Comment by rustyhancock
4 hours ago
Crikey, it seems that the big news - a backdoor is somewhat burried.
It also strikes me that these are several very high value (all but one complete) exploits.
Surely the value of these on the market would be astronomical and best suited to law enforcement agencies using unlock as a service businesses.
So I have to say I applaud the open disclosure
Though I am convinced this is intentional, i.e. a backdoor and not a bug, it should be noted that for goverment agencies there was already access anyway:
https://news.ycombinator.com/item?id=46735545
Access for those who used a Microsoft account and upload their encryption keys there. While I’m unhappy that most of the users end up using this (bad) mode, previously I was under the impression that there was a meaningful choice involved.
Microsoft has ensured the alternative is nearly impossible, constantly working to block any workarounds that users discover to use a local-only account. And it will even going so far as to silently reset the master recovery key if the original key couldn’t be uploaded (my coworker discovered this to his horror when finding out that not only had it changed his failsafe recovery key again, but also uploaded the wrong key to MDM—all data simply lost)
Yes it does seem prudent to encrypt those keys some other way on the cloud and not add them to the clouds accessible keys.
They also seem suitable for using a secret sharing scheme.
I have Microsoft authenticator requests all day every day. Using aliases has helped but somehow they continue. It's only a matter of time before somehow accidentally I approve.
Which has simply led to me not putting anything of high value in my Microsoft account and not using it for my email.
1 reply →