undefined | Better HN

0 pointsmotohagiography1mo ago0 comments

if you have ever dealt with a regulated institution, they have an obligation to publicly report lost and stolen devices that contain PII/PHI as a breach, and the people whose data was on the device must be notified. It's a huge deal that has board level involvement when it occurs.

The ONLY control that mitigates this risk is disk encryption, and it is perniciously misleading to ship a sabotaged product on which these legally consequential decisions get made around the world- based on the specific assurance the product is designed and marketed to provide.

If true, it is a specific outrage against the laws of several countries, medical and other research ethics, public health, and the social contracts people have with their institutions. If MS is given impunity for this, a lot of regulation is not worth the paper it is written on.

before arguing further, I recommend looking at the breach notification sections of the laws in these major economies: https://www.dlapiperdataprotection.com/

0 comments

2 comments · 1 top-level

bigyabai1mo ago· 1 in thread

I commented because I've worked with regulated institutions where FDE was standard across the org. Bitlocker was laughed at whenever you mentioned it by name, there was not a single engineer I met that took it seriously (even the Windows daily drivers). Microsoft Windows is consistently identified as the weakest link for securing sensitive data, one job even had a no-fly policy for Windows laptops in case they were misplaced in luggage.

So remind me how Microsoft was reprimanded for merging Dual_EC_DRBG support into Windows Vista? Or how they were punished for turning over Bitlocker keys to US law enforcement? It never happens. The regulation isn't worth the paper it's written on, and it hasn't been for well over a decade now: https://en.wikipedia.org/wiki/NOBUS

motohagiographyOP1mo ago

we all know there are limits and vulnerabilities to manage in products. however, this backdoor appears to be a misrepresentation of the core function of the product. if you deployed something you believed to be a joke, you may be the sucker at that table, as thats culpable.

maybe the license language means they make no reps about security, but if this is as described they have compromised the compliance of their customer base.