lunch in the local McDonalds instead of over the internet.
It's possible to save the recovery password of a BitLocker volume if you already have access to it, yes.
How is this a problem...?
The alternative would be the need to migrate all the data to a new volume if you lose the recovery password of an old one and are not comfortable with the idea of not having a recovery option.
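The exchange above turns on the fact that a logged-in administrator can read a volume's recovery password (manage-bde, or the RecoveryPassword property exposed by the BitLocker module). The following audit script is an added example, not code from the thread or from Microsoft; it uses the BitLocker PowerShell module's Get-BitLockerVolume cmdlet (Windows 8 / Server 2012 and later, elevated session) to inventory each volume's encryption state and key protectors without printing any recovery key, and flags the conditions a defender cares about: unencrypted volumes, suspended protection (clear key on disk), and volumes with no recovery protector.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit BitLocker state of every local volume.
# Reads only metadata; the RecoveryPassword property of each protector is deliberately
# never emitted, so the report can be collected centrally without leaking keys.
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, Password,
        # RecoveryPassword, ExternalKey (the UFD case mentioned above), ...
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Findings are ordered from most to least severe; the first match wins.
        $finding = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            'NOT ENCRYPTED'
        } elseif ($vol.ProtectionStatus -eq 'Off') {
            # Protection suspended: the volume key sits in the clear on disk,
            # readable by anyone who can attach the drive to another machine.
            'PROTECTION SUSPENDED (clear key)'
        } elseif ($types -notcontains 'RecoveryPassword') {
            # No 48-digit recovery password: a TPM failure or firmware change locks
            # the owner out for good (the "not supposed to be recoverable" case).
            'NO RECOVERY PASSWORD PROTECTOR'
        } else {
            'ok'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...InProgress
            ProtectionStatus = $vol.ProtectionStatus  # On / Off
            EncryptionMethod = $vol.EncryptionMethod  # e.g. XtsAes128, Aes256, or Hardware (SED / eDrive)
            Protectors       = ($types -join ',')
            Finding          = $finding
        }
    }
}

# Report, then exit non-zero if any volume needs attention (useful from a
# configuration-management or monitoring agent).
$report = Get-BitLockerAudit
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Finding -ne 'ok' }) { exit 1 }
```

Volumes reporting EncryptionMethod Hardware are the SED-backed ones the thread discusses; a volume that shows FullyEncrypted but ProtectionStatus Off after an upgrade is exactly the state worth catching before the machine leaves the building.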
Perhaps the 'powers that be' have decided that snooping via the network is ultimately going to be too hard as ubiquitous encryption (slowly but inevitably) takes hold.
So where else to target... easy, just put the listeners on the target devices themselves and get whatever information they need regardless of what grade of encryption is used for network traffic. Having an OS which allows them to hide this effectively becomes very important.
In order to do this though they need to embed the malware at a very deep level so it can't be easily discovered. Possibly even lower than the level at which the current software encryption between the encrypted hard drive and the applications on the OS operate...
Perhaps this is part of MS contribution to the 'cause'...
All you hard drives are belong to us. Once M$ went with Windows anal probe 10, it had to be pretty obvious nothing would force them to drop that massive invasion of privacy short of new laws and regulations. Basically they, like Windows 8, are going to try to force it through and not give a crap about customer opposition.
"I'm sorry Dave, you want to add encryption to a self encrypting drive? I'm afraid we (and various agencies of choice) can't decrypt that (so we don't like it)".
Well, probably.
I was mortified to see the default is to save BitLocker keys "into the (MS) cloud" for you(r safety). Unless you have Win 10 Pro, in which case you are allegedly deemed capable of not losing your keys.