The tech giant said providing encryption keys was a standard response to a court order. But companies like Apple and Meta set up their systems so such a privacy violation isn’t possible.
A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device (e.g. a home router), or its embodiment
Not very covert if it is offered to a user.
If MS gives up the key that is stored plainly in their system, that is a problem. But not a backdoor.
This is quite literally the police knocking on the front door and demanding the key.
This is a meaningless, pedantic argument. Call it backdoor or something else, it does not matter. What matters is that it renders the encryption worthless.
Apple did add a new feature to iCloud called Advanced Data Protection, which enables E2E encryption on iCloud contents, which includes message and device backups.
After enabling this, it is likely prudent to regenerate FileVault keys. It’s also notable that for the initial setup of macOS, it does offer you to forego uploading the recovery key to iCloud, but selecting this option presents a warning stating that Apple will be unable to help you retrieve your data if you lose it. Thus, I am certain most Mac users just upload them to iCloud, which opens them up to exactly the same issue as in the article, but does help protect against thieves or adversaries with brief device access.
I have tried to convince Apple I know to enable ADP, but I have been faced with the expected dismissal of it being unnecessary because they are not interesting, etc.
More people need to engage in a culture of security and privacy when it comes to their digital lives.
Grey area, user chose to store the private bitlocker key to their online Microsoft acct, it’s optional. It’s still a dirtbag move, but probably less illegal.
it’s default in that it’s the top item on the list, but I can’t actually fault them much here, that dialog is crystal clear and you have to log into a Microsoft account to save it there. They don’t really push you very hard to put the key into their cloud.
I fault them more for not using zero-knowledge encryption to protect the user’s key.
the other options won’t let you continue without performing the actions in a way that windows likes.
So for someone trying to set up their PC, only the first option has zero cost.
option two requires an external drive without encryption
option 3 requires setting up a printer from that screen, so you can print the page. it won’t let you continue otherwise.
if you want to back up in some other way, you just don’t (or use PDF conversion from the print dialog)
They want the key, verifiably off the box, in clear text. Any usb stick. any sd card. Not great, but not any barrier that’s worse than needing to setup a microsoft account.
No they’re not really technically “selling” it. Its bundled with Windows.
Its the home edition thing where they require a microsoft account. Afaik, for the Pro version of Windows, Bitlocker doesn’t require a microsoft account.
What if you downloaded an iso from Microsoft and typed a simple command into powershell to activate it? 🏴☠️
But yeah all I’m saying is Microsoft are definitely on shaky ground with their sales claim here. However it’s no less shaky than things they were already convicted of years ago yet seem to be doing yet again, eg bundling Internet Explorer/Edge as the default browser - which has now expanded into occassionally resetting your default apps to Microsoft ones with system updates.
What if you downloaded an iso from Microsoft and typed a simple command into powershell to activate it? 🏴☠️
I mean you’re gonna have to prove in court how you’ve been “harmed” and if you don’t have a sales receipt from microsoft, then I don’t see how a court is gonna side with you.
Pretty sure some lawyer that works for Microsoft is gonna try to counterclaim and say you committed copyright infringement by bypassing the normal activation method.
And can you even afford lawyers lol? Most of us cannot afford constantly paying for laywers that cost $200/hour on the cheaper end, and suing a massive corporation is an uphill battle.
Lol setting aside the joke, and of course if you don’t pay you won’t have a case, but if you had paid I think there would be some statutory rights that would make a claim straightforward and wouldn’t require a lawyer. Small claims is a pretty universal concept regardless of jurisdiction, the limit varies but everywhere has some similar avenue. Filing fees are small and lawyers are not usually involved, just two parties and a judge, and these days it can be done remotely.
Mandatory Arbitration in ToS have entered the chat
You have like 30 days, from the date of sale, to opt out in most of these clauses, if you didnt mail a fucking letter to them to opt out, then you’re fucked.
If they’re selling bitlocker as “full-disk encryption”, doesn’t that open them up to a class action since encryption with a backdoor isn’t encryption?
The keys were very likely uploaded to the linked MS-account.
This is communicated as a backup in case you loose the key.
Breach of trust? Yep
Backdoor? Not very much.
Uploading the key to the cloud is a backdoor. The encryption is only as secure as the your key.
Sure doesnt sound like that to me.
Source: https://en.wikipedia.org/wiki/Backdoor_(computing)
Not very covert if it is offered to a user.
If MS gives up the key that is stored plainly in their system, that is a problem. But not a backdoor.
This is quite literally the police knocking on the front door and demanding the key.
This is a meaningless, pedantic argument. Call it backdoor or something else, it does not matter. What matters is that it renders the encryption worthless.
If I stick the key outside of the apartment the lock is also useless.
In the end it’s the carelessness of the user and not some nefarious scheme the big bad corp trying to come for your homework folder.
You should really touch some grass and stop playing cyberpunk2077 so much. For your own mental being.
We’re talking about the default option here.
Nah, it’s encryption all right, they just back up the key in case you lose it. Which is a feature. https://aka.ms/bitlockerrecovery
I hear iMessage e2e-encrypted messages are also backed up into cloud as plaintext…
Apple did add a new feature to iCloud called Advanced Data Protection, which enables E2E encryption on iCloud contents, which includes message and device backups.
After enabling this, it is likely prudent to regenerate FileVault keys. It’s also notable that for the initial setup of macOS, it does offer you to forego uploading the recovery key to iCloud, but selecting this option presents a warning stating that Apple will be unable to help you retrieve your data if you lose it. Thus, I am certain most Mac users just upload them to iCloud, which opens them up to exactly the same issue as in the article, but does help protect against thieves or adversaries with brief device access.
I have tried to convince Apple I know to enable ADP, but I have been faced with the expected dismissal of it being unnecessary because they are not interesting, etc.
More people need to engage in a culture of security and privacy when it comes to their digital lives.
plain text is probably the wrong phrasing, but apple does control all your keys
no matter who it is, the key holder can always read your data
Grey area, user chose to store the private bitlocker key to their online Microsoft acct, it’s optional. It’s still a dirtbag move, but probably less illegal.
While optional, it is also the default behavior.
it’s default in that it’s the top item on the list, but I can’t actually fault them much here, that dialog is crystal clear and you have to log into a Microsoft account to save it there. They don’t really push you very hard to put the key into their cloud.
I fault them more for not using zero-knowledge encryption to protect the user’s key.
the other options won’t let you continue without performing the actions in a way that windows likes. So for someone trying to set up their PC, only the first option has zero cost.
option two requires an external drive without encryption
option 3 requires setting up a printer from that screen, so you can print the page. it won’t let you continue otherwise.
if you want to back up in some other way, you just don’t (or use PDF conversion from the print dialog)
They want the key, verifiably off the box, in clear text. Any usb stick. any sd card. Not great, but not any barrier that’s worse than needing to setup a microsoft account.
lol. Last time I checked the rule of law in the US only matters if corporations want it to
Oh you can sue if you have Epic Games level of money and access to lawyers. Otherwise corporate says “fuck you”.
No they’re not really technically “selling” it. Its bundled with Windows.
Its the home edition thing where they require a microsoft account. Afaik, for the Pro version of Windows, Bitlocker doesn’t require a microsoft account.
They’re selling Windows and one of the selling points is that it includes full disk encryption. Thus they are selling full disk encryption.
Most people have windows because of OEM keys, so you don’t really have a direct bussiness relationship with Microsoft so its kinda harder to sue.
If you build a pc then separately bought a key, then you might have a better case.
(Disclaimer: I am not a laywer)
What if you downloaded an iso from Microsoft and typed a simple command into powershell to activate it? 🏴☠️
But yeah all I’m saying is Microsoft are definitely on shaky ground with their sales claim here. However it’s no less shaky than things they were already convicted of years ago yet seem to be doing yet again, eg bundling Internet Explorer/Edge as the default browser - which has now expanded into occassionally resetting your default apps to Microsoft ones with system updates.
I mean you’re gonna have to prove in court how you’ve been “harmed” and if you don’t have a sales receipt from microsoft, then I don’t see how a court is gonna side with you.
Pretty sure some lawyer that works for Microsoft is gonna try to counterclaim and say you committed copyright infringement by bypassing the normal activation method.
And can you even afford lawyers lol? Most of us cannot afford constantly paying for laywers that cost $200/hour on the cheaper end, and suing a massive corporation is an uphill battle.
Lol setting aside the joke, and of course if you don’t pay you won’t have a case, but if you had paid I think there would be some statutory rights that would make a claim straightforward and wouldn’t require a lawyer. Small claims is a pretty universal concept regardless of jurisdiction, the limit varies but everywhere has some similar avenue. Filing fees are small and lawyers are not usually involved, just two parties and a judge, and these days it can be done remotely.
Mandatory Arbitration in ToS have entered the chat
You have like 30 days, from the date of sale, to opt out in most of these clauses, if you didnt mail a fucking letter to them to opt out, then you’re fucked.
Thankfully mandatory arbitration isn’t a global problem.